smtpd: listen on (eth0)
Hi folks, I am running opensmtpd on Linux (next to OpenBSD, of course). Problem: Apparently smtpd doesn't recognize a new IPv6 address assigned to the network interface (e.g. due to a prefix change). It keeps on listening on the old IPv6 address only. Do you think this could be improved? Thanx in advance Harri -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: smtpd: listen on (eth0)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 04/21/17 05:56, Harald Dunkel wrote: > Hi folks, > > I am running opensmtpd on Linux (next to OpenBSD, of course). Problem: > Apparently smtpd doesn't recognize a new IPv6 address assigned to the network > interface (e.g. due to a prefix change). It keeps on listening on the old > IPv6 address only. > PS: Of course the old address is tagged "deprecated". Regards Harri -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEH2V614LbR/u1O+a1Cp4qnmbTgcsFAlj7WuIACgkQCp4qnmbT gcuPywf/aHlonhxuhtKrnrmk4IQ1fGdjvsrohnQCm/8+X+a/391/ZwDbVJKpCzX4 zdXmVORTM+Th7SqGr4tqcoTWzp0RwfrZhr/j1hH7hVWH0DeUpjaiKW+b2N21sj8s xcutHnEvburegaI9zeJwlPxCmrhMnBip5OOFy8Qxhm3q8Ue4cYuHIHzVhvRjceaS nDEX9YXgpsX+3d5+btzEPpSsnZbluE7W2ECsTCv6sG5OX1TlTCZDhi1oB194HWeV IrnELy7i2EhnSzmDoSWbd6E6MLcJ7mTij+WGYgr4rQtvP9TVaubaKV7hQBX0H0NA WEqbaNbDPh3IQ3uuB/Qy9SNDXV0u9g== =XT4U -END PGP SIGNATURE- -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: "limit mta inet4" is ignored, smtpd fails to start
On 03/18/18 13:54, Richard wrote:
>
> It appears that "limit mta inet4" statement limits outgoing ipv6
> connections but not incoming ipv6 connections...
>
> Instead of the limit statement one might use a notation like this
> which limits incoming and outgoing connections to ipv4 by interface:
>
>listen on lo inet4 tls pki $xname
>listen on eth0 inet4 tls pki $xname
>listen on eth1 inet4 tls pki $xname
>
This works for me in this case (thanx very much), but apparently it
doesn't really solve the problem. If I use a global IPv6 address and
a dual-stack configuration
xname="mailhost.example.com"
pki $xname key "/etc/ssl/private/smtpd.key.pem"
pki $xname certificate "/etc/ssl/public/mailhost.example.com.pem"
listen on lo tls pki $xname
listen on eth0 tls pki $xname
listen on eth1 tls pki $xname
:
then smtpd stumbles over the tentative IPv6 address again. The only
difference is that its not a link-local address anymore:
:
:
670 bind(11, {sa_family=AF_INET, sin_port=htons(25),
sin_addr=inet_addr("10.0.0.2")}, 16
670 <... bind resumed> ) = 0
670 socket(PF_INET6, SOCK_STREAM, IPPROTO_IP
670 <... socket resumed> )= 12
670 setsockopt(12, SOL_SOCKET, SO_REUSEADDR, [1], 4
670 <... setsockopt resumed> )= 0
670 setsockopt(12, SOL_IPV6, IPV6_V6ONLY, [1], 4
670 <... setsockopt resumed> )= 0
670 bind(12, {sa_family=AF_INET6, sin6_port=htons(25), inet_pton(AF_INET6,
"2001:DB8:30:ffe0::e6", _addr), sin6_flowinfo=0, sin6_scope_id=0}, 28 <
670 <... bind resumed> ) = -1 EADDRNOTAVAIL (Cannot assign
requested address)
670 write(2, "pony express: smtpd: bind: Canno"..., 59
670 <... write resumed> ) = 59
670 exit_group(1) = ?
670 +++ exited with 1 +++
Regards
Harri
--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: 6.4 broke procmail .forward
Hi Gilles, On 10/28/18 6:52 PM, Gilles Chehade wrote: Please do yourselves a favor, ditch procmail in favor of fdm. I am not sure if fdm is an option. Looking at https://github.com/ft/fdm.git it seems that this code has been abandoned. Are there others? Regards Harri -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Address family mismatch on destination MXs
Hi folks, sometimes opensmtpd (OpenBSD 6.3) queues an EMail with Address family mismatch on destination MXs even though smtpd.conf says limit mta inet4 The destination MX on my testcase (running OpenBSD 6.3 and opensmtpd as well) has both IPv4 and IPv6 address. According to smtpd.conf(5) opensmtpd is supposed to ignore IPv6 completely on outgoing connections due to the "limit" line. Did I miss something here? Every helpful comment is highly appreciated Harri -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
kill -HUP not working as expected
Hi folks, I learned some time ago that daemons restart or reload their config file, when they receive a HUP. sendmail, sshd and tons of others do. smtpd doesn't. :-( Regards Harri -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: kill -HUP not working as expected
Hi Gilles, On 11/29/18 9:17 AM, Gilles Chehade wrote: there are multiple reasons behind that: - smtpd can be killed/restarted right away without having to do cleanups and given that other MTA are supposed to retry transfers if connection drops, the complexity of dealing with reloading when you could just do a plain restart was not worth it. reload would be nice, it's not a big deal as far as i'm concerned and not high on my todo. I agree that this is not a high-prio task. But when I sent a HUP to smtpd, it was gone afterwards. Thats the unexpected part, but maybe it is still better then silently ignoring the HUP, still running the old configuration. My suggestion would be to mention it in the man page. Thanx very much. Keep on your good work Harri -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
openssl support
Hi folks, I wonder what became of https://github.com/OpenSMTPD/OpenSMTPD/issues/534 ? IMHO this issue was closed way too early. Are all OS distros happy with opensmtpd going libressl-only? Will the rest follow? Regards Harri -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: openssl support
Hi Gilles, I understand that ssl support is a highly complex issue, making it necessary to focus and to get rid of the cruft. It would be a pity if opensmtpd becomes "OpenBSD-only", though. Regards Harri -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: opensmtpd 6.0.3: redirect outgoing EMails to an internal account
On 5/10/19 10:55 AM, Harald Dunkel wrote: Hi folks, for testing purposes I have to setup opensmtpd 6.0.3 to redirect all outgoing EMails from a list of stage systems to a dedicated internal account. smtpd.conf is attached. I have found it: : table aliases file:/etc/aliases table vmap file:/etc/vmap accept for local alias deliver to mbox accept from source sender for any virtual deliver to mbox accept from source sender for any relay hostname "mailproxy.example.com" pki $xname : with an appropriate vmap file, e.g. @ catchall and a local user "catchall" did the trick. Thanx anyway. Keep on your good work Harri -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
opensmtpd 6.0.3: redirect outgoing EMails to an internal account
Hi folks,
for testing purposes I have to setup opensmtpd 6.0.3 to
redirect all outgoing EMails from a list of stage systems to a
dedicated internal account. smtpd.conf is attached.
