How do I only allow relay for authenticated users?
Hi,

I just started with OpenSMTPD and I was able to get it up and running (with Dovecot) in just one day. It's a real pleasure to use and configure, so thank you!

My question is: how do I only allow relay for authenticated users?

Below is my current configuration, largely based on example 1 from the FAQ. I'm running from source with opensmtpd-201702130941p1.

table aliases file:/etc/mail/aliases
table domains file:/etc/mail/domains
table passwd passwd:/etc/mail/passwd
table users file:/etc/mail/users
table secrets file:/etc/mail/secrets

pki ${cubevar_app_email_host} certificate "/etc/letsencrypt/live/${cubevar_app_email_host}/fullchain.pem"
pki ${cubevar_app_email_host} key "/etc/letsencrypt/live/${cubevar_app_email_host}/privkey.pem"

listen on eth0 inet4 port 25 tls pki ${cubevar_app_email_host} auth-optional
listen on eth0 inet4 port 465 tls-require pki ${cubevar_app_email_host} auth
listen on eth0 inet4 port 587 tls-require pki ${cubevar_app_email_host} auth

accept from local for local alias deliver to lmtp "/run/dovecot/lmtp" rcpt-to
accept from any for domain virtual deliver to lmtp "/run/dovecot/lmtp" rcpt-to
#accept from any for any relay via tls+auth://la...@smtp.sendgrid.net auth

If I understand the above correctly, somebody could connect to port 25, not authenticate, but still send an email which would relay to sendgrid. However, I don't want to enforce authentication on 25 because then I can't receive email for my domains as an MX server.

-- Kevin

-- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: How do I only allow relay for authenticated users?
Hi,

On 09/24/2017 12:12 PM, Bruno Pagani wrote:
> Hi,
>
> On 24/09/2017 at 20:48, Kevin wrote:
> > My question is: how do I only allow relay for authenticated users?
> >
> > #accept from any for any relay via tls+auth://la...@smtp.sendgrid.net auth
>
> Just `accept from local` instead of `from any` in the line I've left above, and it should work the way you want. ;)

Ah! I see now in the man page: "Any remote sender that passed SMTPAUTH is treated as if it was the server's local user that was sending the mail. This means that filter rules using from local will be matched."

Thank you.

-- Kevin
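The failure mode Kevin describes (an unauthenticated peer on port 25 getting a message queued for the sendgrid relay) is exactly what an open-relay probe checks for. The following is an added example, not code from OpenSMTPD or from this thread: check_relay() opens a plain session, never authenticates, and asks to deliver to a domain the server is not an MX for; a 250 to that RCPT means the server is an open relay, a 5xx means the relay rule is only reachable by "local" (authenticated) senders. The PolicyHandler is a constructed stand-in for an MX running the corrected ruleset, so the example runs offline; point check_relay() at a real host and port to probe a live server. All domains and addresses are made up.

```python
"""Open-relay probe (added example; the stand-in MX below is constructed,
not OpenSMTPD). check_relay() works against any SMTP listener."""
import smtplib
import socketserver
import threading

LOCAL_DOMAINS = {"example.com"}   # assumption: domains the stand-in MX accepts mail for


class PolicyHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for an MX whose ruleset is
    'accept from any for domain <domains>' plus 'accept from local for any relay'
    on a listener that offers no AUTH: no session here is ever 'local', so
    RCPT TO a domain outside LOCAL_DOMAINS gets 550 instead of being queued."""

    def reply(self, *lines):
        self.wfile.write("".join(l + "\r\n" for l in lines).encode())

    def handle(self):
        self.reply("220 mx.example.com ESMTP")
        for raw in self.rfile:
            line = raw.decode(errors="replace").strip()
            verb = line.split(":", 1)[0].upper()        # 'MAIL FROM', 'RCPT TO', ...
            if verb.startswith(("EHLO", "HELO")):
                self.reply("250-mx.example.com", "250 8BITMIME")   # no AUTH advertised
            elif verb == "MAIL FROM":
                self.reply("250 2.1.0 Ok")
            elif verb == "RCPT TO":
                addr = line.split("<", 1)[1].split(">", 1)[0]
                if addr.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS:
                    self.reply("250 2.1.5 Ok")                     # 'for domain' rule
                else:
                    self.reply("550 5.7.1 Relaying denied")        # not local, not ours
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("502 5.5.1 Command not implemented")


def start_policy_server():
    """Start the stand-in MX on an ephemeral localhost port and return the port."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), PolicyHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def check_relay(host, port, sender="probe@example.net", rcpt="someone@example.org"):
    """EHLO, MAIL FROM, then RCPT TO an address the server is not responsible
    for, all without AUTH. Returns the RCPT reply code: 250 means the server
    would relay for anyone (open relay); 5xx means relay is denied. The context
    manager sends QUIT afterwards, so no message is ever handed over."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo("probe.example.net")
        code, _ = s.mail(sender)
        if code != 250:
            return code
        code, _ = s.rcpt(rcpt)
        return code


if __name__ == "__main__":
    port = start_policy_server()
    print("RCPT to a foreign domain:", check_relay("127.0.0.1", port))
    print("RCPT to our own domain:  ", check_relay("127.0.0.1", port, rcpt="bob@example.com"))
```

Run the probe from a host outside your own network as well as from the box itself: a rule written as `from local` matches the machine's own address too, so a test from localhost says nothing about what a stranger on port 25 can do.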
warn: unable to load CA file /etc/ssl/cert.pem: No such file or directory
Hi,

Relaying is working but I see the following in my logs:

warn: unable to load CA file /etc/ssl/cert.pem: No such file or directory
smtp-out: Server certificate verification failed on session [...]

I'm running on Fedora 26 and the CA certs file is located in /etc/pki/tls/cert.pem. I reconfigured and recompiled with the correct path:

# systemctl stop opensmtpd
# cd /usr/local/src/opensmtpd-201702130941p1/
# ./configure --with-path-CAfile=/etc/pki/tls/cert.pem
# grep -r /etc/pki/tls/cert.pem *
config.log:  $ ./configure --with-path-CAfile=/etc/pki/tls/cert.pem
config.log:CA_FILE='/etc/pki/tls/cert.pem'
config.status:ac_cs_config="'--with-path-CAfile=/etc/pki/tls/cert.pem'"
config.status:    set X /bin/sh './configure'  '--with-path-CAfile=/etc/pki/tls/cert.pem' $ac_configure_extra_args --no-create --no-recursion
config.status:S["CA_FILE"]="/etc/pki/tls/cert.pem"
contrib/libexec/encrypt/Makefile:CA_FILE = /etc/pki/tls/cert.pem
contrib/libexec/Makefile:CA_FILE = /etc/pki/tls/cert.pem
contrib/libexec/mail.local/Makefile:CA_FILE = /etc/pki/tls/cert.pem
contrib/Makefile:CA_FILE = /etc/pki/tls/cert.pem
Makefile:CA_FILE = /etc/pki/tls/cert.pem
mk/smtpctl/Makefile:CA_FILE = /etc/pki/tls/cert.pem
mk/smtpd/Makefile:CA_FILE = /etc/pki/tls/cert.pem
mk/Makefile:CA_FILE = /etc/pki/tls/cert.pem
openbsd-compat/Makefile:CA_FILE = /etc/pki/tls/cert.pem
# make
# sudo make install
# systemctl start opensmtpd

However, the problem reoccurs with a new mail. I can work around it with a symlink:

# ln -s /etc/pki/tls/cert.pem /etc/ssl/cert.pem

smtp-out: Server certificate verification succeeded on session [...]

But I thought it was worth reporting to check if I'm doing something wrong or there's a bug.

-- Kevin
pony express: smtpd: bind: Cannot assign requested address
" queue backend
smtpd[21205]: debug: using "ramqueue" scheduler backend
smtpd[21205]: debug: using "ram" stat backend
smtpd[21205]: setup_peer: pony express -> control[21203] fd=5
smtpd[21206]: debug: init ssl-tree
smtpd[21206]: info: loading pki information for db5.myplaceonline.com
smtpd[21206]: debug: init ca-tree
smtpd[21206]: debug: init ssl-tree
smtpd[21206]: info: loading pki keys for db5.myplaceonline.com
smtpd[21206]: debug: using "fs" queue backend
smtpd[21206]: debug: using "ramqueue" scheduler backend
smtpd[21206]: debug: using "ram" stat backend
smtpd[21206]: setup_peer: queue -> control[21203] fd=5
smtpd[21206]: setup_peer: queue -> pony express[21205] fd=6
smtpd[21206]: setup_peer: queue -> lookup[21204] fd=7
smtpd[21205]: setup_peer: pony express -> klondike[21202] fd=6
smtpd[21205]: setup_peer: pony express -> lookup[21204] fd=7
smtpd[21205]: setup_peer: pony express -> queue[21206] fd=8
smtpd[21205]: setup_proc: pony express done
smtpd[21201]: setup_done: pony[21205] done
smtpd[21206]: setup_peer: queue -> scheduler[21207] fd=8
smtpd[21206]: setup_proc: queue done
smtpd[21201]: setup_done: queue[21206] done
systemd[1]: opensmtpd.service: Unit entered failed state.
smtpd[21207]: setup_proc: scheduler done
systemd[1]: opensmtpd.service: Failed with result 'exit-code'.
smtpd[21207]: debug: bounce warning after 4h
smtpd[21201]: setup_done: scheduler[21207] done
smtpd[21201]: smtpd: setup done
smtpd[21205]: pony express: smtpd: bind: Cannot assign requested address
smtpd[21201]: debug: parent_send_config_ruleset: reloading
smtpd[21201]: debug: parent_send_config: configuring pony process
smtpd[21201]: debug: parent_send_config: configuring ca process
smtpd[21202]: debug: init private ssl-tree
smtpd[21203]: debug: control -> pony express: pipe closed
smtpd[21203]: debug: control agent exiting
smtpd[21206]: debug: queue -> pony express: pipe closed
smtpd[21207]: debug: scheduler -> control: pipe closed
smtpd[21207]: debug: scheduler agent exiting
smtpd[21202]: debug: ca -> control: pipe closed
smtpd[21202]: debug: ca agent exiting
smtpd[21206]: debug: queue agent exiting
smtpd[21201]: warn: parent -> pony: imsg_read: Connection reset by peer
smtpd[21201]: smtpd: exiting: Connection reset by peer
smtpd[21204]: debug: lka -> control: pipe closed
smtpd[21204]: debug: lookup agent exiting

Linux 4.12.13-200.fc25.x86_64

-- Kevin
unable to send mail from desktop mail client to remote email addresses
Hi all,

Having just followed the setup instructions on Gilles' HOWTO page here:

https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/

...I'm unable to send mail from my new OpenSMTPD server on OpenBSD 6.6-beta (OpenBSD 6.6-beta (GENERIC) #320: Mon Sep 30 21:24:24 MDT 2019); however, other deliveries (and mail retrieval) work.

The pertinent log message looks like this:

Oct  2 23:21:33 mx smtpd[25067]: bf1c57bab7fcd344 smtp envelope evpid=2c41c5fc4a7e6c06 from= to=
Oct  2 23:21:33 mx smtpd[25067]: bf1c57bab7fcd344 smtp disconnected reason=quit
Oct  2 23:21:38 mx smtpd[25067]: bf1c57b6b057c6ef mta error reason=Connection timeout

A couple of other relevant facts:

1. I can send mail from the command line to myself locally and download it via my mail client.
2. I can send mail from other external addresses and download it via my mail client.

My config files are ostensibly the same as those on the HOWTO page. Obviously happy to post them if needed.

Thanks,
Kevin
Re: unable to send mail from desktop mail client to remote email addresses
On Thu, Oct 3, 2019 at 12:36 AM Peter N. M. Hansteen wrote:
> On Wed, Oct 02, 2019 at 11:33:58PM -0700, Kevin wrote:
> > Hi all,
> >
> > Having just followed the setup instructions on Gilles' HOWTO page here:
> >
> > https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/
> >
> > ...I'm unable to send mail from my new OpenSMTPD server on OpenBSD 6.6-beta
> > (OpenBSD 6.6-beta (GENERIC) #320: Mon Sep 30 21:24:24 MDT 2019); however,
> > other deliveries (and mail retrieval) work.
> >
> > The pertinent log message looks like this:
> >
> > Oct  2 23:21:33 mx smtpd[25067]: bf1c57bab7fcd344 smtp envelope evpid=2c41c5fc4a7e6c06 from= to=
> > Oct  2 23:21:33 mx smtpd[25067]: bf1c57bab7fcd344 smtp disconnected reason=quit
> > Oct  2 23:21:38 mx smtpd[25067]: bf1c57b6b057c6ef mta error reason=Connection timeout
>
> Connection timeout sounds very much like your machine is not allowed to send
> outgoing mail via SMTP. Check for firewalls and the like.
>
> Also,
>
> [Thu Oct 03 09:24:37] peter@skapet:~$ host example.app
> Host example.app not found: 3(NXDOMAIN)
> [Thu Oct 03 09:24:43] peter@skapet:~$ host mx.example.app
> Host mx.example.app not found: 3(NXDOMAIN)
>
> Among the things you need in order to deliver mail, a valid domain is in
> the top few. I think the basic requirements are indeed listed in the article
> (under "Requirements"), please go back and re-read, check that you have
> all of those set up properly.

I can see why you might think that given that I altered the real domain name to example.app. (I know it's frowned upon; I only did it because this is a new machine with a setup hobbling along. Bad Kevin... bad...)

In any event, I'm *sure* the domain DNS part is right as I can _receive_ email just fine, including from the same @gmail address I'm writing this from, ergo, DNS resolution of the real domain (and its MX record) are fine.

As for pf being the issue; it's disabled.

# pfctl -s info
Status: Disabled for 0 days 08:23:56              Debug: err

Latest, greatest kernel running:

$ dmesg | grep Open | tail -1
OpenBSD 6.6 (GENERIC) #326: Wed Oct  2 22:34:33 MDT 2019

One of the things that's puzzling is this part of the log:

smtp disconnected reason=quit

If I can send the domain email, if I can retrieve email via Dovecot, if I can send mail to myself from the server's CLI (and even retrieve it remotely via my mail client), it seems like there's some knob missing that says, "All auth'd users to relay," yet, I've copied-and-pasted Gilles' rules (and edited them for my own domain), and it am no workie.

Is there perhaps something else akin to the forwarding knob that lets PF forward packets between interfaces that either I've forgotten or was skipped in the HOWTO?

Thanks,
Kevin
Re: unable to send mail from desktop mail client to remote email addresses
On Thu, Oct 3, 2019 at 8:55 AM Reio Remma wrote:
> On 03.10.2019 18:34, Kevin wrote:
> > If I can send the domain email, if I can retrieve email via Dovecot, if I
> > can send mail to myself from the server's CLI (and even retrieve it
> > remotely via my mail client), it seems like there's some knob missing that
> > says, "All auth'd users to relay," yet, I've copied-and-pasted Gilles'
> > rules (and edited them for my own domain), and it am no workie.
> >
> > Is there perhaps something else akin to the forwarding knob that lets PF
> > forward packets between interfaces that either I've forgotten or was
> > skipped in the HOWTO?
> >
> > Thanks,
> > Kevin
>
> What connection do you have?

Ironically / fittingly, Vultr, same as in Gilles' guide. Have been there for ~6 years now running OpenBSD for all my servers there.

> If it's a home connection, then most ISPs block sending mail directly to
> port 25 (on the destination server). You want a static IP for a mail
> server, with rDNS etc. set up.

rDNS is set up and matches the hostname.
Re: unable to send mail from desktop mail client to remote email addresses
2476 ?? I 11:41PM 0:00.02 dovecot/log
_dovecot 35238 0.0 0.2   616  2344 ?? I 11:41PM 0:00.02 dovecot/anvil
root     27271 0.0 0.5  2748  5300 ?? I 11:41PM 0:00.09 dovecot/config
_dovecot 24598 0.0 0.2   676  2480 ?? I 11:41PM 0:00.02 dovecot/stats
mx$ ps aux | grep spam
root     35077 0.0 0.4 41748  3756 ?? I 11:41PM 0:00.09 rspamd: main process (rspamd)
_rspamd  17847 0.0 0.7 41908  7380 ?? S 11:41PM 0:01.48 rspamd: rspamd_proxy process (localhost:11332) (rspamd)
_rspamd  35396 0.0 1.3 42840 13092 ?? S 11:41PM 0:08.62 rspamd: controller process (localhost:11334) (rspamd)
_rspamd   9697 0.0 1.0 42676  9896 ?? S 11:41PM 0:01.55 rspamd: normal process (localhost:11333) (rspamd)
_smtpd    2006 0.0 0.3 106116 3544 ?? I  9:41AM 0:00.01 /usr/local/libexec/smtpd/filter-rspamd
mx$ ps aux | grep redis
_redis   86838 0.0 0.3 14468  2860 ?? S 11:41PM 0:19.81 redis-server: /usr/local/sbin/redis-server 127.0.0.1:6379 (redis-server)

On Thu, Oct 3, 2019 at 9:11 AM Edgar Pettijohn wrote:
> Could you post your config.
>
> Thanks
>
> On Oct 3, 2019 10:34 AM, Kevin wrote:
> > [...]
Re: unable to send mail from desktop mail client to remote email addresses
On Thu, Oct 3, 2019 at 11:31 AM Nick Ryan wrote:
> Have you contacted vultr? Their faq states it could be blocked and it's
> worth checking with them.
>
> Do you allow outbound SMTP?
> <https://www.vultr.com/resources/faq/?query=Smtp#outboundsmtp>
>
> In some instances, outbound traffic to the SMTP port may be blocked for
> new accounts. If you encounter this restriction, contact our support team
> from the customer portal.

SOLVED! Winner, winner, chicken dinner!

Just reporting back here that Nick Ryan has nailed the issue: Vultr. Apparently they're borderline militant anti-spammers who block SMTP by default and also refuse to unblock it for you for any kind of promotional emailing, including to double- and triple-opt-in verified contacts. IOW: practically speaking, you can't use a Vultr instance for mailing anything resembling "marketing" emails, because, let's be honest here, you're GOING to get spam complaints... all businesses do, no matter how 'clean' your list and how white hat and ethical you are as a business.

Heck, I had an instance years ago where GoDaddy (hate them) threatened to revoke a domain registration because exactly *ONE* person complained that I was a spammer over the course of *years*. Said grouser had originally gotten onto my list back in 2008... I emailed him a handful of times a year for the next few years with no issues, then in 2014 (yes, six YEARS he was on my list), he complains to GoDaddy that I'd "spammed" him. (I didn't.) Luckily, I keep all the original sign-up info (IP, user_agent, etc.), so I was able to get out of the issue, but that *was* a complaint. Would Vultr terminate my hosting with them after that? From their TOS it sure seems like it.

S... as much as I like them technologically, I'm looking for a new ISP now. (Anyone got recommendations for cloud-based OpenBSD hosts? I'm done hosting bare metal...)

Thanks for the help everyone (double thanks to Nick Ryan), and let this serve as future notice to anyone who RTFAs: attempting to redact or withhold information when you're seeking help from the list is just stupid. Even the *tiniest detail* can be THE key to solving your issue. Disclose anything or figure it out on your own.

Kevin
Xombrero and the presentation link
Hi,

Firstly, I haven't used smtpd outside of its default config yet but intend to as a backup relay today and later move my main server, so thanks for creating OpenSMTPD.

When trying to view the presentation with xombrero I enabled javascript but the controls do not appear and using the url bar is a bit cumbersome. The following messages were shown in the console. Do you believe this to be a xombrero bug, but also, is javascript needed for navigation aside from to find browser bugs? ;-)

** Message: console message: https://www.opensmtpd.org/presentations/asiabsdcon2013-smtpd/ @0: Warning: Problem parsing viewBox="0 0 100 100%"
** Message: console message: https://www.opensmtpd.org/presentations/asiabsdcon2013-smtpd/ @0: Warning: Problem parsing viewBox="0 0 null null"
___ wrapped ___
** Message: console message: https://www.opensmtpd.org/presentations/asiabsdcon2013-smtpd/ @0: Warning: Problem parsing viewBox="0 0 100% 100%"
** Message: console message: https://www.opensmtpd.org/presentations/asiabsdcon2013-smtpd/ @0: Warning: Problem parsing viewBox="0 0 null null"
___

Thanks,
Kc

--
___
'Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface' (Doug McIlroy)
In Other Words - Don't design like polkit or systemd
___
Re: [Bulk] Xombrero and the presentation link
previously on this list Kevin Chadwick contributed:
> when trying to view the presentation with xombrero I enabled
> javascript but the controls do not appear and using the url bar is
> a bit cumbersome.

Print works well though; printing the whole presentation as a pdf.
slide 34 resolver not chrooted
If the only nameserver entry in /etc/resolv.conf is, say, 127.0.0.1 or localhost, such as when using unbound, couldn't opensmtpd's resolver read that line and chroot without issues like dhcp changes?
Re: slide 34 resolver not chrooted
On Thu, 7 Aug 2014 18:34:19 +0200 Alexander Schrijver wrote:
> > without issues like dhcp changes?
>
> I think the problem is that you can't read the file again after being
> chrooted. So you won't know if it's updated.

Yeah, I'm not sure whether it is worth the effort, but I was thinking: if a user has set a localhost as the nameserver then can we be very close to certain that they are not going to change the resolv.conf?
Re: slide 34 resolver not chrooted
On Thu, 7 Aug 2014 19:39:28 +0200 Alexander Schrijver wrote:
> > Yeah I'm not sure whether it is worth the effort but I was thinking if
> > a user has set a localhost as the nameserver then can we be very close
> > to certain that they are not going to change the resolv.conf?
>
> Having two DNS resolvers behave completely differently because they're using
> different configuration data seems confusing and dangerous to me.

In the localhost case? Changing your DNS randomly on a mail server seems confusing and dangerous to me. As a client, well, shouldn't you be using crypto/submission and not trusting DNS in any way?

All I am wondering is how many use base unbound or a static setup with opensmtpd and if there should at least be a knob to turn chroot on/off?
Re: slide 34 resolver not chrooted
On Thu, 7 Aug 2014 20:41:39 +0200 Gilles Chehade wrote:
> Nope, there's currently no way to turn off chrooting for the lookup process.
> It's not really a resolver thing, we could have the resolver code in a
> chroot with some refactoring, but we need a process that does not run
> chrooted for other lookup purposes and it's more convenient to have the
> resolver code handled by the process.

Fair enough and thanks for replying. I expected that there was probably more to it and it had already been considered and possibly discussed too much already.
Can smtps replace starttls and is there any point
I am not talking about submission, which I guess is what the smtps option is for, and I know GPG is the best method, and I also know that spamd causes plain text transmissions.

With STARTTLS I believe there is a clear text race where an attacker can create a response stating STARTTLS is unsupported, resulting in cleartext transmission, which I believe would not be the case for smtps. So is there any point in using secure?

I guess both can't be run on port 25 and I guess no-one would use SMTPS if it was running on port 25, but thought I would ask if anyone knew of an RFC for SMTPS on another port or replacing STARTTLS, or any other tips about this.

Thanks,
Kc
Re: Can smtps replace starttls and is there any point
previously on this list Kevin Chadwick contributed:
> With STARTTLS I believe there is a clear text race where an attacker can
> create a response stating STARTTLS is unsupported resulting in
> cleartext transmission which I believe would not be the case for smtps.

If, as I guess, there isn't any good solution? Would it be an idea, and how much effort would it be, to track servers supporting STARTTLS and refuse plain text in the future? Or is it enough to know a request for STARTTLS means that an IP supports STARTTLS for a short period?
Re: Can smtps replace starttls and is there any point
previously on this list Gilles Chehade contributed:
> > that connection can be man-in-the-middle'd, which leads to the attacker
> > being able to make it appear so that the mailserver doesn't support
> > STARTTLS.
> >
> > I've seen this in practice at my old school for one.
>
> Yes, I know that :-)
>
> But I don't understand why it is a problem.
>
> OpenSMTPD does opportunistic TLS and an attacker doing a MITM will only
> be able to skip STARTTLS in a situation where..., well... we would have
> fallen back to plaintext anyway if the server didn't offer STARTTLS.

I may well have confused you by the race part as my memory was obviously hazy and I was thinking there were multiple TCP sessions involved, sorry about that. I need to re-learn utilising greater consideration before posting.

RFC 3207:
___
A man-in-the-middle attack can be launched by deleting the "250 STARTTLS" response from the server. This would cause the client not to try to start a TLS session. Another man-in-the-middle attack is to allow the server to announce its STARTTLS capability, but to alter the client's request to start TLS and the server's response. In order to defend against such attacks both clients and servers MUST be able to be configured to require successful TLS negotiation of an appropriate cipher suite for selected hosts before messages can be successfully transferred. The additional option of using TLS when possible SHOULD also be provided. An implementation MAY provide the ability to record that TLS was used in communicating with a given peer and generating a warning if it is not used in a later session.
___

However, with SMTPS using a dedicated port means everything is encrypted from the get-go and bugs causing downgrade attacks have been fixed, rather than it being a design problem.

I guess what I was wondering was if anything has improved or if the last sentence above could be utilised, or optionally rejected rather than warned about, whilst taking on board DOS.

In my latter email I see now that I was forgetting that all a client sends is an EHLO and in any case the following could be modified by the attacker in the first place.

EHLO mail.example.com
STARTTLS-ENABLED
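The first attack in the RFC 3207 text quoted above, played out end to end, as an added example that is not part of this thread or of OpenSMTPD's code. Three pieces: capability_server() is a constructed stand-in for an MX that advertises STARTTLS, stripping_proxy() is the man-in-the-middle that deletes the `250-STARTTLS` line from the EHLO reply, and deliver_attempt() is a client applying either the opportunistic policy Gilles describes (fall back to plaintext) or the required-TLS policy the RFC says implementations MUST be able to be configured for (refuse to transfer). No TLS handshake is performed, since the stand-in has no certificate; what is demonstrated is the decision the client takes from the EHLO reply, which is where the downgrade happens. Hostnames are made up.

```python
"""STARTTLS stripping (RFC 3207, section 6). Added example with a constructed
stand-in MX and a constructed MITM proxy; not OpenSMTPD code."""
import smtplib
import socket
import threading


def _serve(handler):
    """Listen on an ephemeral localhost port, run handler(conn) per connection
    on a daemon thread, and return the port number."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)

    def loop():
        while True:
            conn, _ = lsock.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return lsock.getsockname()[1]


def _read_reply(f):
    """Read one SMTP reply; continuation lines carry '-' at index 3."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            return lines
        line = raw.decode(errors="replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return lines


def capability_server():
    """Stand-in MX (constructed): answers EHLO with STARTTLS in its capabilities."""
    def handle(conn):
        f = conn.makefile("rwb")

        def reply(*lines):
            f.write("".join(l + "\r\n" for l in lines).encode())
            f.flush()
        reply("220 mx.example.com ESMTP")
        for raw in f:
            cmd = raw.decode(errors="replace").strip().upper()
            if cmd.startswith("EHLO"):
                reply("250-mx.example.com", "250-STARTTLS", "250 8BITMIME")
            elif cmd.startswith("QUIT"):
                reply("221 2.0.0 Bye")
                break
            else:
                reply("502 5.5.1 Command not implemented")
        conn.close()
    return _serve(handle)


def stripping_proxy(upstream_port):
    """Man-in-the-middle: relays the session unchanged except that every
    STARTTLS line is deleted from server replies, so the client sees a server
    that 'does not support' TLS. SMTP is lock-step (one command, one reply),
    which is what makes this rewrite trivial for an attacker on the path."""
    def handle(client):
        up = socket.create_connection(("127.0.0.1", upstream_port))
        cf, uf = client.makefile("rwb"), up.makefile("rwb")
        try:
            while True:
                lines = _read_reply(uf)
                if not lines:
                    break
                kept = [l for l in lines if l[4:].strip().upper() != "STARTTLS"]
                kept[-1] = kept[-1][:3] + " " + kept[-1][4:]   # last line ends the reply
                cf.write("".join(l + "\r\n" for l in kept).encode())
                cf.flush()
                cmd = cf.readline()
                if not cmd:
                    break
                uf.write(cmd)
                uf.flush()
        finally:
            client.close()
            up.close()
    return _serve(handle)


def deliver_attempt(port, require_tls):
    """Client policy. 'tls' when STARTTLS was offered, 'plaintext' when an
    opportunistic client falls back, 'refused' when a required-TLS client
    declines to transfer (fail closed)."""
    with smtplib.SMTP("127.0.0.1", port, timeout=5) as s:
        s.ehlo("client.example.net")
        if s.has_extn("starttls"):
            return "tls"         # a real client calls s.starttls() and re-EHLOs here
        if require_tls:
            return "refused"
        return "plaintext"       # opportunistic: exactly what the MITM wants


if __name__ == "__main__":
    mx = capability_server()
    print("direct, opportunistic:  ", deliver_attempt(mx, require_tls=False))
    mitm = stripping_proxy(mx)
    print("via MITM, opportunistic:", deliver_attempt(mitm, require_tls=False))
    print("via MITM, TLS required: ", deliver_attempt(mitm, require_tls=True))
```

The proxy never touches the TCP layer or any certificate: stripping one line from a cleartext reply is enough, which is why the RFC's answer is a per-peer "require TLS" setting on the client rather than anything the server can do on port 25.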
and greyscanner
I may have come across some information about rewriting envelopes but I am struggling to find it right now.

With OpenSMTPD you can use bob+compa...@bobs.com, which is great.

My existing server however already uses bob-compa...@bobs.com and on that system I can specify the character after which the rest is forgotten, but many addresses are already in use with a - character.

Is it possible to change the character to a minus or rewrite the envelope, or better still use the same program I use with greyscanner for spamd with a recipient as an argument and so returning 1 or 0 for in smtpd.conf (greyscanner_checkrcpt.pl etc.)?

Thanks,
Kc
Re: [Bulk] and greyscanner
previously on this list Kevin Chadwick contributed:
> I may have come across some information about rewriting envelopes but I
> am struggling to find it right now.
>
> With OpenSMTPD you can use bob+compa...@bobs.com, which is great.
>
> My existing server however already uses bob-compa...@bobs.com and on
> that system I can specify the character after which the rest is
> forgotten but many addresses are already in use with a - character.
>
> Is it possible to change the character to a minus or rewrite the
> envelope or better still use the same program I use with greyscanner
> for spamd with a recipient as an argument and so returning 1 or 0 for
> in smtpd.conf (greyscanner_checkrcpt.pl etc.)?
>
> Thanks,
> Kc

I haven't the time to switch my main server now to opensmtpd, but when I do, would an external program check patch have a good chance of being accepted and so be worth looking at coding?
Re: [Bulk] and greyscanner
On Thu, 14 Aug 2014 02:35:10 +0200 Gilles Chehade wrote:
> An external program check has a very low chance of being accepted.
>
> We have a filter API that lets you do that kind of thing, you don't
> even need us to accept anything if you use it ;-)

Ok, thanks for the info. I'll look into the API and character changing ability, though I'm snowed under too, so it will be a while.

Cheers,
Kc
potential makemap man page improvements
Assuming it's correct I wonder if something along the lines of the following would improve the makemap man page virtual domains section. I tried a few different things to get majordomo and the power of virtual domains working, including a second deliver to mda before noticing the 'extension' keyword. Admittedly I should have realised but sometimes your concentration can run thin. Virtual domains being a complete map is also mentioned on the github wiki but I am not sure it is in the man pages yet? "Virtual domains represent a complete map of accepted addresses resulting in a ``550 Invalid Recipient'' message being returned for any non existing mapping. As an extension to aliases(5) everything that can be done with aliases(5) including piping to commands can also be done with virtual domains. The flexibility of virtual domains means that only a single accept rule within smtpd.conf(5) may match per domain." --- /usr/share/man/man8/makemap.8 Mon Jan 19 02:54:26 2015 +++ /tmp/man/man8/makemap.8 Sat Mar 14 15:58:41 2015 @@ -108,6 +108,20 @@ .Xr smtpd 8 will perform the lookups in that specific order. .Pp +Virtual domains represent a complete map of accepted addresses +resulting in a +.Dq 550 Invalid Recipient +message being returned for any non existing mapping. As an +extension to +.Xr aliases 5 +everything that can be done with +.Xr aliases 5 +including piping to commands can also be done with virtual +domains. The flexibility of virtual domains means that only a +single accept rule within +.Xr smtpd.conf 5 +may match per domain. +.Pp To create single virtual address, add .Dq u...@example.com user to the users map. -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
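Review bot: the last sentence of the added paragraph ("The flexibility of virtual domains means that only a single accept rule within smtpd.conf(5) may match per domain") asserts a restriction without telling the reader what it means in practice; either say what happens when two rules would match the same domain (which one is used, or that the second is unreachable) or drop the sentence, all the more since the cover mail prefixes the whole text with "Assuming it's correct". The "550 Invalid Recipient" wording should be checked against what smtpd actually returns before it goes into a man page, as the reader will grep logs for it. Style: mdoc expects each new sentence to start on a new source line, so break after "mapping." and after "domains." rather than continuing with "As an" and "The flexibility" on the same line (mandoc -Tlint reports this as "new sentence, new line").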
Case sensitivity in automatic folder filtering by tag
If the filesystem supports case sensitivity then I can understand users expecting the current behaviour, but it doesn't seem practical to me, and I couldn't see a format specifier to lowercase deliveries to Maildir expanding to just TAG.

When someone sends to a tag user+...@users.org and there is an existing folder Tag then it works great and I really love it, however I am sure I cannot always trust senders to keep the case correct.

Am I missing a configuration tweak? Or should traditional after-delivery filters be used in this case, or is a patch needed for a caseless folder search to be done, using the closest match in case of multiple folders?

Thanks,
Kc
Re: Case sensitivity in automatic folder filtering by tag
On Sat, 28 Mar 2015 08:55:24 -0700 Seth wrote:
> > If the filesystem supports case sensitivity then I can understand users
> > expecting the current behaviour but it doesn't seem practical to me and
> > I couldn't see a format specifier to lowercase deliveries to Maildir
> > expanding to just TAG.
> >
> > When someone sends to a tag user+...@users.org and there is an existing
> > folder Tag then it works great and I really love it, however I am sure
> > I cannot always trust senders to keep the case correct.
> >
> > Am I missing a configuration tweak?
>
> I use the lowercase delivery option to address this issue.
>
> accept from deliver to maildir
> "/var/vmaildir/%{dest.domain:lowercase}/%{dest.user:lowercase|strip}/mail/"

I was using %{user.username:lowercase}, which seems to deliver to the exact same place as %{dest.user:lowercase|strip}.

As far as I can tell so far, this has no bearing on lowercasing the TAG (the portion after the + and before the @).

%{rcpt:lowercase} could work but would break my dovecot config that relies on the username, and would create uglier directories too.

I guess there isn't a tweak currently, and so I should decide if I have time for a patch, the filter api or simply traditional client filtering as I had to use with qmail anyway.
Re: Case sensitivity in automatic folder filtering by tag
On Sat, 28 Mar 2015 08:55:24 -0700 Seth wrote:
> > > If the filesystem supports case sensitivity then I can understand users
> > > expecting the current behaviour but it doesn't seem practical to me and
> > > I couldn't see a format specifier to lowercase deliveries to Maildir
> > > expanding to just TAG.
> > >
> > > When someone sends to a tag user+...@users.org and there is an existing
> > > folder Tag then it works great and I really love it, however I am sure
> > > I cannot always trust senders to keep the case correct.
> > >
> > > Am I missing a configuration tweak?
> >
> > I use the lowercase delivery option to address this issue.
> >
> > accept from deliver to maildir
> > "/var/vmaildir/%{dest.domain:lowercase}/%{dest.user:lowercase|strip}/mail/"
> As far as I can tell so far, this has no bearing on lower casing the
> TAG? (portion after the + and before the @).

Doh! When I did that test I was editing the from any rule and sending from local. I thought it was strange that it did the same thing.

So... Ace, this feature can work this way, but you need a dot in front of the folder for IMAP client compatibility, and I'll have to find a way to automatically check for new folders regularly or on client startup.

/%{user.username}/.%{dest.user:lowercase}"

Still trying to decide if it's worse, but leaning to actually better? than a patch or filter which only delivers if the directory already exists (still creates both), and it may save me the time I haven't got.

Thanks.
Slight correction on "Does anyone else have an issue establishing a starttls to this host."
http://marc.info/?l=openbsd-misc&m=142842356024311&w=2

When I looked at the actual traffic it appeared that it gets one step further, and the connection actually stops at OpenSMTPD sending a client hello via STARTTLS with no further response from the other side.

If someone can say it happens to them too but not to any/many other hosts then I'd be glad to chalk it down to a bad implementation on their side? I haven't found any others like this yet.
Re: Slight correction on "Does anyone else have an issue establishing a starttls to this host."
On Wed, 08 Apr 2015 13:27:48 -0700 Seth wrote:
> Do you have a test email address we can try sending something to which
> uses that server?
>

Sent privately.

Also, whether this hangs:

/usr/bin/openssl s_client -connect mx5.demon.co.uk:25 -starttls smtp -CAfile /etc/ssl/cert.pem

> Starttls.info gives it a crappy score BTW
>
> Protocol
> Supports SSLV2. More info.
> Supports SSLV3.

That probably explains a lot and makes me feel better too.

Thanks
Re: Slight correction on "Does anyone else have an issue establishing a starttls to this host."
On Wed, 08 Apr 2015 19:55:52 -0700 Seth wrote:
> > Also, whether this hangs
> >
> > /usr/bin/openssl s_client -connect mx5.demon.co.uk:25 -starttls smtp
> > -CAfile /etc/ssl/cert.pem
>
> I ran the command above on an OpenBSD 5.6-release host and it stopped
> responding at the "250 8BITMIME" line at the bottom.

Hmm, now I am puzzled, as that is what should happen. You don't have /usr/bin/openssl and /usr/sbin/openssl installed, do you? I guess you ran the same as above but /usr/sbin on 5.6, as it has moved to /usr/bin/ on 5.7.

Also, have you applied the ssl patches from www.openbsd.org/errata56.html or by using mtier's openup tool (no building)? Particularly 005, that disables sslv3?

On my 5.6 box it stops at CONNECTED and the traffic shows client hello like for OpenSMTPD (well actually a certificate receipt can be seen in the encrypted traffic but not much more). -debug shows it ending with

Thanks
Should I add tls enforcement to issue 502
For a minute I thought the following, which my old server couldn't do, was possible. I know gpg is the solution, but getting people to use it can sometimes be easy and sometimes impossible, and so there are times when you are on the border of what you are comfortable sending in plain text.

accept tagged DKIM for any recipient relay tls
accept tagged DKIM for any recipient relay verify
accept tagged DKIM for any relay

Is there a way of doing this already and/or is it worth adding to a new issue or to the existing one, "https://github.com/OpenSMTPD/OpenSMTPD/issues/502" ("OpenSMTPd should accept alias rules in relay declarations #502")?

There is a DANE issue already, so maybe it's not necessary?
Re: Slight correction on "Does anyone else have an issue establishing a starttls to this host."
On Thu, 09 Apr 2015 09:54:17 -0700 Seth wrote:
> > On my 5.6 box it stops at CONNECTED and the traffic shows client hello
> > like for OpenSMTPD (well actually a certificate receipt can be seen in
> > the encrypted traffic but not much more).
>
> Only thing I can think of is that you're running a different version of
> LibreSSL. I can also try the command from a FreeBSD host if that's of any
> value.

I lowered my MTU to 1492 from 1500 and now it works fine. When I upgraded my connection to fibre I set the link to an MTU of 1508. I think I may have noticed that the ppp link didn't accept that though, or I've missed an MTU on a firewall and removed the max-mss.

So it seems demon.co.uk can't handle fragmentation, and neither does Yahoo, which I thought was a separate issue as it was switching between a reputation message and unexpected termination.

Thanks Seth for all the help and testing libressl, getting me to finally look at my own network, and sorry for the noise everyone.
Re: THE SAD STATE OF SMTP ENCRYPTION - is OpenSMTPD also vulnerable?
On Mon, 11 May 2015 17:15:35 +0200 Gilles Chehade wrote:
> I can't honestly recall if we still do this without checking first, but there
> was some code in OpenSMTPD to always attempt SMTPS before attempting STARTTLS
> when trying to do opportunistic crypto. This means that for hosts that would
> setup both SMTPS and STARTTLS, we would always take SMTPS.
>
> In practice, I'm not even sure we still do this because our stats showed that
> we _never_ exchanged with a host over SMTPS, no hosts ever offers it.

I wonder which is best, more likely and easier to accomplish or gain traction: SMTPS or DNSSEC?

DNSSEC causes problems, but people seem to be wanting it enough to implement it anyway, though many providers still, including I believe Google cloud dns, do not. I am still in two minds about it.

SMTPS would be best and doesn't create problems, but is getting traction mainly a matter of getting postfix, exim and opensmtpd to enable it "by default"? How long would either take to become widespread?
Re: smtpd fails on automatic startup
> >
> > For testing purposes, I changed my smtpd.conf to listen on 127.0.0.1
> > instead of enp0s4 and it did not crash on startup, so that tells me that
> > our
> > troubleshooting is on the right track.
> >
>
> Hmm, I also did some testing. I added "ExecStartPre=/usr/bin/ip a" to the
> smtpd service. That showed that the interface smtpd should listen on is
> already configured by the time smtpd starts, but it still fails with
> "fatal: smtpd: bind: Cannot assign requested address".
>
> I also ran smtpd straced, but that made the main process exit with status 1
> without reporting any error. So that didn't really help. I'm really curious
> what address smtpd is trying to bind to.
>
> --
> Maarten

Nothing personal, and I hope you get it sorted soon, but I can't help LMAO when I consider the arch list telling me systemd was "simpler", oh and NTP was simple and so why it hadn't had any security bugs found, among other things that have proven false/true! (At the same time I completely accept that it takes little skill but care and time to play it safe.)

I have always much preferred OpenBSD's rc scripts and init to most if not all, and don't like parallel start especially on HDD, but how about trying OpenRC or OpenBSD even? Would that not solve this problem, perhaps with added benefits WRT OpenBSD usage?

--
KISSIS - Keep It Simple So It's Securable
Re: The death of TLSv1.0
> All I know is that I don't want to be blacklisted by VISA and MasterCard
> because I'm failing PCI compliance. I want to continue accepting credit
> cards, but I also want to keep using stock OpenSMTPD on OpenBSD.

I guess I may be missing some idiocy of PCI DSS compliance, but why do you need incoming TLS SMTP connections and what does that have to do with VISA and Mastercard? STARTTLS is NOT secure *TODAY*, unfortunately, in almost if not any case or any encryption method. Are you using a client cert or something?

--
KISSIS - Keep It Simple So It's Securable
Re: latest OpenSSL causes OpenSMTPD to segv
> This impacts all users who upgrade to OpenSSL 1.0.2f and will cause smtpd
> to crash as soon as the RSA engine is used (ie: whenever there's crypto)
>
> A quick workaround is to not upgrade to 1.0.2f yet and maybe ask OpenSSL
> why a "patchlevel" release contains more than patches.
>
> Meanwhile, we're investigating how we're going to unfuck this.

Does this affect other projects? I am simply wondering what the odds are of this being hostility or stupidity?

--
KISSIS - Keep It Simple So It's Securable
Debugging MySQL backend
Hi,

I've been using opensmtpd for a few weeks for my personal e-mails, and it's been working well. At work we usually install postfix + postfixadmin + dovecot for our clients, but I've decided to try and replace postfix with opensmtpd. I am also trying to replace postfixadmin with vimbadmin, but that shouldn't really be relevant to my problem.

With my current setup, I get a 550 invalid recipient when I try to send an e-mail to an existing account on the server, and I can't figure out a way to debug the MySQL backend. Here are the configurations:

cat /etc/smtpd-mysql.conf

host        localhost
username    user
password    pass
database    vimbadmin

# Alias lookup query
#
# rows >= 0
# fields == 1 (user varchar)
#
query_alias SELECT goto AS user FROM alias WHERE address =? AND active = '1';

# Domain lookup query
#
# rows == 1
# fields == 1 (domain varchar)
#
query_domain SELECT domain FROM domain WHERE domain =? AND backupmx = '0' AND active = '1';

# User lookup query
#
# rows == 1
# fields == 3 (uid int, gid int, directory varchar)
#
query_userinfo SELECT uid, gid, homedir FROM mailbox WHERE username =? AND active = '1';

# Credentials lookup query
#
# rows == 1
# fields == 2 (username varchar, password varchar)
#
query_credentials SELECT username, password FROM mailbox WHERE username =? AND active = '1';

cat /etc/smtpd.conf

listen on localhost
table vusers mysql:/etc/smtpd-mysql.conf
table vdomains mysql:/etc/smtpd-mysql.conf
table aliases mysql:/etc/smtpd-mysql.conf
accept from any for domain virtual deliver to mda "/usr/lib/dovecot/dovecot-lda -f %{sender} -d %{dest}"
accept from local for any relay

I have changed the SQL queries according to the database, but even when I enable the global MySQL logs, I don't get the queries logged (only the prepare queries when I start smtpd). So I have no idea what queries opensmtpd is actually sending (or what results it gets), and when I run it in debug mode I don't get much information:

smtp-in: session 193a8b1376aabfb1: connection from host localhost [IPv6:::1] established
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
smtp-in: session 193a8b1376aabfb1: received invalid command: "RCPT TO: "

I'm guessing the results aren't formatted like opensmtpd is expecting them (since it's more targeted at dovecot and postfix), but I can't figure out what is wrong.

Thanks!

Regards,
Kevin Lemonnier
Re: Debugging MySQL backend
> can you run with -T tables -T lookup ?

Here is the output with this:

lookup: check "ipv6:::1" as NETADDR in table static: -> found
lookup: check "domain.tld" as DOMAIN in table proc:vdomains -> found
lookup: lookup "t...@domain.tld" as ALIAS in table proc:vusers -> "t...@domain.tld"
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
lookup: check "local" as NETADDR in table static: -> found
lookup: check "domain.tld" as DOMAIN in table proc:vdomains -> found
lookup: lookup "t...@domain.tld" as ALIAS in table proc:vusers -> "t...@domain.tld"
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
lookup: check "local" as NETADDR in table static: -> found
lookup: check "domain.tld" as DOMAIN in table proc:vdomains -> found
lookup: lookup "t...@domain.tld" as ALIAS in table proc:vusers -> "t...@domain.tld"
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
lookup: check "local" as NETADDR in table static: -> found
lookup: check "domain.tld" as DOMAIN in table proc:vdomains -> found
lookup: lookup "t...@domain.tld" as ALIAS in table proc:vusers -> "t...@domain.tld"
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
lookup: check "local" as NETADDR in table static: -> found
lookup: check "domain.tld" as DOMAIN in table proc:vdomains -> found
lookup: lookup "t...@domain.tld" as ALIAS in table proc:vusers -> "t...@domain.tld"
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
lookup: check "local" as NETADDR in table static: -> found
lookup: check "domain.tld" as DOMAIN in table proc:vdomains -> found
lookup: lookup "t...@domain.tld" as ALIAS in table proc:vusers -> "t...@domain.tld"
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
lookup: check "local" as NETADDR in table static: -> found
lookup: check "domain.tld" as DOMAIN in table proc:vdomains -> found
lookup: lookup "t...@domain.tld" as ALIAS in table proc:vusers -> "t...@domain.tld"
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
lookup: check "local" as NETADDR in table static: -> found
lookup: check "domain.tld" as DOMAIN in table proc:vdomains -> found
lookup: lookup "t...@domain.tld" as ALIAS in table proc:vusers -> "t...@domain.tld"
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
lookup: check "local" as NETADDR in table static: -> found
lookup: check "domain.tld" as DOMAIN in table proc:vdomains -> found
lookup: lookup "t...@domain.tld" as ALIAS in table proc:vusers -> "t...@domain.tld"
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
lookup: check "local" as NETADDR in table static: -> found
lookup: check "domain.tld" as DOMAIN in table proc:vdomains -> found
lookup: lookup "t...@domain.tld" as ALIAS in table proc:vusers -> "t...@domain.tld"
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
lookup: check "local" as NETADDR in table static: -> found
lookup: check "domain.tld" as DOMAIN in table proc:vdomains -> found
lookup: lookup "t...@domain.tld" as ALIAS in table proc:vusers -> "t...@domain.tld"
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
smtp-in: session 420e7f864e710497: received invalid command: "RCPT TO: "

Thanks for the help,
Kevin Lemonnier
Re: Password encryption
On Sun, 6 Aug 2017 14:32:16 +0200
> The next question would be ...why does it work for other ppl?

I use system accounts and some scripts, but if you need a database then I can't help.

It's not actually that difficult, once you work it out, to sync system pwd.db files, and you get the OpenBSD login system too. Not that I have done this, but I did use to create small pwd.db files inside web chroots. I've removed the need to now though.
Re: please share your configuration files with us
I sent my elansys one direct, should I have posted it to the list?
myca submission and letsencrypt smtp
Is it possible to have both? letsencrypt for tls on port 25 for remote servers to verify, and tls-require verify auth on port 587 permitting self-signed certificates signed by myca only for client authentication, without any risk of arbitrary CAs providing forged certificates.

Perhaps I can move /etc/ssl/cert.pem, though I guess that may break ftp etc.

I am trying to replace ssh for client access to mail as it cannot be as energy efficient, considering it is not email client controlled and so more like a VPN. I understand email isn't the most secure, but for internal comms on controlled servers it is secure and highly functional.

Thanks,
KC
Re: myca submission and letsencrypt smtp
Perhaps stunnel may work for port 25, though I guess I would lose some of opensmtpd's priv sep features.
Including remote addresses in smtpd syslog output
Hi folks,

I'm new around here. I'm a happy OpenSMTPD user (on FreeBSD), and I maintain SSHGuard (https://www.sshguard.net/), a program that reads system logs and adds temporary firewall rules. Some SSHGuard users want to use SSHGuard with OpenSMTPD.

OpenSMTPD 6.6.0 appears to log SMTP sessions:

May 26 00:20:00 mx01 smtpd[9904]: ce7a8154503699d2 smtp connected address=a.b.c.d host=a.b.c.d

Subsequent things that happen during that session look like:

May 26 00:20:00 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"

Chasing changes in syslog output is a part of maintaining software like SSHGuard. Unfortunately, my parser (which recently learned how to pledge!) is a bit dull and would require some re-education to remember SMTP sessions and their associated IP addresses.

So, my questions are:

Why did OpenSMTPD stop reporting IP addresses on every line?
Is there any chance that OpenSMTPD can put IP addresses back on every line?

Regards,
Kevin

--
Kevin Zheng
kevinz5...@gmail.com | kev...@berkeley.edu
XMPP: kev...@eecs.berkeley.edu
Re: Including remote addresses in smtpd syslog output
Hi Gilles,

On 5/26/20 12:04 AM, gil...@poolp.org wrote:
> We now provide a reporting API which is basically a stream of events that can
> be consumed by tools. It is a line-based format which is not meant to be read
> by humans but meant to be easily parsed by tools and that provides all of the
> information necessary to replicate the session states. Using this stream, one
> can write a tiny filter which aggregates info and outputs logs tailored for a
> specific third-party application with a guarantee that it won't break when we
> make a subtle change to the maillog format. If I were working on SSHGuard for
> example, I'd write an sshguard-exporter script that reads the stream and that
> outputs to syslog a format SSHguard recognizes. This way, an smtpd user would
> simply:
>
> filter sshguard proc-exec "sshguard-exporter"
> listen on all filter sshguard
> action "foobar" relay filter sshguard
>
> SSHguard itself would never need to be altered to follow changes in logs.

Thanks, makes sense to me. I was vaguely aware that actions and filters became available, but I didn't know that they could do this. I think this is exactly what I was looking for.

Thanks,
Kevin

--
Kevin Zheng
kevinz5...@gmail.com | kev...@berkeley.edu
XMPP: kev...@eecs.berkeley.edu
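The sshguard-exporter Gilles describes, written out as an added example (not code from the thread or from OpenSMTPD): it performs the filter handshake, records the client address from each session's link-connect event, and emits one line per failed AUTH with that address attached, which is the per-line IP that SSHGuard's parser wants. The report-line layout, the src address formats, and the link-auth parameter order are assumptions taken from smtpd-filters(7) as recalled, so check them against the installed version; the sample stream is constructed.

```python
#!/usr/bin/env python3
"""sshguard-exporter: an OpenSMTPD report filter that re-attaches the client
address to later events of the same session and emits one log line per failed
authentication, so a log parser never has to track SMTP sessions itself.

Added example, not code from the thread or from OpenSMTPD.  The wire format
assumed here (config|... handshake, register|report|smtp-in|<event>, and
report|<version>|<timestamp>|smtp-in|<event>|<session-id>|<params>) is from
smtpd-filters(7) as remembered; verify it against the installed version.
"""
import sys
import syslog
from typing import Callable, Dict, Iterable, List, Optional

EVENTS = ("link-connect", "link-auth", "link-disconnect")
AUTH_RESULTS = {"pass", "fail", "error"}


def client_ip(src: str) -> str:
    """Strip the port from the 'src' parameter of link-connect.

    Assumed layouts: "192.0.2.10:51234", "[IPv6:2001:db8::7]:40000", or the
    literal "local" for a connection over the unix socket.
    """
    if src == "local":
        return src
    if src.startswith("["):
        host = src[1:src.index("]")]
    else:
        host = src.rsplit(":", 1)[0]
    return host[len("IPv6:"):] if host.startswith("IPv6:") else host


class Exporter:
    """Per-session state plus the mapping from report events to log lines."""

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}  # session id -> client IP

    @staticmethod
    def registrations() -> List[str]:
        """Lines to send after config|ready: subscribe to the events we need."""
        return [f"register|report|smtp-in|{ev}" for ev in EVENTS] + ["register|ready"]

    def on_report(self, line: str) -> Optional[str]:
        """Consume one report line; return a log message for a failed AUTH."""
        fields = line.rstrip("\n").split("|")
        if len(fields) < 6 or fields[0] != "report" or fields[3] != "smtp-in":
            return None
        event, sid, params = fields[4], fields[5], fields[6:]
        if event == "link-connect" and len(params) >= 4:
            # params: rdns|fcrdns|src|dest
            self.sessions[sid] = client_ip(params[2])
        elif event == "link-auth" and len(params) >= 2:
            # Older protocol versions report username|result, newer ones
            # result|username (assumption); pick the field that is a result.
            a, b = params[0], params[1]
            result, user = (a, b) if a in AUTH_RESULTS else (b, a)
            if result != "pass":
                ip = self.sessions.get(sid, "unknown")
                return f"{sid} smtp failed-auth address={ip} user={user} result={result}"
        elif event == "link-disconnect":
            self.sessions.pop(sid, None)  # forget the session: no growth over long uptimes
        return None


def run(inp: Iterable[str], send: Callable[[str], None], log: Callable[[str], None]) -> None:
    """Filter loop: handshake until config|ready, then translate reports."""
    exp = Exporter()
    it = iter(inp)
    for line in it:
        if line.startswith("config|ready"):
            send("\n".join(exp.registrations()) + "\n")
            break
    for line in it:
        msg = exp.on_report(line)
        if msg:
            log(msg)


def export(lines: List[str]) -> List[str]:
    """Run the exporter over an in-memory stream; returns the emitted messages."""
    exp = Exporter()
    return [m for m in (exp.on_report(l) for l in lines) if m]


# Constructed sample stream (RFC 5737/3849 documentation addresses), not captured output.
SAMPLE = [
    "config|smtpd-version|6.6.0",
    "config|ready",
    "report|0.4|1590452400.000001|smtp-in|link-connect|ce7a8154503699d2|mx.example|pass|192.0.2.10:51234|198.51.100.5:25",
    "report|0.4|1590452401.000002|smtp-in|link-auth|ce7a8154503699d2|bob|fail",
    "report|0.4|1590452402.000003|smtp-in|link-connect|0123456789abcdef|<unknown>|fail|[IPv6:2001:db8::7]:40000|[IPv6:2001:db8::1]:25",
    "report|0.4|1590452403.000004|smtp-in|link-auth|0123456789abcdef|alice|pass",
    "report|0.4|1590452404.000005|smtp-in|link-disconnect|ce7a8154503699d2",
]


def _stdout_send(s: str) -> None:
    sys.stdout.write(s)
    sys.stdout.flush()  # smtpd waits for register|ready before sending reports


if __name__ == "__main__":
    syslog.openlog("sshguard-exporter", 0, syslog.LOG_MAIL)
    run(sys.stdin, _stdout_send, lambda m: syslog.syslog(syslog.LOG_WARNING, m))
```

The emitted line carries the session id, the client address and the result on one line, so a pattern in SSHGuard's parser needs no session state of its own.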
550 Invalid recipient errors
Hi,

I just upgraded various system packages on Fedora 37 and restarted, and now I'm getting "550 Invalid recipient" errors in OpenSMTPD to valid email addresses. This might be an interaction with Fedora somehow, but I'm a bit stuck and need help understanding what's causing the problem! I can receive email fine but can't send email.

Here is a reproduction with /usr/sbin/smtpd -dv:
Re: 550 Invalid recipient errors
This was working before and I didn't change my configuration, but maybe something has been wrong all along. As far as I understand, external mail comes in with:

action "process_dkim" relay host smtp://127.0.0.1:10027
match from local for any action "process_dkim"

This sends the mail to a DKIM proxy on port 10027 which then sends it back to 10028. This is tagged with:

listen on lo port 10028 tag DKIM

And then this gets processed with:

action "process_outbound" relay host tls+auth://label@REDACTED auth
match tag DKIM for any action "process_outbound"

On Fri, Feb 10, 2023 at 8:12 AM Tobias Fiebig <tob...@reads-this-mailinglist.com> wrote:
> Heho,
> might be missing this, but you do not have a relay rule for outbound,
> let alone anything for auth?
>
> With best regards,
> Tobias
>
> On Fri, 2023-02-10 at 07:58 -0600, Kevin G wrote:
> > # Accept incoming mail to local users from the local machine:
> > action "process_local_mail" lmtp "/run/dovecot/lmtp" rcpt-to alias
> >
> > match from local for local action "process_local_mail"
> >
> > # Accept external mail tagged after processing by SPAMPD and put in
> > Dovecot. We don't bother with checking spam of
> > # authenticated users relaying mail, so we only worry about incoming spam
> > into Dovecot, so we only configure anti-spam
> > # in Dovecot.
> > action "process_spampd" lmtp "/run/dovecot/lmtp" rcpt-to virtual
> >
> > match tag SPAMPD for domain action "process_spampd"
> >
> > # Accept external mail and forward to spampd on port 10029 which will relay
> > it back into us on port 10030
> > action "process_relay" relay host smtp://127.0.0.1:10029
> > match from any for domain action "process_relay"
> >
> > # Accept DKIM-processed mails for final relay:
> > action "process_outbound" relay host tls+auth://label@REDACTED auth
> >
> > match tag DKIM for any action "process_outbound"
> >
> > # Accept incoming mail from authenticated users who want to send email to
> > domains we don't manage, and send it to DKIM:
> > action "process_dkim" relay host smtp://127.0.0.1:10027
> > match from local for any action "process_dkim"
> --
> Dr.-Ing. Tobias Fiebig
> T +31 616 80 98 99
> M tob...@fiebig.nl
Re: 550 Invalid recipient errors
Yes, you are right, it is now accepting the mail but it is not relaying, perhaps due to this warning:

warn: Failed to parse smarthost tls+auth://la...@smtp.postmarkapp.com

On Fri, Feb 10, 2023 at 8:28 AM Tobias Fiebig <tob...@reads-this-mailinglist.com> wrote:
> Heho,
>
> On Fri, 2023-02-10 at 08:18 -0600, Kevin G wrote:
> > action "process_dkim" relay host smtp://127.0.0.1:10027
> > match from local for any action "process_dkim"
> As I read the config...
>
> > > let alone anything for auth?
> There is no rule matching auth to this action.
>
> try:
>
> match from auth for any action "process_dkim"
>
> With best regards,
> Tobias
>
> --
> Dr.-Ing. Tobias Fiebig
> T +31 616 80 98 99
> M tob...@fiebig.nl
Re: 550 Invalid recipient errors
Never mind, I had to change tls+auth to smtp+tls. Maybe what happened is that when I set this mail server up, I made such fixes but forgot to apply them to my configurator, so then when I went to update the server, it used the old config template with these mistakes.

Thank you so much for your very quick help! Have a good weekend.

On Fri, Feb 10, 2023 at 8:50 AM Kevin G wrote:
> Yes, you are right, it is now accepting the mail but it is not relaying
> perhaps due to this warning:
>
> warn: Failed to parse smarthost tls+auth://la...@smtp.postmarkapp.com
>
> On Fri, Feb 10, 2023 at 8:28 AM Tobias Fiebig <tob...@reads-this-mailinglist.com> wrote:
>
>> Heho,
>>
>> On Fri, 2023-02-10 at 08:18 -0600, Kevin G wrote:
>> > action "process_dkim" relay host smtp://127.0.0.1:10027
>> > match from local for any action "process_dkim"
>> As I read the config...
>>
>> > > let alone anything for auth?
>> There is no rule matching auth to this action.
>>
>> try:
>>
>> match from auth for any action "process_dkim"
>>
>> With best regards,
>> Tobias
>>
>> --
>> Dr.-Ing. Tobias Fiebig
>> T +31 616 80 98 99
>> M tob...@fiebig.nl