Re: list server maintenance
PONG !

On Fri, Apr 12, 2024 at 5:14 PM wrote:
> April 12, 2024 4:38 PM, gil...@poolp.org wrote:
>
> > Helo,
> >
> > The list server will be upgraded to OpenBSD 7.5 shortly,
> > there may be minor disruptions and I'll send a mail when it's back to
> > verify it is dispatched.
> >
> > Sorry for the noise.
>
> PING ?
>
Re: Wrote a blogpost on OpenSMTPD mailrelay - feedback appreciated
Since people are sharing posts / articles, if others have written such articles feel free to share in this thread, I’m curious :-)

> On 8 Mar 2024, at 22:53, Peter Thurner | Blunix GmbH wrote:
>
> Hello misc@opensmtpd.org,
>
> I just wrote a blogpost that explains how to configure OpenSMTPD as a
> mailrelay for (Debian based) servers.
>
> I wanted to link it here in the hopes that somebody could find any mistakes I
> might have possibly made. Any feedback would be highly appreciated :)
>
> Here is the link:
> https://www.blunix.com/blog/secure-smtp-email-relay-on-debian-and-ubuntu-with-opensmtpd-instead-of-postfix.html
>
>
> with kind regards,
>
> Peter Thurner
>
> CEO Blunix GmbH
>
> --
>
> Blunix GmbH
> Glogauer Straße 21
> 10999 Berlin
> Germany
>
> Web: https://www.blunix.com
>
Re: Introductions
On Wed, Feb 14, 2024 at 08:08:12AM -0600, Robert B. Carleton wrote:
> A brief introduction as suggested by the mailing lists page. I've been
> running OpenBSD on and off for about 10 years, but much more seriously
> the last four. I operate email for myself, and a couple of web forums
> that I run supporting around 290 users.
>
> I've managed to use OpenSMTPD well enough to support these things so
> far. Previously I had mostly used sendmail, with occasional forays into
> Exim and Postfix. I'm currently using spamd, dkimsign, and the
> associated DNS records to keep things working. My setup isn't
> particularly complicated compared to enterprise environments, but I've
> had to go beyond the examples in the man pages to get things working.
>
> Anyway, I figured I'd join the mailing list, to both learn, and share
> where I can.
>
> Cheers,
>

Welcome !

--
Gilles Chehade
Re: Senderscore Filter Version Bump on OpenBSD
I’ll send a diff to update ports tonight or tomorrow

Cheers,

> On 6 Feb 2024, at 18:02, Otto Retter wrote:
>
> Hi Folks,
>
> I'm running OpenSMTPD 7.4.0 on OpenBSD 7.4. I tried using the senderscore
> filter option "-allowlist", but it is not available in the filter version
> installed from pkg_add.
>
> $ pkg_info opensmtpd-filter-senderscore
> Information for inst:opensmtpd-filter-senderscore-0.1.1p0
> ...
> smtpd[87549]: info: OpenSMTPD 7.4.0 starting
> smtpd[47081]: senderscore: flag provided but not defined: -allowlist
> ...
> smtpd[21822]: warn: lost processor: senderscore exited abnormally
>
> As a workaround, I built the filter from source and now have a happily
> working allowlist. I noticed in the OpenBSD ports Makefile the filter version
> is 0.1.1, but the latest source version is 0.1.2.
>
> Is this the right place to ask for a version bump on the port? Thanks to all
> for the hard work on this amazing project :-).
>
> - Otto
>
Re: Authentication problem
> On 14 Jun 2021, at 19:20, François RONVAUX wrote:
>
> Thanks for the reply.
> I will have a look at smtpctl encrypt...
>
>
> According to this resource (section "Credentials tables"):
> https://man.openbsd.org/OpenBSD-6.9/table.5
> --
> In a relay context, the credentials are a mapping of labels and
> username:password pairs:
>
> label1 user:password
>
> The label must be unique and is used as a selector for the proper credentials
> when multiple credentials are valid for a single destination.
> The password is not encrypted as it must be provided to the remote host.
> --
>
> It clearly states that the password must be not encrypted.
> Maybe this man page is not up to date ?

For mta authentication, when your server authenticates elsewhere, the password is not encrypted because it can’t, it must be supplied to the remote server.

For listener authentication, when a client authenticates to your machine, the password is encrypted because we use crypt(3) to validate.

In your mail, you showed the listen configuration:

listen on egress inet4 \
    tls-require \
    auth

So I assumed you were talking about incoming authentication.

> And I run an old OpenSMTPD v6.4.0 with relaying e-mails to a gmail account
> and it does work with not-encrypted password in the secret file.
> When did this requirement of encrypted password change ?
>
> Regards.
>
>
>
>
>
>
>
>
> On Mon, 14 Jun 2021 at 14:08, wrote:
> June 14, 2021 9:19 AM, "François RONVAUX" wrote:
>
>> Hello,
>>
>> I have a mail server "mx1" with this listening section :
>> ---
>> listen on egress inet4 \
>>     tls-require \
>>     auth
>> ---
>>
>> I have also a server "test" and I would want to authenticate the user when
>> sending an e-mail to the
>> server "mx1" but I get an error :
>> ---
>> test smtpd[9309]: f3880cf18b73253d mta error reason=AUTH rejected: 535
>> Authentication failed
>> ---
>>
>> "test" seems to connect properly on "mx1" but the error does occur on the
>> user authentication.
>>
>> Because I can perfectly connect to "mx1" with a MUA like Thunderbird, it
>> makes me think the error
>> should be located on the opensmtpd "test" secrets file :
>> ---
>> foo f...@mx1.example.org:password
>> ---
>>
>> The password is 40 digits long and looks like this :
>> C>(3")GID~7B7%{~LIq_G*JdP6fTW*"[`G)>
>> Can a special character be a problem in the password field ?
>> If yes, how to deal with it ?
>>
>> Thanks for your suggestions.
>
> The problem is not that there's a special character but that the password
> should be crypt(3)-ed,
> look at smtpctl encrypt
Re: Unable to remove mail from queue
this is due to a short-coming with how inflight envelopes are handled:

when a mail is passed from scheduler to mta, it is marked as "inflight" and can't be removed until it comes back to scheduler. this is usually not a big deal because an envelope is marked inflight only a few seconds usually...

... except that eric@ and I came with an optimization to avoid envelopes going back and forth into the scheduler when they have multiple routes or when there's a chance a route gets enabled soon, they are kept in the MTA for a bit longer, but this means that they can't be removed either.

we had discussed a quick fix for this but since the MTA layer is supposedly going to be simplified a lot, it was not worth the effort.

I don't know where eric@ stands wrt this as of today

On Sun, May 31, 2020 at 8:00 PM Chris Bennett wrote:
> On Sun, May 31, 2020 at 05:24:18PM +0200, Mischa Peters wrote:
> > Hi All,
> >
> > I just noticed something strange on one of my mailservers running
> > OpenSMTPd 6.7.0p1 (OpenBSD 6.7).
> > The mailserver was trying to deliver a spam mailbounce to fedex, it kept
> > failing so I removed it from the queue.
> > The logs kept showing it was being delivered, even though nothing was
> > showing in the queue.
> > After a restart of smtpd the message did show up in the queue again.
> >
> > root@smtp1:~ # smtpctl show queue
> > cd9b0933db878954|local|mta|auth|@|prvs=1417a4ec2a=bou...@nds.fedex.com|prvs=1417a4ec2a=bou...@nds.fedex.com|1590676002|1590676002|1590937323|0|inflight|99|
> >
> > root@smtp1:/var/spool/smtpd/queue/cd/cd9b0933 # smtpctl remove cd9b0933db878954
> > 1 envelope removed
> > root@smtp1:/var/spool/smtpd/queue/cd/cd9b0933 # smtpctl remove cd9b0933db878954
> > 0 envelope removed
> > root@smtp1:/var/spool/smtpd/queue/cd/cd9b0933 # ls -la
> > total 52
> > drwx------  2 _smtpq  wheel    512 May 28 16:26 .
> > drwx------  3 _smtpq  wheel    512 May 30 20:49 ..
> > -rw-------  1 _smtpq  wheel    316 May 28 16:26 cd9b0933db878954
> > -rw-------  1 _smtpq  wheel  19296 May 28 16:26 message
> > root@smtp1:/var/spool/smtpd/queue/cd/cd9b0933 # smtpctl show queue
> > root@smtp1:/var/spool/smtpd/queue/cd/cd9b0933 # rcctl restart smtpd
> > smtpd(ok)
> > smtpd(ok)
> > root@smtp1:/var/spool/smtpd/queue/cd/cd9b0933 # smtpctl show queue
> > cd9b0933db878954|local|mta|auth|@|prvs=1417a4ec2a=bou...@nds.fedex.com|prvs=1417a4ec2a=bou...@nds.fedex.com|1590676002|1590676002|1590937456|0|inflight|1|
> > root@smtp1:/var/spool/smtpd/queue/cd/cd9b0933 # ls -la
> > total 52
> > drwx------  2 _smtpq  wheel    512 May 28 16:26 .
> > drwx------  3 _smtpq  wheel    512 May 30 20:49 ..
> > -rw-------  1 _smtpq  wheel    316 May 28 16:26 cd9b0933db878954
> > -rw-------  1 _smtpq  wheel  19296 May 28 16:26 message
> >
> > I assume this is not the expected result. :)
> > What else can I collect to pinpoint what is going on, before I rm the
> > files?
> >
> > Mischa
> >
> >
>
> I also had this same problem. I rm'd the files.
> However, what is the right solution?
> (I was in a big rush and had to quickly solve the problem.)
>
> Chris Bennett
>
>
>
Re: 553 ORCPT address syntax errors on OpenBSD-6.6-current
On Mon, Feb 03, 2020 at 06:37:38AM -0800, Scott Vanderbilt wrote:
> I'm starting to get several log entries for several errors of type:
>
> 553 ORCPT address syntax error
>
> The error is intermittent since the server is able to process other incoming
> mails without error. For instance, I just sent myself an email from GMail,
> and it came through successfully.
>
> Typical log entry will look like:
>
> Feb  3 06:02:26 callistus smtpd[21460]: cb9690ea8af2a8ec smtp connected
> address=198.2.185.67 host=mail67.suw111.mcdlv.net
> Feb  3 06:02:26 callistus smtpd[21460]: cb9690ea8af2a8ec smtp tls
> ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
> Feb  3 06:02:27 callistus smtpd[21460]: cb9690ea8af2a8ec smtp
> failed-command command="RCPT TO:
> ORCPT=rfc822;li...@datagenic.com" result="553 ORCPT address syntax error"
> Feb  3 06:02:27 callistus smtpd[21460]: cb9690ea8af2a8ec smtp disconnected
> reason=quit
>
> Mail logs prior to latest update to 6.6-current are free of these errors, so
> presumably the regression has been introduced in the latest snapshot
> (OpenBSD 6.6-current (GENERIC.MP) #628: Sat Feb  1 23:32:22 MST 2020). In
> fact, it looks as though it is related to this recent commit:
> https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/smtp_session.c.diff?r1=1.422&r2=1.423
>
> In which case, it may be suggested that the change is being perhaps a little
> too strict.
>

indeed addresses in ORCPT are prefixed with a character that's not allowed in the mailaddr character set.

the fix has been committed, thanks
Re: fix build on netbsd
On Wed, Dec 04, 2019 at 07:27:07PM -0600, Edgar Pettijohn wrote:
> diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
> index 6c73e5b5..c7af0135 100644
> --- a/openbsd-compat/openbsd-compat.h
> +++ b/openbsd-compat/openbsd-compat.h
> @@ -122,7 +122,7 @@ int getpeereid(int , uid_t *, gid_t *);
> ??unsigned int arc4random(void);
> ??#endif
>
> -#if defined(HAVE_ARC4RANDOM_STIR)
> +#if !defined(HAVE_ARC4RANDOM_STIR)
> ??void arc4random_stir(void);
> ??#elif defined(HAVE_ARC4RANDOM) || defined(LIBRESSL_VERSION_NUMBER)
> ??/* Recent system/libressl implementation; no need for explicit stir */
>

with this, your build is fixed ?

I've been fixing the .c part of openbsd-compat but haven't worked on the .h part yet, will have a look at it

--
Gilles Chehade @poolpOrg
https://www.poolp.org
patreon: https://www.patreon.com/gilles
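Review bot: flipping the guard to `#if !defined(HAVE_ARC4RANDOM_STIR)` is the right direction, since the compat prototype `void arc4random_stir(void);` should only be visible when the system has no arc4random_stir(), but it needs the definition side to agree: if the openbsd-compat .c still compiles its own arc4random_stir() under the old `#if defined(HAVE_ARC4RANDOM_STIR)`, NetBSD ends up with a declaration and no definition (link failure) while systems that do have the function get a duplicate one. Suggest landing the .c guard change together with this hunk, which the reply says is still in progress, and adding a one-line comment above the `#if` saying that the compat stir exists only for libcs without one.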
CVE-2019-19521 what about OpenSMTPD ?
Hello,

In case you haven't seen, multiple CVEs were released by Qualys:

https://www.openwall.com/lists/oss-security/2019/12/04/5

CVE-2019-19521 refers to an Authentication bypass allowing remote people to authenticate to an OpenSMTPD without credentials.

A few people were wondering why we didn't publish a patch so here is the explanation to clarify a bit.

TL;DR:

- if you're not on OpenBSD, you can disregard, you're not affected
- if you're on OpenBSD, run `syspatch` and, once done, restart smtpd, it is _normal_ that you don't see an smtpd patch

Details:

The CVE show-cases a vulnerability using smtpd, ldapd, radiusd, sshd and su but the issue is really in a libc API they use: bsd_auth(3).

There is an incorrect code pattern which is coupled with an insufficient check to the username, and this allows the authentication bypass that is shown on multiple consumers.

So should you worry ?

If you're not using OpenBSD you can disregard this advisory, bsd_auth(3) doesn't exist elsewhere.

If you're using OpenBSD, RUN `syspatch` RIGHT AWAY, then restart daemons which perform user authentication. The issue being in the libc, you will not see a patch for smtpd, it is normal, you still have to restart it so it catches up the libc update.

If you're using an OpenBSD that's no longer supported (<=6.4) you're now at risk and need to upgrade or disable network daemons that do auth.

Could your OpenSMTPD be used to send spam ?

If you're not using OpenBSD, nope.

If you're using OpenBSD, it's technically possible but unlikely. You can check by going through your logs and looking for user "-schallenge". The bypass only makes sense for setups that expose auth and provide rules to match auth users.

If you have questions, you can follow up to this mail,

Cheers,

--
Gilles Chehade @poolpOrg
https://www.poolp.org
patreon: https://www.patreon.com/gilles
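The log check suggested above, as an added Go example that is not part of this mail or of the OpenSMTPD project: it parses smtpd(8) authentication lines and reports successful logins under an option-like username such as "-schallenge". The "smtp authentication user=... result=..." line format and the sample log excerpt are assumptions constructed for the example; compare the pattern against your own maillog before relying on it.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// AuthEvent is one authentication result as smtpd(8) logs it.
type AuthEvent struct {
	Session string // 16 hex digit session id
	User    string
	Result  string // "ok", "permfail", ...
}

// authLine matches the "smtp authentication" log line of smtpd(8) 6.x.
// The format is assumed for this example; compare it with your own maillog.
var authLine = regexp.MustCompile(
	`\b([0-9a-f]{16}) smtp authentication user=(\S+) result=(\S+)`)

// Constructed sample log excerpt. The third line is the trace a successful
// CVE-2019-19521 bypass would leave: the "-schallenge" user named in the
// mail above, authenticated with result=ok.
const sampleMaillog = `Dec  4 22:10:01 mx smtpd[1234]: 8f3a1c2e5b7d9a40 smtp authentication user=alice result=ok
Dec  4 22:11:17 mx smtpd[1234]: 8f3a1c2e5b7d9a41 smtp authentication user=bob result=permfail
Dec  4 22:12:43 mx smtpd[1234]: 8f3a1c2e5b7d9a42 smtp authentication user=-schallenge result=ok
Dec  4 22:13:09 mx smtpd[1234]: 8f3a1c2e5b7d9a43 smtp connected address=192.0.2.10 host=client.example
`

// ParseAuthEvents extracts every authentication result from a log excerpt
// and ignores unrelated lines.
func ParseAuthEvents(maillog string) []AuthEvent {
	var events []AuthEvent
	for _, line := range strings.Split(maillog, "\n") {
		m := authLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		events = append(events, AuthEvent{Session: m[1], User: m[2], Result: m[3]})
	}
	return events
}

// BypassIndicators returns the successful logins whose username starts with
// '-'. bsd_auth(3) hands the username to the login script, where a leading
// '-' is parsed as an option; "-schallenge" is the value the mail above says
// to look for, but any option-like username that got result=ok deserves a look.
func BypassIndicators(events []AuthEvent) []AuthEvent {
	var hits []AuthEvent
	for _, e := range events {
		if e.Result == "ok" && strings.HasPrefix(e.User, "-") {
			hits = append(hits, e)
		}
	}
	return hits
}

func main() {
	hits := BypassIndicators(ParseAuthEvents(sampleMaillog))
	if len(hits) == 0 {
		fmt.Println("no bypass indicators found")
		return
	}
	for _, h := range hits {
		fmt.Printf("session %s: successful auth as option-like user %q\n", h.Session, h.User)
	}
}
```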
Re: Exploit CVE-2019-19521?
On Wed, Dec 04, 2019 at 11:08:44PM +0100, Henry Jensen wrote:
> Hi,
>

Hi,

> from https://seclists.org/oss-sec/2019/q4/120
>
> ==
> 1.2. Case study: smtpd
> ==
>
> To demonstrate how smtpd's authentication can be bypassed, we follow the
> instructions from the manual page of smtpd.conf:
>
> [...]
>
> I did verify, that this attack worked on my unpatched OpenBSD 6.6 Box.
> But I didn't get much further. After the authentication succeeded
> I continued with MAIL FROM: and RCPT TO: After the RCPT TO: the
> connection was aborted. After I patched my system I could no longer get
> a 235 2.0.0 Authentication succeeded message
>
> Question is: would it have been possible in the "real world" to exploit
> this to relay arbitrary messages (e.g. spam)?
>

Yes it would have been most definitely possible

now if you have yourself relayed spam, I'll tell you that it's very unlikely this was used.

--
Gilles Chehade @poolpOrg
https://www.poolp.org
patreon: https://www.patreon.com/gilles
Re: opensmtpd setresgid ubuntu crash
On Fri, Nov 15, 2019 at 12:03:01PM +0100, Martijn van Duren wrote:
> That seems to do the trick. Thanks.
> Sorry for the noise.
>

I have traced back the issue to a pasto in configure.ac which caused the setresuid.c file to be included on systems with setresuid() and this has bad side-effects because the openbsd-compat setresuid() function will do some funny things.

The portable branch should work again for all.

Writing this from a Debian/arm64 with a working smtpd

--
Gilles Chehade @poolpOrg
https://www.poolp.org
patreon: https://www.patreon.com/gilles
Re: opensmtpd setresgid ubuntu crash
Try using the 6.6.1p1 tag, I'm currently reworking the dev branch to completely revamp compat layer, things will be shaky for the next few days

On Nov 15, 2019 11:22, Martijn van Duren wrote:
EHLO,

I'm currently trying to port filter-dnsbl to ubuntu, but I'm stuck at not being able to startup smtpd. Is there anyone who has seen this before and who has a (possible) solution?

This all is freshly installed.

OS: Ubuntu 18.04.3 LTS
OpenSMTPD: git portable (latest)

Installed packages:
- build-essential
- autoconf
- libtool
- libssl-dev
- libz-dev
- bison
- libasr-dev
- gdb

configure parameters: none

backtrace:
#0  setresgid (rgid=rgid@entry=1001, egid=1001, egid@entry=, sgid=1001, sgid@entry=) at setresgid.c:29
#1  0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#2  0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#3  0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#4  0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#5  0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#6  0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#7  0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#8  0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#9  0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#10 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#11 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#12 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#13 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#14 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#15 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#16 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#17 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#18 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#19 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#20 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#21 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#22 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#23 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#24 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#25 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#26 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#27 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#28 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#29 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#30 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#31 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#32 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#33 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#34 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#35 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29

martijn@
Re: 6.6.1p1 fails to build on Void Linux
On Mon, Nov 11, 2019 at 08:10:50PM -0600, epektasis wrote:
> Thank you for your reply. Libevent-2.1.11_1 is installed. So is
> autoconf-2.69_7, automake-1.16.1_2, bison-3.4.2_1, libtool-2.4.6_4, and
> libasr-1.0.3_1. There are several fatal errors for some missing header
> files; I guess I'll try to track them down and see if I can get this
> going again. I'll let you know.
>

In some distributions, packages are split between two, so you have for example libevent and libevent-dev, the former for runtime dependencies and the second for build time dependencies with headers and such. This may be the case here ?

I'm on my openbsd laptop right now, as soon as I boot on a Linux one I will try to build on void linux and get back to you, cheers.

--
Gilles Chehade @poolpOrg
https://www.poolp.org
patreon: https://www.patreon.com/gilles
Re: 6.6.1p1 fails to build on Void Linux
Very likely libevent is missing...

I fixed a configure bug where missing libevent caused a SSL test to fail and thus led to a confusing error.

> On 12 Nov 2019, at 00:28, epektasis wrote:
>
> I'm trying to build opensmtpd-6.6.1p1 on an updated Void Linux. Already
> overcame a couple of missing development packages by installing them.
> But I can't seem to get by this error, which occurs in the configure
> process just after opensslv.h is found (configure exit status 1):
>
>    configure error: error: *** Can't find recent LibreSSL crypto
>    (see config.log for details)
>
> LibreSSL 3.0.2_1 is installed. So is libcrypto44 and 45 (for the
> latter, both 64 and 32 bit versions). I read the README file and made
> sure the stated dependencies are installed. Nothing in the config.log
> jumps out at me; I'll attach it nevertheless.
>
> --
>
Announce: OpenSMTPD 6.6.0 released
OpenSMTPD 6.6.0 has just been released.

OpenSMTPD is a FREE implementation of the SMTP protocol with some common extensions. It allows ordinary machines to exchange e-mails with systems speaking the SMTP protocol. It implements a fairly large part of RFC5321 and can already cover a large range of use-cases.

It runs on OpenBSD, NetBSD, FreeBSD, DragonFlyBSD and glibc-based Linux.

The archives are now available from the main site at www.OpenSMTPD.org

We would like to thank the OpenSMTPD community for their help in testing the snapshots, reporting bugs, contributing code and packaging for other systems.

This is a major release with multiple bug fixes and new features.

Dependencies note:
==================

This release builds with LibreSSL > 3.0.2 or OpenSSL > 1.1.0.

It's preferable to depend on LibreSSL as OpenSMTPD is written and tested with that dependency. In addition, the features parity is not respected, some features will not be available with OpenSSL, like ECDSA server-side certificates support in this release.

OpenSSL library is considered as a best effort target TLS library and provided as a commodity, LibreSSL has become our target TLS library.

Changes in this release (since 6.4.0):
======================================

- various improvements to documentation and code
- reverse dns session matching criteria added to smtpd.conf(5)
- regex table lookup support added to smtpd.conf(5)
- introduced support for ECDSA certificates with an ECDSA privsep engine
- introduced builtin filters for basic filtering of incoming sessions
- introduced option to deliver junk to a Junk folder in mail.maildir(8)
- fixed the smtp(1) client so it uses correct default port for SMTPS
- fixed an smtpd(8) crash on excessively large input
- ensured mail rejected by an LMTP server stays queued

Experimental features:

- introduced a filters API to allow writing standalone filters for smtpd
- introduced proxy-v2 support allowing smtpd to operate behind a proxy

Checksums:
==========

SHA256 (opensmtpd-6.6.0.tar.gz) = fcf4496493d211c7024798b8107194ff6f2469b143b232f8559d36ce98d5d728
SHA256 (opensmtpd-6.6.0p1.tar.gz) = 75a420941963a672b21fe6c820c51de07f1ac94a0d6d4aa4f7364124d85efce9

Verify:
=======

Starting with version 5.7.1, releases are signed with signify(1). You can obtain the public key from our website, check with our community that it has not been altered on its way to your machine.

$ wget https://www.opensmtpd.org/archives/opensmtpd-20181026.pub

Once you are confident the key is correct, you can verify the release as described below:

1- download both release tarball and matching signature file to same directory:

   for OpenBSD version:
   $ wget https://www.opensmtpd.org/archives/opensmtpd-6.6.0.sum.sig
   $ wget https://www.opensmtpd.org/archives/opensmtpd-6.6.0.tar.gz

   for portable version:
   $ wget https://www.opensmtpd.org/archives/opensmtpd-6.6.0p1.sum.sig
   $ wget https://www.opensmtpd.org/archives/opensmtpd-6.6.0p1.tar.gz

2- use `signify` to verify that signature file is properly signed and that the checksum matches the release tarball you downloaded:

   for OpenBSD version:
   $ signify -C -e -p opensmtpd-20181026.pub -x opensmtpd-6.6.0.sum.sig
   Signature Verified
   opensmtpd-6.6.0.tar.gz: OK

   for portable version:
   $ signify -C -e -p opensmtpd-20181026.pub -x opensmtpd-6.6.0p1.sum.sig
   Signature Verified
   opensmtpd-6.6.0p1.tar.gz: OK

If you don't get an OK message, then something is not right and you should not install without first understanding why it failed.

Support:

You are encouraged to register to our general purpose mailing-list:
http://www.opensmtpd.org/list.html

The "Official" IRC channel for the project is at:
#OpenSMTPD @ irc.freenode.net

Support us:

The project is maintained by volunteers, you can support us by:

- donating time to help test development branch during development cycle
- donating money to either one of the OpenBSD or OpenSMTPD project
- sponsoring developers through direct donations or patreon
- sponsoring developers through contracts to write features

Get in touch with us by e-mail or on IRC for more information.

Reporting Bugs:
===============

Please read http://www.opensmtpd.org/report.html

Security bugs should be reported directly to secur...@opensmtpd.org
Other bugs may be reported to b...@opensmtpd.org

--
Gilles Chehade @poolpOrg
https://www.poolp.org
patreon: https://www.patreon.com/gilles
Re: Portable building issues
Sorry, will expand:

We're in between two LibreSSL releases which is why the LibreSSL you're using is not compatible.

When LibreSSL 3.0.2 is released, it will automagically build with it. LibreSSL 3.0.1 development version is already working.

LibreSSL remains our target for both OpenBSD and portable but we're kind of in a time warp right now in between two versions.

On Tue, Oct 22, 2019, 16:23 Gilles Chehade wrote:
> LibreSSL is supported and recommended, this really needs to be fixed
> before the 6.6.0p1 portable release.
>
> On Tue, Oct 22, 2019, 14:44 John Smith wrote:
>
>> Hello,
>>
>> thanks very much for all your replies. Indeed, I rebuild world replacing
>> openssl with libressl, basically only for opensmtpd. So it is the github
>> issue. I knew smtpd portable supports openssl, but it did not come to my
>> mind, that libressl is not supported at all for the portable version,
>> openssl being just being an extra service, so I thought I'll do it
>> something good.
>>
>> I'll revert to openssl and report back. May take a day or two.
>>
>> Thanks again
>>
>> Ede
>>
>>
>>
Re: Portable building issues
LibreSSL is supported and recommended, this really needs to be fixed before the 6.6.0p1 portable release.

On Tue, Oct 22, 2019, 14:44 John Smith wrote:
> Hello,
>
> thanks very much for all your replies. Indeed, I rebuild world replacing
> openssl with libressl, basically only for opensmtpd. So it is the github
> issue. I knew smtpd portable supports openssl, but it did not come to my
> mind, that libressl is not supported at all for the portable version,
> openssl being just being an extra service, so I thought I'll do it
> something good.
>
> I'll revert to openssl and report back. May take a day or two.
>
> Thanks again
>
> Ede
>
>
Re: upcoming 6.6.0 release
On Thu, Oct 17, 2019 at 03:07:45PM +0300, Reio Remma wrote:
> On 17/10/2019 15:06, Gilles Chehade wrote:
> > On Thu, Oct 17, 2019 at 02:54:26PM +0300, Reio Remma wrote:
> > > On 17/10/2019 14:20, gil...@poolp.org wrote:
> > > > Hello misc@,
> > > >
> > > > As some have noticed, the 6.6.0 tag was created on Github to match the
> > > > code from smtpd in OpenBSD 6.6.
> > > >
> > > > A portable branch, branch-6.6.0p1, has been forked from there and can
> > > > be used to test the matching portable version:
> > > >
> > > > https://github.com/OpenSMTPD/OpenSMTPD/tree/branch-6.6.0p1
> > > >
> > > >
> > > > I have not tagged 6.6.0p1 yet because there's still some time and I
> > > > want to gain confidence that it works for most systems and
> > > > distributions we have supported so far.
> > > >
> > > > Note that:
> > > >
> > > > - this release will depend on either LibreSSL 3.0.x or OpenSSL 1.1.x
> > > > - musl-based distros may have issues at this point, they are being
> > > > tracked down, musl is not a showstopper for me as we have had issues in
> > > > previous releases too but if we can track down the problem I'd be happy
> > > > (unsuccessful so far)
> > > >
> > > > I _really_ need help on testing this as I had unexpected hand surgery
> > > > and doing the tests myself is extremely long.
> > > >
> > > > Please report as a follow up to this mail what you did test,
> > > >
> > > >
> > > Hello! Do you have any pointers as to what an SRS key should look like?
> > >
> > just make it something hard to guess :-)
> >
> So it's just a few random letters? Reading "key" I always think of some kind
> of a hash. :)
>

the key you set is rehashed so make it whatever you want

--
Gilles Chehade @poolpOrg
https://www.poolp.org
patreon: https://www.patreon.com/gilles
Re: upcoming 6.6.0 release
On Thu, Oct 17, 2019 at 02:54:26PM +0300, Reio Remma wrote:
> On 17/10/2019 14:20, gil...@poolp.org wrote:
> > Hello misc@,
> >
> > As some have noticed, the 6.6.0 tag was created on Github to match the code
> > from smtpd in OpenBSD 6.6.
> >
> > A portable branch, branch-6.6.0p1, has been forked from there and can be
> > used to test the matching portable version:
> >
> > https://github.com/OpenSMTPD/OpenSMTPD/tree/branch-6.6.0p1
> >
> >
> > I have not tagged 6.6.0p1 yet because there's still some time and I want to
> > gain confidence that it works for most systems and distributions we have
> > supported so far.
> >
> > Note that:
> >
> > - this release will depend on either LibreSSL 3.0.x or OpenSSL 1.1.x
> > - musl-based distros may have issues at this point, they are being tracked
> > down, musl is not a showstopper for me as we have had issues in previous
> > releases too but if we can track down the problem I'd be happy
> > (unsuccessful so far)
> >
> > I _really_ need help on testing this as I had unexpected hand surgery and
> > doing the tests myself is extremely long.
> >
> > Please report as a follow up to this mail what you did test,
> >
> >
> Hello! Do you have any pointers as to what an SRS key should look like?
>

just make it something hard to guess :-)

--
Gilles Chehade @poolpOrg
https://www.poolp.org
patreon: https://www.patreon.com/gilles
Re: filter-rspamd DKIM checks failing intermittently.
On Wed, Oct 16, 2019 at 10:36:32PM +0300, Reio Remma wrote:
> So it wasn't line breaks after all.
>
> It turned out that OpenSMTPD passes raw SMTP data lines to filters and raw
> SMTP lines have leading dot characters escaped by another dot, so .text
> became ..text. Feeding it to Rspamd like that made DKIM alignment tests
> fail, because body hash came out wrong.
>
> A pull request has been submitted with a fix.
>

nice catch :-)

--
Gilles Chehade @poolpOrg
https://www.poolp.org
patreon: https://www.patreon.com/gilles
Re: filter-rspamd DKIM checks failing intermittently.
Very likely yes, can you give it a try ?

On Sun, Oct 13, 2019, 15:15 Reio Remma wrote:
> On 13.10.2019 16:09, Reio Remma wrote:
>
> On 13.10.2019 16:05, Gilles Chehade wrote:
>
> I don't think that is the issue, it is probably the filter-rspamd
> reconstruction of the message that is incorrect.
>
>
> I was thinking along the same lines, but I'm not sure how OpenSMTPD splits
> strings before passing them to the filter. Can the filter then extract
> "leftover" line endings for incoming strings and make decision based on
> that when joining the strings before Rspamd?
>
> Do you experience the same yourself?
>
>
> strings.NewReader(strings.Join(s.tx.message, "\n"))
>
> Wonder if we should use \r\n here?
>
>
>
> Reio
>
>
>
> On Sun, Oct 13, 2019, 15:00 Martijn van Duren <opensm...@list.imperialat.at> wrote:
>
>> On 10/13/19 1:59 PM, Reio Remma wrote:
>> > Hello!
>> >
>> > I finally moved to Rspamd (2.0) on my production server and I'm seeing
>> > lots of failed DKIM checks, specifically dkim=fail (body hash did not
>> > verify).
>> >
>> >
>> > Authentication-Results: host.domain.com;
>> > dkim=fail (body hash did not verify) header.d=facebookmail.com
>> > header.s=s1024-2013-q3 header.b=pNWbKJUd;
>> > dmarc=pass (policy=reject) header.from=facebookmail.com;
>> > spf=pass (host.domain.com: domain of notificat...@facebookmail.com
>> > designates 66.220.144.215 as permitted sender)
>> > smtp.mailfrom=notificat...@facebookmail.com
>> >
>> > My current stab-in-the-dark theory is that there might be something
>> > going on with line endings when mails are fed to Rspamd.
>> >
>> > Any better theories? :)
>>
>> It's a known issue that mails that don't end on \r\n (both \r\r\n and
>> \n) cause issues. There's efforts going on to see how we can remedy
>> this, but in the mean time tell your senders that they should fix their
>> mails (RFC5321):
>>    In addition, the appearance of "bare" "CR" or "LF" characters in text
>>    (i.e., either without the other) has a long history of causing
>>    problems in mail implementations and applications that use the mail
>>    system as a tool. SMTP client implementations MUST NOT transmit
>>    these characters except when they are intended as line terminators
>>    and then MUST, as indicated above, transmit them only as a
>>    sequence.
>> >
>> > Thanks,
>> > Reio
>> >
>> >
>>
>> >
>
Re: filter-rspamd DKIM checks failing intermittently.
I don't think that is the issue, it is probably the filter-rspamd reconstruction of the message that is incorrect. On Sun, Oct 13, 2019, 15:00 Martijn van Duren wrote: > On 10/13/19 1:59 PM, Reio Remma wrote: > > Hello! > > > > I finally moved to Rspamd (2.0) on my production server and I'm seeing > > lots of failed DKIM checks, specifically dkim=fail (body hash did not > > verify). > > > > > > Authentication-Results: host.domain.com; > > dkim=fail (body hash did not verify) header.d=facebookmail.com > > header.s=s1024-2013-q3 header.b=pNWbKJUd; > > dmarc=pass (policy=reject) header.from=facebookmail.com; > > spf=pass (host.domain.com: domain of notificat...@facebookmail.com > > designates 66.220.144.215 as permitted sender) > > smtp.mailfrom=notificat...@facebookmail.com > > > > My current stab-in-the-dark theory is that there might be something > > going on with line endings when mails are fed to Rspamd. > > > > Any better theories? :) > > It's a known issue that mails that don't end on \r\n (both \r\r\n and > \n) cause issues. There's efforts going on to see how we can remedy > this, but in the mean time tell your senders that they should fix their > mails (RFC5321): >In addition, the appearance of "bare" "CR" or "LF" characters in text >(i.e., either without the other) has a long history of causing >problems in mail implementations and applications that use the mail >system as a tool. SMTP client implementations MUST NOT transmit >these characters except when they are intended as line terminators >and then MUST, as indicated above, transmit them only as a >sequence. > > > > Thanks, > > Reio > > > > > >
table-passwd
Hello,

Is there anyone using table-passwd for _any_ other purposes than sharing
with Dovecot ?

I have built a fully virtual setup which shares credentials with Dovecot
and since I managed to do it _without_ table-passwd I'm wondering if the
table backend is really useful and if it was not created because someone
had overlooked the first few lines of the Dovecot documentation stating:

"For a password database, it's enough to have only the user and password
fields."

-- 
Gilles Chehade @poolpOrg
https://www.poolp.org
patreon: https://www.patreon.com/gilles
Re: Failed logins hammer/filter.
On Mon, Sep 16, 2019 at 10:20:42AM +0300, Reio Remma wrote:
> Hello!
>

Hello,

> Until upgrading to OpenSMTPD 6.6 I used fail2ban to ban excessive login
> failures from IPs, but that doesn't work any more with the log format
> changed from:
>
> smtp event=failed-command address=185.13.39.7 host=vps-33288.fhnet.fr
> command="AUTH LOGIN (password)" result="535 Authentication failed"
> |
> smtp failed-command command="AUTH LOGIN (password)" result="535
> Authentication failed"
>

using the human logs for this kind of programmatic stuff is no longer
supported, the proper way is to write a filter that registers for all
register events and parses that output instead.

we assume programs to read reports so the format is versioned and is
going to be easily parsed, we assume humans to read the logs so we're
going to adapt the logs without caring too much about scripts.

> Surprisingly SMTP isn't brute forced that much, but as I registered 472
> failed authentications from a single IP yesterday, I'm going to have a Go at
> a filter too. :)
>

I do get a lot of brute-force but it mostly comes from compromised hosts so
filtering on !rdns, !fcrdns and matching some common dynamic patterns kills
the bulk of them.

-- 
Gilles Chehade @poolpOrg
https://www.poolp.org
patreon: https://www.patreon.com/gilles
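An added example of the approach described above, written here in Go and not taken from the thread or from any existing filter: a report-only filter that counts AUTH failures per source address by correlating link-connect and link-auth report events on the versioned report stream instead of scraping the human log. The report field layout is assumed from smtpd-filters(7) and the sample events are constructed, as the comments note.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"os"
	"sort"
	"strings"
)

// Constructed sample of the report stream a filter receives on stdin after
// registering for smtp-in link-connect, link-auth and link-disconnect. The
// layout report|version|timestamp|subsystem|event|session|... is assumed from
// smtpd-filters(7); session ids, users, timestamps and addresses are made up.
var sampleReports = []string{
	"config|ready",
	"report|0|1568624442.000001|smtp-in|link-connect|1a2b3c4d5e6f7a8b|vps-33288.fhnet.fr|pass|185.13.39.7:51422|192.0.2.25:25",
	"report|0|1568624443.000002|smtp-in|link-auth|1a2b3c4d5e6f7a8b|alice|fail",
	"report|0|1568624444.000003|smtp-in|link-auth|1a2b3c4d5e6f7a8b|alice|fail",
	"report|0|1568624445.000004|smtp-in|link-disconnect|1a2b3c4d5e6f7a8b",
	"report|0|1568624446.000005|smtp-in|link-connect|9f8e7d6c5b4a3928|mail.example.net|pass|198.51.100.9:4242|192.0.2.25:25",
	"report|0|1568624447.000006|smtp-in|link-auth|9f8e7d6c5b4a3928|bob|pass",
	"report|0|1568624448.000007|smtp-in|link-connect|0011223344556677|vps-33288.fhnet.fr|pass|185.13.39.7:51500|192.0.2.25:25",
	"report|0|1568624449.000008|smtp-in|link-auth|0011223344556677|carol|fail",
	"report|0|1568624450.000009|smtp-in|link-auth|0011223344556677|carol|error",
}

// AuthFailures maps sessions to their source IP (learned from link-connect)
// and accumulates failed link-auth results per IP.
type AuthFailures struct {
	sessionSrc map[string]string
	failures   map[string]int
}

func NewAuthFailures() *AuthFailures {
	return &AuthFailures{sessionSrc: map[string]string{}, failures: map[string]int{}}
}

// hostOnly strips the port from the "addr:port" form used in link-connect.
func hostOnly(addr string) string {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return addr
	}
	return host
}

// Feed consumes one line of the report stream and returns true when the line
// was a failed authentication attributed to a session we saw connect.
func (a *AuthFailures) Feed(line string) bool {
	f := strings.Split(line, "|") // unlike Perl's split, keeps empty trailing fields
	if len(f) < 6 || f[0] != "report" || f[3] != "smtp-in" {
		return false
	}
	session := f[5]
	switch f[4] {
	case "link-connect": // ...|session|rdns|fcrdns|src|dest
		if len(f) >= 9 {
			a.sessionSrc[session] = hostOnly(f[8])
		}
	case "link-auth": // ...|session|username|result
		if len(f) < 8 || f[7] != "fail" {
			return false
		}
		src, ok := a.sessionSrc[session]
		if !ok {
			return false // never saw this session connect; do not guess an IP
		}
		a.failures[src]++
		return true
	case "link-disconnect":
		delete(a.sessionSrc, session)
	}
	return false
}

// Count returns the failed AUTH attempts recorded for an IP.
func (a *AuthFailures) Count(ip string) int { return a.failures[ip] }

// Exceeding lists, sorted, the IPs with at least threshold failures.
func (a *AuthFailures) Exceeding(threshold int) []string {
	var out []string
	for ip, n := range a.failures {
		if n >= threshold {
			out = append(out, ip)
		}
	}
	sort.Strings(out)
	return out
}

// Run feeds a whole stream and returns the resulting state.
func Run(lines []string) *AuthFailures {
	a := NewAuthFailures()
	for _, l := range lines {
		a.Feed(l)
	}
	return a
}

func main() {
	// Wire protocol as shown elsewhere in this thread: wait for config|ready,
	// announce the report events wanted, then consume them from stdin.
	counter := NewAuthFailures()
	sc := bufio.NewScanner(os.Stdin)
	for sc.Scan() {
		line := sc.Text()
		if line == "config|ready" {
			fmt.Println("register|report|smtp-in|link-connect")
			fmt.Println("register|report|smtp-in|link-auth")
			fmt.Println("register|report|smtp-in|link-disconnect")
			fmt.Println("register|ready")
			continue
		}
		if counter.Feed(line) {
			for _, ip := range counter.Exceeding(3) {
				fmt.Fprintf(os.Stderr, "auth failure threshold reached for %s\n", ip)
			}
		}
	}
}
```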
Re: smtpd / mail.lmtp rewrites from address, breaking lmtp
On Tue, Aug 27, 2019 at 10:30:01PM +0100, Michal Krzysztofowicz wrote: > Hi again Gilles, > > > A possible fix to your issue would be to add ' to the allowed charset in > > util.c, can you try and see if it is enough to solve your issue ? > > If I read the code correctly, the ' is already allowed. valid_localpart() > inside util.c defines IS_ATEXT macro as below: > > #define IS_ATEXT(c) (isalnum((unsigned char)(c)) || > strchr(MAILADDR_ALLOWED, (c))) > > then MAILADDR_ALLOWED is defined inside smtpd.h as: > > #define MAILADDR_ALLOWED"!#$%&'*/?^`{|}~+-=_??? > > therefore it contains the ' character. > > Am I looking at the correct place? > can you try the following diff ? Index: smtpd.h === RCS file: /cvs/src/usr.sbin/smtpd/smtpd.h,v retrieving revision 1.636 diff -u -p -r1.636 smtpd.h --- smtpd.h 11 Sep 2019 04:19:19 - 1.636 +++ smtpd.h 16 Sep 2019 18:03:05 - @@ -69,8 +69,7 @@ * potentially dangerous and need to be escaped. */ #defineMAILADDR_ALLOWED"!#$%&'*/?^`{|}~+-=_" -#defineMAILADDR_ESCAPE "!#$%&'*/?^`{|}~" - +#define MAILADDR_ESCAPE "!#$&*?^`{|}" #define F_STARTTLS 0x01 #define F_SMTPS0x02 -- Gilles Chehade @poolpOrg https://www.poolp.orgpatreon: https://www.patreon.com/gilles
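Review bot: MAILADDR_ESCAPE drops `'`, `%`, `/` and `~` while the comment right above it ("potentially dangerous and need to be escaped") stays as it is, so the next reader cannot tell whether those four are now considered safe on every path that hands a local part to an external program or only on the mail.lmtp path this thread is about; please extend the comment with the reason each remaining character is still escaped, and add a regress case with a `'` in the local part so the LMTP rewrite reported here stays fixed.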
Re: OpenSMTPD build on OpenSSL 1.1.x
On Wed, Aug 28, 2019 at 10:55:05AM +0300, Reio Remma wrote:
> On 28/08/2019 10:44, gil...@poolp.org wrote:
> > 28 August 2019 00:00 "Reio Remma" wrote:
> >
> > > On 27.08.2019 21:25, Richard Narron wrote:
> > >
> > > > The OpenSMTPD portable version from
> > > > https://github.com/OpenSMTPD/OpenSMTPD
> > > > works fine on Slackware64 current with OpenSSL 1.1.1c and gcc 9.2
> > > > It took me a while to get it to work though.
> > > > I first downloaded the "current" portable version from
> > > > https://opensmtpd.org/archives/opensmtpd-6.4.2p1.tar.gz
> > > > And I got errors very similar to those of Denis Fateyev on Fedora 30.
> > > > Next I downloaded the portable version from github.com
> > > > and found that autoconf had not been run and this was no good.
> > > > Finally I discovered the post on the mailing list which mentioned the
> > > > "bootstrap" script and then I was able to download and build the
> > > > portable version from git.
> > > > The code shows version "6.6.0-portable".
> > > > It runs fine on Slackware64 current and I'm happy that it now works with
> > > > OpenSSL 1.1
> > > > Regards,
> > > > Richard Narron
> > >
> > > Your success pushed me to try 6.6.0 on CentOS 7 with OpenSSL 1.1.1c.
> > >
> > > Can anyone tell me if changing to -lcrypto -lssl to -l:libssl.a
> > > -l:libcrypto.a is the correct way to get OpenSSL 1.1.1c statically
> > > compiled into OpenSMTPD? I ended up using these (and -pthreads -ldl)
> > > and managed to build an RPM based on 6.0.3 RPM from CentOS 7.
> > >
> > I don't know about the -l:lib notation sorry
> >
> > Out of curiosity, why would you want ssl statically compiled into
> > OpenSMTPD ?
> > This means that when an issue hits OpenSSL, updating OpenSSL and
> > restarting the daemon will not be enough to be back on track.
> >
> > In addition, I'm not sure why you need -pthreads because OpenSMTPD is not
> > multi-threaded.
>
> Hello!
>
> CentOS 7 has OpenSSL 1.0.2k as the max version and with OpenSSL 1.1.1c
> compiled into OpenSMTPD I can run the new OpenSMTPD version on a machine
> with CentOS 7's old OpenSSL version.
>
> I had to add -pthreads and -ldl to pass 'make' with the static OpenSSL
> libraries. Without these I ran into errors hinting at threads and dl.
>
> I'm a little wary of just forcibly replacing the whole OpenSSL 1.0.2k on a
> production machine. :)
>

Understood !

OpenSSL 1.0.x is going to be supported until 2019-12-31 so this will get
solved by itself soon ;-)

-- 
Gilles Chehade @poolpOrg
https://www.poolp.org
patreon: https://www.patreon.com/gilles
Re: tags on the portable branch?
On Sun, Aug 25, 2019 at 07:16:23AM +0200, Harald Dunkel wrote: > Hi Gilles, > > On 8/24/19 9:14 PM, Gilles Chehade wrote: > > > > This is expected. > > > > Version 6.4.x only builds with LibreSSL or OpenSSL 1.0.x > > > > do you think it would be possible to set a tag matching support > for openssl 1.1.1c as well? The version I am using right now now > is based on 772da22936c8d80f7ad3284ea7e5bdbfdbee2efb, but this > might be too experimental for production use. > I'm unsure I understand what you want :-/ OpenSSL 1.1.x is only supported in the development branch so you need to track latest commit in branch 'portable': the commit you're using is one of the development branch from two weeks ago, if you are happy with that keep it, it's no less or more experimental than any commit in the branch since you're already running development code. I wouldn't know what to tag honestly -- Gilles Chehade @poolpOrg https://www.poolp.orgpatreon: https://www.patreon.com/gilles
Re: stumped on virtual aliases
On Sat, Aug 24, 2019 at 04:14:21PM +0200, Joseph A Borg wrote:
> I'm trying to match an email: nos...@domain.tld to expand to
> webmas...@domain.tld and deliver to local mailbox.
>
> My setup is pretty simple and works well for virtual mailboxes linked to a
> couple of virtual domains. now I'm trying to add aliases to some accounts.
>
> From the error, it seems like smtpd is not transforming the alias address
> into the final address for delivery.
> Seems like I'm not understanding how smtpd transforms a recipient address
> into the actual recipient for delivery.
>
> I must be conceptually stumped on this one.
>
> [...]
>
> the configuration files for the domain and tables follows.
>
> # file:/etc/mail/domain.tld/accounts/valiases:
> =
>
> nospam webmas...@domain.tld
> ## EOF
>
> # file:/etc/mail/domain.tld/accounts/emails
>
> webmas...@domain.tld::/home/domain/mail/master
> webdus...@domain.tld::/home/domain/mail/duster
> webbus...@domain.tld::/home/domain/mail/buster
> ## EOF
>

Your problem lies here.

expansion resolves an e-mail address into a user-part, so ultimately what's
looked up in a userbase is the part before '@'

if you're already using a virtual account, why not do something like this ?

valiases:
==
nospam webmaster

emails:
==
webmaster ::/home/domain/mail/master

if you really want the indirection, you can even:

nospam webmas...@domain.tld
webmas...@domain.tld webmaster

> # file:/etc/mail/domain.sub.smtpd.conf
> =
>
> ## =
> ## DOMAIN CONFIGURATION:
> ## =
> # TABLE DECLARATIONS:
> # ---
> table domains \
> file:/etc/mail/domain.tld/domains
> table valiases \
> file:/etc/mail/domain.tld/accounts/valiases
> table e-boxes \
> file:/etc/mail/domain.tld/accounts/emails
>
> # ACTIONS
> # ---
> action valiases_set \
> expand-only \
> virtual
> action deliver_virtual_set \
> maildir \
> userbase
>
> # MATCHES
> # ---
> match from any \
> for domain \
> action valiases_set
> match from any \
> for domain \
> action deliver_virtual_set
>

-- 
Gilles Chehade @poolpOrg
https://www.poolp.org
patreon: https://www.patreon.com/gilles
Re: Service names in listen on directives
On Sat, Aug 24, 2019 at 10:16:26PM +0200, Martijn van Duren wrote: > On 8/24/19 10:06 PM, Gilles Chehade wrote: > > On Sat, Aug 24, 2019 at 12:32:05PM -0700, Darren S. wrote: > >> OpenBSD 6.5 amd64 > >> OpenSMTPD 6.5.0 > >> > >> port [port] > >> Listen on the given port instead of the default port 25. > >> > >> I wanted to confirm if service names are intended to be supported for > >> `listen on` option in smtpd.conf. > >> > >> These result in syntax failure: > >> > >> listen on lo port smtp > >> listen on lo port smtps > >> > >> These do not: > >> > >> listen on lo port 25 > >> listen on lo port 465 > >> > >> This also does not: > >> > >> listen on lo port submission > >> > >> Found it curious that `submission` may be used in place of a port > >> number but not the other service names. > >> > > > > this is because `smtp' and `smtps` are keywords, so they must be quoted: > > > > listen on lo port "smtp" > > > > > Don't know if there's interest, but considering the port argument is > non-optional and smtp and smtps are valid (and imho not unreasonable) > port names I reckon we could add them explicitly so they can be used > without quotes. > You beat me to it, yes this makes sense. > Index: parse.y > === > RCS file: /cvs/src/usr.sbin/smtpd/parse.y,v > retrieving revision 1.258 > diff -u -p -r1.258 parse.y > --- parse.y 23 Aug 2019 19:05:01 - 1.258 > +++ parse.y 24 Aug 2019 20:14:40 - 
> @@ -1863,6 +1863,38 @@ opt_if_listen : INET4 { > free($2); > listen_opts.port = ntohs(servent->s_port); > } > + | PORT SMTP { > + struct servent *servent; > + > + if (listen_opts.options & LO_PORT) { > + yyerror("port already specified"); > + YYERROR; > + } > + listen_opts.options |= LO_PORT; > + > + servent = getservbyname("smtp", "tcp"); > + if (servent == NULL) { > + yyerror("invalid port: smtp"); > + YYERROR; > + } > + listen_opts.port = ntohs(servent->s_port); > + } > + | PORT SMTPS{ > + struct servent *servent; > + > + if (listen_opts.options & LO_PORT) { > + yyerror("port already specified"); > + YYERROR; > + } > + listen_opts.options |= LO_PORT; > + > + servent = getservbyname("smtps", "tcp"); > + if (servent == NULL) { > + yyerror("invalid port: smtps"); > + YYERROR; > + } > + listen_opts.port = ntohs(servent->s_port); > + } > | PORT NUMBER { > if (listen_opts.options & LO_PORT) { > yyerror("port already specified"); > -- Gilles Chehade @poolpOrg https://www.poolp.orgpatreon: https://www.patreon.com/gilles
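Review bot: the new `PORT SMTP` and `PORT SMTPS` alternatives are copies of each other and of the existing servent lookup (the `free($2); listen_opts.port = ntohs(servent->s_port);` tail of the rule just above them), so a small helper taking the service name and doing the LO_PORT check would avoid three copies of the same error handling. Also, `getservbyname("smtps", "tcp")` only succeeds when the entry exists in the services database, so `yyerror("invalid port: smtps")` would be more useful if it said that the service name was not found, which is what an admin on a trimmed /etc/services needs to know.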
Re: Service names in listen on directives
On Sat, Aug 24, 2019 at 12:32:05PM -0700, Darren S. wrote: > OpenBSD 6.5 amd64 > OpenSMTPD 6.5.0 > > port [port] > Listen on the given port instead of the default port 25. > > I wanted to confirm if service names are intended to be supported for > `listen on` option in smtpd.conf. > > These result in syntax failure: > > listen on lo port smtp > listen on lo port smtps > > These do not: > > listen on lo port 25 > listen on lo port 465 > > This also does not: > > listen on lo port submission > > Found it curious that `submission` may be used in place of a port > number but not the other service names. > this is because `smtp' and `smtps` are keywords, so they must be quoted: listen on lo port "smtp" -- Gilles Chehade @poolpOrg https://www.poolp.orgpatreon: https://www.patreon.com/gilles
Re: tags on the portable branch?
On Sat, Aug 24, 2019 at 04:19:11PM +0200, Harald Dunkel wrote: > On 8/23/19 9:55 PM, John Cox wrote: > > Hi > > > > Whilst I know it doesn't help you I just git cloned that URL and the > > tag checkout just worked for me. What happens if you make another new > > (temporary) repo with clone and try again? > > > > Regards > > > > John Cox > > > > Using a new clone, as suggested: The tag "opensmtpd-6.4.2p1" is available, > but it doesn't build on Debian sid (openssl 1.1.1c). Full build.log is > attached. > This is expected. Version 6.4.x only builds with LibreSSL or OpenSSL 1.0.x See: https://poolp.org/posts/2019-07-27/july-2019-report-tons-of-smtpd-work-mostly/ -- Gilles Chehade @poolpOrg https://www.poolp.orgpatreon: https://www.patreon.com/gilles
Re: tags on the portable branch?
On Thu, Aug 22, 2019 at 10:24:30AM +0200, Harald Dunkel wrote:
> Hi folks,
>
> would it be possible to set tags on the portable branch as well?
> Something like
>
> portable-6.4.1
>
> would do.
>
> This could help a lot for creating some kind of "official" source
> package for Debian and Fedora/RedHat.
>

you mean like this ? :-)

https://github.com/OpenSMTPD/OpenSMTPD/releases/tag/opensmtpd-6.4.2p1

-- 
Gilles Chehade @poolpOrg
https://www.poolp.org
patreon: https://www.patreon.com/gilles
Re: smtpd not passing data to rspamd
On Wed, Aug 21, 2019 at 08:06:58PM +, Thomas Smith wrote: > > ? Original Message ? > On Wednesday, August 21, 2019 8:28 AM, Gilles Chehade > wrote: > > > On Wed, Aug 21, 2019 at 03:22:39PM +, Thomas Smith wrote: > > > > > Hi, > > > I've setup filter-rspamd with rspamd. Both appear to be running (smtpd > > > and rspamd), I'm able to query rspamd's controller, access the web UI; > > > smtpd is processing and delivering mail as expected. > > > ps wuax | grep rspam > > > root 86736 0.0 0.4 45236 4008 ?? I 6:30AM 0:00.05 rspamd: main process > > > (rspamd) > > > _rspamd 32135 0.0 1.0 45344 10140 ?? S 6:30AM 0:00.23 rspamd: > > > rspamd_proxy process (localhost:11332) (rspamd) > > > _rspamd 4059 0.0 1.4 45688 14632 ?? S 6:30AM 0:01.63 rspamd: controller > > > process (localhost:11334) (rspamd) > > > _rspamd 16743 0.0 1.1 45384 11020 ?? S 6:30AM 0:00.33 rspamd: normal > > > process (localhost:11333) (rspamd) > > > _smtpd 32851 0.0 0.4 105520 3624 ?? I 6:56AM 0:00.01 > > > /usr/local/bin/filter-rspamd > > > _smtpd 68802 0.0 0.1 844 808 ?? Ip 6:56AM 0:00.00 sh -c > > > /usr/local/bin/filter-rspamd > > > However, I don't see any messages being processed by rspamd. Nor do I see > > > any indication that data is being sent to rspamd (nothing in the logs, no > > > stats appearing in the web UI). > > > > can you show full logs for a sample smtpd session that didn't go through > > rspamd ? > > Is this what you're looking for? > > Aug 21 12:42:22 host smtpd[71198]: 43e03ee20005a41f smtp connected > address=x.x.x.x host=***t.com > Aug 21 12:42:23 host smtpd[71198]: 43e03ee20005a41f smtp message > msgid= size=338369 nrcpt=1 proto=ESMTP > Aug 21 12:42:23 host smtpd[71198]: 43e03ee20005a41f smtp envelope > evpid= > from=<t.com> > to=<***.***> > Aug 21 12:42:24 host smtpd[71198]: 43e03ee20005a41f smtp disconnected > reason=quit > > The msgid reveals some additional data, but the server doesn't manage final > delivery--emails are received and relayed only. 
So the additional message > information is related to the outbound (relayed) email but I can provide if > needed. > sorry but this is tricky to troubleshoot with so few logs, obfuscated on top of it :-/ -- Gilles Chehade @poolpOrg https://www.poolp.orgpatreon: https://www.patreon.com/gilles
FLOSS Weekly 543 OpenSMTPD
Hello everyone,

I was invited to talk a bit about SMTP and OpenSMTPD in FLOSS Weekly.

Here is the link in case you're interested:

https://twit.tv/shows/floss-weekly/episodes/543

Cheers

-- 
Gilles Chehade @poolpOrg
https://www.poolp.org
patreon: https://www.patreon.com/gilles
Re: smtpd not passing data to rspamd
On Wed, Aug 21, 2019 at 03:22:39PM +, Thomas Smith wrote:
> Hi,
>
> I've setup filter-rspamd with rspamd. Both appear to be running (smtpd and
> rspamd), I'm able to query rspamd's controller, access the web UI; smtpd is
> processing and delivering mail as expected.
>
> ps wuax | grep rspam
> root 86736 0.0 0.4 45236 4008 ?? I 6:30AM 0:00.05 rspamd: main process (rspamd)
> _rspamd 32135 0.0 1.0 45344 10140 ?? S 6:30AM 0:00.23 rspamd: rspamd_proxy process (localhost:11332) (rspamd)
> _rspamd 4059 0.0 1.4 45688 14632 ?? S 6:30AM 0:01.63 rspamd: controller process (localhost:11334) (rspamd)
> _rspamd 16743 0.0 1.1 45384 11020 ?? S 6:30AM 0:00.33 rspamd: normal process (localhost:11333) (rspamd)
> _smtpd 32851 0.0 0.4 105520 3624 ?? I 6:56AM 0:00.01 /usr/local/bin/filter-rspamd
> _smtpd 68802 0.0 0.1 844 808 ?? Ip 6:56AM 0:00.00 sh -c /usr/local/bin/filter-rspamd
>
> However, I don't see any messages being processed by rspamd. Nor do I see any
> indication that data is being sent to rspamd (nothing in the logs, no stats
> appearing in the web UI).
>

can you show full logs for a sample smtpd session that didn't go through
rspamd ?

> smtpd.conf:
> filter "rspamd" proc-exec "/usr/local/bin/filter-rspamd"
> listen on egress tls hostname $mx_domain pki $mx_domain filter "rspamd"
>
> 'smtpd -d -v':
> debug: smtp: listen on x.x.x.x port 25 flags 0x2401 pki "" ca ""
>
> I also don't see any debug messages regarding rspamd.
>

your config is correct

-- 
Gilles Chehade @poolpOrg
https://www.poolp.org
patreon: https://www.patreon.com/gilles
Re: Question about OpenSMTPD and Debian package and filters/spam filtering
On Wed, Aug 21, 2019 at 12:50:10PM +0200, Michiel van Es wrote:
> Hi!
>

Hi,

> I am running a small VPS with 1 GB memory with Debian 10 amd64 with OpenSMTPD
> (6.0.3) for private email and am looking what my best options are to limit
> spam.
> I know there are some filters from Joerg
> (https://www.mail-archive.com/misc@opensmtpd.org/msg04402.html) but am not
> sure if these will work with my version of OpenSMTPD (I get a syntax error
> when trying the old filter syntax).
>
> I can also relay everything to Amavisd/SpamAssassin but then email won't
> get blocked at the SMTP level, also ASSP or Rspamd is an option but they are
> pretty resource intensive and will eat all my VPS memory ;)
>
> What would be my best option?
>

6.0.3 is a fairly old version and there aren't many options available.

if you're forced to stick with that version, which suffers from at least one
denial of service as far as I know, your best option is to relay via
something like SpamPD so it can interface with SpamAssassin, but this is not
going to operate at SMTP level, it will happen at delivery time.

there will be no way of blocking at SMTP level before next release 6.6.0
that is going to happen in a few weeks, during October, so any option is
going to be post delivery: either as a custom MDA, or as a relay via some
smtp proxy that will reinject in smtpd like the dkimproxy stuff.

your best option would really be to build from source 6.4.2: it will not
block at SMTP level but will provide mechanisms to ease interfacing with
spamassassin or rspamd for post-SMTP handling.

if you're not too easily scared, running the development version is good
too because it's very close to release now, very stable and will not get
much changes until October as I'm busy busy these days ;-)

> I like to do some DNSBL and SpamAssassin checks if possible.
>
> My config if that is to any use to give some insights:
>
> pki server.pragmasec.nl certificate
> "/etc/letsencrypt/live/pragmasec.nl/fullchain.pem"
> pki server.pragmasec.nl key "/etc/letsencrypt/live/pragmasec.nl/privkey.pem"
> listen on localhost
> listen on eth0 port 25 tls pki server.pragmasec.nl hostname
> server.pragmasec.nl auth-optional
> listen on eth0 port 587 tls-require pki server.pragmasec.nl hostname
> server.pragmasec.nl auth
> table vdomains file:/etc/mail/domains
> table vusers file:/etc/mail/vusers
> expire 7d
> limit mta inet4
> accept from any for domain virtual deliver to mda
> "/usr/lib/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"
> accept from local for any relay
>
> Cheers,
>
> Michiel
>

-- 
Gilles Chehade @poolpOrg
https://www.poolp.org
patreon: https://www.patreon.com/gilles
Re: forcing SMTP authentication
On Wed, Aug 21, 2019 at 07:39:42AM +0200, Selmeci Tamás wrote:
> Hello!
>
> In brief: STARTTLS is enabled, there is a self-signed certificate for
> encryption (better than nothing), smarthost is used to send mails from
> my domain. My problem is that it still accepts SMTP connections (over
> TLS) without authentication. What I want:
> - anybody can send email to my email address in my domain (now it's
> working);
> - relaying through my SMTP server is allowed only after successful
> authentication (now anybody can relay through my server without
> authentication, e.g. to send spams). Authentication should be based on
> regular /etc/passwd file (local users of the computer). In order to
> hide the passwords, STARTTLS should be used;
>
> It's a rather simple configuration, but I wasn't able to set it up. If
> I put 'auth' into the 'listen on' line, it needs authentication to any
> access of the SMTP server, so other machines (e.g. from google.com)
> can't send me mails. Using 'authenticated' in 'accept from' directives
> also didn't do the trick appropriately (it wasn't able to receive any
> mails at all).
>
> Could you please help me out with this?
>
> Thanks, regards,
> ---
> ---
> pki mail.486.hu certificate "/etc/smtpd/mail.486.hu.crt"
> pki mail.486.hu key "/etc/smtpd/mail.486.hu.key"
>
> table cred file:/etc/smtpd/cred
>
> listen on eth0 port 25 hostname mail.486.hu tls-require
> listen on localhost port 25 hostname mail.486.hu tls-require
>

you should add:

listen on eth0 port 587 hostname mail.486.hu tls-require auth

> # Storing mails arriving at the domain '486.hu'.
> accept from any for domain 486.hu deliver to mbox
>
> # If the recipient is out of domain '486.hu', the mail is relayed through the
> # smarthost using TLS and authentication, see 'cred' file.
> accept from any for ! domain 486.hu relay via
> tls+auth://t-onl...@mail.t-online.hu auth
>

That last rule is essentially "accept from any for (pretty much) any" so you
have created an open relay.

Replace the "from any" with "from local" so the rule reads as:

accept from local for ! domain 486.hu relay via tls+auth://t-onl...@mail.t-online.hu auth

This should be much better.

-- 
Gilles Chehade @poolpOrg
https://www.poolp.org
patreon: https://www.patreon.com/gilles
Re: filter assistance requested
On Mon, Aug 19, 2019 at 01:48:05PM -0500, Edgar Pettijohn wrote:
> Nothing urgent here. Probably can wait for filter documentation. However,
> I've been playing with filters off and on with limited success. It seems
> like data-line will be the most useful to filter on so that's been my focus
> lately. I have the following script:
>
> #!/usr/bin/perl
>
> use strict;
> use warnings;
> use diagnostics;
>
> open(my $fh, '>', '/tmp/log.txt') or die $!;
>
> # remove line buffering
> select(STDOUT);
> $|++;
> select($fh);
> $|++;
>
> print STDOUT "register|filter|smtp-in|data-line\n";
> print STDOUT "register|ready\n";
>
> while ( <> ) {
>     chomp; # get rid of newline
>
>     my @report = split /\|/;
>
>     next if $report[0] eq 'config';
>
>     foreach (@report) {
>         print $fh "$_\|"; # just to see whats there
>     }
>     print $fh "\n";
>
>     my $inbody = 0;
>     my ($sid, $token, $line);
>     $sid = $report[5];
>     $token = $report[6];
>     $line = $report[$#report];
>     if ($report[0] eq 'filter' and $report[3] eq 'smtp-in' and $report[4] eq 'data-line') {
>         die "invalid filter command" if (scalar @report < 7);
>         if ($line eq '') { print $fh "end of headers\n"; $inbody++; }
>         if ($line eq '.') { print $fh "end of message\n"; $inbody--; }
>         print $fh "filter-dataline|$token|$sid|$line\n";
>         print STDOUT "filter-dataline|$token|$sid|$line\n";
>     }
> }
>
> close $fh;
>
> 0;
>
> It prints the following in /tmp/log.txt after a
> $ echo "HI" | mail edgar
>
> filter|0|1566239933.835511|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|Received: from localhost (deathstar.my.domain [local])|
> filter-dataline|ef8747a12860387a|c0002b41f6bd164d|Received: from localhost (deathstar.my.domain [local])
> filter|0|1566239933.835523|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a| by deathstar.my.domain (OpenSMTPD) with ESMTPA id 7052ea5a|
> filter-dataline|ef8747a12860387a|c0002b41f6bd164d| by deathstar.my.domain (OpenSMTPD) with ESMTPA id 7052ea5a
> filter|0|1566239933.835529|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a| for ;|
> filter-dataline|ef8747a12860387a|c0002b41f6bd164d| for ;
> filter|0|1566239933.835533|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a| Mon, 19 Aug 2019 13:38:53 -0500 (CDT)|
> filter-dataline|ef8747a12860387a|c0002b41f6bd164d| Mon, 19 Aug 2019 13:38:53 -0500 (CDT)
> filter|0|1566239933.836673|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|From: Edgar Pettijohn |
> filter-dataline|ef8747a12860387a|c0002b41f6bd164d|From: Edgar Pettijohn
> filter|0|1566239933.836681|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|Date: Mon, 19 Aug 2019 13:38:53 -0500 (CDT)|
> filter-dataline|ef8747a12860387a|c0002b41f6bd164d|Date: Mon, 19 Aug 2019 13:38:53 -0500 (CDT)
> filter|0|1566239933.836685|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|To: edgar|
> filter-dataline|ef8747a12860387a|c0002b41f6bd164d|To: edgar
> filter|0|1566239933.836688|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|
> filter-dataline|ef8747a12860387a|c0002b41f6bd164d|ef8747a12860387a
> filter|0|1566239933.836692|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|HI|
> filter-dataline|ef8747a12860387a|c0002b41f6bd164d|HI
> filter|0|1566239933.836695|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|.|
> end of message
> filter-dataline|ef8747a12860387a|c0002b41f6bd164d|.
>
> I get the following response:
> deathstar$ sendmail: command failed: 550 5.7.1 Delivery not authorized,
> message refused: Message is not RFC 2822 compliant
>
> I see the same from a telnet session as well.
>
> So there are 2 problems. First my script doesn't appear to accurately
> determine that the headers are finished. Second mail doesn't go through.
> Any suggestions are appreciated.
>

This error occurs when you don't have at least an empty line to separate
headers from the body.

Based on your output, it seems that you are generating a bad line:

> filter|0|1566239933.836688|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|
> filter-dataline|ef8747a12860387a|c0002b41f6bd164d|ef8747a12860387a

There should be a | at the end of your filter-dataline because it is not
valid as is, I'll check why smtpd did not hit a fatal.

-- 
Gilles Chehade @poolpOrg
https://www.poolp.org
patreon: https://www.patreon.com/gilles
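An added Go example (not from the thread) of the data-line handling the script above attempts: events are split into a fixed number of fields so the empty header/body separator keeps its trailing empty field instead of collapsing onto the token, and a body line that itself contains "|" is not truncated. The sample events reuse the session and token ids from the log above with constructed timestamps, and the reply uses the filter-dataline|token|session|line field order the script uses.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample in the shape shown in the thread: smtpd sends
// filter|version|timestamp|smtp-in|data-line|session|token|line. The ids are
// the ones from the log above, the timestamps are made up, and the fourth
// line carries a "|" in its payload on purpose.
var sampleInput = []string{
	"filter|0|1566239933.836685|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|To: edgar",
	"filter|0|1566239933.836688|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|",
	"filter|0|1566239933.836692|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|HI",
	"filter|0|1566239933.836693|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|a|b",
	"filter|0|1566239933.836695|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|.",
}

// dataLine is one parsed data-line event.
type dataLine struct {
	session, token, line string
}

// parseDataLine splits an event into exactly 8 fields: an empty payload stays
// "" and a payload containing "|" stays whole. Perl's default split discards
// trailing empty fields, which is how the script above ended up emitting the
// token in place of the (empty) line.
func parseDataLine(ev string) (dataLine, bool) {
	f := strings.SplitN(ev, "|", 8)
	if len(f) != 8 || f[0] != "filter" || f[3] != "smtp-in" || f[4] != "data-line" {
		return dataLine{}, false
	}
	return dataLine{session: f[5], token: f[6], line: f[7]}, true
}

// response formats the reply; for an empty line the trailing "|" survives.
func (d dataLine) response() string {
	return "filter-dataline|" + d.token + "|" + d.session + "|" + d.line
}

// messageState tracks where in the DATA phase one message is.
type messageState struct {
	inBody  bool
	headers []string
	body    []string
	done    bool
}

// handle processes one event: the first empty line ends the headers, "." ends
// the message, and later empty lines belong to the body. It returns the reply
// smtpd expects for that line.
func (m *messageState) handle(d dataLine) string {
	switch {
	case d.line == ".":
		m.done = true
	case !m.inBody && d.line == "":
		m.inBody = true
	case m.inBody:
		m.body = append(m.body, d.line)
	default:
		m.headers = append(m.headers, d.line)
	}
	return d.response()
}

// process runs events through the state machine and returns the replies.
func process(events []string) ([]string, *messageState) {
	st := &messageState{}
	var replies []string
	for _, ev := range events {
		d, ok := parseDataLine(ev)
		if !ok {
			continue // not a data-line event; a real filter would dispatch it elsewhere
		}
		replies = append(replies, st.handle(d))
	}
	return replies, st
}

func main() {
	replies, st := process(sampleInput)
	for _, r := range replies {
		fmt.Println(r)
	}
	fmt.Printf("headers=%d body=%d done=%v\n", len(st.headers), len(st.body), st.done)
}
```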
Re: OpenSMTPD build on OpenSSL 1.1.x
On Fri, Aug 16, 2019 at 03:38:43AM +0600, Denis Fateyev wrote: > Hello Gilles, > > You are right, I tried "opensmtpd-6.4.2p1.tar.gz" release for some reasons, > and it was failing to build. > > The latest checkout from portable branch is fine, and doesn't bring any > build issues anymore, it's great! > I will test it for a while with some use cases. > > > Out of curiosity, I have also tried it with openssl-1.0.2k (RHEL7) , and as > expected it's failing. > Mostly related to RSA methods. Just to note: > https://kojipkgs.fedoraproject.org//work/tasks/2547/37062547/build.log > yeah, the problem is described here: https://poolp.org/posts/2019-07-27/july-2019-report-tons-of-smtpd-work-mostly/ long story short, the same code can't build for both 1.0.z and 1.1.z, to support both requires using two different APIs. it is technically doable but 1.0.z will be EOL a month or so after we'll release our next major version so the work isn't worth it. -- Gilles Chehade @poolpOrg https://www.poolp.orgpatreon: https://www.patreon.com/gilles
[jungleboog...@gmail.com: Fwd: OpenSMTPD on FLOSS Weekly]
----- Forwarded message from jungle Boogie -----

From: jungle Boogie
To: Misc@opensmtpd.org
Cc:
Bcc:
Date: Mon, 19 Aug 2019 10:16:34 -0700
Subject: OpenSMTPD on FLOSS Weekly

Hi All,

Gilles will be on FLOSS Weekly this Wednesday 21 August at 9:30am PT, 1630 UTC.
You can watch live at https://twit.tv/live

I'm looking forward to this interview!

Thanks for being on the show, Gilles.

Best,
j.b.

----- End forwarded message -----

-- 
Gilles Chehade @poolpOrg
https://www.poolp.org
patreon: https://www.patreon.com/gilles
Re: Simple rewrite-from filter in awk
On Sun, Aug 18, 2019 at 06:49:25PM +0200, Jakub Jirutka wrote: > Hi, > > I was playing a bit with new proc filters and wrote a very simple filter > for rewriting email address in both MAIL FROM command and From header > with the specified email address... in just ~60 lines of AWK! > > https://github.com/jirutka/opensmtpd-filter-rewrite-from > > I'm really impressed how simple yet powerful is the new proc filter > interface! The fact that you can implement a simple filter in fews lines > of such limited language as AWK clearly proves the simplicity. No > language-specific API and bindings, no complex formats or craps like > gRPC, just plain old processes, stdin/stdout and simple line-oriented > protocol with delimiter-separated fields. The proper Unix way. <3 > You. made. my. day :-) I'm glad that I resisted the pressure to implement milters and to push a ton of features in the daemon because the implementation is exactly what we wanted to achieve: fast, easy and secure. Took time but we are there. We lose the many milters that are available, but the simplicity allows a rewrite of any filter we need in a very short time, including maybe some milter interface on top of our implementation if someone feels like it. Looking forward to see what the community builds with this ! -- Gilles Chehade @poolpOrg https://www.poolp.orgpatreon: https://www.patreon.com/gilles
Re: filter-senderscore for testing
On Sun, Aug 18, 2019 at 10:39:29AM +0200, Gilles Chehade wrote:
> Hello,
>
> I have written a second filter:
>
> https://github.com/poolpOrg/filter-senderscore
>
> Senderscore is the reputation scoring built by Return-Path which some of
> the Big Mailers Corp feedback into.
>
> It isn't bullet-proof but, while good reputations doesn't mean sender is
> good for real, bad reputations generally mean sender is bad for real.
>
> I'd appreciate some testing and reporting ;-)
>

Just for the record:

Aug 18 09:02:42 in smtpd[81815]: 0fc6a2f85d8dccfa smtp connected address=23.129.64.207 host=207.emeraldonion.org
Aug 18 09:02:42 in smtpd[27481]: : senderscore(23.129.64.207) -> 127.0.4.8
Aug 18 09:02:42 in smtpd[81815]: 0fc6a2f85d8dccfa smtp failed-command command="" result="550 your IP reputation is too low for this MX"
Aug 18 09:02:42 in smtpd[81815]: 0fc6a2f85d8dccfa smtp disconnected reason=quit
Aug 18 09:02:43 in smtpd[81815]: 0fc6a2f9cbd54d4e smtp connected address=23.129.64.216 host=
Aug 18 09:02:43 in smtpd[27481]: : senderscore(23.129.64.216) -> 127.0.4.2
Aug 18 09:02:43 in smtpd[81815]: 0fc6a2f9cbd54d4e smtp failed-command command="" result="550 your IP reputation is too low for this MX"
Aug 18 09:02:43 in smtpd[81815]: 0fc6a2f9cbd54d4e smtp disconnected reason=quit
Aug 18 09:02:51 in smtpd[81815]: 0fc6a2face31cde3 smtp connected address=23.129.64.162 host=162.emeraldonion.org
Aug 18 09:02:51 in smtpd[27481]: : senderscore(23.129.64.162) -> 127.0.4.4
Aug 18 09:02:51 in smtpd[81815]: 0fc6a2face31cde3 smtp failed-command command="" result="550 your IP reputation is too low for this MX"
Aug 18 09:02:51 in smtpd[81815]: 0fc6a2face31cde3 smtp disconnected reason=quit
Aug 18 09:02:52 in smtpd[81815]: 0fc6a2fb4fd79b8c smtp connected address=23.129.64.162 host=162.emeraldonion.org
Aug 18 09:02:52 in smtpd[27481]: : senderscore(23.129.64.162) -> 127.0.4.4
Aug 18 09:02:52 in smtpd[81815]: 0fc6a2fb4fd79b8c smtp failed-command command="" result="550 your IP reputation is too low for this MX"
Aug 18 09:02:52 in smtpd[81815]: 0fc6a2fb4fd79b8c smtp disconnected reason=quit
Aug 18 09:07:09 in smtpd[81815]: 0fc6a2fc398ab74f smtp connected address=193.169.252.212 host=
Aug 18 09:07:09 in smtpd[27481]: : senderscore(193.169.252.212) -> 127.0.4.0
Aug 18 09:07:09 in smtpd[81815]: 0fc6a2fc398ab74f smtp failed-command command="" result="550 your IP reputation is too low for this MX"
Aug 18 09:07:09 in smtpd[81815]: 0fc6a2fc398ab74f smtp disconnected reason=quit

-- 
Gilles Chehade @poolpOrg
https://www.poolp.org
patreon: https://www.patreon.com/gilles
filter-senderscore for testing
Hello,

I have written a second filter:

https://github.com/poolpOrg/filter-senderscore

Senderscore is the reputation scoring built by Return-Path which some of
the Big Mailers Corp feedback into.

It isn't bullet-proof but, while good reputations don't mean sender is
good for real, bad reputations generally mean sender is bad for real.

I'd appreciate some testing and reporting ;-)

--
Gilles Chehade @poolpOrg
https://www.poolp.org  patreon: https://www.patreon.com/gilles
Re: filter-rspamd available for testing
On Fri, Aug 16, 2019 at 12:02:29AM +0200, Jakub Jirutka wrote:
> Hi Gilles,
>
> I'm testing OpenSMTPD on Alpine Linux (musl libc) built from the last
> commit from the portable branch [1] and filters don't work.
>
> The filter script gets the following lines on the start of OpenSMTPD:
>
> config|smtp-session-timeout|300\n
> config|ready\n
>
> Right after reading "config|ready" I print the following lines to STDOUT:
>
> register|filter|smtp-in|data-line\n
> register|filter|smtp-in|commit\n
> register|ready\n
>
> No problem so far. But when I send a message via sendmail(1), OpenSMTPD
> processes it, but doesn't feed any input to the script. The script is
> running and when I kill OpenSMTPD, it's gracefully exited (STDIN is
> closed, the script finishes).
>
> I've even tried to register all the reporters and filters as
> filter-rspamd do, i.e. emit exactly the same output, but no change.
>
> My smtpd.conf:
>
> table aliases file:/etc/smtpd/aliases
> filter "my-filter" proc-exec "/etc/smtpd/filter.sh"
> listen on lo filter "my-filter"
>
> action "local" mbox alias
> match for local action "local"
>
> Jakub
>
> [1]:
> https://github.com/OpenSMTPD/OpenSMTPD/commit/772da22936c8d80f7ad3284ea7e5bdbfdbee2efb
>

Are you sure you're not enqueuing the mail through the local socket ?

Note that 'listen on lo0' is a network listener and does not catch mails
that are submitted through the 'mail' command for instance.

Try adding 'listen on socket' and let me know if it works better.

> P.S.: misc+get-04...@opensmtpd.org doesn't work.
>

never used it, i'll look

--
Gilles Chehade @poolpOrg
https://www.poolp.org  patreon: https://www.patreon.com/gilles
Re: OpenSMTPD build on OpenSSL 1.1.x
Hu, this doesn't look like latest checkout from portable, can you double check ?

On Wed, 14 Aug 2019 at 22:17, Denis Fateyev wrote:
> Hello Gilles,
>
> Tried to rebuild on Fedora 30, but got compile errors (providing below
> with warnings in case if you find them useful):
> --- < cut here > ---
> gcc -DHAVE_CONFIG_H -I. -I../.. -I../../smtpd -I../../openbsd-compat
> -I../../openbsd-compat/err_h -I../../openbsd-compat/paths_h -I.
> -I/usr/include -DSMTPD_CONFDIR=\"/etc/opensmtpd\"
> -DPATH_CHROOT=\"/var/empty/smtpd\" -DPATH_SMTPCTL=\"/usr/sbin/smtpctl\"
> -DPATH_MAILLOCAL=\"/usr/libexec/opensmtpd/mail.local\"
> -DPATH_LIBEXEC=\"/usr/libexec/opensmtpd\" -DHAVE_CONFIG_H -DIO_SSL
> -DCA_FILE=\"/etc/pki/tls/cert.pem\" -O2 -g -pipe -Wall
> -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
> -fexceptions -fstack-protector-strong -grecord-gcc-switches
> -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
> -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
> -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
> -fPIC -DPIC -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
> -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign
> -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset -D_BSD_SOURCE
> -D_DEFAULT_SOURCE -D_GNU_SOURCE -DNEED_EVENT_ASR_RUN -c -o
> ../../smtpd/smtpd-ca.o `test -f '../../smtpd/ca.c' || echo
> './'`../../smtpd/ca.c
> ../../smtpd/aliases.c: In function 'aliases_get':
> ../../smtpd/aliases.c:56:23: warning: variable 'userbase' set but not used
> [-Wunused-but-set-variable]
>    56 |  struct table *userbase = NULL;
>       |                ^~~~
> ../../smtpd/aliases.c: In function 'aliases_virtual_get':
> ../../smtpd/aliases.c:114:23: warning: variable 'userbase' set but not
> used [-Wunused-but-set-variable]
>   114 |  struct table *userbase = NULL;
>       |                ^~~~
> gcc -DHAVE_CONFIG_H -I. -I../.. -I../../smtpd -I../../openbsd-compat
> -I../../openbsd-compat/err_h -I../../openbsd-compat/paths_h -I.
> -I/usr/include -DSMTPD_CONFDIR=\"/etc/opensmtpd\"
> -DPATH_CHROOT=\"/var/empty/smtpd\" -DPATH_SMTPCTL=\"/usr/sbin/smtpctl\"
> -DPATH_MAILLOCAL=\"/usr/libexec/opensmtpd/mail.local\"
> -DPATH_LIBEXEC=\"/usr/libexec/opensmtpd\" -DHAVE_CONFIG_H -DIO_SSL
> -DCA_FILE=\"/etc/pki/tls/cert.pem\" -O2 -g -pipe -Wall
> -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
> -fexceptions -fstack-protector-strong -grecord-gcc-switches
> -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
> -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
> -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
> -fPIC -DPIC -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
> -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign
> -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset -D_BSD_SOURCE
> -D_DEFAULT_SOURCE -D_GNU_SOURCE -DNEED_EVENT_ASR_RUN -c -o
> ../../smtpd/smtpd-compress_backend.o `test -f
> '../../smtpd/compress_backend.c' || echo './'`../../smtpd/compress_backend.c
> ../../smtpd/ca.c: In function 'ca_X509_verify':
> ../../smtpd/ca.c:204:47: error: dereferencing pointer to incomplete type
> 'X509_STORE_CTX' {aka 'struct x509_store_ctx_st'}
>   204 |  *errstr = X509_verify_cert_error_string(xsc->error);
>       |                                             ^~
> ../../smtpd/ca.c: At top level:
> ../../smtpd/ca.c:307:1: error: variable 'rsae_method' has initializer but
> incomplete type
>   307 | static RSA_METHOD rsae_method = {
>       | ^~
> ../../smtpd/ca.c:308:2: warning: excess elements in struct initializer
>   308 |  "RSA privsep engine",
>       |  ^~~~
> ../../smtpd/ca.c:308:2: note: (near initialization for 'rsae_method')
> ../../smtpd/ca.c:309:2: warning: excess elements in struct initializer
>   309 |  rsae_pub_enc,
>       |  ^~~~
> ../../smtpd/ca.c:309:2: note: (near initialization for 'rsae_method')
> ../../smtpd/ca.c:310:2: warning: excess elements in struct initializer
>   310 |  rsae_pub_dec,
>       |  ^~~~
> ../../smtpd/ca.c:310:2: note: (near initialization for 'rsae_method')
> ../../smtpd/ca.c:311:2: warning: excess elements in struct initializer
>   311 |  rsae_priv_enc,
>       |  ^
> ../../smtpd/ca.c:311:2: note: (near initialization for 'rsae_method')
> ../../smtpd/ca.c:312:2: warning: excess elements in struct initializer
>   312 |  rsae_priv_dec,
>       |  ^
> ../../smtpd/ca.c:312:2: note: (near initialization for 'rsae_method')
> ../../smtpd/ca.c:313:2: warning: excess elements in struct initializer
>   313 |  rsae_mod_exp,
>       |  ^~~~
> ../../smtpd/ca.c:313:2: note: (near initialization for 'rsae_method')
> ../../smtpd/ca.c:314:2: warning: excess elements in struct initializer
>   314 |  rsae_bn_mod_exp,
>       |  ^~~
> ../../smtpd/ca.c:314:2: note: (near initialization for 'rsae_meth
filter-rspamd available for testing (repost)
Hello,

It seems that I forgot to setup a proper outgoing route yesterday, so my
mail announcing availability of filter-rspamd has been SPF-rejected by a
bunch of hosts...

Here's a link to the mail archive:

https://www.mail-archive.com/misc@opensmtpd.org/msg04472.html

Note that since then, the port has been committed to OpenBSD !

--
Gilles Chehade @poolpOrg
https://www.poolp.org  patreon: https://www.patreon.com/gilles
Re: AUTH failures requires restarting smtpd
On Sat, Aug 10, 2019 at 02:24:57PM -0500, Edgar Pettijohn wrote:
>
> On Aug 10, 2019 1:05 PM, Gilles Chehade wrote:
> >
> > On Mon, Jul 22, 2019 at 11:52:45AM -0500, Edgar Pettijohn wrote:
> > >
> > > On Jul 22, 2019 8:17 AM, Andreas Karlsson wrote:
> > > >
> > > > On 2019-07-21 18:25, Edgar Pettijohn wrote:
> > > > > Not sure exactly when this started, but I get authentication errors
> > > > > that require smtpd to be restarted. Here are some logs and other
> > > > > pertinent data.
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Edgar
> > > > >
> > > > Hi,
> > > > Can you check if there are any issues with the connection to the MySQL
> > > > database during the time of the credentials lookup fails?
> > > >
> > > > I've had similar issues with Postgresql databases in the past (many
> > > > OpenSMTPD versions ago) where the psql tcp connection was disconnected
> > > > due to restarting the psql database. This was not handled well by
> > > > OpenSMTPD.
> > > >
> > > > br,
> > > >
> > > > --
> > > > You received this mail because you are subscribed to misc@opensmtpd.org
> > > > To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
> > > >
> > >
> > > Maybe something similar. Mysqld is running and double checking the SQL
> > > from the command line works. Plus dovecot is using the same without error.
> > >
> > > Thanks,
> > >
> >
> > Once I tag OpenSMTPD 6.6.0 in August, I'll have a look at extras because
> > they've been out of my sight for a while.
> >
> > --
> > Gilles Chehade @poolpOrg
> >
> > https://www.poolp.org  patreon: https://www.patreon.com/gilles
> >
>
> Thanks. As an update I upgraded to a snapshot last week with no change. Have
> a cron job restarting smtpd every hour as a workaround.

You should create an issue on our issue tracker so I don't forget about
this in a week

--
Gilles Chehade @poolpOrg
https://www.poolp.org  patreon: https://www.patreon.com/gilles
Re: AUTH failures requires restarting smtpd
On Mon, Jul 22, 2019 at 11:52:45AM -0500, Edgar Pettijohn wrote:
>
> On Jul 22, 2019 8:17 AM, Andreas Karlsson wrote:
> >
> > On 2019-07-21 18:25, Edgar Pettijohn wrote:
> > > Not sure exactly when this started, but I get authentication errors that
> > > require smtpd to be restarted. Here are some logs and other pertinent
> > > data.
> > >
> > > Thanks,
> > >
> > > Edgar
> > >
> > Hi,
> > Can you check if there are any issues with the connection to the MySQL
> > database during the time of the credentials lookup fails?
> >
> > I've had similar issues with Postgresql databases in the past (many
> > OpenSMTPD versions ago) where the psql tcp connection was disconnected
> > due to restarting the psql database. This was not handled well by OpenSMTPD.
> >
> > br,
> >
>
> Maybe something similar. Mysqld is running and double checking the SQL from
> the command line works. Plus dovecot is using the same without error.
>
> Thanks,
>

Once I tag OpenSMTPD 6.6.0 in August, I'll have a look at extras because
they've been out of my sight for a while.

--
Gilles Chehade @poolpOrg
https://www.poolp.org  patreon: https://www.patreon.com/gilles
Re: smtpd / mail.lmtp rewrites from address, breaking lmtp
On Wed, Jun 26, 2019 at 10:56:50AM +0100, Michal Krzysztofowicz wrote:
> Hi All,
>

Hi,

> I've been using OpenSMTPD on OpenBSD to run my email server since at least
> 2015, and this setup has been working really well for me since.
>
> [...]
>
> Am I missing something in the configuration, or is this something that needs
> to be fixed in smtpd?
>
> I'm running OpenBSD 6.5 patched to 005_libssl (so I guess it's the
> -stable flavour), with stock OpenSMTPD distributed with OpenBSD 6.5.
>

Sorry, it took a while to start looking at this.

We're very close to 6.6 freeze so I'm not comfortable addressing this in
the current timeframe.

A possible fix to your issue would be to add ' to the allowed charset in
util.c, can you try and see if it is enough to solve your issue ?

--
Gilles Chehade @poolpOrg
https://www.poolp.org  patreon: https://www.patreon.com/gilles
Re: Invalid mbox entries
On Fri, Aug 09, 2019 at 01:19:25AM +0200, Michael Warmuth-Uhl wrote:
> Hi Gilles,
>
> On 8/8/19 9:30 AM, Gilles Chehade wrote:
> > What happens if you call mail.local directly, bypassing smtpd altogether ?
>
> Thanks for your hint. It helped finding the issue.
>
> $ cat .forward
> | /usr/local/bin/procmail
>
> So it seems procmail is not nice to the mboxes anymore. Removing
> it everything is fine again.
>

there's an option to let procmail prepend the From delimiter but I don't
recall what it is, know that it exists though.

it was not necessary with OpenBSD 6.3 because OpenSMTPD was doing things
wrong by prepending it itself in some cases and not in others.

with OpenBSD 6.4, the mda layer was normalized so that there are not any
special cases anymore, which means the procmail command line option must
be used now.

that being said, please don't use procmail, the code is unreadable so it
is impossible to audit (not exaggerating, have a look for yourself), it's
also requesting to be setuid which is a red flag and finally there are a
few modern alternatives that are far better, fdm being one of them.

Friends don't let friends use procmail.

--
Gilles Chehade @poolpOrg
https://www.poolp.org  patreon: https://www.patreon.com/gilles
Re: Invalid mbox entries
Since it's mail related, here is fine.

What happens if you call mail.local directly, bypassing smtpd altogether ?

Are other people on the list experiencing this ?

On 8 Aug 2019 10:50, Michael Warmuth wrote:

Hello,

> Very weird because mail.local which is used for mbox delivery
> adds the line unconditionally.

To make sure it's not dovecot removing these lines I stopped it and
received another mail. "From" line is still missing.

$ ls -l /usr/libexec/mail.local
-r-xr-xr-x  1 root  bin  26320 Apr 14 11:31 /usr/libexec/mail.local

Looks good. It is identical to the one in base65.tgz.

> How did you update ?

I followed the "manual upgrade" processes:
http://www.openbsd.org/faq/upgrade64.html#NoInstKern
http://www.openbsd.org/faq/upgrade65.html#NoInstKern

As it appears to be more an OpenBSD issue, shall I move to the OpenBSD
mailing list?

Thank you,
Michael
Re: Invalid mbox entries
Very weird because mail.local which is used for mbox delivery adds the line unconditionally.

How did you update ?

On 8 Aug 2019 00:30, Michael Warmuth-Uhl wrote:

Hello,

since my yesterday's update to OpenBSD 6.5 (from 6.3 via 6.4), smtpd does
create invalid mbox entries for one of my mailboxes:

... (previous mail)
+zip-3.0p1 create/update ZIP files compatible with PKZip(tm)
Return-Path:
Delivered-To: a...@suljee.de
Received: from georgi.suljee.de (x5f72144c.dyn.telefonica.de [...])
	by nar.suljee.de (OpenSMTPD) with ESMTPSA id 04986583
	(TLSv1.2:ECDHE-RSA-CHACHA20-POLY1305:256:NO)
	for ;
	Wed, 7 Aug 2019 07:42:34 +0200 (CEST)
To: Michael Warmuth-Uhl
From: Michael Warmuth-Uhl

The initial "From" header is missing. This happens for all new mails to
that mbox. For others it's working fine. The mbox is rather big (500MB).
I saw no relevant log entries. Programs parsing (dovecot) the mbox are
not happy.

What could be the reason? How can I fix this?

Thank you,
Michael

Details:

smtpd.conf
==========
pki mail.suljee.de cert "/etc/ssl/mail.suljee.de.crt"
pki mail.suljee.de key "/etc/ssl/private/mail.suljee.de.key"

table aliases db:/etc/mail/aliases.db
table relayauth file:/etc/mail/relayauth
table virtusers file:/etc/mail/virtusertable
table domains file:/etc/mail/hosteddomains

listen on lo0
#listen on egress tls pki mail.suljee.de
listen on egress
listen on egress smtps pki mail.suljee.de auth tag t_authenticated

#accept from any for domain suljee.de alias deliver to mbox
#accept from any for domain "*.suljee.de" alias deliver to mbox
#accept from any for domain virtual deliver to mbox
#accept for local alias deliver to mbox
#accept tagged t_authenticated for any relay
#accept from local for any relay

action "local_mail" mbox alias
action "virt_user" mbox virtual
action "relay" relay

match auth from any for domain suljee.de action "local_mail"
match from any for domain suljee.de action "local_mail"
match auth from any for domain "*.suljee.de" action "local_mail"
match from any for domain "*.suljee.de" action "local_mail"
match auth from any for domain action "virt_user"
match from any for domain action "virt_user"
match auth from any for local action "local_mail"
match from any for local action "local_mail"
#match tag t_authenticated action "relay"
match from local for any action "relay"
match auth from any for any action "relay"

dmesg
=====
Copyright (c) 1982, 1986, 1989, 1991, 1993
	The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2019 OpenBSD. All rights reserved.  https://www.OpenBSD.org

OpenBSD 6.5 (GENERIC) #158: Sun Apr 14 04:07:14 MDT 2019
    dera...@sparc64.openbsd.org:/usr/src/sys/arch/sparc64/compile/GENERIC
Re: Limit max recipients per mail setting gone?
On Sun, Aug 04, 2019 at 04:45:17PM +, mabi wrote:
> Hello,
>
> In previous versions of OpenSMTPD I remember there was the following setting:
>
> limit session max-rcpt
>
> which one could use to limit the maximum recipients per mail. This setting
> seem to have been removed or I can't find it in OpenSMTPD 6.5...
>
> Is there maybe a new setting name to achieve the same limit?
>

Indeed, this somehow didn't get documented, please open an issue on our
tracker so I take care of this when I get home in a few days.

meanwhile, smtp limits are as follows:

smtp limit max-mails = max number of mails per session
smtp limit max-rcpt = max number of recipients per transaction

--
Gilles Chehade @poolpOrg
https://www.poolp.org  patreon: https://www.patreon.com/gilles
Re: git portable branch: Failed to parse smarthost
On Mon, Aug 05, 2019 at 07:14:17PM +0200, Harald Dunkel wrote:
> Hi folks,
>
> trying the new smtpd with openssl support on Debian I get the
> following error:
>
> Aug  5 18:56:26 mailhost smtpd[712]: warn: Failed to parse smarthost
> smtp://someh...@mail.somehost.de
>
> Mail is not forwarded, of course.
>
>
> The config file says
>
> :
> table localnet { 10.0.0.0/24, 2001:db8:1f24:b803::/64 }
> table secrets file:/etc/secrets
> :
> action "relay_somehost" relay host smtp://someh...@mail.somehost.de
> auth mail-from "@example.de"
> :
> match from src for any action "relay_somehost"
> match from local for any action "relay_somehost"
>
>
> The secrets file is:
>
> somehost postmas...@x.mail.somehost.de:geheim
>
>
> AFAICS the syntax follows the man page, so why does it complain?
> I don't see it. Every helpful hint is highly appreciated.
>

you're using an auth label but this requires a secure transport.

from smtpd.conf(5):

    The label corresponds to an entry in a credentials table, as
    documented in table(5). It is used with the "smtp+tls" and "smtps"
    protocols for authentication.

--
Gilles Chehade @poolpOrg
https://www.poolp.org  patreon: https://www.patreon.com/gilles
Re: unsubscribe old email address?
You have to send a mail to misc+unsubscr...@opensmtpd.org from the e-mail address you want to unsubscribe.

You can't unsubscribe other addresses.

If you need help, contact me off list.

On 6 Aug 2019 11:30, Harald Dunkel wrote:

Hi folks,

https://www.opensmtpd.org/list.html doesn't tell how to unsubscribe an
old EMail address, that cannot be used for sending EMails anymore. The
same page doesn't list an administrative user, either, so please excuse
sending this question to this mailing list.

I tried to send an EMail (new address) to misc+unsubscr...@opensmtpd.org
saying

unsubscribe o...@example.com

but this didn't work as expected. The EMail address was ignored.

Every helpful hint is highly appreciated.

Harri
OpenSMTPD 6.4.2 released to address errata
Helo,

A reliability issue has been reported yesterday that allows a remote MTA
to crash OpenSMTPD by causing it to hit one of its sanity check and exit
with fatal(). Highly annoying but not dangerous.

On OpenBSD, the issue is fixed in -current and the fix is backported for
OpenBSD 6.4 and OpenBSD 6.5:

- on current, update your tree and rebuild smtpd or install snapshot
- on 6.4 or 6.5, running `syspatch` will properly update your smtpd

On other systems, I have just published a new release 6.4.2p1 which only
consists of the previous 6.4.1p1 release but with errata diff applied.

I have updated our website front page to provide the tarball and signature
as direct links. Alternatively, you can grab the release from our github
mirror under the tag opensmtpd-6.4.2p1:

https://github.com/OpenSMTPD/OpenSMTPD/tree/opensmtpd-6.4.2p1

--
Gilles Chehade @poolpOrg
https://www.poolp.org  patreon: https://www.patreon.com/gilles
Re: smtpd accept client certificate only from a specific CA
On Sun, Jul 28, 2019 at 08:37:54PM +, Lévai, Dániel wrote:
> Hi Gilles,
>
> Did you by any chance have time to look at #926? It there something wrong
> with my setup or is this a kind of a regression?
> Thanks for any info on this!
>

Nope, if I had you would know ;-)

I'm working pretty much alone on smtpd these days and I'm not full-time,
so unless an issue is security related, it can take a bit of time before
I tackle it.

Patience.

--
Gilles Chehade @poolpOrg
https://www.poolp.org  patreon: https://www.patreon.com/gilles
any kibana guru around ?
helo,

I'm currently testing a new filter, filter-jsonlog.

The filter basically rebuilds the state of SMTP sessions and for each of
the SMTP events that occur in a session it will output the session state
to syslog in json format.

Injecting the json objects to an elasticsearch allows creating dashboard
for pretty much anything you can think of because the session states can
allow correlating any information together.

see: https://twitter.com/PoolpOrg/status/1154858074273996802

The problem is that while I worked with ELK gurus in the past who helped
me understand how to properly craft logs to ease creation of dashboards,
I suck at actually creating these dashboards.

If there are a few people around with ELK knowledge, it would be nice to
give me some help in showcasing what can be achieved with this feature.

--
Gilles Chehade @poolpOrg
https://www.poolp.org  patreon: https://www.patreon.com/gilles
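Two posts on this page describe the same defender-side idea from two ends: the filter-senderscore excerpt above (the filter logs the 127.0.4.<score> answer for the client address and the MX answers 550) and filter-jsonlog's rebuilding of session state per SMTP event for elasticsearch. The Python below is an added example, not code from OpenSMTPD or from either filter: it replays smtpd log lines, attaches the filter's score line to the connected session by client address, and emits one JSON snapshot per event. The first two sessions in the sample are copied from the posted logs, the third (192.0.2.10, score 95) is constructed, and reading the score from the last octet of 127.0.4.x is an assumption drawn from the logged answers.

```python
import json
import re
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Tuple

# Constructed sample: sessions 1 and 2 are copied from the senderscore log
# excerpt posted on the list; session 3 (192.0.2.10, score 95) is made up to
# show a client that passes the reputation check.
SAMPLE_LOG = """\
Aug 18 09:02:42 in smtpd[81815]: 0fc6a2f85d8dccfa smtp connected address=23.129.64.207 host=207.emeraldonion.org
Aug 18 09:02:42 in smtpd[27481]: : senderscore(23.129.64.207) -> 127.0.4.8
Aug 18 09:02:42 in smtpd[81815]: 0fc6a2f85d8dccfa smtp failed-command command="" result="550 your IP reputation is too low for this MX"
Aug 18 09:02:42 in smtpd[81815]: 0fc6a2f85d8dccfa smtp disconnected reason=quit
Aug 18 09:02:43 in smtpd[81815]: 0fc6a2f9cbd54d4e smtp connected address=23.129.64.216 host=
Aug 18 09:02:43 in smtpd[27481]: : senderscore(23.129.64.216) -> 127.0.4.2
Aug 18 09:02:43 in smtpd[81815]: 0fc6a2f9cbd54d4e smtp failed-command command="" result="550 your IP reputation is too low for this MX"
Aug 18 09:02:43 in smtpd[81815]: 0fc6a2f9cbd54d4e smtp disconnected reason=quit
Aug 18 09:03:10 in smtpd[81815]: 0fc6a2fd00000001 smtp connected address=192.0.2.10 host=mx.example.net
Aug 18 09:03:10 in smtpd[27481]: : senderscore(192.0.2.10) -> 127.0.4.95
Aug 18 09:03:11 in smtpd[81815]: 0fc6a2fd00000001 smtp disconnected reason=quit
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ smtpd\[\d+\]: (?P<msg>.*)$")
SESSION_RE = re.compile(r"^(?P<sid>[0-9a-f]{16}) smtp (?P<event>[\w-]+)(?P<rest>.*)$")
# The filter logs the DNS answer; the score is assumed to be the last octet of 127.0.4.x.
SCORE_RE = re.compile(r"^: senderscore\((?P<addr>[^)]+)\) -> 127\.0\.4\.(?P<score>\d{1,3})$")
# smtpd writes key=value and key="quoted value" pairs; empty values (host=) occur.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


@dataclass
class Session:
    sid: str
    address: str = ""
    hostname: str = ""
    senderscore: Optional[int] = None
    rejected: bool = False
    reject_reason: str = ""
    disconnect_reason: str = ""


def parse_kv(text: str) -> Dict[str, str]:
    """Split smtpd's key=value tail of an event line into a dict."""
    out: Dict[str, str] = {}
    for m in KV_RE.finditer(text):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def replay(log_text: str) -> Tuple[Dict[str, Session], List[dict]]:
    """Rebuild per-session state and emit a snapshot after every event."""
    sessions: Dict[str, Session] = {}
    open_by_addr: Dict[str, str] = {}  # client address -> session still connected
    events: List[dict] = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        sm = SCORE_RE.match(msg)
        if sm:
            # The filter line carries no session id: correlate on the open
            # session from that client address; drop scores for unknown sessions.
            sid = open_by_addr.get(sm.group("addr"))
            if sid is None:
                continue
            sessions[sid].senderscore = int(sm.group("score"))
            events.append({"timestamp": ts, "event": "senderscore", "session": asdict(sessions[sid])})
            continue
        em = SESSION_RE.match(msg)
        if not em:
            continue
        sid, kind, kv = em.group("sid"), em.group("event"), parse_kv(em.group("rest"))
        s = sessions.setdefault(sid, Session(sid))
        if kind == "connected":
            s.address, s.hostname = kv.get("address", ""), kv.get("host", "")
            open_by_addr[s.address] = sid
        elif kind == "failed-command" and kv.get("result", "").startswith("5"):
            s.rejected, s.reject_reason = True, kv["result"]  # permanent reply
        elif kind == "disconnected":
            s.disconnect_reason = kv.get("reason", "")
            if open_by_addr.get(s.address) == sid:
                del open_by_addr[s.address]
        events.append({"timestamp": ts, "event": kind, "session": asdict(s)})
    return sessions, events


def json_lines(log_text: str) -> List[str]:
    """One JSON document per SMTP event, ready for syslog or an elasticsearch bulk load."""
    return [json.dumps(e, sort_keys=True) for e in replay(log_text)[1]]


def rejected_by_reputation(log_text: str) -> Dict[str, int]:
    """Detection view: client address -> score for sessions the MX refused."""
    sessions, _ = replay(log_text)
    return {s.address: s.senderscore for s in sessions.values()
            if s.rejected and s.senderscore is not None}


if __name__ == "__main__":
    for doc in json_lines(SAMPLE_LOG):
        print(doc)
```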
Re: smtpd accept client certificate only from a specific CA
On Fri, Jul 26, 2019 at 08:19:33AM +, Lévai, Dániel wrote:
> Hi all!
>
> Running OpenBSD 6.5-stable, I have this on my relay host:
>
> smtpd.conf:
> ca myCA cert "/path/to/myCA.pem"
>
> listen on egress port submission \
>     tls-require verify \
>     ca myCA
>
> Now with that I expected that it'll only accept smtp clients that provide a
> certificate signed by myCA, but it turns out it accepts any certificate that
> is trusted based on the default /etc/ssl/certs.pem file.
> Besides (re)moving the stock certs file or any other intrusive/ugly
> workaround, is there any way I could force a CA for those connections?
>

Your expectations are also mine.

Please open an issue on our bug tracker, I'll have a look at it shortly as
I recently did work in that area and it worked as I expected, so I'm a bit
surprised.

--
Gilles Chehade @poolpOrg
https://www.poolp.org  patreon: https://www.patreon.com/gilles
filter-rspamd testing
Hello,

I've written a filter for rspamd integration in OpenSMTPD.

I tested the filter on my laptop for a while but I need to test it on my
MX now so... here's a mail which went through rspamd ;-)

Please report if you see my MX misbehaving, some mails not reaching this
list or anything unusual !

--
Gilles Chehade @poolpOrg
https://www.poolp.org  patreon: https://www.patreon.com/gilles
Re: OpenSMTPD build on OpenSSL 1.1.x
On Wed, Jul 24, 2019 at 10:29:34AM +0200, Harald Dunkel wrote:
> Hi Gilles,
>
> On 7/23/19 11:58 AM, Gilles Chehade wrote:
> > Hello people,
> >
> > The portable branch of OpenSMTPD should build with OpenSSL again as long
> > as your system is using >= 1.1.x
> >
>
> This is excellent news. I highly appreciate the new portable
> version. This solves a lot of problems in my environment.
>

great ;-)

> > OpenSMTPD portable has been built and tested with Ubuntu only, please do
> > provide feedback !
> >
>
> On a first build (Debian 9) configure returned an error
>
> checking if programs using libevent functions will link... no
> checking openssl/opensslv.h usability... yes
> checking openssl/opensslv.h presence... yes
> checking for openssl/opensslv.h... yes
> configure: error: *** Can't find recent LibreSSL libcrypto (see config.log
> for details) ***
>
>
> but actually libevent was missing:
>
> :
> configure:19442: checking openssl/opensslv.h usability
> configure:19442: gcc -c -g -O2 -fPIC -DPIC -Wall -Wpointer-arith
> -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess
> -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset
> -D_BSD_SOURCE -D_DEFAULT_SOURCE -I/usr/local/ssl/include conftest.c >&5
> configure:19442: $? = 0
> configure:19442: result: yes
> configure:19442: checking openssl/opensslv.h presence
> configure:19442: gcc -E -I/usr/local/ssl/include conftest.c
> configure:19442: $? = 0
> configure:19442: result: yes
> configure:19442: checking for openssl/opensslv.h
> configure:19442: result: yes
> configure:19468: gcc -o conftest -g -O2 -fPIC -DPIC -Wall -Wpointer-arith
> -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess
> -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset
> -D_BSD_SOURCE -D_DEFAULT_SOURCE -I/usr/local/ssl/include
> -L/usr/local/ssl/lib conftest.c -lcrypto -lssl -levent -lasr -lcrypt
> -lresolv >&5
> /usr/bin/ld: cannot find -levent
> collect2: error: ld returned 1 exit status
> :
>
> After installing the missing package it built fine.
>

This is a known issue, I'm working on simplifying the configure layer as
there is a lot of room for improvement. I have tried to tackle this
multiple times but not successfully yet ;-)

> I will check runtime ASAP.
>

Great ! Keep on providing feedback please !

--
Gilles Chehade @poolpOrg
https://www.poolp.org  patreon: https://www.patreon.com/gilles
OpenSMTPD build on OpenSSL 1.1.x
Hello people,

The portable branch of OpenSMTPD should build with OpenSSL again as long
as your system is using >= 1.1.x

Last month I committed a few things to LibreSSL which allowed me to make
changes to OpenSMTPD in order to have the same code build for either one
of LibreSSL and OpenSSL.

Note that LibreSSL is my target, OpenSSL is only supported as long as it
doesn't get in my way and make the code full of ifdefs. I think we'll be
fine for the years to come as we don't bring new TLS features every four
days but my goal is still to move towards libtls then write a standalone
libtls wrapper for OpenSSL.

Now a few things:

1- This needs testing as I'm not sure I got the autoconf layer right for
   all combinations of LibreSSL/OpenSSL, systems with base arc4random(),
   etc...

2- It's currently impossible to write an ECDSA privsep crypto engine for
   both LibreSSL and OpenSSL with same code as far as I know. I will get
   into this when time allows but until then ECDSA server certificate is
   only supported with LibreSSL.

OpenSMTPD portable has been built and tested with Ubuntu only, please do
provide feedback !

--
Gilles Chehade @poolpOrg
https://www.poolp.org  patreon: https://www.patreon.com/gilles
new reporting events
Hello,

New interesting features have been completed, some committed to -current
while others are still on my laptop.

Here's a short summary, I'll write about them in details when I'm having
my next hack week in... a week :-)

1- reporting API has been extended to report link-reset and link-auth so
   filters can detect that a session has been reset, or that it has been
   authenticated for a user.

2- reporting API for smtp-out is implemented and being tested on my side
   but it's now possible to write reporting-only filters for traffic that
   is outgoing.

3- OpenSMTPD still assumes LibreSSL to be its target but given changes I
   committed to LibreSSL recently, code can be written in a way that let
   OpenSMTPD build on OpenSSL 1.1.x with very minimal diff that is again
   acceptable for me.

Only 1- has been committed at this point, 2- needs more testing before I
am confident about committing. 3- is not merged in portable branch yet as
I focused on making it work, not ensuring the compat layer was correctly
handling systems with LibreSSL or handling systems with OpenSSL and with a
base arc4random() function.

Note that I'm PARTICULARLY thrilled about 1- and 2-, because it means we
are now VERY VERY VERY sysadmin friendly when it comes to monitoring and
alerting: pushing useful metrics to elasticsearch has become trivial.

It is likely I'll release a filter-elastic if there is interest.

Stay tuned !

--
Gilles Chehade @poolpOrg
https://www.poolp.org  patreon: https://www.patreon.com/gilles
heads up about ongoing work
helo,

it's been a while since my last informative mail to the list and it is a
shame given the amount of work achieved in 2019 so far.

those reading my blog posts are aware of some of the ongoing work that i
mentioned there but since not everyone reads it, here's a quick summary:

1- the filter API is working, minor bugs are being fixed and there are a
   few useful filters already written (though not published yet since we
   have not had a public release with the API contract yet, that's meant
   to be for November).

2- i have a native filter-rspamd about to be completed which is going to
   be solving most of our user requests wrt filters given that rspamd is
   capable of doing dnsbl, greylisting, interfacing with amavisd, do the
   dkim signing and verifying, and spam filtering, everything configured
   directly in rspamd. users that don't want to use rspamd can still use
   other filters dealing with just one subset of the features but I will
   at least be able to say: install filter-rspamd for most requests :-)

3- smtp-out reporting is being worked on and will provide the same level
   of reporting for outgoing connections that we have for incoming ones,
   which is basically complete reporting of all SMTP events.

4- i have been working hard on converting OpenSMTPD to libtls so that it
   is no longer relying on the OpenSSL API for TLS. In the short term it
   means that it will become very hard to run OpenSMTPD with OpenSSL for
   people who were still trying to avoid LibreSSL through local patches,
   but once we've switched to libtls, work can start to create a version
   of libtls that works with OpenSSL, this will keep most complexity out
   of OpenSMTPD and make us work again with OpenSSL without hacks.

Cheers,

--
Gilles Chehade @poolpOrg
https://www.poolp.org  patreon: https://www.patreon.com/gilles
Re: what's your LMTP use-case
On Fri, Jul 05, 2019 at 04:57:51PM +0200, Gilles Chehade wrote:
> helo,
>
> this is just a question out of curiosity
>
> I know plenty of people use the lmtp action to deliver mail through LMTP
> and I'm genuinely curious: what is your use-case ?
>
> Why do you deliver to LMTP ?
>

Thanks for your answers, both public and private :-)

--
Gilles Chehade
@poolpOrg https://www.poolp.org patreon: https://www.patreon.com/gilles
what's your LMTP use-case
helo,

this is just a question out of curiosity

I know plenty of people use the lmtp action to deliver mail through LMTP and I'm genuinely curious: what is your use-case ?

Why do you deliver to LMTP ?

--
Gilles Chehade
@poolpOrg https://www.poolp.org patreon: https://www.patreon.com/gilles
Re: tls no-verify
4 July 2019 16:04, "Henry Jensen" wrote:
>
> I see. Is this the default behavior? I noticed that
>
> action "relay" relay host smtp://my.internal.server tls no-verify
>
> and
>
> action "relay" relay host smtp://my.internal.server
>
> (opportunistic TLS) leads to the same result: the mail is transferred using
> TLS. Only when I use
>
> action "relay" relay host smtp://my.internal.server tls
>
> an error occurs "reason=SSL certificate check failed".
>

no the default behaviour is opportunistic tls, so it'll do tls no-verify but will fallback to plaintext if no tls is available.

tls no-verify won't hard fail if certificate is invalid, but it won't go to plaintext either.

--
Gilles Chehade
https://www.poolp.org @poolpOrg
Re: dkim proxy
On Thu, Jul 04, 2019 at 02:17:28PM +0200, Julien HAUTEFEUILLE wrote:
> Hello,
>

Hello,

> I am using OpenBSD 6.5 with Opensmtpd successfully.
> Nevertheless, I have a question about the dkim proxy.
>
> I was inspired by the configuration available on the author's website.
>
> https://poolp.org/posts/2018-05-21/switching-to-opensmtpd-new-config/
>

I'm not the author of dkim proxy :-)

> On this site the passage through the dkim proxy is done in this way:
>
> match tag DKIM for any action "send"
> match for any action "sendtodkimproxy"
>
> On some other sites, I have seen configurations like this one:
>
> # with dkim sign
> match tag DKIM for any action "send"
> match auth tag DKIM from any for any action "send"
>
> # without
> match auth from any for any action "sendtodkimproxy"
> match for any action "sendtodkimproxy"
>
> What do you think is the best way to do this?
>

Most definitely the second one, not the one on my blog.

A long time ago, there was no such thing as matching 'auth'. OpenSMTPD assumed any authenticated user to be a "local" user, so if you read my blog post with that perspective, it makes sense. Nowadays, authenticated users and local users are considered differently so you need to match 'auth' to catch authenticated users.

> Thank you for any suggestions you may have.
>

use the #2 method :-)

--
Gilles Chehade
@poolpOrg https://www.poolp.org patreon: https://www.patreon.com/gilles
Re: tls no-verify
On Thu, Jul 04, 2019 at 01:29:43PM +0200, Henry Jensen wrote:
> Greetings,
>
> using OpenBSD 6.5 with OpenSMTPD which forwards to an internal mail
> server which uses an internal certificate.
>
>
> from smtpd.conf:
> action "local" mbox alias
> action "relay" relay host smtp://my.internal.server tls no-verify
>
> match for local action "local"
> match for any action "relay"
>
>
> However, when relaying to that server I get such messages in the log,
> despite "tls no-verify" is set:
>
> smtp-out: Server certificate verification failed on session 3ba547f4f7b77d56c
>
>
> What am I doing wrong?
>

nothing

no-verify only means that if certificate does not validate, connection will be dropped, the log will still be visible.

--
Gilles Chehade
@poolpOrg https://www.poolp.org patreon: https://www.patreon.com/gilles
Re: RBLs?
On Wed, Jul 03, 2019 at 08:22:59AM +0000, mabi wrote:
> ------- Original Message -------
> On Wednesday, July 3, 2019 9:39 AM, Giovanni Bechis wrote:
>
> > I think it could be possible to write a filter-spamassassin, that way smtpd
> > could reject based on SpamAssassin tags.
>

yes, that is definitely doable

> Good idea, I might look at this alternative when I have a moment to write
> something in Ruby interfacing OpenSMTPD<->SA. Is there any documentation
> available to the filter "API"? I didn't find anything on opensmtpd.org. Or
> should I just check the source code of already existing filters as example?
>

the filter API is not yet documented, i'm working on it at the moment.

if you plan on working on filters, you should join our IRC channel or be prepared to face subtle changes that aren't documented yet ;-)

--
Gilles Chehade
@poolpOrg https://www.poolp.org patreon: https://www.patreon.com/gilles
Re: relay from authenticated users only
On Wed, Jul 03, 2019 at 07:36:43AM +0200, Selmeci Tamás wrote:
> Somebody suggested me to have a look at OpenSMTPD-extras. It contains
> table-passwd. I've got an idea. What if I wrote a custom module that is
> about to be called by OpenSMTPD upon authentication like table-passwd?
> (table-passwd requires another file to store credentials in, and I
> insist on using /etc/passwd only).
>

auth uses the system users by default so you don't need a custom module.

i don't know what version you are using, what system you are using, if a package was used or if you built yourself, etc... so i'll just guess the configure options used to build opensmtpd were not correct if auth isn't using your system users out of the box.

> The only question is that is it possible to perform this kind of
> authentication in plain text? In other words, will OpenSMTPD call my
> module if plain text authentication is tried by the client? (I don't
> have enough capacity now to play with self-signed certificates, TLS
> etc) Yes, I know, there are security concerns... But technically, is it
> possible with OpenSMTPD?
>

no, OpenSMTPD will not advertise AUTH over plaintext channels.

it is not an SMTP limitation, it is a decision we made years ago and you will not have a work-around for this.

there's no excuse in 2019 to allow AUTH over plaintext :-)

--
Gilles Chehade
@poolpOrg https://www.poolp.org patreon: https://www.patreon.com/gilles
Re: RBLs?
On Tue, Jul 02, 2019 at 06:54:02AM +0000, mabi wrote:
> ------- Original Message -------
> On Sunday, June 30, 2019 1:46 PM, Gilles Chehade wrote:
>
> > I'm currently working on bringing a filter-rspamd to life, see:
> >
> > https://poolp.org/posts/2019-06-30/june-2019-report-fion-bpg-and-smtpd/
>
> Fantastic Gilles, thanks for your great work! I am looking forward to try
> this filter out.
>
> [...]
>
> So basically I am not interested in the score but just in a boolean
> true/false if the mail is spam or not and then have OpenSMTPD refuse the
> submission/relaying of the mail to further mail servers on the internet.
>

yes, filter-rspamd will apply the policy configured in rspamd. if you configure rspamd to flag spam mail as reject, smtpd will reject them.

> My impression is that this right now is not possible with OpenSMTPD. Am I
> right here?
>

No, it is not possible with OpenSMTPD. You need a filter to do this and filter-rspamd is such a filter.

--
Gilles Chehade
@poolpOrg https://www.poolp.org patreon: https://www.patreon.com/gilles
Re: RBLs?
On Sat, Jun 29, 2019 at 01:03:46PM +0000, Mik J wrote:
> Hello,

Hello,

> I'm also interested in this topic. A lot of spam is still passing through.
> On my personal mailbox, I receive almost no spam. But on addresses that are
> visible on a website I receive spam, two/three per day many are blocked
> though.
> I have the same strategy as Thomas and use spamd and spam trap mails.
>

I'm currently working on bringing a filter-rspamd to life, see:

https://poolp.org/posts/2019-06-30/june-2019-report-fion-bpg-and-smtpd/

> Joerg your filter looks nice but I don't understand how it works. I'm looking
> forward to have something native with opensmtpd, spam is a pain.
>

I don't understand what you mean by "native".

--
Gilles Chehade
@poolpOrg https://www.poolp.org patreon: https://www.patreon.com/gilles
Re: Introduction
On Tue, Jun 25, 2019 at 08:15:22PM -0700, tyler wrote:
> Hey all,
>

Hey tyler,

> I'm a newbie who started his own email server as a side project. Nothing
> serious or as a job, but as a proverbial "middle finger" to gmail and yahoo,
> etc, and some personal enrichment. I've been a fan of OpenBSD for many years
> now, so OpenSMTPD was the obvious choice. This email address runs on it,
> on a VPS.
>

\o/

> I've really enjoyed the experience. It didn't take long to set up and after
> tinkering with my domain's DNS records seems to work flawlessly, except for
> unexplained Proofpoint blocks.
>

These happen even to the best of us.

> Hope you all are having a wonderful day.
>

Enjoy your stay around,

--
Gilles Chehade
@poolpOrg https://www.poolp.org patreon: https://www.patreon.com/gilles
Re: match unknown rDNS
On Wed, May 29, 2019 at 09:54:36AM +0200, Pierre-Edouard wrote:
>
> On 26/05/2019 at 17:22, Gilles Chehade wrote:
> > On Sun, May 26, 2019 at 09:53:46AM +0200, Pierre-Edouard wrote:
> > > Hi All,
> > >
> >
> > Hi,
> >
> > >
> > > I am currently running OpenSMTPD on OpenBSD 6.5 GENERIC.MP#0 amd64
> > >
> > > I am trying to "filter" connections coming from hosts that don't have any
> > > rdns defined.
> > > Such hosts appear as in the logs.
> > >
> > > I've tried the following without any results :
> > >
> > >
> > > table bots {"NXDOMAIN", "\" , ".*unknown.*", "^$" }
> > > match from rdns regex for any reject
> > >
> > > but this rule never matches and hosts without rDNS are still able to send
> > > me
> > > mail :(
> > >
> > > Any ideas ?
> > >
> >
> > the 'from rdns' criteria will fail to match if the client doesn't have a
> > reverse dns, so a way to catch them would be:
> >
> > match !from rdns regex '^.*$' [...]
> >
> > i'll have a look at how to extend the criteria so we can do:
> >
> > match !from rdns [...]
> >
> > but this is not the highest thing in my prio list right now :-)
> >
>
> Thanks for your answer !
>
> Unfortunately the workaround above does not work, it does not match with no
> rDNS hosts :-(
>

okie dokie, can you file a feature request on our tracker at github ? i'll take care of it soon

--
Gilles Chehade
@poolpOrg https://www.poolp.org tip me: https://paypal.me/poolpOrg
Re: match unknown rDNS
On Sun, May 26, 2019 at 09:53:46AM +0200, Pierre-Edouard wrote:
> Hi All,
>

Hi,

> I am currently running OpenSMTPD on OpenBSD 6.5 GENERIC.MP#0 amd64
>
> I am trying to "filter" connections coming from hosts that don't have any
> rdns defined.
> Such hosts appear as in the logs.
>
> I've tried the following without any results :
>
>
> table bots {"NXDOMAIN", "\" , ".*unknown.*", "^$" }
> match from rdns regex for any reject
>
> but this rule never matches and hosts without rDNS are still able to send me
> mail :(
>
> Any ideas ?
>

the 'from rdns' criteria will fail to match if the client doesn't have a reverse dns, so a way to catch them would be:

match !from rdns regex '^.*$' [...]

i'll have a look at how to extend the criteria so we can do:

match !from rdns [...]

but this is not the highest thing in my prio list right now :-)

--
Gilles Chehade
@poolpOrg https://www.poolp.org tip me: https://paypal.me/poolpOrg
Re: Too many recipients with even 6-7 emails in CC: field
On Fri, May 24, 2019 at 07:09:38AM +0200, Jean Louis wrote:
> Hello,
>
> I am using OpenSMTPD as packaged in Hyperbola
> GNU/Linux-libre, it says version 6.0.2p1-3.
>
> If I place 6-7 recipients in CC: field, I will get
> other messages delivered by one of them or two, I
> did not yet determine exact number is coming back
> with the local (OpenSMTPD) mailer daemon issue
> "too many recipients".
>
> I have tried to setup max-rcpt, but it does not
> help.
>
> Does anybody know how to solve this?
>

ams-1$ nc localhost 25
220 poolp.org ESMTP OpenSMTPD
EHLO localhost
250-poolp.org Hello localhost [127.0.0.1], pleased to meet you
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-SIZE 36700160
250-DSN
250 HELP
MAIL FROM:
250 2.0.0: Ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
^C

I think your issue isn't with OpenSMTPD but more likely with your client :-|

--
Gilles Chehade
@poolpOrg https://www.poolp.org tip me: https://paypal.me/poolpOrg
Re: LMTP dovecot doesn't accept bounces
On Sun, May 19, 2019 at 04:52:39PM +0200, David Flatz wrote:
> Gilles Chehade (2019-05-19 14:31+0200):
> > On Sun, May 19, 2019 at 12:16:40PM +0200, David Flatz wrote:
> > > Gilles Chehade (2019-05-19 10:39+0200):
> > > > On Sun, May 19, 2019 at 10:24:07AM +0200, Gilles Chehade wrote:
> > > > > On Sat, May 18, 2019 at 02:55:05PM +0200, David Flatz wrote:
> > > > > > Delivery to dovecot works pretty good for normal mails locally with
> > > > > > sendmail
> > > > > > and from remote. However, when opensmtpd generates a bounce
> > > > > > dovecot won't
> > > > > > accept it and returns following error message "501 5.5.4 Invalid
> > > > > > FROM:
> > > > > > Missing domain".
> > > > > >
> > > > > > [...]
> > > > > >
> > > > > > It seems like opensmtpd uses an envelope from for the bounces that
> > > > > > dovecot
> > > > > > doesn't like. Is there a way to make opensmtpd to either use an
> > > > > > empty
> > > > > > envelope from (since those seem fine to dovecot) or add a domain?
> > > > > >
> > > > > > Thanks again and have a great weekend!
> > > > > >
> > > > >
> > > > > Yup, the fix will be committed to -current today
> > > > >
> > > >
> > > > can you test the following diff and tell me if it makes things better ?
> > > >
> > > > it essentially reverts a commit from months ago which we thought was the
> > > > proper way to deal with this, but was actually made necessary because of
> > > > another issue in mda_variables.c
> > > >
> > > > I think this diff should properly fix your issue.
> > > >
> > > > [...]
> > >
> > > Thanks for the diff. I get this error with a similar diff (I'm using
> > > portable 6.4.1p2):
> > >
> > > smtpd[6600]: mda delivery evpid=4bbf012508df6894 from=<>
> > > to= rcpt= user=username delay=0s
> > > result=PermFail stat=Error ("smtpd: No such file or directorymda command
> > > line could not be expanded")
> > >
> > > [...]
> >
> > care to try building from the github repo ?
> >
> > my diff assumes a previous fix to mda_variables.c:
> >
> > https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/mda_variables.c.diff?r1=1.4&r2=1.5&f=h
> >
> > """
> > in mda variables expansions, do not consider empty strings as errors since
> > an empty %{sender} is really a mailer-daemon and not an error
> >
> > reported and initial diff by Lauri Tirkkonen
> > commit is a revised version of the diff based on a discussion with eric@
> > """
> >
> > It was committed five months ago, after 6.4.1p2 which is why you get the
> > error with my new diff.
>
> Most recent portable from github segfaulted for me so I backported that fix
> to 6.4.1p2.
>
> With the following diff bounces get accepted by dovecot.
>

yeah this looks fine however it would be nice to understand why portable from github segfaults so do you have a stack ?

--
Gilles Chehade
@poolpOrg https://www.poolp.org tip me: https://paypal.me/poolpOrg
Re: LMTP dovecot doesn't accept bounces
On Sun, May 19, 2019 at 12:16:40PM +0200, David Flatz wrote: > Gilles Chehade (2019-05-19 10:39+0200): > > On Sun, May 19, 2019 at 10:24:07AM +0200, Gilles Chehade wrote: > > > On Sat, May 18, 2019 at 02:55:05PM +0200, David Flatz wrote: > > > > Delivery to dovecot works pretty good for normal mails locally with > > > > sendmail > > > > and from remote. However, when opensmtpd generates a bounce dovecot > > > > won't > > > > accept it and returns following error message "501 5.5.4 Invalid FROM: > > > > Missing domain". > > > > > > > > [...] > > > > > > > > It seems like opensmtpd uses an envelope from for the bounces that > > > > dovecot > > > > doesn't like. Is there a way to make opensmtpd to either use an empty > > > > envelope from (since those seem fine to dovecot) or add a domain? > > > > > > > > Thanks again and have a great weekend! > > > > > > > > > > Yup, the fix will be committed to -current today > > > > > > > can you test the following diff and tell me if it makes things better ? > > > > it essentially reverts a commit from months ago which we thought was the > > proper way to deal with this, but was actually made necessary because of > > another issue in mda_variables.c > > > > I think this diff should properly fix your issue. > > > > [...] > > Thanks for the diff. I get this error with a similar diff (I'm using > portable 6.4.1p2): > > smtpd[6600]: mda delivery evpid=4bbf012508df6894 from=<> > to= rcpt= user=username delay=0s > result=PermFail stat=Error ("smtpd: No such file or directorymda command line > could not be expanded") > > --- smtpd/parse.y 2018-12-17 13:58:15.0 +0100 > +++ smtpd/parse.y 2019-05-19 10:58:38.678223391 +0200 
> @@ -617,11 +617,11 @@ > } dispatcher_local_options > | LMTP STRING { > asprintf(&dispatcher->u.local.command, > - PATH_LIBEXEC"/mail.lmtp -f %%{mbox.from} -d %s %%{user.username}", > $2); > + PATH_LIBEXEC"/mail.lmtp -f \"%%{sender}\" -d %s %%{user.username}", > $2); > } dispatcher_local_options > | LMTP STRING RCPT_TO { > asprintf(&dispatcher->u.local.command, > - PATH_LIBEXEC"/mail.lmtp -f %%{mbox.from} -d %s %%{dest}", $2); > + PATH_LIBEXEC"/mail.lmtp -f \"%%{sender}\" -d %s %%{dest}", $2); > } dispatcher_local_options > | MDA STRING { > asprintf(&dispatcher->u.local.command, > care to try building from the github repo ? my diff assumes a previous fix to mda_variables.c: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/mda_variables.c.diff?r1=1.4&r2=1.5&f=h """ in mda variables expansions, do not consider empty strings as errors since an empty %{sender} is really a mailer-daemon and not an error reported and initial diff by Lauri Tirkkonen commit is a revised version of the diff based on a discussion with eric@ """ It was committed five months ago, after 6.4.1p2 which is why you get the error with my new diff. -- Gilles Chehade @poolpOrg https://www.poolp.org tip me: https://paypal.me/poolpOrg -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
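Review bot: the `-f \"%%{sender}\"` replacement in both LMTP branches of this backport depends on the mda_variables.c change cited in the reply (empty expansions no longer treated as errors); applied to 6.4.1p2 without that change it produces exactly the `mda command line could not be expanded` PermFail quoted in the log line above, so the backport should be committed together with that change or state the dependency in its commit message. The quoting itself is the right move, since a bounce now reaches mail.lmtp as `-f ""`, the null reverse path, instead of a bare local name that Dovecot rejects with `Missing domain`; what the hunk does not show is whether the expansion of `%{sender}` escapes double quotes and other characters with meaning to the shell that interprets this command string, and that is worth confirming before relying on the quotes for anything other than the empty case.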
Re: LMTP dovecot doesn't accept bounces
On Sun, May 19, 2019 at 10:24:07AM +0200, Gilles Chehade wrote: > On Sat, May 18, 2019 at 02:55:05PM +0200, David Flatz wrote: > > Hello everybody > > > > Hello, > > > > Delivery to dovecot works pretty good for normal mails locally with sendmail > > and from remote. However, when opensmtpd generates a bounce dovecot won't > > accept it and returns following error message "501 5.5.4 Invalid FROM: > > Missing domain". > > > > [...] > > > > It seems like opensmtpd uses an envelope from for the bounces that dovecot > > doesn't like. Is there a way to make opensmtpd to either use an empty > > envelope from (since those seem fine to dovecot) or add a domain? > > > > Thanks again and have a great weekend! > > > > Yup, the fix will be committed to -current today > can you test the following diff and tell me if it makes things better ? it essentially reverts a commit from months ago which we thought was the proper way to deal with this, but was actually made necessary because of another issue in mda_variables.c I think this diff should properly fix your issue. Index: parse.y === RCS file: /cvs/src/usr.sbin/smtpd/parse.y,v retrieving revision 1.251 diff -u -p -r1.251 parse.y --- parse.y 13 Feb 2019 22:57:08 - 1.251 +++ parse.y 19 May 2019 08:35:09 - 
@@ -664,11 +664,11 @@ MBOX { } dispatcher_local_options | LMTP STRING { asprintf(&dispatcher->u.local.command, - "/usr/libexec/mail.lmtp -f %%{mbox.from} -d %s %%{user.username}", $2); + "/usr/libexec/mail.lmtp -f \"%%{sender}\" -d %s %%{user.username}", $2); } dispatcher_local_options | LMTP STRING RCPT_TO { asprintf(&dispatcher->u.local.command, - "/usr/libexec/mail.lmtp -f %%{mbox.from} -d %s %%{dest}", $2); + "/usr/libexec/mail.lmtp -f \"%%{sender}\" -d %s %%{dest}", $2); } dispatcher_local_options | MDA STRING { asprintf(&dispatcher->u.local.command, -- Gilles Chehade @poolpOrg https://www.poolp.org tip me: https://paypal.me/poolpOrg -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
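Review bot: the `MDA STRING` branch visible as trailing context keeps whatever the administrator wrote in smtpd.conf, so a user-supplied mda command that passes `%{sender}` unquoted will hit the same empty-argument shift this hunk fixes for the built-in LMTP case; smtpd.conf(5) should therefore state that `%{sender}` expands to an empty string for bounces and must be quoted in mda command lines, and the commit message should name the reverted `%{mbox.from}` expansion as the cause of the `501 5.5.4 Invalid FROM: Missing domain` rejection so the history stays searchable. Minor: the `"/usr/libexec/mail.lmtp -f \"%%{sender}\" -d %s` prefix is now duplicated in the two asprintf calls and could be a single shared literal.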
Re: LMTP dovecot doesn't accept bounces
On Sat, May 18, 2019 at 02:55:05PM +0200, David Flatz wrote:
> Hello everybody
>

Hello,

> Delivery to dovecot works pretty good for normal mails locally with sendmail
> and from remote. However, when opensmtpd generates a bounce dovecot won't
> accept it and returns following error message "501 5.5.4 Invalid FROM:
> Missing domain".
>
> [...]
>
> It seems like opensmtpd uses an envelope from for the bounces that dovecot
> doesn't like. Is there a way to make opensmtpd to either use an empty
> envelope from (since those seem fine to dovecot) or add a domain?
>
> Thanks again and have a great weekend!
>

Yup, the fix will be committed to -current today

--
Gilles Chehade
@poolpOrg https://www.poolp.org tip me: https://paypal.me/poolpOrg
Re: openssl support
On Fri, May 17, 2019 at 02:13:46PM +0200, Harald Dunkel wrote:
> Hi Gilles,
>

Hi,

> I understand that ssl support is a highly complex issue, making it
> necessary to focus and to get rid of the cruft.
>
> It would be a pity if opensmtpd becomes "OpenBSD-only", though.
>

I agree and being the one in charge of portable OpenSMTPD these days you can trust me that I'm highly annoyed by this situation because I wish we were available to everyone.

I should clarify something:

I didn't wake up in a mood to kill OpenSSL support in OpenSMTPD. I built OpenSMTPD on a range of machines and realized that, again, I had made no change to the TLS layer but build was broken on half the machines. I did not remove the support, it removed itself when a new version came and it broke existing code. After spending two days trying to unbreak things, I decided to put a stop to this madness and remove all of OpenSSL-specific kludge, ifdefs and autoconf pieces.

If OpenSSL can be made to work so we don't have to keep adding conditional tests here and there, I'll be more than happy, in the meanwhile I'm not taking the extra load of work.

LibreSSL can be built on machines with OpenSSL and coexist, I've done it on several systems (FreeBSD and various Linux distros) so my take now is that there's no reason not to package it as an alternative and OpenSMTPD can depend on it. There's no good reason not to support both...

To finish, I had someone tell me in private that he did not want to rely on LibreSSL because he didn't trust it... some of the commits to our TLS layer were actually done or suggested by the LibreSSL folks. We have the same code standards, to trust us but not LibreSSL is really absurd :-)

--
Gilles Chehade
@poolpOrg https://www.poolp.org tip me: https://paypal.me/poolpOrg
Re: openssl support
On Fri, May 17, 2019 at 10:00:42AM +0200, Harald Dunkel wrote:
> Hi folks,
>

Hi,

> I wonder what became of
>
> https://github.com/OpenSMTPD/OpenSMTPD/issues/534
>
> ? IMHO this issue was closed way too early. Are all OS distros
> happy with opensmtpd going libressl-only? Will the rest follow?
>
>

Ticket was created in 2015, we're in 2019, it was not closed too early.

To put it bluntly, there's no way I can make all distros happy, and in the meantime I get to do the additional work of trying to satisfy all of the different openssl builds, some distros using very old versions that lack features we are forced to ifdef (ie: SNI, AES-GCM, ...), some others are even using different configure flags which end up creating very slightly different libraries carrying the same version, ...

I'm no longer interested in having to cope with that, having ifdefs that make the code less readable and create versions of smtpd that I will not be able to properly test because _my_ version never enters an ifdef.

My target is now LibreSSL with all of the features we need, and there is no specific code to accommodate OpenSSL. If we can _also_ support OpenSSL by writing code which works for both, I'll happily adapt code so that it makes both happy but I will not support OpenSSL-specific bits anymore.

I will also make it clear that we only support the LATEST LibreSSL, that means that I will not accommodate all versions of LibreSSL either.

If you have diffs that allow OpenSMTPD to build with latest LibreSSL and latest stock OpenSSL (no weird enable/disable configure flags) and which only achieve so through use of common APIs, I'll accept them happily.

--
Gilles Chehade
@poolpOrg https://www.poolp.org tip me: https://paypal.me/poolpOrg
Re: opensmtpd 6.0.3: redirect outgoing EMails to an internal account
May 10, 2019 10:55 AM, "Harald Dunkel" wrote:
> Hi folks,
>
> for testing purposes I have to setup opensmtpd 6.0.3 to
> redirect all outgoing EMails from a list of stage systems to a
> dedicated internal account. smtpd.conf is attached.
>
> Problem is, there is an invalid recipient error for sending
> an EMail from such a stage system:
>
> [...]
>
> If I replace the "deliver to mda ..." by a usual relay statement,
> then the EMail is relayed, so I have to assume that the "deliver
> to mda" somehow affects filtering EMails.
>

without your configuration it's hard to determine what's wrong

--
Gilles Chehade
https://www.poolp.org @poolpOrg
Re: Filters guidance request
Yes to clarify further, I bought myself another release cycle ;-)

The filter code in 6.5 is voluntarily undocumented as both grammar and protocol didn't have enough time to "rest" for us to spot things which would appear better after a few months of being in use. Now that the stable release is out I will start documenting and making some of the changes I wanted so that it's "stable" in 6.6.

If you're a developer, you can use filters in 6.5, you just need to be advanced enough to read code.

On Sat, Apr 27, 2019 at 01:03:57AM +0200, Martijn van Duren wrote:
> See https://poolp.org/, there are some things available, but as far as
> I'm aware everything is still experimental.
>
> martijn@
>
> On 4/26/19 9:45 PM, Aham Brahmasmi wrote:
> > Namaste misc,
> >
> > I was wondering whether the absence of filters on the 6.5 [1] and
> > current smtpd.conf(5) [2] manpages along with the modest OpenSMTPD 6.5.0
> > release notes [3] should be read into.
> >
> > In other words, are filters ready for general use?
> >
> > Dhanyavaad.
> >
> > Regards,
> > ab
> > [1] - https://man.openbsd.org/OpenBSD-6.5/smtpd.conf
> > [2] - https://man.openbsd.org/smtpd.conf
> > [3] - https://www.openbsd.org/65.html
> > -|-|-|-|-|-|-|--
> >
>

--
Gilles Chehade
@poolpOrg https://www.poolp.org tip me: https://paypal.me/poolpOrg
Re: How to setup a "clean MTA" in 2019?
On Tue, Apr 02, 2019 at 01:02:20PM +0200, Joel Carnat wrote: > Hi, > Hi, > Reading the Internet and looking at actual public DNS records and email > headers, there seem to be disagreements regarding the usage of things > like DMARC/DKIM/SPF. Some discussions are sometimes old (like 2014) and > have not been rediscussed recently. > > So far, I identified the followings: > - MUST: have a proper Reverse DNS > - MUST: have a proper HELO/EHLO value (matching DNS) > - MAY: have SPF configured to announce official MTA > - MAY: have DKIM configured to sign outgoing emails > - MAY: have DMARC set with p=none // many MTA won't check > - DONT: have DMARC set with p=(quarantine|reject) // may break things > > What would be the recommandations from the OpenSMTPD project as of 2019 > when one want to setup an MTA? Are those MUST/MAY/DONT correct? Are > there more things to add to this checklist? > > Thank you. > No wonder there is no consensus: there's no "right" list, it depends for the most part on the reputation of the sender (reputation being trickier than just "IP reputation" as most people think) so different people will have different experience of what works and what doesn't. I will write an in-depth article describing my way of modeling this, but in the mean time I'll tell you the following: Today, SMTP exchanges rely on a proof of work. Some recipient domains require a lot of work from senders, others won't, and with that in mind your list of things to setup may differ on who you are sending from, who you are sending to, the volumes of mails you send, the type of mails you send, etc... My very own minimal would be: - have a dedicated IP address for mail with correct rDNS and fc-rDNS - setup the mta to support TLS (if needed, not the case on OpenSMTPD) - setup the mta to use a EHLO name matching DNS for the IP - setup SPF - setup DKIM That would be my very very very very minimum requirements. 
--
Gilles Chehade
Re: Filter email where sender and rcpt-to are the same
On Wed, Feb 20, 2019 at 04:57:08PM +0100, Mischa wrote:
>
>
> > On 6 Feb 2019, at 17:24, Mischa wrote:
> >
> >> On 6 Feb 2019, at 15:38, Gilles Chehade wrote:
> >>
> >> On Wed, Feb 06, 2019 at 11:42:19AM +0100, Mischa wrote:
> >>> Hi All,
> >>>
> >>> There has been a new scam going around for some time now where you get an
> >>> email from your own email address to your email address.
> >>> For people that don't know better it scares the s**t out of them as the
> >>> email is like:
> >>>
> >>> Hey I hacked your account as you can see since I am sending this email
> >>> from your own account.
> >>> etc..
> >>>
> >>> Is there a quick way to filter email where the sender and rcpt-to are the
> >>> same?
> >>> Has anybody created a filter already to easily do this?
> >>>
> >>> Thanx!
> >>>
> >>
> >> I used to have a rule to reject any mail from my domain but which were
> >> not originating from trusted machines nor authenticated users.
> >>
> >> not tested here but something along the lines of:
> >>
> >> match !from local mail-from "@opensmtpd.org" reject
> >> match !auth from any mail-from "@opensmtpd.org" reject
> >>
> >> there are other ways too
> >
> > Let me see if some modified version of those rules work, the difference is
> > that the MX is for incoming email only, outbound is taking a different
> > route.
> >
> > Thanx Gilles!
>
> I have been trying to do things like:
>
> match from any rcpt-to "openbsd @ high5.nl" mail-from "openbsd @ high5.nl"
> reject
> (without the spaces of course)
>
> But it's not working. :/
> Are there again parts of the rule I am missing?
>

yes, you lack the "for" part, making your rules assume "for local", this
should be better:

match from any mail-from "open...@high5.nl" \
    for any rcpt-to "open...@high5.nl" \
    reject

the criteria are really separate one from another, each performing their
own match so you really need the rule to describe every criterion, it will
not infer "for" based on "rcpt-to"

--
Gilles Chehade
Re: Filter email where sender and rcpt-to are the same
On Wed, Feb 06, 2019 at 11:42:19AM +0100, Mischa wrote:
> Hi All,
>
> There has been a new scam going around for some time now where you get an
> email from your own email address to your email address.
> For people that don't know better it scares the s**t out of them as the
> email is like:
>
> Hey I hacked your account as you can see since I am sending this email from
> your own account.
> etc..
>
> Is there a quick way to filter email where the sender and rcpt-to are the
> same?
> Has anybody created a filter already to easily do this?
>
> Thanx!
>

I used to have a rule to reject any mail from my domain but which were
not originating from trusted machines nor authenticated users.

not tested here but something along the lines of:

match !from local mail-from "@opensmtpd.org" reject
match !auth from any mail-from "@opensmtpd.org" reject

there are other ways too

--
Gilles Chehade
Re: Upgrade from OpenBSD 6.2-stable to 6.4-stable, new syntax .. mlmmj anyone?
On Tue, Feb 05, 2019 at 05:35:56PM +0100, Tor Houghton wrote:
> On Tue, Feb 05, 2019 at 04:40:20PM +0100, Gilles Chehade wrote:
> >
> > You should really avoid using mlmmj from the config or aliases file.
> >
> > You can easily plug mlmmj from .forward files which is much safer.
> >
>
> I see.
>
> I shall put aside some time and do this.
>
> Thanks again,
>
> Tor
>

$ doas grep misc /etc/mail/aliases-opensmtpd.org
misc: lists
$ doas grep lists /etc/passwd
lists:*:1034:1034::/home/lists:/bin/sh
$ cat ~lists/.forward
|/usr/local/bin/mlmmj-recieve -L /var/spool/mlmmj/%{rcpt.domain:lowercase}/%{rcpt.user:lowercase|strip}/
$

--
Gilles Chehade
Re: Upgrade from OpenBSD 6.2-stable to 6.4-stable, new syntax .. mlmmj anyone?
On Tue, Feb 05, 2019 at 04:26:11PM +0100, Tor Houghton wrote:
> >
> > Try:
> >
> > action "mlmmj" mda "/usr/local/bin/mlmmj-recieve -L
> > /var/spool/mlmmj/%{rcpt.user:lowercase|strip}/" virtual
> >
> > match from any for domain action "mlmmj"
> >
> >
>

You should really avoid using mlmmj from the config or aliases file.

You can easily plug mlmmj from .forward files which is much safer.

--
Gilles Chehade
Re: match rule seems to be failing in -current
On Tue, Jan 29, 2019 at 04:23:23PM +0100, Mischa wrote:
>
> On 29 Jan 2019, at 16:20, Gilles Chehade wrote:
> >
> > On Tue, Jan 29, 2019 at 01:10:47PM +0100, Mischa wrote:
> >> Hi Gilles,
> >>
> >>> well, providing the full session log from connect to disconnect without
> >>> altering it would be a good start to troubleshoot.
> >>
> >> Yeah... not really going to happen on public mailinglist. :/
> >> It has the email address of one of my customers and there isn't anything I
> >> want to do with the rcpt-to.
> >>
> >> The IP address is part of src (www-relays), which I checked and double
> >> checked. :)
> >>
> >> The only thing I can think of is that the mail-from is not matched in
> >> www-senders file.
> >> Just saw I missed one IP, but that is ok, so you get the drift.
> >>
> >>> I think you are missing a "for any" on some rules which causes them to
> >>> not be matched.
> >>
> >> I would like this email to match the following rule:
> >>
> >> match from src mail-from action "relay"
> >> action "relay" relay
> >>
> >
> > for starters, you lack a 'for any' in that rule, so it will only match
> > for recipients that are on a local domain (ie: `hostname` & localhost)
>
> That makes perfect sense!
> It's working as expected now. Thanx Gilles!
>

np

--
Gilles Chehade
Re: match rule seems to be failing in -current
On Tue, Jan 29, 2019 at 01:10:47PM +0100, Mischa wrote:
> Hi Gilles,
>
> > well, providing the full session log from connect to disconnect without
> > altering it would be a good start to troubleshoot.
>
> Yeah... not really going to happen on public mailinglist. :/
> It has the email address of one of my customers and there isn't anything I
> want to do with the rcpt-to.
>
> The IP address is part of src (www-relays), which I checked and double
> checked. :)
>
> The only thing I can think of is that the mail-from is not matched in
> www-senders file.
> Just saw I missed one IP, but that is ok, so you get the drift.
>
> > I think you are missing a "for any" on some rules which causes them to
> > not be matched.
>
> I would like this email to match the following rule:
>
> match from src mail-from action "relay"
> action "relay" relay
>

for starters, you lack a 'for any' in that rule, so it will only match
for recipients that are on a local domain (ie: `hostname` & localhost)

--
Gilles Chehade
Re: match rule seems to be failing in -current
On Tue, Jan 29, 2019 at 12:41:17PM +0100, Mischa wrote:
>
>
> > On 29 Jan 2019, at 12:30, Gilles Chehade wrote:
> >
> > On Fri, Jan 25, 2019 at 02:08:41PM +0100, Mischa wrote:
> >> Hi All,
> >>
> >
> > Hi,
> >
> >
> >> ### smtpd.conf
> >> pki mx1.domain1.nl cert "/etc/ssl/mx1.domain1.nl.fullchain.pem"
> >> pki mx1.domain1.nl key "/etc/ssl/private/mx1.domain1.nl.key"
> >>
> >> table names file:/etc/mail/hostnames
> >> table aliases file:/etc/mail/aliases
> >> table www-relays file:/etc/mail/www-relays
> >> table www-senders file:/etc/mail/www-senders
> >> table relay-domains file:/etc/mail/relay-domains
> >> table reject-email file:/etc/mail/reject-email
> >>
> >> table domains sqlite:/etc/mail/sqlite.conf
> >> table virtuals sqlite:/etc/mail/sqlite.conf
> >> table credentials sqlite:/etc/mail/sqlite.conf
> >>
> >> filter check-fcrdns builtin connect fcrdns disconnect "550 fc-rDNS"
> >>
> >> listen on mx1.domain1.nl port 25 tls pki mx1.domain1.nl hostnames
> >> filter check-fcrdns
> >>
> >> action "local" mbox alias
> >> action "maildir" maildir "/var/mail/virtual/%{dest:lowercase}/" virtual
> >>
> >> action "relay" relay
> >> action "smartrelay" relay host smtp://mail.domain1.nl
> >>
> >> match from any rcpt-to for any reject
> >> match from src !mail-from for any reject
> >> match from src mail-from action "relay"
> >> match from any for domain action "smartrelay"
> >> match from any for domain action "maildir"
> >> match from local action "smartrelay"
> >> match for any action "relay"
> >> ###
> >>
> >> # cat www-relays
> >> 46.23.xx.yy
> >>
> >> # cat www-senders
> >> w...@www.domain2.nl
> >>
> >> As soon as an email is sent from one of the www-relays with the
> >> sender that is in www-senders I am getting the following error on
> >> the sending mail server (FreeBSD w/ dma):
> >>
> >> Jan 18 15:56:12 www dma[2eb801]: new mail from user=www uid=80
> >> envelope_from=
> >> Jan 18 15:56:12 www dma[2eb801]: mail to= queued as
> >> 2eb801.801a2d0a0
> >> Jan 18 15:56:12 www dma[2eb801.801a2d0a0]: trying delivery
> >> Jan 18 15:56:12 www dma[2eb801.801a2d0a0]: using smarthost
> >> (mx1.domain1.nl:25)
> >> Jan 18 15:56:12 www dma[2eb801.801a2d0a0]: trying remote delivery to
> >> mx1.domain1.nl [46.23.xx.zz] pref 0
> >> Jan 18 15:56:13 www dma[2eb801.801a2d0a0]: remote delivery to
> >> mx1.domain1.nl [46.23.xx.zz] failed after RCPT TO: 550 Invalid recipient
> >> Jan 18 15:56:13 www dma[2eb801.801a2d0a0]: delivery failed, bouncing as
> >> 2eb803
> >>
> >>
> >> OpenSMTPD is saying (grep "00a1b263550db3c7" /var/log/maillog):
> >>
> >> Jan 18 15:56:13 mx1 smtpd[36743]: 00a1b263550db3c7 smtp connected
> >> address=46.23.xx.yy host=46-23-xx-yy.domain1.nl
> >> Jan 18 15:56:13 mx1 smtpd[36743]: 00a1b263550db3c7 smtp failed-command
> >> command="RCPT TO:" result="550 Invalid recipient"
> >> Jan 18 15:56:13 mx1 smtpd[36743]: 00a1b263550db3c7 smtp disconnected
> >> reason=disconnect
> >>
> >> Jan 18 14:10:04 mx1 smtpd[36743]: 00a1b263550db3c7 smtp connected
> >> address=46.23.xx.xx host=www.domain2.nl
> >> Jan 18 14:10:04 mx1 smtpd[36743]: 00a1b263550db3c7 smtp failed-command
> >> command="RCPT TO:" result="550 Invalid recipient"
> >>
> >>
> >> Anybody have an idea?
> >>
> >
> > can you run smtpd with -dv -T rules and provide log of which rule is
> > matched ?
>
> It says no rules are matched. Which makes sense from a failure perspective,
> as it's unable to deliver the email locally.
> But the content in the files hasn't changed since the upgrade to the new
> syntax.
>
> debug: lka: helo names:46.23.88.60
> ed537f31142afcea smtp connected address=46.23.xx.xx host=46-23-xx.xx.high5.nl
> no rule matched
> ed537f31142afcea smtp failed-command command="RCPT TO:"
> result="550 Invalid recipient"
> ed537f31142afcea smtp disconnected reason=disconnect
>
> Is there a way to get the sender information in the debug?
>

well, providing the full session log from connect to disconnect without
altering it would be a good start to troubleshoot.

I think you are missing a "for any" on some rules which causes them to
not be matched.

--
Gilles Chehade
Re: match rule seems to be failing in -current
On Fri, Jan 25, 2019 at 02:08:41PM +0100, Mischa wrote:
> Hi All,
>

Hi,

> ### smtpd.conf
> pki mx1.domain1.nl cert "/etc/ssl/mx1.domain1.nl.fullchain.pem"
> pki mx1.domain1.nl key "/etc/ssl/private/mx1.domain1.nl.key"
>
> table names file:/etc/mail/hostnames
> table aliases file:/etc/mail/aliases
> table www-relays file:/etc/mail/www-relays
> table www-senders file:/etc/mail/www-senders
> table relay-domains file:/etc/mail/relay-domains
> table reject-email file:/etc/mail/reject-email
>
> table domains sqlite:/etc/mail/sqlite.conf
> table virtuals sqlite:/etc/mail/sqlite.conf
> table credentials sqlite:/etc/mail/sqlite.conf
>
> filter check-fcrdns builtin connect fcrdns disconnect "550 fc-rDNS"
>
> listen on mx1.domain1.nl port 25 tls pki mx1.domain1.nl hostnames
> filter check-fcrdns
>
> action "local" mbox alias
> action "maildir" maildir "/var/mail/virtual/%{dest:lowercase}/" virtual
>
> action "relay" relay
> action "smartrelay" relay host smtp://mail.domain1.nl
>
> match from any rcpt-to for any reject
> match from src !mail-from for any reject
> match from src mail-from action "relay"
> match from any for domain action "smartrelay"
> match from any for domain action "maildir"
> match from local action "smartrelay"
> match for any action "relay"
> ###
>
> # cat www-relays
> 46.23.xx.yy
>
> # cat www-senders
> w...@www.domain2.nl
>
> As soon as an email is sent from one of the www-relays with the
> sender that is in www-senders I am getting the following error on
> the sending mail server (FreeBSD w/ dma):
>
> Jan 18 15:56:12 www dma[2eb801]: new mail from user=www uid=80
> envelope_from=
> Jan 18 15:56:12 www dma[2eb801]: mail to= queued as
> 2eb801.801a2d0a0
> Jan 18 15:56:12 www dma[2eb801.801a2d0a0]: trying delivery
> Jan 18 15:56:12 www dma[2eb801.801a2d0a0]: using smarthost (mx1.domain1.nl:25)
> Jan 18 15:56:12 www dma[2eb801.801a2d0a0]: trying remote delivery to
> mx1.domain1.nl [46.23.xx.zz] pref 0
> Jan 18 15:56:13 www dma[2eb801.801a2d0a0]: remote delivery to mx1.domain1.nl
> [46.23.xx.zz] failed after RCPT TO: 550 Invalid recipient
> Jan 18 15:56:13 www dma[2eb801.801a2d0a0]: delivery failed, bouncing as 2eb803
>
>
> OpenSMTPD is saying (grep "00a1b263550db3c7" /var/log/maillog):
>
> Jan 18 15:56:13 mx1 smtpd[36743]: 00a1b263550db3c7 smtp connected
> address=46.23.xx.yy host=46-23-xx-yy.domain1.nl
> Jan 18 15:56:13 mx1 smtpd[36743]: 00a1b263550db3c7 smtp failed-command
> command="RCPT TO:" result="550 Invalid recipient"
> Jan 18 15:56:13 mx1 smtpd[36743]: 00a1b263550db3c7 smtp disconnected
> reason=disconnect
>
> Jan 18 14:10:04 mx1 smtpd[36743]: 00a1b263550db3c7 smtp connected
> address=46.23.xx.xx host=www.domain2.nl
> Jan 18 14:10:04 mx1 smtpd[36743]: 00a1b263550db3c7 smtp failed-command
> command="RCPT TO:" result="550 Invalid recipient"
>
>
> Anybody have an idea?
>

can you run smtpd with -dv -T rules and provide log of which rule is
matched ?

--
Gilles Chehade
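An added smtpd.conf example (not taken from this thread or from the earlier "Filter email where sender and rcpt-to are the same" thread) that writes out both rule shapes discussed in them with an explicit `for` clause, which is the part both original rules lacked. The table names www-relays and www-senders are the ones from this thread; the self-addr table and the address in it are placeholders.

```conf
# Added example, not from the thread: both rule shapes with an explicit
# "for" clause. Table names www-relays / www-senders are the thread's;
# the self-addr table and the address in it are placeholders.

table www-relays  file:/etc/mail/www-relays   # hosts allowed to relay
table www-senders file:/etc/mail/www-senders  # envelope senders they may use
table self-addr   { "user@example.net" }      # placeholder: our own address

action "relay" relay

# Reject mail that claims to be from our own address and is addressed to
# it (the self-addressed "I hacked your account" scam). Each criterion is
# matched on its own: "mail-from" says nothing about the recipient, so the
# recipient side needs its own "for any rcpt-to". Without "for", smtpd
# assumes "for local" and the rule silently narrows.
match from any mail-from <self-addr> for any rcpt-to <self-addr> reject

# The relay rule from this thread, now with "for any". Without it the rule
# only matched recipients in local domains, so a message from a www-relay
# to a remote recipient produced "no rule matched" and "550 Invalid
# recipient" in the -dv -T rules output.
match from src <www-relays> mail-from <www-senders> for any action "relay"
```

Rule order still matters: smtpd uses the first matching rule, so the reject rule must come before any rule that would otherwise accept the message.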
Re: "Pipelining not supported" when connecting to port smtp or submission through OpenSSL command line utility
On Sat, Jan 19, 2019 at 02:03:33PM -0600, ed...@pettijohn-web.com wrote:
> On Sat, Jan 19, 2019 at 08:12:29PM +0100, Johannes Krottmayer wrote:
> > Hello,
> >
> > I have a question or a problem of understanding.
> >
> > When I try to connect through the command line utility openssl to
> > port smtp or submission I get this output:
> >
> > $ openssl s_client -connect odin42:25
>
> openssl s_client -connect host:port -starttls smtp
>
> I did the same thing and forgot the starttls bit. The whole pipelining
> thing doesn't really help to figure it out though.
>

yes :-/

the problem is that the SMTP engine expects an SMTP session, and instead
it receives a blob which violates the protocol and likely contains a new
line that triggers pipeline violation mechanism.

maybe we can do better, will talk with others.

--
Gilles Chehade
Re: smtpd - help needed tranlsating to new virtual map syntax [FIXED]
On Tue, Jan 22, 2019 at 01:11:44AM +0100, Eric Elena wrote:
> On Mon, 21 Jan 2019 11:08:02 +0100 Gilles Chehade wrote:
> > I may sound a bit harsh, but starting a thread with "this is my last try
> > or I'll switch" (as if it actually matters) right before telling someone
> > who wants to help you that you actually tried _nothing_ then blaming the
> > code improvements for a use-case that could have never worked because it
> > not only uses the wrong _documented_ mechanism but also because the code
> > to make your use-case work has never existed, kinds of irritates me.
> >
> > I don't get royalties on smtpd install, please install whatever software
> > fits your use case, this is how proper engineering works.
>
> First of all thank you Gilles (and all the others who contributed to
> this project) for your amazing work on OpenSMTPD!
>
> That said, there is a kind of sender rewriting mechanism in OpenSMTP.
> Well, it works for me (tm) I'm not saying it's perfect, it might be an
> overkill but at least it does what I want it to do. The conf is
> included below (only the part for rewriting the sender
> address):
>
> [...]
>
> When a mail is received (listen on all):
> - check if it is rejected
> - if not, if the email is for toto@my.domain, forward it to the very
> same OpenSMTP daemon on port 10030 using the authenticated user foo and
> using masq@my.domain as the MAIL-FROM in the SMTP session (envelope)
> - when an email is received on port 10030, tag it with the label MASQ.
> The authenticated user is allowed to send an email as the user
> masq@my.domain. The keyword masquerade modifies the From header (the
> message itself) to match the address given in the SMTP session
> - at that point, the sender address is rewritten both in the SMTP
> session and the headers
> - if the email is for toto@my.domain and is tagged with the label MASQ,
> the virtual user address is expanded to the real email address
> - continue like a normal message
>
> There is probably room for improvement but I hope this helps.
>

indeed, a bit overkill and now that we have removed the blockers we must
come up with a simpler way to achieve that... but what you did, that's
smart :-)

--
Gilles Chehade
Re: smtpd - help needed tranlsating to new virtual map syntax [FIXED]
On Mon, Jan 21, 2019 at 01:04:16PM -0600, Adam Thompson wrote:
>
> > Also, this is a recipient translation mechanism, similar to aliases, and
> > not a sender rewriting mechanism which we do not have at this point.
> > [...]
> > virtual _now_ only works on recipients, not senders ?
> > the virtual code hasn't changed, it works the way it always did.
> >
> > there is no way it could ever do what you're describing or attempting to
> > do given that it doesn't operate at all anywhere near the message. there
> > is no way it has ever parsed:
>
> This is all very surprising to hear. The existing system works (somehow).
> So I am apparently misunderstanding what is happening, because with the
> configuration as shown, telling the various broken email senders to use that
> box as their mailhost _somehow_ fixes the bogus From: headers and envelopes.
>

the entire virtual expansion happens between the client sending RCPT TO,
and the server responding Ok to that RCPT TO.

virtual does not know of a sender, never, and it is done before the
message is actually received so it doesn't know headers, which is why i'm
100% confident there isn't one chance it could ever do what you describe.

> Oh, this just occurred to me as I'm writing: I really hope I didn't switch
> to a different MTA on that system years ago, and then just forgot to check
> which MTA was actually running. If that's the case, I'm not going to bother
> posting an update, because I'll be busy banging my head on the wall and then
> hiding in shame.
>

that is a more likely possibility.

> > > I'm not convinced the new smtpd.conf grammar improves anything at
> > > all, but I assume it must help someone or it wouldn't have
> > > changed... but I believe my use case got thrown out with the
> > > bathwater, so to speak. Oh, well. :-(
> > This is bullshit.
> > The grammar doesn't reduce the functional scope, it can only expand it.
>
> I'm taking your word for it - you will know far better than I do!
>
> > What you are describing has never existed in smtpd, there's never been
> > code to translate sender addresses and there's a good reason for that:
>
> Good reasons aside, I still need to accommodate other vendor's broken mail
> implementations, because I can't fix them. I know of multiple reasons
> source rewriting is a bad idea, in general, but I get paid to make stuff
> work, not just say that it's broken.
>

oh, don't get me wrong, i'm not saying there's a good reason not to have
this rewriting, what i was saying is that there was a good reason why it
was not doable before the grammar change.

it is a useful feature which is part of my todo and which i will work on
as time allows.

> > it not considered doable before the grammar change...
> > But sure, blame it on the grammar.
>
> I believed that the grammar change had rendered my use case impossible
> because was now limited to local delivery methods. Clearly I was
> wrong... and not even in the way I thought I might be wrong.
>

yes, that's true.

using 'virtual' on relay rules didn't transform anything whatsoever, the
code had an explicit check to not enter the transformation lookups if we
were in a relay rule.

the new grammar just made it clear that what you were trying to do could
not work rather than accepting the criteria and disregarding it.

> > I may sound a bit harsh, but starting a thread with "this is my last try
> > or I'll switch" (as if it actually matters)
>
> My apologies - that was meant to sound more like "I have a plan B so if this
> isn't possible, that's OK but I've wasted so much time on this I'm kinda
> running out of time, please tell me if I should just stop now and switch".
> I know *exactly* how much OpenBSD devs care if I use their code or not! I
> do not want to be "that asshole", although it seems I've succeeded again -
> sorry.
>
> Thank you for taking the time to reply. Now I'm going to go check that mail
> server a 7,000,000th time, this time to see what MTA is actually *running*,
> not just *configured*. I'm not sure whether I want it to be such a blatant
> mistake on my part or not... if yes, this all makes sense but I'm an idiot,
> whereas if no, then WTF, how is it working at all?
>
> FWIW: I am much happier with OpenSMTPd than with other MTAs because of its
> forward-declarative configuration syntax. Thank you for your work on
> bringing a modern, lean, secure(-er) MTA into existence.
>

np ;-)

--
Gilles Chehade
Re: disclaimer
On Fri, Jan 18, 2019 at 02:56:10PM +0300, Tevfik Ceydeliler wrote:
> Hi
>
> Is there any way to add disclaimer into mail by using smtpd?
>

Not yet possible easily, no

Will be doable with the next release

--
Gilles Chehade
Re: smtpd - help needed tranlsating to new virtual map syntax [FIXED]
sorry, I obviously f-up my last mail, this one is fixed ;-)

On Sun, Jan 20, 2019 at 04:14:05PM -0600, Adam Thompson wrote:
> As it turns out, no, that doesn't work.
> Trying to fix up broken sender mail domain-parts only simply gets me a "5.2.4
> Mailing list expansion problem" error, with no debug output to suggest why.
>
> In this test case, my translations map had:
>
> @bad.athompso.net @good.athompso.net
>

What is a translation map ?

There is no such thing in OpenSMTPD (as of today).

> in it. Obviously, this is a test setup :).
> Smtpd.conf itself consisted of:
>
> listen on all received-auth
> smtp max-message-size 100M
> table translations file:/etc/mail/translations # ORIG->NEW
> mappings
> table allowed-hosts file:/etc/mail/allowed-hosts # Who can
> connect? (bare IP addresses or CIDR subnets)
> action translate lmtp "/var/run/lmtp.sock" virtual
> # 1st pass on allowed rewrite mail
> action forward forward-only
> # and now it's not our problem anymore
> match for any from local action forward # 2nd pass for
> reinjected mail, this time just forward it
> match for any from src action translate # inbound mail
> - hand it to LMTP, translating as we go
>

from table(5):

     Aliasing tables
         Aliasing tables are mappings that associate a recipient to one or
         many destinations. They can be used in two contexts: primary domain
         aliases and virtual domain mapping.

         [...]

         In a virtual domain context, the key is either a user part, a full
         email address or a catch all, following selection rules described in
         smtpd.conf(5), and the value is one or many recipients as described
         in aliases(5):

               user1              otheruser
               us...@example.org  otheruser1,otheruser2
               @example.org       otheru...@example.com
               @                  catch...@example.com

You're feeding the virtual table with invalid values.

Also, this is a recipient translation mechanism, similar to aliases, and
not a sender rewriting mechanism which we do not have at this point.

> A cursory glance at the source code (yikes, it's been a long time since I was
> a programmer) suggests that virtual now only works on recipients, not
> senders. Which is too bad for me, as that means I'll have to switch at least
> one box to use Postfix.
>

virtual _now_ only works on recipients, not senders ?

the virtual code hasn't changed, it works the way it always did.

there is no way it could ever do what you're describing or attempting to
do given that it doesn't operate at all anywhere near the message. there
is no way it has ever parsed:

    @bad.athompso.net @good.athompso.net

and the only thing that changed is that such errors are now visible from
the session as:

    5.2.4 Mailing list expansion problem

instead of an invalid recipient error like it probably did in 6.3

> I'm not convinced the new smtpd.conf grammar improves anything at all, but I
> assume it must help someone or it wouldn't have changed... but I believe my
> use case got thrown out with the bathwater, so to speak. Oh, well. :-(
>

This is bullshit.

The grammar doesn't reduce the functional scope, it can only expand it.

What you are describing has never existed in smtpd, there's never been
code to translate sender addresses and there's a good reason for that:
it not considered doable before the grammar change...

But sure, blame it on the grammar.

> (If anyone cares, the bad sender addresses are mostly alerts coming from
> older Sun ALOMs and at least one Lexmark printer that also sends email with
> broken From addresses.)
>

I may sound a bit harsh, but starting a thread with "this is my last try
or I'll switch" (as if it actually matters) right before telling someone
who wants to help you that you actually tried _nothing_ then blaming the
code improvements for a use-case that could have never worked because it
not only uses the wrong _documented_ mechanism but also because the code
to make your use-case work has never existed, kinds of irritates me.

I don't get royalties on smtpd install, please install whatever software
fits your use case, this is how proper engineering works.

--
Gilles Chehade