Problem is, there is an invalid recipient error for sending
an EMail from such a stage system:
% netcat 10.0.0.115 25
220 example.de ESMTP OpenSMTPD
EHLO stage
250-example.com Hello stage [10.0.0.238], pleased to meet you
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-SIZE 36700160
250-DSN
250-STARTTLS
250 HELP
MAIL from:
250 2.0.0: Ok
RCPT to:
550 Invalid recipient
^C
If I replace the "deliver to mda ..." by a usual relay statement,
then the EMail is relayed, so I have to assume that the "deliver
to mda" somehow affects filtering EMails.
Unfortunately opensmtpd 6.4 is not an option.
Every insightful comment is highly appreciated.
Harri
xname="mp2.example.com"
pki $xname key "/etc/ssl/private/smtpd.key.pem"
pki $xname certificate "/etc/ssl/public/mailproxy.example.com.pem"
limit mta inet4
listen on lo inet4 tls pki $xname
listen on eth0 inet4 tls pki $xname
table aliases file:/etc/aliases
table lan { 10.0.0.0/24 } # hosts allowed
to send emails
table stage_hosts { 10.0.0.238 10.0.0.240 10.0.0.245 }# stage hosts
*not* allowed to send emails
table at_example_com{ "@example.com" } # From address
accept for local aliasdeliver to
mbox
accept from source sender for any deliver to
mda "/usr/bin/procmail -f -" as gotcha
accept from source sender for any relay
hostname "mailproxy.example.com" pki $xname
Re: opensmtpd 6.0.3: redirect outgoing EMails to an internal account
Hi Gilles, On 5/10/19 11:30 AM, Gilles Chehade wrote: without your configuration it's hard to determine what's wrong Config file was attached. You can find it in the archive as well, e.g. on https://www.mail-archive.com/misc@opensmtpd.org/msg04343.html Regards Harri -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: OpenSMTPD build on OpenSSL 1.1.x
On 8/14/19 3:43 PM, Harald Dunkel wrote:
>
> This is Debian sid (amd64), including openssl version 1.1.1c .
> Here is the list of packages providing shared objects for smtpd:
>
> ||/ Name VersionArchitecture Description
> +++--==--===
> ii libasr0 1.0.2-2+b1 amd64asynchronous DNS
> resolver
> ii libaudit1:amd64 1:2.8.5-2 amd64Dynamic library for
> security auditing
> ii libc6:amd64 2.28-10amd64GNU C Library:
> Shared libraries
> ii libcap-ng0:amd64 0.7.9-2amd64An alternate POSIX
> capabilities library
> ii libdb5.3:amd64 5.3.28+dfsg1-0.6 amd64Berkeley v5.3
> Database Libraries [runtime]
> ii libevent-2.1-6:amd64 2.1.8-stable-4 amd64Asynchronous event
> notification library
> ii libpam0g:amd64 1.3.1-5amd64Pluggable
> Authentication Modules library
> ii libssl1.1:amd64 1.1.1c-1 amd64Secure Sockets Layer
> toolkit - shared libraries
> ii zlib1g:amd64 1:1.2.11.dfsg-1+b1 amd64compression library
> - runtime
>
PS: compiler version:
{harri@cecil:~ (master) 502} gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/8/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 8.3.0-19'
--with-bugurl=file:///usr/share/doc/gcc-8/README.Bugs
--enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++ --prefix=/usr
--with-gcc-major-version-only --program-suffix=-8
--program-prefix=x86_64-linux-gnu-
--enable-shared --enable-linker-build-id --libexecdir=/usr/lib
--without-included-gettext --enable-threads=posix --libdir=/usr/lib
--enable-nls --enable-bootstrap --enable-clocale=gnu --enable-libstdcxx-debug
--enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new
--enable-gnu-unique-object
--disable-vtable-verify --enable-libmpx --enable-plugin --enable-default-pie
--with-system-zlib --with-target-system-zlib --enable-objc-gc=auto
--enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64
--with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic
--enable-offload-targets=nvptx-none --without-cuda-driver
--enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu
--target=x86_64-linux-gnu --with-build-config=bootstrap-lto --enable-link-mutex
Thread model: posix
gcc version 8.3.0 (Debian 8.3.0-19)
Regards
Harri
Re: OpenSMTPD build on OpenSSL 1.1.x
On 8/13/19 9:02 PM, gil...@poolp.org wrote: > 13 août 2019 12:35 "Harald Dunkel" a écrit: > >> >> Surely I don't have a highly complex EMail configuration, but >> the new version is running on my MTA and the nullclients since >> Aug 7th: No issues by now, AFAICT. Cool. >> > > Care to mention what system you are using ? :-) > This is Debian sid (amd64), including openssl version 1.1.1c . Here is the list of packages providing shared objects for smtpd: ||/ Name VersionArchitecture Description +++--==--=== ii libasr0 1.0.2-2+b1 amd64asynchronous DNS resolver ii libaudit1:amd64 1:2.8.5-2 amd64Dynamic library for security auditing ii libc6:amd64 2.28-10amd64GNU C Library: Shared libraries ii libcap-ng0:amd64 0.7.9-2amd64An alternate POSIX capabilities library ii libdb5.3:amd64 5.3.28+dfsg1-0.6 amd64Berkeley v5.3 Database Libraries [runtime] ii libevent-2.1-6:amd64 2.1.8-stable-4 amd64Asynchronous event notification library ii libpam0g:amd64 1.3.1-5amd64Pluggable Authentication Modules library ii libssl1.1:amd64 1.1.1c-1 amd64Secure Sockets Layer toolkit - shared libraries ii zlib1g:amd64 1:1.2.11.dfsg-1+b1 amd64compression library - runtime Regards Harri
Re: OpenSMTPD build on OpenSSL 1.1.x
Hi folks, On 7/24/19 1:16 PM, Gilles Chehade wrote: > On Wed, Jul 24, 2019 at 10:29:34AM +0200, Harald Dunkel wrote: > >> I will check runtime ASAP. >> > > Great ! > > Keep on providing feedback please ! > Surely I don't have a highly complex EMail configuration, but the new version is running on my MTA and the nullclients since Aug 7th: No issues by now, AFAICT. Cool. Regards Harri
tags on the portable branch?
