CA certificate stores?
Hi all

Can anyone help me with how to get custom certificate verification to work in opensmtpd?

I have two opensmtpd machines - yidhra & azathoth - and I want to deliver mail from azathoth to yidhra.

On yidhra:

I have generated a local self-signed CA cert
I have generated a machine cert and signed it with my ca cert
I can verify the machine cert against the ca cert with openssl
I have the certs set in smtpd.conf with

pki yidhra.outer.uphall.net cert "/etc/ssl/local_certs/yidhra.outer.uphall.net.crt"
pki yidhra.outer.uphall.net key "/etc/ssl/private/yidhra.outer.uphall.net.key"
ca yidhra.outer.uphall.net cert "/etc/ssl/local_certs/ca_uphall.net.crt"

and I believe that all works.

When azathoth attempts to deliver mail I get

Mar 4 15:25:04 azathoth smtpd[85072]: 45f2eb8c98e80a78 mta connecting address=smtp://10.44.0.3:25 host=yidhra.outer.uphall.net
Mar 4 15:25:04 azathoth smtpd[85072]: 45f2eb89e3a43fb8 smtp disconnected reason=quit
Mar 4 15:25:04 azathoth smtpd[85072]: 45f2eb8c98e80a78 mta connected
Mar 4 15:25:04 azathoth smtpd[85072]: 45f2eb8c98e80a78 mta tls ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
Mar 4 15:25:04 azathoth smtpd[85072]: 45f2eb8c98e80a78 mta server-cert-check result="failure"

My questions are:

Where should I have put the local CA cert on azathoth in order to get cert check success?
Do I need a certificate with purposes set - my current one doesn't?
Can I get enhanced debug on the cert verification process so I know what is failing?

I had this working (with verify required) until my certs timed out recently & I have clearly cocked up something when updating everything.

Many Thanks

John Cox
Re: tags on the portable branch?
Hi

>On 8/23/19 1:37 PM, Harald Dunkel wrote:
>>
>> {hdunkel@dpcl082:OpenSMTPD (portable) 518} git remote -v
>> origin https://github.com/OpenSMTPD/OpenSMTPD.git (fetch)
>> origin https://github.com/OpenSMTPD/OpenSMTPD.git (push)
>> {hdunkel@dpcl082:OpenSMTPD (portable) 519} git checkout opensmtpd-6.4.2p1
>> error: pathspec 'opensmtpd-6.4.2p1' did not match any file(s) known to git
>>
>> ???
>>
>
>PS: Of course I did a "git fetch --all" first.

Whilst I know it doesn't help you I just git cloned that URL and the tag checkout just worked for me.

What happens if you make another new (temporary) repo with clone and try again?

Regards

John Cox
Re: RBLs?
Hi

>Hi,
>
>I’ve been using a combination of OpenSMTPd and spamd on OpenBSD (currently at
>6.5) for some time and with success. However, there are still some
>false-negatives and I’m looking at ways of reducing those. One way is by
>making use of RBLs.
>
>(I’ve evaluated delivered spam and the majority of it seems to be coming from
>IPs that are on various blacklists but aren’t being caught by greylisting.)
>
>spamd doesn’t support RBLs, at least that I’ve found, it can only use lists
>that can be downloaded locally—the particular service I’m wanting to use only
>provides DNS-based RBLs. So that’s my problem…
>
>I’m looking for ways of including an RBL in either spamd or OpenSMTPd,
>preferring to stay in OpenBSD base as much as possible. (In other words, I’d
>prefer to not rip out spamd or replace or supplement it with SpamAssassin or
>rspamd—I’d rather find a solution that will plugin _specifically_ for RBLs
>without all of the other bloat that SpamAssassin and similar products bring.
>
>Can anyone offer some input on this please?
>
>I’m not opposed to writing an OpenSMTPd filter, though I’d need to locate some
>documentation for that (I’ve looked but haven’t been able to find it, so I’m
>probably looking in the wrong places—suggestions welcomed).
>
>~ Tom

I wrote a python script (enclosed) that scans the spamd logs, looks up new ip addresses in zen.spamhaus.org and blacklists if found. It keeps a cache of what it has done to keep the load down and expires it over time. If run at least once within the whitelisting period it will do the RBL thing for you.

The script has various command line options (mostly for testing) but oddly if you want to change the RBL you are going to have to edit the script (hopefully obvious).

I have this line in root's crontab to run it every 15mins

*/15 * * * * /usr/local/bin/dnsbl-scan.py

Hope that helps

JC
Re: problem with resolution aliases after upgrade to 6.5
Hi

>Hello,
>
>I use aliases in an smtpd config and before upgrade to 6.5 it worked fine.
>After upgrade and rewriting config smtpd starts to reject mails
>addressed to aliases with a reason "550 Invalid recipient". What's
>wrong with new config?
>
>/var/log/maillog:
>
>Apr 29 07:01:48 ns1 smtpd[71399]: e99e9db5916c8789 smtp connected
>address=209.85.167.44 host=mail-lf1-f44.google.com
>Apr 29 07:01:48 ns1 smtpd[71399]: e99e9db5916c8789 smtp tls
>ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
>Apr 29 07:01:49 ns1 smtpd[71399]: e99e9db5916c8789 smtp failed-command
>command="RCPT TO:" result="550 Invalid recipient: "
>Apr 29 07:01:49 ns1 smtpd[71399]: e99e9db5916c8789 smtp disconnected
>reason=quit
>
>smtpd.conf before upgrade to 6.5:
>
>pki mx1. certificate "/etc/ssl/.crt"
>pki mx1. key "/etc/ssl/private/.key"
>
>limit mta inet4
>queue compression
>
>listen on lo0
>listen on lo0 port 10028 tag DKIM_OUT
>listen on egress port 25 tls pki mx1.
>listen on egress port 465 smtps pki mx1. auth mask-source hostname mx1.
>listen on egress port 587 tls-require pki mx1. auth mask-source
>hostname mx1.
>
>table aliases db:/etc/mail/aliases.db
>table secrets db:/etc/mail/secrets.db
>table domains { }
>
>accept for local deliver to mbox
>accept for local alias deliver to mbox
>accept for domain "" relay via
>"tls+auth://gm...@smtp.gmail.com:587" auth
>accept from any for domain "" alias deliver to mbox
>#accept from local for any relay
>
>accept tagged DKIM_OUT for any relay
>accept from local for any relay via smtp://127.0.0.1:10027
>
>expire 2d
>bounce-warn 2h, 4h, 1d
>
>
>pki mx1. cert "/etc/ssl/.crt"
>pki mx1. key "/etc/ssl/private/.key"
>
>mta limit inet4
>bounce warn-interval 2h, 4h, 1d
>queue ttl 4d
>queue compression
>
>listen on lo0
>listen on lo0 port 10028 tag DKIM_OUT
>listen on egress port 25 tls pki mx1.
>#listen on egress port 25 tls pki mx1. auth-optional hostname mx1.
>listen on egress port 465 smtps pki mx1. auth mask-source hostname mx1.
>listen on egress port 587 tls-require pki mx1. auth mask-source
>hostname mx1.
>
>table aliases db:/etc/mail/aliases.db
>table secrets db:/etc/mail/secrets.db
>table domains { }
>
>action "local" mbox alias
>action "gmail" relay host "smtp+tls://gm...@smtp.gmail.com:587" auth
>action "relay_dkim" relay host smtp://127.0.0.1:10027
>action "relay" relay
>
>match tag DKIM_OUT for any action "relay"
>match from local for local action "local"
>match from local for any auth action "relay_dkim"
>match from any for domain domains action "local"

Not sure if this is the only problem but domains is a table in this version so the line should be (missing <>):

match from any for domain <domains> action "local"

>match from any for any auth action "gmail"
>
>
>output from smtpd -dv -Texpand:
>
>queue: queue compression enabled
>debug: pony: rsae_init
>debug: pony: rsae_init
>debug: smtp: will accept at most 498 clients
>debug: smtpd: scanning offline queue...
>debug: smtpd: offline scanning done
>debug: queue: done loading queue into scheduler
>1ae957d6afeb0dfa smtp connected address=209.85.208.171
>host=mail-lj1-f171.google.com
>debug: looking up pki "mx1."
>debug: session_start_ssl: switching to SSL
>debug: pony: rsae_priv_enc
>1ae957d6afeb0dfa smtp tls ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
>smtp: 0x15892c37000: smtp_cert_verify_cb: no-client-cert
>debug: smtp: SIZE in MAIL FROM command
>expand: 0x1ed226c59018: expand_insert() called for
>address:sergeyb@[parent=0x0, rule=0x0]
>expand: 0x1ed226c59018: inserted node 0x1ed2341cb800
>expand: lka_expand: address: sergeyb@ [depth=0]
>expand: 0x1ed226c59018: clearing expand tree
>1ae957d6afeb0dfa smtp failed-command command="RCPT TO:"
>result="550 Invalid recipient: "
>1ae957d6afeb0dfa smtp disconnected reason=quit
>
>Sergey

Hope that helps

JC

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: Confused by certificates
Hi

>2019-01-06 16:21 skrev John Cox:
>> Hi
>>
>> I'm using OpenSMTPD 6.4.0
>>
>> I'm (at least) a little confused as to which sort of certs I should
>> put in the pki cert and ca conf file entries (I can cope with the key
>> entry!)
>>
>> I have an apparently functional ACME setup using the default
>> acme-client supplied with openbsd. This gives me 3 sorts of cert:
>>
>> 1) Bare cert
>> 2) Chain cert
>> 3) Full chain cert
>>
>> I have pki cert set to the bare cert, and ca set to the chain cert -
>> is that correct? or should I use the full chain cert for the pki cert?
>>
>> I ask because whilst the setup mostly works I do get odd logging like
>> this:
>>
>> Jan 6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting
>> address=smtp://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net
>> Jan 6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connected
>> Jan 6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta starttls
>> ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
>> Jan 6 14:35:05 azathoth smtpd[87479]: smtp-out: Server certificate
>> verification succeeded on session 92975635cb3d86a4
>> Jan 6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta delivery
>> evpid=00fe7e3a0bda75cf from= to= rcpt=
>> source="46.235.226.138" relay="212.54.58.11
>> (mx.mnd.ukmail.iss.as9143.net)" delay=1s result="Ok" stat="250 2.0.0
>> MXIN650 mail accepted for delivery
>> ;id=g9W5guLw5a6xRg9W5gmZtD;sid=g9W5guLw5a6xR;mta=mx4.mnd;d=20190106;t=153505[CET];ipsrc=46.235.226.138;"
>> Jan 6 14:35:16 azathoth smtpd[87479]: smtp-out: Error on session
>> 92975635cb3d86a4: opportunistic TLS failed, downgrading to plain
>> Jan 6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting
>> address=smtp+notls://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net
>> Jan 6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta connected
>> Jan 6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta
>> disconnected reason=quit messages=1
>>
>> Where it seems to succeed with TLS and then it says that it has failed.
>> What is going on?

I know I put 2 questions in one message but does anyone have any idea why I seem to both get a TLS success & a TLS failure here?

>>
>> Thanks
>>
>> John Cox
>
>You should use the full chain, so that any connecting computers can
>verify the full certificate chain. :)
>
>This is a snippet from my configuration:
>
>pki mx.helloworld.online cert
>"/etc/ssl/acme/mx.helloworld.online.fullchain.pem"
>pki mx.helloworld.online key
>"/etc/ssl/acme/private/mx.helloworld.online.key"
>
>Hope that helps in some way.

Thanks - I think I understand what is needed for verification to take place, and as I am using a public CA to generate the certs, at least in theory, the chain part should be well known and therefore not needed or actually unwanted if the far end is going to verify the cert. (Unless, of course, the CA has generated intermediate certs between the well known root cert and my cert, in which case the chain is required to bridge the gap.) Fullchain shouldn't really be required unless you have a self-signed thing or want to persuade the far end to add your root cert to its cert stash. Nonetheless I equally understand that many implementations want a full chain so it must be available.

The question is - how is the fullchain constructed - is it pki+ca or just pki, and if the latter then what is the ca statement meant to do for me?

Many thanks

John Cox
Confused by certificates
Hi

I'm using OpenSMTPD 6.4.0

I'm (at least) a little confused as to which sort of certs I should put in the pki cert and ca conf file entries (I can cope with the key entry!)

I have an apparently functional ACME setup using the default acme-client supplied with openbsd. This gives me 3 sorts of cert:

1) Bare cert
2) Chain cert
3) Full chain cert

I have pki cert set to the bare cert, and ca set to the chain cert - is that correct? or should I use the full chain cert for the pki cert?

I ask because whilst the setup mostly works I do get odd logging like this:

Jan 6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting address=smtp://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net
Jan 6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connected
Jan 6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta starttls ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
Jan 6 14:35:05 azathoth smtpd[87479]: smtp-out: Server certificate verification succeeded on session 92975635cb3d86a4
Jan 6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta delivery evpid=00fe7e3a0bda75cf from= to= rcpt= source="46.235.226.138" relay="212.54.58.11 (mx.mnd.ukmail.iss.as9143.net)" delay=1s result="Ok" stat="250 2.0.0 MXIN650 mail accepted for delivery ;id=g9W5guLw5a6xRg9W5gmZtD;sid=g9W5guLw5a6xR;mta=mx4.mnd;d=20190106;t=153505[CET];ipsrc=46.235.226.138;"
Jan 6 14:35:16 azathoth smtpd[87479]: smtp-out: Error on session 92975635cb3d86a4: opportunistic TLS failed, downgrading to plain
Jan 6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting address=smtp+notls://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net
Jan 6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta connected
Jan 6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta disconnected reason=quit messages=1

Where it seems to succeed with TLS and then it says that it has failed. What is going on?

Thanks

John Cox
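The certificate situations raised in this thread and in the "CA certificate stores?" thread above (a bare cert presented without its intermediate, the acme-client style full chain, and a verifying peer whose CA store does not contain the signing CA), replayed with throwaway certificates. This is an added example, not configuration from either post; every name and path is constructed and the only tool assumed is the openssl command line.

```shell
#!/bin/sh
# Added example (not the list posts' own config): reproduce the three
# certificate situations discussed in the threads above with throwaway
# certificates.  All names and paths are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Run openssl quietly; the interesting part is the verify result, not the
# key-generation chatter.
ossl() { openssl "$@" >/dev/null 2>&1; }

# newcert NAME SUBJECT EXTFILE [ISSUER]: key + CSR, then a certificate that
# is self-signed (no ISSUER) or issued by ISSUER's key.  Extensions come only
# from EXTFILE, so the result does not depend on the system openssl.cnf.
newcert() {
    ossl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr"
    if [ $# -ge 4 ]; then
        ossl x509 -req -days 1 -in "$WORK/$1.csr" -extfile "$3" \
            -CA "$WORK/$4.crt" -CAkey "$WORK/$4.key" -CAcreateserial \
            -out "$WORK/$1.crt"
    else
        ossl x509 -req -days 1 -in "$WORK/$1.csr" -extfile "$3" \
            -signkey "$WORK/$1.key" -out "$WORK/$1.crt"
    fi
}

# Constructed PKI: root CA -> intermediate CA -> server leaf, plus an
# unrelated self-signed CA ("other") that has never seen the leaf.
build_pki() {
    printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mx.example.test\n' \
        > "$WORK/leaf.ext"
    newcert root  "/CN=Example Root CA"         "$WORK/ca.ext"
    newcert other "/CN=Some Unrelated CA"       "$WORK/ca.ext"
    newcert inter "/CN=Example Intermediate CA" "$WORK/ca.ext"   root
    newcert leaf  "/CN=mx.example.test"         "$WORK/leaf.ext" inter
    # acme-client's "full chain": the leaf followed by the intermediate(s),
    # without the root.  This is the file a server should present.
    cat "$WORK/leaf.crt" "$WORK/inter.crt" > "$WORK/fullchain.pem"
}

# verify_leaf TRUSTFILE [PRESENTED]: TRUSTFILE stands for the verifying
# peer's CA store (plus whatever default store openssl has, which holds none
# of these constructed CAs); PRESENTED is the chain the server would send in
# the handshake.  Prints OK or FAIL instead of aborting.
verify_leaf() {
    if [ $# -ge 2 ]; then
        set -- -CAfile "$1" -untrusted "$2"
    else
        set -- -CAfile "$1"
    fi
    if openssl verify "$@" "$WORK/leaf.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Bare cert on its own: the peer trusts the root but cannot bridge the gap
# to the intermediate (the "missing chain" case).
bare_leaf()         { verify_leaf "$WORK/root.crt"; }
# Full chain presented, root trusted: verification succeeds.
full_chain()        { verify_leaf "$WORK/root.crt" "$WORK/fullchain.pem"; }
# Full chain presented, but the peer's store holds a different CA: what a
# private CA that the client side never imported looks like.
wrong_trust_store() { verify_leaf "$WORK/other.crt" "$WORK/fullchain.pem"; }

build_pki
echo "bare leaf, root trusted:           $(bare_leaf)"
echo "full chain, root trusted:          $(full_chain)"
echo "full chain, unrelated CA trusted:  $(wrong_trust_store)"
```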
Re: Filter withdrawals
On Mon, 12 Sep 2016 11:11:09 +0200, you wrote:

>>> I’d be up for it. Although I’m still running 5.9 on my mail server, I’m
>>> thinking of upgrading. I knew that filters are experimental (and really to
>>> test the API, not the filters themselves), however I’ve decided to use some
>>> of them and would like to continue doing so. The dnsbl is the one I’d miss
>>> the most.
>>>
>>> All other functionality in my config uses traditional approach, with
>>> relaying over smtp to a daemon (spamd, clamav, dkim_proxy, etc) listening
>>> on lo interface, and all seems to be working fine.
>>
>> Assuming that that is OpenBSD spamd then I may be able to help you
>> with your dnsbl desire.
>>
>> I have a python script that runs every 15 mins (inside the spamd
>> whitelist time) that checks for new entries, looks them up against a
>> dnsbl and blacklists if appropriate. Note that this code would be
>> provided "as is" & whilst it works for me I make no guarantees as to
>> anything. It probably isn't suitable for anything vaguely high
>> volume.
>>
>> A better hack than what I'm doing currently would be to abuse the
>> spamd sync feature which provides a much more timely notification of
>> activity, but I haven't found the round tuits to do it and am unlikely
>> to do so.
>
>I am very interested in that script as well. Would be great to have a
>blacklist function in spamd based on RBLs.

OK - I've exported my scripts to github

https://github.com/johncox44/spamd-util

As stated - these are just what I am using, written by me for my own use. I may attempt to improve the (frankly non-existent) documentation over the next couple of days. I don't have a lot of time to maintain them or add features but I will look kindly on patches and will at least consider feature requests.

Feel free to copy & adapt for your use

Regards

JC
Re: Filter withdrawals
>> On 6 Sep 2016, at 14:10, Edgar Pettijohn wrote:
>>
>> I'm thinking of starting a support group for others suffering from filter
>> withdrawal. Upgraded to 6.0 over the weekend and went back to using spampd
>> and sieve. Is there any other options besides amavis? I really miss
>> filter-regex. Haven't had any luck finding a replacement just curious if
>> anyone out there has any suggestions.
>
>Hi,
>
>I’d be up for it. Although I’m still running 5.9 on my mail server, I’m
>thinking of upgrading. I knew that filters are experimental (and really to
>test the API, not the filters themselves), however I’ve decided to use some of
>them and would like to continue doing so. The dnsbl is the one I’d miss the
>most.
>
>All other functionality in my config uses traditional approach, with relaying
>over smtp to a daemon (spamd, clamav, dkim_proxy, etc) listening on lo
>interface, and all seems to be working fine.

Assuming that that is OpenBSD spamd then I may be able to help you with your dnsbl desire.

I have a python script that runs every 15 mins (inside the spamd whitelist time) that checks for new entries, looks them up against a dnsbl and blacklists if appropriate. Note that this code would be provided "as is" & whilst it works for me I make no guarantees as to anything. It probably isn't suitable for anything vaguely high volume.

A better hack than what I'm doing currently would be to abuse the spamd sync feature which provides a much more timely notification of activity, but I haven't found the round tuits to do it and am unlikely to do so.

Regards

JC
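The DNSBL scanner JC describes here and in the "Re: RBLs" reply above (scan spamd state for new addresses, look them up in a DNSBL, cache the verdict and expire it), written out as an added example. This is not the dnsbl-scan.py attached to the list or anything from the spamd-util repository; it assumes spamdb(8)-style pipe-delimited input and takes the resolver as a parameter so that it runs offline against constructed sample data.

```python
"""DNSBL scan over spamd greylist state (added example, not dnsbl-scan.py).

Assumed rather than taken from the list posts: spamdb(8)-style
pipe-delimited input, and a pluggable resolver so this runs offline."""
import ipaddress
import socket
import time

DNSBL_ZONE = "zen.spamhaus.org"  # the zone the list post says the script queries

# Constructed spamdb-style lines (assumed GREY layout: type|ip|helo|from|to|
# first|pass|expire|block|pass).  RFC 5737 documentation addresses plus one
# RFC 1918 host, so none of them is a real sender.
SAMPLE_SPAMDB = """\
GREY|192.0.2.10|mail.example|<a@example.test>|<b@example.test>|1564000000|1564000500|1564014400|0|0
GREY|198.51.100.7|mx.example|<c@example.test>|<b@example.test>|1564000100|1564000600|1564014500|0|0
WHITE|203.0.113.5|||1563900000|1564000000|1567000000|3|12
GREY|10.0.0.5|internal|<x@example.test>|<b@example.test>|1564000200|1564000700|1564014600|0|0
TRAPPED|192.0.2.99|1564100000
"""

# Constructed stand-in for the DNS zone: query name -> A records returned.
FAKE_ZONE = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.4"],       # listed
    "7.100.51.198.zen.spamhaus.org": [],                # NXDOMAIN: not listed
    "5.113.0.203.zen.spamhaus.org": ["203.0.113.200"],  # bogus non-127 answer
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")

def should_query(ip):
    """Only public unicast IPv4 is worth asking a DNSBL about; the rest can
    never be listed and only adds load on the list operator."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return False  # IPv4 only in this example
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
        return False
    return not any(addr in net for net in RFC1918)

def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """DNSBL convention: octets reversed, then the zone (1.2.3.4 -> 4.3.2.1.zone)."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def classify(answers):
    """A listing is an A record inside 127.0.0.0/8.  Anything else is not a
    DNSBL answer (typically a resolver that wildcards NXDOMAIN) and must not
    be acted on, or every address checked would end up blacklisted."""
    if not answers:
        return "clean"
    try:
        if all(ipaddress.IPv4Address(a) in LISTED_RANGE for a in answers):
            return "listed"
    except ipaddress.AddressValueError:
        pass
    return "error"

def fake_resolver(name):
    return FAKE_ZONE.get(name, [])

def system_resolver(name):
    """Real lookup via the system resolver.  NXDOMAIN means not listed; any
    other failure is returned as a non-address so classify() reports an error."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror as exc:
        return [] if exc.errno == socket.EAI_NONAME else ["resolver-error"]
    return sorted({info[4][0] for info in infos})

def parse_spamdb(text):
    """Yield (state, ip) for GREY and WHITE entries; TRAPPED ones need no lookup."""
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) >= 2 and fields[0] in ("GREY", "WHITE"):
            yield fields[0], fields[1]

def scan(spamdb_text, resolve, cache, now=None, zone=DNSBL_ZONE, ttl=7 * 86400):
    """Return the addresses a wrapper would hand to `spamdb -a -t` (TRAPPED).
    cache maps ip -> (verdict, checked_at) and is updated in place; entries
    older than ttl are dropped so that a later listing is noticed."""
    now = time.time() if now is None else now
    for ip in [ip for ip, (_, checked) in cache.items() if now - checked > ttl]:
        del cache[ip]
    to_trap = []
    for _state, ip in parse_spamdb(spamdb_text):
        if not should_query(ip) or ip in cache:
            continue
        verdict = classify(resolve(dnsbl_query_name(ip, zone)))
        if verdict == "error":
            continue  # neither cached nor acted on; retried on the next run
        cache[ip] = (verdict, now)
        if verdict == "listed":
            to_trap.append(ip)
    return to_trap
```

Swap `fake_resolver` for `system_resolver` to query the real zone; the cache and the 127/8 check are what keep a resolver outage or a wildcarding resolver from trapping every greylisted host.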
Re: Incoming certificate verification
Hi

> [snip]
>yes, the rationale is explained in the commit log:
>
> Only enable SSL_VERIFY_PEER when the verify option is set on a listener.
>
> Always enabling SSL_VERIFY_PEER unnecessarily increases the number of
> messages/bytes in the TLS handshake and increases our attack surface,
> since we request and then process client certificates.

Well I guess I disagree with the "unnecessarily" there, but thanks for the info.

If I got together the effort to build a patch that gives an option to restore the old behaviour would:

(a) there be any chance of the patch being accepted (i.e. is it against policy to allow this option to be enabled)
(b) you prefer it to be a global or per-connection option and what would you like the syntax to be?

(No guarantees that I will be able to find the time but given it is functionality that I want I guess I should try and put in the effort)

Regards

JC
Re: Incoming certificate verification
Hi

>Hi,
>
>I had misunderstood your mail and the issue when I first read this
>so here's a new answer ;-)
>
>
>On Tue, May 17, 2016 at 08:47:09AM +0100, John Cox wrote:
>> Hi
>>
>> Since I upgraded to OpenBSD 5.9 (I think) I've been getting TLS
>> validation errors in the headers:
>>
>> TLS version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384
>> bits=256 verify=NO
>>
>> Prior to the upgrade I would get verify=YES. (I think it was the
>> upgrade to OpenBSD 5.9 and whichever OpenSMTPD that comes with it that
>> did it - it was certainly about that time)
>>
>> I have now upgraded OpenSMTPD to the current 5.9.2 release and that
>> makes no difference.
>>
>
>Following suggestions from one of our libressl hackers we now only request
>client certificate when 'tls-require verify' is specified.
>
>You can see the commit and rationale here:
>
>
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/ssl_smtpd.c?rev=1.10&content-type=text/x-cvsweb-markup
>
>
>verify=NO is the default, the only cases where you'll get another value
>is if you requested verify and it succeeded.

OK - Well at least it is working as intended. Can you (or they) explain the rationale behind this decision? I liked the old behaviour. Could I have an option to turn it on again (global or otherwise) please? I find more info is always useful when trying to work out what is going on.

Thanks

JC
Re: Incoming certificate verification
>There is a CA Option in smtpd.conf, for example (CA-ubuntu path)
>
>ca NAME certificate "/etc/ssl/certs/ca-certificates.crt"

Yes - but what I want is the verification of "random" senders (I don't want to reject them - I just want the trace in the headers like I used to get previously)

ca doesn't obviously do that - quoting the man page:

ca hostname certificate cafile
Associate a custom CA certificate located in cafile with hostname.

If we were using that syntax then what I want would be hostname = * (and I do use the ca keyword for my custom routes)

CApath / CAfile (and CRLfile) would normally be where to look up everything non-custom as used in sendmail & openssl.

Either way - this used to work and it doesn't now. I'm perfectly happy to believe that I need a config file change to get it to work again but what is wanted isn't obvious to me.

Regards

JC

>
>Regards,
>
>Marcel
>
>
>Am 17.05.2016 um 09:47 schrieb John Cox:
>> Hi
>>
>> Since I upgraded to OpenBSD 5.9 (I think) I've been getting TLS
>> validation errors in the headers:
>>
>> TLS version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384
>> bits=256 verify=NO
>>
>> Prior to the upgrade I would get verify=YES. (I think it was the
>> upgrade to OpenBSD 5.9 and whichever OpenSMTPD that comes with it that
>> did it - it was certainly about that time)
>>
>> I have now upgraded OpenSMTPD to the current 5.9.2 release and that
>> makes no difference.
>>
>> All logging suggests that cert validation is OK (though I note that I
>> only ever get that message on outgoing lines, and never on incoming)
>>
>> What does OpenSMTPD use as its default cert store - as far as I can
>> tell the .conf lacks CAfile or CApath options?
>>
>> Testing with openssl s_client suggests that my certs are generally in
>> order
>>
>> Any clues?
>>
>> Many thanks
>>
>> John Cox
>>
>>
>> Log file:
>>
>>
>> May 17 08:26:58 azathoth smtpd[18872]: info: OpenSMTPD 5.9.2 starting
>> May 17 08:27:47 azathoth smtpd[10532]: smtp-in: New session
>> 31086515f45c2260 from host smtp31.cix.co.uk [77.92.64.18]
>> May 17 08:27:48 azathoth smtpd[10532]: smtp-in: Started TLS on session
>> 31086515f45c2260: version=TLSv1, cipher=DHE-RSA-AES256-SHA, bits=256
>> May 17 08:27:48 azathoth smtpd[10532]: smtp-in: Accepted message
>> daa12d76 on session 31086515f45c2260: from=,
>> to=, size=793, ndest=1, proto=ESMTP
>> May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Connecting to
>> tls://10.44.0.3:25 (yidhra.outer.uphall.net) on session
>> 3108651f4a1f0980...
>> May 17 08:27:48 azathoth smtpd[10532]: smtp-in: Closing session
>> 31086515f45c2260
>> May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Connected on session
>> 3108651f4a1f0980
>> May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Started TLS on
>> session 3108651f4a1f0980: version=TLSv1.2,
>> cipher=ECDHE-RSA-CHACHA20-POLY1305, bits=256
>> May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Server certificate
>> verification succeeded on session 3108651f4a1f0980
>> May 17 08:27:48 azathoth smtpd[10532]: relay: Ok for daa12d76fa78afb9:
>> session=3108651f4a1f0980, from=, to=,
>> rcpt=<->, source=46.235.226.138, relay=10.44.0.3
>> (yidhra.outer.uphall.net), delay=0s, stat=250 2.0.0: f8f2d286 Message
>> accepted for delivery
>> May 17 08:27:58 azathoth smtpd[10532]: smtp-out: Closing session
>> 3108651f4a1f0980: 1 message sent.
>> #
>>
>>
>> Headers:
>>
>> Return-Path: j...@cix.co.uk
>> Delivered-To: j...@uphall.net
>> Received: from azathoth.uphall.net (azathoth.uphall.net
>> [46.235.226.138])
>> by yidhra.outer.uphall.net (OpenSMTPD) with ESMTPS id f8f2d286
>> TLS version=TLSv1.2 cipher=ECDHE-RSA-CHACHA20-POLY1305
>> bits=256 verify=NO
>> for ;
>> Tue, 17 May 2016 08:27:48 +0100 (BST)
>> Received: from smtp1.cix.co.uk (smtp31.cix.co.uk [77.92.64.18])
>> by azathoth.uphall.net (OpenSMTPD) with ESMTPS id daa12d76
>> TLS version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO
>> for ;
>> Tue, 17 May 2016 08:27:48 +0100 (BST)
>> Received: (qmail 22491 invoked from network); 17 May 2016 07:27:47
>> -
>> Received: from unknown (HELO Ithaqua.outer.uphall.net) (86.21.189.18)
>> by smtp1.cix.co.uk with ESMTPS (AES256-SHA encrypted); 17 May 2016
>> 07:27:47 -
>> From: John Cox
>> To: John home Cox
>> Subject: Incoming 2
>> Date: Tue, 17 May 2016 08:27:47 +0100
>> Message-ID:
>> User-Agent: ForteAgent/7.10.32.1212
>> MIME-Version: 1.0
>> Content-Type: text/plain; charset=us-ascii
>> Content-Transfer-Encoding: 7bit
>>
>>
Incoming certificate verification
Hi

Since I upgraded to OpenBSD 5.9 (I think) I've been getting TLS validation errors in the headers:

TLS version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO

Prior to the upgrade I would get verify=YES. (I think it was the upgrade to OpenBSD 5.9 and whichever OpenSMTPD that comes with it that did it - it was certainly about that time)

I have now upgraded OpenSMTPD to the current 5.9.2 release and that makes no difference.

All logging suggests that cert validation is OK (though I note that I only ever get that message on outgoing lines, and never on incoming)

What does OpenSMTPD use as its default cert store - as far as I can tell the .conf lacks CAfile or CApath options?

Testing with openssl s_client suggests that my certs are generally in order

Any clues?

Many thanks

John Cox

Log file:

May 17 08:26:58 azathoth smtpd[18872]: info: OpenSMTPD 5.9.2 starting
May 17 08:27:47 azathoth smtpd[10532]: smtp-in: New session 31086515f45c2260 from host smtp31.cix.co.uk [77.92.64.18]
May 17 08:27:48 azathoth smtpd[10532]: smtp-in: Started TLS on session 31086515f45c2260: version=TLSv1, cipher=DHE-RSA-AES256-SHA, bits=256
May 17 08:27:48 azathoth smtpd[10532]: smtp-in: Accepted message daa12d76 on session 31086515f45c2260: from=, to=, size=793, ndest=1, proto=ESMTP
May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Connecting to tls://10.44.0.3:25 (yidhra.outer.uphall.net) on session 3108651f4a1f0980...
May 17 08:27:48 azathoth smtpd[10532]: smtp-in: Closing session 31086515f45c2260
May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Connected on session 3108651f4a1f0980
May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Started TLS on session 3108651f4a1f0980: version=TLSv1.2, cipher=ECDHE-RSA-CHACHA20-POLY1305, bits=256
May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Server certificate verification succeeded on session 3108651f4a1f0980
May 17 08:27:48 azathoth smtpd[10532]: relay: Ok for daa12d76fa78afb9: session=3108651f4a1f0980, from=, to=, rcpt=<->, source=46.235.226.138, relay=10.44.0.3 (yidhra.outer.uphall.net), delay=0s, stat=250 2.0.0: f8f2d286 Message accepted for delivery
May 17 08:27:58 azathoth smtpd[10532]: smtp-out: Closing session 3108651f4a1f0980: 1 message sent.
#

Headers:

Return-Path: j...@cix.co.uk
Delivered-To: j...@uphall.net
Received: from azathoth.uphall.net (azathoth.uphall.net [46.235.226.138])
    by yidhra.outer.uphall.net (OpenSMTPD) with ESMTPS id f8f2d286
    TLS version=TLSv1.2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256 verify=NO
    for ;
    Tue, 17 May 2016 08:27:48 +0100 (BST)
Received: from smtp1.cix.co.uk (smtp31.cix.co.uk [77.92.64.18])
    by azathoth.uphall.net (OpenSMTPD) with ESMTPS id daa12d76
    TLS version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO
    for ;
    Tue, 17 May 2016 08:27:48 +0100 (BST)
Received: (qmail 22491 invoked from network); 17 May 2016 07:27:47 -
Received: from unknown (HELO Ithaqua.outer.uphall.net) (86.21.189.18)
    by smtp1.cix.co.uk with ESMTPS (AES256-SHA encrypted); 17 May 2016 07:27:47 -
From: John Cox
To: John home Cox
Subject: Incoming 2
Date: Tue, 17 May 2016 08:27:47 +0100
Message-ID:
User-Agent: ForteAgent/7.10.32.1212
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Re: forwarding email server & gmail
Hi

>Hi guys,
>
>I've been running OpenSMTPD for a long time now forwarding mail to my
>gmail account. It's a pretty basic rig - there are just a series of
>forwarding rules, and different @somedomain.com emails get forwarded
>to different @gmail.com emails. I have DKIM, SPF, and even DMARC all
>set up correctly. Outgoing emails that an authorized user on the MTA
>sends are DKIM signed. Forwarding emails aren't, which is the correct
>behavior.
>
>It turns out this all is a lot harder than I initially thought. Gmail
>often blocks spam at the SMTP level. My server tries to deliver to my
>gmail account a piece of spam email, gmail's SMTP servers say "no way
>josé here's error 502", and then my server generates a bounce email.
>This bounce email contains the spam contents of the email that was
>initially sent, meaning now my server is sending spam across the
>Internet! My fix for this was to patch [1] OpenSMTPD not to include
>the body of the email, but rather only the headers. This prevents my
>IP from being blacklisted _too_ quickly. But still, bounce messages
>are sent, and sometimes my IP does get banned by an organization I
>send email to, and I have to apply for whitelisting and it's a
>tremendous PITA. The other issue is that Google is now in the habit of
>replying "you're forwarding spam; don't do that; bye" to my server,
>and it doesn't know that my server is just forwarding the message. As
>such, my IP's reputation with Google is steadily becoming horrible
>over time.
>
>Is there a good one-stop fix for this? The whole reason I'm still
>using Gmail is because I like its spam filter! I certainly don't want
>to run an additional spam filter on my OpenSMTPD machine. Are there
>other configuration things I can do to make the situation better?

I feel your pain. AFAIK there is no perfect solution - you cannot fix this completely. There are a couple of things you can do (that I do)

1) Run spamd or equivalent on your MTA to cut down on the amount of spam you accept. The less you accept the less you forward. Spamd (as shipped with openbsd) setup is a whole different subject outside the scope of this email - I ended up with a chunk of python monitoring what it does and giving it hints.

1b) Opensmtpd filters may also be your friend for filtering spam but I haven't tried them yet.

2) Rewrite the sender of anything you forward to be forward...@mymta.com. That way the bounce DSNs get routed to your MTA and you stop sending to the outside world. This does mean that any legit bounces also come to you but by this stage you are expecting the delivery to work and getting early notification that it isn't might be valuable.

# Forwarding
# No destination as everything in should be reworked by
accept from any for domain recipient virtual
# Outgoing
accept from local for any recipient relay as "forward...@mymta.com" pki mymta.com tls

(Messages are from local by the time they have been rewritten)

Hope that helps

JC
Re: strange behavior on delivering messages
>accept tagged CLAM_OUT for domain virtual relay via \
>lmtp://127.0.0.1

So is this line finally legal? Earlier versions of opensmtp would not let you mix virtual and relay via... (it is something I have always wanted and the reason why I am still running sendmail on my gateway, but opensmtpd at the final stage)

Regards

JC
Re: Is my virtual user configuration correct?
>I tried putting this line in smtpd.conf to test
>
>accept from any for any alias relay
>
>and got this error when checking the config
>
>$ sudo smtpd -n
>/etc/mail/smtpd.conf:13: aliases/virtual may not be used with a relay rule

That restriction has annoyed me too as it seems the obvious way of setting up routes like this (which I want to do as well)

Regards

John Cox
Re: tls verify of CAcert certificates fails after upgrading to OpenBSD 5.6 and OpenSMTPD 5.4.3
Hi

>This week I upgraded one of my OpenSMTPD email servers to OpenBSD
>5.6/OpenSMTPD 5.4.3 and all of a sudden I started having all kinds of TLS
>cert verification interoperability problems with my existing FreeBSD
>OpenSMTPD 5.4.2 server.
>
>I was pulling my hair out trying to find out what the heck was going on. After
>much flailing and gnashing of teeth I finally found the answer.
>
>The CAcert root was pulled from OpenBSD 9 months ago, due to "strict
>requirements on
>redistribution".
>http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/Attic/cert.pem?rev=1.24&content-type=text/x-cvsweb-markup
>
>This really sucks, because now I have setup my own Root CA for all my
>private facing TLS only email servers or fork over yet more $$ to the
>worthless commercial cert racket.
>
>I know this wasn't anything directly caused by OpenSMTPD, but if anyone
>else is using CAcert.org certs and you're thinking about upgrading from
>OpenBSD 5.5 to 5.6, watch out for this.

If you only care about local interoperation why are you using an externally provided root cert, why not generate your own? I'll admit I haven't upgraded to 5.6 yet (and therefore to libressl) but under the old (openssl) regime it was easy enough to add your own root certificates to the main stash (or indeed add the CAcert.org one manually).

Regards

JC
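The do-it-yourself root CA that the reply recommends, as an added example that is not from the list post or from OpenSMTPD: a POSIX shell script that creates a private root CA with openssl, issues a host certificate signed by it, and checks the result with `openssl verify`, both against the issuing CA and against an unrelated one. The names (private-root, unrelated-root, mta.example) and the scratch directory are my own placeholders; nothing is written to the system certificate bundle.

```shell
#!/bin/sh
# Added example, not code from the list post or from OpenSMTPD: build a
# private root CA, sign a host certificate with it, and verify the chain
# the way a TLS peer would. Subject names and file names are placeholders.
set -eu

# Scratch directory for all generated material (override with WORK=...).
WORK="${WORK:-$(mktemp -d)}"

# make_root_ca NAME: self-signed root CA key + cert. With the stock
# openssl.cnf the default v3_ca extensions mark it CA:TRUE, so path
# validation accepts it as an issuer.
make_root_ca() {
    name="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# issue_host_cert HOST CANAME: key + CSR for HOST, signed by CANAME.
# The server certificate is deliberately NOT marked as a CA.
issue_host_cert() {
    host="$1"; caname="$2"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 365 \
        -in "$WORK/$host.csr" \
        -CA "$WORK/$caname.crt" -CAkey "$WORK/$caname.key" -CAcreateserial \
        -out "$WORK/$host.crt" >/dev/null 2>&1
}

# verify_against_ca CERT CAFILE: prints OK when CERT chains to CAFILE,
# FAIL otherwise (exit status stays 0 so callers can branch on the text).
verify_against_ca() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Stand-alone run: one trusted CA, one unrelated CA, one host cert.
demo() {
    make_root_ca private-root
    make_root_ca unrelated-root
    issue_host_cert mta.example private-root
    echo "against own CA:       $(verify_against_ca "$WORK/mta.example.crt" "$WORK/private-root.crt")"
    echo "against unrelated CA: $(verify_against_ca "$WORK/mta.example.crt" "$WORK/unrelated-root.crt")"
}

demo
```

The ca.crt produced here is the file a `ca` entry in smtpd.conf would name, or that you would append to the system bundle as the reply describes. The FAIL case is the same outcome an MTA reports when a peer presents a certificate that does not chain to any CA it has been told to trust, which is why a bundle change such as the CAcert removal quoted above surfaces as verification failures on the other side of the connection.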
Re: [OpenSMTPD] master snapshot opensmtpd-201410040015 available
On Sat, 4 Oct 2014 00:18:27 +0200 (CEST), you wrote:

>A new opensmtpd snapshot is available at:
>
>http://www.opensmtpd.org/archives/opensmtpd-201410040015.tar.gz
>
>Checksum:
>
> SHA256 (opensmtpd-201410040015.tar.gz) =
> 6802f24d70bada0287c212816b717941c0e6ad94e92e159f66010cdf16e5a6da
>
>A summary of the content of this snapshot is available below.
>
>Please test and let us know if it breaks something!
>
>If this snapshot doesn't work, please also test with a previous one,
>to help us spot where the issue is coming from. You can access all
>previous snapshots here:
>
>http://www.opensmtpd.org/archives/
>
>The OpenSMTPD team ;-)
>
>
>Summary of changes since last snapshot (opensmtpd-201410012007):
>---
>
>- introduce "limit session" keywords to replace hardcoded rcpt and mail
> limits in smtp [1]
>- DSA keys are currently unsupported, still not a reason to crash in the
> error path...
>- when no domain is specified on mail from or rcpt to, assume local user
>- fix support for tls+backup:// (accept ... relay backup tls)
>
>[1] Author: Renaud Allard

I'm not quite sure what goes wrong but this fails for me:

# smtpd -v -d
debug: init ssl-tree
info: loading pki information for yidhra.outer.uphall.net
info: OpenSMTPD 201410040015 starting
debug: bounce warning after 4h
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
info: startup [debug mode]
debug: parent_send_config_ruleset: reloading
filter: building simple chains...
debug: init ssl-tree
debug: parent_send_config: configuring pony process
filter: building complex chains...
info: loading pki keys for yidhra.outer.uphall.net
debug: parent_send_config: configuring ca process
filter: done building complex chains
debug: ca_engine_init: using RSAX engine support
debug: init private ssl-tree
debug: smtp: listen on 127.0.0.1 port 25 flags 0x401 pki "yidhra.outer.uphall.net"
debug: smtp: listen on IPv6:fe80::1%lo0 port 25 flags 0x401 pki "yidhra.outer.uphall.net"
debug: smtp: listen on IPv6:::1 port 25 flags 0x401 pki "yidhra.outer.uphall.net"
debug: smtp: listen on IPv6:fe80::6a05:caff:fe08:e7b1%em2 port 25 flags 0x401 pki "yidhra.outer.uphall.net"
debug: smtp: listen on 10.44.0.3 port 25 flags 0x401 pki "yidhra.outer.uphall.net"
debug: pony: rsae_init
debug: pony: rsae_init
debug: smtp: will accept at most 3503 clients
debug: queue: done loading queue into scheduler
debug: smtpd: scanning offline queue...
debug: smtpd: offline scanning done
debug: smtp: new client on listener: 0xe9edc7ef000
smtp-in: New session 07bcbbe39c23052f from host azathoth.uphall.net [46.235.226.138]
debug: lka: looking up pki "yidhra.outer.uphall.net"
debug: session_start_ssl: switching to SSL
debug: pony: rsae_priv_enc
debug: pony: rsae_init
debug: pony: rsae_init
debug: pony: rsae_pub_dec
debug: pony: rsae_bn_mod_exp
debug: pony: rsae_init
debug: pony: rsae_pub_dec
debug: pony: rsae_bn_mod_exp
debug: pony: rsae_pub_dec
debug: pony: rsae_bn_mod_exp
smtp-in: Started TLS on session 07bcbbe39c23052f: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
smtp-in: Client certificate verification succeeded on session 07bcbbe39c23052f
debug: smtp: SIZE in MAIL FROM command
warn: parent -> lka: pipe closed
warn: queue -> lka: pipe closed
warn: control -> lka: pipe closed
warn: scheduler -> queue: pipe closed
warn: ca -> control: pipe closed
warn: pony -> lka: pipe closed
#

Is there any other info that would be useful? I think I can make this happen quite reliably.

Regards

John Cox
Virtual + relay
Hi

I am using opensmtpd-201410040015

I am trying to set up a border smtpd. It does not ever want to deliver any mail locally, all mail should be either sent into the outside world or forwarded internally. So:

[Internet] <-> [Border] <-> [Internal] <-> {mailboxes + clients}

I have a few virtual users that want to be forwarded to the outside world whether the messages originate internally or externally so

table fwd-table {"a...@mydomain.com"="anne.of.clea...@henry8.com"}

So the obvious line for internal delivery is:

accept from any for domain "mydomain.com" virtual relay via tls://internal.mydomain.net pki border.mydomain.net verify

however I am not allowed to mix virtual and relay. Is there any reason for this? And what would be the "approved" method of doing what I want?

Many thanks

John Cox
Bounce message creation & delivery control
Hi

I have a set of email addresses that I forward on to other external addresses. I am getting a significant quantity of mail that targets these addresses but is rejected by the destination (because it is bad); the bounce message that I generate then fails to deliver because the sender was faked.

Is there any way of selectively disabling the creation of bounce messages? I still want bounce messages for anything sent from a local address that I've failed to send but I'd like to stop generating bounces for failures to forward that simply clog up my mailq 'cos they will never be delivered. Or possibly, better still, redirect the bounces to a local address so I can see what is happening if there is a real problem.

Thanks

JC
Re: [OpenSMTPD] master snapshot opensmtpd-201406192229 available
Hi

>User gilles has just rebuilt a master snapshot, available from:
>
>http://www.OpenSMTPD.org/archives/opensmtpd-201406192229.tar.gz
>
>Checksum:
>
> SHA256 (opensmtpd-201406192229.tar.gz) =
> bd9c30a68b94b2533e8fd93b9669014d91fb3a0f83578413a7acc692c7f29bea
>
>A summary of the content of this snapshot is available below.
>
>Please test and let us know if it breaks something!
>
>If this snapshot doesn't work, please also test with a previous one,
>to help us spot where the issue is coming from. You can access all
>previous snapshots here:
>
>http://www.opensmtpd.org/archives/
>
>The OpenSMTPD team ;-)
>
>
>Summary of changes since last snapshot (opensmtpd-201406192203):
>---
>
>- unfuck build on OpenBSD 5.5
...

At least on trivial testing this one seems to work :-)

Many thanks

John Cox
Re: wildcard support?
Hi

>I need to block some sender like "bounce--xxx@*" but I would like to
>configure like:
>
>
>table sender_deny { "bounce-*-*@*" }
>
>
>The below case is working well for www-data@*
>
>
>table sender_deny { "www-data@*" }

That feature would make me very happy too :-)

Thanks

John Cox
Re: How to configure encryption ciphers and SSL/TLS protocols
On Mon, 9 Jun 2014 10:16:43 +0200, you wrote:

>On Mon, Jun 09, 2014 at 08:39:52AM +0100, John Cox wrote:
>> Hi
>>
>> >>That's not correct no, I get plenty of TLS 1.0 traffic and it has been
>> >>the case for many years
>> >
>> >To parrot this on all of my various instances OpenSMTPD and not I get tons
>> >of TLS 1.0 and SSLv3 traffic, I wish I didn't but it still happens. Heck
>> >every now and again I see SSLv2 attempts which for most of my instances get
>> >killed. I haven't seen one on my OpenSMTPD instance yet but it's only time.
>> >But seriously for email any transport encryption is better than none and
>> >OpenSMTPD's default should be the best way to handle opportunistic TLS
>> >where you always try to use the highest protocol version supported with the
>> >best ciphers supported, and there shouldn't need to be a knob for it.
>>
>> Whilst I agree with what you are saying for general purpose mail
>> servers, I can see applications where enforced encryption levels are
>> worth having. I can see that some company gateways, where they know
>> all of the other endpoints, might wish to enforce appropriate
>> encryption as everybody who should be talking to that MTA should be
>> capable of it and anything else is therefore spam or hacking. This is
>> particularly plausible on any link where TLS or SSL is already
>> mandatory.
>>
>
>please define "enforced encryption levels" ?

Tricky - I don't have a specific use case in mind, but I worked on building a military email system (X.400 based - it was that long ago, though they may still use it for all I know) and they were pretty keen on nailing down exactly what was expected on each link.

>pretty much anyone tweaking ssl_ciphers will actually downgrade security
>or/and break interop with other servers. some people may know how to tie
>things further for their specific use-cases but the minute we add a knob
>other people will start using it and shoot themselves in the foot.

Sadly that is the case with pretty much all security, but the lack of an ability to check/filter based on what security level has been negotiated means that those people who _do_ know what they are doing can't. I'm still annoyed by the general (not smtpd particularly) impossibility of having usefully functioning CRLs, which are pretty much a requirement of any PK system but have been generally ignored to date.

>At the time being we're looking to is to have the bulk of users safe by
>default and we're looking for more:
>
> https://twitter.com/Mayeu/status/474109854651785216
>
>"the magic of OpenSMTPD, you do no TLS configuration and you're graded A
> by default <3 (test here: starttls.info)"

I do not disagree

>I'm not saying that this will hold true forever but at this point in time
>I would prefer that we don't have ssl_ciphers and that any improvement we
>do is made to the default until we exhausted all possibilities to do so.

Fair enough - I just felt it was worth adding another point of view to the discussion.

Thanks

JC
Re: How to configure encryption ciphers and SSL/TLS protocols
Hi

>>That's not correct no, I get plenty of TLS 1.0 traffic and it has been
>>the case for many years
>
>To parrot this on all of my various instances OpenSMTPD and not I get tons
>of TLS 1.0 and SSLv3 traffic, I wish I didn't but it still happens. Heck
>every now and again I see SSLv2 attempts which for most of my instances get
>killed. I haven't seen one on my OpenSMTPD instance yet but it's only time.
>But seriously for email any transport encryption is better than none and
>OpenSMTPD's default should be the best way to handle opportunistic TLS
>where you always try to use the highest protocol version supported with the
>best ciphers supported, and there shouldn't need to be a knob for it.

Whilst I agree with what you are saying for general purpose mail servers, I can see applications where enforced encryption levels are worth having. I can see that some company gateways, where they know all of the other endpoints, might wish to enforce appropriate encryption as everybody who should be talking to that MTA should be capable of it and anything else is therefore spam or hacking. This is particularly plausible on any link where TLS or SSL is already mandatory.

Regards

JC
Re: [OpenSMTPD] master snapshot opensmtpd-201405142324 available
Hi

>hi,
>
>can you reproduce the problem easily ?

I believe so - seemed to happen every time for every message, on an admittedly limited sample as I stopped trying to use it quite quickly at that point... If you want some specific debug I'm happy to try again.

Thanks

JC

>Gilles
>
>
>On Thu, May 15, 2014 at 09:21:04AM +0100, John Cox wrote:
>> Hi
>>
>> It almost works for me on OpenBSD5.5-stable.
>>
>> Compiles, runs, delivers and then dies
>>
>> Many thanks
>>
>> John Cox
>>
>> # smtpd -d -v
>> debug: init ssl-tree
>> info: loading pki information for yidhra.outer.uphall.net
>> info: OpenSMTPD 201405142324 starting
>> debug: bounce warning after 4h
>> debug: using "fs" queue backend
>> debug: using "ramqueue" scheduler backend
>> debug: using "ram" stat backend
>> info: startup [debug mode]
>> debug: parent_send_config_ruleset: reloading
>> filter: building simple chains...
>> debug: init ssl-tree
>> debug: parent_send_config: configuring pony process
>> filter: building complex chains...
>> info: loading pki keys for yidhra.outer.uphall.net
>> debug: parent_send_config: configuring ca process
>> filter: done building complex chains
>> filter: done building default chain
>> debug: init private ssl-tree
>> debug: ca_engine_init: using RSAX engine support
>> debug: smtp: listen on 127.0.0.1 port 25 flags 0x1 pki
>> "yidhra.outer.uphall.net"
>> debug: smtp: listen on IPv6:fe80::1%lo0 port 25 flags 0x1 pki
>> "yidhra.outer.uphall.net"
>> debug: smtp: listen on IPv6:::1 port 25 flags 0x1 pki
>> "yidhra.outer.uphall.net"
>> debug: smtp: listen on IPv6:fe80::6a05:caff:fe08:e7b1%em2 port 25
>> flags 0x1 pki "yidhra.outer.uphall.net"
>> debug: smtp: listen on 10.44.0.3 port 25 flags 0x1 pki
>> "yidhra.outer.uphall.net"
>> debug: pony: rsae_init
>> debug: pony: rsae_init
>> debug: smtp: will accept at most 3503 clients
>> debug: queue: done loading queue into scheduler
>> debug: smtpd: scanning offline queue...
>> debug: smtpd: offline scanning done
>> debug: smtp: new client on listener: 0x114602434000
>> smtp-in: New session 9485f27f7b43e5d1 from host 10.44.1.11
>> [10.44.1.11]
>> debug: lka: looking up pki "yidhra.outer.uphall.net"
>> debug: session_start_ssl: switching to SSL
>> smtp-in: No PKI entry for requested SNI "smtp.outer.uphall.net"on
>> session 9485f27f7b43e5d1
>> debug: pony: rsae_priv_dec
>> smtp-in: Started TLS on session 9485f27f7b43e5d1: version=TLSv1/SSLv3,
>> cipher=AES128-SHA, bits=128
>> smtp: 0x1145f9b6f000: fd 5 from queue
>> smtp: 0x1145f9b6f000: fd 7 from filter
>> debug: filter: tx data (255) for req 9485f27f7b43e5d1
>> debug: filter: tx data (314) for req 9485f27f7b43e5d1
>> debug: smtp: 0x1145f9b6f000: data io done (569 bytes)
>> filter: deferring eom query...
>> debug: filter: tx done for req 9485f27f7b43e5d1
>> filter: running eom query...
>> debug: 0x1145f9b6f000: end of message, msgflags=0x
>> smtp-in: Accepted message 62ceecb7 on session 9485f27f7b43e5d1:
>> from=, to=, size=569, ndest=1,
>> proto=ESMTP
>> debug: scheduler: evp:62ceecb7d179e5ef scheduled (mta)
>> debug: mta: received evp:62ceecb7d179e5ef for
>> debug: mta: draining
>> [relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=]
>> refcount=1, ntask=1, nconnector=0, nconn=0
>> debug: mta: querying MX for
>> [relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=]...
>> debug: mta:
>> [relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=]
>> waiting for MX
>> debug: MXs for domain azathoth.uphall.net:
>> 46.235.226.138 preference -1
>> debug: mta: ... got mx (0x114600112a20, azathoth.uphall.net,
>> [relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=])
>> debug: mta: draining
>> [relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=]
>> refcount=1, ntask=1, nconnector=0, nconn=0
>> debug: mta: querying source for
>> [relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=]...
>> debug: mta: ... got source for
>> [relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=]:
>> 10.44.0.3
>> debug: mta: new
>> [connector:10.44.0.3->[relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetabl
Re: [OpenSMTPD] master snapshot opensmtpd-201405142324 available
Hi

It almost works for me on OpenBSD5.5-stable.

Compiles, runs, delivers and then dies

Many thanks

John Cox

# smtpd -d -v
debug: init ssl-tree
info: loading pki information for yidhra.outer.uphall.net
info: OpenSMTPD 201405142324 starting
debug: bounce warning after 4h
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
info: startup [debug mode]
debug: parent_send_config_ruleset: reloading
filter: building simple chains...
debug: init ssl-tree
debug: parent_send_config: configuring pony process
filter: building complex chains...
info: loading pki keys for yidhra.outer.uphall.net
debug: parent_send_config: configuring ca process
filter: done building complex chains
filter: done building default chain
debug: init private ssl-tree
debug: ca_engine_init: using RSAX engine support
debug: smtp: listen on 127.0.0.1 port 25 flags 0x1 pki "yidhra.outer.uphall.net"
debug: smtp: listen on IPv6:fe80::1%lo0 port 25 flags 0x1 pki "yidhra.outer.uphall.net"
debug: smtp: listen on IPv6:::1 port 25 flags 0x1 pki "yidhra.outer.uphall.net"
debug: smtp: listen on IPv6:fe80::6a05:caff:fe08:e7b1%em2 port 25 flags 0x1 pki "yidhra.outer.uphall.net"
debug: smtp: listen on 10.44.0.3 port 25 flags 0x1 pki "yidhra.outer.uphall.net"
debug: pony: rsae_init
debug: pony: rsae_init
debug: smtp: will accept at most 3503 clients
debug: queue: done loading queue into scheduler
debug: smtpd: scanning offline queue...
debug: smtpd: offline scanning done
debug: smtp: new client on listener: 0x114602434000
smtp-in: New session 9485f27f7b43e5d1 from host 10.44.1.11 [10.44.1.11]
debug: lka: looking up pki "yidhra.outer.uphall.net"
debug: session_start_ssl: switching to SSL
smtp-in: No PKI entry for requested SNI "smtp.outer.uphall.net"on session 9485f27f7b43e5d1
debug: pony: rsae_priv_dec
smtp-in: Started TLS on session 9485f27f7b43e5d1: version=TLSv1/SSLv3, cipher=AES128-SHA, bits=128
smtp: 0x1145f9b6f000: fd 5 from queue
smtp: 0x1145f9b6f000: fd 7 from filter
debug: filter: tx data (255) for req 9485f27f7b43e5d1
debug: filter: tx data (314) for req 9485f27f7b43e5d1
debug: smtp: 0x1145f9b6f000: data io done (569 bytes)
filter: deferring eom query...
debug: filter: tx done for req 9485f27f7b43e5d1
filter: running eom query...
debug: 0x1145f9b6f000: end of message, msgflags=0x
smtp-in: Accepted message 62ceecb7 on session 9485f27f7b43e5d1: from=, to=, size=569, ndest=1, proto=ESMTP
debug: scheduler: evp:62ceecb7d179e5ef scheduled (mta)
debug: mta: received evp:62ceecb7d179e5ef for
debug: mta: draining [relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=] refcount=1, ntask=1, nconnector=0, nconn=0
debug: mta: querying MX for [relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=]...
debug: mta: [relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=] waiting for MX
debug: MXs for domain azathoth.uphall.net: 46.235.226.138 preference -1
debug: mta: ... got mx (0x114600112a20, azathoth.uphall.net, [relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=])
debug: mta: draining [relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=] refcount=1, ntask=1, nconnector=0, nconn=0
debug: mta: querying source for [relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=]...
debug: mta: ... got source for [relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=]: 10.44.0.3
debug: mta: new [connector:10.44.0.3->[relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=],0x1]
debug: mta: connecting with [connector:10.44.0.3->[relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=],0x0]
debug: mta-routing: searching new route for [connector:10.44.0.3->[relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=],0x0]...
debug: mta-routing: selecting candidate route 10.44.0.3 <-> 46.235.226.138
debug: mta-routing: spawning new connection on 10.44.0.3 <-> 46.235.226.138
debug: mta: 0x1145ff354000: spawned for relay [relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=]
debug: mta: connecting with [connector:10.44.0.3->[relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=],0x0]
debug: mta: cannot use [relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=] before 2s
debug: mta-routing: no route available for [connector:10.44.0.3->[relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=],0x0]: must wait a bit
debug: mta: retrying to connect on [connector:10.44.0.3->[relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=],0x0] in 2s
datalen mismatch with opensmtpd-201405121706 and permissions question
Hi

Having got the snapshot to compile on OpenBSD5.5-stable I tried it out. I get datalen errors when I try to send mail to it. Any clues? Everything works OK on 5.4.2. (run output below)

As a probably separate question, what permissions should there be on /var/spool/smtpd/*? I had to create user _smtpq to run the snapshot and it seemed to want ownership of most of that directory. Current setup - is this correct?:

# ls -la /var/spool/smtpd/
total 36
drwx--x--x    8 root    wheel   512 May 13 09:55 .
drwxr-xr-x   11 root    wheel   512 Mar  5 16:21 ..
drwx--       27 _smtpq  wheel  1024 Feb 23 11:44 corrupt
drwx--        2 _smtpq  wheel   512 May 13 09:59 incoming
drwxrwxrwt    2 root    wheel   512 Dec  9 20:27 offline
drwx--       16 _smtpq  wheel   512 May 13 09:55 purge
drwx--      258 _smtpq  wheel  3584 Feb 11 11:00 queue
drwx--        2 _smtpq  wheel   512 May 13 09:59 temporary
#

Many thanks

JC

# smtpd -d -v
debug: init ssl-tree
info: loading pki information for yidhra.outer.uphall.net
info: OpenSMTPD 201405121706 starting
debug: bounce warning after 4h
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
info: startup [debug mode]
debug: parent_send_config_ruleset: reloading
filter: building simple chains...
debug: init ssl-tree
debug: parent_send_config: configuring pony process
filter: building complex chains...
info: loading pki keys for yidhra.outer.uphall.net
debug: parent_send_config: configuring ca process
filter: done building complex chains
filter: done building default chain
debug: init private ssl-tree
debug: ca_engine_init: using RSAX engine support
debug: smtp: listen on 127.0.0.1 port 25 flags 0x1 pki "yidhra.outer.uphall.net"
debug: smtp: listen on IPv6:fe80::1%lo0 port 25 flags 0x1 pki "yidhra.outer.uphall.net"
debug: smtp: listen on IPv6:::1 port 25 flags 0x1 pki "yidhra.outer.uphall.net"
debug: smtp: listen on IPv6:fe80::6a05:caff:fe08:e7b1%em2 port 25 flags 0x1 pki "yidhra.outer.uphall.net"
debug: smtp: listen on 10.44.0.3 port 25 flags 0x1 pki "yidhra.outer.uphall.net"
debug: pony: rsae_init
debug: pony: rsae_init
debug: smtp: will accept at most 3503 clients
debug: queue: done loading queue into scheduler
debug: smtpd: scanning offline queue...
debug: smtpd: offline scanning done
debug: smtp: new client on listener: 0x56a7dae3000
smtp-in: New session fe1876ed47d20e57 from host 10.44.1.11 [10.44.1.11]
debug: lka: looking up pki "yidhra.outer.uphall.net"
debug: session_start_ssl: switching to SSL
smtp-in: No PKI entry for requested SNI "smtp.outer.uphall.net"on session fe1876ed47d20e57
debug: pony: rsae_priv_dec
smtp-in: Started TLS on session fe1876ed47d20e57: version=TLSv1/SSLv3, cipher=AES128-SHA, bits=128
smtp: 0x56a8451: fd 5 from queue
smtp: 0x56a8451: fd 7 from filter
debug: filter: tx data (255) for req fe1876ed47d20e57
debug: filter: tx data (314) for req fe1876ed47d20e57
debug: smtp: 0x56a8451: data io done (255 bytes)
smtp: 0x56a8451: eom. datalen=255
filter: datalen mismatch on session fe1876ed47d20e57: 569/255: Undefined error: 0
smtp-in: Failed command on session fe1876ed47d20e57: "DATA" => 530 Message rejected
debug: filter: tx done for req fe1876ed47d20e57
smtp-in: Received disconnect from session fe1876ed47d20e57
debug: smtp: 0x56a8451: deleting session: disconnected
debug: smtp: new client on listener: 0x56a7dae3000
smtp-in: New session fe1876f6e4a24c68 from host azathoth.uphall.net [46.235.226.138]
debug: lka: looking up pki "yidhra.outer.uphall.net"
debug: session_start_ssl: switching to SSL
debug: pony: rsae_priv_enc
debug: pony: rsae_init
debug: pony: rsae_init
debug: pony: rsae_pub_dec
debug: pony: rsae_bn_mod_exp
debug: pony: rsae_init
debug: pony: rsae_pub_dec
debug: pony: rsae_bn_mod_exp
debug: pony: rsae_pub_dec
debug: pony: rsae_bn_mod_exp
smtp-in: Started TLS on session fe1876f6e4a24c68: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
smtp-in: Client certificate verification succeeded on session fe1876f6e4a24c68
debug: smtp: SIZE in MAIL FROM command
debug: aliases_virtual_get: 'r...@yidhra.outer.uphall.net' resolved to 1 nodes
debug: aliases_get: returned 1 aliases
smtp: 0x56a8451: fd 5 from queue
smtp: 0x56a8451: fd 7 from filter
debug: filter: tx data (297) for req fe1876f6e4a24c68
debug: filter: tx data (2461) for req fe1876f6e4a24c68
debug: smtp: 0x56a8451: data io done (297 bytes)
smtp: 0x56a8451: eom. datalen=297
filter: datalen mismatch on session fe1876f6e4a24c68: 2758/297: Undefined error: 0
smtp-in: Failed command on session fe1876f6e4a24c68: "DATA" => 530 Message rejected
debug: filter: tx done for req fe1876f6e4a24c68
Re: Building snapshots on 5.5-stable?
Hi

>On Tue, May 06, 2014 at 10:17:01AM +0100, John Cox wrote:
>> Hi
>>
>> Is it possible to build snapshots on OpenBSD-5.5-Stable (built from
>> source because as far as I can tell the release ISO still contains
>> Heartbleed)?
>>
>> Neither the OpenBSD nor the Portable version works for me. I can
>> understand that the OpenBSD version tracks current and may fail to
>> build at any point, but I was hopeful that the portable version might
>> be more portable...
>>
>> I'd like to follow this project and maybe help if I ever have the time
>> (which is, at the moment, I admit, unlikely) but I really don't have
>> the time to try and follow OpenBSD-current
>>
>> Many thanks
>>
>> John Cox
>
>Hi,
>
>Sorry for the breakage. The new snapshot should now work on both
>current and stable. Please try it out.

Sadly it still doesn't build - the problem has moved on:

cc -O2 -pipe -I/home/jc/opensmtpd-201405071639/smtpd/../asr -g3 -ggdb -I/home/jc/opensmtpd-201405071639/smtpd/.. -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wshadow -Wpointer-arith -Wcast-qual -Wsign-compare -Wbounded -DIO_SSL -DQUEUE_PROFILING -c /home/jc/opensmtpd-201405071639/smtpd/../asr/res_query.c
/home/jc/opensmtpd-201405071639/smtpd/../asr/res_query.c: In function 'res_query':
/home/jc/opensmtpd-201405071639/smtpd/../asr/res_query.c:63: warning: comparison between signed and unsigned
/home/jc/opensmtpd-201405071639/smtpd/../asr/res_query.c: In function 'res_search':
/home/jc/opensmtpd-201405071639/smtpd/../asr/res_query.c:105: warning: comparison between signed and unsigned
cc -O2 -pipe -I/home/jc/opensmtpd-201405071639/smtpd/../asr -g3 -ggdb -I/home/jc/opensmtpd-201405071639/smtpd/.. -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wshadow -Wpointer-arith -Wcast-qual -Wsign-compare -Wbounded -DIO_SSL -DQUEUE_PROFILING -c /home/jc/opensmtpd-201405071639/smtpd/../res_search_async.c
cc -O2 -pipe -I/home/jc/opensmtpd-201405071639/smtpd/../asr -g3 -ggdb -I/home/jc/opensmtpd-201405071639/smtpd/.. -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wshadow -Wpointer-arith -Wcast-qual -Wsign-compare -Wbounded -DIO_SSL -DQUEUE_PROFILING -c /home/jc/opensmtpd-201405071639/smtpd/../asr/res_send.c
/home/jc/opensmtpd-201405071639/smtpd/../asr/res_send.c: In function '__res_send':
/home/jc/opensmtpd-201405071639/smtpd/../asr/res_send.c:55: warning: comparison between signed and unsigned
cc -O2 -pipe -I/home/jc/opensmtpd-201405071639/smtpd/../asr -g3 -ggdb -I/home/jc/opensmtpd-201405071639/smtpd/.. -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wshadow -Wpointer-arith -Wcast-qual -Wsign-compare -Wbounded -DIO_SSL -DQUEUE_PROFILING -c /home/jc/opensmtpd-201405071639/smtpd/../res_send_async.c
/home/jc/opensmtpd-201405071639/smtpd/../res_send_async.c: In function 'res_send_async':
/home/jc/opensmtpd-201405071639/smtpd/../res_send_async.c:70: warning: cast discards qualifiers from pointer target type
cc -O2 -pipe -I/home/jc/opensmtpd-201405071639/smtpd/../asr -g3 -ggdb -I/home/jc/opensmtpd-201405071639/smtpd/.. -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wshadow -Wpointer-arith -Wcast-qual -Wsign-compare -Wbounded -DIO_SSL -DQUEUE_PROFILING -c /home/jc/opensmtpd-201405071639/smtpd/../asr/sethostent.c
cc -O2 -pipe -I/home/jc/opensmtpd-201405071639/smtpd/../asr -g3 -ggdb -I/home/jc/opensmtpd-201405071639/smtpd/.. -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wshadow -Wpointer-arith -Wcast-qual -Wsign-compare -Wbounded -DIO_SSL -DQUEUE_PROFILING -c /home/jc/opensmtpd-201405071639/smtpd/../asr/event_asr_run.c
cc -o smtpd aliases.o bounce.o ca.o compress_backend.o config.o control.o crypto.o delivery.o dict.o dns.o envelope.o esc.o expand.o forward.o iobuf.o ioev.o limit.o lka.o lka_session.o log.o mda.o mproc.o mta.o mta_session.o parse.o pony.o queue.o queue_backend.o ruleset.o runq.o scheduler.o scheduler_backend.o smtp.o smtp_session.o smtpd.o ssl.o ssl_privsep.o ssl_smtpd.o stat_backend.o table.o to.o tree.o util.o waitq.o compress_gzip.o delivery_filename.o delivery_maildir.o delivery_mbox.o delivery_mda.o delivery_lmtp.o table_db.o table_getpwnam.o table_proc.o table_static.o queue_fs.o queue_null.o queue_proc.o queue_ram.o scheduler_ramqueue.o scheduler_null.o scheduler_proc.o stat_ramstat.o asr.o asr_debug.o asr_utils.o getaddrinfo.o getaddrinfo_async.o gethostnamadr.o gethostnamadr_async.o getnameinfo.o getnameinfo_async.o getnetnamadr.o getnetnamadr_async.o getrrsetbyname.o getrrsetbyname_async.o res_debug.o res_init.o res_mkquery.o res_query.o res_search_async.o res_send.o res_send_async.o sethostent.o event_asr_run.o -levent -lutil -lssl -lcrypto -lm -lz
asr.o(.text+0x5c7): In function `asr_resolver_done'
Building snapshots on 5.5-stable?
Hi

Is it possible to build snapshots on OpenBSD-5.5-Stable (built from source because as far as I can tell the release ISO still contains Heartbleed)? Neither the OpenBSD nor the Portable version works for me. I can understand that the OpenBSD version tracks current and may fail to build at any point, but I was hopeful that the portable version might be more portable...

I'd like to follow this project and maybe help if I ever have the time (which is, at the moment, I admit, unlikely) but I really don't have the time to try and follow OpenBSD-current

Many thanks

John Cox

Trying to build opensmtpd-201404151425 fails:

cc -O2 -pipe -I -DNEED_EVENT_ASR_RUN -g3 -ggdb -I/home/jc/opensmtpd-201404151425/smtpd/.. -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wshadow -Wpointer-arith -Wcast-qual -Wsign-compare -Wbounded -DIO_SSL -DQUEUE_PROFILING -c /home/jc/opensmtpd-201404151425/smtpd/../dict.c
cc -O2 -pipe -I -DNEED_EVENT_ASR_RUN -g3 -ggdb -I/home/jc/opensmtpd-201404151425/smtpd/.. 
-Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wshadow -Wpointer-arith -Wcast-qual -Wsign-compare -Wbounded -DIO_SSL -DQUEUE_PROFILING -c /home/jc/opensmtpd-201404151425/smtpd/../dns.c /home/jc/opensmtpd-201404151425/smtpd/../dns.c:32:17: error: asr.h: No such file or directory /home/jc/opensmtpd-201404151425/smtpd/../dns.c:58: warning: 'struct asr_result' declared inside parameter list /home/jc/opensmtpd-201404151425/smtpd/../dns.c:58: warning: its scope is only this definition or declaration, which is probably not what you want /home/jc/opensmtpd-201404151425/smtpd/../dns.c:59: warning: 'struct asr_result' declared inside parameter list /home/jc/opensmtpd-201404151425/smtpd/../dns.c:60: warning: 'struct asr_result' declared inside parameter list /home/jc/opensmtpd-201404151425/smtpd/../dns.c:61: warning: 'struct asr_result' declared inside parameter list /home/jc/opensmtpd-201404151425/smtpd/../dns.c: In function 'dns_imsg': /home/jc/opensmtpd-201404151425/smtpd/../dns.c:225: warning: implicit declaration of function 'getnameinfo_async' /home/jc/opensmtpd-201404151425/smtpd/../dns.c:226: warning: assignment makes pointer from integer without a cast /home/jc/opensmtpd-201404151425/smtpd/../dns.c:227: warning: implicit declaration of function 'event_asr_run' /home/jc/opensmtpd-201404151425/smtpd/../dns.c:253: warning: implicit declaration of function 'res_query_async' /home/jc/opensmtpd-201404151425/smtpd/../dns.c:253: warning: assignment makes pointer from integer without a cast /home/jc/opensmtpd-201404151425/smtpd/../dns.c:276: warning: assignment makes pointer from integer without a cast /home/jc/opensmtpd-201404151425/smtpd/../dns.c: At top level: /home/jc/opensmtpd-201404151425/smtpd/../dns.c:296: warning: 'struct asr_result' declared inside parameter list /home/jc/opensmtpd-201404151425/smtpd/../dns.c:297: error: conflicting types for 'dns_dispatch_host' /home/jc/opensmtpd-201404151425/smtpd/../dns.c:58: error: previous declaration of 
'dns_dispatch_host' was here /home/jc/opensmtpd-201404151425/smtpd/../dns.c: In function 'dns_dispatch_host': /home/jc/opensmtpd-201404151425/smtpd/../dns.c:304: error: dereferencing pointer to incomplete type /home/jc/opensmtpd-201404151425/smtpd/../dns.c:313: error: dereferencing pointer to incomplete type /home/jc/opensmtpd-201404151425/smtpd/../dns.c:314: error: dereferencing pointer to incomplete type /home/jc/opensmtpd-201404151425/smtpd/../dns.c:316: error: dereferencing pointer to incomplete type /home/jc/opensmtpd-201404151425/smtpd/../dns.c:317: error: dereferencing pointer to incomplete type /home/jc/opensmtpd-201404151425/smtpd/../dns.c: At top level: /home/jc/opensmtpd-201404151425/smtpd/../dns.c:330: warning: 'struct asr_result' declared inside parameter list /home/jc/opensmtpd-201404151425/smtpd/../dns.c:331: error: conflicting types for 'dns_dispatch_ptr' /home/jc/opensmtpd-201404151425/smtpd/../dns.c:59: error: previous declaration of 'dns_dispatch_ptr' was here /home/jc/opensmtpd-201404151425/smtpd/../dns.c: In function 'dns_dispatch_ptr': /home/jc/opensmtpd-201404151425/smtpd/../dns.c:337: error: dereferencing pointer to incomplete type /home/jc/opensmtpd-201404151425/smtpd/../dns.c:338: error: dereferencing pointer to incomplete type /home/jc/opensmtpd-201404151425/smtpd/../dns.c: At top level: /home/jc/opensmtpd-201404151425/smtpd/../dns.c:345: warning: 'struct asr_result' declared inside parameter list /home/jc/opensmtpd-201404151425/smtpd/../dns.c:346: error: conflicting types for 'dns_dispatch_mx' /home/jc/opensmtpd-201404151425/smtpd/../dns.c:60: error: previous declaration of 'dns_dispatch_mx' was here /home/jc/opensmtpd-201404151425/smtpd/../dns.c: In function 'dns_dispatch_mx': /home/jc/opensmtpd-20
Re: Should we use DKIM and SPF?
On Fri, 25 Apr 2014 06:55:48 -0700, you wrote:

>On Thu, Apr 24, 2014 at 11:13 AM, Ashish SHUKLA wrote:
>
>> On Sat, 19 Apr 2014 08:26:59 +0200, Martin Braun
>> said:
>> > Hi
>>
>> > I was thinking about adding DKIM and SPF to my OpenSMTPD setup as I
>> > have previously run with those, but I am in doubt.
>>
>> > I am thinking about the "worth" of those technologies?
>>
>> > I used to think SPF was a good idea, but SPF fails if someone forwards
>> > email to another server. Then the forwarding server is not listed in
>> > the SPF entry and the destination mail server will reject the email.
>>
>> SRS[1][2].
>>
>> References:
>> [1] http://www.openspf.org/SRS
>> [2] http://www.libsrs2.org/
>>
>> SPF itself is a decent idea this was just bound to happen since it makes
>the assumption that all valid mail from a domain
>only comes from servers that the domain knows about which may not
>necessarily be the case (see mailing lists) but this is
>one of the reasons to use both DKIM and SPF. generally if one passes it
>scores high enough to cancel out that the other failed.
>DKIM is supposed to prove that messages are authentic, not SPF. SPF is
>setup to prove that a sending server has the right
>to send on behalf of a domain. They really are meant to work hand in hand
>and solve different problems. So if you were using DKIM and SPF
>SRS would not be an issue since the DKIM info in the header proves the
>message came from a valid source.

Unfortunately the whole point of SPF (unlike Sender-ID which works much better and on much the same principles) is that you can reject the message before receiving it so you wouldn't have the DKIM stuff (which I think requires you to have the entire message?).

JC

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: Should we use DKIM and SPF?
Hi

>On Sat, 19 Apr 2014 08:26:59 +0200, Martin Braun
>said:
>> Hi
>
>> I was thinking about adding DKIM and SPF to my OpenSMTPD setup as I
>> have previously run with those, but I am in doubt.
>
>> I am thinking about the "worth" of those technologies?
>
>> I used to think SPF was a good idea, but SPF fails if someone forwards
>> email to another server. Then the forwarding server is not listed in
>> the SPF entry and the destination mail server will reject the email.
>
>SRS[1][2].
>
>References:
>[1] http://www.openspf.org/SRS
>[2] http://www.libsrs2.org/

Yes that does provide a (horrid) workaround (the mail from field was never meant to carry trace info), but it relies on _other mtas_ using it and in my experience a fair quantity don't. It is annoying to have your mail bounce just because you have set up correct SPF records.

JC
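The SRS rewrite discussed in the two messages above, shown as a worked example. This is an added illustration written for this page, not code from the thread, from libsrs2 or from OpenSMTPD; it follows the SRS0 address layout (hash, timestamp, original domain, original local part) but the secret, the day numbers, the 21-day bounce window and the addresses are constructed values. The forwarder rewrites the envelope sender to its own domain so the next hop's SPF check sees an authorised host, and the HMAC plus timestamp let it verify a returning bounce before unwrapping it, which is the check that keeps the rewritten address from becoming an open relay for bounces.

```python
"""SRS0 forward/reverse rewriting (added illustration, not libsrs2).

A forwarder that rewrites MAIL FROM to its own domain keeps SPF passing at the
next hop; the rewritten address carries an HMAC and a timestamp so that
bounces coming back can be verified before they are unwrapped and forwarded
to the original sender.
"""
import base64
import hashlib
import hmac

# Base32 alphabet used for the SRS timestamp (two characters, days mod 1024).
_TS_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
MAX_AGE_DAYS = 21  # constructed policy: bounces older than this are rejected


def _timestamp(day_number: int) -> str:
    """Encode an absolute day number into the two-character SRS timestamp."""
    d = day_number % 1024
    return _TS_ALPHABET[(d >> 5) & 31] + _TS_ALPHABET[d & 31]


def _decode_timestamp(ts: str) -> int:
    """Inverse of _timestamp: two base32 characters back to days mod 1024."""
    return (_TS_ALPHABET.index(ts[0].upper()) << 5) | _TS_ALPHABET.index(ts[1].upper())


def _hash(secret: bytes, ts: str, domain: str, local: str) -> str:
    """HMAC-SHA1 over the case-folded fields, base64, truncated to 4 chars."""
    msg = (ts + domain + local).lower().encode()
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:4]


def srs_forward(sender: str, forwarder_domain: str, secret: bytes, today: int) -> str:
    """Rewrite sender (user@orig.domain) into an SRS0 address at the forwarder."""
    local, _, domain = sender.rpartition("@")
    ts = _timestamp(today)
    h = _hash(secret, ts, domain, local)
    return f"SRS0={h}={ts}={domain}={local}@{forwarder_domain}"


def srs_reverse(address: str, secret: bytes, today: int):
    """Return the original sender if the SRS0 address verifies, else None.

    Verification fails on a wrong HMAC (forged or tampered address) and on a
    timestamp older than MAX_AGE_DAYS (replayed address).
    """
    local, _, _fwd = address.rpartition("@")
    if not local.upper().startswith("SRS0="):
        return None
    parts = local[5:].split("=", 3)
    if len(parts) != 4:
        return None
    h, ts, domain, orig_local = parts
    expected = _hash(secret, ts, domain, orig_local)
    if not hmac.compare_digest(h.encode(), expected.encode()):
        return None
    age = (today - _decode_timestamp(ts)) % 1024
    if age > MAX_AGE_DAYS:
        return None
    return f"{orig_local}@{domain}"


if __name__ == "__main__":
    # Constructed demo values: day 20000 as "today", forwarder fwd.example.org.
    key = b"constructed-secret"
    rewritten = srs_forward("alice@example.net", "fwd.example.org", key, 20000)
    print(rewritten)
    print(srs_reverse(rewritten, key, 20003))   # original sender
    print(srs_reverse(rewritten, key, 20030))   # None: too old
```

The forward direction is what a forwarding MTA applies to MAIL FROM before relaying on; the reverse direction is applied to RCPT TO of incoming bounces at the forwarder, and only an address that passes the HMAC and age checks is forwarded back to the original sender.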
Re: [OpenSMTPD] master snapshot opensmtpd-201403261203 available
Hi

>User gilles has just rebuilt a master snapshot, available from:
>
>http://www.OpenSMTPD.org/archives/opensmtpd-201403261203.tar.gz
>
>Checksum:
>
> SHA256 (opensmtpd-201403261203.tar.gz) =
> 3fc464a8a26aa3c7adcd1d79e69e2830a2b6ab8ce438d1f70becab11b00dfedb
>
>A summary of the content of this snapshot is available below.
>
>Please test and let us know if it breaks something!

I tried building the tar on OpenBSD 5.4 and got:

cc -o smtpd aliases.o bounce.o ca.o compress_backend.o config.o control.o crypto.o delivery.o dict.o dns.o envelope.o esc.o expand.o forward.o iobuf.o ioev.o limit.o lka.o lka_session.o log.o mda.o mfa.o mfa_session.o mproc.o mta.o mta_session.o parse.o queue.o queue_backend.o ruleset.o runq.o scheduler.o scheduler_backend.o smtp.o smtp_session.o smtpd.o ssl.o ssl_privsep.o ssl_smtpd.o stat_backend.o table.o to.o tree.o util.o waitq.o compress_gzip.o delivery_filename.o delivery_maildir.o delivery_mbox.o delivery_mda.o delivery_lmtp.o table_db.o table_getpwnam.o table_proc.o table_static.o queue_fs.o queue_null.o queue_proc.o queue_ram.o scheduler_ramqueue.o scheduler_null.o scheduler_proc.o stat_ramstat.o -levent -lutil -lssl -lcrypto -lm -lz
dns.o(.text+0x102): In function `async_event_dispatch':
/home/jc/opensmtpd-201403261203/smtpd/../dns.c:532: undefined reference to `asr_run'
collect2: ld returned 1 exit status
*** Error 1 in smtpd (:96 'smtpd')
*** Error 1 in /home/jc/opensmtpd-201403261203 (:48 'all')
$

Any clues?

Also it looks like there are no snapshot release tags in the git repository on github after opensmtpd-201402281146p1 Is this the case or has my git-foo failed me? (I'd prefer to use git to keep up to date rather than the tar files)

Many thanks

JC

>If this snapshot doesn't work, please also test with a previous one,
>to help us spot where the issue is coming from. You can access all
>previous snapshots here:
>
>http://www.opensmtpd.org/archives/
>
>The OpenSMTPD team ;-)
>
>
>Summary of changes since last snapshot (opensmtpd-201403051037):
>---
>
>- various minor ldap fixes, table_ldap still broken
>- attach filters to listeners instead of having a global chain
>- no longer create the local listener inside smtp_enqueue
>- at startup, create two "internal" listeners: local and bounces
>- have users enqueue through the local listener
>- have bounces enqueue through the bounces listener
>- allow plugging a filter chain to the enqueue listener
>- various internal structures cleanups
>- experimental lua binding filter
>- disable imsg buffers profiling unless requested
>- enqueuer no longer adds user-agent if missing
>
>- SMTPD_QUEUE_USER IS NOW MANDATORY !!!
>
>- more informative log message on unknown SNI.
>- remove old instructions about sendmail
>- do not wake up every 10 seconds to call purge_task
>- enqueuer now updates domain for From, To, Cc, Bcc headers
>- reword table error message to make it more clear
>- allow mda and lmtp deliveries to be done with a dedicated user
>- update asr related code after latest API changes
Re: Bounces without Bodies
>At 02:31 10-03-2014, Marcus MERIGHI wrote:
>>Which to me still seems unfixable as you did not provide anything
>>tangible.
>
>Some people use SPF.

SPF certainly looks like a useful tool for helping with checking sender identity, but it doesn't look even close to trivial to implement, and there may not be BSD-license libraries out there (I haven't looked)

But on the other hand if I am wrong about the ease of implementation then it looks like an excellent idea.

Regards

JC
Re: Bounces without Bodies
Hi

>> [snip]
>> Given the similarities in the feel of the conf file to pf.conf I would
>> try to tend towards that (well tested) model where possible to try and
>> keep the confusion for new users as low as possible.
>>
>
>I don't really agree here, the first match approach is much simpler when
>dealing with mail because you can view each rule as a template, either
>an envelope matches the template and goes in or it doesn't match the
>template and gets rejected. We don't deal with the many strange cases
>that PF has to deal with and using a first-match approach makes our
>rules evaluation much much simpler.

I think we are just going to have to disagree on this. And given that you are the one writing the code - you get the final say :-)

Many thanks

JC
Re: Bounces without Bodies
Hi

>>[snip]
>> as knobs for global default overrides, which can be overridden at the
>> rule level, like we do for "expire"
>
>All good points, and I'm inclined to agree with you that we receive
>some nice granularity by doing it on accept rather than on listen
>(since you've already solved the context issue I mentioned). One
>further suggestion along the same lines as your preference:
>
>What about unifying the global override with the rule-based config, to
>have one line that's something like:
>
>bounce from u...@domain.org with-body expire 4d
>bounce to ot...@otherdomain.org only-headers expire 5w
>bounce to @blah.org only-headers expire 20m
>bounce from @where.org with-body expire 8d
>bounce only-headers expire 1d

Is this in addition to the "accept" rules previously discussed or instead of it?

>And this would use the same rule based "first match" logic as all
>others. The precise meanings of "to" and "from" will need to be
>refined a bit further, but this is the general idea. What do you think
>of that?

First match feels OK to me in cases where processing stops on that line, but if processing continues then pf-like last match seems a better fit to me. Given the similarities in the feel of the conf file to pf.conf I would try to tend towards that (well tested) model where possible to try and keep the confusion for new users as low as possible.

Regards

JC
Re: Non "quick" virtual rules?
>[snip]
>Well you don't see the issue for your use-case, the issue is that
>for pretty much every other use-case this is not what's desired.

My argument would be that if you don't want that behaviour then you shouldn't use the modifier, however ...

>We discussed shortly a new kind of rules with eric@ yesterday, it
>is not too hard to implement so maybe we'll go that path. It is
>inspired by PF:
>
>match for any virtual tag MATCHED
>accept tagged MATCHED for any virtual relay
>accept for any relay
>
>this way you would only match the relay rule if the match rule has
>properly set the tag.

... that works for me too.

>we're not going to implement this for the time being, it still has
>to be discussed and the semantics clearly defined, but that's
>something that is likely to happen in the future.

Well as long as it is on the list then that is good.

Regards

JC
Re: Non "quick" virtual rules?
Hi

>> Is there any chance we could have a rule of the form
>>
>> accept for any virtual no-bounce relay
>>
>> such that if the virtual lookup fails then processing continues to the
>> next line rather than generating a bounce message. This would
>> simplify the generation of forwarding tables.
>>
>
>the "processing continues" is not going to happen because it leads to
>issues:
>
> accept for any virtual no-bounce relay
> accept for any relay
>
>and suddenly instead of failing you match another rule that was not
>meant to be matched, and the mail gets relayed instead of being
>rejected.

Actually that is exactly what I want to happen - I really don't see the issue. I can cope with rules that fall through (or don't if marked quick) in pf.conf and I can cope with it here.

>> Maybe
>>
>> accept for recipient virtual relay
>>
>> would do, where the 2nd entry in the vmap is ignored would do?
>>
>> What I'm trying to avoid is having to list users that I want forwarded
>> twice: once in a filter and once in a vmap, as that always leads to
>> mismatches and confusion. The solution would (of course) be to have a
>> script that auto-generates the appropriate files but I'd much rather
>> avoid that level of complexity if I can.
>>
>
>
>technically this can be made to work if using a backend that can
>share a table between different kinds of lookups (sql, ldap, ...)
>some people are using the same table for credentials and userbase
>using the sqlite backend for instance

I'd really prefer not to have to have an entire database setup just to run my MTA

Regards

JC
Non "quick" virtual rules?
Hi

Is there any chance we could have a rule of the form

accept for any virtual no-bounce relay

such that if the virtual lookup fails then processing continues to the next line rather than generating a bounce message. This would simplify the generation of forwarding tables.

Maybe

accept for recipient virtual relay

would do, where the 2nd entry in the vmap is ignored would do?

What I'm trying to avoid is having to list users that I want forwarded twice: once in a filter and once in a vmap, as that always leads to mismatches and confusion. The solution would (of course) be to have a script that auto-generates the appropriate files but I'd much rather avoid that level of complexity if I can.

Thanks

JC
Re: Bounces without Bodies
Hi

> [snip]
>if at the listen-level, we decide that it is not possible to have the
>mechanism apply to a specific domain, it applies to all domains that
>will be matched on that interface.
>
> listen on lo0 bounce all-content
> listen on fxp0 bounce headers-only
>
> accept from any for domain poolp.org deliver to maildir
> accept from any for domain opensmtpd.org deliver to maildir
>
>in this case, mail to @opensmtpd.org will have a different bounce
>strategy depending on the interface used to connect, but once
>connected to a specific interface, the bounce strategy will be the
>same for all domains.
>
>
>if at the rule-level, we decide that we can apply this to a specific
>domain but not another, so more granularity ...
>
> listen on lo0
> listen on fxp0
>
> accept from any for domain poolp.org deliver to maildir bounce all-content
> accept from any for domain opensmtpd.org deliver to maildir bounce
> headers-only
>
>in this case, it is when an envelope matches a rule that we decide which
>strategy we want to use. two different domains accessed from the same
>
>
>I favor the second one because using tags we can achieve hybrid models:
>
> listen on lo0 tag LOCAL
> listen on fxp0 tag EXTERNAL
>
> accept tagged LOCAL from any for domain poolp.org deliver to maildir bounce
> all-content
> accept tagged EXTERNAL from any for domain poolp.org deliver to maildir
> bounce headers-only
>
>where a single domain can have different policies depending on the
>interface it accepted mail from.

I like this (the second) model as I want to control DSN generation by destination as well as source. Or the fully mixed model where there are global defaults overridden by this sort of syntax

> [snip]

Many thanks

JC
Re: [OpenSMTPD] master snapshot opensmtpd-201402271419 available
Does this fix my maildir issue?

Thanks

JC

On Thu, 27 Feb 2014 14:23:01 +0100 (CET), you wrote:
>User gilles has just rebuilt a master snapshot, available from:
>
>http://www.OpenSMTPD.org/archives/opensmtpd-201402271419.tar.gz
>
>Checksum:
>
> SHA256 (opensmtpd-201402271419.tar.gz) =
> f11d4e516eb0474d321c5515646f9f05fa71382bbfaac6a8b6a886c534afa865
>
>A summary of the content of this snapshot is available below.
>
>Please test and let us know if it breaks something!
>
>If this snapshot doesn't work, please also test with a previous one,
>to help us spot where the issue is coming from. You can access all
>previous snapshots here:
>
>http://www.opensmtpd.org/archives/
>
>The OpenSMTPD team ;-)
>
>
>Summary of changes since last snapshot (opensmtpd-201402071556):
>---
>
>- sync man page changes from OpenBSD
>- tweak usage()
>- implement "smtpctl show status" [1]
>- do not lookup pki based on hostname if specified in listener
>- document table_socketmap
>- add support for initial-response for AUTH LOGIN [2]
>- in MTA block-tree use strcasecmp() to compare domains
>- fix off-by-one leading to bogus hoststats tree
>- fix possible crash in multi-message transactions, introduced by DSN
>
>[1] Author: Sunil Nimmagadda
>[2] Author: Nicolas EDEL
Why can't I have virtual and relay via together?
Hi

I have a m/c that receives mail on the border of my domain. It doesn't want to deliver any mail itself, it just wants to deliver to the mailstore. However it does want to do any required forwarding and/or rejection to prevent needless internal message traffic (and to prevent confusion if the message was spoofed). So I thought that this should work:

table localdomains {"example.net"}
table virtuser file:/etc/mail/virtuser
[pki stuff]
listen on all secure pki smarthost.example.net
accept from source mailstore.example.net\
  for !domain \
  relay pki smarthost.uphall.net
accept from !source mailstore.example.net\
  for domain virtual \
  relay via tls://mailstore.example.net pki smarthost.example.net

But I get

# smtpd -n
/etc/mail/smtpd.conf:22: aliases/virtual may not be used with a relay rule

I understand what the error is saying but why is this enforced?

Thanks

JC
Macro expansion
I tried to use this:

smarthost = "smarthost.example.net"
from any relay via tls://$smarthost

however from the debug it looks like the macro did not expand and (unsurprisingly) the system couldn't find the system "$smarthost" to relay to.

Should this work or is the macro prevented from expanding due to not being preceded by whitespace?

Could I use a macro for a longer bit of syntax e.g.

smart_relay = "relay via tls://smarthost.example.net pki smarthost.example.net verify"
from any smart_relay

And if so (a) how can I get quotes into a macro and (b) can I use other macros inside a macro?

Many thanks

John Cox
Re: cert.pem missing
Hi

>I see this in my logs a lot:
>Dec 9 19:17:51 frisell smtpd[8813]: warn: unable to load CA file
>/etc/ssl/cert.pem: No such file or directory
>
>
>On my system (gentoo), /etc/ssl/ has a directory called certs which
>has multiple pems. How to handle this?

I'm guessing slightly but, openssl has (at least) two schemes for handling certificate verification: bundles and directories with certificates (and hashes).

A bundle, which is what I think opensmtpd wants, is simply all the certs that you want to treat as roots concatenated into one file. There is sometimes a size limit on what works for this.

A directory, which is what sendmail seems to want, is a lot of files which each contains 1 cert with a file name derived from their hash value (or quite commonly sym links named after the hash value of the cert files they point to). I have some perl scripts that will take apart bundles and convert to the hash form, but not the other way round.

If you want to check that your bundle or dir is working correctly then "openssl verify" is your friend (you will need to read the man page carefully).

It is worth noting that from what I've read on this mailing list that

pki example.net ca /etc/ssl/certs.pem

is not the same thing as the sendmail

define(`confCACERT', `CERT_DIR/local_certs/ca_example.net.crt')

I believe that the pki line specifies a bundle to search for verification and I'm pretty sure that the sendmail line defines a cert (or small cert bundle) that is sent along with your local cert as a list of preferred ca's that the other end should use (and maybe can also show your chain of trust - I think this protocol element is often abused, misunderstood or ignored).

TLS is the next thing I intend to play with in my opensmtpd setup and I haven't had actual experience of setting it up yet so the above should be taken with a pinch of salt. But I have made sendmail's version work properly for me with both public root certs and locally generated certs at the same time so I have some background on what I'm expecting to happen.

Wishlist

pki example.net cacert_path /etc/ssl/certs

- equivalent to sendmail

define(`confCACERT_PATH', `CERT_DIR/certs')

also a source match on cert issuer and/or cert name like the sendmail access db line:

CertIssuer:/C=GB/ST=England/L=Gotham/O=WayneEnterprises/OU=BatCave/CN=cave.net/emailAddress=b...@cave.net RELAY

I use the above to allow relaying from any site that connects via TLS with a cert that I have signed without the need for separate auth. It also allows me to verify the cert chains of random sites that are relaying mail to me without letting them relay onwards.

Also CRL bundles or CRL dirs

Thanks

John Cox
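A worked example of the bundle-to-directory conversion described in the message above. This is an added example written for this page; it is not John's perl scripts, OpenSMTPD code or sendmail code. It splits a PEM bundle into one certificate per file, checking that each block decodes to a DER SEQUENCE before writing it, so a truncated or corrupted block in the bundle is dropped rather than silently copied into the trust directory. The sample bundle embedded in the block is constructed for the demonstration: its two blocks are minimal DER SEQUENCEs, not real certificates, one well formed and one with a wrong length.

```python
"""Split a PEM CA bundle into one file per certificate for an OpenSSL hashed
CA directory (added example; not OpenSMTPD, sendmail or the poster's scripts).

OpenSSL's "bundle" form is every trusted root concatenated into one PEM file;
its "directory" form is one certificate per file, looked up by a link named
after the subject hash.  This script does the splitting and validates each
block structurally; the hash-named links are then created with
`openssl rehash <dir>` (older releases ship the equivalent c_rehash script).
"""
import base64
import os
import re

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed stand-in for a CA bundle.  The blocks are minimal DER SEQUENCEs,
# not real certificates: the first is well formed (SEQUENCE { INTEGER 5 }),
# the second declares a length that does not match its content.
CONSTRUCTED_BUNDLE = """\
# comment lines outside the PEM markers are ignored, as in a real bundle
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAUCAQU=
-----END CERTIFICATE-----
"""


def der_is_sequence(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE: tag 0x30 and a length that
    accounts for the whole buffer (short form or long form up to 4 bytes)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        hdr = 2 + n
    return hdr + length == len(der)


def split_bundle(pem_text: str):
    """Return the DER bytes of every structurally valid certificate block."""
    certs = []
    for m in _PEM_RE.finditer(pem_text):
        try:
            der = base64.b64decode(m.group(1))   # newlines inside are skipped
        except ValueError:
            continue                             # undecodable block: drop it
        if der_is_sequence(der):
            certs.append(der)
    return certs


def write_cert_dir(pem_text: str, out_dir: str):
    """Write each valid certificate to out_dir/certN.pem; return the paths."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for i, der in enumerate(split_bundle(pem_text)):
        path = os.path.join(out_dir, f"cert{i}.pem")
        with open(path, "wb") as fh:
            fh.write(b"-----BEGIN CERTIFICATE-----\n")
            fh.write(base64.encodebytes(der))
            fh.write(b"-----END CERTIFICATE-----\n")
        paths.append(path)
    return paths


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        for p in write_cert_dir(CONSTRUCTED_BUNDLE, d):
            print("wrote", p)
        # real use: openssl rehash <dir>; then openssl verify -CApath <dir> host.pem
```

After splitting a real bundle, `openssl rehash` on the directory creates the hash-named links, and `openssl verify -CAfile bundle.pem host.pem` against `openssl verify -CApath dir host.pem` is the quick way to confirm that the two forms verify the same chain.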
Re: "source table" syntax
Thank you very much for your continuing explanations. I'll see if I can find time to fold some of what you have clarified into the wiki, but it might take till Christmas before I have any concentrated spare time to do that. (It might be nice if there was a link to the wiki somewhere obvious on www.opensmtpd.org as I'm not sure where it is meant to be - the wiki I found on github looks very empty)

> [snip]
>> I spent quite a while wondering why "from source em2 for any
>> deliver..." (where em2 is a valid interface used in a previous listen
>> statement) didn't do what I wanted (due to inadequate man reading).
>> Some sort of error or warning in cases like that would be useful or is
>> there some reason why it was accepted but just failed to match
>> anything I tried?
>>
>
>It is accepted because it's a string and we should support hostnames in
>there but now that you mention it we haven't tried this in a while as
>most people including ourselves use ip addresses, tables or networks
>here, I'll give a try and fix if it's broken.

So how was my em2 being interpreted? Was it being looked up and translated to an IP address via DNS (as em2.example.net) when the smtpd.conf was parsed or when a message comes in? In either of these two cases I would hope for at least a warning that it couldn't resolve. Or was it some sort of text match - if so against what?

Many thanks

John Cox

P.S. When, if ever, is smtpd.conf reread?
Re: Alias tables - why would you ever use alias rather than virtual?
Hi

Ah! thanks for that I now understand. But that does mean it is tricky to achieve something that delivers to all users and has a default without listing all users. I don't believe that this works?

table aliases { jimbo = jim }
table catch { "@" = clara }
accept for domain example.net alias deliver to mbox
accept for domain example.net virtual deliver to mbox

as the first line will match and bounces er...@example.net if ernie isn't a user without getting to the line below.

This isn't a problem for me as I have few enough users that listing all of them isn't any sort of an issue, but I can see it is something that might be wanted

Many thanks

John Cox

>> I'm clearly missing something here - it seems to me that virtual is a
>> pure superset of alias - why would you ever want to use alias?
>>
>> Thanks
>>
>
>Nope, virtual is not a superset of alias and it has different semantics.
>
>Think of it as follows:
>
>Whenever you send a mail to a mail system, you have an input and output.
>The input is the recipient mail address, the output is the end-user that
>can be local (including a program, a file, ...) or not.
>
>
>When dealing with aliases, you assume that the domain accepts mail for
>all of its system users. The aliases mapping does not need to know about
>every user on the system, it only needs to know about some possible
>transformations it should apply before the envelope is attempted for a
>delivery.
>
>When dealing with virtual, you assume that the domain does not accept
>mail for all system users. The virtual mapping has to know about every
>single recipient for a domain.
>
>Real-life example, take opensmtpd.org:
>
>table aliases { root = gilles }
>accept for domain opensmtpd.org alias deliver to mbox
>
>If you send mail to e...@opensmtpd.org it will work because he has a
>system account. If you send mail to root@, it will work because it's
>transformed to gilles@ who has a system account.
>
>table vmap { root = gilles }
>accept for domain opensmtpd.org vmap deliver to mbox
>
>now, no one but root@ is an acceptable input, so sending mail to
>r...@opensmtpd.org delivers to the system user gilles... but if
>you send mail to gil...@opensmtpd.org, it's not part of the input
>list and it's rejected.
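The alias versus virtual semantics explained in the quoted reply, and the first-match consequence John points out above it, as a small executable model. This is an added example written for this page and deliberately a simplification: it is not OpenSMTPD's ruleset code, only a model of the behaviour the reply describes (alias tables rewrite some recipients and fall back to the system user base; virtual tables must list every acceptable recipient, with "@" as the catch-all; a rule that matches the domain but cannot expand the recipient rejects rather than falling through). The user base, the tables and the external forwarding address are constructed sample values.

```python
"""Toy model of OpenSMTPD-style alias vs. virtual recipient expansion with
first-match rule evaluation (added example; a simplification, not OpenSMTPD).

- alias:   every system user of the domain is a valid recipient; the table
           only rewrites some of them.
- virtual: the table must list every acceptable recipient; a "@" key acts as
           the catch-all for the domain.
- An entry whose target is a full address becomes a relay instead of local
  delivery (the forwarding case discussed elsewhere in the thread).
- First match wins: a rule that matches the domain but cannot expand the
  recipient rejects it; later rules are never consulted.
"""

SYSTEM_USERS = {"jim", "clara", "gilles"}   # constructed sample user base


def rule(domain, kind, table):
    """Build one accept rule: kind is 'alias' or 'virtual'."""
    assert kind in ("alias", "virtual")
    return {"domain": domain, "kind": kind, "table": dict(table)}


def expand(kind, table, local):
    """Return ('local', user), ('relay', addr) or None if not accepted."""
    target = table.get(local)
    if target is None and kind == "virtual":
        target = table.get("@")                 # catch-all entry, if any
    if target is None:
        # alias: fall back to the system user base; virtual: reject
        if kind == "alias" and local in SYSTEM_USERS:
            return ("local", local)
        return None
    if "@" in target:
        return ("relay", target)                # external address: forward
    return ("local", target) if target in SYSTEM_USERS else None


def route(rules, rcpt):
    """First-match evaluation over the recipient's domain."""
    local, _, domain = rcpt.rpartition("@")
    for r in rules:
        if r["domain"] != domain:
            continue
        result = expand(r["kind"], r["table"], local)
        return result if result else ("reject", rcpt)
    return ("reject", rcpt)


# John's two-rule attempt: alias first, catch-all virtual second.
JOHN_RULES = [
    rule("example.net", "alias", {"jimbo": "jim"}),
    rule("example.net", "virtual", {"@": "clara"}),
]
# A single virtual rule that lists the rewrite and the catch-all together.
CATCH_ALL_RULES = [rule("example.net", "virtual", {"jimbo": "jim", "@": "clara"})]
# The opensmtpd.org virtual example from the reply.
OPENSMTPD_ORG_VIRTUAL = [rule("opensmtpd.org", "virtual", {"root": "gilles"})]
# An alias whose target is an external address (constructed address).
FORWARDING_RULES = [rule("example.net", "alias", {"xavier": "xavier@nomail.example"})]


if __name__ == "__main__":
    for rules, rcpt in [(JOHN_RULES, "ernie@example.net"),
                        (JOHN_RULES, "jimbo@example.net"),
                        (CATCH_ALL_RULES, "ernie@example.net"),
                        (OPENSMTPD_ORG_VIRTUAL, "gilles@opensmtpd.org"),
                        (OPENSMTPD_ORG_VIRTUAL, "root@opensmtpd.org"),
                        (FORWARDING_RULES, "xavier@example.net")]:
        print(rcpt, "->", route(rules, rcpt))
```

With JOHN_RULES, ernie@example.net is rejected by the alias rule before the virtual catch-all is reached, which is the behaviour he suspects; with CATCH_ALL_RULES the same recipient lands with clara because the one virtual table carries both the rewrite and the catch-all.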
Alias tables - why would you ever use alias rather than virtual?
Hi

I'm clearly missing something here - it seems to me that virtual is a pure superset of alias - why would you ever want to use alias?

Thanks

John Cox
"source table" syntax
Hi

I think that the definition of "from source table" in the man page has a small typo. It should be "from source " as the <>s are required for the table. If the <>s are omitted then an ip range can be used inline?

I spent quite a while wondering why "from source em2 for any deliver..." (where em2 is a valid interface used in a previous listen statement) didn't do what I wanted (due to inadequate man reading). Some sort of error or warning in cases like that would be useful or is there some reason why it was accepted but just failed to match anything I tried?

A small wishlist:

For static or file source tables or other cases where ip addresses can be resolved it would be nice if I could have {smarthost.example.net}.

It would also save a bunch of copy/paste (with consequent possible typos) if the syntax was extended to allow something like "from {local, source , $smarthost} for any deliver..." which would expand to 3 rules like a pf group.

Many thanks

John Cox
Re: How exactly do I get forwarding to work?
Hi

1st off, very many thanks for your prompt and illuminating reply. I'll get the current version of OpenSMTPD and try to make it work shortly. There's one bit I don't quite understand in your reply though:

>> accept from any for domain example.net\
>> alias \
>> deliver to maildir %(user.directory)/Maildir
>>
>> seems clearly wrong as we don't want to deliver there. So we have to
>> split the forwarding rules from the alias rules?
>>
>
>The "deliver" part is the default action, it will only be matched for
>aliases entries that map to local users, if a user has an alias that
>has an email address as a target, mail will match that action first
>so the deliver part will be discarded.

That is excellent, but could you expand on what happens there. The alias expands to an email address - so far so good - it isn't delivered locally because it isn't a local address - yes - but what happens next? Does smtpd run the entire ruleset over the new destination address from the start, does it continue to run the ruleset from the current line (i.e. earlier rules aren't checked) or is there some other auto-magic that forwards it to the right destination?

Sorry to take up your time, but I'd really like to understand what is actually meant to happen so I don't waste your time in the future.

Many thanks

John Cox
How exactly do I get forwarding to work?
Hi

I want to migrate from sendmail but I'm a bit confused by the documentation and as I don't have a dummy system to play on I thought I'd ask first rather than throwing (too much) legit mail down the plughole.

I have a vanilla OpenBSD 5.4 system with whichever version of OpenSMTPD comes with that.

I have a smarthost: smart.example.net to which I wish to send all outgoing mail
I am running on: server.internal.example.net
I want to deal with messages for example.net and fakedomain.co.uk
I want to relay & deliver messages sent to me from my local net.
I want to deliver messages sent from the smart host.
No messages should arrive from the "outside world" except from the smart host.

I have some local users: al...@example.net, b...@example.net, cl...@example.net
I have some virtual users: xav...@example.net, y...@example.net, zan...@example.net + all the usual system ones.
I have some dead users that I would like to bounce, preferably with custom error messages for some of them: noth...@example.net, oldc...@example.net (like you can in the sendmail access db)

Mail sent to fakedomain.co.uk should be delivered to clara

Some virtual users want to be delivered to local mailboxes and some want to be forwarded to external addresses
xavier -> e...@nomail.org
yola -> bob
zander -> fr...@external.com

clara would like all mail to local domains that is otherwise unrecognised to be delivered to her. (Actually, ideally, she would like anything matching clara-*@example.net to be delivered to her, but I suspect that wildcarding in aliases is a bit hopeful and I don't get it in sendmail without more effort than I'm prepared to put in)

All the local delivery stuff seems obvious enough, id rejection seems obvious though the custom error stuff is missing I think (I thought I'd seen mention of it but it isn't obvious in the man file now I look).

I'm much less sure about the forwarding - in sendmail simply adding the line

xavier: e...@nomail.org

to the aliases file does the trick, but

accept from any for domain example.net\
alias \
deliver to maildir %(user.directory)/Maildir

seems clearly wrong as we don't want to deliver there. So we have to split the forwarding rules from the alias rules?

accept from any for domain example.net\
virtual relay via tls://smart.example.net verify
accept from any for domain example.net\
alias \
deliver to maildir %(user.directory)/Maildir

This looks like it should work as long as a lack of match in causes the rule to fail - this isn't obvious one way or the other from the man page. Otherwise I guess I need a "recipient" filter - if so can this be the same table I use for the "virtual" mapping or is that illegal because it has values too?

I like the look of opensmtpd a lot, but a few more examples in the man pages or elsewhere with some of the alias & virtual tables populated might make understanding exactly what it can do a lot clearer.

Many thanks

John Cox
