smtpd: listen on (eth0)

2017-04-20 Thread Harald Dunkel
Hi folks,

I am running opensmtpd on Linux (next to OpenBSD, of course). Problem:
Apparently smtpd doesn't recognize a new IPv6 address assigned to the
network interface (e.g. due to a prefix change). It keeps on listening
on the old IPv6 address only.

Do you think this could be improved?


Thanx in advance
Harri

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Re: smtpd: listen on (eth0)

2017-04-22 Thread Harald Dunkel

On 04/21/17 05:56, Harald Dunkel wrote:
> Hi folks,
> 
> I am running opensmtpd on Linux (next to OpenBSD, of course). Problem: 
> Apparently smtpd doesn't recognize a new IPv6 address assigned to the network 
> interface (e.g. due to a prefix change). It keeps on listening on the old 
> IPv6 address only.
> 

PS: Of course the old address is tagged "deprecated".


Regards
Harri





Re: "limit mta inet4" is ignored, smtpd fails to start

2018-03-18 Thread Harald Dunkel
On 03/18/18 13:54, Richard wrote:
> 
> It appears that "limit mta inet4" statement limits outgoing ipv6
> connections but not incoming ipv6 connections...
> 
> Instead of the limit statement one might use a notation like this
> which limits incoming and outgoing connections to ipv4 by interface:
> 
>listen on lo inet4 tls pki $xname
>listen on eth0 inet4 tls pki $xname
>listen on eth1 inet4 tls pki $xname
> 

This works for me in this case (thanx very much), but apparently it
doesn't really solve the problem. If I use a global IPv6 address and
a dual-stack configuration

xname="mailhost.example.com"

pki $xname key "/etc/ssl/private/smtpd.key.pem"
pki $xname certificate "/etc/ssl/public/mailhost.example.com.pem"

listen on lo tls pki $xname
listen on eth0 tls pki $xname
listen on eth1 tls pki $xname
:

then smtpd stumbles over the tentative IPv6 address again. The only
difference is that it's not a link-local address anymore:

:
:
670   bind(11, {sa_family=AF_INET, sin_port=htons(25), sin_addr=inet_addr("10.0.0.2")}, 16 <unfinished ...>
670   <... bind resumed> )  = 0
670   socket(PF_INET6, SOCK_STREAM, IPPROTO_IP <unfinished ...>
670   <... socket resumed> )= 12
670   setsockopt(12, SOL_SOCKET, SO_REUSEADDR, [1], 4 <unfinished ...>
670   <... setsockopt resumed> )= 0
670   setsockopt(12, SOL_IPV6, IPV6_V6ONLY, [1], 4 <unfinished ...>
670   <... setsockopt resumed> )= 0
670   bind(12, {sa_family=AF_INET6, sin6_port=htons(25), inet_pton(AF_INET6, "2001:DB8:30:ffe0::e6", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28 <unfinished ...>
670   <... bind resumed> )  = -1 EADDRNOTAVAIL (Cannot assign requested address)
670   write(2, "pony express: smtpd: bind: Canno"..., 59 <unfinished ...>
670   <... write resumed> ) = 59
670   exit_group(1) = ?
670   +++ exited with 1 +++


Regards
Harri

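An added example, not part of the thread and not OpenSMTPD code: a small check that parses the output of `ip -6 addr show dev <iface>` and reports which addresses are still tentative (duplicate address detection running, so a bind() fails with EADDRNOTAVAIL exactly as in the strace above) or already deprecated, so an operator can delay starting smtpd until the new prefix is usable. The sample output is constructed and the interface name is the caller's assumption.

```python
"""Report the DAD/lifetime state of the IPv6 addresses on an interface.

Added example, not part of the thread and not OpenSMTPD code. It parses the
output of `ip -6 addr show dev <iface>` (iproute2 format) so an operator can
tell whether smtpd would currently be able to bind: a "tentative" address is
still under duplicate address detection and bind() fails with EADDRNOTAVAIL,
a "deprecated" address is still bindable but its prefix is on the way out.
"""
import re
import subprocess
import sys
from dataclasses import dataclass

# Constructed sample output mirroring the strace above: the new global address
# is still tentative, the old one is deprecated, only link-local is settled.
SAMPLE_IP6_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:30:ffe0::e6/64 scope global tentative dynamic
       valid_lft 86389sec preferred_lft 14389sec
    inet6 2001:db8:30:ffe0::e5/64 scope global deprecated dynamic
       valid_lft 3599sec preferred_lft 0sec
    inet6 fe80::1234:5678:9abc:def0/64 scope link
       valid_lft forever preferred_lft forever
"""

# One "inet6 <addr>/<plen> scope <scope> [flags...]" line per address.
ADDR_RE = re.compile(
    r"^\s*inet6\s+(?P<addr>[0-9a-fA-F:]+)/(?P<plen>\d+)\s+scope\s+(?P<scope>\S+)(?P<flags>.*)$"
)


@dataclass(frozen=True)
class Inet6Addr:
    address: str
    prefixlen: int
    scope: str
    flags: tuple

    @property
    def bindable(self) -> bool:
        # bind() to a tentative address returns EADDRNOTAVAIL until DAD completes.
        return "tentative" not in self.flags

    @property
    def preferred(self) -> bool:
        # A deprecated address still binds, but new connections should avoid it.
        return self.bindable and "deprecated" not in self.flags


def parse_ip6_addrs(text: str) -> list:
    """Extract every inet6 address line from `ip -6 addr show` output."""
    addrs = []
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            addrs.append(Inet6Addr(m.group("addr"), int(m.group("plen")),
                                   m.group("scope"), tuple(m.group("flags").split())))
    return addrs


def listen_candidates(text: str) -> dict:
    """Group addresses by whether a listener could be bound to them right now."""
    addrs = parse_ip6_addrs(text)
    return {
        "ready": [a.address for a in addrs if a.preferred],
        "tentative": [a.address for a in addrs if not a.bindable],
        "deprecated": [a.address for a in addrs if a.bindable and not a.preferred],
    }


def read_live(iface: str) -> str:
    """Run iproute2 for a real interface (the name is the caller's choice)."""
    return subprocess.run(["ip", "-6", "addr", "show", "dev", iface],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    text = read_live(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_IP6_OUTPUT
    state = listen_candidates(text)
    for kind, addresses in state.items():
        print(f"{kind:10s} {', '.join(addresses) or '-'}")
    # Exit non-zero while any address is still tentative so a wrapper can
    # delay starting smtpd until DAD has finished.
    sys.exit(1 if state["tentative"] else 0)
```

Run it without arguments to see the constructed sample, or with an interface name such as `eth0` to inspect the live state; a non-zero exit means a tentative address is still present.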



Re: 6.4 broke procmail .forward

2018-10-31 Thread Harald Dunkel

Hi Gilles,

On 10/28/18 6:52 PM, Gilles Chehade wrote:


> Please do yourselves a favor, ditch procmail in favor of fdm.



I am not sure if fdm is an option. Looking at https://github.com/ft/fdm.git
it seems that this code has been abandoned.

Are there others?


Regards
Harri




Address family mismatch on destination MXs

2018-11-07 Thread Harald Dunkel

Hi folks,

sometimes opensmtpd (OpenBSD 6.3) queues an EMail with

Address family mismatch on destination MXs

even though smtpd.conf says

limit mta inet4

The destination MX on my testcase (running OpenBSD 6.3 and
opensmtpd as well) has both IPv4 and IPv6 address.

According to smtpd.conf(5) opensmtpd is supposed to ignore
IPv6 completely on outgoing connections due to the "limit"
line. Did I miss something here?


Every helpful comment is highly appreciated
Harri




kill -HUP not working as expected

2018-11-28 Thread Harald Dunkel

Hi folks,

I learned some time ago that daemons restart or reload their config
file, when they receive a HUP. sendmail, sshd and tons of others do.

smtpd doesn't. :-(


Regards
Harri




Re: kill -HUP not working as expected

2018-11-29 Thread Harald Dunkel

Hi Gilles,

On 11/29/18 9:17 AM, Gilles Chehade wrote:


> there are multiple reasons behind that:
> 
> - smtpd can be killed/restarted right away without having to do cleanups
>    and given that other MTA are supposed to retry transfers if connection
>    drops, the complexity of dealing with reloading when you could just do
>    a plain restart was not worth it. reload would be nice, it's not a big
>    deal as far as i'm concerned and not high on my todo.



I agree that this is not a high-prio task. But when I sent a HUP to
smtpd, it was gone afterwards. That's the unexpected part, but maybe
it is still better than silently ignoring the HUP, still running
the old configuration.

My suggestion would be to mention it in the man page.


Thanx very much. Keep on your good work

Harri




openssl support

2019-05-17 Thread Harald Dunkel

Hi folks,

I wonder what became of

https://github.com/OpenSMTPD/OpenSMTPD/issues/534

? IMHO this issue was closed way too early. Are all OS distros
happy with opensmtpd going libressl-only? Will the rest follow?


Regards

Harri




Re: openssl support

2019-05-17 Thread Harald Dunkel

Hi Gilles,

I understand that ssl support is a highly complex issue, making it
necessary to focus and to get rid of the cruft.

It would be a pity if opensmtpd becomes "OpenBSD-only", though.


Regards
Harri




Re: opensmtpd 6.0.3: redirect outgoing EMails to an internal account

2019-05-13 Thread Harald Dunkel

On 5/10/19 10:55 AM, Harald Dunkel wrote:

> Hi folks,
> 
> for testing purposes I have to set up opensmtpd 6.0.3 to
> redirect all outgoing EMails from a list of stage systems to a
> dedicated internal account. smtpd.conf is attached.



I have found it:

:
table aliases file:/etc/aliases
table vmap file:/etc/vmap
accept for local alias  deliver to mbox
accept from source  sender  for any virtual  deliver to mbox
accept from source  sender  for any relay hostname "mailproxy.example.com" pki $xname
:

with an appropriate vmap file, e.g.

@   catchall

and a local user "catchall"

did the trick.


Thanx anyway. Keep on your good work


Harri




opensmtpd 6.0.3: redirect outgoing EMails to an internal account

2019-05-10 Thread Harald Dunkel

Hi folks,

for testing purposes I have to set up opensmtpd 6.0.3 to
redirect all outgoing EMails from a list of stage systems to a
dedicated internal account. smtpd.conf is attached.

Problem is, there is an invalid recipient error for sending
an EMail from such a stage system:

% netcat 10.0.0.115 25
220 example.de ESMTP OpenSMTPD
EHLO stage
250-example.com Hello stage [10.0.0.238], pleased to meet you
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-SIZE 36700160
250-DSN
250-STARTTLS
250 HELP
MAIL from: 
250 2.0.0: Ok
RCPT to: 
550 Invalid recipient
^C

If I replace the "deliver to mda ..." by a usual relay statement,
then the EMail is relayed, so I have to assume that the "deliver
to mda" somehow affects filtering EMails.

Unfortunately opensmtpd 6.4 is not an option.


Every insightful comment is highly appreciated.
Harri

xname="mp2.example.com"

pki $xname key "/etc/ssl/private/smtpd.key.pem"
pki $xname certificate "/etc/ssl/public/mailproxy.example.com.pem"

limit mta inet4
listen on lo inet4 tls pki $xname
listen on eth0 inet4 tls pki $xname

table aliases file:/etc/aliases

table lan            { 10.0.0.0/24 }                      # hosts allowed to send emails
table stage_hosts    { 10.0.0.238 10.0.0.240 10.0.0.245 } # stage hosts *not* allowed to send emails
table at_example_com { "@example.com" }                   # From address

accept for local alias  deliver to mbox
accept from source   sender  for any  deliver to mda "/usr/bin/procmail -f -" as gotcha
accept from source   sender  for any  relay hostname "mailproxy.example.com" pki $xname


Re: opensmtpd 6.0.3: redirect outgoing EMails to an internal account

2019-05-10 Thread Harald Dunkel

Hi Gilles,

On 5/10/19 11:30 AM, Gilles Chehade wrote:


> without your configuration it's hard to determine what's wrong



Config file was attached. You can find it in the archive as well,
e.g. on

https://www.mail-archive.com/misc@opensmtpd.org/msg04343.html


Regards
Harri




Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-14 Thread Harald Dunkel
On 8/14/19 3:43 PM, Harald Dunkel wrote:
> 
> This is Debian sid (amd64), including openssl version 1.1.1c .
> Here is the list of packages providing shared objects for smtpd:
> 
> ||/ Name                 Version            Architecture Description
> +++-====================-==================-============-==============================================
> ii  libasr0              1.0.2-2+b1         amd64        asynchronous DNS resolver
> ii  libaudit1:amd64      1:2.8.5-2          amd64        Dynamic library for security auditing
> ii  libc6:amd64          2.28-10            amd64        GNU C Library: Shared libraries
> ii  libcap-ng0:amd64     0.7.9-2            amd64        An alternate POSIX capabilities library
> ii  libdb5.3:amd64       5.3.28+dfsg1-0.6   amd64        Berkeley v5.3 Database Libraries [runtime]
> ii  libevent-2.1-6:amd64 2.1.8-stable-4     amd64        Asynchronous event notification library
> ii  libpam0g:amd64       1.3.1-5            amd64        Pluggable Authentication Modules library
> ii  libssl1.1:amd64      1.1.1c-1           amd64        Secure Sockets Layer toolkit - shared libraries
> ii  zlib1g:amd64         1:1.2.11.dfsg-1+b1 amd64        compression library - runtime
> 

PS: compiler version:

{harri@cecil:~ (master) 502} gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/8/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 8.3.0-19' 
--with-bugurl=file:///usr/share/doc/gcc-8/README.Bugs 
--enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++ --prefix=/usr 
--with-gcc-major-version-only --program-suffix=-8 
--program-prefix=x86_64-linux-gnu-
--enable-shared --enable-linker-build-id --libexecdir=/usr/lib 
--without-included-gettext --enable-threads=posix --libdir=/usr/lib 
--enable-nls --enable-bootstrap --enable-clocale=gnu --enable-libstdcxx-debug 
--enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new 
--enable-gnu-unique-object
--disable-vtable-verify --enable-libmpx --enable-plugin --enable-default-pie 
--with-system-zlib --with-target-system-zlib --enable-objc-gc=auto 
--enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 
--with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic
--enable-offload-targets=nvptx-none --without-cuda-driver 
--enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu 
--target=x86_64-linux-gnu --with-build-config=bootstrap-lto --enable-link-mutex
Thread model: posix
gcc version 8.3.0 (Debian 8.3.0-19)


Regards
Harri



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-14 Thread Harald Dunkel
On 8/13/19 9:02 PM, gil...@poolp.org wrote:
> 13 Aug 2019 12:35 "Harald Dunkel"  wrote:
> 
>>
>> Surely I don't have a highly complex EMail configuration, but
>> the new version is running on my MTA and the nullclients since
>> Aug 7th: No issues by now, AFAICT. Cool.
>>
> 
> Care to mention what system you are using ? :-)
> 

This is Debian sid (amd64), including openssl version 1.1.1c .
Here is the list of packages providing shared objects for smtpd:

||/ Name                 Version            Architecture Description
+++-====================-==================-============-==============================================
ii  libasr0              1.0.2-2+b1         amd64        asynchronous DNS resolver
ii  libaudit1:amd64      1:2.8.5-2          amd64        Dynamic library for security auditing
ii  libc6:amd64          2.28-10            amd64        GNU C Library: Shared libraries
ii  libcap-ng0:amd64     0.7.9-2            amd64        An alternate POSIX capabilities library
ii  libdb5.3:amd64       5.3.28+dfsg1-0.6   amd64        Berkeley v5.3 Database Libraries [runtime]
ii  libevent-2.1-6:amd64 2.1.8-stable-4     amd64        Asynchronous event notification library
ii  libpam0g:amd64       1.3.1-5            amd64        Pluggable Authentication Modules library
ii  libssl1.1:amd64      1.1.1c-1           amd64        Secure Sockets Layer toolkit - shared libraries
ii  zlib1g:amd64         1:1.2.11.dfsg-1+b1 amd64        compression library - runtime


Regards
Harri



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-13 Thread Harald Dunkel
Hi folks,

On 7/24/19 1:16 PM, Gilles Chehade wrote:
> On Wed, Jul 24, 2019 at 10:29:34AM +0200, Harald Dunkel wrote:
> 
>> I will check runtime ASAP.
>>
> 
> Great !
> 
> Keep on providing feedback please !
> 

Surely I don't have a highly complex EMail configuration, but
the new version is running on my MTA and the nullclients since
Aug 7th: No issues by now, AFAICT. Cool.


Regards
Harri



tags on the portable branch?

2019-08-22 Thread Harald Dunkel

Hi folks,

would it be possible to set tags on the portable branch as well?
Something like

portable-6.4.1

would do.

This could help a lot for creating some kind of "official" source
package for Debian and Fedora/RedHat.


Thanx in advance
Harri



Re: tags on the portable branch?

2019-08-24 Thread Harald Dunkel
Hi Gilles,

On 8/24/19 9:14 PM, Gilles Chehade wrote:
> 
> This is expected.
> 
> Version 6.4.x only builds with LibreSSL or OpenSSL 1.0.x
> 

do you think it would be possible to set a tag matching support
for openssl 1.1.1c as well? The version I am using right now now
is based on 772da22936c8d80f7ad3284ea7e5bdbfdbee2efb, but this
might be too experimental for production use.


Regards
Harri



Re: tags on the portable branch?

2019-08-24 Thread Harald Dunkel
On 8/23/19 9:55 PM, John Cox wrote:
> Hi
> 
> Whilst I know it doesn't help you I just git cloned that URL and the
> tag checkout just worked for me.  What happens if you make another new
> (temporary) repo with clone and try again?
> 
> Regards
> 
> John Cox
> 

Using a new clone, as suggested: The tag "opensmtpd-6.4.2p1" is available,
but it doesn't build on Debian sid (openssl 1.1.1c). Full build.log is
attached.

:
:
gcc -DHAVE_CONFIG_H -I. -I../..  -I../../smtpd -I../../openbsd-compat 
-I../../openbsd-compat/err_h -I../../openbsd-compat/paths_h -I. -I/usr/include  
-DSMTPD_CONFDIR=\"/usr/local/etc\" -DPATH_CHROOT=\"/var/empty\" 
-DPATH_SMTPCTL=\"/usr/local/sbin/smtpctl\"
-DPATH_MAILLOCAL=\"/usr/local/libexec/opensmtpd/mail.local\" 
-DPATH_LIBEXEC=\"/usr/local/libexec/opensmtpd\" -DHAVE_CONFIG_H -DIO_SSL 
-DCA_FILE=\"/etc/ssl/cert.pem\" -g -O2  -fPIC -DPIC -Wall -Wpointer-arith 
-Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess
-Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset 
-D_BSD_SOURCE -D_DEFAULT_SOURCE  -D_GNU_SOURCE -DNEED_EVENT_ASR_RUN -c -o 
../../smtpd/smtpd-ca.o `test -f '../../smtpd/ca.c' || echo './'`../../smtpd/ca.c
../../smtpd/ca.c: In function 'ca_X509_verify':
../../smtpd/ca.c:204:47: error: dereferencing pointer to incomplete type 
'X509_STORE_CTX' {aka 'struct x509_store_ctx_s'}
  204 |*errstr = X509_verify_cert_error_string(xsc->error);
  |   ^~
../../smtpd/ca.c: At top level:
../../smtpd/ca.c:307:1: error: variable 'rsae_method' has initializer but 
incomplete type
  307 | static RSA_METHOD rsae_method = {
  | ^~
../../smtpd/ca.c:308:2: warning: excess elements in struct initializer
  308 |  "RSA privsep engine",
  |  ^~~~
../../smtpd/ca.c:308:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:309:2: warning: excess elements in struct initializer
  309 |  rsae_pub_enc,
  |  ^~~~
../../smtpd/ca.c:309:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:310:2: warning: excess elements in struct initializer
  310 |  rsae_pub_dec,
  |  ^~~~
../../smtpd/ca.c:310:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:311:2: warning: excess elements in struct initializer
  311 |  rsae_priv_enc,
  |  ^
../../smtpd/ca.c:311:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:312:2: warning: excess elements in struct initializer
  312 |  rsae_priv_dec,
  |  ^
../../smtpd/ca.c:312:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:313:2: warning: excess elements in struct initializer
  313 |  rsae_mod_exp,
  |  ^~~~
../../smtpd/ca.c:313:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:314:2: warning: excess elements in struct initializer
  314 |  rsae_bn_mod_exp,
  |  ^~~
../../smtpd/ca.c:314:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:315:2: warning: excess elements in struct initializer
  315 |  rsae_init,
  |  ^
../../smtpd/ca.c:315:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:316:2: warning: excess elements in struct initializer
  316 |  rsae_finish,
  |  ^~~
../../smtpd/ca.c:316:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:317:2: warning: excess elements in struct initializer
  317 |  0,
  |  ^
../../smtpd/ca.c:317:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:318:2: warning: excess elements in struct initializer
  318 |  NULL,
  |  ^~~~
../../smtpd/ca.c:318:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:319:2: warning: excess elements in struct initializer
  319 |  NULL,
  |  ^~~~
../../smtpd/ca.c:319:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:320:2: warning: excess elements in struct initializer
  320 |  NULL,
  |  ^~~~
../../smtpd/ca.c:320:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:321:2: warning: excess elements in struct initializer
  321 |  rsae_keygen
  |  ^~~
../../smtpd/ca.c:321:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c: In function 'rsae_pub_enc':
../../smtpd/ca.c:407:21: error: dereferencing pointer to incomplete type 
'RSA_METHOD' {aka 'const struct rsa_meth_st'}
  407 |  return (rsa_default->rsa_pub_enc(flen, from, to, rsa, padding));
  | ^~
../../smtpd/ca.c: In function 'ca_engine_init':
../../smtpd/ca.c:493:38: error: invalid use of incomplete typedef 'RSA_METHOD' 
{aka 'struct rsa_meth_st'}
  493 |   if (!ENGINE_set_name(e, rsae_method.name)) {
  |  ^
../../smtpd/ca.c:511:27: error: 'RSA_FLAG_SIGN_VER' undeclared (first use in 
this function)
  511 |  if (rsa_default->flags & RSA_FLAG_SIGN_VER)
  |   ^
../../smtpd/ca.c:511:27: note: each 

Re: tags on the portable branch?

2019-08-23 Thread Harald Dunkel

On 8/22/19 10:34 AM, Gilles Chehade wrote:

On Thu, Aug 22, 2019 at 10:24:30AM +0200, Harald Dunkel wrote:

Hi folks,

would it be possible to set tags on the portable branch as well?
Something like

portable-6.4.1

would do.

This could help alot for creating some kind of "official" source
package for Debian and Fedora/RedHat.



you mean like this ? :-)

https://github.com/OpenSMTPD/OpenSMTPD/releases/tag/opensmtpd-6.4.2p1



{hdunkel@dpcl082:OpenSMTPD (portable) 518} git remote -v
origin  https://github.com/OpenSMTPD/OpenSMTPD.git (fetch)
origin  https://github.com/OpenSMTPD/OpenSMTPD.git (push)
{hdunkel@dpcl082:OpenSMTPD (portable) 519} git checkout opensmtpd-6.4.2p1
error: pathspec 'opensmtpd-6.4.2p1' did not match any file(s) known to git

???




Re: tags on the portable branch?

2019-08-23 Thread Harald Dunkel

On 8/23/19 1:37 PM, Harald Dunkel wrote:


> {hdunkel@dpcl082:OpenSMTPD (portable) 518} git remote -v
> origin  https://github.com/OpenSMTPD/OpenSMTPD.git (fetch)
> origin  https://github.com/OpenSMTPD/OpenSMTPD.git (push)
> {hdunkel@dpcl082:OpenSMTPD (portable) 519} git checkout opensmtpd-6.4.2p1
> error: pathspec 'opensmtpd-6.4.2p1' did not match any file(s) known to git
> 
> ???



PS: Of course I did a "git fetch --all" first.



Re: git portable branch: Failed to parse smarthost

2019-08-06 Thread Harald Dunkel
Hi Gilles,

On 8/6/19 1:35 PM, Gilles Chehade wrote:
> 
> you're using an auth label but this requires a secure transport.
> 
> from smtpd.conf(5):
> 
>  The label corresponds to an entry in a credentials table,
>  as documented in table(5).  It is used with the
>  "smtp+tls" and "smtps" protocols for authentication.
> 

found it. Sorry, my bad.


Regards
Harri



git portable branch: Failed to parse smarthost

2019-08-05 Thread Harald Dunkel
Hi folks,

trying the new smtpd with openssl support on Debian I get the
following error:

Aug  5 18:56:26 mailhost smtpd[712]: warn: Failed to parse smarthost smtp://someh...@mail.somehost.de

Mail is not forwarded, of course.


The config file says

:
table localnet { 10.0.0.0/24, 2001:db8:1f24:b803::/64 }
table secrets file:/etc/secrets
:
action "relay_somehost" relay host smtp://someh...@mail.somehost.de auth  mail-from "@example.de"
:
match from src  for any action "relay_somehost"
match from local for any action "relay_somehost"


The secrets file is:

somehost postmas...@x.mail.somehost.de:geheim


AFAICS the syntax follows the man page, so why does it complain?
I don't see it. Every helpful hint is highly appreciated.


Regards
Harri



unsubscribe old email address?

2019-08-06 Thread Harald Dunkel

Hi folks,

https://www.opensmtpd.org/list.html doesn't tell how to unsubscribe
an old EMail address, that cannot be used for sending EMails anymore.
The same page doesn't list an administrative user, either, so please
excuse sending this question to this mailing list.

I tried to send an EMail (new address) to misc+unsubscr...@opensmtpd.org
saying
unsubscribe o...@example.com

but this didn't work as expected. The EMail address was ignored.


Every helpful hint is highly appreciated.
Harri



improve smtpd.conf syntax check at startup?

2020-01-24 Thread Harald Dunkel

Hi folks,

Do you think it would be possible to improve checking the syntax of
the config file? A line like

action "relay" relay host smtp+tls"//t...@example.com auth 

did not trigger an error message at startup time. When there was an
EMail to send I got an error message in mail.log

Jan 24 10:04:35 mailproxy smtpd[2041]: warn: Failed to parse smarthost smtp+tls"//t...@example.com

Obviously this was too late.

smtpd was version OpenSMTPD 6.6.1p1 on Debian 10.


Regards
Harri



Re: OpenSMTPD 6.6.2p1 released: addresses CRITICAL vulnerability

2020-01-30 Thread Harald Dunkel

Hi Jason,

On 2020-01-29 14:33, Jason Barbier wrote:


> According to the CVE everything since the commit in May 2018 that established the new grammar.



The EMail did not mention a CVE. I was very concerned that I had to upgrade
my "old" hosts to the new smtpd.conf syntax, so this is good news.

Thanx for your reply.


Regards
Harri



Re: OpenSMTPD 6.6.2p1 released: addresses CRITICAL vulnerability

2020-01-29 Thread Harald Dunkel

Hi Gilles,

On 2020-01-28 23:30, gil...@poolp.org wrote:

> Hello misc@,
> 
> Qualys has found a critical vulnerability leading to a possible privilege escalation.
> 
> It is very important that you upgrade your setups AS SOON AS POSSIBLE.
> 
> We'll provide more details when the advisory will be out and I'll take time to write
> about how this bug was made possible, but in the meantime get your setups fixed !



Which versions of opensmtpd are affected?

Thanx for the quick fix.
Harri



Re: smtp-out: Address family mismatch

2020-07-21 Thread Harald Dunkel

Currently I have 100+ EMails queued with "Network error on
destination MX". This is a severe regression since OpenBSD
6.6.

Every insightful comment is highly appreciated

Harri


On 7/6/20 9:01 AM, Harald Dunkel wrote:

> Hi folks,
> 
> I see a lot of outgoing EMails queued with a message "smtp-out:
> Address family mismatch" in the log file. My colleagues don't like
> EMails being put on hold at all.
> 
> Prior to 6.4 there was a
> 
>  limit mta inet4
> 
> The upgrade guide to the new smtpd.conf syntax (https://www.openbsd.org/faq/upgrade64.html)
> mentioned "set and limit removed as main keywords" and a new
> "mta namespace", but smtpd.conf(5) is insufficient in this aspect.
> It doesn't tell.
> https://poolp.org/posts/2018-05-21/switching-to-opensmtpd-new-config/
> doesn't tell, either.
> 
> My current (new-style) smtpd.conf has a line
> 
>  action "relay_external" relay src 192.168.1.1 helo "mail.example.com"
> 
> i.e. the AF is implicitly defined, but as the AF mismatch messages indicate
> this is not sufficient.
> 
> Could you please elaborate?
> 
> 
> Regards
> Harri






opensmtpd appears to be IPv4-only

2020-07-22 Thread Harald Dunkel

Hi folks,

I've got a problem with IPv6 support for opensmtpd 6.7.1p1 on
Debian: Apparently opensmtpd seems to ignore IPv6 after a reboot.

My smtpd.conf says

:
xname = "mailhost.example.com"
pki $xname cert "/etc/mail/ssl/mailhost.example.com.cert"
pki $xname key  "/etc/mail/ssl/mailhost.example.com.key"

listen on lo    tls pki $xname
listen on eth0  tls pki $xname
:

lsof -p shows that smtpd is listening only on the IPv4 address on
eth0. The IPv6 addresses bound to eth0 (link-local and global) are
ignored.

If I *restart* smtpd, then it is listening on IPv6 as well, up to
the next prefix change propagated via router advertisement. The
IPv6 address with the new prefix is ignored. When the old prefix
expires, then opensmtpd is back to IPv4-only. I have to restart
it again.

Can anybody reproduce this?


Every helpful comment is highly appreciated.

Regards
Harri



smtp-out: Address family mismatch

2020-07-06 Thread Harald Dunkel

Hi folks,

I see a lot of outgoing EMails queued with a message "smtp-out:
Address family mismatch" in the log file. My colleagues don't like
EMails being put on hold at all.

Prior to 6.4 there was a

limit mta inet4

The upgrade guide to the new smtpd.conf syntax (https://www.openbsd.org/faq/upgrade64.html)
mentioned "set and limit removed as main keywords" and a new
"mta namespace", but smtpd.conf(5) is insufficient in this aspect.
It doesn't tell. 
https://poolp.org/posts/2018-05-21/switching-to-opensmtpd-new-config/
doesn't tell, either.

My current (new-style) smtpd.conf has a line

action "relay_external" relay src 192.168.1.1 helo "mail.example.com"

i.e. the AF is implicitly defined, but as the AF mismatch messages indicate
this is not sufficient.

Could you please elaborate?


Regards
Harri



Re: smtp-out: Address family mismatch

2020-07-11 Thread Harald Dunkel

Hi Thomas,

On 7/7/20 2:12 AM, Thomas Bohl wrote:


> My guess would be that the target domain, at the time of the DNS query, only returned an IPv6 address.
> 
> 
> I have a similar problem. My config is
> 
> action "relay2Internet" relay \
>      helo $hostn \
>      src {$v4adr, $v6adr}
> 
> as I want to allow IPv4 and IPv6. Since the src-addresses are getting alternated I often
> get "Address family mismatch" because the target doesn't have IPv6 yet. (At
> least I believe that is what's happening.)



Sorry to say, but that's pretty unlikely. IPv4 is much more common than
IPv6 (still), especially for EMail.

I would guess that's a bug. Somebody didn't care about the old-style

limit mta inet4

for the new config file syntax.


Regards
Harri



syslog logging changed ?

2020-06-26 Thread Harald Dunkel

Hi folks,

before 6.7 the smtpd log file entries were easy to find: Just
look for "smtpd" in /var/log/mail.log.

With 6.7 this became "pony express". On OpenBSD 6.7 it's still "smtpd"
as expected, so I wonder wth?


Regards
Harri



Re: opensmtpd appears to be IPv4-only

2020-07-26 Thread Harald Dunkel

Hi Slavik,

On 2020-07-22 18:26, Slavik Svyrydiuk wrote:

> I do not have any issues with IPv6.
> It works for me.
> 
> Ubuntu
> ==
> opensmtpd 6.0.3p1-1ubuntu0.2
> 
> smtpd.conf lines:
> listen on 0.0.0.0 port 25
> listen on ::0 port 25
> 
> $ netstat -lnt | grep ':25'
> tcp        0      0 0.0.0.0:25    0.0.0.0:*    LISTEN
> tcp6       0      0 :::25         :::*         LISTEN



Nice hint, but AFAIU your smtpd is listening on all interfaces.
That's not the case on my host.


Regards
Harri



Re: smtp-out: Address family mismatch

2020-07-26 Thread Harald Dunkel

The Network error on destination MX has been resolved.
The Address family mismatch is still open.

smtpctl show queue gives me

a9f755dd88e88083|inet4|mta||u...@example.com|cont...@bugs.debian.org|cont...@bugs.debian.org|1595227438|1595227438|0|27|pending|29446|Address family mismatch on destination MXs
ebbe485d057fa820|inet4|mta||u...@example.com|xxx...@bugs.debian.org|xxx...@bugs.debian.org|1595227386|1595227386|0|27|pending|29394|Address family mismatch on destination MXs

Please note the "inet4" and

% host bugs.debian.org
bugs.debian.org has address 140.211.166.212
bugs.debian.org has address 209.87.16.39
bugs.debian.org has IPv6 address 2605:bc80:3010:b00:0:deb:166:212
bugs.debian.org has IPv6 address 2607:f8f0:614:1::1274:39
bugs.debian.org mail is handled by 10 buxtehude.debian.org.
% host buxtehude.debian.org.
buxtehude.debian.org has address 209.87.16.39
buxtehude.debian.org has IPv6 address 2607:f8f0:614:1::1274:39
buxtehude.debian.org mail is handled by 10 mailly.debian.org.
buxtehude.debian.org mail is handled by 10 muffat.debian.org.


Currently telnet 140.211.166.212 smtp fails with Connection refused, but
where is the address family mismatch between inet4 and 209.87.16.39 ?


Regards
Harri
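An added example, not from the thread and not OpenSMTPD code: a parser for the pipe-separated `smtpctl show queue` lines quoted above that groups pending envelopes by the address family recorded in the envelope, the last error and the destination domain, so the "inet4" versus "Address family mismatch" contradiction is visible at a glance. Only the id, family, type, tag, sender, recipient, destination, status and trailing error fields are relied on; the meaning of the other numeric fields is an assumption, and the sample lines are constructed (full addresses invented in place of the elided ones).

```python
"""Summarise `smtpctl show queue` output by address family, error and domain.

Added example; not from the thread and not OpenSMTPD code. smtpctl prints
one pipe-separated line per envelope. The positions used here for id,
family, type, tag, sender, rcpt, dest, status and the trailing error text
follow the lines quoted in the post; the remaining numeric fields are not
interpreted because their meaning is only assumed.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the two envelopes from the post (addresses invented in
# place of the elided ones) plus one inet6 envelope with a different error.
SAMPLE_QUEUE = """\
a9f755dd88e88083|inet4|mta||user@example.com|contact@bugs.debian.org|contact@bugs.debian.org|1595227438|1595227438|0|27|pending|29446|Address family mismatch on destination MXs
ebbe485d057fa820|inet4|mta||user@example.com|xxx@bugs.debian.org|xxx@bugs.debian.org|1595227386|1595227386|0|27|pending|29394|Address family mismatch on destination MXs
0123456789abcdef|inet6|mta||user@example.com|someone@example.net|someone@example.net|1595227000|1595227000|1595230000|3|pending|600|Network error on destination MXs
"""

FIELD_COUNT = 14  # as in the quoted lines; the error text is the last field


@dataclass(frozen=True)
class Envelope:
    envelope_id: str
    family: str   # "inet4" or "inet6", the family recorded in the envelope
    kind: str     # "mta", "mda" or "bounce"
    tag: str
    sender: str
    rcpt: str
    dest: str
    status: str   # e.g. "pending"
    error: str    # last error line, empty when none


def parse_queue(text: str) -> list:
    """Parse smtpctl show queue output; raises on a line of unexpected shape."""
    envelopes = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Split at most FIELD_COUNT-1 times so a '|' inside the error text survives.
        fields = line.split("|", FIELD_COUNT - 1)
        if len(fields) != FIELD_COUNT:
            raise ValueError(f"unexpected field count {len(fields)}: {line!r}")
        envelopes.append(Envelope(
            envelope_id=fields[0], family=fields[1], kind=fields[2], tag=fields[3],
            sender=fields[4], rcpt=fields[5], dest=fields[6],
            status=fields[11], error=fields[13]))
    return envelopes


def by_family_and_error(envelopes) -> dict:
    """Count envelopes per (family, error) pair."""
    return dict(Counter((e.family, e.error) for e in envelopes))


def family_mismatch_ids(envelopes) -> list:
    """Envelope ids stuck on the error discussed in the thread."""
    return [e.envelope_id for e in envelopes
            if "Address family mismatch" in e.error]


def affected_domains(envelopes) -> dict:
    """Destination domains that have an error recorded, with envelope counts."""
    return dict(Counter(e.dest.rsplit("@", 1)[-1]
                        for e in envelopes if e.error))


if __name__ == "__main__":
    import sys
    text = SAMPLE_QUEUE if sys.stdin.isatty() else sys.stdin.read()
    envs = parse_queue(text)
    for (family, error), n in sorted(by_family_and_error(envs).items()):
        print(f"{n:4d}  {family:5s}  {error or '(no error)'}")
    print("domains:", affected_domains(envs))
```

Pipe real output in with `smtpctl show queue | python3 queue_summary.py`; without a pipe it prints the constructed sample.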



Re: how to ignore TLS1.3 for test purposes?

2020-07-29 Thread Harald Dunkel

On 2020-07-29 04:12, Larkin Nickle wrote:


> Looking at smtpd.conf(5), you should be able to put `smtp ciphers control` (control being the
> control string of allowed ciphers). The default is "HIGH:!aNULL:!MD5". I think
> "HIGH:!aNULL:!MD5!TLSv1.3" should be valid in removing TLSv1.3 as far as I can tell
> according to SSL_CTX_set_cipher_list(3). I haven't actually tested this however, but this might be
> a useful starting point.



That helped a lot. Using TLS 1.2 I was able to actually see something
in the tcpdump (see attachment).

Apparently my MTA sends a Client Hello (TLS 1.2 protocol) to the
peer, including a list of ciphers and several extensions. The peer
(buxtehude.debian.org) answers with "Handshake failure", but it
doesn't tell what exactly is wrong. See attachment.

Any ideas? I am sure you guys are more proficient in reading TLS
protocol than I am.


Harri


buxtehude.debian.org.pcap
Description: application/vnd.tcpdump.pcap


how to ignore TLS1.3 for test purposes?

2020-07-28 Thread Harald Dunkel

Hi folks,

there seems to be a compatibility issue between opensmtpd on
OpenBSD 6.7 and exim4 on Debian's bugtracker, see

https://lists.debian.org/debian-user/2020/07/msg01091.html

Most recent syspatches are applied, of course. I cannot reproduce
this problem with opensmtpd 6.7.1-p1 on Debian.

How can I tell opensmtpd on OpenBSD to ignore TLS1.3 and to use
TLS1.2 only, just for test purposes? TLS1.3 in libressl appears
to be brand new. Maybe it's buggy.


Every helpful hint is highly appreciated
Harri