Hi folks, would it be possible to set tags on the portable branch as well? Something like portable-6.4.1 would do. This could help alot for creating some kind of "official" source package for Debian and Fedora/RedHat. Thanx in advance Harri
Re: tags on the portable branch?
Hi Gilles, On 8/24/19 9:14 PM, Gilles Chehade wrote: > > This is expected. > > Version 6.4.x only builds with LibreSSL or OpenSSL 1.0.x > do you think it would be possible to set a tag matching support for openssl 1.1.1c as well? The version I am using right now now is based on 772da22936c8d80f7ad3284ea7e5bdbfdbee2efb, but this might be too experimental for production use. Regards Harri
Re: tags on the portable branch?
On 8/23/19 9:55 PM, John Cox wrote:
> Hi
>
> Whilst I know it doesn't help you I just git cloned that URL and the
> tag checkout just worked for me. What happens if you make another new
> (temporary) repo with clone and try again?
>
> Regards
>
> John Cox
>
Using a new clone, as suggested: The tag "opensmtpd-6.4.2p1" is available,
but it doesn't build on Debian sid (openssl 1.1.1c). Full build.log is
attached.
:
:
gcc -DHAVE_CONFIG_H -I. -I../.. -I../../smtpd -I../../openbsd-compat
-I../../openbsd-compat/err_h -I../../openbsd-compat/paths_h -I. -I/usr/include
-DSMTPD_CONFDIR=\"/usr/local/etc\" -DPATH_CHROOT=\"/var/empty\"
-DPATH_SMTPCTL=\"/usr/local/sbin/smtpctl\"
-DPATH_MAILLOCAL=\"/usr/local/libexec/opensmtpd/mail.local\"
-DPATH_LIBEXEC=\"/usr/local/libexec/opensmtpd\" -DHAVE_CONFIG_H -DIO_SSL
-DCA_FILE=\"/etc/ssl/cert.pem\" -g -O2 -fPIC -DPIC -Wall -Wpointer-arith
-Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess
-Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset
-D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE -DNEED_EVENT_ASR_RUN -c -o
../../smtpd/smtpd-ca.o `test -f '../../smtpd/ca.c' || echo './'`../../smtpd/ca.c
../../smtpd/ca.c: In function 'ca_X509_verify':
../../smtpd/ca.c:204:47: error: dereferencing pointer to incomplete type
'X509_STORE_CTX' {aka 'struct x509_store_ctx_s'}
204 |*errstr = X509_verify_cert_error_string(xsc->error);
| ^~
../../smtpd/ca.c: At top level:
../../smtpd/ca.c:307:1: error: variable 'rsae_method' has initializer but
incomplete type
307 | static RSA_METHOD rsae_method = {
| ^~
../../smtpd/ca.c:308:2: warning: excess elements in struct initializer
308 | "RSA privsep engine",
| ^~~~
../../smtpd/ca.c:308:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:309:2: warning: excess elements in struct initializer
309 | rsae_pub_enc,
| ^~~~
../../smtpd/ca.c:309:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:310:2: warning: excess elements in struct initializer
310 | rsae_pub_dec,
| ^~~~
../../smtpd/ca.c:310:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:311:2: warning: excess elements in struct initializer
311 | rsae_priv_enc,
| ^
../../smtpd/ca.c:311:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:312:2: warning: excess elements in struct initializer
312 | rsae_priv_dec,
| ^
../../smtpd/ca.c:312:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:313:2: warning: excess elements in struct initializer
313 | rsae_mod_exp,
| ^~~~
../../smtpd/ca.c:313:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:314:2: warning: excess elements in struct initializer
314 | rsae_bn_mod_exp,
| ^~~
../../smtpd/ca.c:314:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:315:2: warning: excess elements in struct initializer
315 | rsae_init,
| ^
../../smtpd/ca.c:315:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:316:2: warning: excess elements in struct initializer
316 | rsae_finish,
| ^~~
../../smtpd/ca.c:316:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:317:2: warning: excess elements in struct initializer
317 | 0,
| ^
../../smtpd/ca.c:317:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:318:2: warning: excess elements in struct initializer
318 | NULL,
| ^~~~
../../smtpd/ca.c:318:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:319:2: warning: excess elements in struct initializer
319 | NULL,
| ^~~~
../../smtpd/ca.c:319:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:320:2: warning: excess elements in struct initializer
320 | NULL,
| ^~~~
../../smtpd/ca.c:320:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:321:2: warning: excess elements in struct initializer
321 | rsae_keygen
| ^~~
../../smtpd/ca.c:321:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c: In function 'rsae_pub_enc':
../../smtpd/ca.c:407:21: error: dereferencing pointer to incomplete type
'RSA_METHOD' {aka 'const struct rsa_meth_st'}
407 | return (rsa_default->rsa_pub_enc(flen, from, to, rsa, padding));
| ^~
../../smtpd/ca.c: In function 'ca_engine_init':
../../smtpd/ca.c:493:38: error: invalid use of incomplete typedef 'RSA_METHOD'
{aka 'struct rsa_meth_st'}
493 | if (!ENGINE_set_name(e, rsae_method.name)) {
| ^
../../smtpd/ca.c:511:27: error: 'RSA_FLAG_SIGN_VER' undeclared (first use in
this function)
511 | if (rsa_default->flags & RSA_FLAG_SIGN_VER)
| ^
../../smtpd/ca.c:511:27: note: each
Re: tags on the portable branch?
