filter testing perl script

2023-01-13 Thread Edgar Pettijohn

list,


It looks like I finished this little helper script for testing smtpd 
filters, but forgot about it...



Anyway it can be found at
http://www.pettijohn-web.com/new-filter-test.pl. There's even a SHA512
file so you can make sure you got all the right bits in all the right spots.



I believe the documentation provided via `perldoc' should be sufficient, 
but if it isn't feel free to hit me up offlist. Hope it helps someone 
out there trying to get a filter/reporter working.



Edgar




Re: filter testing

2022-04-17 Thread Edgar Pettijohn



On 4/17/22 02:46, Tassilo Philipp wrote:

This is very cool, thank you!
One question about the fflush() you mention: I use awk filters a lot 
and never had any need to explicitly flush, but you probably did. Mind 
sharing some details on your use case?

Thank you!



I think some versions of awk automagically flush their output stream and 
others don't. If it doesn't then your filter will get stuck during the 
handshake stage and never complete.


There is one but I thought of last night and will hopefully get around 
to fixing soon is that the src and dest should have port numbers 
something like:


src => 1.2.3.4:13435,

dest => 4.3.2.1:25

I overlooked that. It will also solve another problem. If the dest is 
port 25 then it will skip the auth stages. If it's 587 it will do the
auth stages. So if you run into an issue with that no need to report it. 
Currently burnt out on it though. I had it almost complete and then 
realized a better way and the better way ended up being a complete rewrite.


Edgar



On Sat, Apr 16, 2022 at 01:04:21PM -0500, Edgar Pettijohn wrote:

I've written a perl script to help test filters. It can be found at:

http://www.pettijohn-web.com/filter-test.pl

It's not 100% complete but it should be helpful enough in finding
common problems. Such as forgetting fflush() in awk filters or 
swapping the session id and opaque tokens.


If you run into any problems please send examples of what you 
expected vs what you got. Or patches would be great.



Edgar








filter testing

2022-04-16 Thread Edgar Pettijohn

I've written a perl script to help test filters. It can be found at:

http://www.pettijohn-web.com/filter-test.pl

It's not 100% complete but it should be helpful enough in finding common
problems. Such as forgetting fflush() in awk filters or swapping the 
session id and opaque tokens.


If you run into any problems please send examples of what you expected 
vs what you got. Or patches would be great.



Edgar
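The two mistakes named in this thread, a filter that never flushes its output and so stalls at the handshake, and a reply with the session id and opaque token swapped, can be caught with a small harness. This is an added example, not the filter-test.pl script from the post; the stand-in filter, the sample session id and token, and the line layout (assumed from smtpd-filters(7), protocol 0.5 and later) are constructed for illustration.

```python
"""Handshake and reply check for an OpenSMTPD proc-exec filter (added example)."""
import queue
import subprocess
import sys
import threading

# Constructed sample input. Field layout assumed from smtpd-filters(7), 0.5+:
#   filter|version|timestamp|subsystem|phase|session-id|opaque-token|params...
#   filter-result|session-id|opaque-token|decision
SESSION = "7641df9771b4ed00"
TOKEN = "1ef1c203cc576e5d"
CONFIG = ["config|smtpd-version|7.0.0", "config|subsystem|smtp-in", "config|ready"]
HELO = f"filter|0.5|1576146008.006099|smtp-in|helo|{SESSION}|{TOKEN}|mail.example.com"

_TIMEOUT = object()  # sentinel: nothing arrived before the deadline

# Hypothetical stand-in for the filter under test. Its output stream is
# block-buffered, which models an awk whose output to a pipe stays in the
# stdio buffer until fflush() is called.
STAND_IN_FILTER = r'''
import sys
flush, swap = sys.argv[1] == "1", sys.argv[2] == "1"
out = open(1, "w", buffering=65536, closefd=False)
def emit(line):
    out.write(line + "\n")
    if flush:
        out.flush()  # the awk equivalent is fflush()
for line in iter(sys.stdin.readline, ""):
    f = line.rstrip("\n").split("|")
    if f[:2] == ["config", "ready"]:
        emit("register|filter|smtp-in|helo")
        emit("register|ready")
    elif f[0] == "filter":
        ids = (f[6], f[5]) if swap else (f[5], f[6])
        emit("filter-result|%s|%s|proceed" % ids)
'''


def sample_filter(flush=True, swap=False):
    """Command line for the stand-in filter, with either defect switched on."""
    return [sys.executable, "-c", STAND_IN_FILTER, str(int(flush)), str(int(swap))]


def _pump(stream, lines):
    """Move the filter's output into a queue so reads can time out."""
    for line in stream:
        lines.put(line.rstrip("\n"))
    lines.put(None)  # EOF marker


def check_filter(argv, timeout=5.0):
    """Play smtpd's side of the exchange and classify what the filter does."""
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True)
    lines = queue.Queue()
    reader = threading.Thread(target=_pump, args=(proc.stdout, lines), daemon=True)
    reader.start()

    def send(batch):
        proc.stdin.write("".join(item + "\n" for item in batch))
        proc.stdin.flush()

    def recv():
        try:
            return lines.get(timeout=timeout)
        except queue.Empty:
            return _TIMEOUT

    try:
        send(CONFIG)
        while True:  # smtpd waits for register|ready before doing anything else
            line = recv()
            if line is _TIMEOUT:
                return "handshake-timeout"  # typical of a missing flush
            if line is None:
                return "filter-exited"
            if line == "register|ready":
                break
        send([HELO])
        line = recv()
        if line is _TIMEOUT:
            return "response-timeout"
        if line is None:
            return "filter-exited"
        fields = line.split("|")
        if fields[0] != "filter-result" or len(fields) < 4:
            return "malformed-response"
        if fields[1:3] == [TOKEN, SESSION]:
            return "swapped-session-token"
        if fields[1:3] != [SESSION, TOKEN]:
            return "unknown-session-token"
        return "ok"
    except BrokenPipeError:
        return "filter-exited"
    finally:
        proc.kill()
        proc.wait()
        reader.join(timeout=1.0)
        proc.stdout.close()
        try:
            proc.stdin.close()
        except OSError:
            pass


if __name__ == "__main__":
    for label, argv in [("flushing filter", sample_filter()),
                        ("no flush", sample_filter(flush=False)),
                        ("ids swapped", sample_filter(swap=True))]:
        print(label, "->", check_filter(argv, timeout=1.0))
```

To test a real filter, pass its command line to `check_filter()` in place of `sample_filter()`, for example the awk invocation used in the `proc-exec` line.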




Re: Why isn't there a simple way to add a catchall alias to OpenSMTP ?

2022-04-15 Thread Edgar Pettijohn



On 4/14/22 14:00, Beau Ford wrote:



On Thu, 14 Apr 2022, Beau Ford wrote:



1) Am I still using my aliases that are defined in:

table aliases file:/usr/local/etc/mail/aliases
action "local_mail" mbox alias <aliases>

... or are those superseded now by the catchall ?



It turns out I am *not* using my aliases anymore and that my rules, as
they are written, are mutually exclusive.

If I order them like this:


    match from any for domain "domain.com" action "local_mail"
    match from any for domain "domain.com" action "catchall"


... then my aliases table is processed, like normal, and the catchall is
ignored.  This makes sense, because the rule matches and it completes -
there is no reason to move on to the catchall address.

Nonexistent addresses (that I hoped to get with the catchall) bomb out
with 550 Invalid recipient.


HOWEVER, if I reverse the order:


    match from any for domain "domain.com" action "catchall"
    match from any for domain "domain.com" action "local_mail"


... then the catch-all works and I lose all of my aliases.  My aliases
table is not used.  Again, makes sense - the first rule matches and
completes.


-


So, how can I say (pseudocode):

match from any person actually a user or in my aliases table action
"local_mail"


... which would fail for nonexistent addresses, which is GOOD, and then
successfully move down to the catchall match ?



Thanks.




I recall someone on the list trying to solve this problem awhile back. 
As I recall they needed to have a copy of all inbound emails saved for 
some reason or another. I think for their use case they had to run a 
second postfix instance to handle the catchall. Might be worth 
traversing the list archives.



Edgar




Re: mutt can't send emails via localhost 25 with error 503 5.5.1

2022-03-06 Thread Edgar Pettijohn



On 3/6/22 07:58, Pete Long wrote:

On Sun, Mar 06, 2022 at 02:28:54PM +0100, Jiri Navratil wrote:

Hi,

I'm using notebook with OpenBSD and every email from mail and from mutt
goes firstly to  OpenSMTPD on localhost and then are relayed to my
server with static IP.

I have been using in OpenBSD 6.7 for mutt

set smtp_url="smtp://127.0.0.1"

but after switch to OpenBSD 7.0, I'm getting from OpenSMTPD

SMTP session failed: 503 5.5.1 Invalid command: Command not supported

[...]

Hi Jiri,

I have a slightly different configuration but all hosts are on the LAN.

Here are what I believe to be the relevant config lines for Mutt. I'm
using the same version as yourself: Mutt 2.1.3 (2021-09-10), which is
running on OpenBSD 7.0. OpenSMTPD is version 7.0.0.



set smtp_url = "smtp://ch...@chunkymonkey.tld:587/"
set smtp_pass = "superpassw0rd"
set ssl_starttls=yes
set ssl_verify_host=no


Pete.



I'm using thunderbird but it's a similar setup. My smtpd.conf:


edgar@bsd:~ $ cat /usr/local/etc/mail/smtpd.conf
#   $OpenBSD: smtpd.conf,v 1.10 2018/05/24 11:40:17 gilles Exp $

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.
pki localhost cert "/etc/ssl/localhost.crt"
pki localhost key "/etc/ssl/localhost.key"

table aliases file:/etc/mail/aliases
table secrets file:/etc/mail/secrets
table passwd file:/etc/mail/passwd

# To accept external mail, replace with: listen on all
#
listen on lo0 tls pki localhost inet4 auth-optional <passwd>

action "local" maildir alias <aliases>
action "relay" relay host smtp+tls://ed...@mail.obfuscated.com:587 auth <secrets>



# Uncomment the following to accept external mail for domain "example.org"
#
# match from any for domain "example.org" action "local"
match for local action "local"
match from local for any action "relay"
match auth from any for any action "relay"

And then I just point thunderbird to 127.0.0.1 port 25 and it handles 
the rest.


table aliases is stock with the addition of my user.

table secrets contains the relay password.

table passwd is a mapping from my user to a password encrypted using 
smtpctl.



Edgar




Re: Aliases trouble

2022-01-24 Thread Edgar Pettijohn


On 1/24/22 13:36, John Batteen wrote:


Greetings list,

With the following config, with the secondary domain anonymized to 
bd.net: https://batteen.com/smtpd.conf.txt


and "fem: john" contained within /etc/mail/aliases

%{dest.user} is not expanding to the post-alias address as I 
expected.  Emails to f...@batteen.com (it's my power company so I can 
tell if they sold my email, not anything creepy) are being delivered 
to /var/mail/batteen.com/fem/Maildir instead of 
/var/mail/batteen.com/john/Maildir as I expected.


https://batteen.com/smtpdlog.txt

Man smtpd.conf explains: "alias     Use the mapping table for 
aliases(5) expansion." which to me implies that "%{dest.user} user 
part after expansion" would be the user after processing through 
aliases.  However, in order to get the expected behavior, I must use 
%{user.username} instead.


I'm guessing that I've misinterpreted the man page, and would 
appreciate correction in my understanding, but on the off chance I 
have discovered undesired behavior, I bring it to the list.  If 
anything else in my config is less than ideal, I would appreciate 
feedback.


Thank you very much for your time,

John Batteen

It could very well be a dovecot issue. What does your "action" line look 
like for delivering mail.



Edgar


Re: Regex in db table

2021-08-27 Thread Edgar Pettijohn



On 8/26/21 6:25 AM, Jack wrote:

Could you resend with proper line breaks. This is difficult to read.



Sorry, the line breaks got messed up.

I'm using OpenSMTPD 6.8 portable and want to filter on DNS names or HELO
strings with regular expressions. Therefore I created the following
minified config:


$ cat /etc/opensmtpd/smptd.conf
table helotable db:/etc/opensmtpd/helotable.db
filter block_helo phase helo match helo regex <helotable> disconnect
"554 Not welcome"
listen on 0.0.0.0 filter { block_helo }

$ makemaup -U /etc/opensmtpd/helotable.db
myte.t 


However the filter "block_helo" only matches when someone connects with
the verbatim string "HELO myte.t" (with a dot), which is of course not
how regex are supposed to work.
As soon as I replace the database entry with a regular text file (table
helotable file:/etc/opensmtpd/helotable.txt), the regex starts to work,
ie "HELO mytest" or "HELO mytett" are matched.
Question: How can I use regular expressions in db files? Text files
don't seem to be an option, because they are only read on startup so I
cannot update them on the fly.

You can update `file' tables with `smtpctl update table helotable'. If 
it is a bug in the db table I'm willing to bet it won't be fixed. As I 
recall it is on the chopping block. Don't think it's built by default on
portable at least.



Edgar




Re: Regex in db table

2021-08-25 Thread Edgar Pettijohn



On 8/25/21 2:43 AM, Jack wrote:

Hello list,

I already posted this on the bug tracker of OpenSMTPD, but maybe I'm
doing something wrong in the config and you can help me:

I'm using OpenSMTPD 6.8 portable and want to filter on DNS names or HELO
strings with regular expressions. Therefore I created the following
minified config:




||$ cat /etc/opensmtpd/smptd.conf |table helotable
db:/etc/opensmtpd/helotable.db filter block_helo phase helo match helo
regex  disconnect "554 Not welcome" listen on 0.0.0.0 filter
{ block_helo } $ cat /etc/opensmtpd/helotable.txt myte.t
| However the filter block_helo only
matches when someone connects with the verbatim string "HELO myte.t"
(with a dot). As soon as I replace the database entry with a regular
text file, the regex starts to work, ie "HELO mytest" or "HELO mytett"
are matched. How can I use regular expressions in db files? Text files
don't seem to be an option, because they are only read on startup so I
cannot update them on the fly. Thanks in advance. ||



Could you resend with proper line breaks. This is difficult to read.


Edgar




Re: Syntax Error

2021-08-05 Thread Edgar Pettijohn



On 8/5/21 9:56 AM, Vigneshwaran Ravichandran wrote:

Hi Thomas,

I am attaching my log file for reference.

-Original Message-
From: Thomas Bohl 
Sent: Thursday, 5 August, 2021 10:24 PM
To: misc@opensmtpd.org
Subject: Re: Syntax Error


I am Vigneshwaran R @ vgnshlvnz. I am a FreeBSD OS enthusiast. Recently I tried 
to deploy opensmtpd in FreeBSD 12.2-RELEASE, I get syntax error when I run 
`smtpd -n`. I have attached the file for reference. Can someone point out the 
issue?


Probably because you are using the old syntax. Not sure how it's even
starting up though. Also the maillog shows multiple permission errors 
early on and one of the daemons closes its socket if I'm reading 
correctly. I would do a `pgrep smtpd` and make sure all the daemons are 
still running. Off the top of my head I think there should be 4 or 5 going.



Edgar


Since you didn't show your error message, I got to assume it's the fact that the
file has CR LF at the end of a line (Windows encoding for a new
line) instead of just LF (what *nix systems expect).





Re: rspamd issue

2021-06-09 Thread Edgar Pettijohn



On 6/9/21 4:42 PM, Diana Eichert wrote:

I setup an email server following the guide here,
https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/

I did this over a year ago, however I never actively used this system
to receive external email.  I originally set it up as 6.7, then
performed sysupgrades along the way to 6.9.

I just realized the system has an issue with rspamd filter , however I
am unsure how to troubleshoot the issue.  rspamd is running, however I
never see anything in rspamd logs

Here is the error log

Jun  9 15:01:07 mail smtpd[65808]: e819ce7095fd1031 smtp connected
address=66.175.222.108 host=mail02.groups.io
Jun  9 15:01:07 mail smtpd[12968]: senderscore: link-connect
addr=66.175.222.108 score=94
Jun  9 15:01:08 mail smtpd[65808]: e819ce7095fd1031 smtp tls
ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
Jun  9 15:01:08 mail smtpd[65808]: e819ce7095fd1031 smtp cert-check
result="no certificate presented"
Jun  9 15:01:09 mail smtpd[12968]: rspamd: failed to receive a
response from daemon
Jun  9 15:01:10 mail smtpd[65808]: e819ce7095fd1031 smtp
failed-command command="DATA" result="421 server internal error"
Jun  9 15:01:10 mail smtpd[65808]: e819ce7095fd1031 smtp disconnected
reason=quit

I appreciate any pointers

diana

I would recommend running rspamd in the foreground and see what it says 
when it gets a connection and go from there.



Edgar




Re: How to copy all outgoing mails based on sender definition

2021-06-08 Thread Edgar Pettijohn
Sorry for spamming the list, but noticed that part of the script was 
missing for some reason.


line 66 should be concluded with 


Edgar

On 6/8/21 4:31 PM, Edgar Pettijohn wrote:


On 6/7/21 6:52 PM, Edgar Pettijohn wrote:


On 6/7/21 6:35 PM, Thomas Bohl wrote:
So I have a list of users defined on a server and I want to copy 
all mails of users with a specific mail domain.


I don't think that is possible without writing a custom filter or mda.



Do you need a copy of all:

a) incoming mails

b) outgoing mails

c) all of the above


Edgar



Attached is a barely tested archive script.


filter archive proc-exec "/path/to/script.pl"

listen on egress port 587 auth  filter "archive"


Edgar






Re: How to copy all outgoing mails based on sender definition

2021-06-08 Thread Edgar Pettijohn


On 6/7/21 6:52 PM, Edgar Pettijohn wrote:


On 6/7/21 6:35 PM, Thomas Bohl wrote:
So I have a list of users defined on a server and I want to copy 
all mails of users with a specific mail domain.


I don't think that is possible without writing a custom filter or mda.



Do you need a copy of all:

a) incoming mails

b) outgoing mails

c) all of the above


Edgar



Attached is a barely tested archive script.


filter archive proc-exec "/path/to/script.pl"

listen on egress port 587 auth  filter "archive"


Edgar




filter-archive.pl
Description: Perl program


Re: How to copy all outgoing mails based on sender definition

2021-06-07 Thread Edgar Pettijohn



On 6/7/21 6:35 PM, Thomas Bohl wrote:
So I have a list of users defined on a server and I want to copy all 
mails of users with a specific mail domain.


I don't think that is possible without writing a custom filter or mda.



Do you need a copy of all:

a) incoming mails

b) outgoing mails

c) all of the above


Edgar




Re: Relay based on either auth or cert?

2021-05-12 Thread Edgar Pettijohn
On May 11, 2021 8:35 PM, Sean Kamath  wrote:

I was pondering a message Gilles Chehade commented on (https://narkive.com/2puCGKoq.4) a very long time ago.

He said:

> The cert verification happens at the transport level, not the SMTP level
> and an invalid certificate will cause TLS to abort and close connection.
>
> You can use this for example to have your local CA issue certificates to
> a set of internal machines and have the mail gateway accept relaying for
> these machines without authentication.
>
> You can also use this to ensure that users have a two-factor auth, their
> credentials no longer are enough to relay, they would also have to use a
> valid certificate issued by your CA. if their credentials are stolen, it
> will not allow people to use the server as a spamming center.
>
> Or you could decide to authenticate users using certificates and not the
> traditional user/password mechanism. A client will then have to show you
> a valid certificate otherwise connection will drop at TLS negotiation.

What I’m wondering is if there is a way to do both on the submission port (one of two factors, either being sufficient for relaying).

In other words, accept mail on the submission port from either an authenticated user using a password, or verify they are using a certificate.  I don’t want to require users using a password to use a cert, and I don’t want users using a cert be required to authenticate with a password.  Is this possible?

Sean

You may be able to coax `auth-optional' to do what you want.

Edgar

Re: Relay based on either auth or cert?

2021-05-12 Thread Edgar Pettijohn
On May 11, 2021 8:35 PM, Sean Kamath  wrote:

I was pondering a message Gilles Chehade commented on (https://narkive.com/2puCGKoq.4) a very long time ago.

He said:

> The cert verification happens at the transport level, not the SMTP level
> and an invalid certificate will cause TLS to abort and close connection.
>
> You can use this for example to have your local CA issue certificates to
> a set of internal machines and have the mail gateway accept relaying for
> these machines without authentication.
>
> You can also use this to ensure that users have a two-factor auth, their
> credentials no longer are enough to relay, they would also have to use a
> valid certificate issued by your CA. if their credentials are stolen, it
> will not allow people to use the server as a spamming center.
>
> Or you could decide to authenticate users using certificates and not the
> traditional user/password mechanism. A client will then have to show you
> a valid certificate otherwise connection will drop at TLS negotiation.

What I’m wondering is if there is a way to do both on the submission port (one of two factors, either being sufficient for relaying).

In other words, accept mail on the submission port from either an authenticated user using a password, or verify they are using a certificate.  I don’t want to require users using a password to use a cert, and I don’t want users using a cert be required to authenticate with a password.  Is this possible?

Sean

You could have separate listen directives on separate ports. Of course the users would have to set up their clients correctly.

Edgar

Re: dkim signing integrated in opensmtpd?

2021-05-10 Thread Edgar Pettijohn
On May 10, 2021 9:35 AM, Harald Dunkel  wrote:

On 5/10/21 3:14 PM, Martijn van Duren wrote:
> There's filter-dkimsign in packages, which is also mentioned in
> smtpd.conf. I don't think there's a more lightweight solution
> possible.
>

I had found your web site
https://palant.info/2020/11/09/adding-dkim-support-to-opensmtpd-with-custom-filters/,
but it mentioned
building opensmtpd-filter-dkimsign from "some Dutch web server".
I didn't expect a package.

Actually I am running my major MTA with sendmail, still. The
problem in this configuration is, the opendkim milter is called
before masquerading is done. opendkim signs a header that is
modified by sendmail later. (There are some workarounds, but they
are unreliable.)

Is there a similar pitfall for opensmtpd-filter-dkimsign and
opensmtpd?

Regards
Harri

I'm not masquerading but I doubt you will have any issues.

Edgar

[patch] RCPT TO with quoted user part

2021-04-10 Thread Edgar Pettijohn
Added a block to smtp_mailaddr() in smtp_session.c to allow for quoted
usernames. Only tested on my laptop and seems to work. However, I'm
thinking it might should be moved past the point of splitting on ':'.

Edgar
Index: smtp_session.c
===
RCS file: /cvs/src/usr.sbin/smtpd/smtp_session.c,v
retrieving revision 1.429
diff -u -p -u -r1.429 smtp_session.c
--- smtp_session.c  5 Mar 2021 12:37:32 -   1.429
+++ smtp_session.c  10 Apr 2021 12:57:55 -
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtp_session.c,v 1.429 2021/03/05 12:37:32 eric Exp $ */
+/* $OpenBSD: smtp_sesson.c,v 1.429 2021/03/05 12:37:32 eric Exp $  */
 
 /*
  * Copyright (c) 2008 Gilles Chehade 
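Review bot: The $OpenBSD$ id line at the top of the file should not be part of this patch: the + line misspells the file name as smtp_sesson.c and changes the whitespace before the closing comment marker, and the tag is maintained by CVS rather than edited by hand. Drop this hunk so the diff carries only the smtp_mailaddr() change.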
@@ -2224,7 +2224,7 @@ static int
 smtp_mailaddr(struct mailaddr *maddr, char *line, int mailfrom, char **args,
 const char *domain)
 {
-   char   *p, *e;
+   char   *p, *e, *q, *s;
 
if (line == NULL)
return (0);
@@ -2233,15 +2233,28 @@ smtp_mailaddr(struct mailaddr *maddr, ch
return (0);
 
e = strchr(line, '>');
+
if (e == NULL)
return (0);
+
*e++ = '\0';
+
while (*e == ' ')
e++;
*args = e;
 
if (!text_to_mailaddr(maddr, line + 1))
return (0);
+
+   q = strchr(maddr->user, '"');
+   if (q != NULL) {
+   q++;
+   s = strrchr(q, '"');
+   if (s == NULL)
+   return (0);
+   *s = '\0';
+   memmove(maddr->user, q, strlen(q) + 1);
+   }
 
p = strchr(maddr->user, ':');
if (p != NULL) {
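Review bot: The new quote handling in smtp_mailaddr() accepts more than a quoted local part. `q = strchr(maddr->user, '"')` finds the first quote anywhere in the user, the memmove() then discards whatever preceded it, and `*s = '\0'` discards whatever follows the last quote, so a user of the form a"b"c is silently rewritten to b, and "" leaves an empty user. Suggest requiring maddr->user[0] == '"' and that s points at the final character of the string, returning 0 otherwise, and rejecting an empty result. The block also runs only after text_to_mailaddr() has returned success, so it relies on that function letting the quotes through; a comment saying so would help. Backslash-escaped characters inside the quotes are copied through unchanged, which deserves either handling or a note. The blank lines added around the `e` handling earlier in the hunk are unrelated whitespace changes and should be left out.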


Re: RCPT syntax error from bank

2021-04-04 Thread Edgar Pettijohn
On Apr 4, 2021 5:36 PM, "Anthony J. Bentley"  wrote:

Hi Peter,

Peter Nicolai Mathias Hansteen writes:
> It's interesting that the subject turns up here, when there is a
> fresh (and good IMO) blog post out about email address validation out,
> "Your E-Mail Validation Logic is Wrong"
>  by Jan Schaumann

This seems to suggest the problem is in the opposite direction: that
OpenSMTPD is wrong to reject "user"@example.com, and perhaps also
wrong to not map "user"@example.com to u...@example.com.

-- 
Anthony J. Bentley

It would be wrong if the "user"@example.com was an actual username. I don't think smtpd should have any hard coded mappings built in. I believe the real problem is the bank's server decided to change your email username to another valid username without your consent. Luckily it's your server and you can see what happened.

Edgar

Re: RCPT syntax error from bank

2021-04-04 Thread Edgar Pettijohn
On Sun, Apr 04, 2021 at 07:03:47AM -0600, Anthony J. Bentley wrote:
> Hi,
> 
> I had an interesting occurrence today... I was performing an action
> that required a confirmation code from my bank, which they sent by
> email. Unfortunately the mail never arrived, because:
> 
> Apr  4 03:25:16 axx smtpd[59645]: fdc8f818f7adb2aa smtp failed-command
> command="RCPT TO:<"username"@example.com>"
> result="501 5.1.3 Recipient address syntax error"
> 
> I assume the double quotes in there were the problem. I had to switch
> to a GMail account to receive it.
>

It is. Seemed like a good problem for a filter to solve, but it looks like
smtpd verifies the syntax before sending to filterland.

You should write their postmaster and complain.

Edgar
> -- 
> Anthony J. Bentley
> 



Re: Pluses in addresses do not work as expected

2021-01-31 Thread Edgar Pettijohn
On Sun, Jan 31, 2021 at 04:24:28PM -0600, Chris Bennett wrote:
> On Sun, Jan 31, 2021 at 03:51:01PM +0100, Pascal Huisman wrote:
> > Which got me out of the mess. See man smtpd.conf
> > It now switches to the user before delivering. So it's not vmail as
> > directory owner, but the username who is directory owner. In the trace
> > you can see the switch in user in the trace.
> > 
> > My virtual user config: 
> > pascal:someencryptedpasswdhash:pascal:1000:1000:/home/pascal::userdb_ma
> > il=maildir:/home/pascal/Maildir
> > 
> 
> The example in smtpd.conf shows:
> 
> action "outbound" relay host smtp+tls://b...@smtp.example.com auth secrts
> ^^^
> Having bob here completely confuses me.
> I'm not using this method, but I have to ask the question:
> What happens if you have two users, bob and jane? Or a hundred users?

You would need to create a credentials table mapping the label `bob' to his
credentials. Along with your other 100 users. You would then need to have
match rules to correspond to their action rules. I don't really see much need
since you could just configure their mua's to do this. I think the majority of
people use this so that their system mail reaches them. Such as the output
from /etc/daily and the like.

> It seems to me that there needs to be a table or something in
> smtpd.conf.

See table(5) under credential tables.

> Could someone explain this example to me, please.
> 
> I'd really like to remove my dunce cap on this one.
> Thanks,
> Chris Bennett
> 
> 
> 

Edgar



Re: mails not sent when using alias as recipient

2021-01-17 Thread Edgar Pettijohn
On Sun, Jan 17, 2021 at 06:33:29PM +0100, Yvan Masson wrote:
> Hi list,
> 
> I have two Debian servers that need to be able to send notification emails
> via a relay. Their configuration is identical, but only the first works
> properly. On the second, sending to aliases does not work:
> 
> 
> $ echo foo | mail -s test y...@masson-informatique.fr
> -> works
> 
> $ echo foo | mail -s test root
> mail: cannot send message: Process exited with a non-zero status
> -> does not work :-(
> 
> 
> Unfortunately after two hours digging I still can't find where the issue
> lies… Any pointer would be greatly appreciated!
> 
> Best regards,
> Yvan
> 
> 
> # smtpd -d -T lookup
> 82908be87cc7fef7 smtp event=connected address=local host=debian
> lookup: check "local" as NETADDR in table static: -> found
> lookup: check "server.foo.fr" as DOMAIN in table static: -> 0
> lookup: check "local" as NETADDR in table static: -> found
> lookup: check "server.foo.fr" as DOMAIN in table static: -> 0
> 82908be87cc7fef7 smtp event=failed-command address=local host=debian
> command="RCPT TO: " result="550 Invalid recipient"
> 
> 82908be87cc7fef7 smtp event=closed address=local host=debian
> reason=disconnect
> 
> 
> $ cat /etc/smtpd.conf
> listen on localhost
> # If you edit the file, you have to run "smtpctl update table aliases"
> table aliases file:/etc/aliases
> table secrets file:/etc/smtpd.secrets
> accept for local \
> alias <aliases> \
> deliver to mbox
> accept for domain masson-informatique.fr \
> relay via secure+auth://y...@mail.infomaniak.com:587 \
> auth <secrets> \
> as y...@masson-informatique.fr
> 
> 
> $ cat /etc/aliases
> root: y...@masson-informatique.fr

r...@server.foo.fr: y...@masson-informatique.fr

> 
> 
> $ cat /etc/hostname
> 127.0.0.1   localhost
> 127.0.1.1   server.foo.fr serveur
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> 






Re: warn: table-proc: pipe closed (Probably mySQL-hassle and a newbie-question)

2020-08-15 Thread Edgar Pettijohn
On Sun, Aug 16, 2020 at 02:15:52AM +0200, Fabian Müller wrote:
> 
> is your user allowed to connect to the host above?
> 
> ** Which host do you mean? mx01 is allowed to connect to db (ha-proxy) and 
> even db1, db2, db3 directly (which I also tried, but did not change 
> anything). And the internet is allowed to connect to mx1. Or did you mean the 
> mda1? mda1 is not yet set up.
>

The user from mysql.conf needs to be able to connect to the mysql server
found at host db.[removed for privacy].

> > username [removed for privacy]
> > password [removed for privacy]
> > database [removed for privacy]
> >
> > query_credentials SELECT email, password FROM virtual_users WHERE email=?;
> > query_domain SELECT name FROM virtual_domains WHERE name=?;
> > query_userinfo SELECT uid,gid,maildir FROM virtual_users WHERE email=?;
> > query_alias SELECT destination FROM virtual_aliases WHERE source=?;
>
> # Further explanations: What I've tried
> First I guess the error has something to do with the mysql-stuff.
>
> But I am really really confused about the whole mysql-tables thing and can't
> find a place where actually somebody explained (or documented) how it works.
>
> Have you tried:
>
> man table-mysql
>
> Perhaps it's missing if so you can find it on github.
>
> ** I found the source for a man that sheds light on what those config options
> are for.
>
> But that actually doesn’t help me with the error which occurs or if they
> are needed.
>
> By taking a look at table_proc.c from the opensmtpd source on github I guess
>
> > warn: table-proc: pipe closed
>
> means that opensmtpd got an empty response when trying to do something (?)
> with a table. I am unsure what opensmtpd is trying to do with the table.
> Strangely it isn’t even trying to connect to the db-server (tcpdump
> unrevals that).
>

table-proc is a separate process if I'm not mistaken that needs to talk
to the table-mysql which is a separate process. If the pipe is closed
they can't talk to each other.

> So what we know: It has something to do with the mysql-tables. What I don’t
> understand is, what opensmtpd is trying to do which leads to that error. To
> my understanding opensmtpd should only try to connect to the database if it
> needs to read from the tables, which – if just starting up – obviously is
> not the case.
> 
>

If you try something like:

# smtpd -dv

You should get some useful messages from table-mysql if it's not
connecting or what have you.

Edgar



Re: warn: table-proc: pipe closed (Probably mySQL-hassle and a newbie-question)

2020-08-15 Thread Edgar Pettijohn
On Sun, Aug 16, 2020 at 12:13:41AM +0200, Fabian Müller wrote:
> Hi!
>
> I am hopefully a new opensmtpd user and before I’ll start off with my first
> newbie question I’d be happy to briefly introduce myself: I’m Fabian from
> Germany. Actually I am studying German law, but as – in opposite to legal
> work – anyone who wants to can "do" IT-stuff I’ve also been in IT
> since I left school. Together with some friends I own a small IT-company
> which makes me here and there a few bucks but is actually there more for the
> fun rather than the profit. During school-time I’ve already run a mailserver
> (postfix + dovecot, but that actually doesn’t mean I’ve known anything
> about mail ;)) but after we started offering services to businesses we
> somehow switched over to an all in one solution (plesk).
>
> As those AiO-solutions sucks because they are a blackbox and debugging is a
> nightmare we've decided to do hosting ourself again. And as I am the only one
> of us who is motivated to dive into mail, it became my part. So after some
> days googling around and spending a serious amount of time on youtube
> watching mail-server-congress-talks I decided to go with a setup including
> opensmtpd rather than postfix. As the best way to start with something is to
> start trying I span up a few cloud-servers and started trying. As expected I
> ran into problems but – not expected – reading the man and googling
> around couldn't solve them.
> 
> So that's how I ended up here, hoping for your help!
> 
> # General Setup
> 1. OpenSMTPD (tables via mysql, delivering via lmtp)
> 2. Dovecot (not yet set up)
> 3. MariaDB Galera Cluster as Backend-Database
> 
> # The Problem
> I'm getting the following error and can't connect to port 25 from outside 
> world (telnet port 25).

Are you sure your ISP isn't blocking you? Can you connect to a non
standard port or the submission port from outside?

listen on egress port 5000

telnet yourhost.com 5000

> 
> > Aug 15 23:17:25 mx01 smtpd[32458]: info: OpenSMTPD 6.0.3-portable starting
> > Aug 15 23:17:25 mx01 smtpd[32462]: warn: table-proc: pipe closed
> > Aug 15 23:17:25 mx01 smtpd[32462]: lookup: table-proc: exiting
> > Aug 15 23:17:25 mx01 smtpd[32459]: smtpd: process lka socket closed 
> 

Is mysqld up and running? Have you verified from the command line that
your username and password are correct?

mysql --user=username --password=password dbase

> # Host-System
> OS: Debian 10
> OpenSMTPd: 6.0.3p1-5+deb10u4
> Openssmtpd-extras: 5.7.1-4+b2
> 
> # /etc/smtpd.conf
> > # Set variables
> > ipv4addr = [removed for privacy]
> > hostn = mx01.[removed for privacy]
> >
> > # compresses the queue, encrypts it and deletes after 4 hours (optional)
> > #queue compression
> > #queue encryption key "[removed for privacy]"
> > #expire 4h
> >
> > # Add certificates
> > pki mx01.[removed for privacy] certificate "/etc/ssl/mx01.[removed for privacy].crt"
> > pki mx01.[removed for privacy] key "/etc/ssl/private/mx01.[removed for privacy].key"
> >
> > # Load relevant tables
> > table domains mysql:/etc/mail/mysql.conf
> > table credentials mysql:/etc/mail/mysql.conf
> >
> > # Listen
> > listen on $ipv4addr port smtp tls
> > listen on $ipv4addr smtps pki mx01.mx.itsmind.dev auth <credentials>
> > listen on $ipv4addr port submission tls-require pki mx01.mx.itsmind.dev auth <credentials>
> >
> > # Accept and forward e-mails
> > accept from any for domain <domains> deliver to lmtp "mda1:24"
> > accept for any relay
> 
> # /etc/mail/mysql.conf
> > host db.[removed for privacy]

is your user allowed to connect to the host above?

> > username [removed for privacy]
> > password [removed for privacy]
> > database [removed for privacy]
> > 
> > query_credentials SELECT email, password FROM virtual_users WHERE email=?;
> > query_domain SELECT name FROM virtual_domains WHERE name=?;
> > query_userinfo SELECT uid,gid,maildir FROM virtual_users WHERE email=?;
> > query_alias SELECT destination FROM virtual_aliases WHERE source=?;
> 
> # Further explanations: What I've tried
> First I guess the error has something to do with the mysql-stuff.
> 
> But I am really really confused about the whole mysql-tables thing and can't 
> find a place where actually somebody explained (or documented) how it works.

Have you tried:

man table-mysql

Perhaps it's missing; if so you can find it on GitHub.

> 
> In the beginning I thought it works like if I write 
> 
> > table domains mysql:/etc/mail/mysql.conf
> 
> to the smtpd.conf the value domains is retrieved from what's stated after
> 
> query_domains  (query_domains because the name of the table is domains. So 
> from my guess table example would translate to query_example).
> 
> Therefore I only had one line 
> 
> query_domain SELECT name FROM virtual_domains WHERE name=?;
> 
> in my mysql.conf. I've also tried using $1 instead of ?. After every conf I 
> found in the internet (about 3) had query_credenti

Re: Is LDAP+SSL supported?

2020-07-25 Thread Edgar Pettijohn
On Sat, Jul 25, 2020 at 02:26:27PM +0200, Éloi Rivard wrote:
> > In my opinion, table-ldap from extras is doomed as it relies on a lib
> > that
> > is barely maintained and doing LDAP asynchronously is painful. 
> 
> Are you saying the support for table-ldap may stop in a near future?
> 
> > I doubt the
> > code will go much further than it currently does.
> However, would you still accept patches for ldaps support?
> 
> > If the table-procexec work I documented on my blog gets pushed to
> > OpenBSD,
> > then it will ease the writing of a table-ldap with a modern library.
> I will keep an eye on this then.

I think the plan is to move to the table-procexec. Similar to the
filters and you would be able to write an ldap backend in any language.

Edgar



Re: Help to adapt "Setting up a mail server with OpenSMTPD, Dovecot and Rspamd"

2020-07-19 Thread Edgar Pettijohn
table-passwd can be found here:

https://github.com/OpenSMTPD/OpenSMTPD-extras

On Mon, Jul 13, 2020 at 05:23:20PM -0300, Leandro Peracchi wrote:
> Scenario: hypno.cat expanded inside a Raspberry Pi 4 with Arch Linux, three
> breeds (domains), two virtual users and one local user.
> 
> 
> - Raspberry Pi 4 Model B Rev 1.2 with 4 GB RAM and 64 GB SD Card
> 
> - Arch Linux ARM armv7l with kernel 5.4.50-1-ARCH
> 
> - OpenSMTPD 6.7.1p1-4, Dovecot 2.3.10.1-1 and Rspamd 2.5-2
> 
> - three domains [ birman.com persian.com siamese.com ]
> 
> - same two virtual users on each domain [ daddy mommy ]
> 
> - one ip address [ a.b.c.d ]
> 
> - one local user [ user ]
> 
> 
> DNS records:
> 
> 
> birman.com A a.b.c.d
> 
> birman.com MX 10 mail.birman.com
> 
> birman.com TXT "v=spf1 mx -all"
> 
> _dmarc birman.com TXT "v=DMARC1;p=none;pct=100;rua=mailto:postmaster@
> birman.com;"
> 
> 20200713._domainkey birman.com TXT "v=DKIM1;k=rsa;p=MIG...QAB;"
> 
> mail birman.com A a.b.c.d
> 
> 
> * same for persian.com and siamese.com with respective changes in domain
> name
> 
> 
> Created a local user to manage the six virtual mailboxes.
> 
> 
> $ sudo useradd -m -c "Virtual Mail" -d /var/mail/vmail -s /sbin/nologin
> vmail
> 
> 
> I got the certificates with LetsEncrypt.
> 
> 
> $ sudo certbot --nginx --agree-tos --no-eff-email --redirect --hsts
> --staple-ocsp --email personal.em...@gmail.com -d mail.birman.com
> 
> 
> Generate keys for DKIM.
> 
> 
> $ sudo mkdir /etc/smtpd/dkim
> 
> $ sudo openssl genrsa -out /etc/smtpd/dkim/birman.com.key 1024
> 
> $ sudo openssl rsa -in /etc/smtpd/dkim/birman.com.key -pubout \
> 
> -out /etc/smtpd/dkim/birman.com.pub
> 
> $ sudo chown -R rspamd:rspamd /etc/smtpd/dkim
> 
> 
> * same for persian.com and siamese.com with respective changes in domain
> name
> 
> 
> In this learning setup will exist six virtual mailboxes and three email
> addresses delivering to the local user "user" (u...@birman.com,
> u...@persian.com and u...@siamese.com).
> 
> 
> Under /home/user/Maildir will be mail sent for u...@birman.com,
> u...@persian.com and u...@siamese.com.
> 
> 
> At /var/mail/vmail will exist three directories (birman.com, persian.com
> and siamese.com) and below each of these directories will exist two
> directories (daddy and mommy) which in turn will have the Maildir directory
> to store mail.
> 
> 
> Also I would like OpenSMTPD to use the respective domain/certificate when
> receiving or sending mail (based on the domain of the user receiving or
> sending).
> 
> 
> I can get all "parts" ready to work but cannot create the appropriate files
> to OpenSMTPD and Dovecot make this scenario work.
> 
> 
> If this scenario is possible and someone with more knowledge could provide
> the configuration for smtpd.conf and dovecot.conf I would be grateful.
> 
> 
> It has been two weeks trying to understand/consolidate several pieces of
> information from the Internet without success. Also I find other problems
> on the way. First I tried with Manjaro ARM (64-bit). Could not get rspamd
> to start. Then I tried Ubuntu 20.04. Some packages aren't available. Tried
> to put OpenBSD or FreeBSD on Raspberry, can't either. Get all "parts" ready
> on Arch Linux. I'm learning a lot, but some help now would be great!
> 
> 
> Thanks!



Re: Help to adapt "Setting up a mail server with OpenSMTPD, Dovecot and Rspamd"

2020-07-14 Thread Edgar Pettijohn
On Tue, Jul 14, 2020 at 10:10:23PM -0300, Leandro Peracchi wrote:
> I made some progress, all services start without errors.
> 
> When tried to send a test mail from Gmail to my server, got the error:
> 
> smtpd[727]: ny express[727]: c2a5ef6f793addab mda delivery
> evpid=567ebdf9f826cf44
>   from= to= rcpt=
> user=vmail
>   delay=4m10s result=TempFail stat=Error
>   (temporary failure: "mail.lmtp: LMTP server error: 550 5.1.1 <
> mo...@birman.com> User doesn't exist: mo...@birman.com")
> 
> Below are my conf files
> 
> 
> /etc/smtpd/smtpd.conf
> =
> pki mail.birman.com cert "/etc/letsencrypt/live/
> mail.birman.com/fullchain.pem"
> pki mail.birman.com key  "/etc/letsencrypt/live/mail.birman.com/privkey.pem"
> 
> #pki mail.persian.com cert "/etc/letsencrypt/live/
> mail.persian.com/fullchain.pem"
> #pki mail.persian.com key  "/etc/letsencrypt/live/
> mail.persian.com/privkey.pem"
> 
> srs key "j1wFzMlJEb1w81mqWC1NpKRsMJBzeKavii+ALQ8W"
> #srs key backup ""
> 
> filter check_dyndns phase connect match rdns regex { '.*\.dyn\..*',
> '.*\.dsl\..*' } \
>   disconnect "550 no residential connections"
> 
> filter check_rdns phase connect match !rdns \
>   disconnect "550 no rDNS is so 80s"
> 
> filter check_fcrdns phase connect match !fcrdns \
>   disconnect "550 no FCrDNS is so 80s"
> 
> filter senderscore \
>   proc-exec "filter-senderscore -blockBelow 10 -junkBelow 70 -slowFactor
> 5000"
> 
> filter rspamd proc-exec "filter-rspamd"
> 
> table aliases  file:/etc/smtpd/aliases
> table domains  file:/etc/smtpd/domains
> table passwds  file:/etc/smtpd/passwds

See note below about passwd-file.

> table virtuals file:/etc/smtpd/virtuals
> 
> listen on 0.0.0.0 tls pki mail.birman.com \
>   filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
> 
> listen on 0.0.0.0 port submission mask-src tls-require pki mail.birman.com
> auth  \
>   filter rspamd
> 
> action "RECV" lmtp "/var/run/dovecot/lmtp" rcpt-to virtual 
> match from any for domain  action "RECV"
> 
> action "SEND" relay srs helo mail.birman.com
> match from any auth for any action "SEND"
> 
> 
> /etc/smtpd/aliases
> ==
> vmail:  /dev/null
> 
> root:   user
> user:   da...@birman.com
> 
> 
> /etc/smtpd/domains
> ==
> birman.com
> persian.com
> siamese.com
> 
> 
> /etc/smtpd/mailname
> ===
> mail.birman.com
> 
> 

If you are trying to use passwd-file format you need to install the
passwd backend.

> /etc/smtpd/passwds
> ==
> da...@birman.com:$6$...::
> mo...@birman.com:$6$...::
> da...@persian.com:$6$...::
> mo...@persian.com:$6$...::
> da...@siamese.com:$6$...::
> mo...@siamese.com:$6$...::
> 
> 
> /etc/smtpd/virtuals
> ===
> da...@birman.com   vmail
> mo...@birman.com   vmail
> 
> da...@persian.com   vmail
> mo...@persian.com   vmail
> 
> da...@siamese.com   vmail
> mo...@siamese.com   vmail
> 
> 
> /etc/dovecot/dovecot.conf
> =
> listen = 0.0.0.0
> 
> ssl = required
> ssl_cert =  ssl_key  =  
> ssl_min_protocol = TLSv1.2
> ssl_prefer_server_ciphers = yes
> 
> disable_plaintext_auth = yes
> 
> protocols = lmtp imap
> 
> service lmtp {
> unix_listener lmtp {
> user  = vmail
> group = vmail
> }
> }
> 
> service imap-login {
> inet_listener imaps {
> port = 993
> }
> }
> 
> passdb {
> driver = passwd-file
> args = scheme=SHA512-CRYPT username_format=%n /etc/dovecot/users
> }
>

username_format=%u

Since your database has the full username. Or you can probably just omit
it.

> userdb {
> driver = passwd-file
> args = username_format=%n /etc/dovecot/users
> override_fields = uid=vmail gid=vmail home=/var/mail/vmail/%d/%n
> }
> 
> mail_location = maildir:~/Maildir
> 
> 
> /etc/dovecot/users
> ==
> da...@birman.com:{SHA512-CRYPT}$6$...
> mo...@birman.com:{SHA512-CRYPT}$6$...

Good luck,

Edgar



Re: mail log oddity

2020-06-11 Thread Edgar Pettijohn
On Thu, Jun 11, 2020 at 04:26:37PM -0700, Niklas wrote:
> I'm curious what this would actually accomplish on a vulnerable server.
> 
> There's no path or executable its trying to find in its iterations. This 
> looks more like an arbitrary shell command meant to act as a scan/test to 
> find vulnerable servers without fully leveraging the exploit.
> 
> If you had the IP it originates from it could tell you a lot.
> 
> On Jun 10, 2020 8:08 PM, Ryan Kavanagh wrote:

61.148.74.134

Edgar

> >
> > On Wed, Jun 10, 2020 at 10:00:08PM -0500, Edgar Pettijohn wrote: 
> > > Saw this in the maillog today. Any ideas what they are trying to do? 
> > > 
> > >  249c054a86af9328 smtp failed-command command="MAIL FROM: <;for i in 0 1 
> > >2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>" result="530 5.5.1 
> > >Invalid command: Must issue an AUTH command first" 
> >
> > My guess is that they're trying to exploit CVE-2020-7247. Search the 
> > advisory text for that command: 
> >
> > https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt 
> >
> > Best, 
> > Ryan 
> >
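
Added example, not part of the thread: a small Python scan for the pattern discussed here, a rejected MAIL FROM or RCPT TO whose address contains shell metacharacters, tied back to the peer address of the session. The sample log is constructed (only the failed-command text is the one quoted in this thread); the "smtp connected address=..." line format and the metacharacter set are assumptions of the example.

```python
import re

# Characters that mean something to /bin/sh and are not expected inside an
# envelope address. Assumption of this example: any of them is worth a look;
# tune the set if your users have unusual local parts.
SHELL_META = set(";|&`$(){}<>\\ \t")

# "<16 hex session id> smtp <event> <rest>", wherever the syslog prefix ends.
EVENT_RE = re.compile(r"\b(?P<sid>[0-9a-f]{16}) smtp (?P<event>[a-z-]+)(?P<rest>.*)$")
# Greedy on purpose: the command text is attacker-controlled and may itself
# contain '" result="', so anchor on the LAST occurrence, which smtpd wrote.
FAILED_RE = re.compile(r'command="(?P<cmd>.*)" result="(?P<result>.*)"\s*$')
ADDRESS_RE = re.compile(r"\baddress=(\S+)")
ENVELOPE_RE = re.compile(r"^\s*(MAIL FROM|RCPT TO):\s*<(.*)>", re.IGNORECASE)


def find_probes(lines):
    """Return one record per rejected MAIL FROM / RCPT TO whose address
    contains shell metacharacters, with the peer address when it was logged."""
    peers = {}  # session id -> address seen on the "smtp connected" line
    hits = []
    for line in lines:
        event = EVENT_RE.search(line.rstrip("\n"))
        if not event:
            continue
        sid, kind, rest = event.group("sid", "event", "rest")
        if kind == "connected":
            address = ADDRESS_RE.search(rest)
            if address:
                peers[sid] = address.group(1)
        elif kind == "disconnected":
            peers.pop(sid, None)
        elif kind == "failed-command":
            failed = FAILED_RE.search(rest)
            envelope = failed and ENVELOPE_RE.match(failed.group("cmd"))
            if not envelope:
                continue
            meta = sorted(set(envelope.group(2)) & SHELL_META)
            if meta:
                hits.append({
                    "session": sid,
                    "peer": peers.get(sid),  # None if the connect line was not seen
                    "verb": envelope.group(1).upper(),
                    "argument": envelope.group(2),
                    "meta": meta,
                    "result": failed.group("result"),
                })
    return hits


# Constructed sample: timestamps, hostnames, PIDs and peer addresses are made up.
SAMPLE_LOG = [
    "Jun 10 21:58:40 mail smtpd[4242]: 249c054a86af9328 smtp connected "
    "address=192.0.2.44 host=192.0.2.44",
    "Jun 10 21:58:41 mail smtpd[4242]: 249c054a86af9328 smtp failed-command "
    'command="MAIL FROM: <;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>" '
    'result="530 5.5.1 Invalid command: Must issue an AUTH command first"',
    "Jun 10 21:58:41 mail smtpd[4242]: 249c054a86af9328 smtp disconnected reason=quit",
    "Jun 10 22:03:10 mail smtpd[4242]: 3b1f0c9d2e4a5f60 smtp connected "
    "address=198.51.100.7 host=mx.example.net",
    "Jun 10 22:03:11 mail smtpd[4242]: 3b1f0c9d2e4a5f60 smtp failed-command "
    'command="MAIL FROM: <alice@example.net> SIZE=2048" '
    'result="530 5.5.1 Invalid command: Must issue an AUTH command first"',
]

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit["peer"], hit["session"], hit["verb"], repr(hit["argument"]))
```

This only sees attempts that smtpd rejected and logged as failed-command; a MAIL FROM that was accepted leaves no such line, so a clean result here says nothing about whether the server is patched.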



mail log oddity

2020-06-10 Thread Edgar Pettijohn
Saw this in the maillog today. Any ideas what they are trying to do?

 249c054a86af9328 smtp failed-command command="MAIL FROM: <;for i in 0 1 2 3 4 
5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>" result="530 5.5.1 Invalid 
command: Must issue an AUTH command first"

Edgar



Re: Newbie config question

2020-06-05 Thread Edgar Pettijohn
On Fri, Jun 05, 2020 at 11:28:12AM -0500, David Favor wrote:
> I've been wrestling with this for days with no progress.
> 
> Can someone drop me a v6.6.4 config to do something similar to the following.
> 
>da...@davidfavor.com   - maildir
>i...@davidfavor.com- forward to da...@davidfavor.com
>supp...@davidfavor.com - forward to f...@helpdesk.com using MailGun Relay 
> Service
> 
>supp...@radicalhealth.com - maildir
>i...@radicalhealth.com- forward to supp...@radicalhealth.com
>da...@radicalhealth.com   - send natively to da...@davidfavor.com (no 
> Smarthost or Relay Service)
> 
> Just a raw config file will be fine, I can remove
> whatever I don't require right now, like DKIM signing,
> which I'll add later.
>

It would likely be easier if you just posted your current smtpd.conf and
associated tables. 

Edgar

> I'm just trying to get basic OpenSMTPD delivery working.
> 
> Thanks.



Re: new table backends

2020-05-26 Thread Edgar Pettijohn
On Tue, May 26, 2020 at 10:58:12PM +, gil...@poolp.org wrote:
> Hellow,
> 
> I have been working on a new table backend: table-procexec.
> 
> What it does is translate the imsg table API to a line-based protocol that is
> very similar to what we did for filters. A table backend can become a program
> consuming table requests from stdin and responding to stdout:
> 
> stdin : table
> 
> 
> The idea behind this is to unlock table backend development to people who are
> not necessarily C developers and who could still write useful implementations
> in other languages. Like with filters, this makes it possible to use anything
> from awk to shell, Go, Python and what not without OpenSMTPD caring about how
> these backends are implemented.
> 
> I have written a Golang package to abstract the protocol details and that let
> you write a backend by implementing the four basic operations of table API. A
> sample table-example.go is available here to see how a backend looks like:
> 
> https://gist.github.com/poolpOrg/b3b97a65791a11a49f5e76ea51331ae4
> 
> 
> If people are willing to help implement some backends, hit me up
> 
> Cheers,
> Gilles

Sweet. Looking at 
https://github.com/poolpOrg/go-opensmtpd/blob/master/table/table.go 
seems like it will be pretty simple to write some nice tables.

Thanks!



[patch] add a timeout to filter registration

2020-05-02 Thread Edgar Pettijohn
When playing with filters it's easy to forget to register
stdout, etc...

Here is a patch to add a timeout and give a little helpful info as
opposed to just hanging in an unusable state.
Index: lka_filter.c
===
RCS file: /cvs/src/usr.sbin/smtpd/lka_filter.c,v
retrieving revision 1.62
diff -u -p -u -r1.62 lka_filter.c
--- lka_filter.c24 Apr 2020 11:34:07 -  1.62
+++ lka_filter.c2 May 2020 15:37:56 -
@@ -66,6 +66,7 @@ static void   filter_result_disconnect(uin
 static voidfilter_session_io(struct io *, int, void *);
 void   lka_filter_process_response(const char *, const char *);
 
+static voidlka_proc_timeout(int, short, void *);
 
 struct filter_session {
uint64_tid;
@@ -180,6 +181,7 @@ struct processor_instance {
char*name;
struct io   *io;
struct io   *errfd;
+   struct event tmo;
int  ready;
uint32_t subsystems;
 };
@@ -213,10 +215,13 @@ lka_proc_config(struct processor_instanc
io_printf(pi->io, "config
 }
 
+#define TIMEOUT 10
+
 void
 lka_proc_forked(const char *name, uint32_t subsystems, int fd)
 {
struct processor_instance   *processor;
+   struct timeval timeout = { TIMEOUT, 0 };
 
if (!processors_inited) {
dict_init(&processors);
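Review bot: TIMEOUT in the added "#define TIMEOUT 10" is too generic a name for a file-wide macro and carries no unit. Consider a name such as PROC_REGISTER_TIMEOUT with a comment saying it is in seconds, and place it at the top of the file rather than between two functions. A fixed 10 seconds is also a policy choice worth a line in the commit message, since a filter that does slow start-up work before it sends its registration will now hit it.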
@@ -232,6 +237,10 @@ lka_proc_forked(const char *name, uint32
 
io_set_fd(processor->io, fd);
io_set_callback(processor->io, processor_io, processor->name);
+
+   evtimer_set(&processor->tmo, lka_proc_timeout, processor);
+   evtimer_add(&processor->tmo, &timeout);
+
dict_xset(&processors, name, processor);
 }
 
@@ -269,6 +278,7 @@ processor_register(const char *name, con
processor = dict_xget(&processors, name);
 
if (strcmp(line, "register
+   evtimer_del(&processor->tmo);
processor->ready = 1;
return;
}
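Review bot: evtimer_del(&processor->tmo) in processor_register() is the only place this patch disarms the timer, and it is reached only on the ready branch. If a processor_instance can be torn down before it registers (for example when its pipe closes), the pending event still holds the processor pointer given to evtimer_set() and lka_proc_timeout() would later dereference it. Add an evtimer_del() on every path that frees or removes the processor, or state in the commit message that no such path exists.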
@@ -1741,4 +1751,12 @@ lka_report_proc(const char *name, const 
sp = ep + 1;
 
lka_report_filter_report(reqid, name, 0, direction, &tv, sp);
+}
+
+static void
+lka_proc_timeout(int fd, short events, void *arg)
+{
+   struct processor_instance *processor = arg;
+
+   fatalx("%s: failed to register", processor->name);
 }
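Review bot: the fatalx() message in lka_proc_timeout() says only "failed to register", which does not tell the operator that a deadline expired or what the filter was expected to send. A message that names the timeout, for example "%s: no register|ready received within %d seconds" with TIMEOUT as the second argument, would point straight at the usual cause. The fd and events parameters are unused, which is normal for a libevent callback but worth marking if the tree builds with unused-parameter warnings.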


Re: Custom filter

2020-04-16 Thread Edgar Pettijohn
On Thu, Apr 16, 2020 at 06:14:46PM +0200, Martijn van Duren wrote:
> On 4/16/20 3:58 PM, Jacky wrote:
> > Hi,
> > 
> > I am using Opensmtp 6.6.4p1. I am going to use Opensmtp as outgoing SMTP 
> > server, and use POP before SMTP method for authentication.
> > 
> > Is it possible for us to write and use custom filter ? If yes, is there any 
> > information / resources available in the web ?
> > 
> > Jacky
> > 
> 

You can get the manual here:
https://raw.githubusercontent.com/OpenSMTPD/OpenSMTPD/portable/smtpd/smtpd-filters.7

I don't believe it is 100% but still a good starting point.

Edgar

> There are a couple of filters available, but I'm not aware of how
> cross-platform available they are.
> From the OpenBSD ports tree there's the following written in go:
> - https://github.com/poolpOrg/filter-rspamd
> - https://github.com/poolpOrg/filter-senderscore
> - spamassassin via https://www.umaxx.net
> The latter has a couple of other filters, but aren't in the ports
> tree, so probably have a little less testing.
> 
> I have written filter-dnsbl and filter-dkimsign in C:
> - http://imperialat.at/dev/libopensmtpd/ (dependency for both)
> - http://imperialat.at/dev/filter-dnsbl/
> - http://imperialat.at/dev/filter-dkimsign/
> 
> I've got libopensmtpd to compile on Linux, but after that my need to get
> them to work on Linux disappeared so the filters themselves never got 
> there. If you want to use them I'm willing to help you set them up in 
> your environment and commit the changes to my repo.
> 
> Other filters are relatively easy to write, but I don't think the
> protocol is properly documented. You can look at this thread[0] as a
> starting point, but there have been some minor changes since then, so
> make sure to check your input.
> 
> martijn@
> 
> [0] https://www.mail-archive.com/misc@opensmtpd.org/msg03727.html



filter-spamassassin.pl

2020-04-01 Thread Edgar Pettijohn

http://www.pettijohn-web.com/filter-spamassassin.pl

http://www.pettijohn-web.com/SHA512

I've written a little spamassassin filter in perl. The only requirement 
you may not have installed is AnyEvent. It's pretty common so your OS 
most likely has it packaged. If not:


# cpan -i AnyEvent

Obviously you will also need the spamassassin daemon running.

I've been using it for about 3 days so far without issues, though there 
may still be bugs lurking. One is likely to be the need for a message 
size limit. Not sure what that should be though.



Edgar




OpenSMTPD::Password perl module now supports openbsd

2020-03-19 Thread Edgar Pettijohn
OpenBSD is now supported and tested on OpenBSD 6.6 stable. Install both 
modules listed below and then just 'use OpenSMTPD::Password qw/newhash 
checkhash/;' It will automatically detect the XS module and use it.


http://www.pettijohn-web.com/OpenSMTPD-Password-XS-0.01.tar.gz

http://www.pettijohn-web.com/OpenSMTPD-Password-0.03.tar.gz

http://www.pettijohn-web.com/SHA512

On 3/18/20 10:29 AM, Edgar Pettijohn wrote:
Just updated the module with a few minor tweaks, mostly just making it 
more perl like and a few more error checks. Also requires 
BSD::arc4random to provide random numbers as opposed to the perl 
builtin rand(). Should make the truly paranoid types happy :) Again it 
still only works for portable. Plan on adding openbsd support this 
weekend hopefully. If not sometime soon.


http://www.pettijohn-web.com/OpenSMTPD-Password-0.02.tar.gz

http://www.pettijohn-web.com/SHA512

I'm also working on a plack app for adding/deleting users and allowing 
users to change their passwords. It's still pretty rough, but mostly 
works. Currently it only supports sql databases. Tested with mariadb, 
but I think it's generic enough that mysql and postgres should work out 
of the box. If anyone is interested in checking it out let me know. It 
would really benefit from some html guru's attention.


Thanks,


Edgar






OpenSMTPD::Password perl module

2020-03-18 Thread Edgar Pettijohn
Just updated the module with a few minor tweaks, mostly just making it 
more perl like and a few more error checks. Also requires 
BSD::arc4random to provide random numbers as opposed to the perl builtin 
rand(). Should make the truly paranoid types happy :) Again it still 
only works for portable. Plan on adding openbsd support this weekend 
hopefully. If not sometime soon.


http://www.pettijohn-web.com/OpenSMTPD-Password-0.02.tar.gz

http://www.pettijohn-web.com/SHA512

I'm also working on a plack app for adding/deleting users and allowing 
users to change their passwords. It's still pretty rough, but mostly 
works. Currently it only supports sql databases. Tested with mariadb, 
but I think it's generic enough that mysql and postgres should work out 
of the box. If anyone is interested in checking it out let me know. It 
would really benefit from some html guru's attention.


Thanks,


Edgar




perl module for hashing/checking passwords

2020-03-11 Thread Edgar Pettijohn
Here is a simple perl module for hashing passwords/checking passwords 
for use in scripts and such. Tested on Slackware current and NetBSD 8.1; 
others are expected to work. Only works with portable smtpd.


Basically just a perl version of contrib/libexec/encrypt/encrypt.c

http://www.pettijohn-web.com/OpenSMTPD-Password-0.01.tar.gz


Edgar




Re: filter question

2020-03-09 Thread Edgar Pettijohn

On Mar 9, 2020 1:34 AM, Martijn van Duren  wrote:
>
> On 3/6/20 5:00 PM, epektasis wrote:
> > Greetings.  I have my own blacklist file of email addresses
> > (some in the format microcen...@microcenter.com and some in 
> > the format *@squaredeals.com), one per line.  I would like to
> > filter each incoming email so that a mail-from address
> > that matches any line in the blacklist file will go to a
> > junk file.  In the smtpd.conf I have tried
> > 
> > table blksender file:/etc/blksender
> > filter mail-from  junk
> > match filter mail-from  junk
> > 
> > but get syntax errors on both of the last two lines when
> > checking the configuration.  There's something I'm not
> > understanding and am asking for advice.
> > epektasis
> > 
> Have another look at the manpage:
>  filter filter-name phase phase-name match conditions decision
>  Register a filter filter-name.  A decision about what to do
>  with the mail is taken at phase phase-name when matching
>  conditions.  Phases, matching conditions, and decisions are
>  described in MAIL FILTERING, below.
>
> So without testing (you should do that yourself anyway) I think what you
> want would be:
>
> table blksender file:/etc/blksender
> filter blksender phase mail-from match mail-from  junk
> listen on   filter blksender
>

Also look at table(5) '*' is only allowed on the domain side of the '@'.

Edgar

perl filter/report module

2020-02-25 Thread Edgar Pettijohn
I wrote a simple perl module for easing the writing of filter/reports 
for OpenSMTPD. It isn't 100% complete, but it's usable.


http://www.pettijohn-web.com/OpenSMTPD-Report-0.01.tar.gz


Edgar





Re: Enforce outgoing mail to always use TLS

2020-02-22 Thread Edgar Pettijohn



On 02/22/20 12:55, Søren Aurehøj wrote:

Hi Misc

I am using OpenSMTPD 6.6.0 on OpenBSD 6.6 stable

Currently I’m using the tls-require option in order to get mandatory 
TLS on outgoing mail, but with that follows the normal time-out values 
regarding bounce intervals.
Because of greylisting, I’m not sure that adjusting these time-out 
values is the best way around this problem.


I have tested the scenario with a mailserver which is unable to use 
TLS, by sending mail to mailnesia.com .
This gives the expected result - "mta event=error reason=TLS required 
but not supported by remote host” in the maillog.


My mailserver recognizes when it is unable to continue the 
delivery due to a configuration setting on my mailserver.
But instead of bouncing the mail immediately, it is queued anyway for 
later delivery.



Is it possible to enforce outgoing mail to always use TLS - and bounce 
more or less immediately,
if the sending mailserver registers that the receiving mailserver is 
unable to meet our requirements regarding TLS?




Kind regards

Søren Aurehøj




I guess you could try adding to smtpd.conf:

bounce warn-interval 1s

Edgar


Re: Subject prefixing

2020-02-13 Thread Edgar Pettijohn

On Feb 13, 2020 2:01 PM, Ionel GARDAIS  wrote:
>
> Hi list,
>
> I'm looking for an easy way to add a static prefix "[*EXT*]" to all incoming emails, as long as the subject does not already contain this string.
> OpenSMTPD is running as a filtering MX running senderscore filter.
> default action is relay to another host.
>
> Can OpenSMTPD modify the header conditionally ?
A filter could be written to do this.
> If so, should I add a filter to the existing "listen" line or should I add a new "listen" line with a dedicated filter and chaining listen->action relay to local listen->action relay to external ?
If you used a separate listen directive, it would have to be on a different port.
>
> Thanks,
> Ionel
>
>



logging

2020-02-07 Thread Edgar Pettijohn
I'm curious with the advent of the `report/filter' interface. Will there 
be the possibility of disabling syslog logging in the future? I was 
thinking of writing a script to "log" in xml for easy parsing/pretty 
printing the logs. The only drawback I see is doubling the disk usage.


I suppose I could use tmux and do a `smtpd -d >/dev/null 2>&1' Just not 
sure if there would be any side effects.


Thanks,


Edgar




Re: filter bug?

2020-02-01 Thread Edgar Pettijohn




On 02/01/20 11:08, Reio Remma wrote:

Hello!

The token|session id in v0.4 of the filter protocol were swapped to 
the more sensible session id|token order in v0.5. I believe the docs 
are still being worked on and will apply to the v0.5 protocol.




Thought I was going crazy. I was reading docs for .5 and testing on a 
system running .4 so as usual the fault lies with myself.


Thanks!

Edgar

For example filter-rspamd was recently updated to work with both 
versions, switching the argument order as needed.


Good luck,
Reio

On 01.02.2020 4:18, Edgar Pettijohn wrote:
Not sure if its a documentation bug or not, but smtpd-filters.7 
states the following:


 For all phases, excepted "data-line", the responses must follow the 
same
 construct, a message type "filter-result", followed by the 
unique session

 id, the opaque token, a decision and optional decision-specific
 parameters:

filter-result|7641df9771b4ed00|1ef1c203cc576e5d|proceed
filter-result|7641df9771b4ed00|1ef1c203cc576e5d|reject|550 nope

For my filter I had to send:

            filter-result|$token|$sid|proceed

It also shows the following for connect:

 connect: rdns fcrdns src dest
 This request is emitted after connection, before the 
banner is

 displayed.

I'm only seeing 9 fields though and expected 11.

mail$ uname -a
OpenBSD mail.pettijohn-web.com 6.6 GENERIC#4 amd64

# Not thoroughly tested, but if you want to use it pretend there is 
the ISC


# license here.

#!/usr/bin/awk -f

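# Hand the message to logger(1) on stdin. Appending msg to a shell command
# line would let a crafted AUTH username run shell commands.
function logit(msg) {
    print msg | "logger -p mail.info"
    close("logger -p mail.info")
}

function die(msg) {
    print msg | "logger -p mail.err -s"
    close("logger -p mail.err -s")

    exit 1
}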

BEGIN {
    ARGC = 0
    FS = "|"
    OFS = FS
    version = 0.4
    allowed = 3
    logit("filter-authban: starting...")
}

"config|ready" == $0 {
    print "register|report|smtp-in|link-connect"
    print "register|report|smtp-in|link-disconnect"
    print "register|report|smtp-in|link-auth"
    print "register|filter|smtp-in|connect"
    print "register|ready"
    # Flush explicitly: an awk that buffers stdout on a pipe stalls the handshake.
    fflush()
    next
}

"link-connect" == $5 {
    if (NF < 10)
        die("invalid input for link-connect")
    if ($2 != version)
        die("version mismatch")
    sid = $6
    src = $9

    state[sid] = src
}

"link-auth" == $5 {
    if (NF < 8)
        die("invalid input for link-auth")
    if ($2 != version)
        die("version mismatch")
    sid = $6
    user = $7
    result = $8

    if (state[sid]) {
        split(state[sid], ip, ":")
        addr = ip[1]
        if (result == "fail") {
            logit("auth failure for " user " from " addr)
            state[addr] += 1
        }
        if (state[addr] >= allowed)
            banned[addr] = 1
    }
}

"link-disconnect" == $5 {
    if (NF < 6)
        die("invalid input for link-disconnect")
    if ($2 != version)
        die("version mismatch")
    sid = $6

    delete state[sid]
}

"connect" == $5 {
    if ($2 != version)
        die("version mismatch")
    sid = $6
    token = $7
    src = $9

    if (banned[src]) {
        logit("rejecting connection from: " src)
        print "filter-result|" token "|" sid "|reject|550 go away"
    } else {
        print "filter-result|" token "|" sid "|proceed"
    }
    # Flush so smtpd gets the answer now instead of when the buffer fills.
    fflush()
}

END {
    logit("filter-authban: stopping...")
}

Thanks,


Edgar










filter bug?

2020-01-31 Thread Edgar Pettijohn
Not sure if its a documentation bug or not, but smtpd-filters.7 states 
the following:


 For all phases, excepted "data-line", the responses must follow the same
 construct, a message type "filter-result", followed by the unique 
session

 id, the opaque token, a decision and optional decision-specific
 parameters:

   filter-result|7641df9771b4ed00|1ef1c203cc576e5d|proceed
filter-result|7641df9771b4ed00|1ef1c203cc576e5d|reject|550 nope

For my filter I had to send:

            filter-result|$token|$sid|proceed

It also shows the following for connect:

 connect: rdns fcrdns src dest
 This request is emitted after connection, before the banner is
 displayed.

I'm only seeing 9 fields though and expected 11.

mail$ uname -a
OpenBSD mail.pettijohn-web.com 6.6 GENERIC#4 amd64

# Not thoroughly tested, but if you want to use it pretend there is the ISC

# license here.

#!/usr/bin/awk -f

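# Hand the message to logger(1) on stdin. Appending msg to a shell command
# line would let a crafted AUTH username run shell commands.
function logit(msg) {
    print msg | "logger -p mail.info"
    close("logger -p mail.info")
}

function die(msg) {
    print msg | "logger -p mail.err -s"
    close("logger -p mail.err -s")

    exit 1
}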

BEGIN {
    ARGC = 0
    FS = "|"
    OFS = FS
    version = 0.4
    allowed = 3
    logit("filter-authban: starting...")
}

"config|ready" == $0 {
    print "register|report|smtp-in|link-connect"
    print "register|report|smtp-in|link-disconnect"
    print "register|report|smtp-in|link-auth"
    print "register|filter|smtp-in|connect"
    print "register|ready"
    # Flush explicitly: an awk that buffers stdout on a pipe stalls the handshake.
    fflush()
    next
}

"link-connect" == $5 {
    if (NF < 10)
        die("invalid input for link-connect")
    if ($2 != version)
        die("version mismatch")
    sid = $6
    src = $9

    state[sid] = src
}

"link-auth" == $5 {
    if (NF < 8)
        die("invalid input for link-auth")
    if ($2 != version)
        die("version mismatch")
    sid = $6
    user = $7
    result = $8

    if (state[sid]) {
        split(state[sid], ip, ":")
        addr = ip[1]
        if (result == "fail") {
            logit("auth failure for " user " from " addr)
            state[addr] += 1
        }
        if (state[addr] >= allowed)
            banned[addr] = 1
    }
}

"link-disconnect" == $5 {
    if (NF < 6)
        die("invalid input for link-disconnect")
    if ($2 != version)
        die("version mismatch")
    sid = $6

    delete state[sid]
}

"connect" == $5 {
    if ($2 != version)
        die("version mismatch")
    sid = $6
    token = $7
    src = $9

    if (banned[src]) {
        logit("rejecting connection from: " src)
        print "filter-result|" token "|" sid "|reject|550 go away"
    } else {
        print "filter-result|" token "|" sid "|proceed"
    }
    # Flush so smtpd gets the answer now instead of when the buffer fills.
    fflush()
}

END {
    logit("filter-authban: stopping...")
}

Thanks,


Edgar




Re: filter oddities

2020-01-29 Thread Edgar Pettijohn




On 01/25/20 16:14, Edgar Pettijohn wrote:



On 01/25/20 14:48, Edgar Pettijohn wrote:



On 01/25/20 14:24, gil...@poolp.org wrote:
January 25, 2020 9:21 PM, "Edgar Pettijohn" 
 wrote:



On 01/25/20 14:20, gil...@poolp.org wrote:

January 25, 2020 8:50 PM, "Edgar Pettijohn" 
 wrote:


I haven't seen any mention of this, but for some reason in my 
limited "testing" of filters I have
to use \r\n in my responses to smtpd. Is this normal? Doesn't 
seem to be documented and what

filters I've looked at don't appear to be using \r\n.

Indeed, you must certainly NOT use "\r\n" in filters.

For example without ORS = "\r\n" the following script will cause 
smtpd to basically just hang.
There are no errors reported, but when I attempt to telnet 
localhost 25 the daemon doesn't greet me.

After adding ORS = "\r\n" everything works as expected.
I'm not familiar with awk beyond very basic uses, could this be 
due to some
flushing not happening by default and which gets triggered with 
"\r\n" ?

Adding:

setvbuf(stdout, NULL, _IONBUF, 0);

to awk's main() fixes it on my laptop. Still don't understand how my 
laptop is apparently the only device affected...


At least I can continue testing on my laptop anyway.

Edgar
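
The stall discussed in this thread can be reproduced without smtpd. The following is an added example, not code from the thread or from OpenSMTPD: a Python harness that plays smtpd's side of the handshake against a constructed stand-in filter and shows that "register|ready" only reaches the reader in time when the filter flushes its output. The stand-in filter, the sample "config|" lines and the function names are assumptions made for the demonstration.

```python
"""Added example: why an unflushed filter stalls the smtpd handshake."""
import os
import select
import subprocess
import sys
import time

# Constructed stand-in for a filter. It answers "config|ready" the same way
# the awk script in the thread does, and flushes only when asked to.
FILTER_SRC = r'''
import sys
flush = sys.argv[1] == "flush"
for line in sys.stdin:
    if line.rstrip("\n") == "config|ready":
        sys.stdout.write("register|report|smtp-in|*\n")
        sys.stdout.write("register|ready\n")
        if flush:
            sys.stdout.flush()
'''

# Constructed handshake input (sample values, not captured from a server).
HANDSHAKE = b"config|subsystem|smtp-in\nconfig|ready\n"
READY = b"register|ready\n"


def run_handshake(flush, timeout=5.0):
    """Play the daemon side of the handshake against the stand-in filter.

    Returns (answered_in_time, late_output). late_output is whatever only
    showed up after the filter's stdin was closed, i.e. bytes that had been
    sitting in the filter's stdout buffer the whole time.
    """
    # A pipe makes the child's stdout block-buffered, which is the situation
    # a filter started by the daemon is in. Drop PYTHONUNBUFFERED so the
    # environment cannot hide the effect.
    env = {k: v for k, v in os.environ.items() if k != "PYTHONUNBUFFERED"}
    proc = subprocess.Popen(
        [sys.executable, "-c", FILTER_SRC, "flush" if flush else "noflush"],
        stdin=subprocess.PIPE, stdout=subprocess.PIPE, env=env)
    fd = proc.stdout.fileno()
    try:
        proc.stdin.write(HANDSHAKE)
        proc.stdin.flush()

        # Wait for register|ready the way the daemon would, but give up
        # after `timeout` seconds instead of hanging forever.
        early = b""
        deadline = time.monotonic() + timeout
        while READY not in early:
            remaining = deadline - time.monotonic()
            if remaining <= 0 or not select.select([fd], [], [], remaining)[0]:
                break
            chunk = os.read(fd, 4096)
            if not chunk:
                break
            early += chunk

        # EOF on stdin ends the filter; its exit flushes the stdio buffer.
        proc.stdin.close()
        late = b""
        while True:
            chunk = os.read(fd, 4096)
            if not chunk:
                break
            late += chunk
        proc.wait()
        return READY in early, late.decode()
    finally:
        if proc.poll() is None:
            proc.kill()
            proc.wait()
        proc.stdout.close()


if __name__ == "__main__":
    for mode in (True, False):
        ok, late = run_handshake(flush=mode, timeout=2.0)
        print("flush=%s answered_in_time=%s late_output=%r" % (mode, ok, late))
```

For the awk filters in the thread, the counterpart of the flush in the stand-in is a call to fflush() after the print statements that answer smtpd.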



Re: smtpd-filters.7 patch

2020-01-26 Thread Edgar Pettijohn

Missed a typo "s/strenght/strength/"


On 01/25/20 14:12, Edgar Pettijohn wrote:



On 01/25/20 14:08, gil...@poolp.org wrote:

The diff reads ok but I wonder why you removed this sentence:

-No decision is ever taken by the report stream.

I think it made it a bit more clear that reporting is informative only.


I felt that the line stating it was a one-way stream covered it. 
Mainly it just made me stumble on the line and have to reread it a 
couple of times.


Edgar



diff --git a/smtpd/smtpd-filters.7 b/smtpd/smtpd-filters.7
index 1e1a27ef..bf563174 100644
--- a/smtpd/smtpd-filters.7
+++ b/smtpd/smtpd-filters.7
@@ -89,22 +89,21 @@ to inform
 in real-time about events that are occurring in the daemon.
 The report events do not expect an answer from
 .Nm ,
-it is just meant to provide them with informations.
+it is just meant to provide them with information.
 A filter should be able to replicate the
 .Xr smtpd 8
-state for a session by gathering informations coming from report events.
-No decision is ever taken by the report stream.
+state for a session by gathering information coming from report events.
 .Pp
 The filter stream is a two-way stream which allows
 .Xr smtpd 8
 to query
 .Nm
 about what it should do with a session at a given phase.
-The filter requests expects an answer from
+The filter requests expect an answer from
 .Nm ,
 .Xr smtpd 8
 will not let the session move forward until then.
-A decision must always be taken by the filter stream.
+A decision must always be made by the filter stream.
 .Pp
 It is sometimes possible to rely on filter requests to gather information,
 but because a reponse is expected by
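Review bot: The trailing context of this hunk still reads "but because a reponse is expected by", so the misspelling of "response" survives a patch whose purpose is to clean up the wording of this paragraph. Extend the hunk to change that line as well, so the section does not need a second typo pass.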
@@ -112,13 +111,13 @@ but because a reponse is expected by
 this is more costly than using report events.
 The correct pattern for writing filters is to use the report events to
 create a local state for a session,
-then use filter requests to take decisions based on this state.
+then use filter requests to make decisions based on this state.
 The only case when using filter request instead of report events is correct,
 is when a decision is required for the filter request and there is no need for
 more information than that of the event.
 .Sh PROTOCOL
 The protocol is straightforward,
-it consists of a human-readable line exchanges between
+it consists of human-readable line exchanges between
 .Nm
 and
 .Xr smtpd 8
@@ -165,7 +164,7 @@ will be documented in the sections below.
 .Sh CONFIGURATION
 During the initial handshake,
 .Xr smtpd 8
-will emit a serie of configuration keys and values.
+will emit a series of configuration keys and values.
 The list is meant to be ignored by
 .Nm
 that do not require it and consumed gracefully by filters that do.
@@ -265,7 +264,7 @@ This event is generated upon successful negotiation of TLS.
 .Pp
 .Ar tls-string
 contains a colon-separated list of TLS properties including the TLS version,
-the cipher suite used by the session and the cipher strenght in bits.
+the cipher suite used by the session and the cipher strength in bits.
 .It Ic link-disconnect
 This event is generated upon disconnection of the client.
 .It Ic link-auth : Ar username Ar result
@@ -514,7 +513,7 @@ 
filter|0.5|1576146008.006103|smtp-in|data-line|7641df9771b4ed00|1ef1c203cc576e5d
 
filter|0.5|1576146008.006105|smtp-in|data-line|7641df9771b4ed00|1ef1c203cc576e5d|.
 .Ed
 .Pp
-They are expected to produce an output stream similarly terminate by a single
+They are expected to produce an output stream similarly terminated by a single
 dot.
 A filter may inject,
 suppress,
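Review bot: The hunk header and the two "filter|0.5|...|data-line|..." context lines have been wrapped onto separate lines, so those context lines no longer start with the single leading space a unified diff needs and the hunk will not apply as mailed. Resend the diff as an attachment, or with line wrapping disabled in the mail client.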


Re: filter oddities

2020-01-26 Thread Edgar Pettijohn




On 01/26/20 01:01, Edgar Pettijohn wrote:

On Jan 26, 2020 12:11 AM, Martijn van Duren  
wrote:

On 1/25/20 8:50 PM, Edgar Pettijohn wrote:

I haven't seen any mention of this, but for some reason in my limited
"testing" of filters I have to use \r\n in my responses to smtpd. Is
this normal? Doesn't seem to be documented and what filters I've looked
at don't appear to be using \r\n.


For example without ORS = "\r\n" the following script will cause smtpd
to basically just hang. There are no errors reported, but when I attempt
to telnet localhost 25 the daemon doesn't greet me. After adding ORS =
"\r\n" everything works as expected.

#!/usr/bin/awk -f
BEGIN {
       ARGC = 0
       FS = "|"
       OFS = FS
       ORS = "\r\n"
}

"config|ready" == $0 {
       print "register|report|smtp-in|*"
       print "register|ready"
       print $0 >> "/tmp/report.txt"
       next
}

"config" == $1 {
       next
}

"report" == $1 {
       print $0 >> "/tmp/report.txt"
       next
}



I tried both your awk script without ORS and perl script on an
OpenBSD-current machine and both work as expected. So either there's
something weird in -portable or there's something weird with your
setup.

I don't have a NetBSD machine at hand, so could you provide me shell-
access to a machine that can reproduce this problem? I can probably
take a look at it in the coming week.

Will do. I'll spin one up and get it ready for you tomorrow hopefully.

Thanks,

Edgar


Must be a local issue to my laptop. I spun up a server at vultr and got 
everything ready. Then tested and it works both with and without the 
/r/n. I don't understand what the difference is between my laptop and 
the server. Either way it appears to be resolved.


Thanks,

Edgar



Re: filter oddities

2020-01-25 Thread Edgar Pettijohn




On 01/25/20 14:48, Edgar Pettijohn wrote:



On 01/25/20 14:24, gil...@poolp.org wrote:
January 25, 2020 9:21 PM, "Edgar Pettijohn"  
wrote:



On 01/25/20 14:20, gil...@poolp.org wrote:

January 25, 2020 8:50 PM, "Edgar Pettijohn" 
 wrote:


I haven't seen any mention of this, but for some reason in my 
limited "testing" of filters I have
to use \r\n in my responses to smtpd. Is this normal? Doesn't seem 
to be documented and what

filters I've looked at don't appear to be using \r\n.

Indeed, you must certainly NOT use "\r\n" in filters.

For example without ORS = "\r\n" the following script will cause 
smtpd to basically just hang.
There are no errors reported, but when I attempt to telnet 
localhost 25 the daemon doesn't greet me.

After adding ORS = "\r\n" everything works as expected.
I'm not familiar with awk beyond very basic uses, could this be due 
to some
flushing not happening by default and which gets triggered with 
"\r\n" ?


This is another awk filter which doesn't use ORS:

https://github.com/jirutka/opensmtpd-filter-rewrite-from/blob/master/filter-rewrite-from 



so I'm not sure why yours blocks but the solution is not with "\r\n" 
for sure

I get the same with filter-rewrite-from.

Can you run filter traces while you reproduce ?


Doesn't seem to do much.

laptop$ telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.

laptop$ sudo smtpd -dv -T filters
debug: init ssl-tree
debug: init ca-tree
debug: init ssl-tree
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
info: OpenSMTPD 6.6.1-portable starting
debug: init ssl-tree
debug: init ssl-tree
debug: init ssl-tree
debug: init ca-tree
debug: init ca-tree
debug: init ssl-tree
debug: init ssl-tree
debug: using "fs" queue backend
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
debug: using "ram" stat backend
setup_peer: control -> klondike[6603] fd=5
setup_peer: lookup -> control[18573] fd=5
setup_peer: control -> lookup[27107] fd=6
setup_peer: lookup -> pony express[16452] fd=6
setup_peer: control -> pony express[16452] fd=7
setup_peer: lookup -> queue[4582] fd=7
setup_peer: control -> queue[4582] fd=8
setup_peer: control -> scheduler[28554] fd=9
debug: init ssl-tree
debug: init ca-tree
debug: init ssl-tree
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
setup_peer: klondike -> control[18573] fd=5
setup_peer: klondike -> pony express[16452] fd=6
debug: init ca-tree
setup_done: ca[6603] done
setup_proc: klondike done
setup_proc: control done
setup_done: control[18573] done
debug: init ssl-tree
setup_proc: lookup done
setup_done: lka[27107] done
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
setup_peer: pony express -> control[18573] fd=5
filters init type=proc, name=filter-perl, proc=filter-perl
setup_peer: pony express -> klondike[6603] fd=6
setup_peer: pony express -> lookup[27107] fd=7
setup_peer: pony express -> queue[4582] fd=8
setup_done: pony[16452] done
setup_proc: pony express done
debug: rsa_engine_init: using RSA privsep engine
debug: ecdsa_engine_init: using ECDSA privsep engine
debug: init ssl-tree
debug: init ca-tree
debug: init ssl-tree
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
debug: init ssl-tree
debug: init ca-tree
debug: init ssl-tree
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
setup_peer: scheduler -> control[18573] fd=5
setup_peer: queue -> control[18573] fd=5
setup_peer: scheduler -> queue[4582] fd=6
setup_peer: queue -> pony express[16452] fd=6
setup_peer: queue -> lookup[27107] fd=7
setup_peer: queue -> scheduler[28554] fd=8
setup_proc: queue done
setup_done: queue[4582] done
setup_proc: scheduler done
debug: bounce warning after 4h
setup_done: scheduler[28554] done
smtpd: setup done
debug: parent_send_config_ruleset: reloading
debug: parent_send_config: configuring pony process
debug: parent_send_config: configuring ca process
debug: init private ssl-tree
debug: smtp: listen on 127.0.0.1 port 25 flags 0x2400 pki "" ca ""
debug: smtp: listen on [::1] port 25 flags 0x2400 pki "" ca ""
debug: smtp: listen on [fe80::1%lo0] port 25 flags 0x2400 pki "" ca ""
debug: smtp: will accept at most 1697 clients
debug: queue: done loading queue into sche

Re: filter oddities

2020-01-25 Thread Edgar Pettijohn




On 01/25/20 14:24, gil...@poolp.org wrote:

January 25, 2020 9:21 PM, "Edgar Pettijohn"  wrote:


On 01/25/20 14:20, gil...@poolp.org wrote:


January 25, 2020 8:50 PM, "Edgar Pettijohn"  wrote:


I haven't seen any mention of this, but for some reason in my limited "testing" 
of filters I have
to use \r\n in my responses to smtpd. Is this normal? Doesn't seem to be 
documented and what
filters I've looked at don't appear to be using \r\n.

Indeed, you must certainly NOT use "\r\n" in filters.


For example without ORS = "\r\n" the following script will cause smtpd to 
basically just hang.
There are no errors reported, but when I attempt to telnet localhost 25 the 
daemon doesn't greet me.
After adding ORS = "\r\n" everything works as expected.

I'm not familiar with awk beyond very basic uses, could this be due to some
flushing not happening by default and which gets triggered with "\r\n" ?

This is another awk filter which doesn't use ORS:

https://github.com/jirutka/opensmtpd-filter-rewrite-from/blob/master/filter-rewrite-from

so I'm not sure why yours blocks but the solution is not with "\r\n" for sure

I get the same with filter-rewrite-from.

Can you run filter traces while you reproduce ?


Doesn't seem to do much.

laptop$ telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.

laptop$ sudo smtpd -dv -T filters
debug: init ssl-tree
debug: init ca-tree
debug: init ssl-tree
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
info: OpenSMTPD 6.6.1-portable starting
debug: init ssl-tree
debug: init ssl-tree
debug: init ssl-tree
debug: init ca-tree
debug: init ca-tree
debug: init ssl-tree
debug: init ssl-tree
debug: using "fs" queue backend
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
debug: using "ram" stat backend
setup_peer: control -> klondike[6603] fd=5
setup_peer: lookup -> control[18573] fd=5
setup_peer: control -> lookup[27107] fd=6
setup_peer: lookup -> pony express[16452] fd=6
setup_peer: control -> pony express[16452] fd=7
setup_peer: lookup -> queue[4582] fd=7
setup_peer: control -> queue[4582] fd=8
setup_peer: control -> scheduler[28554] fd=9
debug: init ssl-tree
debug: init ca-tree
debug: init ssl-tree
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
setup_peer: klondike -> control[18573] fd=5
setup_peer: klondike -> pony express[16452] fd=6
debug: init ca-tree
setup_done: ca[6603] done
setup_proc: klondike done
setup_proc: control done
setup_done: control[18573] done
debug: init ssl-tree
setup_proc: lookup done
setup_done: lka[27107] done
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
setup_peer: pony express -> control[18573] fd=5
filters init type=proc, name=filter-perl, proc=filter-perl
setup_peer: pony express -> klondike[6603] fd=6
setup_peer: pony express -> lookup[27107] fd=7
setup_peer: pony express -> queue[4582] fd=8
setup_done: pony[16452] done
setup_proc: pony express done
debug: rsa_engine_init: using RSA privsep engine
debug: ecdsa_engine_init: using ECDSA privsep engine
debug: init ssl-tree
debug: init ca-tree
debug: init ssl-tree
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
debug: init ssl-tree
debug: init ca-tree
debug: init ssl-tree
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
setup_peer: scheduler -> control[18573] fd=5
setup_peer: queue -> control[18573] fd=5
setup_peer: scheduler -> queue[4582] fd=6
setup_peer: queue -> pony express[16452] fd=6
setup_peer: queue -> lookup[27107] fd=7
setup_peer: queue -> scheduler[28554] fd=8
setup_proc: queue done
setup_done: queue[4582] done
setup_proc: scheduler done
debug: bounce warning after 4h
setup_done: scheduler[28554] done
smtpd: setup done
debug: parent_send_config_ruleset: reloading
debug: parent_send_config: configuring pony process
debug: parent_send_config: configuring ca process
debug: init private ssl-tree
debug: smtp: listen on 127.0.0.1 port 25 flags 0x2400 pki "" ca ""
debug: smtp: listen on [::1] port 25 flags 0x2400 pki "" ca ""
debug: smtp: listen on [fe80::1%lo0] port 25 flags 0x2400 pki "" ca ""
debug: smtp: will accept at most 1697 clients
debug: queue: done loading queue into scheduler
debug: smtpd: scanning offline queue...
deb

Re: filter oddities

2020-01-25 Thread Edgar Pettijohn




On 01/25/20 14:20, gil...@poolp.org wrote:

January 25, 2020 8:50 PM, "Edgar Pettijohn"  wrote:


I haven't seen any mention of this, but for some reason in my limited "testing" 
of filters I have
to use \r\n in my responses to smtpd. Is this normal? Doesn't seem to be 
documented and what
filters I've looked at don't appear to be using \r\n.


Indeed, you must certainly NOT use "\r\n" in filters.



For example without ORS = "\r\n" the following script will cause smtpd to 
basically just hang.
There are no errors reported, but when I attempt to telnet localhost 25 the 
daemon doesn't greet me.
After adding ORS = "\r\n" everything works as expected.


I'm not familiar with awk beyond very basic uses, could this be due to some
flushing not happening by default and which gets triggered with "\r\n" ?

This is another awk filter which doesn't use ORS:

https://github.com/jirutka/opensmtpd-filter-rewrite-from/blob/master/filter-rewrite-from

so I'm not sure why yours blocks but the solution is not with "\r\n" for sure

I get the same with filter-rewrite-from.



Re: smtpd-filters.7 patch

2020-01-25 Thread Edgar Pettijohn




On 01/25/20 14:08, gil...@poolp.org wrote:

The diff reads ok but I wonder why you removed this sentence:

-No decision is ever taken by the report stream.

I think it made it a bit more clear that reporting is informative only.


I felt that the line stating it was a one-way stream covered it. Mainly 
it just made me stumble on the line and have to reread it a couple of times.


Edgar



filter oddities

2020-01-25 Thread Edgar Pettijohn
I haven't seen any mention of this, but for some reason in my limited 
"testing" of filters I have to use \r\n in my responses to smtpd. Is 
this normal? Doesn't seem to be documented and what filters I've looked 
at don't appear to be using \r\n.



For example without ORS = "\r\n" the following script will cause smtpd 
to basically just hang. There are no errors reported, but when I attempt 
to telnet localhost 25 the daemon doesn't greet me. After adding ORS = 
"\r\n" everything works as expected.


#!/usr/bin/awk -f
BEGIN {
    ARGC = 0
    FS = "|"
    OFS = FS
    ORS = "\r\n"
}

"config|ready" == $0 {
    print "register|report|smtp-in|*"
    print "register|ready"
    print $0 >> "/tmp/report.txt"
    next
}

"config" == $1 {
    next
}

"report" == $1 {
    print $0 >> "/tmp/report.txt"
    next
}




smtpd-filters.7 patch

2020-01-25 Thread Edgar Pettijohn


diff --git a/smtpd/smtpd-filters.7 b/smtpd/smtpd-filters.7
index 1e1a27ef..3cdb10e1 100644
--- a/smtpd/smtpd-filters.7
+++ b/smtpd/smtpd-filters.7
@@ -89,22 +89,21 @@ to inform
 in real-time about events that are occurring in the daemon.
 The report events do not expect an answer from
 .Nm ,
-it is just meant to provide them with informations.
+it is just meant to provide them with information.
 A filter should be able to replicate the
 .Xr smtpd 8
-state for a session by gathering informations coming from report events.
-No decision is ever taken by the report stream.
+state for a session by gathering information coming from report events.
 .Pp
 The filter stream is a two-way stream which allows
 .Xr smtpd 8
 to query
 .Nm
 about what it should do with a session at a given phase.
-The filter requests expects an answer from
+The filter requests expect an answer from
 .Nm ,
 .Xr smtpd 8
 will not let the session move forward until then.
-A decision must always be taken by the filter stream.
+A decision must always be made by the filter stream.
 .Pp
 It is sometimes possible to rely on filter requests to gather information,
 but because a reponse is expected by
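Review bot: Deleting "No decision is ever taken by the report stream." in this hunk drops the sentence that pairs with "A decision must always be made by the filter stream." in the next paragraph, so the contrast between the two streams is no longer stated on both sides. If the wording is what reads badly, rephrase it instead, for example "The report stream never makes a decision.", and keep the two paragraphs parallel.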
@@ -112,13 +111,13 @@ but because a reponse is expected by
 this is more costly than using report events.
 The correct pattern for writing filters is to use the report events to
 create a local state for a session,
-then use filter requests to take decisions based on this state.
+then use filter requests to make decisions based on this state.
 The only case when using filter request instead of report events is correct,
 is when a decision is required for the filter request and there is no need for
 more information than that of the event.
 .Sh PROTOCOL
 The protocol is straightforward,
-it consists of a human-readable line exchanges between
+it consists of human-readable line exchanges between
 .Nm
 and
 .Xr smtpd 8
@@ -165,7 +164,7 @@ will be documented in the sections below.
 .Sh CONFIGURATION
 During the initial handshake,
 .Xr smtpd 8
-will emit a serie of configuration keys and values.
+will emit a series of configuration keys and values.
 The list is meant to be ignored by
 .Nm
 that do not require it and consumed gracefully by filters that do.
@@ -514,7 +513,7 @@ 
filter|0.5|1576146008.006103|smtp-in|data-line|7641df9771b4ed00|1ef1c203cc576e5d
 
filter|0.5|1576146008.006105|smtp-in|data-line|7641df9771b4ed00|1ef1c203cc576e5d|.
 .Ed
 .Pp
-They are expected to produce an output stream similarly terminate by a single
+They are expected to produce an output stream similarly terminated by a single
 dot.
 A filter may inject,
 suppress,


netbsd fails without /etc/mailname

2020-01-19 Thread Edgar Pettijohn
Just built a fresh git checkout. The configure make and install all went 
smoothly. However, now I have to have an /etc/mailname file or it gets 
stuck in config_default(). Specifically the following line from 
getmailname():



error = getaddrinfo(hostname, NULL, &hints, &res);


It just hangs there until I ^C.


Edgar




netbsd makefile issue

2020-01-19 Thread Edgar Pettijohn

Had to do the following for `make uninstall'

$ for file in `find . -name Makefile`
> do
> sed -i 's/\/bin\/true/\/usr\/bin\/true/g' $file
> done
$ sudo make uninstall

Edgar




Re: Skip recipient verification and forward everything to a LMTP socket

2020-01-18 Thread Edgar Pettijohn

On Jan 18, 2020 2:45 PM, gil...@poolp.org wrote:
>
> January 15, 2020 6:03 PM, "Éloi Rivard"  wrote:
>
> > Hi,
> > 
> > I would like to put a OpenSMTPD server in front of a sourcehut lists
> > installation [1] (that is, a mailing list system for sourcehut).
> > OpenSMTPD and sourcehut communicate through a lmtp unix socket. Here is
> > my configuration (without the filter and pki parts):
> > 
> > listen on eth0 tls pki lists.forge.mydomain.tld
> > action sourcehut lmtp /tmp/lists.forge.mydomain-tld-lmtp.sock
> > 
> > match from any for domain "lists.forge.yaal.fr" action "sourcehut"
> > 
> > Now with this configuration I only get "550 Invalid recipient" errors,
> > which is expected because OpenSMTPD has no way to know what is a valid
> > sourcehut list recipient.
> > 
> > How can I make OpenSMTPD just skip the recipient verification, and just
> > forward everything to the lmtp socket?
> > 
>
> There are two ways:
>
> 1- synchronize the list of recipients in a recipient table in smtpd, that
>    may be less convenient because you need to have the list of recipients
>    on the SMTP side AND the lmtp side, but... that's the clean way.
>
> 2- you can have a virtual mapping with a catch-all so that all recipients
>    are accepted and passed to the LMTP socket, this works but is not very
>    clean because it will backscatter if LMTP rejects the recipient.
>
>
> > I read about userbase catchall, but my understanding is that userbases
> > maps recipients to a system user, and that seems irrelevant for me as
> > no system user is involved here.
> > 
>
> The userbase feature is to provide an alternate mechanism to resolve the
> usernames to uid, gid and home directory. I don't think it's useful here
> but your comment has hinted me at the issue:
>
> It is inaccurate that no system user is involved here, all recipients do
> resolve into a username because some user has to do the LMTP session. In
> virtual setups, like yours seems to be, the proper way is to create some
> dedicated user and map all recipients to that:
>
>     action sourcehut lmtp "/tmp/lists.forge.mydomain-tls-lmtp.sock" \
>     virtual { "@" = _sourcehut }
>
> In cases where you have a full list of recipients and do not need to get
> virtual mappings involved, you can do:
>
>     action sourcehut lmtp "/tmp/lists.forge.mydomain-tls-lmtp.sock" \
>     user _sourcehut
>


> But no matter what, any action in smtpd.conf is a command that is going
> to get executed and a process has to have a owner, so there is going to
> be a system user involved.
>

Something along these words should be added to the manual somewhere. I think 
that is a common misunderstanding for virtual setups.

Edgar

Re: Auth not working on linux?

2020-01-18 Thread Edgar Pettijohn

On Jan 18, 2020 8:54 AM, Michael Jacob  wrote:
>
> I am trying to setup an opensmtpd server on Arch Linux, the arch package version is 6.6.1p1-2 from 2019-11-06. When I use the "auth" option with "listen on", no authorization with valid system users succeeds. But using "auth" with an external table created with smtpctl encrypt does work.
>
> Is this supposed to be working with Linux users and passwords and I am doing something wrong?
> Or does auth only work with OpenBSD users/crypt?
>
Check it was built with Pam support and Pam is set up. 
Edgar


[patches] remove warnings from build on NetBSD

2020-01-06 Thread Edgar Pettijohn
Remove warnings about strtonum(). Probably a better place for this, but 
not sure where.


diff --git a/openbsd-compat/defines.h b/openbsd-compat/defines.h
index 23fc8ae2..868943cd 100644
--- a/openbsd-compat/defines.h
+++ b/openbsd-compat/defines.h
@@ -491,4 +491,8 @@ typedef uint16_t    in_port_t;
 #define LOG_PERROR 0
 #endif

+#ifdef __NetBSD__
+#define _OPENBSD_SOURCE
+#endif
+
 #endif /* _DEFINES_H */
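Review bot: "_OPENBSD_SOURCE" is a feature-test macro, and this hunk defines it immediately before the closing "#endif /* _DEFINES_H */", where it only takes effect if no system header has been included by the time defines.h is processed. Define it ahead of the first system include, or have configure pass it in CPPFLAGS on NetBSD, so the result does not depend on include order.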

Remove warnings about errc()

diff --git a/openbsd-compat/errc.c b/openbsd-compat/errc.c
index 658a55b4..9132dcb9 100644
--- a/openbsd-compat/errc.c
+++ b/openbsd-compat/errc.c
@@ -21,6 +21,7 @@
 #include "includes.h"

 #ifndef HAVE_ERRC
+#define HAVE_ERRC

 #include 
 #include 
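Review bot: "#define HAVE_ERRC" is added inside the "#ifndef HAVE_ERRC" block, so the file that supplies the fallback now claims the platform already provides errc(), and anything included below that keys on HAVE_ERRC will see a different answer in this file than in the rest of the tree. If the aim is to silence a missing-prototype warning, declare the compat errc() in a shared header or correct the configure check rather than overriding its result locally.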

Remove warnings about strtonum()

diff --git a/smtpd/smtp_client.c b/smtpd/smtp_client.c
index 22e79890..70241b0b 100644
--- a/smtpd/smtp_client.c
+++ b/smtpd/smtp_client.c
@@ -16,6 +16,8 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */

+#include "includes.h"
+
 #include 
 #include 


Remove warnings about err()


diff --git a/smtpd/util.c b/smtpd/util.c
index eec3a303..5aa08413 100644
--- a/smtpd/util.c
+++ b/smtpd/util.c
@@ -32,6 +32,7 @@
 #include 

 #include 
+#include 
 #include 
 #include 
 #include 




RE: Unable to use .forward with snmpd

2019-12-18 Thread Edgar Pettijohn

On Dec 18, 2019 12:50 PM, Юрий Иванов  wrote:
>
> No, It present.
> I shrink output to save space in message a little bit.
>
> suser@webmail:~$ ll /home/suser/Maildir/.admin     
> total 32
> drwx--  5 suser suser 4096 Dec 16 19:26 ./
> drwx-- 13 suser suser 4096 Dec 18 20:47 ../
> drwx--  2 suser suser 4096 Dec 16 19:26 cur/
> -rw---  1 suser suser   51 Dec 16 19:26 dovecot-uidlist
> -rw---  1 suser suser  872 Dec 16 19:26 dovecot.index.cache
> -rw---  1 suser suser  304 Dec 16 19:26 dovecot.index.log
> -rw---  1 suser suser    0 Dec 16 19:26 maildirfolder
> drwx--  2 suser suser 4096 Dec 16 19:26 new/
> drwx--  2 suser suser 4096 Dec 16 19:26 tmp/
> suser@webmail:~$ ll /home/suser/Maildir/.admin/new/
> total 8
> drwx-- 2 suser suser 4096 Dec 16 19:26 ./
> drwx-- 5 suser suser 4096 Dec 16 19:26 ../
> 
> From: GARDAIS Ionel
> Sent: December 18, 2019, 20:32
> To: Юрий Иванов
> Cc: Edgar Pettijohn; misc
> Subject: Re: Unable to use .forward with snmpd
>  
> I see no 'new' folder under the 'Maildir/.admin' folder.
> Should you create it by hand ?
> -- 
> Ionel GARDAIS
> Tech'Advantage CIO - IT Team manager
>
> 
> From: "Юрий Иванов"
> To: "Edgar Pettijohn", "misc"
> Sent: Wednesday, December 18, 2019 18:50:30
> Subject: RE: Unable to use .forward with snmpd
>
> I've created directory through regular RoundCube web interface.
> Base directory:
> suser@webmail:~$ ll Maildir/ 
> total 188
> drwx-- 13 suser suser  4096 Dec 18 19:42 ./
> drwxr-xr-x  6 suser suser  4096 Dec 18 09:07 ../
> drwx--  5 suser suser  4096 Dec 18 16:37 .Drafts/
> drwx--  5 suser suser  4096 Dec 18 19:41 .Sent/
> ...
> drwx--  2 suser suser 12288 Dec 18 19:41 cur/
> -rw---  1 suser suser  3311 Dec 18 19:38 dovecot-uidlist
> -rw---  1 suser suser     8 Dec 17 09:42 dovecot-uidvalidity
> -r--r--r--  1 suser suser     0 Dec 10 11:43 dovecot-uidvalidity.5def68bc
> -rw---  1 suser suser  1608 Dec 18 19:37 dovecot.index
> ...
> -rw---  1 suser suser   192 Dec 17 09:42 dovecot.mailbox.log
> drwx--  2 suser suser  4096 Dec 18 18:01 new/
> -rw---  1 suser suser    53 Dec 17 09:42 subscriptions
> drwx--  2 suser suser  4096 Dec 18 18:00 tmp/
>
> Admin dir, that was created via roundcube web interface:
> suser@webmail:~$ ll Maildir/.admin/
> total 32
> drwx--  5 suser suser 4096 Dec 16 19:26 ./
> drwx-- 13 suser suser 4096 Dec 18 19:42 ../
> drwx--  2 suser suser 4096 Dec 16 19:26 cur/
> -rw---  1 suser suser   51 Dec 16 19:26 dovecot-uidlist
> ...
>
> suser@webmail:~$ ll Maildir/.admin/cur/
> total 8
> drwx-- 2 suser suser 4096 Dec 16 19:26 ./
> drwx-- 5 suser suser 4096 Dec 16 19:26 ../
>
> Normal home directory:
> suser@webmail:~$ ll
> total 256
> drwxr-xr-x  6 suser suser   4096 Dec 18 09:07 ./
> drwxr-xr-x 51 root  root    4096 Dec 17 14:36 ../
> -rw---  1 suser suser    875 Dec 16 20:24 .bash_history
> -rw-r--r--  1 suser suser    220 Dec 10 08:46 .bash_logout
> -rw-r--r--  1 suser suser   3771 Dec 10 08:46 .bashrc
> drwx--  2 suser suser   4096 Dec 10 09:15 .cache/
> drwx--  3 suser suser   4096 Dec 10 09:15 .gnupg/
> -rw-r--r--  1 suser suser    807 Dec 10 08:46 .profile
> -rw-r--r--  1 suser suser      0 Dec 10 09:25 .sudo_as_admin_successful
> -rw---  1 root  root    1129 Dec 11 09:42 .viminfo
> drwx-- 13 suser suser   4096 Dec 18 19:42 Maildir/
> 
> From: Edgar Pettijohn
> Sent: December 18, 2019, 19:28
> To: misc@opensmtpd.org; Юрий Иванов
> Subject: Re: Unable to use .forward with snmpd
>  
>
>
> On Dec 18, 2019 8:47 AM, Юрий Иванов  wrote:
> >
> > Hi, I'm using snmpd with roundcube.
> >
> > After creating .forward file I apply chmod 400 .forward, so no errors in my mail.err log.
> > Default permissions lead to generating warn in logs:
> > smtpd[6275]: warn: smtpd: /home/suser/.forward: unsecure file
> >
> > Content is more or less default:
> >
> > ad...@mydomain.com        # anything after # is ignored
> > "|/home/suser/Maildir/.admin/new/"
Probably shouldn't pipe it through a directory.
> >
> > As the result my mail is not working:
> >
> > Dec 18 12:54:33 webmail smtpd[6279]:  mda event=delivery evpid=3b98bdcf411c5f9a from= to= user=suser method=mda delay=3h48m10s result=TempFail stat=Error ("/bin/sh: 1: /home/suser/Maildir/.admin/new/: Permission denied")
> >
>
> What are the permissions for the directory you are forwarding to?
>
> > Thanks in advance
>
>
>
>



Re: Unable to use .forward with snmpd

2019-12-18 Thread Edgar Pettijohn



On 2019-12-18 17:28, Edgar Pettijohn wrote:



On Dec 18, 2019 8:47 AM, Юрий Иванов  wrote:
>
> Hi, I'm using snmpd with roundcube.
>
> After creating .forward file I apply chmod 400 .forward, so no 
errors in my mail.err log.

> Default permissions lead to generating warn in logs:
> smtpd[6275]: warn: smtpd: /home/suser/.forward: unsecure file
>
> Content is more or less default:
>
> ad...@mydomain.com        # anything after # is ignored
> "|/home/suser/Maildir/.admin/new/"



Probably shouldn't try piping it through a directory.



>
> As the result my mail is not working:
>
> Dec 18 12:54:33 webmail smtpd[6279]:  mda 
event=delivery evpid=3b98bdcf411c5f9a from= 
to= user=suser method=mda delay=3h48m10s 
result=TempFail stat=Error ("/bin/sh: 1: 
/home/suser/Maildir/.admin/new/: Permission denied")

>

What are the permissions for the directory you are forwarding to?

> Thanks in advance





Re: Unable to use .forward with snmpd

2019-12-18 Thread Edgar Pettijohn


On 2019-12-18 18:32, GARDAIS Ionel wrote:

I see no 'new' folder under the 'Maildir/.admin' folder.
Should you create it by hand ?
--
Ionel GARDAIS
Tech'Advantage CIO - IT Team manager



Please attach your smtpd.conf




*From: *"Юрий Иванов"
*To: *"Edgar Pettijohn", "misc"
*Sent: *Wednesday, December 18, 2019 18:50:30
*Subject: *RE: Unable to use .forward with snmpd

I've created directory through regular RoundCube web interface.
Base directory:
suser@webmail:~$ ll Maildir/
total 188
drwx------ 13 suser suser  4096 Dec 18 19:42 ./
drwxr-xr-x  6 suser suser  4096 Dec 18 09:07 ../
drwx------  5 suser suser  4096 Dec 18 16:37 .Drafts/
drwx------  5 suser suser  4096 Dec 18 19:41 .Sent/
...
drwx------  2 suser suser 12288 Dec 18 19:41 cur/
-rw-------  1 suser suser  3311 Dec 18 19:38 dovecot-uidlist
-rw-------  1 suser suser     8 Dec 17 09:42 dovecot-uidvalidity
-r--r--r--  1 suser suser     0 Dec 10 11:43 dovecot-uidvalidity.5def68bc
-rw-------  1 suser suser  1608 Dec 18 19:37 dovecot.index
...
-rw-------  1 suser suser   192 Dec 17 09:42 dovecot.mailbox.log
drwx------  2 suser suser  4096 Dec 18 18:01 new/
-rw-------  1 suser suser    53 Dec 17 09:42 subscriptions
drwx------  2 suser suser  4096 Dec 18 18:00 tmp/

Admin dir, that was created via roundcube web interface:
suser@webmail:~$ ll Maildir/.admin/
total 32
drwx------  5 suser suser 4096 Dec 16 19:26 ./
drwx------ 13 suser suser 4096 Dec 18 19:42 ../
drwx------  2 suser suser 4096 Dec 16 19:26 cur/
-rw-------  1 suser suser   51 Dec 16 19:26 dovecot-uidlist
...

suser@webmail:~$ ll Maildir/.admin/cur/
total 8
drwx------ 2 suser suser 4096 Dec 16 19:26 ./
drwx------ 5 suser suser 4096 Dec 16 19:26 ../

Normal home directory:
suser@webmail:~$ ll
total 256
drwxr-xr-x  6 suser suser   4096 Dec 18 09:07 ./
drwxr-xr-x 51 root  root    4096 Dec 17 14:36 ../
-rw-------  1 suser suser    875 Dec 16 20:24 .bash_history
-rw-r--r--  1 suser suser    220 Dec 10 08:46 .bash_logout
-rw-r--r--  1 suser suser   3771 Dec 10 08:46 .bashrc
drwx------  2 suser suser   4096 Dec 10 09:15 .cache/
drwx------  3 suser suser   4096 Dec 10 09:15 .gnupg/
-rw-r--r--  1 suser suser    807 Dec 10 08:46 .profile
-rw-r--r--  1 suser suser      0 Dec 10 09:25 .sudo_as_admin_successful
-rw-------  1 root  root    1129 Dec 11 09:42 .viminfo
drwx------ 13 suser suser   4096 Dec 18 19:42 Maildir/
--------
*From:* Edgar Pettijohn 
*Sent:* 18 December 2019, 19:28
*To:* misc@opensmtpd.org ; Юрий Иванов 
*Subject:* Re: Unable to use .forward with snmpd


On Dec 18, 2019 8:47 AM, Юрий Иванов  wrote:
>
> Hi, I'm using snmpd with roundcube.
>
> After creating .forward file I apply chmod 400 .forward, so no errors in my mail.err log.
> Default permissions leads to generating warn in logs:
> smtpd[6275]: warn: smtpd: /home/suser/.forward: unsecure file
>
> Content is more or less default:
>
> ad...@mydomain.com        # anything after # is ignored
> "|/home/suser/Maildir/.admin/new/"
>
> As the result my mail is not working:
>
> Dec 18 12:54:33 webmail smtpd[6279]:  mda event=delivery evpid=3b98bdcf411c5f9a from= to= user=suser method=mda delay=3h48m10s result=TempFail stat=Error ("/bin/sh: 1: /home/suser/Maildir/.admin/new/: Permission denied")
>

What are the permissions for the directory you are forwarding to?

> Thanks in advance






Re: Unable to use .forward with snmpd

2019-12-18 Thread Edgar Pettijohn

On Dec 18, 2019 8:47 AM, Юрий Иванов  wrote:
>
> Hi, I'm using snmpd with roundcube.
>
> After creating .forward file I apply chmod 400 .forward, so no errors in my mail.err log.
> Default permissions leads to generating warn in logs:
> smtpd[6275]: warn: smtpd: /home/suser/.forward: unsecure file
>
> Content is more or less default:
>
> ad...@mydomain.com        # anything after # is ignored
> "|/home/suser/Maildir/.admin/new/"
>
> As the result my mail is not working:
>
> Dec 18 12:54:33 webmail smtpd[6279]:  mda event=delivery evpid=3b98bdcf411c5f9a from= to= user=suser method=mda delay=3h48m10s result=TempFail stat=Error ("/bin/sh: 1: /home/suser/Maildir/.admin/new/: Permission denied")
>
What are the permissions for the directory you are forwarding to?
> Thanks in advance



Re: fix build on netbsd

2019-12-05 Thread Edgar Pettijohn

On Dec 5, 2019 1:06 AM, Gilles Chehade  wrote:
>
> On Wed, Dec 04, 2019 at 07:27:07PM -0600, Edgar Pettijohn wrote:
> > diff --git a/openbsd-compat/openbsd-compat.h
> > b/openbsd-compat/openbsd-compat.h
> > index 6c73e5b5..c7af0135 100644
> > --- a/openbsd-compat/openbsd-compat.h
> > +++ b/openbsd-compat/openbsd-compat.h
> > @@ -122,7 +122,7 @@ int getpeereid(int , uid_t *, gid_t *);
> > ??unsigned int arc4random(void);
> > ??#endif
> > 
> > -#if defined(HAVE_ARC4RANDOM_STIR)
> > +#if !defined(HAVE_ARC4RANDOM_STIR)
> > ??void arc4random_stir(void);
> > ??#elif defined(HAVE_ARC4RANDOM) || defined(LIBRESSL_VERSION_NUMBER)
> > ??/* Recent system/libressl implementation; no need for explicit stir */
> > 
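
Review bot: the inverted test on the `#if` line applies to every platform, not only NetBSD, and the message gives no build error to judge it by. After this change a system that does define HAVE_ARC4RANDOM_STIR no longer gets the `void arc4random_stir(void);` prototype from this branch and falls through to the `#elif` instead, so please add the failing compiler output to the commit message and confirm a build on a platform where configure defines HAVE_ARC4RANDOM_STIR.
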
>
> with this, your build is fixed ?
>
> I've been fixing the .c part of openbsd-compat but haven't worked on the
> .h part yet, will have  look at it
>

Yes. Restarted from configure through make install and no problems.

>
>
> -- 
> Gilles Chehade    @poolpOrg
>
> https://www.poolp.org    patreon: https://www.patreon.com/gilles
>


fix build on netbsd

2019-12-04 Thread Edgar Pettijohn
diff --git a/openbsd-compat/openbsd-compat.h 
b/openbsd-compat/openbsd-compat.h

index 6c73e5b5..c7af0135 100644
--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -122,7 +122,7 @@ int getpeereid(int , uid_t *, gid_t *);
 unsigned int arc4random(void);
 #endif

-#if defined(HAVE_ARC4RANDOM_STIR)
+#if !defined(HAVE_ARC4RANDOM_STIR)
 void arc4random_stir(void);
 #elif defined(HAVE_ARC4RANDOM) || defined(LIBRESSL_VERSION_NUMBER)
 /* Recent system/libressl implementation; no need for explicit stir */
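
Review bot: with `#if !defined(HAVE_ARC4RANDOM_STIR)` the following `#elif defined(HAVE_ARC4RANDOM) || defined(LIBRESSL_VERSION_NUMBER)` branch can only be reached when HAVE_ARC4RANDOM_STIR is defined, which is the opposite of the case its comment ("no need for explicit stir") describes. A system that has arc4random but no arc4random_stir now takes the first branch and gets a bare prototype, so the compat library must provide a definition under the same condition or the link will fail; consider testing the `#elif` case first, or confirm that the .c side matches.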




Re: Primary Domains vs. Virtual Domains - what's the difference?

2019-11-18 Thread Edgar Pettijohn

On Nov 18, 2019 9:14 AM, Charles Collicutt  wrote:
>
> On 18 Nov 2019, at 13:07, gil...@poolp.org wrote:
> > 
> > With a virtual domain, OpenSMTPD assumes that domain.org == the content of 
> > the virtual table.
> > The virtual mechanism is not optional, the recipient MUST exist in the 
> > table to be valid.
>
> Can virtual users be used with sub-addresses, e.g user+...@virtualdomain.org ?
>

They should work out of the box. Just sent one to myself to double check and it 
went through.

Edgar

> When I tried that (some time ago) it failed saying that the user did not 
> exist.
>
> — 
> Charles
>


Re: Accept mail for all recipients

2019-10-30 Thread Edgar Pettijohn

On Oct 30, 2019 12:02 PM, Sergey Seacher  wrote:
>
> 26.10.2019 19:06, Sergey Seacher wrote:
>
> 26.10.2019 13:51, Reio Remma wrote:
>
> On 26/10/2019 13:35, Sergey Seacher wrote:
>
> Hello!
>
> How can I make, opensmtpd accept mail for all recipients: that are present in the file /etc/opensmtpd/aliases and that are not present?
> I had the rule in my /etc/opensmtpd/smtpd.conf file:
>>
>> accept \
>>    from any \
>>    for domain domain.ltd alias  \
>>    deliver to lmtp "/run/dovecot/lmtp" rcpt-to
>
> I have changed this rule to:
>>
>> accept \
>>    from any \
>>    for domain domain.ltd \
>>    deliver to lmtp "/run/dovecot/lmtp" rcpt-to
>
> Now, if I send to any recipient in my domain, for example rggg...@domain.ltd, I receive error 550, but I need mail to be delivered to i...@domain.ltd 
> Do you mean a catch all alias? Try adding to your aliases file:
>
> @domain.ltd i...@domain.ltd
>
> And re-add alias  to your accept rule.
>
> Thanks! Also I have changed table aliases to table vusers. It works.
> Not working again.
> The contents of the file /etc/opensmtpd/aliases:
>>
>> info              smtpd
>> @domain.ltd    i...@domain.ltd
>
> Rule in the file /etc/opensmtpd/smtpd.conf:
>>
>> accept \
>>    from any \
>>    for domain domain.ltd alias  \
>>    deliver to lmtp "/run/dovecot/lmtp" rcpt-to
>
> I sent an email to rggg...@domain.ltd and I got an error in log:
>>
>> ac73a7d6da66117e smtp event=connected address=209.85.208.173 host=mail-lj1-f173.google.com
>> ac73a7d6da66117e smtp event=failed-command address=209.85.208.173 host=mail-lj1-f173.google.com command="RCPT TO:" result="550 Invalid recipient"
>> ac73a7d6da66117e smtp event=closed address=209.85.208.173 host=mail-lj1-f173.google.com reason=quit
>
> Then I renamed the file /etc/opensmtpd/aliases to /etc/opensmtpd/vusers and changed the rule to:
>>
>> accept \
>>    from any \
>>    for domain domain.ltd virtual  \
>>    deliver to lmtp "/run/dovecot/lmtp" rcpt-to
>
> And now I get an error:
>>
>> e85fb8ffeed306b1 smtp event=connected address=209.85.167.50 host=mail-lf1-f50.google.com
>> e85fb8ffeed306b1 smtp event=message address=209.85.167.50 host=mail-lf1-f50.google.com msgid=7d1551d1 from= to= size=2904 ndest=1 proto=ESMTP
>> e85fb8ffeed306b1 smtp event=closed address=209.85.167.50 host=mail-lf1-f50.google.com reason=quit
>>  mda event=delivery evpid=7d1551d1e9537f74 from= to= rcpt=, user=smtpd method=lmtp delay=0s result=TempFail stat=Error ("RCPT TO rejected: 550 5.1.1  User doesn't exist: smtpd")
>
$ grep smtpd /etc/passwd
Edgar
> -- 
>
> Sergey


Re: Docker build is failing

2019-10-10 Thread Edgar Pettijohn
Kinda curious what the config.h looks like after you run configure.
On Oct 10, 2019 2:04 PM, Ihor Antonov  wrote:
>
> On Thu, 2019-10-10 at 14:46 -0400, Ihor Antonov wrote:
> > Docker build of portable branch is broken, and has been for a while
> > now. I discovered this while trying to test out Gilles' rspamd
> > plugin,
> > which requires latest 6.6 version
> > 
> > I am not a C developer, but from the error it a bit of googling it
> > looks like stuff from openbsd-compat/ is conflicting with some system
> > libraries. 
> > 
> > I did some bisecting and last good commit (in regards of Dockerfile
> > ) 
> > which was a while ago.
> > 
> > > Commit 9f6b7cc1b14624f919a6a9d7ac5a2ded002b2707
> > > Author: Arthur Moore 
> > > Date:   Wed Feb 20 22:20:56 2019 -0500
> > > 
> > >    Add an automated test to check if TLS certificates work
> > > 
> > >    This should allow Docker Hub to act as a CI platform.
> > 
> > Github Actions CI seems to be working fine, but it uses ubuntu, not
> > alpine.  I am happy to help fix/troubleshoot this but I
> > need  guidance
> > from someone who knows C. I am also interested in building it for
> > Alpine as I need this for my future work.
> > 
> > ---
> > Ihor Antonov
> > 
>
> Forgot to include the link to github issue
> https://github.com/OpenSMTPD/OpenSMTPD/issues/944
>
>


Re: Handling of mailing list (or other non system) accounts

2019-10-05 Thread Edgar Pettijohn
> > 
> > Accepting mails for user known to the system works, but what I haven't
> > thought about, are mailing lists. And probably, also mails to be
> > received in
> > [B]CC could be affected.
> > 
> > As those are not directly addressed to any account known to the system,
> > but
> > f.e "misc@opensmtpd.org", opensmtpd rejects them with an "550 Invalid
> > recipient"

sounds like a good response to me

> > 
> > That is a problem I have currently no idea on how to deal with this.
> > 

I don't understand how not accepting mails that you have no user to accept
is a problem. 


> > Any insides?
> > 

I think you need to provide more information about what you want to happen
and what is happening.

> > Thanks again
> > 
> > Thanks Ede
>

Edgar 



Re: unable to send mail from desktop mail client to remote email addresses

2019-10-03 Thread Edgar Pettijohn
Could you post your config. 
Thanks

On Oct 3, 2019 10:34 AM, Kevin  wrote:
On Thu, Oct 3, 2019 at 12:36 AM Peter N. M. Hansteen  wrote:
On Wed, Oct 02, 2019 at 11:33:58PM -0700, Kevin wrote:
> Hi all,
> 
> Having just followed the setup instructions on Gilles HOWTO page here:
> 
> 
> https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/
> 
> 
> ...I'm unable to send mail from my new OpenSMTPD server on OpenBSD 6.6-beta
> (OpenBSD 6.6-beta (GENERIC) #320: Mon Sep 30 21:24:24 MDT 2019); however,
> other deliveries (and mail retrieval) work.
> 
> The pertinent log message looks like this:
> 
> Oct  2 23:21:33 mx smtpd[25067]: bf1c57bab7fcd344 smtp envelope
> evpid=2c41c5fc4a7e6c06 from= to=
> Oct  2 23:21:33 mx smtpd[25067]: bf1c57bab7fcd344 smtp disconnected
> reason=quit
> Oct  2 23:21:38 mx smtpd[25067]: bf1c57b6b057c6ef mta error
> reason=Connection timeout

Connection timeout sounds very much like your machine is not allowed to send 
outgoing mail via SMTP. Check for firewalls and the like.

Also,

[Thu Oct 03 09:24:37] peter@skapet:~$ host example.app
Host example.app not found: 3(NXDOMAIN)
[Thu Oct 03 09:24:43] peter@skapet:~$ host mx.example.app
Host mx.example.app not found: 3(NXDOMAIN)

Among the things you need in order to deliver mail, a valid domain is in 
the top few. I think the basic requirements are indeed listed in the article
(under "Requirements"), please go back and re-read, check that you have
all of those set up properly.

I can see why you might think that given that I altered the real domain name to example.app. (I know it's frowned upon; I only did it because this is a new machine with a setup hobbling along. Bad Kevin... bad...)

In any event, I'm *sure* the domain DNS part is right as I can _receive_ email just fine, including from the same @gmail address I'm writing this from, ergo, DNS resolution of the real domain (and its MX record) are fine.

As for pf being the issue; it's disabled.

# pfctl -s info
Status: Disabled for 0 days 08:23:56             Debug: err

Latest, greatest kernel running:

$ dmesg | grep Open | tail -1
    OpenBSD 6.6 (GENERIC) #326: Wed Oct  2 22:34:33 MDT 2019

One of the things that's puzzling is this part of the log:

smtp disconnected reason=quit.

If I can send the domain email, if I can retrieve email via Dovecot, if I can send mail to myself from the server's CLI (and even retrieve it remotely via my mail client), it seems like there's some knob missing that says, "All auth'd users to relay," yet, I've copied-and-pasted Gilles' rules (and edited them for my own domain), and it am no workie.

Is there perhaps something else akin to the forwarding knob that lets PF forward packets between interfaces that either I've forgotten or was skipped in the HOWTO?

Thanks,
Kevin


Re: need help

2019-09-30 Thread Edgar Pettijohn

On Sep 30, 2019 9:10 AM, Reio Remma  wrote:
>
> On 30/09/2019 16:55, gil...@poolp.org wrote:
> > Hello,
> >
> > I'd like to bring native support for SPF in OpenSMTPD in a future release,
> > but for this I need a bit of help to make sure my SPF resolver works fine.
> >
> > I have created a repository with a standalone executable that performs the
> > SPF lookup and checks if an IP address is allowed to send on behalf of the
> > sending domain:
> >
> > https://github.com/poolpOrg/spf
> >
> > https://github.com/poolpOrg/spf/blob/master/README.md
> >
> >
> > If you could test and report issues, it would be nice,
> >
>
> Is it OpenBSD only atm?
>
> On CentOS 7:
>
> $ make
> Makefile:26: *** missing separator.  Stop.
>
> Reio
>
>

Looking at the makefile. My guess is yes, but you could try bmake and see if it 
gets further.

Edgar

Re: Senders based relaying & authentication

2019-09-26 Thread Edgar Pettijohn
It's the first example in smtpd.conf(5).

Edgar
On Sep 26, 2019 8:43 AM, john philip  wrote:
>
> Hello everybody.
> I'm new to the list :-)
>
> Postfix has senders-dependent routing and authentication.
>
> How to do senders-based relaying & authentication as Postfix
> to different smart hosts?
>
> On a laptop, for example:
>
> us...@isp1.com => smtp.isp1.com:465
> us...@isp1.com => smtp.isp1.com:465
>
> us...@isp2.com => smtp.isp2.com:587
> us...@isp3.com => smtp.isp3.com:465
> ..
>
> Thanks in advance.
>
> -- 
> john
>


Re: table-passwd

2019-09-23 Thread Edgar Pettijohn

On Sep 23, 2019 11:58 AM, Joerg Jung  wrote:
>
>
>
> > On 18. Sep 2019, at 09:38, gil...@poolp.org wrote:
> > 
> > September 17, 2019 11:41 PM, "Edgar Pettijohn"  
> > wrote:
> > 
> >> On Sep 17, 2019 9:05 AM, Gilles Chehade  wrote:
> >> 
> >>> Hello,
> >>> 
> >>> Is there anyone using table-passwd for _any_ other purposes than sharing
> >>> with Dovecot ?
> >>> 
> >>> I have built a fully virtual setup which shares credentials with Dovecot
> >>> and since I managed to do it _without_ table-passwd I'm wondering if the
> >>> table backend is really useful and if it was not created because someone
> >>> had overlooked the first few lines of the Dovecot documentation stating:
> >>> 
> >>> "For a password database, it's enough to have only the user and password
> >>> fields."
> >>> 
> >> 
> >> Not actually using it, but for dovecot to use it as a userdb as well as a 
> >> passdb it needs the
> >> additional fields.
> >> 
> > 
> > ok so I'm misunderstanding the use-case, let me explain why I'm curious:
> > 
> > I wrote table-passwd because I was told that if you wanted to create a 
> > virtual setup,
> > backed by one single user, you needed to have a passwd(5)-format file for 
> > Dovecot and
> > share that with OpenSMTPD.
> > 
> > But then I did a fully virtual setup for myself and I didn't use 
> > table-passwd, so the
> > rationale behind it falls a bit apart for me, unless there's other 
> > use-cases.
> > 
> > On my setup, file /etc/mail/accounts is a simple two columns 
> > username/password table:
> > 
> > # head -1 /etc/mail/accounts.txt 
> > gil...@poolp.org:$2b$09$0ek9ozmo1u0mSsiRo/z2AumROLK.70T9A6bP3mFDqb38L0sC5RvT6
> > #
> > 
> [...]
> > 
> > This allows both OpenSMTPD and Dovecot to authenticate accounts that are 
> > not system
> > users, allows OpenSMTPD to drop mail to a maildir owned by system account 
> > in charge
> > of virtual accounts and allows Dovecot to properly serve these accounts.
> > 
> > Am I missing your use-cases here ?
> > 
>
> Yes, this is perfectly fine for simpler cases, but as someone else 
> mentioned in this thread earlier already:
> Dovecot passdb knows about additional fields, in particular 
> to specify user specific quotas (usually rather important in 
> virtual user setups). table-passwd can handle/ignore these 
> extra_fields correctly. So my passwd file lines looks like this:
> f...@bar.de:$2b$::userdb_quota_rule=*:storage=10G
>
>
>

I'm guessing you are looking for fat to trim. Personally I like it as is. Just 
my two cents.

Edgar

Re: table-passwd

2019-09-17 Thread Edgar Pettijohn

On Sep 17, 2019 9:05 AM, Gilles Chehade  wrote:
>
> Hello,
>
> Is there anyone using table-passwd for _any_ other purposes than sharing
> with Dovecot ?
>
> I have built a fully virtual setup which shares credentials with Dovecot
> and since I managed to do it _without_ table-passwd I'm wondering if the
> table backend is really useful and if it was not created because someone
> had overlooked the first few lines of the Dovecot documentation stating:
>
> "For a password database, it's enough to have only the user and password
> fields."
>
> -- 
> Gilles Chehade    @poolpOrg
>
> https://www.poolp.org    patreon: https://www.patreon.com/gilles
>

Not actually using it, but for dovecot to use it as a userdb as well as a 
passdb it needs the additional fields.

Edgar

Re: smarthost + aliases

2019-09-13 Thread Edgar Pettijohn
On Sat, Sep 14, 2019 at 12:32:22AM +0200, Thomas Schweikle wrote:
> Hi!
> 
> Trying to set up opensmtpd as a simple single mta relaying all mail to a
> smarthost. But ...
> 
> Config:
> listen on localhost
> table aliases db:/etc/aliases.db
> table secrets db:/etc/smtpd.secrets.db
> expire 4h


Add:

accept for local alias  deliver to mbox
accept from local for any relay via smtps+auth://gm...@smtp.gmail.com:465 auth



> 
> aliases hold:
> root: @gmail.com
> 
> now: aliases are not used. If I change
> accept from local for any relay via smtps+auth://gm...@smtp.gmail.com:465 auth
> 
> 
> to
> 
> accept from local for any alias  relay via smtps+auth://
> gm...@smtp.gmail.com:465 auth 
> 
> "smtpd -n" exhausts:
> /etc/smtpd.conf:18: aliases/virtual may not be used with a relay rule
> warn: no rules, nothing to do
> 
> what i want is:
> - accept mail from local,
> - apply alias expansion so "root" -> "??@ maildomain"
> - relay the whole thing.
> 
> at the smarthost this shall look like:
> From: root??@ servername
> To: ??@ maildomain
> 
> any idea how to make it happen with opensmtpd?
> There are lots of examples to find within the www, but none with relaying. All
> with local delivery. But I like to relay and expand aliases before!
> 
> --
> Thomas



Re: My smtp server can't send emails to another ones (550 Invalid recipient)

2019-09-13 Thread Edgar Pettijohn
On Fri, Sep 13, 2019 at 08:04:12PM -0300, marcio_silva wrote:
> Hi all,
> 
> I am using Hyperbola distro with the following packages:
> 
> * opensmtpd 6.4.2p1
> * dkimproxy 1.4.1
> 
> I have installed a mail server to send and receive emails with my own domain
> with the following configurations:
> 
> * "smtp.libreware.info" as server
> * "libreware.info" as email address
> * "dusseldorf.libreware.info" as PTR in IPv4
> * "smtp.libreware.info" as PTR in IPv6
> 
> Features that works well:
> 
> * Accessing to port 587 SMTP+TLS
> * Receiving from itself and from another smtp servers around internet (eg.
> riseup.net emails)
> * Sending emails to itself and another @libreware.info users
> 
> Issues:
> 
> * Port 25 to send emails has not been tested
> * Localhost network has not been tested
> * Accessing to port 465 (SMTPS) is not working
> * Sending email to another smtp servers (eg. f...@libreware.info ->
> b...@example.com) is not working by generating 550 error (550 Invalid
> recipient)
> 
> 
> 
> smtpd.conf:
> 
> ## This is the smtpd server system-wide configuration file.
> ## See smtpd.conf(5), aliases(5) and table(5) for more information.
> 
> ca smtp.libreware.info cert
> '/etc/letsencrypt/archive/libreware.info/chain1.pem'
> 
> bounce warn-interval  '4h'
> 
> mta max-deferred  100
> 
> pki smtp.libreware.info cert
> '/etc/letsencrypt/archive/libreware.info/fullchain1.pem'
> pki smtp.libreware.info dhe   auto
> pki smtp.libreware.info key
> '/etc/letsencrypt/archive/libreware.info/privkey1.pem'
> 
> queue compression
> queue ttl '4d'
> 
> smtp ciphers  
> 'HIGH:AES128:!aNULL:!kDH:!kPSK:!NULL:!kRSA:!kRSAPSK:SHA:SHA256:SHA384:!TLSv1'
> smtp max-message-size '35M'
> smtp sub-addr-delim   '+'
> 
> table aliases '/etc/smtpd/tables.d/aliases.conf'
> table credentials '/etc/smtpd/tables.d/credentials.conf'
> table domains '/etc/smtpd/tables.d/domains.conf'
> table hostnames_inet  '/etc/smtpd/tables.d/hostnames.conf'
> table virtuals'/etc/smtpd/tables.d/virtuals.conf'
> 
> 
> 
> action deliver_to_inetmaildir 
> '/var/mail/%{user.username}/inbox'  \
>   alias   
> action deliver_to_local   maildir 
> '/var/mail/%{user.username}/inbox'  \
>   virtual 
> action relay_to_inet_smtp relay
>   helo-src
> action relay_to_inet_subm relay   
> \
>   helo-src
> \
>   host
> smtp+tls://la...@smtp.libreware.info:25 \
>   auth
> action relay_to_inet_submsrelay   
> \
>   helo-src
> \
>   host
> smtp+tls://la...@smtp.libreware.info:25 \
>   auth
> action relay_to_local relay
> 
> listen on lo  port   24   \
>   tag lmtp_local
> listen on eth0auth-optional  
> \
>   ca  smtp.libreware.info \
>   hostnames   \
>   mask-src\
>   pki smtp.libreware.info \
>   port   25   \
>   tag smtp_server_starttls\
>   tls-require
> listen on eth0auth   
> \
>   ca  smtp.libreware.info \
>   hostnames   \
>   mask-src\
>   pki smtp.libreware.info \
>   port  465   \
>   smtps   \
>   tag smtps_submission
> listen on eth0auth   
> \
>   ca  smtp.libreware.info \
>   hostnames   \
>   mask-src\
>   pki smtp.libreware.info \
>   port  587   \
>   tag smtp_submission_starttls\
>   tls-r

Re: Virtual User handling

2019-09-08 Thread Edgar Pettijohn

On Sep 8, 2019 7:58 AM, Ede Wolf  wrote:
>
>
> > 
> > 
> > Looks like lmtpd isn't running.
> > 
>
> Not sure whether there is such a thing as a lmtpd service? lmtpd is the 
> name of the user, that is supposed to connect to the socket.
>
> A bit unlucky naming maybe, but the "d" stands for deliver, not daemon.
>
> But maybe I am missing something else
>

https://manpages.debian.org/testing/cyrus-common/cyrus-lmtpd.8.en.html

Re: Virtual User handling

2019-09-07 Thread Edgar Pettijohn
On Sat, Sep 07, 2019 at 11:53:58AM +0200, Ede Wolf wrote:
> > > So it is a binary, that's useful information. Having specified /opt/smtpd
> > > as prefix during ./configure, it is located here:
> > > 
> > > /opt/smptd/libexec/opensmtpd/mail.lmtp
> > > 
> > 
> > Throw it in /usr/local/libexec/smtpd/ and see what happens. May be a build 
> > tools bug.
> > 
> 
> Excellent idea, however, the error stays the same. No change, despite
> copying the whole opensmtpd folder to /usr/local/libexec
> 
> 
> Even strace does not reveal the path it is looking for:
> 
> 
> expand: 0x56284c3f4338: expand_insert() called for
> address:m...@example.com[parent=(nil), rule=(nil)]
> expand: 0x56284c3f4338: inserted node 0x56284c3f6030
> expand: lka_expand: address: m...@example.com [depth=0]
> lookup: match "37.120.186.114" as NETADDR in table static: -> true
> lookup: match "example.com" as DOMAIN in table static: -> true
> rule #1 matched: match from any for domain  action deliver
> lookup: lookup "m...@example.com" as ALIAS in table static:vusers -> none
> lookup: lookup "mary" as ALIAS in table static:vusers -> none
> lookup: lookup "@example.com" as ALIAS in table static:vusers -> none
> lookup: lookup "@" as ALIAS in table static:vusers -> "lmtpd"
> expand: 0x56284c3f3b10: expand_insert() called for
> username:lmtpd[parent=(nil), rule=(nil)]
> expand: 0x56284c3f3b10: inserted node 0x56284c3f6590
> expand: 0x56284c3f4338: expand_insert() called for
> username:lmtpd[parent=0x56284c3f6030, rule=0x56284c403e50,
> dispatcher=0x56284c405750]
> expand: 0x56284c3f4338: inserted node 0x56284c3f6af0
> expand: 0x56284c3f3b10: clearing expand tree
> expand: 0x56284c3f3b10: freeing expand tree
> debug: aliases_virtual_get: '@example.com' resolved to 1 nodes
> expand: lka_expand: username: lmtpd [depth=1, sameuser=0]
> lookup: lookup "lmtpd@" as ALIAS in table static:vusers -> none
> lookup: lookup "lmtpd" as ALIAS in table static:vusers -> none
> lookup: lookup "@" as ALIAS in table static:vusers -> "lmtpd"
> expand: 0x56284c3ed110: expand_insert() called for
> username:lmtpd[parent=(nil), rule=(nil)]
> expand: 0x56284c3ed110: inserted node 0x56284c3f6590
> expand: 0x56284c3f4338: expand_insert() called for
> username:lmtpd[parent=0x56284c3f6af0, rule=0x56284c403e50,
> dispatcher=0x56284c405750]
> expand: 0x56284c3f4338: setting sameuser = 1
> expand: 0x56284c3f4338: inserted node 0x56284c3f7050
> expand: 0x56284c3ed110: clearing expand tree
> expand: 0x56284c3ed110: freeing expand tree
> debug: aliases_virtual_get: '@' resolved to 1 nodes
> expand: lka_expand: username: lmtpd [depth=2, sameuser=1]
> lookup: lookup "lmtpd" as USERINFO in table getpwnam: ->
> "115:115:/opt/smptd/var/lmtpd"
> [{EPOLLIN, {u32=6, u64=6}}], 32, -1) = 1
> epoll_ctl(3, EPOLL_CTL_DEL, 6, 0x7ffeb16e607c) = 0
> socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 12
> socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 13
> close(12)   = 0
> close(13)   = 0
> recvmsg(6, {msg_name=NULL, msg_namelen=0, 
> msg_iov=[{iov_base="4\0\0\0(\21\0\0\0\0\0\0\237\25\0\0[\300\213\3725\333\374!\0lmtpd\0\0"...,
> iov_len=65535}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 4392
> stat("/opt/smptd/var/lmtpd", {st_mode=S_IFDIR
> openat(AT_FDCWD, "/opt/smptd/var/lmtpd/.forward", O_RDONLY
> epoll_ctl(3, EPOLL_CTL_ADD, 6, {EPOLLIN
> epoll_ctl(3, EPOLL_CTL_DEL, 6, 0x7ffeb16e5fdc) = 0
> epoll_ctl(3, EPOLL_CTL_ADD, 6, {EPOLLIN
> epoll_wait(3, [{EPOLLOUT, {u32=6, u64=6}}], 32, -1) = 1
> epoll_ctl(3, EPOLL_CTL_DEL, 6, 0x7ffeb16e607c) = 0
> sendmsg(6, {msg_name=NULL, msg_namelen=0, 
> msg_iov=[{iov_base="4\0\0\0(\21\0\0\0\0\0\0\234\25\0\0[\300\213\3725\333\374!\1lmtpd\0\0"...,
> iov_len=4392}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 4392
> epoll_ctl(3, EPOLL_CTL_ADD, 6, {EPOLLIN, {u32=6, u64=6}}expand: no forward
> for user lmtpd, just deliver
> ) = 0
> epoll_wait(3, expand: 0x56284c3f4338: clearing expand tree
> smtp: 0x564267537b60: fd 14 from queue
> smtp: 0x564267537b60: message fd 14
> smtp: 0x564267537b60: message begin
> debug: 0x564267537b60: end of message, error=0
> 21fcdb35fa8bc05b smtp message msgid=22c2f515 size=245 nrcpt=1 proto=ESMTP
> 21fcdb35fa8bc05b smtp envelope evpid=22c2f5151c4decec
> from= to=
> debug: scheduler: evp:22c2f5151c4decec scheduled (mda)
> mda: new user 21fcdb36b331cade for ":lmtpd" delivering as "lmtpd"
> debug: lka: userinfo :lmtpd
> lookup: lookup "lmtpd" as USERINFO in table getpwnam: ->
> "115:115:/opt/smptd/var/lmtpd"
> debug: mda: new session 21fcdb37f01f7374 for user ":lmtpd" evpid
> 22c2f5151c4decec
> debug: mda: no more envelope for ":lmtpd"
> debug: mda: got message fd 14 for session 21fcdb37f01f7374 evpid
> 22c2f5151c4decec
> debug: mda: querying mda fd for session 21fcdb37f01f7374 evpid
> 22c2f5151c4decec
> [{EPOLLIN, {u32=7, u64=7}}], 32, -1) = 1
> epoll_ctl(3, EPOLL_CTL_DEL, 7, 0x7ffeb16e607c) = 0
> socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 12
> socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 

Re: Virtual User handling

2019-09-06 Thread Edgar Pettijohn

On Sep 6, 2019 12:40 PM, Ede Wolf  wrote:
>
> Am 06.09.19 um 18:59 schrieb Edgar Pettijohn:
> > Sounds like the mail.lmtp program is missing or not where it belongs. 
> > Should live somewhere in /usr/local/libexec. Find it and let us know where 
> > it is and somebody can probably tell you where it needs to be. Or it just 
> > didn't get built for some reason.
>
> So it is a binary, that's useful information. Having specified /opt/smtpd 
> as prefix during ./configure, it is located here:
>
> /opt/smptd/libexec/opensmtpd/mail.lmtp
>

Throw it in /usr/local/libexec/smtpd/ and see what happens. May be a build 
tools bug.

> Since libexec is usually not path anyway, I wonder, how to make smtpd 
> recognize it, if --prefix is not honored?
>
>
> > Your copy is apparently different from mine.
>
>
> Nope. I've cited smtpd.conf (from the opensmtpd homepage), you have 
> looked into tables. Since userbase is the only location I've come along 
> that uses the userinfo table, I've went with the attribute, not the 
> argument.
>

Agreed. Must be a bug in the documentation or the daemon. My bet is the manual 
is wrong.

Edgar
> Thanks again for helping out!
>
> Ede
>


Re: Virtual User handling

2019-09-06 Thread Edgar Pettijohn

On Sep 6, 2019 10:46 AM, Ede Wolf  wrote:
>
>
> > Maybe run 'smtpd -dv -T expand -T lookup -T rules' and see how OpenSMTPD 
> > is translating the aliases and which rules it's matching etc.
>
> This is a really helpful command. Maybe using that I can be a bit more 
> precise in defining my confusion.
>
> My simple setup, git pulled and build yesterday:
>
>
> action "deliver" lmtp "/run/cyrus/socket/lmtp" rcpt-to user lmtpd
> match from any for domain "example.com" rcpt-to  action deliver
>
>
> With "musers" only containing good ole b...@example.com and "lmtpd" being 
> a regular system user. Bob is not known to the system. And shall not.
>
> Now, the man page reads:
>
> user username
> Specify the username for performing the delivery, to be looked up with 
> getpwnam(3).
>
> and:
>
> userbase 
> Use the mapping table for user lookups instead of the getpwnam(3) function.
> ->The userbase does not apply for the user option.<-
>

Your copy is apparently different from mine.

Userinfo tables

User info tables are used in rule context to specify an alternate user base, 
mapping virtual users to local system users by UID, GID and home directory.

action name method userbase 

A userinfo table looks as follows:

joe 1000:100:/home/virtual/joe
jack 1000:100:/home/virtual/jack

In this example, both joe and jack are virtual users mapped to the local system 
user with UID 1000 and GID 100, but different home directories. These 
directories may contain a forward(5) file. This can be used in conjunction with 
an alias table that maps an email address or the domain part to the desired 
virtual username. For example:

j...@example.org joe
j...@example.com jack

It has to map to a system user.
If you want it to be lmtpd just replace the 1000:100 above with lmtpds uid:gid

> So my "user" attribute is lmtpd, a regular system user. But:
>
> af0267593be5b0a1 smtp connected address=
> expand: 0x5598b9f68328: expand_insert() called for 
> address:b...@example.com[parent=(nil), rule=(nil)]
> expand: 0x5598b9f68328: inserted node 0x5598b9f6a020
> expand: lka_expand: address: b...@example.com [depth=0]
> lookup: match "1.2.3.4" as NETADDR in table static: -> true
> lookup: match "example.com" as DOMAIN in table static: -> true
> lookup: match "b...@example.com" as MAILADDR in table static:musers -> true
> rule #1 matched: match from any for domain  rcpt-to musers 
> action deliver
> expand: 0x5598b9f68328: expand_insert() called for 
> username:bob[parent=0x5598b9f6a020, rule=0x5598b9f77e30, 
> dispatcher=0x5598b9f79750]
> expand: 0x5598b9f68328: inserted node 0x5598b9f6a580
>
> expand: lka_expand: username: bob [depth=1, sameuser=0]
> lookup: lookup "bob" as USERINFO in table getpwnam: -> none
> expand: lka_expand: user-part does not match system user
> expand: 0x5598b9f68328: clearing expand tree
> af0267593be5b0a1 smtp failed-command command="RCPT TO:" 
> result="550 Invalid recipient: "
>
> The problem is obviously: "lookup "bob" as USERINFO in table 
> getpwnam: -> none"
>
>
>
> Now the local delivery should be done with the user lmtpd, why is user 
> "bob" then looked up at all via USERINFO getpwnam, instead of lmtpd, 
> when userinfo shall not be used with the "user" attribute.
>
> Whether "userbase" is invoked via getpwnam or a USERINFO table, should 
> make no difference? It should not be used, when the "user" attribute is 
> being used?
>
> Automagically I should add, I have not defined the userbase parameter 
> anywhere in my config.
>
> Hopefully I've been able to narrow down my lack of comprehension. There 
> is something in the manpage I get wrong.
>
> Thanks
>
> Ede
>


Re: Virtual User handling

2019-09-06 Thread Edgar Pettijohn
Sounds like the mail.lmtp program is missing or not where it belongs. Should 
live somewhere in /usr/local/libexec. Find it and let us know where it is and 
somebody can probably tell you where it needs to be. Or it just didn't get 
built for some reason.

Edgar
On Sep 6, 2019 11:40 AM, Ede Wolf  wrote:
>
> Side note. While I would still like to understand, what I am 
> misunderstanding, practically, I've had some more success with using a 
> virtual catchall table, as recommended before by Edgar. However, there 
> is still one local error I do not yet comprehend:
>
> "Error being: stat=Error (temporary failure: "mail.lmtp: No such file or 
> directoryconnect")"
>
> And I am not sure, what is smtpd looking for or missing exactly? It 
> likely has to do with me using non standard paths, but that again may be 
> helpful for understanding.
>
> action "deliver" lmtp "/run/cyrus/socket/lmtp" rcpt-to virtual  
> user lmtpd
> match from any for domain "example.com" action deliver
>
> with vusers reading:
> @ lmtpd
>
>
> Here is a more complete log:
>
>
> 2c4cbc6c10aebcab smtp connected address=1.2.3.4 host=friendly.nospam.net
> expand: 0x56169b994348: expand_insert() called for 
> address:m...@example.com[parent=(nil), rule=(nil)]
> expand: 0x56169b994348: inserted node 0x56169b996040
> expand: lka_expand: address: m...@example.com [depth=0]
> lookup: match "1.2.3.4" as NETADDR in table static: -> true
> lookup: match "example.com" as DOMAIN in table static: -> true
> rule #1 matched: match from any for domain  action deliver
> lookup: lookup "m...@example.com" as ALIAS in table static:vusers -> none
> lookup: lookup "mary" as ALIAS in table static:vusers -> none
> lookup: lookup "@example.com" as ALIAS in table static:vusers -> none
> lookup: lookup "@" as ALIAS in table static:vusers -> "lmtpd"
> expand: 0x56169b993b40: expand_insert() called for 
> username:lmtpd[parent=(nil), rule=(nil)]
> expand: 0x56169b993b40: inserted node 0x56169b9965a0
> expand: 0x56169b994348: expand_insert() called for 
> username:lmtpd[parent=0x56169b996040, rule=0x56169b9a3e80, 
> dispatcher=0x56169b9a5780]
> expand: 0x56169b994348: inserted node 0x56169b996b00
> expand: 0x56169b993b40: clearing expand tree
> expand: 0x56169b993b40: freeing expand tree
> debug: aliases_virtual_get: '@example.com' resolved to 1 nodes
> expand: lka_expand: username: lmtpd [depth=1, sameuser=0]
> lookup: lookup "lmtpd@" as ALIAS in table static:vusers -> none
> lookup: lookup "lmtpd" as ALIAS in table static:vusers -> none
> lookup: lookup "@" as ALIAS in table static:vusers -> "lmtpd"
> expand: 0x56169b98d140: expand_insert() called for 
> username:lmtpd[parent=(nil), rule=(nil)]
> expand: 0x56169b98d140: inserted node 0x56169b9965a0
> expand: 0x56169b994348: expand_insert() called for 
> username:lmtpd[parent=0x56169b996b00, rule=0x56169b9a3e80, 
> dispatcher=0x56169b9a5780]
> expand: 0x56169b994348: setting sameuser = 1
> expand: 0x56169b994348: inserted node 0x56169b997060
> expand: 0x56169b98d140: clearing expand tree
> expand: 0x56169b98d140: freeing expand tree
> debug: aliases_virtual_get: '@' resolved to 1 nodes
> expand: lka_expand: username: lmtpd [depth=2, sameuser=1]
> lookup: lookup "lmtpd" as USERINFO in table getpwnam: -> 
> "115:115:/opt/smptd/var/lmtpd"
> expand: no .forward for user lmtpd, just deliver
> expand: 0x56169b994348: clearing expand tree
> smtp: 0x56047ce92b90: fd 14 from queue
> smtp: 0x56047ce92b90: message fd 14
> smtp: 0x56047ce92b90: message begin
> debug: 0x56047ce92b90: end of message, error=0
> 2c4cbc6c10aebcab smtp message msgid=fd6b9892 size=247 nrcpt=1 proto=SMTP
> 2c4cbc6c10aebcab smtp envelope evpid=fd6b9892d5ac7196 
> from= to=
> debug: scheduler: evp:fd6b9892d5ac7196 scheduled (mda)
> mda: new user 2c4cbc6d6d8e081f for ":lmtpd" delivering as "lmtpd"
> debug: lka: userinfo :lmtpd
> lookup: lookup "lmtpd" as USERINFO in table getpwnam: -> 
> "115:115:/opt/smptd/var/lmtpd"
> debug: mda: new session 2c4cbc6e7f005bc1 for user ":lmtpd" 
> evpid fd6b9892d5ac7196
> debug: mda: no more envelope for ":lmtpd"
> debug: mda: got message fd 14 for session 2c4cbc6e7f005bc1 evpid 
> fd6b9892d5ac7196
> debug: mda: querying mda fd for session 2c4cbc6e7f005bc1 evpid 
> fd6b9892d5ac7196
> debug: smtpd: forking mda for session 2c4cbc6e7f005bc1: lmtpd as lmtpd
> debug: mda: got mda fd 15 for session 2c4cbc6e7f005bc1 evpid 
> fd6b9892d5ac7196
> debug: mda: end-of-file for session 2c4cbc6e7f005bc1 evpid fd6b9892d5ac7196
> debug: mda: all data sent for session 2c4cbc6e7f005bc1 evpid 
> fd6b9892d5ac7196
> debug: smtpd: mda process done for session 2c4cbc6e7f005bc1: exited 
> abnormally
> 2c4cbc6d6d8e081f mda delivery evpid=fd6b9892d5ac7196 
> from= to= rcpt= 
> user=lmtpd delay=11s result=TempFail stat=Error (temporary failure: 
> "mail.lmtp: No such file or directoryconnect")
> debug: mda: session 2c4cbc6e7f005bc1 done
> debug: mda: user "lmtpd" becomes runnable
> debug: mda: all done for user ":lmtpd"
>
>
>
> Am 06.09.19 um 17:46 sc
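
An added example, not part of either message above: a small Python triage of `smtpd -dv -T expand -T lookup -T rules` output that pulls out the failed USERINFO lookup, the ALIAS fallback chain and the failing mda delivery seen in the two traces. The sample trace is constructed from the thread's lines with made-up ids and addresses; the function names and the `result=Ok` success value it compares against are this example's assumptions, and it expects unwrapped log lines rather than mail-quoted ones.

```python
import re

# Constructed sample modeled on the traces quoted in the thread
# (`smtpd -dv -T expand -T lookup -T rules`); ids and addresses are made up.
SAMPLE_TRACE = '''\
lookup: match "bob@example.com" as MAILADDR in table static:musers -> true
expand: lka_expand: username: bob [depth=1, sameuser=0]
lookup: lookup "bob" as USERINFO in table getpwnam: -> none
expand: lka_expand: user-part does not match system user
aaaa000000000001 smtp failed-command command="RCPT TO:<bob@example.com>" result="550 Invalid recipient: <bob@example.com>"
lookup: lookup "mary@example.com" as ALIAS in table static:vusers -> none
lookup: lookup "mary" as ALIAS in table static:vusers -> none
lookup: lookup "@example.com" as ALIAS in table static:vusers -> none
lookup: lookup "@" as ALIAS in table static:vusers -> "lmtpd"
lookup: lookup "lmtpd" as USERINFO in table getpwnam: -> "115:115:/home/lmtpd"
bbbb000000000002 mda delivery evpid=cccc000000000003 from=<a@example.net> to=<mary@example.com> rcpt=<mary@example.com> user=lmtpd delay=11s result=TempFail stat=Error (temporary failure: "mail.lmtp: No such file or directoryconnect")
'''

LOOKUP_RE = re.compile(
    r'^lookup: (?P<op>match|lookup) "(?P<key>[^"]*)" as (?P<kind>\w+) '
    r'in table (?P<table>\S+) -> (?P<result>.*)$')
FAILED_RE = re.compile(
    r'smtp failed-command command="(?P<cmd>.*)" result="(?P<res>.*)"$')
MDA_RE = re.compile(
    r'mda delivery .*\buser=(?P<user>\S+) .*\bresult=(?P<result>\w+) '
    r'stat=(?P<stat>.*)$')


def parse_lookup(line):
    """Parse one `lookup:` trace line into a dict, or return None."""
    m = LOOKUP_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    raw = rec.pop("result").strip()
    # Table misses are logged as `none` (lookup) or `false` (match).
    rec["hit"] = raw not in ("none", "false")
    rec["value"] = raw.strip('"') if rec["hit"] else None
    return rec


def triage(trace):
    """Walk a trace in order and return the findings that explain a failure."""
    findings, alias_misses = [], []
    for line in trace.splitlines():
        line = line.strip()
        rec = parse_lookup(line)
        if rec:
            if rec["kind"] == "ALIAS" and not rec["hit"]:
                # Remember each key smtpd tried before something matched.
                alias_misses.append(rec["key"])
            elif rec["kind"] == "ALIAS":
                findings.append(
                    ("alias", rec["key"], rec["value"], tuple(alias_misses)))
                alias_misses = []
            elif rec["kind"] == "USERINFO" and not rec["hit"]:
                # The expanded username has no uid/gid/home in this table.
                findings.append(("no-userinfo", rec["key"], rec["table"]))
            continue
        m = FAILED_RE.search(line)
        if m:
            findings.append(("rejected", m["cmd"], m["res"]))
            continue
        m = MDA_RE.search(line)
        # Assumption: successful deliveries are logged with result=Ok.
        if m and m["result"] != "Ok":
            findings.append(("mda-failed", m["user"], m["result"], m["stat"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_TRACE):
        print(finding)
```
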

Re: OpenSMTPD-Logwatch script.

2019-09-05 Thread Edgar Pettijohn
Look for poolporg on GitHub. He has a filter-eventlog that you can look at for 
inspiration.

Edgar
On Sep 5, 2019 5:37 AM, Reio Remma  wrote:
>
> On 05/09/2019 13:32, Martijn van Duren wrote:
> > On 9/5/19 11:55 AM, Reio Remma wrote:
> >> On 05/09/2019 11:33, gil...@poolp.org wrote:
> >>> Yes, see the smtpd.conf(5) man page:
> >>>
> >>> filter myreporter proc-exec "/tmp/reporting.sh"
> >>>
> >>> listen on [...] filter myreporter
> >> mproc: pony -> lka : 291 IMSG_SMTP_EXPAND_RCPT
> >>
> >> SMTPD seems to get stuck here with no errors. This is with the simple:
> >>
> >> filter reporter proc-exec "/etc/opensmtpd/reporter.sh"
> >>
> >> #!/bin/sh
> >> while read line; do
> >>      echo $line >> /var/log/opensmtpd.log
> >> done
> >>
> >> Reio
> >>
> > You need to register what events you want to receive and finish up with
> > register
> >
> > $ cat test.sh
> > #!/bin/sh
> >
> > while read line; do
> >  echo $line >&2
> >  if [ "${line%%\
> >  if [ "${line#*\
> >  echo "register
> >  echo "register
> >  fi
> >  continue
> >  fi
> > done
> >
> > Possible values for report are (from lka_report.c):
> > static struct smtp_events {
> >  const char *event;
> > } smtp_events[] = {
> >  { "link-connect" },
> >  { "link-disconnect" },
> >  { "link-greeting" },
> >  { "link-identify" },
> >  { "link-tls" },
> >  { "link-auth" },
> >
> >  { "tx-reset" },
> >  { "tx-begin" },
> >  { "tx-mail" },
> >  { "tx-rcpt" },
> >  { "tx-envelope" },
> >  { "tx-data" },
> >  { "tx-commit" },
> >  { "tx-rollback" },
> >
> >  { "protocol-client" },
> >  { "protocol-server" },
> >
> >  { "filter-response" },
> >
> >  { "timeout" },
> > };
> >
> > Possible values for filter are:
> > static struct filter_exec {
> >  enum filter_phase   phase;
> >  const char *phase_name;
> >  int    (*func)(struct filter_session *, struct filter *, uint64_t, const char *);
> > } filter_execs[FILTER_PHASES_COUNT] = {
> >  { FILTER_CONNECT,   "connect",  filter_builtins_connect },
> >  { FILTER_HELO,  "helo", filter_builtins_helo },
> >  { FILTER_EHLO,  "ehlo", filter_builtins_helo },
> >  { FILTER_STARTTLS,  "starttls", filter_builtins_notimpl },
> >  { FILTER_AUTH,  "auth", filter_builtins_notimpl },
> >  { FILTER_MAIL_FROM, "mail-from",    filter_builtins_mail_from },
> >  { FILTER_RCPT_TO,   "rcpt-to",  filter_builtins_rcpt_to },
> >  { FILTER_DATA,  "data", filter_builtins_notimpl },
> >  { FILTER_DATA_LINE, "data-line",    filter_builtins_notimpl },
> >  { FILTER_RSET,  "rset", filter_builtins_notimpl },
> >  { FILTER_QUIT,  "quit", filter_builtins_notimpl },
> >  { FILTER_NOOP,  "noop", filter_builtins_notimpl },
> >  { FILTER_HELP,  "help", filter_builtins_notimpl },
> >  { FILTER_WIZ,   "wiz",  filter_builtins_notimpl },
> >  { FILTER_COMMIT,    "commit",   filter_builtins_notimpl },
> > };
> >
> > reports come in in the format:
> > report
> >
> > filters come in in the format:
> > filter
> >
> > Note that filters require a proceed, rewrite, reject, or disconnect
> > reply in the form:
> >
> > filter-result
> > filter-result
> > filter-result
> > filter-result
> >
> > Note that this is mostly stable, but some changes may occur, so
> > keep track of the version. Minor versions are backwards compatible,
> > major versions are not.
> >
>
> Thanks! I'll keep digging. :)
>
> Reio
>
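
An added example, not code from the thread: a reporter in Python that completes the registration handshake described above (wait for `config|ready`, send `register|report|...` lines, finish with `register|ready`, flush) before logging events, which is the step the stuck `reporter.sh` never performs. The line formats follow smtpd-filters(7) and are an assumption about the running version; the function names are this example's own, and the event names are the ones listed from lka_report.c.

```python
import sys

# Report events listed in the thread (from lka_report.c).
REPORT_EVENTS = {
    "link-connect", "link-disconnect", "link-greeting", "link-identify",
    "link-tls", "link-auth",
    "tx-reset", "tx-begin", "tx-mail", "tx-rcpt", "tx-envelope", "tx-data",
    "tx-commit", "tx-rollback",
    "protocol-client", "protocol-server",
    "filter-response", "timeout",
}


def registration(events, subsystem="smtp-in"):
    """Build the lines a reporter sends back once smtpd says config|ready."""
    unknown = sorted(set(events) - REPORT_EVENTS)
    if unknown:
        raise ValueError("unknown report event(s): " + ", ".join(unknown))
    lines = ["register|report|%s|%s" % (subsystem, ev) for ev in events]
    lines.append("register|ready")
    return lines


def parse_report(line):
    """Split report|version|timestamp|subsystem|event|session|params..."""
    parts = line.rstrip("\n").split("|")
    if len(parts) < 6 or parts[0] != "report":
        return None
    return {
        "version": parts[1], "timestamp": parts[2], "subsystem": parts[3],
        "event": parts[4], "session": parts[5], "params": parts[6:],
    }


def run(inp, out, log, events=("link-connect", "link-disconnect")):
    """Handshake with smtpd, then log each report; returns reports seen."""
    # Phase 1: smtpd sends config|key|value lines and ends with config|ready.
    for line in inp:
        if line.rstrip("\n") == "config|ready":
            break
    else:
        return 0  # EOF before the handshake finished

    # Phase 2: register, then flush. Without the flush the reply can sit in
    # a stdio buffer and smtpd keeps waiting for register|ready.
    out.write("\n".join(registration(events)) + "\n")
    out.flush()

    # Phase 3: reports are one-way; a reporter never writes a reply.
    seen = 0
    for line in inp:
        rep = parse_report(line)
        if rep is None:
            continue
        log.write("%s %s %s %s\n" % (rep["timestamp"], rep["session"],
                                     rep["event"], " ".join(rep["params"])))
        seen += 1
    return seen


if __name__ == "__main__":
    run(sys.stdin, sys.stdout, sys.stderr)
```
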


Re: OpenSMTPD-Logwatch script.

2019-09-03 Thread Edgar Pettijohn
On Tue, Sep 03, 2019 at 09:29:14PM +0300, Reio Remma wrote:
> On 27.04.2018 12:26, Reio Remma wrote:
> > Hello all,
> > 
> > I've whipped together a Logwatch script for OpenSMTPD. If anyone is
> > interested in giving it a try, it's now at:
> > 
> > https://github.com/whataboutpereira/OpenSMTPD-Logwatch
> 
> Hello! I've now updated the Logwatch script to work with OpenSMTPD 6.6.0
> (current portable).
> 
> Good luck,
> Reio
>

Lots of errors with newer perls. :(

deathstar$ perl -v

This is perl 5, version 28, subversion 2 (v5.28.2) built for amd64-openbsd

Copyright 1987-2019, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl".  If you have access to the
Internet, point your browser at http://www.perl.org/, the Perl Home Page.

deathstar$ ./opensmtpd.pl   
 
Experimental keys on scalar is now forbidden at ./opensmtpd.pl line 523.
Type of arg 1 to keys must be hash or array (not hash element) at 
./opensmtpd.pl line 523, near "} ) "
Experimental keys on scalar is now forbidden at ./opensmtpd.pl line 527.
Type of arg 1 to keys must be hash or array (not hash element) at 
./opensmtpd.pl line 527, near "};"
Experimental keys on scalar is now forbidden at ./opensmtpd.pl line 541.
Type of arg 1 to keys must be hash or array (not hash element) at 
./opensmtpd.pl line 541, near "} )"
Experimental keys on scalar is now forbidden at ./opensmtpd.pl line 553.
Type of arg 1 to keys must be hash or array (not hash element) at 
./opensmtpd.pl line 553, near "} ) "
Experimental keys on scalar is now forbidden at ./opensmtpd.pl line 557.
Type of arg 1 to keys must be hash or array (not hash element) at 
./opensmtpd.pl line 557, near "};"
./opensmtpd.pl has too many errors 



Re: Virtual User handling

2019-09-02 Thread Edgar Pettijohn

On Sep 2, 2019 3:18 AM, Reio Remma  wrote:
>
> On 02/09/2019 10:35, Ede Wolf wrote:
> > Hello Edgar,
> >
> > thanks very much for your in depth reply and the effort you've put 
> > into it.
> >
> > As for the "user" keyword, the way I understand this, is that it 
> > equals the "as" statement in the old version.
> >
> > ... lmtp "/run/cyrus/lmtp" rcpt-to ->as nobody<-
>
> I'm using multiple virtual domains myself and delivering to Dovecot via 
> LMTP with no user parameter. I _suspect_ it's more useful when you let 
> OpenSMTPD deliver straight to mailboxes.
>
> > Back to your reply: That catchall from your example in "@ catchall" is 
> > not a keyword, is it? But a local user account?
>
> @example.com needs to be aliased to a real mail account to receive all these.
>
> > > but some real user has to own the mailbox...
> >

When smtpd goes looking for a .forward file it gets mad if there isn't a 
mailbox to look in. :)

> > Care to explain, why is that? From my unknowledgeable point of view, 
> > the mailbox handling should be done on the other side of the lmtpd 
> > socket. This misconception is at the very heart of my question.
>
> Maybe run 'smtpd -dv -T expand -T lookup -T rules' and see how OpenSMTPD 
> is translating the aliases and which rules it's matching etc.
>
> Good luck,
> Reio
>
>


Re: Building 6.4.2p1 without ssl?

2019-09-02 Thread Edgar Pettijohn
Look through the archives. There was someone recently building on Debian with a 
similar issue. 
On Sep 2, 2019 2:48 AM, Ede Wolf  wrote:
>
> Hello,
>
> trying to compile opensmtp it fails with openssl errors, so I've tried 
> to specify --without-libssl at configure time, as at least for testing 
> and learning the basics it is not really that important, but it does not 
> seem to get honored.
>
> Any idea, what I may have to change?
>
> Thanks
>
> Ede
>
>
>
> In case anybody has an idea for building with openssl, here are the 
> final words of the compiler:
>
>
> # gcc --version
> gcc (Gentoo 8.3.0-r1 p1.1) 8.3.0
>
> # openssl version
> OpenSSL 1.1.1c  28 May 2019
>
>
>
> ..
>
> gcc -DHAVE_CONFIG_H -I. -I..  -I../smtpd -I../openbsd-compat 
> -I../openbsd-compat/err_h -I/usr/include   -mtune=skylake -march=skylake 
> -fomit-frame-pointer -O2 -pipe  -fPIC -DPIC -Wall -Wpointer-arith 
> -Wuninitialized -Wsign-compare -Wformat-security 
> -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result 
> -fno-strict-aliasing -fno-builtin-memset -fPIE -D_BSD_SOURCE 
> -D_DEFAULT_SOURCE  -c -o fmt_scaled.o fmt_scaled.c
> fmt_scaled.c: In function 'fmt_scaled':
> fmt_scaled.c:243:52: warning: '%1lld' directive output may be truncated 
> writing between 1 and 17 bytes into a region of size between 0 and 5 
> [-Wformat-truncation=]
>     (void)snprintf(result, FMT_SCALED_STRSIZE, "%lld.%1lld%c",
>  ^
> fmt_scaled.c:243:46: note: directive argument in the range 
> [-9007199254740991, 9007199254740991]
>     (void)snprintf(result, FMT_SCALED_STRSIZE, "%lld.%1lld%c",
>    ^~
> In file included from /usr/include/stdio.h:867,
>   from openbsd-compat.h:189,
>   from includes.h:67,
>   from fmt_scaled.c:41:
> /usr/include/bits/stdio2.h:67:10: note: '__builtin___snprintf_chk' 
> output between 5 and 40 bytes into a destination of size 7
>     return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
>    ^~~~
>  __bos (__s), __fmt, __va_arg_pack ());
>  ~
> gcc -DHAVE_CONFIG_H -I. -I..  -I../smtpd -I../openbsd-compat 
> -I../openbsd-compat/err_h -I/usr/include   -mtune=skylake -march=skylake 
> -fomit-frame-pointer -O2 -pipe  -fPIC -DPIC -Wall -Wpointer-arith 
> -Wuninitialized -Wsign-compare -Wformat-security 
> -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result 
> -fno-strict-aliasing -fno-builtin-memset -fPIE -D_BSD_SOURCE 
> -D_DEFAULT_SOURCE  -c -o fparseln.o fparseln.c
> rm -f libopenbsd-compat.a
> /usr/bin/ar cru libopenbsd-compat.a base64.o bsd-getpeereid.o bsd-misc.o 
> bsd-waitpid.o entropy.o event_asr_run.o fgetln.o freezero.o getopt.o 
> imsg.o imsg-buffer.o pidfile.o pw_dup.o reallocarray.o recallocarray.o 
> setproctitle.o setresguid.o strlcat.o strlcpy.o strmode.o strtonum.o 
> strsep.o vis.o xmalloc.o  crypt_checkpass.o  bsd-closefrom.o   bsd-err.o 
> errc.o  fmt_scaled.o  fparseln.o
> ranlib libopenbsd-compat.a
> make[2]: Leaving directory '/root/build/opensmtpd-6.4.2p1/openbsd-compat'
> Making all in mk
> make[2]: Entering directory '/root/build/opensmtpd-6.4.2p1/mk'
> Making all in smtpd
> make[3]: Entering directory '/root/build/opensmtpd-6.4.2p1/mk/smtpd'
> gcc -DHAVE_CONFIG_H -I. -I../..  -I../../smtpd -I../../openbsd-compat 
> -I../../openbsd-compat/err_h -I../../openbsd-compat/paths_h -I. 
> -I/usr/include  -DSMTPD_CONFDIR=\"/opt/smptd/etc\" 
> -DPATH_CHROOT=\"/opt/smptd/var/empty\" 
> -DPATH_SMTPCTL=\"/opt/smptd/sbin/smtpctl\" 
> -DPATH_MAILLOCAL=\"/opt/smptd/libexec/opensmtpd/mail.local\" 
> -DPATH_LIBEXEC=\"/opt/smptd/libexec/opensmtpd\" -DHAVE_CONFIG_H -DIO_SSL 
> -DCA_FILE=\"/etc/ssl/cert.pem\" -mtune=skylake -march=skylake 
> -fomit-frame-pointer -O2 -pipe  -fPIC -DPIC -Wall -Wpointer-arith 
> -Wuninitialized -Wsign-compare -Wformat-security 
> -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result 
> -fno-strict-aliasing -fno-builtin-memset -fPIE -D_BSD_SOURCE 
> -D_DEFAULT_SOURCE  -D_GNU_SOURCE -DNEED_EVENT_ASR_RUN -c -o 
> ./../smtpd/smtpd-aliases.o `test -f '../../smtpd/aliases.c' 
> './'`../../smtpd/aliases.c
> ./../smtpd/aliases.c: In function 'aliases_get':
> ./../smtpd/aliases.c:56:23: warning: variable 'userbase' set but not 
> used [-Wunused-but-set-variable]
>    struct table    *userbase = NULL;
>     ^~~~
> ./../smtpd/aliases.c: In function 'aliases_virtual_get':
> ./../smtpd/aliases.c:114:23: warning: variable 'userbase' set but not 
> used [-Wunused-but-set-variable]
>    struct table    *userbase = NULL;
>     ^~~~
> gcc -DHAVE_CONFIG_H -I. -I../..  -I../../smtpd -I../../openbsd-compat 
> -I../../openbsd-compat/err_h -I../../openbsd-compat/paths_h -I. 
> -I/usr/include  -DSMTPD_CONFDIR=\"/opt/smptd/etc\" 
> -DPATH_CHRO

Re: Virtual User handling

2019-08-31 Thread Edgar Pettijohn
On Fri, Aug 30, 2019 at 11:14:37PM -0500, Edgar Pettijohn wrote:
> On Fri, Aug 30, 2019 at 05:00:24PM +0200, Ede Wolf wrote:
> > Hello,
> > 
> >
> 
> Semi complete example at the bottom. I'll leave it to you to reverse translate
> to the old syntax. I didn't notice till after I was done and am too lazy to 
> change it. :) Also noticed while re-reading smtpd.conf(5) there is a `user' 
> keyword that can be used in an action:
> 
>  user username
>  Specify the username for performing the delivery, to be
>  looked up with getpwnam(3).
> 
>  This is used for virtual hosting where a single username
>  is in charge of handling delivery for all virtual users.
> 
>  This option is not usable with the mbox delivery method.
> 
> Not sure if it's available in whichever version you are using, but may make 
> things easier enough to warrant an upgrade.
>  
> > While trying to learn opensmtpd, amongst other things I am struggling with
> > the virtual user handling - for a non virtual domain setup.
> > 
> > From what I have been able to understand so far it seems, as if there is no
> > way to deliver mails to a lmtp socket, if there is not at least some
> > reference/mapping to a system user?
> > 
> > accept from any for domain "example.com" recipient  alias 
> > deliver to lmtp "/run/cyrus/lmtp" rcpt-to as nobody
> > 
> > where vusers contains:
> 
> vusers would need to be `key => value' pairs
> 
> > b...@example.com
> 
> This is a list. More suitable for a vdomains table.
> 
> > 
> > However, despite being listed in vusers, when trying to send a mail to bob,
> > it gets rejected with "550 Invalid recipient". Creating a systemuser "bob"
> > makes it work. But then I do not need the vusers table, so I am wondering,
> > is it possible to get along without the need for a system user?
> > Now the man page mentions a userbase parameter, and I assume, the according
> > table has to be in the format of the userinfo table mentioned in tables(5)?
> > What then effectively again refers to a system user - just with a mapping in
> > between.
> > 
> > My attempts with a single userlist instead so far either resulted in a
> > 'invalid use of table "susers" as USERBASE parameter' or simply a syntax
> > error.
> > 
> > Is that assumption correct? Is there no way of keeping virtual users
> > completely off the system or did I get something terribly wrong? Even when
> > not using mbox/Maildir at all, where this requirement could make sense?
> >
> 
> They are off the system, but some real user has to own the mailbox, etc...
>  
> > And since user filtering will eventually be done at an earlier stage, I
> > would like smtpd to be able to unconditionally forward any mail unaltered
> > (except aliases) to the lmtp socket.
> > 
> > So, in addition to bob@example as for the tests com I would like to be able
> > to use *@example.com or just example.com to not do any user checking at all.
> > Depending on the syntax requirements.
> > 
> > Is it possible to deactivate the user checking one way or the other?
> 
> you could use a catchall
> 
> /etc/mail/vusers
> 
> @ catchall
> 
> > 
> > Thanks for any insight or heads up on what I may have missed or
> > misunderstood.
> > 
> > 
> > Ede
> >
> 
> groupadd -g 5000 vmail
> useradd -g vmail -u 5000 vmail -d /var/vmail -m
> chown -R vmail.vmail /var/vmail
> 
> /etc/mail/userinfo
> 
> bob   5000:5000:/var/vmail/bob
> 
> /etc/mail/vusers
> 
> b...@example.com  bob
> 
> /etc/mail/smtpd.conf snippet
> 
> action "a01" lmtp "/var/cyrus/lmtp" rcpt-to  userbase  virtual 
>  
> # may need to finesse the above. I'm not using cyrus or userbase table, so 
> not 100 percent
> # sure if it will work as is.
> 
> match from all for domain  action "a01"

Another option (that I use):

/etc/mail/vusers

b...@example.com    vmail

action "a01" lmtp "/var/cyrus/lmtp" rcpt-to virtual 
match from all for domain  action "a01"

No need for the userbase. I'm not really sure where a userbase table comes into 
play. Maybe someone out there using it can provide an example use case.

> 
> it sorta works...
> deathstar$ telnet localhost 25 
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 deathstar.my.domain ESMTP OpenSMTPD
> ehlo p.com
> 2

Re: Virtual User handling

2019-08-30 Thread Edgar Pettijohn
On Fri, Aug 30, 2019 at 05:00:24PM +0200, Ede Wolf wrote:
> Hello,
> 
>

Semi complete example at the bottom. I'll leave it to you to reverse translate
to the old syntax. I didn't notice till after I was done and am too lazy to 
change it. :) Also noticed while re-reading smtpd.conf(5) there is a `user' 
keyword that can be used in an action:

 user username
 Specify the username for performing the delivery, to be
 looked up with getpwnam(3).

 This is used for virtual hosting where a single username
 is in charge of handling delivery for all virtual users.

 This option is not usable with the mbox delivery method.

Not sure if it's available in whichever version you are using, but may make 
things easier enough to warrant an upgrade.
 
> While trying to learn opensmtpd, amongst other things I am struggling with
> the virtual user handling - for a non virtual domain setup.
> 
> From what I have been able to understand so far it seems, as if there is no
> way to deliver mails to a lmtp socket, if there is not at least some
> reference/mapping to a system user?
> 
> accept from any for domain "example.com" recipient  alias 
> deliver to lmtp "/run/cyrus/lmtp" rcpt-to as nobody
> 
> where vusers contains:

vusers would need to be `key => value' pairs

> b...@example.com

This is a list. More suitable for a vdomains table.

> 
> However, despite being listed in vusers, when trying to send a mail to bob,
> it gets rejected with "550 Invalid recipient". Creating a systemuser "bob"
> makes it work. But then I do not need the vusers table, so I am wondering,
> is it possible to get along without the need for a system user?
> Now the man page mentions a userbase parameter, and I assume, the according
> table has to be in the format of the userinfo table mentioned in tables(5)?
> What then effectively again refers to a system user - just with a mapping in
> between.
> 
> My attempts with a single userlist instead so far either resulted in a
> 'invalid use of table "susers" as USERBASE parameter' or simply a syntax
> error.
> 
> Is that assumption correct? Is there no way of keeping virtual users
> completely off the system or did I get something terribly wrong? Even when
> not using mbox/Maildir at all, where this requirement could make sense?
>

They are off the system, but some real user has to own the mailbox, etc...
 
> And since user filtering will eventually be done at an earlier stage, I
> would like smtpd to be able to unconditionally forward any mail unaltered
> (except aliases) to the lmtp socket.
> 
> So, in addition to bob@example as for the tests com I would like to be able
> to use *@example.com or just example.com to not do any user checking at all.
> Depending on the syntax requirements.
> 
> Is it possible to deactivate the user checking one way or the other?

you could use a catchall

/etc/mail/vusers

@   catchall

> 
> Thanks for any insight or heads up on what I may have missed or
> misunderstood.
> 
> 
> Ede
>

groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail -d /var/vmail -m
chown -R vmail.vmail /var/vmail

/etc/mail/userinfo

bob 5000:5000:/var/vmail/bob

/etc/mail/vusers

b...@example.com    bob

/etc/mail/smtpd.conf snippet

action "a01" lmtp "/var/cyrus/lmtp" rcpt-to  userbase  virtual 
 
# may need to finesse the above. I'm not using cyrus or userbase table, so not 
100 percent
# sure if it will work as is.

match from all for domain  action "a01"

it sorta works...
deathstar$ telnet localhost 25 
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 deathstar.my.domain ESMTP OpenSMTPD
ehlo p.com
250-deathstar.my.domain Hello p.com [127.0.0.1], pleased to meet you
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-SIZE 36700160
250-DSN
250 HELP
mail from:
250 2.0.0 Ok
rcpt to: 
250 2.1.5 Destination address valid: Recipient ok
data
354 Enter mail, end with "." on a line by itself
to: u
from: me

hi bob.

.
250 2.0.0 0a7d910f Message accepted for delivery

a19e5552f2afe6dc smtp connected address=127.0.0.1 host=localhost
debug: aliases_virtual_get: 'bob' resolved to 1 nodes
debug: aliases_virtual_get: 'bob' resolved to 1 nodes
warn: smtpd: parent_forward_open: /var/mail/bob: No such file or directory
smtp: 0x1903053fd000: fd 13 from queue
smtp: 0x1903053fd000: message fd 13
smtp: 0x1903053fd000: message begin
debug: 0x19034b71f000: adding Date
debug: 0x19034b71f000: adding Message-ID
debug: 0x1903053fd000: end of message, error=0
a19e5552f2afe6dc smtp message msgid=0a7d910f size=335 nrcpt=1 proto=ESMTP
a19e5552f2afe6dc smtp envelope evpid=0a7d910fa2469b23 
from= to=
debug: scheduler: evp:0a7d910fa2469b23 scheduled (mda)
mda: new user a19e5554bded3360 for "userinfo:bob" delivering as "root"
debug: lka: userinfo userinfo:bob
debug: mda: new session a19e20bf2fa5 for user "userinfo:bob" evpid 
0a7d910fa2469b23
debug: mda: no more envelope for "userinfo:bob"
debug: m

Re: Question about match auth with the new syntax.

2019-08-28 Thread Edgar Pettijohn

On Aug 28, 2019 1:52 PM, Reio Remma  wrote:
>
> Hello!
>
> I've pretty much converted my setup to the new syntax now and I'm 
> wondering if I get this right.
>
> I understand that from local was changed to not include authenticated 
> users, but my question is does "match auth" match both authenticated and 
> local users?
>
> I currently have - "match auth from any for any action dkim" - and I see 
> that I can send mail from command line using that rule, so I'm guessing 
> yes. :)
>
> Maybe the man page could reflect these bits for match auth and match 
> from local.
>

Match from local for local is a default rule. You have to specifically negate 
it if you don't want it. 

Edgar

> Thanks!
> Reio
>


Re: stumped on virtual aliases

2019-08-24 Thread Edgar Pettijohn
On Sat, Aug 24, 2019 at 06:02:55PM +0200, Joseph A Borg wrote:
> AFAIK I can do that Edgar, I'm already filtering on domain, so the domain 
> stump is not really necessary. 
> 
> This is not an urgent work situation, I'm just trying things out and spent 
> way too much time understanding this not to bother the list. If there is a 
> workaround or it's a known issue it's fine. Most probably I'm 
> misunderstanding things.
> 
> Correct me if I'm wrong: I'm assuming, conceptually, that once the 
> aliases in a message's [RCPT TO list] are expanded, the new addresses go 
> through the rule set again and enqueued if they match something that ends up 
> in a mailbox, forwarded. At least that's what I remember from one of Gilles' 
> articles. If I'm imagining too much then I'll try something else. :)
> 
> I'm trying to run smtpd -F -v -T all and not getting anything on the 
> command line.

-F logs to syslogd. If you want to see it try `smtpd -dv -T all'

Not entirely helpful, but I switched to sql tables because I couldn't figure 
out a similar situation.

Edgar

> 
> 
> regards to all on a sultry Saturday evening
> 
> 
> > On 24 Aug 2019, at 17:43, Edgar Pettijohn  wrote:
> > 
> > On Sat, Aug 24, 2019 at 04:14:21PM +0200, Joseph A Borg wrote:
> >> I'm trying to match an email: nos...@domain.tld to expand to 
> >> webmas...@domain.tld and deliver to local mailbox.
> >> 
> >> My setup is pretty simple and works well for virtual mailboxes linked to a 
> >> couple of virtual domains. Now I'm trying to add aliases to some accounts.
> >> 
> >> From the error, it seems like smtpd is not transforming the alias address 
> >> into the final address for delivery.
> >> Seems like I'm not understanding how smtpd transforms a recipient 
> >> address in an  into the actual recipient for delivery.
> >> 
> >> I must be conceptually stumped on this one.
> >> 
> >> I get the following error in logs and a return mail from smtpd to sender:
> >> 
> >>> 
> >>> I'm sorry to have to inform you that your message could not
> >>> be delivered to one or more recipients.
> >>> 
> >>> 
> >>> : host mx.domain.tld[xxx.xxx.xxx.xxx] said: 550 Invalid
> >>>   recipient:  (in reply to RCPT TO command)
> >>> Reporting-MTA: dns; st43p00im-zteg10071901.me.com
> >>> X-Postfix-Queue-ID: 4E253D8138E
> >>> X-Postfix-Sender: rfc822; sen...@domain2.tld
> >>> Arrival-Date: Sat, 24 Aug 2019 10:24:30 + (UTC)
> >>> 
> >>> Final-Recipient: rfc822;nos...@domain.tld
> >>> Original-Recipient: rfc822;nos...@domain.tld
> >>> Action: failed
> >>> Status: 5.0.0
> >>> Remote-MTA: dns; mx.domain.tld
> >>> Diagnostic-Code: smtp; 550 Invalid recipient: 
> >>> 
> >>> From: 
> >>> Subject: Fwd: Undelivered Mail Returned to Sender
> >>> Date: 24 August 2019 at 12:24:27 GMT+2
> >>> To: nos...@domain.tld
> >>> 
> >> 
> >> 
> >> 
> >> the configuration files for the domain and tables follows.
> >> 
> >> 
> >> 
> >> 
> >> # file:/etc/mail/domain.tld/accounts/valiases:
> >> =
> >>> nospam webmas...@domain.tld
> >> ## EOF
> >> 
> >> # file:/etc/mail/domain.tld/accounts/emails
> >> 
> >>> webmas...@domain.tld::/home/domain/mail/master
> >>> webdus...@domain.tld::/home/domain/mail/duster
> >>> webbus...@domain.tld::/home/domain/mail/buster
> > 
> > I'm not sure this will work. I'm not sure you can map a virtual user to 
> > a single system user with multiple `homes'.
> > 
> > maybe try:
> > 
> > webmaster   ::/home/domain/mail/master
> > 
> > and see if that gets you further.
> > 
> >> ## EOF
> >> 
> >> # file:/etc/mail/domain.sub.smtpd.conf
> >> =
> >> 
> >>> ## =
> >>> ## DOMAIN CONFIGURATION:
> >>> ## =
> >>> # TABLE DECLARATIONS:
> >>> # ---
> >>> table domains   \
> >>>file:/etc/mail/domain.tld/domains
> >>> table valiases  \
> >>>file:/etc/mail/domain.tld/accounts/valiases
> >>> table e-boxes   \
> >>>file:/etc/mail/domain.tld/accounts/emails
> >>> 
> >>> # ACTIONS
> >>> # ---
> >>> action valiases_set \
> >>>expand-only \ 
> > 
> > Seems like expand-only should work with `virtual' aliases, but I'm not sure.
> > Maybe remove it and see what happens.
> > 
> >>>virtual 
> >>> action deliver_virtual_set  \
> >>>maildir \
> >>>userbase 
> >>> 
> >>> # MATCHES
> >>> # ---
> >>> match from any  \
> >>>  for domain   \
> >>>  action valiases_set
> >>> match from any  \
> >>>  for domain   \
> >>>  action deliver_virtual_set
> >>> 
> >>> 
> >> 
> > 
> > Hope this helps.
> > 
> > Edgar
> 



Re: stumped on virtual aliases

2019-08-24 Thread Edgar Pettijohn
On Sat, Aug 24, 2019 at 04:14:21PM +0200, Joseph A Borg wrote:
> I'm trying to match an email: nos...@domain.tld to expand to 
> webmas...@domain.tld and deliver to local mailbox.
> 
> My setup is pretty simple and works well for virtual mailboxes linked to a 
> couple of virtual domains. Now I'm trying to add aliases to some accounts.
> 
> From the error, it seems like smtpd is not transforming the alias address 
> into the final address for delivery.
> Seems like I'm not understanding how smtpd transforms a recipient address 
> in an  into the actual recipient for delivery.
> 
> I must be conceptually stumped on this one.
> 
> I get the following error in logs and a return mail from smtpd to sender:
> 
> > 
> > I'm sorry to have to inform you that your message could not
> > be delivered to one or more recipients.
> > 
> > 
> > : host mx.domain.tld[xxx.xxx.xxx.xxx] said: 550 Invalid
> >recipient:  (in reply to RCPT TO command)
> > Reporting-MTA: dns; st43p00im-zteg10071901.me.com
> > X-Postfix-Queue-ID: 4E253D8138E
> > X-Postfix-Sender: rfc822; sen...@domain2.tld
> > Arrival-Date: Sat, 24 Aug 2019 10:24:30 + (UTC)
> > 
> > Final-Recipient: rfc822;nos...@domain.tld
> > Original-Recipient: rfc822;nos...@domain.tld
> > Action: failed
> > Status: 5.0.0
> > Remote-MTA: dns; mx.domain.tld
> > Diagnostic-Code: smtp; 550 Invalid recipient: 
> > 
> > From: 
> > Subject: Fwd: Undelivered Mail Returned to Sender
> > Date: 24 August 2019 at 12:24:27 GMT+2
> > To: nos...@domain.tld
> > 
> 
> 
> 
> the configuration files for the domain and tables follows.
> 
> 
> 
> 
> # file:/etc/mail/domain.tld/accounts/valiases:
> =
> > nospam webmas...@domain.tld
> ## EOF
> 
> # file:/etc/mail/domain.tld/accounts/emails
> 
> > webmas...@domain.tld::/home/domain/mail/master
> > webdus...@domain.tld::/home/domain/mail/duster
> > webbus...@domain.tld::/home/domain/mail/buster

I'm not sure this will work. I'm not sure you can map a virtual user to 
a single system user with multiple `homes'.

maybe try:

webmaster   ::/home/domain/mail/master

and see if that gets you further.

> ## EOF
> 
> # file:/etc/mail/domain.sub.smtpd.conf
> =
> 
> > ## =
> > ## DOMAIN CONFIGURATION:
> > ## =
> > # TABLE DECLARATIONS:
> > # ---
> > table domains   \
> > file:/etc/mail/domain.tld/domains
> > table valiases  \
> > file:/etc/mail/domain.tld/accounts/valiases
> > table e-boxes   \
> > file:/etc/mail/domain.tld/accounts/emails
> > 
> > # ACTIONS
> > # ---
> > action valiases_set \
> > expand-only \ 

Seems like expand-only should work with `virtual' aliases, but I'm not sure.
Maybe remove it and see what happens.

> > virtual 
> > action deliver_virtual_set  \
> > maildir \
> > userbase 
> > 
> > # MATCHES
> > # ---
> > match from any  \
> >   for domain   \
> >   action valiases_set
> > match from any  \
> >   for domain   \
> >   action deliver_virtual_set
> > 
> > 
> 

Hope this helps.

Edgar



Re: table api question

2019-08-24 Thread Edgar Pettijohn
On Sat, Aug 24, 2019 at 08:19:00AM +, gil...@poolp.org wrote:
> On 24 August 2019 at 02:59, "Edgar Pettijohn" wrote:
> 
> > I am writing a table-lua, however the table_lua_update function doesn't 
> > appear to be called.
> > Here are relevant pieces of the code.
> > 
> > The lookup function works. However, it would be more ideal to have the 
> > update() called early
> > to fill in the tables for the other functions. As is the lookup() has to do 
> > the work of both.
> > 
> > Any help is appreciated.
> > 
> 
> update is called when you issue an `smtpctl table update ` command.

Makes sense. However, the smtpctl manual says it's for tables using the "file" 
backend.

> 
> On a side note, I had this discussion with someone a few days ago but can't 
> remember
> who, so if it was you and you already know, disregard:
>
> I have a plan for the next two releases to switch the implementation of 
> tables to an
> API similar to that of filters, so we can have tables become scripts that 
> read lines
> from stdin, write answers to stdout, be written in any language, etc..
> 

Not me but sounds interesting.
 
> Not discouraging you from writing something using the current API, it is not 
> so much
> work anyways, but just letting you know that in a relatively short term your 
> code is
> going to need a rewrite.

I was using table-passwd as a bit of a go by. Armed with this new knowledge. I 
see that 
table_passwd_update is called from main.  I think that is what I need to do.

Thanks,

Edgar



table api question

2019-08-23 Thread Edgar Pettijohn
I am writing a table-lua, however the table_lua_update function doesn't appear 
to be called.
Here are relevant pieces of the code.

The lookup function works. However, it would be more ideal to have the update() 
called early
to fill in the tables for the other functions. As is the lookup() has to do the 
work of both.

Any help is appreciated.

Thanks,

Edgar

table_lua.c

static int
table_lua_update(void)
{
	int ret;

	lua_getglobal(L, "update");

	lua_pushnil(L);
	if (lua_pcall(L, 1, 1, 0)) {
		log_warnx("warn: update: %s", lua_tostring(L, -1));
		return -1;
	}

	ret = lua_toboolean(L, -1);

	log_warnx("\t\tlua-update: %d\n", ret);
	return ret;
}

int
main(int argc, char **argv)
{
	int ch;
	char *path;

	log_init(1);

	while ((ch = getopt(argc, argv, "")) != -1) {
		switch (ch) {
		default:
			fatalx("bad option");
			/* NOTREACHED */
		}
	}
	argc -= optind;
	argv += optind;

	if (argc == 0)
		fatalx("missing path");
	path = argv[0];

	L = luaL_newstate();

	make_global_table(L, "service", services);
	make_global_table(L, "Lookup", NULL);
	make_global_table(L, "Fetch", NULL);
	make_global_table(L, "Check", NULL);
	make_global_table(L, "Update", NULL);

	luaL_openlibs(L);
	if (luaL_loadfile(L, path) || lua_pcall(L, 0, 0, 0))
		fatalx("%s", lua_tostring(L, -1));

	log_debug("debug: starting...");

	table_api_on_update(table_lua_update);
	table_api_on_check(table_lua_check);
	table_api_on_lookup(table_lua_lookup);
	table_api_on_fetch(table_lua_fetch);

	table_api_dispatch();

	log_debug("debug: exiting");

	lua_close(L);

	return 1;
}

table.lua

function update ()
	io.stderr:write("\n\t\ttable-lua is updating\n")

	return true
end




Re: filter assistance requested

2019-08-20 Thread Edgar Pettijohn

On Aug 20, 2019 4:29 AM, Gilles Chehade  wrote:
>
> On Mon, Aug 19, 2019 at 01:48:05PM -0500, Edgar Pettijohn wrote:
> > Nothing urgent here. Probably can wait for filter documentation. However, 
> > I've been
> > playing with filters off and on with limited success. It seems like 
> > data-line will 
> > be the most useful to filter on so thats been my focus lately. I have the 
> > following
> > script:
> > 
> > #!/usr/bin/perl
> > 
> > use strict;
> > use warnings;
> > use diagnostics;
> > 
> > open(my $fh, '>', '/tmp/log.txt') or die $!;
> > 
> > # remove line buffering
> > select(STDOUT);
> > $|++;
> > select($fh);
> > $|++;
> > 
> > print STDOUT "register|filter|smtp-in|data-line\n";
> > print STDOUT "register|ready\n";
> > 
> > while ( <> ) {
> > chomp; # get rid of newline
> > 
> > my @report = split /\|/;
> > 
> > next if $report[0] eq 'config';
> > 
> > foreach (@report) {
> > print $fh "$_\|"; # just to see whats there
> > }
> >  print $fh "\n";
> > 
> > my $inbody = 0;
> > my ($sid, $token, $line);
> > $sid = $report[5];
> > $token = $report[6];
> > $line = $report[$#report];
> > if ($report[0] eq 'filter' and $report[3] eq 'smtp-in' and 
> >$report[4] eq 'data-line') {
> > die "invalid filter command" if (scalar @report < 7);
> > if ($line eq '') { print $fh "end of headers\n"; $inbody++; 
> >}
> > if ($line eq '.') { print $fh "end of message\n"; 
> >$inbody--; }
> > print $fh "filter-dataline|$token|$sid|$line\n";
> > print STDOUT "filter-dataline|$token|$sid|$line\n";
> > }
> > }
> > 
> > close $fh;
> > 
> > 0;
> > 
> > It prints the following in /tmp/log.txt after a 
> > $ echo "HI" | mail edgar
> > 
> > filter|0|1566239933.835511|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|Received:
> >  from localhost (deathstar.my.domain [local])|
> > filter-dataline|ef8747a12860387a|c0002b41f6bd164d|Received: from localhost 
> > (deathstar.my.domain [local])
> > filter|0|1566239933.835523|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|
> >  by deathstar.my.domain (OpenSMTPD) with ESMTPA id 7052ea5a|
> > filter-dataline|ef8747a12860387a|c0002b41f6bd164d|  by 
> > deathstar.my.domain (OpenSMTPD) with ESMTPA id 7052ea5a
> > filter|0|1566239933.835529|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|
> >  for ;|
> > filter-dataline|ef8747a12860387a|c0002b41f6bd164d|  for 
> > ;
> > filter|0|1566239933.835533|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|
> >  Mon, 19 Aug 2019 13:38:53 -0500 (CDT)|
> > filter-dataline|ef8747a12860387a|c0002b41f6bd164d|  Mon, 19 Aug 2019 
> > 13:38:53 -0500 (CDT)
> > filter|0|1566239933.836673|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|From:
> >  Edgar Pettijohn |
> > filter-dataline|ef8747a12860387a|c0002b41f6bd164d|From: Edgar Pettijohn 
> > 
> > filter|0|1566239933.836681|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|Date:
> >  Mon, 19 Aug 2019 13:38:53 -0500 (CDT)|
> > filter-dataline|ef8747a12860387a|c0002b41f6bd164d|Date: Mon, 19 Aug 2019 
> > 13:38:53 -0500 (CDT)
> > filter|0|1566239933.836685|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|To:
> >  edgar|
> > filter-dataline|ef8747a12860387a|c0002b41f6bd164d|To: edgar
> > filter|0|1566239933.836688|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|
> > filter-dataline|ef8747a12860387a|c0002b41f6bd164d|ef8747a12860387a
> > filter|0|1566239933.836692|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|HI|
> > filter-dataline|ef8747a12860387a|c0002b41f6bd164d|HI
> > filter|0|1566239933.836695|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|.|
> > end of message
> > filter-dataline|ef8747a12860387a|c0002b41f6bd164d|.
> > 
> > I get the following response:
> > deathstar$ sendmail: command failed: 550 5.7.1 Delivery not authorized, 
> > message refused: Message is not RFC 2822 compliant
> > 
> > I see the same from a telnet session as well.
> > 
> > So there are 2 problems. First my script doesn't appear to accurately 
> > determine that the headers a

filter assistance requested

2019-08-19 Thread Edgar Pettijohn
Nothing urgent here. Probably can wait for filter documentation. However, I've 
been
playing with filters off and on with limited success. It seems like data-line 
will 
be the most useful to filter on so that's been my focus lately. I have the 
following
script:

#!/usr/bin/perl

use strict;
use warnings;
use diagnostics;

open(my $fh, '>', '/tmp/log.txt') or die $!;

# remove line buffering
select(STDOUT);
$|++;
select($fh);
$|++;

print STDOUT "register|filter|smtp-in|data-line\n";
print STDOUT "register|ready\n";

while ( <> ) {
    chomp; # get rid of newline

    my @report = split /\|/;

    next if $report[0] eq 'config';

    foreach (@report) {
        print $fh "$_\|"; # just to see whats there
    }
    print $fh "\n";

    my $inbody = 0;
    my ($sid, $token, $line);
    $sid = $report[5];
    $token = $report[6];
    $line = $report[$#report];
    if ($report[0] eq 'filter' and $report[3] eq 'smtp-in' and $report[4] eq 'data-line') {
        die "invalid filter command" if (scalar @report < 7);
        if ($line eq '') { print $fh "end of headers\n"; $inbody++; }
        if ($line eq '.') { print $fh "end of message\n"; $inbody--; }
        print $fh "filter-dataline|$token|$sid|$line\n";
        print STDOUT "filter-dataline|$token|$sid|$line\n";
    }
}

close $fh;

0;

It prints the following in /tmp/log.txt after a 
$ echo "HI" | mail edgar

filter|0|1566239933.835511|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|Received:
 from localhost (deathstar.my.domain [local])|
filter-dataline|ef8747a12860387a|c0002b41f6bd164d|Received: from localhost 
(deathstar.my.domain [local])
filter|0|1566239933.835523|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a| 
by deathstar.my.domain (OpenSMTPD) with ESMTPA id 7052ea5a|
filter-dataline|ef8747a12860387a|c0002b41f6bd164d|  by deathstar.my.domain 
(OpenSMTPD) with ESMTPA id 7052ea5a
filter|0|1566239933.835529|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a| 
for ;|
filter-dataline|ef8747a12860387a|c0002b41f6bd164d|  for 
;
filter|0|1566239933.835533|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a| 
Mon, 19 Aug 2019 13:38:53 -0500 (CDT)|
filter-dataline|ef8747a12860387a|c0002b41f6bd164d|  Mon, 19 Aug 2019 
13:38:53 -0500 (CDT)
filter|0|1566239933.836673|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|From:
 Edgar Pettijohn |
filter-dataline|ef8747a12860387a|c0002b41f6bd164d|From: Edgar Pettijohn 

filter|0|1566239933.836681|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|Date:
 Mon, 19 Aug 2019 13:38:53 -0500 (CDT)|
filter-dataline|ef8747a12860387a|c0002b41f6bd164d|Date: Mon, 19 Aug 2019 
13:38:53 -0500 (CDT)
filter|0|1566239933.836685|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|To:
 edgar|
filter-dataline|ef8747a12860387a|c0002b41f6bd164d|To: edgar
filter|0|1566239933.836688|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|
filter-dataline|ef8747a12860387a|c0002b41f6bd164d|ef8747a12860387a
filter|0|1566239933.836692|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|HI|
filter-dataline|ef8747a12860387a|c0002b41f6bd164d|HI
filter|0|1566239933.836695|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|.|
end of message
filter-dataline|ef8747a12860387a|c0002b41f6bd164d|.

I get the following response:
deathstar$ sendmail: command failed: 550 5.7.1 Delivery not authorized, message 
refused: Message is not RFC 2822 compliant

I see the same from a telnet session as well.

So there are 2 problems. First my script doesn't appear to accurately determine 
that the headers are finished. Second mail
doesn't go through. Any suggestions are appreciated.

Thanks,

Edgar
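
In the log above, the empty data line comes back out with the token as its payload: split without a LIMIT drops the trailing empty field, so `$report[$#report]` is the seventh field. The sketch below, an added example that is not part of the original post, compares that parse with a split limited to eight fields and keeps header/body state per session. The function names and the `a|b` sample line are constructed, and the response field order follows the post.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed input, shaped like the lines in the post's log: a header line,
# the empty header/body separator, two body lines (one containing '|'), and
# the terminating '.'.
my $prefix = 'filter|0|1566239933.836685|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|';
my @input  = map($prefix . $_, 'To: edgar', '', 'HI', 'a|b', '.');

# The post's approach: split on every '|' and take the last element.
# With no LIMIT, split drops trailing empty fields, so for the empty line
# the last element is the 7th field rather than an empty payload.
sub parse_naive {
    my ($raw) = @_;
    my @f = split /\|/, $raw;
    return ($f[5], $f[6], $f[$#f]);
}

# Limit the split to 8 fields: seven fixed ones plus the payload. A positive
# LIMIT keeps a trailing empty field and leaves any '|' in the payload alone.
sub parse_limited {
    my ($raw) = @_;
    my @f = split /\|/, $raw, 8;
    return unless @f == 8 && $f[0] eq 'filter' && $f[4] eq 'data-line';
    return ($f[5], $f[6], $f[7]);
}

# Header/body state is kept per session and lives outside the read loop,
# so it survives from one data line to the next.
my %in_body;

sub track {
    my ($sid, $line) = @_;
    if ($line eq '.') {
        delete $in_body{$sid};
        return 'end of message';
    }
    if ($line eq '' && !$in_body{$sid}) {
        $in_body{$sid} = 1;
        return 'end of headers';
    }
    return $in_body{$sid} ? 'body' : 'header';
}

for my $raw (@input) {
    my ($nsid, $ntoken, $nline) = parse_naive($raw);
    my ($sid, $token, $line) = parse_limited($raw) or next;
    printf "%-15s naive:   filter-dataline|%s|%s|%s\n",
        track($sid, $line), $ntoken, $nsid, $nline;
    printf "%-15s limited: filter-dataline|%s|%s|%s\n",
        '', $token, $sid, $line;
}
```

For the empty line the naive parse reproduces the response seen in the post's log, while the limited parse returns an empty payload and the tracker reports the end of headers.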



Re: AUTH failures requires restarting smtpd

2019-08-10 Thread Edgar Pettijohn

On Aug 10, 2019 1:05 PM, Gilles Chehade  wrote:
>
> On Mon, Jul 22, 2019 at 11:52:45AM -0500, Edgar Pettijohn wrote:
> > 
> > On Jul 22, 2019 8:17 AM, Andreas Karlsson  wrote:
> > >
> > > On 2019-07-21 18:25, Edgar Pettijohn wrote:
> > > > Not sure exactly when this started, but I get authentication errors 
> > > > that require smtpd to be restarted. Here are some logs and other 
> > > > pertinent data.
> > > > 
> > > > Thanks,
> > > > 
> > > > Edgar
> > > > 
> > > Hi,
> > > Can you check if there are any issues with the connection to the MySQL 
> > > database during the time of the credentials lookup fails?
> > >
> > > I've had similar issues with Postgresql databases in the past (many 
> > > OpenSMTPD versions ago) where the psql tcp connection was disconnected 
> > > due to restarting the psql database. This was not handled well by 
> > > OpenSMTPD.
> > >
> > > br,
> > >
> > > -- 
> > > You received this mail because you are subscribed to misc@opensmtpd.org
> > > To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
> > >
> > 
> > Maybe something similar. Mysqld is running and double checking the SQL from 
> > the command line works. Plus dovecot is using the same without error.
> > 
> > Thanks,
> > 
>
> Once I tag OpenSMTPD 6.6.0 in August, I'll have a look at extras because
> they've been out of my sight for a while.
>
> -- 
> Gilles Chehade    @poolpOrg
>
> https://www.poolp.org    patreon: https://www.patreon.com/gilles
>


Thanks.  As an update I upgraded to a snapshot last week with no change. Have a 
cron job restarting smtpd every hour as a workaround.

Re: AUTH failures requires restarting smtpd

2019-07-22 Thread Edgar Pettijohn

On Jul 22, 2019 8:17 AM, Andreas Karlsson  wrote:
>
> On 2019-07-21 18:25, Edgar Pettijohn wrote:
> > Not sure exactly when this started, but I get authentication errors that 
> > require smtpd to be restarted. Here are some logs and other pertinent data.
> > 
> > Thanks,
> > 
> > Edgar
> > 
> Hi,
> Can you check if there are any issues with the connection to the MySQL 
> database during the time of the credentials lookup fails?
>
> I've had similar issues with Postgresql databases in the past (many 
> OpenSMTPD versions ago) where the psql tcp connection was disconnected 
> due to restarting the psql database. This was not handled well by OpenSMTPD.
>
> br,
>
>

Maybe something similar. Mysqld is running and double checking the SQL from the 
command line works. Plus dovecot is using the same without error.

Thanks,

Edgar

Re: AUTH failures requires restarting smtpd

2019-07-22 Thread Edgar Pettijohn

On Jul 22, 2019 8:17 AM, Andreas Karlsson  wrote:
>
> On 2019-07-21 18:25, Edgar Pettijohn wrote:
> > Not sure exactly when this started, but I get authentication errors that 
> > require smtpd to be restarted. Here are some logs and other pertinent data.
> > 
> > Thanks,
> > 
> > Edgar
> > 
> Hi,
> Can you check if there are any issues with the connection to the MySQL 
> database during the time of the credentials lookup fails?
>
> I've had similar issues with Postgresql databases in the past (many 
> OpenSMTPD versions ago) where the psql tcp connection was disconnected 
> due to restarting the psql database. This was not handled well by OpenSMTPD.
>
> br,
>
>

I think it's good. Dovecot still works and I checked from the terminal and it 
worked. 

Thanks,

Edgar

AUTH failures requires restarting smtpd

2019-07-21 Thread Edgar Pettijohn
Not sure exactly when this started, but I get authentication errors that 
require smtpd to be restarted. Here are some logs and other pertinent data.

Thanks,

Edgar
#   $OpenBSD: smtpd.conf,v 1.9 2016/05/03 18:43:45 jung Exp $

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

pki mail.pettijohn-web.com cert "/etc/ssl/pettijohn-web.com.crt"
pki mail.pettijohn-web.com key "/etc/ssl/private/pettijohn-web.com.key"

table domains mysql:/etc/mail/mysql.conf
table virtuals mysql:/etc/mail/mysql.conf
table credentials mysql:/etc/mail/mysql.conf

filter f01 builtin ehlo fcrdns reject "550 go away punk"
filter f02 builtin helo fcrdns reject "550 go away punk"

filter c01 chain { f01, f02 }

listen on lo0
listen on egress port 25 tls pki mail.pettijohn-web.com filter c01
listen on egress port 587 tls pki mail.pettijohn-web.com auth 

action "act01" lmtp "/var/dovecot/lmtp" rcpt-to virtual 
action "act02" relay

match auth from any for any action act02
match auth from any for domain  action act01
match from any for domain  action act01
Jul 20 19:50:19 mail smtpd[83239]: 624740cbf697f7b7 smtp tls 
ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
Jul 20 19:50:20 mail smtpd[83239]: 624740cbf697f7b7 smtp message msgid=c417104e 
size=2221 nrcpt=1 proto=ESMTP
Jul 20 19:50:20 mail smtpd[83239]: 624740cbf697f7b7 smtp envelope 
evpid=c417104e559c49ed from= 
to=
Jul 20 19:50:20 mail dovecot: lmtp(83688): Connect from local
Jul 20 19:50:20 mail dovecot: 
lmtp(ed...@pettijohn-web.com)<83688>: 
msgid=<20190721002023.ga85...@deathstar.my.domain>: saved mail to INBOX
Jul 20 19:50:20 mail dovecot: lmtp(83688): Disconnect from local: Client has 
quit the connection (state=READY)
Jul 20 19:50:20 mail smtpd[83239]: 624740cce7483448 mda delivery 
evpid=c417104e559c49ed from= 
to= rcpt= user=vmail delay=0s 
result=Ok stat=Delivered
Jul 20 19:50:30 mail smtpd[83239]: 624740cbf697f7b7 smtp disconnected 
reason=quit
Jul 20 19:51:59 mail smtpd[83239]: 624740ce5f80c637 smtp connected 
address=185.234.216.144 host=
Jul 20 19:51:59 mail smtpd[83239]: 624740ce5f80c637 smtp failed-command 
command="EHLO User" result="550 go away punk"
Jul 20 19:52:00 mail smtpd[83239]: 624740ce5f80c637 smtp disconnected 
reason=quit
Jul 20 19:56:32 mail smtpd[83239]: 624740cf131a2d57 smtp connected 
address=73.203.197.238 host=c-73-203-197-238.hsd1.tn.comcast.net
Jul 20 19:56:33 mail smtpd[83239]: 624740cf131a2d57 smtp tls 
ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
Jul 20 19:56:33 mail smtpd[83239]: 624740cf131a2d57 smtp authentication 
user=ed...@pettijohn-web.com result=ok
Jul 20 19:56:33 mail smtpd[83239]: 624740cf131a2d57 smtp message msgid=2fd09838 
size=633 nrcpt=1 proto=ESMTP
Jul 20 19:56:33 mail smtpd[83239]: 624740cf131a2d57 smtp envelope 
evpid=2fd09838a28ee47a from= 
to=
Jul 20 19:56:33 mail smtpd[83239]: 624740d2ef323b04 mta connecting 
address=smtp://104.47.44.33:25 host=104.47.44.33
Jul 20 19:56:33 mail smtpd[83239]: 624740d2ef323b04 mta connected
Jul 20 19:56:33 mail smtpd[83239]: 624740d2ef323b04 mta tls 
ciphers=TLSv1.2:ECDHE-RSA-AES256-SHA384:256
Jul 20 19:56:33 mail smtpd[83239]: smtp-out: Server certificate verification 
succeeded on session 624740d2ef323b04
Jul 20 19:56:34 mail smtpd[83239]: 624740d2ef323b04 mta delivery 
evpid=2fd09838a28ee47a from= 
to= rcpt=<-> source="108.61.222.55" relay="104.47.44.33 
(104.47.44.33)" delay=1s result="Ok" stat="250 2.6.0 
 [InternalId=51861730154703, 
Hostname=SN1NAM04HT127.eop-NAM04.prod.protection.outlook.com] 7045 bytes in 
0.126, 54.586 KB/sec Queued mail for delivery -> 250 2.1.5"
Jul 20 19:56:43 mail smtpd[83239]: 624740cf131a2d57 smtp disconnected 
reason=quit
Jul 20 19:56:44 mail smtpd[83239]: 624740d2ef323b04 mta disconnected 
reason=quit messages=1
Jul 20 19:57:36 mail smtpd[83239]: 624740d3d9418c2d smtp connected 
address=73.203.197.238 host=c-73-203-197-238.hsd1.tn.comcast.net
Jul 20 19:57:36 mail smtpd[83239]: 624740d3d9418c2d smtp tls 
ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
Jul 20 19:57:37 mail smtpd[83239]: 624740d3d9418c2d smtp authentication 
user=ed...@pettijohn-web.com result=ok
Jul 20 19:57:37 mail smtpd[83239]: 624740d3d9418c2d smtp message msgid=ae4c49da 
size=633 nrcpt=1 proto=ESMTP
Jul 20 19:57:37 mail smtpd[83239]: 624740d3d9418c2d smtp envelope 
evpid=ae4c49da106f2b18 from= 
to=
Jul 20 19:57:37 mail smtpd[83239]: 624740d639a1318b mta connecting 
address=smtp://104.47.2.33:25 host=104.47.2.33
Jul 20 19:57:37 mail smtpd[83239]: 624740d639a1318b mta connected
Jul 20 19:57:38 mail smtpd[83239]: 624740d639a1318b mta tls 
ciphers=TLSv1.2:ECDHE-RSA-AES256-SHA384:256
Jul 20 19:57:38 mail smtpd[83239]: smtp-out: Server certificate verification 
succeeded on session 624740d639a1318b
Jul 20 19:57:39 mail smtpd[83239]: 624740d639a1318b mta delivery 
evpid=ae4c49da106f2b18 from= 
to= rcpt=<-> source="108.61.222.55" relay="104.47.2.33 
(104.47.2.33)" delay=2s result="Ok" stat="250 2.6.0 
 [InternalId=52871047466147, 
Hostn

Re: filter feedback/help request

2019-07-05 Thread Edgar Pettijohn
Turned out to be a line buffering issue. The following works.

#!/usr/bin/perl

open(my $fh, '>', '/tmp/test.txt');

select(STDOUT);
$|++;
select($fh);
$|++;

print STDOUT "register|report|smtp-in|*\n";
print STDOUT "register|ready\n";

while ( my $line = <> ) {
    print $fh "$line";
}

close $fh;

0;




Re: what's your LMTP use-case

2019-07-05 Thread Edgar Pettijohn

On Jul 5, 2019 9:57 AM, Gilles Chehade  wrote:
>
> helo,
>
> this is just a question out of curiosity
>
> I know plenty of people use the lmtp action to deliver mail through LMTP
> and I'm genuinely curious: what is your use-case ?
>
> Why do you deliver to LMTP ?
>
> -- 
> Gilles Chehade    @poolpOrg
>
> https://www.poolp.org    patreon: https://www.patreon.com/gilles
>
>


I'm using dovecot for imap so might as well let it handle the delivery also. 
Not much of a reason but it's 
it.

filter feedback/help request

2019-07-04 Thread Edgar Pettijohn
I've been playing around with filters for a few hours, but I can't seem to get 
perl or lua scripts to work.

Here is a basic shell script that works.

#!/bin/sh

echo "register|report|smtp-in|*" 
echo "register|ready"

while read -r line;
do
    echo "$line" >> /tmp/test.txt
done

However, the perl and lua equivalents do nothing. I don't see anything in the 
logs, but not sure if any filtering causes log entries to begin with. I suppose 
I could just use perl in my shell script, but overall it would be better for 
the perl to just work. I don't have much experience with lua, just wanted to 
test something else when I couldn't get perl working. I also tested the 
filter-eventlog and the filters Joerg posted. All of which worked in my very 
basic testing/experimenting. Thanks in advance for any help.

Edgar

#!/usr/bin/perl

open (my $fh, '>', '/tmp/test.txt') or die $!;

print "register|report|smtp-in|*\n";
print "register|ready\n";

while ( <> ) {
    print $fh;
}

0;

#!/usr/local/bin/lua53

io.write("register|report|smtp-in|*\n")
io.write("register|ready\n")

out = io.open("/tmp/test.txt", "w")
io.output(out)

while true do
    local line = io.read("*line")
    if line == nil then break end
    io.write(line)
end




Re: LMTP delivery broken in 6.5?

2019-05-23 Thread Edgar Pettijohn

On May 23, 2019 1:38 AM, mabi  wrote:
>
> Hello,
>
> I upgraded my OpenBSD 6.4 MX server running OpenSMTPD 6.4 to OpenBSD 6.5 
> running OpenSMTPD 6.5 but unfortunately had to revert back to 6.4 because 
> mail delivery to Dovecot using LMTP did not work anymore. Is it possible that 
> LMTP mail delivery is broken in OpenSMTPD 6.5?
>
> In my smtpd.conf file I use:
>
> action "lmtp_dovecot" lmtp "/var/dovecot/lmtp" rcpt-to virtual 
>

Make sure dovecot is running and listening at that path. Netcat should help.

> The relevant error log entry of OpenSMTPD is:
>
> May 22 21:49:08 mx1 smtpd[45250]: dfc2d91c04922d88 mda delivery 
> evpid=7f51132de0fd58db from= to= 
> rcpt= user=vmail delay=1s result=PermFail stat=Error 
> ("mail.lmtp: LMTP server error: 451 4.4.0 Remote server not answering 
> (connect)")
>
> In the log file of Dovecot I don't see anything particular but just some 
> information about the connection:
>
> May 22 21:49:07 mx1 dovecot: lmtp(61415): Connect from local
> May 22 21:49:08 mx1 dovecot: lmtp(61415): Disconnect from local: Remote 
> closed connection (state=READY)
>
> I ran a tcpdump on port 24 (Dovecot LMTP port) and could see that the mail 
> delivery never goes past these two first commands:
>

You are delivering to a Unix socket not tcp.

> LHLO mx1.mydomain.tld
> XCLIENT HELO=localhost TTL=5
>
> In fact it seems to be trying in a loop to connect and always run LHLO and 
> XCLIENT but never goes further to actually issuing the mail.
>
> Running "ps auxwww | grep lmtp" shows me that mail.lmtp is running but never 
> manages to deliver the mail successfully:
>
> vmail    19798  0.0  0.1   248  1172 ??  I 10:03PM    0:00.00 
> /usr/libexec/mail.lmtp -f some...@domain.tld -d /var/dovecot/lmtp 
> m...@mydomain.tld
>
> Any ideas what could be going wrong here? or is it possibly a bug in 6.5?
>
> Best regards,
> Mabi
>
>
>

I haven't gotten around to upgrading yet, so I can't confirm if it's broken. 
However, I doubt it since there haven't been any other reports I've seen.

Edgar
>
>
>
>
>