On 8/22/19 10:34 AM, Gilles Chehade wrote:
On Thu, Aug 22, 2019 at 10:24:30AM +0200, Harald Dunkel wrote:
Hi folks,
would it be possible to set tags on the portable branch as well?
Something like
portable-6.4.1
would do.
This could help alot for creating some kind of "official" source
package for Debian and Fedora/RedHat.
you mean like this ? :-)
https://github.com/OpenSMTPD/OpenSMTPD/releases/tag/opensmtpd-6.4.2p1
{hdunkel@dpcl082:OpenSMTPD (portable) 518} git remote -v
origin https://github.com/OpenSMTPD/OpenSMTPD.git (fetch)
origin https://github.com/OpenSMTPD/OpenSMTPD.git (push)
{hdunkel@dpcl082:OpenSMTPD (portable) 519} git checkout opensmtpd-6.4.2p1
error: pathspec 'opensmtpd-6.4.2p1' did not match any file(s) known to git
???
Re: tags on the portable branch?
On 8/23/19 1:37 PM, Harald Dunkel wrote:
{hdunkel@dpcl082:OpenSMTPD (portable) 518} git remote -v
origin https://github.com/OpenSMTPD/OpenSMTPD.git (fetch)
origin https://github.com/OpenSMTPD/OpenSMTPD.git (push)
{hdunkel@dpcl082:OpenSMTPD (portable) 519} git checkout opensmtpd-6.4.2p1
error: pathspec 'opensmtpd-6.4.2p1' did not match any file(s) known to git
???
PS: Of course I did a "git fetch --all" first.
Re: git portable branch: Failed to parse smarthost
Hi Gilles, On 8/6/19 1:35 PM, Gilles Chehade wrote: > > you're using an auth label but this requires a secure transport. > > from smtpd.conf(5): > > The label corresponds to an entry in a credentials table, > as documented in table(5). It is used with the > "smtp+tls" and "smtps" protocols for authentication. > found it. Sorry, my bad. Regards Harri
git portable branch: Failed to parse smarthost
Hi folks,
trying the new smtpd with openssl support on Debian I get the
following error:
Aug 5 18:56:26 mailhost smtpd[712]: warn: Failed to parse smarthost
smtp://someh...@mail.somehost.de
Mail is not forwarded, of course.
The config file says
:
table localnet { 10.0.0.0/24, 2001:db8:1f24:b803::/64 }
table secrets file:/etc/secrets
:
action "relay_somehost" relay host smtp://someh...@mail.somehost.de auth
mail-from "@example.de"
:
match from srcfor any action "relay_somehost"
match from localfor any action "relay_somehost"
The secrets file is:
somehost postmas...@x.mail.somehost.de:geheim
AFAICS the syntax follows the man page, so why does it complain?
I don't see it. Every helpful hint is highly appreciated.
Regards
Harri
improve smtpd.conf syntax check at startup?
Hi folks, Do you think it would be possible to improve checking the syntax of the config file? A line like action "relay" relay host smtp+tls"//t...@example.com auth did not trigger an error message at startup time. When there was an EMail to send I got an error message in mail.log Jan 24 10:04:35 mailproxy smtpd[2041]: warn: Failed to parse smarthost smtp+tls"//t...@example.com Obviously this was too late. smtpd was version OpenSMTPD 6.6.1p1 on Debian 10. Regards Harri
Re: OpenSMTPD 6.6.2p1 released: addresses CRITICAL vulnerability
Hi Jason, On 2020-01-29 14:33, Jason Barbier wrote: According to the CVE everything since the commit in May 2018 that established the new grammar. The EMail did not mention a CVE. I was very concerned that I had to upgrade my "old" hosts to the new smtpd.conf syntax, so this is good news. Thanx for your reply. Regards Harri
Re: OpenSMTPD 6.6.2p1 released: addresses CRITICAL vulnerability
Hi Gilles, On 2020-01-28 23:30, gil...@poolp.org wrote: Hello misc@, Qualys has found a critical vulnerability leading to a possible privilege escalation. It is very important that you upgrade your setups AS SOON AS POSSIBLE. We'll provide more details when the advisory will be out and I'll take time to write about how this bug was made possible, but in the meantime get your setups fixed ! Which versions of opensmtpd are affected? Thanx for the quick fix. Harri
common format for maillog lines?
Hi folks, apparently there are 2 different kinds of lines in /var/log/maillog: Lines with a message id, and lines without. Very painful. The lines without message id seem to start with "smtp-out:", eg smtp-out: No valid route for [connector:10.125.142.10->[relay:example.com,smtp,sourcetable=,heloname=mail.example.de],0x0] Do you think it would be possible to clean this up? I would like to grep for the message ID to get the *whole* set of log file lines related to this message, and to ignore the unrelated smtp-out lines. Thanx in advance Harri
opensmtpd appears to be IPv4-only
Hi folks, I've got a problem with IPv6 support for opensmtpd 6.7.1p1 on Debian: Apparently opensmtpd seems to ignore IPv6 after a reboot. My smtpd.conf says : xname = "mailhost.example.com" pki $xname cert "/etc/mail/ssl/mailhost.example.com.cert" pki $xname key "/etc/mail/ssl/mailhost.example.com.key" listen on lotls pki $xname listen on eth0 tls pki $xname : lsof -p shows that smtpd is listening only on the IPv4 address on eth0. The IPv6 addresses bound to eth0 (link-local and global) are ignored. If I *restart* smtpd, then it is listening on IPv6 as well, up to the next prefix change propagated via router advertisement. The IPv6 address with the new prefix is ignored. When the old prefix expires, then opensmtpd is back to IPv4-only. I have to restart it again. Can anybody reproduce this? Every helpful comment is highly appreciated. Regards Harri
smtp-out: Address family mismatch
Hi folks, I see a lot of outgoing EMails queued with a message "smtp-out: Address family mismatch" in the log file. My colleagues don't like EMails being put on hold at all. Prior to 6.4 there was a limit mta inet4 The upgrade guide to the new smtpd.conf syntax (https://www.openbsd.org/faq/upgrade64.html) mentioned "set and limit removed as main keywords" and a new "mta namespace", but smtpd.conf(5) is insufficient in this aspect. It doesn't tell. https://poolp.org/posts/2018-05-21/switching-to-opensmtpd-new-config/ doesn't tell, either. My current (new-style) smtpd.conf has a line action "relay_external" relay src 192.168.1.1 helo "mail.example.com" i.e. the AF is implicitly defined, but as the AF mismatch messages indicate this is not sufficient. Could you please elaborate? Regards Harri
Re: smtp-out: Address family mismatch
Hi Thomas,
On 7/7/20 2:12 AM, Thomas Bohl wrote:
My guess would be that the target domain, at the time of the DNS query, only
returned a IPv6 address.
I have a similar problem. My config is
action "relay2Internet" relay \
helo $hostn \
src {$v4adr, $v6adr}
as I want to allow IPv4 and IPv6. Since the src-adresses are getting alternated I often
get "Address family mismatch" because the target doesn't have IPv6 yet. (At
least I believe that is what's happening.)
Sorry to say, but thats pretty unlikely. IPv4 is much more common than
IPv6 (still), especially for EMail.
I would guess thats a bug. Somebody didn't care about the old-style
limit mta inet4
for the new config file syntax.
Regards
Harri
syslog logging changed ?
Hi folks, before 6.7 the smtpd log file entries were easy to find: Just look for "smtpd" in /var/log/mail.log. With 6.7 this became "y express". On OpenBSD 6.7 its still "smtpd" as expected, so I wonder wth? Regards Harri
Re: opensmtpd appears to be IPv4-only
Hi Slavik, On 2020-07-22 18:26, Slavik Svyrydiuk wrote: I do not have any issues with IPv6. It works for me. Ubuntu == opensmtpd 6.0.3p1-1ubuntu0.2 smtpd.conf lines: listen on 0.0.0.0 port 25 listen on ::0 port 25 $ netstat -lnt | grep ':25' tcp0 0 0.0.0.0:25 0.0.0.0:* LISTEN tcp6 0 0 :::25 :::*LISTEN Nice hint, but AFAIU your smtpd is listening on all interfaces. Thats not the case on my host. Regards Harri
Re: smtp-out: Address family mismatch
The Network error on destination MX has been resolved. The Address family mismatch is still open. smtpctl show queue gives me a9f755dd88e88083|inet4|mta||u...@example.com|cont...@bugs.debian.org|cont...@bugs.debian.org|1595227438|1595227438|0|27|pending|29446|Address family mismatch on destination MXs ebbe485d057fa820|inet4|mta||u...@example.com|xxx...@bugs.debian.org|xxx...@bugs.debian.org|1595227386|1595227386|0|27|pending|29394|Address family mismatch on destination MXs Please note the "inet4" and % host bugs.debian.org bugs.debian.org has address 140.211.166.212 bugs.debian.org has address 209.87.16.39 bugs.debian.org has IPv6 address 2605:bc80:3010:b00:0:deb:166:212 bugs.debian.org has IPv6 address 2607:f8f0:614:1::1274:39 bugs.debian.org mail is handled by 10 buxtehude.debian.org. % host buxtehude.debian.org. buxtehude.debian.org has address 209.87.16.39 buxtehude.debian.org has IPv6 address 2607:f8f0:614:1::1274:39 buxtehude.debian.org mail is handled by 10 mailly.debian.org. buxtehude.debian.org mail is handled by 10 muffat.debian.org. Currently telnet 140.211.166.212 smtp fails with Connection refused, but where is the address family mismatch between inet4 and 209.87.16.39 ? Regards Harri
Re: how to ignore TLS1.3 for test purposes?
On 2020-07-29 04:12, Larkin Nickle wrote: Looking at smtpd.conf(5), you should be able to put `smtp ciphers control` (control being the control string of allowed ciphers). The default is "HIGH:!aNULL:!MD5". I think "HIGH:!aNULL:!MD5!TLSv1.3" should be valid in removing TLSv1.3 as far as I can tell according to SSL_CTX_set_cipher_list(3). I haven't actually tested this however, but this might be a useful starting point. That helped alot. Using TLS 1.2 I was able to actually see something in the tcpdump (see attachment). Apparently my MTA sends a Client Hello (TLS 1.2 protocol) to the peer, including a list of ciphers and several extensions. The peer (buxtehude.debian.org) answers with "Handshake failure", but it doesn't tell what exactly is wrong. See attachment. Any ideas? I am sure you guys are more proficient in reading TLS protocol than I am. Harri buxtehude.debian.org.pcap Description: application/vnd.tcpdump.pcap
how to ignore TLS1.3 for test purposes?
Hi folks, there seems to be a compatibility issue between opensmtpd on OpenBSD 6.7 and exim4 on Debian's bugtracker, see https://lists.debian.org/debian-user/2020/07/msg01091.html Most recent syspatches are applied, of course. I cannot reproduce this problem with opensmtpd 6.7.1-p1 on Debian. How can I tell opensmtpd on OpenBSD to ignore TLS1.3 and to use TLS1.2 only, just for test purposes? TLS1.3 in libressl appears to be brand new. Maybe its buggy. Every helpful hint is highly appreciated Harri
how to watch opensmtpd filters at work?
Hi folks, for debugging I would like to know which "match" line does actually match the incoming EMails. Is there some option for opensmtpd to watch it? "-v" seems to be insufficient. Every insightful comment would be highly appreciated. Regards Harri
Re: how to watch opensmtpd filters at work?
On 1/7/21 1:03 PM, Martijn van Duren wrote: Your question isn't really specific, but my best guess is that -Tfilters will do the trick. I tried "smtpctl trace all", but there was no visual effect. Regards Harri
Re: OpenSMTPD 6.8.0p1 RC1 - please test !
I installed it on my mailhost: Seems to work. The problem with
logging ("y express" instead of "smtpd" in the logfile) seems to
be gone.
Good work
Harri
how to reject a spoofed "From: " address?
Hi folks,
AFAICS opensmtpd can reject EMails with a spoofed from address
in the envelope, as shown in smtpd.conf(5). But how can I reject
EMails with a spoofed "From: " address in the EMail header,
matching my own domain?
See below for smtpd.conf. EMails with a spoofed From addresses get
through via rule 8.
Every insightful comment is highly appreciated.
Harri
--
xname = "mail.example.de"
pki $xname cert "/etc/ssl/public/mail.example.de.chain.pem"
pki $xname key "/etc/ssl/private/smtpd.key.pem"
pki $xname dhe auto
listen on lo0 tls pki $xname
listen on internal tls pki $xname
listen on external tls pki $xname
table aliases db:/etc/mail/aliases.db
table trusted_mta { 10.1.0.11 10.1.0.22 }
table at_example{"@example.de", "@example.com", "@*.example.de",
"@*.example.com"}
table example {"example.de", "example.com", "*.example.de",
"*.example.com"}
action "local"mbox alias
action "relay_example"relay host smtp://mail.int.example.de helo
"mail.example.de"
action "relay_external" relay src { 10.0.0.1 2001:db8::::1 } helo
"mail.example.de"
match from localfor local action "local"
match from localfor domain action
"relay_example"
match from localfor any action
"relay_external"
match from src for domain action
"relay_example"
match from src for any action
"relay_external"
match from any mail-from for any reject
match mail-from for any reject
match from any for domain action
"relay_example"
# the rest is rejected by default
match from any for any reject
Re: how to watch opensmtpd filters at work?
On 1/7/21 3:03 PM, Martijn van Duren wrote: Could you show your config, steps to reproduce and expected behaviour? Because I'm not entirely sure what you try to achieve. I was trying to see which rules in smtpd.conf match. "smtpctl trace all" didn't work. Problem was, I hadn't enabled debug logging in syslog.conf. This rendered "smtpctl trace rules" useless. I would strongly recommend to mention this in the man page. Its easy to forget. Regards Harri
6.9 regression: opensmtpd complains "smtp cert-check result=\"no certificate presented\""
Hi folks,
since the upgrade to OpenBSD 6.9 at the weekend opensmtpd complains
smtp cert-check result="no certificate presented"
for incoming EMails. opensmtpd.conf and the certificate chain
hasn't changed. There is only a single MX defined in DNS (for
both "example.com" and "example.de"), matching the certificate.
The FAQs for the openbsd upgrade state for opensmtpd
Configurations that use only a single certificate do not need updating.
Did I miss something here? Every helpful comment is highly appreciated.
Harri
# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.
# https://man.openbsd.org/OpenBSD-6.9/smtpd.conf.5
xname = "mail.example.de"
pki $xname cert "/etc/ssl/public/mail.example.de.chain.pem"
pki $xname key "/etc/ssl/private/smtpd.key.pem"
pki $xname dhe auto
#
# ca can be used to introduce another root CA authority. Intermediate
# certs should be appended to the client certificate, instead.
#
# ca $xname cert "/etc/ssl/public/DigiCertCA.crt"
listen on lo0 tls pki $xname
listen on internal tls pki $xname
listen on external tls pki $xname
smtp max-message-size 128M
table aliases db:/etc/mail/aliases.db
#
# permitted hosts: srvvm01, gate4a/b
table trusted_mta {192.168.96.11 192.168.96.22 192.168.98.246 192.168.98.248 }
table at_example{"@example.de", "@example.com"}
table example {"example.de", "example.com"}
table spf_protection_outlook_com
file:/etc/mail/spf_protection_outlook_com
table external_mta file:/etc/mail/external_mta
action "local" mbox alias
action "relay_example" relay host smtp://mailhost.ac.example.de helo
"mail.example.de"
action "relay_external" relay src { 10.145.142.10
2001:db8:13b0:::60 } helo "mail.example.de"
#
# first match wins, default is to reject.
#
# "from local" and "for local" are the defaults, but it is good practice to not
# omit these statements.
#
match from localfor local
action "local"
match from localfor domain
action "relay_example"
match from localfor any
action "relay_external"
match from src for domain
action "relay_example"
match from src for domain
action "relay_example"
match from srcfor domain
action "relay_example"
match from src for any
action "relay_external"
match from any mail-fromfor any
reject
match from any for domain
action "relay_example"
# the rest is rejected by default
match from any for any reject
smtpctl spf walk -6 ?
Hi folks, I am a big fan of IPv6, so I wonder why smtpctl spf walk omits all the IPv6 addresses? # echo spf.protection.outlook.com | smtpctl spf walk 40.92.0.0/15 40.107.0.0/16 52.100.0.0/14 104.47.0.0/17 51.4.72.0/24 51.5.72.0/24 51.5.80.0/27 20.47.149.138/32 51.4.80.0/27 # dig spf.protection.outlook.com TXT +short | tr \ \\n "v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip4:52.100.0.0/14 ip4:104.47.0.0/17 ip6:2a01:111:f400::/48 ip6:2a01:111:f403::/48 include:spfd.protection.outlook.com -all" # echo spf.protection.outlook.com | smtpctl spf walk -6 invalid command Regards Harri
Re: smtpctl spf walk -6 ?
On 5/12/21 8:56 AM, nathanael wrote: this is what i get on my machine: ~ echo spf.protection.outlook.com | smtpctl spf walk 40.92.0.0/15 40.107.0.0/16 52.100.0.0/14 104.47.0.0/17 2a01:111:f400::/48 2a01:111:f403::/48 51.4.72.0/24 51.5.72.0/24 51.5.80.0/27 20.47.149.138/32 51.4.80.0/27 2a01:4180:4051:0800::/64 2a01:4180:4050:0800::/64 2a01:4180:4051:0400::/64 2a01:4180:4050:0400::/64 no idea why you don't see the ipv6 addresses On OpenBSD 6.8 and 6.9 I get the expected result, too. The problem shows up on Debian 10 and Unstable (opensmtpd 6.8.0p2). Using strace I verified that smtpctl and dig connect to the same DNS server. Yet dig reports the IPv6 addresses, smtptl spf walk doesn't. Its unlikely that the DNS server drops the IPv6 addresses from a TXT record, anyway. Maybe its a problem of the BSD compatibility layer, included in the portable version? Regards Harri
dkim signing integrated in opensmtpd?
Hi folks, Would it be possible to *integrate* dkim signatures in opensmtpd? I saw rspamd, but this is not an option. I am looking for a lightweight solution for signing EMail headers. Regards Harri
Re: dkim signing integrated in opensmtpd?
On 5/10/21 3:14 PM, Martijn van Duren wrote: There's filter-dkimsign in packages, which is also mentioned in smtpd.conf. I don't think there's a more lightweight solution possible. I had found your web site https://palant.info/2020/11/09/adding-\ dkim-support-to-opensmtpd-with-custom-filters/, but it mentioned building opensmtpd-filter-dkimsign from "some Dutch web server". I didn't expect a package. Actually I am running my major MTA with sendmail, still. The problem in this configuration is, the opendkim milter is called before masquerading is done. opendkim signs a header that is modified my sendmail later. (There are some workarounds, but they are unreliable.) Is there a similar pitfall for opensmtpd-filter-dkimsign and opensmtpd? Regards Harri
Re: smtpctl spf walk -6 ?
On 5/12/21 2:56 PM, Martijn van Duren wrote: Apparently it's a problem in glibc's inet_net_pton. It does not support AF_INET6. to.c has the same problem and works around this problem by handcrafting broken_inet_net_pton_ipv6(). Would it be possible to use inet_pton() ? Regards Harri
what happened to smtpd-filters.7 ?
Hi folks, looking at github there is a file "smtpd-filters.7" and "filter.c" in smtpd, but apparently they are not used at build or install time. configure.ac doesn't mention them, either, so I wonder whats the story here? Have they been forgotten? Obsolete code? Regards Harri
Re: what happened to smtpd-filters.7 ?
Hi Martin, thank you very much for your response. I stumbled over this lost man page looking for additional information about the filters mentioned on https://man.openbsd.org/smtpd.conf. Apparently there are a few more unused source files in the git repository. They are very hard to detect without running make. Regards Harri
restart necessary on certificate upgrade (letsencrypt)?
Hi folks, I wonder if opensmtpd starts using new key and certificate chain automagically, in case they replaced the old files? Do I have to hup or restart smtpd? Hopefully I am not too blind to see, but apparently the man page doesn't tell. Regards Harri
what happened to "protocols" and "ciphers" options?
Hi folks, on OpenBSD's smtpd I can set "protocols" and "ciphers" for the listen lines. They are not mentioned in the man page for smtpd.conf on Linux. What is the story here? Regards Harri
do I have to set pki in the relay action?
Hi folks, what is the default for the pki option in a relay action? The man page doesn't tell, AFAICS. Regards Harri
smtpd.conf on OpenBSD: how to say "internal network"?
Hi folks,
hardwired constants in my smtpd.conf are causing problems with IPv6
prefix delegation, so I wonder if there is some abbr. for "internal
network"? Something like
# table localnet { 10.10.10.0/24 10.10.11.0/24 2001:db8:abcd:0012::/64 }
:
listen on intern tls pki $xname
listen on extern tls pki $xname
:
action "relay" relay
# match from src for any action "relay"
match from src (intern:network) for any action "relay"
:
(similar to pf.conf on OpenBSD)? "intern" would be the interface group
configured for all internal network interfaces.
I tried
# table localnet { 10.10.10.0/24 10.10.11.0/24 2001:db8:abcd:0012::/64 }
:
listen on intern tls pki $xname tag INTERN
listen on extern tls pki $xname tag EXTERN
:
action "relay" relay
# match from src for any action "relay"
match tag INTERN for any action "relay"
:
Doesn't work :-(. If I enable the old "localnet" lines, then it does.
Hopefully I am not too blind to see, but I haven't found this in
smtpd.conf(5). Every helpful comment is highly appreciated.
Regards
Harri
Re: EMails to "ORCPT=rfc822;u...@example.com" are rejected
Hi Frank,
I am not sure if I got this correctly, but AFAIU you assume some unusual
chars in the recipient address. There are none, according to /var/log/maillog.
The chars in the recipient address are between 0x33 and 0x7e. And there is
neither a '+' nor a '='.
I have the impression that the recipient address is valid.
Regards
Harri
On 2022-05-30 18:30:04, opensmtpd.open...@xpoundit.com wrote:
Hi Harri,
we had issues with e-mails containing ORCPT as well and fixed the
rejection with a patch. Originally, we created the patch when 6.7 was
out and applied it to the version of OpenSMTPD available in the FreeBSD
ports.
As of today, OpenSMTPD 6.8 is available in the FreeBSD ports system.
The attached patches can be applied to this version (if you are on
FreeBSD, just put them into ports/mail/opensmtpd/files).
If needed, I can massage the patches so they can be applied against the
OpenBSD base as well, where OpenSMTPD resides in nowadays (we mainly
use it on FreeBSD). I did not do this yet, since I wanted to provide a
quick answer.
In our case, the above mentioned groupware introduced characters in the
ORCPT field (colons.., 0x3a), that led smtp_tx_rcpt_to()
(usr.sbin/smtpd/smtp_session.c) to return with "553 ORCPT address
syntax error".
RFC3461 led us to the solution we are using today.
In section 4.2 [1], the ABNF of ORCPT is defined as:
orcpt-parameter = "ORCPT=" original-recipient-address
original-recipient-address = addr-type ";" xtext
addr-type = atom
The log you see is:
May 27 08:42:30 mymta smtpd[10310]: f06a752b657b4a05 smtp failed-
command command="RCPT TO:
ORCPT=rfc822;u...@example.com" result="550 Invalid recipient:
"
According to the ABNF of ORCPT, everything after addr-type ";"
("rfc822;" in your case) is supposed to be xtext, which is described a
bit earlier in the introductory part of section 4 [2].
xtext = *( xchar / hexchar )
xchar = any ASCII CHAR between "!" (33) and "~" (126) inclusive,
except for "+" and "=".
; "hexchar"s are intended to encode octets that cannot appear
; as ASCII characters within an esmtp-value.
hexchar = ASCII "+" immediately followed by two upper case
hexadecimal digits
smtp_tx_rcpt_to() in usr.sbin/smtpd/smtp_session.c tries to convert the
text of the ORCPT DSN into an e-mail address and wants to check the
validity of the local and the domain part. We replaced this check, are
validating the xtext portion as specified above and are replying with a
more precise error message if this check fails:
if (strncasecmp(opt, "rfc822;", 7) == 0)
opt += 7;
-if (!text_to_mailaddr(>evp.dsn_orcpt, opt) ||
-!valid_localpart(tx->evp.dsn_orcpt.user) ||
-(strlen(tx->evp.dsn_orcpt.domain) != 0 &&
- !valid_domainpart(tx->evp.dsn_orcpt.domain))) {
+if (!valid_xtext(opt)) {
smtp_reply(tx->session,
-"553 ORCPT address syntax error");
+"553 ORCPT xtext syntax error");
return;
}
In usr.sbin/smtpd/util.c we added valid_xtext():
+int
+valid_xtext(const char *s)
+{
+while (*s != '\0') {
+if(*s == '\x2b' || *s == '\x3d') {
+return 0;
+} else if(*s <= '\x21' || *s >= '\x7e') {
+return 0;
+} else {
+s++;
+continue;
+}
+return 0;
+}
+return 1;
+}
I hope this helps to narrow down your issue a bit. What kind of non-e-
mailish characters do you see in the ORCPT?
In our case, the xtext portion of the ORCPT quite often contained valid
e-mail addresses, but sometimes, it did not. As far as we understood
the RFCs, xtext doas not necessarily need to be an e-mail address. This
is why we decided to replace the original check. The above mentioned
groupware used colons as field separators inside the xtext portion to
keep track of the communication belonging to certain thread or, well,
recipients.
What do the others think of the way we are handling the ORCPT?
Cheers
Frank
[1] https://datatracker.ietf.org/doc/html/rfc3461#section-4.2
[2] https://datatracker.ietf.org/doc/html/rfc3461#section-4
On Mon, 2022-05-30 at 09:04 +0200, Harald Dunkel wrote:
Hi folks,
my MTA (opensmtpd on OpenBSD 7.0) rejects a few EMails with
a message like
May 27 08:42:30 mymta smtpd[10310]: f06a752b657b4a05 smtp failed-
command command="RCPT TO:
ORCPT=rfc822;u...@example.com" result="550 Invalid recipient:
"
in /var/log/maillog. The EMails to u...@example.com without
"ORCPT=rfc822;" are accepted and forwarded as usual. All EMails
with "ORCPT=rfc822;" to any user are rejected.
I have found https://github.com/OpenSMTPD/OpenSMTPD/issues/658
of course, but I don't see a configuration issue on my side.
My MTA is just an MTA, there are no local users except for root.
Every insightful comment is highly appreciated
Harri
Re: EMails to "ORCPT=rfc822;u...@example.com" are rejected
On 2022-05-31 11:50:39, Harald Dunkel wrote: Hi Frank, I am not sure if I got this correctly, but AFAIU you assume some unusual chars in the recipient address. There are none, according to /var/log/maillog. The chars in the recipient address are between 0x33 and 0x7e. And there is neither a '+' nor a '='. PS: between 0x21 and 0x7e, of course. Regards Harri
EMails to "ORCPT=rfc822;u...@example.com" are rejected
Hi folks, my MTA (opensmtpd on OpenBSD 7.0) rejects a few EMails with a message like May 27 08:42:30 mymta smtpd[10310]: f06a752b657b4a05 smtp failed-command command="RCPT TO: ORCPT=rfc822;u...@example.com" result="550 Invalid recipient: " in /var/log/maillog. The EMails to u...@example.com without "ORCPT=rfc822;" are accepted and forwarded as usual. All EMails with "ORCPT=rfc822;" to any user are rejected. I have found https://github.com/OpenSMTPD/OpenSMTPD/issues/658 of course, but I don't see a configuration issue on my side. My MTA is just an MTA, there are no local users except for root. Every insightful comment is highly appreciated Harri
bounce invalid message IDs?
Hi folks, is it possible to bounce invalid message IDs, e.g. using a UUID instead of the well-known format (https://en.wikipedia.org/wiki/Message-ID)? Regards Harri
what does "from=<>" mean?
Hi folks I see quite a number of EMails mentioned in /var/log/maillog with a string "from=<>", e.g. Jul 6 08:08:24 mailgate smtpd[84448]: 90d0e01d76abce9c mta delivery evpid=e62074ed220d58f9 from=<> to= rcpt=<-> source="10.0.96.7" relay="10.0.96.11 (mailhost.mydomain.com)" delay=0s result="Ok" stat="250 2.0.0 26668Kn61587355 Message accepted for delivery" Its pretty unlikely that an EMail pop ups from nowhere, so what does this "from=<>" actually mean? Would it be possible to add some more useful information to this line? Regards Harri
smtpctl: lookup_record: %{i}._spf.mta.salesforce.com contains macros and can't be resolved
Hi folks,
smtpctl spfwalk returns messages like
smtpctl: lookup_record: %{i}._spf.mta.salesforce.com contains macros and can't
be resolved
smtpctl: lookup_record: %{ir}.%{v}.%{d}.spf.has.pphosted.com contains macros
and can't be resolved
smtpctl: lookup_record: %{i}._spf.mta.salesforce.com contains macros and can't
be resolved
smtpctl: lookup_record: %{ir}.%{v}.%{d}.spf.has.pphosted.com contains macros
and can't be resolved
smtpctl: lookup_record: %{i}._spf.mta.salesforce.com contains macros and can't
be resolved
smtpctl: lookup_record: %{i}._spf.mta.salesforce.com contains macros and can't
be resolved
smtpctl: lookup_record: %{i}._spf.mta.salesforce.com contains macros and can't
be resolved
smtpctl: lookup_record: %{i}._spf.corp.salesforce.com contains macros and can't
be resolved
smtpctl: lookup_record: %{i}._spf.mta.salesforce.com contains macros and can't
be resolved
is this something the owner of the SPF record in DNS has to fix, is
this not implemented yet, or what is the story here?
Every insightful comment is highly appreciated
Harri
