Re: mlmmj, public-inbox broken after upgrade to (portable) 7.4.0p1

2024-01-26 Thread Reio Remma

Just in case, here are my notes from after upgrading to v7.3.0.

Good luck
Reio

On 19.08.2023 23:56, Reio Remma wrote:

I've now found two ways to get mlmmj working.

.forward file method fails with the lmtp action that I've been 
successfully using thus far because it tries to pass it to mlmmj as 
'smtpd' user:


action deliver_mlmmj    lmtp "/var/run/dovecot/lmtp" rcpt-to virtual  userbase


.forward file method starts working if I replace lmtp with expand-only 
- mail is passed to mlmmj as the user from userbase not as 'smtpd' user:


action deliver_mlmmj   expand-only virtual  userbase 



Using the mda action passing mail to mlmmj works both with and without 
the .forward file, both ways delivered as the user from userbase:


action deliver_mlmmj   mda "/usr/bin/mlmmj-receive -L /var/vmail/mlmmj/%{rcpt.domain}/%{rcpt.user}/" virtual  userbase





Re: OpenSMTPD 7.3.0p2 released

2023-09-20 Thread Reio Remma

On 20.09.2023 16:58, Omar Polo wrote:

Hello,

The changelog for 7.3.0p2 is:

  - avoid potential use of uninitialized the bundled copy of
ASN1_time_parse

This could lead to a failure during STARTTLS and a subsequent
downgrade to plaintext.

  - backport the ENGINE removal to build with the latest LibreSSL


https://www.opensmtpd.org/archives/opensmtpd-7.3.0p2.tar.gz
https://github.com/OpenSMTPD/OpenSMTPD/releases/tag/7.3.0p2

Cheers,

Omar Polo



Thanks a bunch! Already rebuilt and up and running on AlmaLinux 8.

Good luck
Reio



Re: Setting personal mailserver

2023-09-07 Thread Reio Remma

On 08.09.2023 09:42, Stuart Longland wrote:

Your options are:
1. set up a server outside your ISPs network that can transmit the 
message for you (e.g. if Internode decide to block port 25 or withdraw 
my public IP, I might use my secondary MX as the outbound mail server 
relay.)
2. use your ISPs mail server as a relay (after adding it to your SPF 
records along with any DKIM keys needed)

3. move to an ISP that lets you do this stuff

I'd suggest (3) is your best option… as trying to circumvent firewall 
rules will likely get you disconnected for violating their Terms of 
Service anyway.  (I note humaaraartha.in appears to be hosted by MTNL 
India, but their website is not responding for me at this time.)


You can get a virtual server for 5€/m with a static IP and configurable 
reverse DNS - the same price as getting a mere static IP from my ISP.


Good luck
Reio



Re: Setting personal mailserver

2023-09-02 Thread Reio Remma
Port 465 is the deprecated SMTPS submission port, you can't send mail to 
that.


If you're trying to send out e-mail from a residential IP (even with an 
unblocked outgoing port 25), you'll find more problems e.g. receiving 
servers not accepting your e-mails because of your IP having no FCrDNS etc.


Good luck
Reio

On 02.09.2023 21:56, Sagar Acharya wrote:

Port 25 outgoing is blocked. You were correct. I switched to port 465 with 
config

action "relay" relay host smtps://mydomain.com

Such is the error message:
Again there is "Network error on destination MXs"

mta connecting address=smtps://{ipv4}:465 host={xyz}
mta error reason=IO Error: Connection refused
smtp-out: Disabling route [] <-> {ipv4} for 15s
smtp-out: No valid route for 
[connector:[]->[relay:mydomain.com,port=465,smtps,mx],0x0]

DNS

mydomain.com     MX       10 mydomain.com
Port 465 is perfectly open from ISP.
Thanking you
Sagar Acharya
https://humaaraartha.in



2 Sept 2023, 19:58 by tphil...@potion-studios.com:


I tested all of the IPs from your output, and all of them listen on port 25 and 
a smtp server is answering. So if you are relaying to those via port 25, and 
you get a network error (I guess a timeout), then I guess your outgoing port 25 
is blocked. This is relatively common with residential uplinks, ask your ISP to 
open port 25 for you.

That said... I'm only guessing here.


On Sat, Sep 02, 2023 at 03:52:37PM +0200, Sagar Acharya wrote:


I made some progress. I am able to receive mails now but when I send mail from 
u...@mydomain.com to sagaracha...@tutanota.com using mutt , I get,

result="TempFail" stat="Network error on destination MXs"
smtp-out: Enabling route [] <-> 81.3.6.162 (w1.tutanota.de)
smtp-out: Enabling route [] <-> 185.205.69.211 (185.205.69.211)
smtp-out: Enabling route [] <-> 81.3.6.165 (w4.tutanota.de)
mta error reason=Connection timeout


DNS

mydomain.com.    86400      IN        MX        10 mail.mydomain.com.

Thanking you
Sagar Acharya
https://humaaraartha.in



2 Sept 2023, 05:45 by bub...@live.de:


Hello, pls show your config file.

Kind regards, V.Bubnov


On 01.09.2023, at 21:43, Sagar Acharya wrote:

To enable being able to send mails from my server, I added tls certs.

Now when I send from this email id to u...@mydomain.com , I get the error below.

530
5.5.1 Invalid command: Must issue an AUTH command first (in reply to MAIL FROM 
command)

Since STARTTLS is working on 25, I think things should go smoothly but it isn't 
so. Please help. Thanking you
Sagar Acharya
https://humaaraartha.in



1 Sept 2023, 20:52 by sagaracha...@tutanota.com:


I used mutt for accessing mail. I still am unable to send mail using my server. 
I can receive mails.

I also completed the whitelist. How can I do this?

I want to allow access only up to 25MB attachments from whitelisted emails and 
allow only 1 email (only text based) per day from non-whitelisted emails. How do 
I do that?

How do I limit overall size of mailbox and auto-delete old mails?

Thanking you
Sagar Acharya
https://humaaraartha.in



1 Sept 2023, 14:04 by tphil...@potion-studios.com:


 From the doc (smtpd.conf(5)):

maildir [pathname [junk]]
Deliver the message to the maildir in pathname if
specified, or by default to ~/Maildir.

So given your config, you seem to get exactly what you configured.

For your "whitelist", create the match rules for your domains, and for 
everything else use a reject rule at the end.





On Fri, Sep 01, 2023 at 09:59:31AM +0200, Sagar Acharya wrote:

I got a mail, which lies in Maildir, however no mailbox is configured. Is there 
a default mailbox in alpine and how do I access the mail contents in

~/Maildir

My mails are under

~/Maildir/new/

Also, how do I whitelist email ids, say, I want mails only from

f...@bar.com
f...@bar2.com
f...@bar3.com

That's it, no other mails.
Thanking you
Sagar Acharya
https://humaaraartha.in



1 Sept 2023, 12:42 by sagaracha...@tutanota.com:


How do I do that? What CLI tool do I use?

While starting the daemon, the configuration is OK as given in prompt.

With the DNS configuration I have, where can I send a mail, at 
u...@mydomain.com or at u...@mail.mydomain.com ?

Thanking you
Sagar Acharya
https://humaaraartha.in



31 Aug 2023, 01:06 by stu...@gathman.org:



On Wed, 30 Aug 2023, Sagar Acharya wrote:


I'm facing an issue similar to a person a while ago available on archive. I use 
alpine, and the conf is as below

There is nothing in the mailbox.


Are you looking with alpine, or with CLI tools like ls?  Use CLI tools to check 
that you've configured smtpd to store incoming mail where you think you have.

I go so far as to use raw IPv6 for personal mailbox on various overlay mesh 
vpns like Cjdns and Yggdrasil (giving you personal authenticated IPs 
independent of any ISP).  I just caught up with an online friend that moved 
from Hawaii to New York.  Still works despite changes in ISP and ICANN domains.






Re: Permissions error when sending to mailing list after upgrade to v.7.3.0

2023-08-19 Thread Reio Remma

On 17.08.2023 21:32, Reio Remma wrote:

On 17.08.2023 19:43, Thomas Bohl wrote:


Interesting. Which man page please? I can't see it mentioned in 
smtpd.conf nor forward man pages.


The forward man pages says:
A .forward file contains a list of expansion values, as described in 
aliases(5).


So it is in aliases 5.

http://man.openbsd.org/aliases.5
...
|command
Pipe the message to command on its standard input. The command is run 
under the privileges of the daemon's unprivileged account.


I've now found two ways to get mlmmj working.

.forward file method fails with the lmtp action that I've been 
successfully using thus far because it tries to pass it to mlmmj as 
'smtpd' user:


action deliver_mlmmj    lmtp "/var/run/dovecot/lmtp" rcpt-to virtual  userbase


.forward file method starts working if I replace lmtp with expand-only - 
mail is passed to mlmmj as the user from userbase not as 'smtpd' user:


action deliver_mlmmj   expand-only virtual  userbase 



Using the mda action passing mail to mlmmj works both with and without 
the .forward file, both ways delivered as the user from userbase:


action deliver_mlmmj   mda "/usr/bin/mlmmj-receive -L /var/vmail/mlmmj/%{rcpt.domain}/%{rcpt.user}/" virtual  userbase





Re: Permissions error when sending to mailing list after upgrade to v.7.3.0

2023-08-17 Thread Reio Remma

On 17.08.2023 19:43, Thomas Bohl wrote:


Interesting. Which man page please? I can't see it mentioned in 
smtpd.conf nor forward man pages.


The forward man pages says:
A .forward file contains a list of expansion values, as described in 
aliases(5).


So it is in aliases 5.

http://man.openbsd.org/aliases.5
...
|command
Pipe the message to command on its standard input. The command is run 
under the privileges of the daemon's unprivileged account.




I'm really curious how it managed to work before...

With smtpd:smtpd on mlmmj directories I'm getting:

lookup: match "l...@domain.com" as MAILADDR in table proc:recipients -> true
rule #2 matched: match from any for domain domains rcpt-to recipients 
action deliver_lmtp

lookup: lookup "l...@domain.com" as ALIAS in table proc:virtuals -> "23"
expand: 0x55727bc76760: expand_insert() called for 
username:23[parent=(nil), rule=(nil)]

expand: 0x55727bc76760: inserted node 0x55727bd82e20
expand: 0x55727bd81028: expand_insert() called for 
username:23[parent=0x55727bc79e60, rule=0x55727bc7a930, 
dispatcher=0x55727bc7aa00]

expand: 0x55727bd81028: inserted node 0x55727bd83380
expand: 0x55727bc76760: clearing expand tree
expand: 0x55727bc76760: freeing expand tree
debug: aliases_virtual_get: 'l...@domain.com' resolved to 1 nodes
expand: lka_expand: username: 23 [depth=1, sameuser=0]
lookup: lookup "23@" as ALIAS in table proc:virtuals -> none
lookup: lookup "23" as ALIAS in table proc:virtuals -> none
lookup: lookup "23" as USERINFO in table proc:userinfo -> 
"5000:5000:/var/vmail/mlmmj/domain.com/list"

mproc: lka -> parent : 4376 IMSG_LKA_OPEN_FORWARD
warn: smtpd: /var/vmail/mlmmj/domain.com/list/.forward: unsecure file
mproc: parent -> lka : 4376 IMSG_LKA_OPEN_FORWARD
imsg: lka <- parent: IMSG_LKA_OPEN_FORWARD (len=4376)
expand: ~/.forward failed for user 23
mproc: lka -> dispatcher : 54 IMSG_SMTP_EXPAND_RCPT
expand: 0x55727bd81028: clearing expand tree
imsg: dispatcher <- lka: IMSG_SMTP_EXPAND_RCPT (len=54)
smtp: 0x562572625500: >>> 524 5.2.4 Mailing list expansion problem: 


mproc: dispatcher -> lka : 98 IMSG_REPORT_SMTP_PROTOCOL_SERVER
mproc: dispatcher -> lka : 62 IMSG_??? (132)
fe30c5bd1dd8f509 smtp failed-command command="RCPT TO:" 
result="524 5.2.4 Mailing list expansion problem: "




Re: Permissions error when sending to mailing list after upgrade to v.7.3.0

2023-08-16 Thread Reio Remma

On 15.08.2023 10:49, Thomas Bohl wrote:



You were already pretty close when you got this line though:
warn: smtpd: /var/vmail/mlmmj/domain/listname/.forward: unsecure file
There were probably just wrong write permissions for the group.


...on the home directory. 


I changed permissions from 0700 vmail:vmail to 0750 vmail:smtpd and 
coaxed a new error out of mlmmj:


/usr/bin/mlmmj-receive[114552]: mlmmj-receive.c:112: Have to invoke 
either as root or as the user owning listdir Invoked with uid = [997]


So it seems OpenSMTPD is trying to deliver with uid 997 (which is 
'smtpd' user on the system), ignoring the uid/gid from userinfo table.


v 6.8.0:

lookup: lookup "3" as USERINFO in table proc:userinfo -> 
"5000:5000:/var/vmail/domain/user"

debug: smtpd: forking mda for session eba6bc20bdd7e6b8: 3 as 3

lookup: lookup "23" as USERINFO in table proc:userinfo -> 
"5000:5000:/var/vmail/mlmmj/domain/list"

debug: smtpd: forking mda for session 358aa0231bcacbe7: 23 as 23

v 7.3.0:

lookup: lookup "3" as USERINFO in table proc:userinfo -> 
"5000:5000:/var/vmail/domain/user"

debug: smtpd: forking mda for session 8ed13ca11c1e1c09: 3 as smtpd

lookup: lookup "23" as USERINFO in table proc:userinfo -> 
"5000:5000:/var/vmail/mlmmj/domain/list"

debug: smtpd: forking mda for session 8ed13c9dff53f513: 23 as smtpd

Delivery to a regular user most likely succeeds because it's done over LMTP.




Re: Permissions error when sending to mailing list after upgrade to v.7.3.0

2023-08-14 Thread Reio Remma

On 15.08.2023 08:25, Thomas Bohl wrote:

Hello,

I just found that my mailing lists have stopped working after the 
upgrade with the following error:


/usr/bin/mlmmj-receive[102515]: mlmmj-receive.c:122: Could not stat 
/var/vmail/mlmmj/domain/listname/: Permission denied


I recall reading the delivery user was changed at some point. Was it 
delivered by root before?


Only mails to root were delivered as root. But that possibility was 
removed for security reasons.


What user/permissions should I give the directory now? 


It must be owned by the user who makes the delivery. Is vmail or mlmmj 
a system user?


man forward
...
Permissions on the .forward file are very strict and expansion is
rejected if the file is group or world-writable; if the home directory is
group writeable; or if the file is not owned by the user.


I've been using mlmmj with this in the .forward file:

|/usr/bin/mlmmj-receive -L /var/vmail/mlmmj/domain/list/

Permissions 0700 and 0600 on /var/vmail/mlmmj and vmail:vmail user/group.

These worked with v6.8.0.
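
The three forward(5) conditions quoted in this message can be checked before a delivery attempt. The following is an added example, not code from OpenSMTPD or from the thread; `audit_forward`, `make_sample_home` and the finding codes are hypothetical names, it covers only the three quoted rules, and the sample home directory is constructed in a temporary path.

```python
import os
import shutil
import stat
import tempfile


def audit_forward(home, uid, filename=".forward"):
    """Check one home directory against the three forward(5) rules quoted above.

    home: the user's home directory (for a virtual user, the directory from
          the userinfo table, e.g. /var/vmail/mlmmj/domain/list).
    uid:  the uid that user maps to (5000 in the thread's userinfo lookups).
    Returns a list of finding codes; an empty list means all three rules pass.
    """
    path = os.path.join(home, filename)
    try:
        file_st = os.stat(path)
        home_st = os.stat(home)
    except OSError as exc:
        return ["cannot-stat: %s" % exc.strerror]

    findings = []
    # Rule 1: the file must not be group- or world-writable.
    if file_st.st_mode & stat.S_IWGRP:
        findings.append("file-group-writable")
    if file_st.st_mode & stat.S_IWOTH:
        findings.append("file-world-writable")
    # Rule 2: the home directory must not be group-writable.
    if home_st.st_mode & stat.S_IWGRP:
        findings.append("home-group-writable")
    # Rule 3: the file must be owned by the user the recipient maps to.
    if file_st.st_uid != uid:
        findings.append("file-not-owned-by-user")
    return findings


def make_sample_home(home_mode, file_mode):
    """Build a constructed home directory containing a .forward file."""
    home = tempfile.mkdtemp(prefix="forward-audit-")
    path = os.path.join(home, ".forward")
    with open(path, "w") as fh:
        # Same shape as the .forward line used in the thread.
        fh.write("|/usr/bin/mlmmj-receive -L /var/vmail/mlmmj/domain/list/\n")
    os.chmod(path, file_mode)
    os.chmod(home, home_mode)
    return home


if __name__ == "__main__":
    home = make_sample_home(0o700, 0o400)
    owner = os.stat(home).st_uid
    try:
        # Owner matches the userinfo uid: no findings.
        print("owner matches userinfo uid:", audit_forward(home, owner))
        # Ownership handed to another account (as when the tree was chowned
        # to smtpd:smtpd while userinfo still said 5000): rule 3 fails.
        print("owner differs from userinfo uid:", audit_forward(home, owner + 1))
        # Group-writable home directory: rule 2 fails.
        os.chmod(home, 0o770)
        print("home 0770:", audit_forward(home, owner))
    finally:
        shutil.rmtree(home, ignore_errors=True)
```

A home directory at mode 0750 passes these three rules because the group has read and search access but not write access.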




Re: Permissions error when sending to mailing list after upgrade to v.7.3.0

2023-08-14 Thread Reio Remma

On 14.08.2023 11:29, Reio Remma wrote:

Hello!

I just found that my mailing lists have stopped working after the 
upgrade with the following error:


/usr/bin/mlmmj-receive[102515]: mlmmj-receive.c:122: Could not stat 
/var/vmail/mlmmj/domain/listname/: Permission denied


I recall reading the delivery user was changed at some point. Was it 
delivered by root before? What user/permissions should I give the 
directory now? 


After changing /var/vmail/mlmmj ownership to smtpd:smtpd I'm getting a 
new error:


warn: smtpd: /var/vmail/mlmmj/domain/listname/.forward: unsecure file
1dd7ff441affc273 smtp failed-command command="RCPT TO:" 
result="424 4.2.4 Mailing list expansion problem: "


The actual .forward file has 0400 permissions.

Reio



Permissions error when sending to mailing list after upgrade to v.7.3.0

2023-08-14 Thread Reio Remma

Hello!

I just found that my mailing lists have stopped working after the 
upgrade with the following error:


/usr/bin/mlmmj-receive[102515]: mlmmj-receive.c:122: Could not stat 
/var/vmail/mlmmj/domain/listname/: Permission denied


I recall reading the delivery user was changed at some point. Was it 
delivered by root before? What user/permissions should I give the 
directory now?


Thanks!
Reio




Re: Fwd: How do i set up a mailing list on opensmtpd?

2023-01-25 Thread Reio Remma

On 25.01.2023 14:36, eero pomell wrote:


-- Forwarded message -
From: *eero pomell* 
Date: Wed, 25 Jan 2023, 14:33
Subject: How do i set up a mailing list on opensmtpd?
To: 


How do I set up a mailing list? Since /etc/aliases has to expand to names 
that are users in the system, I don't know how to do it. For example, if 
there's a mailing list: l...@example.com, how would you make the 
server forward it to all the addresses in the list? After reading the 
manpage I still don't know how to do it.


Hello!

You'll need a mailing list management software to set up a list and then 
you can point towards it in a .forward file for l...@example.com:


|/usr/bin/mlmmj-receive -L /var/vmail/mlmmj/example.com/listname/

Good luck!

Reio

Re: Forward from to another MTA

2022-08-16 Thread Reio Remma

Hello!

I may be wrong, but list.domain.tld might be routed back to the same 
server (domain.tld)? Maybe you should be relaying to the Sympa server?


Good luck
Reio

On 16.08.2022 12:16, thiery wrote:

On 2022-08-16 10:13, Tassilo Philipp wrote:

I might misunderstand your question, but I noticed that your line:

  match for rcpt-to  action "mailinglist"

does not specify a "from" option, so it defaults to "from local". This
means it won't match for non-local IPs. Maybe that's the culprit?

hth


Hello,

Oh, you're right. Now I have another problem:
---
Aug 16 10:34:13 leeds smtpd[17062]: 039b2f6018e9c7ea smtp 
failed-command command="RCPT TO:" result="524 5.2.4 
Mailing list expansion problem: "

---

Errata:
---
My previous error was :
Aug 15 17:50:00 leeds smtpd[5281]: 7dae3f5b0d6ff768 smtp 
failed-command command="RCPT TO:" result="550 Invalid 
recipient: "

---

Let me try to rephrase my question :

I have two servers: one with OpenSMTPd, which manages email for my end 
users; another manages mailing lists with Sympa.


All incoming emails on OpenSMTPd are in @domain.tld. The mailing list 
software expects something in @list.domain.tld but they are aliased on 
the OpenSMTPd server as @domain.tld.


The aliases in  contain values like this:

mailinglist1: mailinglist1 @list.domain.tld (Without the space before @)

When my users send emails to mailinglist1 @domain.tld, I want 
OpenSMTPd to forward/relay them as mailinglist1 @list.domain.tld to 
the mailing list server and to do the same for all aliases in  
table.


How can I achieve that ? :)

Let me know if you need more clarity.

Best regards,
Yan 





Re: Opensmtpd tables

2022-08-09 Thread Reio Remma

On 09.08.2022 17:19, Quelrond wrote:

Hi,

I'm using OpenSMTPD on FreeBSD (in jails) as local SMTP relays for 
several applications.


Actually, I use file table as a source of information about valid 
senders IP:



...
table senders_static file:/usr/local/etc/mail/senders-static
...
match from src  for any action 
remote_delivery_via_relay_1

...


Now I want to search for current list dynamically using an external 
source of information. As I use Consul, it would perfect to query 
consul server(s) with http(s) requests and get the servers list from 
the received JSON data. Unfortunately, I cannot find the information 
about creating a new type of table, something like:



table senders_consul 
consul:http://consul1.domain.local:8080?service=myapp



Could someone assist me in such task, please?

Peter





Hello!

You'll want to have a look at table-procexec and may write your own backend.

table-procexec is still a work in process however.

https://poolp.org/posts/2020-05-28/may-2020-opensmtpd-6.7.1p1-release-table-procexec-and-many-pocs/
https://github.com/OpenSMTPD/OpenSMTPD-extras/tree/table-procexec

Good luck
Reio



Re: Changing Log Messages

2022-06-22 Thread Reio Remma

Filters are indeed the way to go.

I'm personally using a reporter to log failed authentications which I'm 
feeding to fail2ban to block.


https://github.com/whataboutpereira/filter-auth

Good luck
Reio

On 22.06.2022 20:56, Pete wrote:

Hi,

The best is probably to implement a custom reporting filter that fits your 
needs.
http://man.openbsd.org/man7/smtpd-filters.7




Hi,
I would like to use crowdsec to evaluate my mail logs. My current idea is to 
block all users that try to login on port 25
```
smtp connected address=43.zzz.yy.xx host=
smtp failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command 
not supported"
```
So the trigger is line 2 but the ip address is in line 1
Unfortunately there seems to be no way for crowdsec parser to evaluate 2 lines
Is there any chance or idea how I could change the logs to include the address 
in line 2
Regards
Hagen Bauer
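
The two-line correlation asked about at the end of this thread can also be done outside smtpd by joining log lines on the session id. This is an added example, not part of the thread or of OpenSMTPD; it assumes each line carries the 16-hex-digit session id seen in the smtpd log excerpts elsewhere on this page, and the `auth-rejected` output format, the function names and the sample log lines are constructed.

```python
import re

# "<session-id> smtp <event> key=value ..." with any syslog prefix before it.
LINE_RE = re.compile(
    r'\b(?P<sid>[0-9a-f]{16}) smtp '
    r'(?P<event>connected|failed-command|disconnected)(?: (?P<rest>.*))?$'
)
# key=value pairs; a value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S*)')

# Constructed sample input (documentation addresses, made-up session ids).
SAMPLE_LOG = [
    'Jun 22 20:01:02 mx smtpd[1610]: 00000000000000a1 smtp connected '
    'address=192.0.2.10 host=client.example.net',
    'Jun 22 20:01:02 mx smtpd[1610]: 00000000000000b2 smtp connected '
    'address=198.51.100.7 host=mail.example.org',
    'Jun 22 20:01:03 mx smtpd[1610]: 00000000000000a1 smtp failed-command '
    'command="AUTH LOGIN" '
    'result="503 5.5.1 Invalid command: Command not supported"',
    'Jun 22 20:01:03 mx smtpd[1610]: 00000000000000b2 smtp failed-command '
    'command="RCPT TO:<nobody@example.org>" '
    'result="550 Invalid recipient: <nobody@example.org>"',
    'Jun 22 20:01:04 mx smtpd[1610]: 00000000000000a1 smtp disconnected '
    'reason=quit',
    # Session whose "connected" line was lost (e.g. log rotation).
    'Jun 22 20:01:05 mx smtpd[1610]: 00000000000000c3 smtp failed-command '
    'command="AUTH PLAIN" '
    'result="503 5.5.1 Invalid command: Command not supported"',
]


def parse_fields(rest):
    """Split the key=value tail of a log line into a dict, unquoting values."""
    fields = {}
    for key, value in KV_RE.findall(rest or ""):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def correlate(lines):
    """Return one self-contained line per rejected AUTH attempt.

    The client address is remembered from each session's "connected" line and
    copied onto the later "failed-command" line, so a single-line log parser
    can act on it. Sessions are forgotten on "disconnected" to bound memory.
    """
    address_by_session = {}
    alerts = []
    for line in lines:
        m = LINE_RE.search(line.rstrip("\n"))
        if m is None:
            continue
        sid = m.group("sid")
        event = m.group("event")
        fields = parse_fields(m.group("rest"))
        if event == "connected":
            address_by_session[sid] = fields.get("address", "unknown")
        elif event == "disconnected":
            address_by_session.pop(sid, None)
        elif fields.get("command", "").upper().startswith("AUTH"):
            alerts.append(
                '%s smtp auth-rejected address=%s command="%s" result="%s"'
                % (sid, address_by_session.get(sid, "unknown"),
                   fields["command"], fields.get("result", ""))
            )
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```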









Re: OpenSMTPD and Debian unstable

2022-06-16 Thread Reio Remma

On 17.06.2022 09:40, s wrote:

Hi

I have used Let's Encrypt certificates in OpenSMTPD (6.8.0p2-4+b2). 
The OpenSSL package for the Debian bookworm/sid was updated from 
version 1.1.1o-1 to version 3.0.3-7. Now TLS no longer works and the 
log includes, for example:


Jun 16 17:36:39 abc smtpd[1610]: 1cc7ae11a090164a smtp connected 
address=209.85.221.50 host=mail-wr1-f50.google.com 

Jun 16 17:36:39 abc smtpd[1610]: 1cc7ae11a090164a smtp disconnected 
reason="io-error: error:0A080006:SSL routines::EVP lib"
Jun 17 02:01:30 abc smtpd[1610]: 1cc7b059a9080695 smtp connected 
address=203.147.7.226 host=
Jun 17 02:01:31 abc smtpd[1610]: 1cc7b059a9080695 smtp disconnected 
reason="io-error: error:0A0C0103:SSL routines::internal error"


Everything worked with the old OpenSSL version. Is it worth checking 
the mailserver-settings, the certificate, or trying to downgrade OpenSSL?


Relevant part my smtpd.conf:
pki mail.domain.com cert "/etc/letsencrypt/live/mail.domain.com/fullchain.pem"
pki mail.domain.com key "/etc/letsencrypt/live/mail.domain.com/privkey.pem"

...
listen on eth0 tls pki mail.domain.com hostname mail.domain.com filter { "rdns", "fcrdn", "rspamd" }
listen on eth0 port 465 smtps pki mail.domain.com hostname mail.domain.com auth  filter "rspamd"
listen on eth0 port 587 tls-require pki mail.domain.com hostname mail.domain.com auth  filter "rspamd"


More info here:

https://github.com/OpenSMTPD/OpenSMTPD/issues/1171

Good luck
Reio

Re: Why isn't there a simple way to add a catchall alias to OpenSMTP ?

2022-04-17 Thread Reio Remma

On 17.04.2022 21:39, Beau Ford wrote:


On Sat, 16 Apr 2022, gil...@poolp.org wrote:

Hope the example above helps someone in the future. If future 
readers wonder how I handle multiple
recipients for a single alias, I just cc: the second or third 
recipient in .procmailrc ... so the

normal alias syntax of:

user joe,billy,bob

... is not actually possible ... I have to achieve that with procmail.



are you sure ?

I can't test right now but I don't see a reason why { u...@domain.com 
= "joe,billy,bob" }
would not work, if it really doesn't that may be a mistake on your 
side or a bug on

OpenSMTPD's




I can confirm ... this line works fine:


action "tones" mbox virtual { "to...@domain.com" = user1 }


... but if I change it to:


action "tones" mbox virtual { "to...@domain.com" = user1, user2 }


... I get:


Performing sanity check on smtpd configuration:
/usr/local/etc/mail/smtpd.conf:42: syntax error
/usr/local/etc/mail/smtpd.conf:62: no such dispatcher: tones


... and the same is true if I remove the space between the commas:


action "tones" mbox virtual { "to...@domain.com" = user1,user2 }



Did you try the exact example Gilles gave? With quoted { u...@domain.com 
= "user1, user2"} ?


Good luck
Reio



Re: Why isn't there a simple way to add a catchall alias to OpenSMTP ?

2022-04-14 Thread Reio Remma

On 14.04.2022 08:44, Beau Ford wrote:


Reio,

On Thu, 14 Apr 2022, Reio Remma wrote:

... and that line bombs out my configuration ... here is my entire 
configuration *including* these two additional lines.  This config 
works great if I remove the two new lines:


How exactly? What's the error?



Performing sanity check on smtpd configuration:
/usr/local/etc/mail/smtpd.conf:30: syntax error

... and no other details.


The "accept" is old syntax and doesn't work anymore since version... 
I can't remember. :)


So you'll want an action that delivers to mbox and an accompanying 
match rule.



Do you mean, literally, an "action" - as in:


action ...


If so, that is confusing because I already have this line:


action "local_mail" mbox alias 


... which basically does all delivery for me ... would I augment that 
with something like:



action "local_mail" mbox alias  virtual 


... or issue that same line twice, but slightly different:


action "local_mail" mbox alias 
action "local_mail" mbox virtual 


Gilles' guide for the new syntax suggests you're on the right track.

https://poolp.org/posts/2018-05-21/switching-to-opensmtpd-new-config/

Unfortunately I've taken down my test OpenSMTPD server once my own 
configuration was settled, so I can't run any tests myself atm. :)


Good luck,
Reio



Re: Why isn't there a simple way to add a catchall alias to OpenSMTP ?

2022-04-13 Thread Reio Remma

On 14.04.2022 08:20, Beau Ford wrote:



On Mon, 11 Apr 2022, Reio Remma wrote:

Am I misremembering or is that a possibility - to implement the '@' 
catchall directly inside smtpd.conf without reference to lookup 
tables or virtusers (or aliases) ? 


There's this format for inline tables:

table "barbaz" { foo = bar, baz = qux }



OK, I added this line to my (working) smtpd.conf:


table catchall { "@" = username }


... so there is the static table ... and "username" is a real, actual 
UNIX user in the passwd file.  Not a virtual user.



Then I added this line:


accept for any virtual  deliver to mbox


... and that line bombs out my configuration ... here is my entire 
configuration *including* these two additional lines.  This config 
works great if I remove the two new lines:


How exactly? What's the error?

https://man.openbsd.org/smtpd.conf

The "accept" is old syntax and doesn't work anymore since version... I 
can't remember. :)


So you'll want an action that delivers to mbox and an accompanying match 
rule.


Good luck
Reio





table aliases file:/usr/local/etc/mail/aliases
table catchall { "@" = username }

filter check_dyndns phase connect match rdns regex { '.*\.dyn\..*', '.*\.dsl\..*' } \
    disconnect "550 no residential connections"

filter check_rdns phase connect match !rdns \
    disconnect "550 no rDNS"

filter check_fcrdns phase connect match !fcrdns \
    disconnect "550 no FCrDNS"

listen on 22.44.55.135 port 10028 tag DKIM
listen on 22.44.55.135 filter \
    { check_dyndns, check_rdns, check_fcrdns }
listen on 22.44.55.135 port submission

action "local_mail" mbox alias 
action "relay_dkim" relay host smtp+notls://22.44.55.135:10027
action "outbound" relay helo mail.domain.com

accept for any virtual  deliver to mbox

match tag DKIM for any action "outbound"
match from any for domain "domain.com" action "local_mail"
match from any auth for any action "outbound"
match for local action "local_mail"
match for any action "relay_dkim"



My goal is to add exactly one catchall rule and keep my config simple 
inside smtpd.conf without dealing with virtual users and 
virtusertable, etc.



Thanks.






Re: Why isn't there a simple way to add a catchall alias to OpenSMTP ?

2022-04-11 Thread Reio Remma

On 11.04.2022 18:05, Beau Ford wrote:
I feel like I saw an example once where the '@' catchall address was 
implemented neither in aliases nor in virtusers - there was actually a 
2-3 line configuration *directly inside* smtpd.conf that implemented 
the '@' catchall.


Am I misremembering or is that a possibility - to implement the '@' 
catchall directly inside smtpd.conf without reference to lookup tables 
or virtusers (or aliases) ? 


There's this format for inline tables:

table "barbaz" { foo = bar, baz = qux }

https://github.com/poolpOrg/OpenSMTPD-book/blob/master/src/chapters/1070_Understanding_tables.md

Good luck!
Reio



Re: Why isn't there a simple way to add a catchall alias to OpenSMTP ?

2022-04-11 Thread Reio Remma

On 11.04.2022 10:53, Josey Smith wrote:

Might not be what you want, but this two part guide includes a simple
catchall inbox in part two:
https://prefetch.eu/blog/2020/email-server/ and
https://prefetch.eu/blog/2020/email-server-extras/

It also does use a @ in the aliases file. Does this only work with
virtual users?


Yes.

https://man.openbsd.org/table.5

Good luck
Reio



Re: Another Logging Query

2022-03-23 Thread Reio Remma

On 23.03.2022 23:41, Pete Long wrote:

Hi all,

When I run the following command, I see lots of useful information about
what's happening with OpenSMTPD; particularly with filters.

smtpd -dv -Tlookup

However, I can't seem to find a way to capture the output to a file. I've
tried 'tee' but my syntax is probably wrong.

Does the command above log events on a different level or are they
ephemeral?

Thanks for your time.


Pete.



iirc you can also force the running daemon to log to maillog or whatever 
it's logging to using 'smtpctl trace lookup' ('smtpctl untrace' to 
stop), also 'smtpctl log verbose' and 'smtpctl log brief' might come in handy.


Good luck
Reio



Re: Filter Logging

2022-03-21 Thread Reio Remma

On 21.03.2022 15:54, Pete Long wrote:

Hi all,

I have a filter defined in smtpd.conf which looks like the following:

filter rejects phase data match mail-from  \
disconnect "550 Policy enforcement."

The referenced table contains a list of addresses in the following
formats:

@dailynuisance.tld
bigmarketing.tld
@weneverunsubsribeanyone.tld

First of all, are these valid formats for the filter?


I see I've set up blacklists with a table like this:

match \
  from any \
  for any \
  mail-from  \
  reject

Good luck
Reio



Re: DKIM signature verification fails with local recipient alias

2021-10-27 Thread Reio Remma

On 27.10.2021 20:04, p...@mostlybsd.com wrote:

Hello!

I noticed my system messages fail DKIM due to "signature verification
failed" and also when I send from a local user to a local user.

In /etc/mail/aliases I have:

root: usern...@example.net

This is the command I use to fail DKIM:

$ mail root

This is the command I use to pass DKIM:

$ mail usern...@example.net

The only difference I can see in the received message headers is
different To:

Failed DKIM:
To: r...@hostname.example.com

Passed DKIM:
To: usern...@example.net

And when running with the dkimsign -z option, I can see in the z=:

Failed DKIM:
To:=20root

Passed DKIM:
To:=20usern...@example.net

I have the following rules in /etc/mail/smtpd.conf
(non-applicable configurations redacted for brevity):

table aliases file:/etc/mail/aliases

filter "dkimsign_local_rsa" proc-exec "filter-dkimsign -z \
-d hostname.example.com -s 10172021 \
-k /etc/mail/dkim/10172021.rsa.key" user _dkimsign group _dkimsign

listen on socket filter "dkimsign_local_rsa"
listen on lo0 filter "dkimsign_local_rsa"

action "local_mail" mbox alias 

match for local action "local_mail"

I'm sure I have some basic lack of understanding of smtpd.conf,
because it seems like the signature is being added before the alias is
expanded (if that is correct term). In going through smtpd.conf(5), I 
can't

figure out how to correct this.


I may be wrong, but I believe the domain for hostname.example.com should 
still be example.com


Good luck,
Reio



Re: Submission Creds only Accepted on LAN?

2021-08-08 Thread Reio Remma

On 08.08.2021 21:53, Pete Long wrote:

Hi Reio,

Yes it's set with SSL (as Apple's iPhone mail app shows) on port 587. The 
authentication method is 'password'.


Do you see from smtpd logs that a connection is made and credentials fail?




Pete.




On 8 Aug 2021, at 19:46, Reio Remma  wrote:

Hello!

Is your phone configured to submit to port 587?

Good luck
Reio


On 08.08.2021 20:56, Pete Long wrote:

Oops, I hope this is now visible.


Pete.



Begin forwarded message:

From: Pete Long 
Subject: Submission Creds only Accepted on LAN?
Date: 8 August 2021 at 18:46:49 BST
To: misc+h...@opensmtpd.org

Hi,

I've just begun using OpenSMTP and find it fascinating with its speed and 
simplicity.

All is working fine except for one issue I can't fix. If I send email from my 
computer to the OpenSMTP server on my LAN, the creds used for submission work 
fine.

However if I try the same thing from my phone over a 3G connection, the same 
creds fail. The username/password used is the same as my user account on the 
VMWare virtual server with FreeBSD 13.0 installed on which OpenSMTP is running 
ie. no separate maps.

Here's the line in smtpd.conf that I think is relevant:

listen on em0 port submission filter { rspamd } tls-require pki mydomain.tld 
auth hostname mydomain.tld mask-src

All outbound mail passes through a smart host as per this line:

action "relay" relay host smtp+tls://myauthla...@smarthost.provider.tld:25 auth 
 helo mydomain.tld

By the way, I've tried removing the 'filter { rspamd }' section but the same 
result occurs: non-LAN submission attempts 'permfail' with the same creds that 
work on a LAN connection.

Can anyone help me here?

Let me know if you require more information.


Thanks.


Pete.





Re: Submission Creds only Accepted on LAN?

2021-08-08 Thread Reio Remma

Hello!

Is your phone configured to submit to port 587?

Good luck
Reio


On 08.08.2021 20:56, Pete Long wrote:

Oops, I hope this is now visible.


Pete.



Begin forwarded message:

From: Pete Long <p...@valar.uk.net>
Subject: Submission Creds only Accepted on LAN?
Date: 8 August 2021 at 18:46:49 BST
To: misc+h...@opensmtpd.org

Hi,

I've just begun using OpenSMTP and find it fascinating with its speed 
and simplicity.


All is working fine except for one issue I can't fix. If I send email 
from my computer to the OpenSMTP server on my LAN, the creds used for 
submission work fine.


However if I try the same thing from my phone over a 3G connection, 
the same creds fail. The username/password used is the same as my 
user account on the VMWare virtual server with FreeBSD 13.0 installed 
on which OpenSMTP is running i.e. no separate maps.


Here's the line in smtpd.conf that I think is relevant:

listen on em0 port submission filter { rspamd } tls-require pki 
mydomain.tld auth hostname mydomain.tld mask-src


All outbound mail passes through a smart host as per this line:

action "relay" relay host 
smtp+tls://myauthla...@smarthost.provider.tld:25 
 auth  
helo mydomain.tld


By the way, I've tried removing the 'filter { rspamd }' section but 
the same result occurs: non-LAN submission attempts 'permfail' with 
the same creds that work on a LAN connection.


Can anyone help me here?

Let me know if you require more information.


Thanks.


Pete.






Re: IRC freenode #opensmtpd has reached user limit - can you increase?

2021-06-11 Thread Reio Remma

On 11.06.2021 14:02, Peter Thurner | Blunix GmbH wrote:

Hi,

I've been trying to join the #opensmtpd on freenode for a few days, however it 
seems to have reached its user limit. Can somebody please increase this? Thank 
you.



Hello! See this post from Gilles:


On 27.05.2021 00:48, gil...@poolp.org wrote:

Hellow,

There has been a hostile takeover of the freenode IRC network.

The new IRC channel for the project is #OpenSMTPD @ irc.libera.chat

Cheers,
Gilles






Re: New release libopensmtpd and filter-dkimsign

2021-06-10 Thread Reio Remma

On 10.06.2021 14:35, Simon Harrison wrote:

Hello. Just tried compiling on MX Linux 19.4 (Debian 10) and get this
error:

$ make -f Makefile.gnu
cc -I/home/simon/src/libopensmtpd-0.7/
-I/home/simon/src/libopensmtpd-0.7//openbsd-compat/ -Wall
-Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations
-Wshadow -Wpointer-arith -Wcast-qual -Wsign-compare -fPIC
-DNEED_RECALLOCARRAY=1 -DNEED_STRLCAT=1 -DNEED_STRLCPY=1
-DNEED_STRTONUM=1   -c -o opensmtpd.o opensmtpd.c
opensmtpd.c:27:10: fatal error: event.h: No such file or directory
 #include
 ^
compilation terminated.
make: *** [: opensmtpd.o] Error 1


Hello! I suspect it needs event.h from libevent.

Good luck!
Reio



Re: Filter issue

2021-06-04 Thread Reio Remma
Ahh, I see you have a problem with Rspamd instead. You should look into 
whitelists in Rspamd. Rspamd is very strict about broken headers, so you 
might want to see if you can send with proper headers from the sender 
side or add an exception in Rspamd.


Good luck
Reio

On 04.06.2021 14:56, François RONVAUX wrote:

Here is a message with the headers :
--
Return-Path: <f...@test.example.org>
Delivered-To: f...@example.org
X-Spam: yes
X-Spam-Score: 13.83 / 15
X-Spam-Status: Yes, score=13.833 required=15.000
        tests=[ARC_NA=0.000, ASN=0.000, BROKEN_HEADERS=10.000
        DMARC_POLICY_SOFTFAIL=0.100, FROM_EQ_ENVFROM=0.000, FROM_HAS_DN=0.000
        FROM_NEEDS_ENCODING=1.000, GREYLIST=0.000, MID_RHS_MATCH_FROM=0.000
        MIME_GOOD=-0.100, MIME_TRACE=0.000, PREVIOUSLY_DELIVERED=0.000
        RBL_SPAMHAUS_PBL=2.000, RCPT_COUNT_ONE=0.000, RCVD_COUNT_TWO=0.000
        RCVD_TLS_LAST=0.000, RCVD_VIA_SMTP_AUTH=0.000
        RECEIVED_SPAMHAUS_PBL=0.000, R_DKIM_NA=0.000, R_MIXED_CHARSET=0.833
        R_SPF_NA=0.000, TO_DN_NONE=0.000, TO_MATCH_ENVRCPT_ALL=0.000]
Received: from test.example.org (test.example.org [ip_address])
        by mx1.example.org (OpenSMTPD) with ESMTPS id fb881b9c (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO)
        for <f...@example.org>;
        Thu, 27 May 2021 21:03:44 +0200 (CEST)
Received: from localhost (test.example.org [local])
        by test.example.org (OpenSMTPD) with ESMTPA id e5c30d49
        for <f...@example.org>;
        Thu, 27 May 2021 21:03:42 +0200 (CEST)
From: Firstname Lastname <f...@test.example.org>
Date: Thu, 27 May 2021 21:03:42 +0200 (CEST)
To: f...@example.org
Subject: test test to mx1
Message-ID: <43f2f42880d1a...@test.example.org>

--

The filters mark the message as spam but it can not say if it is the 
rspamd of the senderscore filter.


This is why I tried to bypass these filters with the white list.

Regards.

On Fri, 4 June 2021 at 12:51, Reio Remma <r...@mrstuudio.ee> wrote:


On 04.06.2021 13:44, François RONVAUX wrote:


So I have a domain "example.org", the MX for this domain is "mx1.example.org"
with a real user "foo".
There is another server "test.example.org" with the same real user.

When I send a mail from "f...@test.example.org" to "f...@example.org", the
message lands into the junk folder of "f...@mx1.example.org", instead of
landing into the inbox.


Is it junked by the Senderscore filter?

Good luck,
Reio





Re: Filter issue

2021-06-04 Thread Reio Remma

On 04.06.2021 13:44, François RONVAUX wrote:


So I have a domain "example.org", the MX for this domain is "mx1.example.org"
with a real user "foo".
There is another server "test.example.org" with the same real user.

When I send a mail from "f...@test.example.org" to "f...@example.org", the
message lands into the junk folder of "f...@mx1.example.org", instead of
landing into the inbox.


Is it junked by the Senderscore filter?

Good luck,
Reio


Re: smtpctl spf walk -6 ?

2021-05-12 Thread Reio Remma

On 12.05.2021 14:33, Harald Dunkel wrote:

On 5/12/21 8:56 AM, nathanael wrote:


this is what i get on my machine:

~ echo spf.protection.outlook.com | smtpctl spf walk
40.92.0.0/15
40.107.0.0/16
52.100.0.0/14
104.47.0.0/17
2a01:111:f400::/48
2a01:111:f403::/48
51.4.72.0/24
51.5.72.0/24
51.5.80.0/27
20.47.149.138/32
51.4.80.0/27
2a01:4180:4051:0800::/64
2a01:4180:4050:0800::/64
2a01:4180:4051:0400::/64
2a01:4180:4050:0400::/64

no idea why you don't see the ipv6 addresses



On OpenBSD 6.8 and 6.9 I get the expected result, too. The problem
shows up on Debian 10 and Unstable (opensmtpd 6.8.0p2).

Using strace I verified that smtpctl and dig connect to the same DNS
server. Yet dig reports the IPv6 addresses, smtpctl spf walk doesn't.
It's unlikely that the DNS server drops the IPv6 addresses from a TXT
record, anyway.

Maybe it's a problem of the BSD compatibility layer, included in
the portable version?


Regards
Harri


I see the same on CentOS 8 with 6.8p2:

echo spf.protection.outlook.com | smtpctl spf walk

40.92.0.0/15
40.107.0.0/16
52.100.0.0/14
104.47.0.0/17
51.4.72.0/24
51.5.72.0/24
51.5.80.0/27
20.47.149.138/32
51.4.80.0/27

Good luck,
Reio



Re: Handling of local delivery errors: TempFail on 5xx?

2021-04-08 Thread Reio Remma

On 08.04.2021 09:48, Tom Szilagyi wrote:

I can provoke this on two occasions:

1. User does not exist:

Apr 8 08:03:45 mail smtpd[26476]: 5d56b355f19e7a92 mda delivery
evpid=9d6aa2bcd0d53c97 from=
to= rcpt=
user=vmail delay=10s result=TempFail stat=Error (temporary failure:
"mail.lmtp: LMTP server error: 550 5.1.1 
User doesn't exist: nosuchaddr...@example.com")


Does this not mean, that the user exists in OpenSMTPD, but doesn't exist 
in LMTP side? That's a server problem and should be resolved, making it 
a temporary error. Unless you haven't set up the users database in your 
OpenSMTPD and just send everything to your LMTP server.



2. User quota is full:

Apr 8 07:45:39 mail smtpd[1517]: 65b4cb1b1ad15fa4 mda delivery
evpid=3a1e3c3302257a66 from=
to= rcpt= user=vmail
delay=10s result=TempFail stat=Error (temporary failure: "mail.lmtp:
LMTP server error: 552 5.2.2  Quota exceeded
(mailbox for user is full)")


Quota may be resolved in the next minute by the user, so it's also not a 
permanent error.



Local delivery is handed over to Dovecot via:
   action "domain_mail" lmtp "/var/dovecot/lmtp" rcpt-to virtual 


My config rejects non-existing users immediately within the SMTP connection:

match from any for domain  rcpt-to  action deliver_lmtp

action deliver_lmtp lmtp "/var/run/dovecot/lmtp" rcpt-to virtual 
 userbase 


Do you have user checking in your match rule?

Good luck!
Reio



Re: warn: table-proc: pipe closed (Probably mySQL-hassle and a newbie-question)

2020-08-16 Thread Reio Remma

On 16.08.2020 03:15, Fabian Müller wrote:


So what we know: It has something to do with the mysql-tables. What I 
don’t understand is, what opensmtpd is trying to do which leads to 
that error. To my understanding opensmtpd should only try to connect 
to the database if it needs to read from the tables, which – if just 
starting up – obviously is not the case.




IIRC OpenSMTPD opens the connection to MySQL server at startup. Just 
like it opens all other tables at startup.


Anything in MySQL logs? I'm fairly certain it is a connection issue.

Like Edgar recommended, try running smtpd -dv possibly with trace 
enabled as well.


Good luck,
Reio



Re: syslog logging changed ?

2020-06-26 Thread Reio Remma

On 26.06.2020 18:03, Harald Dunkel wrote:

Hi folks,

before 6.7 the smtpd log file entries were easy to find: Just
look for "smtpd" in /var/log/mail.log.

With 6.7 this became "y express". On OpenBSD 6.7 it's still "smtpd"
as expected, so I wonder wth?


Regards
Harri



Unfortunately something has broken since last release.

I was unable to track it down myself:

https://github.com/OpenSMTPD/OpenSMTPD/issues/1059

Good luck!
Reio




OpenSMTPD 6.7.0 issue on CentOS 8.

2020-05-02 Thread Reio Remma

Hello!

I just thought to try out current portable and built an RPM
based on my 6.6.4 RPM, which went fine. However when running
the daemon, syslog messages are broken.

May  2 12:32:13 centos8 smtpd[124028]: info: OpenSMTPD 6.7.0-portable starting
May  2 12:32:50 centos8 journal[124033]: y express[124033]: 6ad20154b7c9470a 
smtp connected address=local host=centos8

 ^^

Any ideas what might be causing it?

Thanks!
Reio



Re: OpenSMTPd + Dovecot + mlmmj infinite loop while sending messages from localhost to any remote addresses

2020-03-10 Thread Reio Remma

Try running 'smtpd -d -T rules' and see what rule you're hitting.

Or alternatively 'smtpctl trace rules' and look at maillog and later 
turn it off with 'smtpctl untrace rules'.


match auth most likely doesn't work at all if you submit to port 25 
without authentication.


Good luck,
Reio

On 10/03/2020 15:35, Martin wrote:

table reject-subnet file:/etc/mail/reject-subnet (contains 192.168.2.0/24)
table reject-domain file:/etc/mail/reject-domain (contains nothing)
table reject-domain file:/etc/mail/reject-domain-helo (contains nothing)

action "local-aliases" lmtp "/var/dovecot/lmtp" rcpt-to alias 
action "virtual-users" lmtp "/var/dovecot/lmtp" rcpt-to alias 
action "spampd-in" relay host smtp://127.0.0.1:10025
action "dkim-sign" relay host smtp://127.0.0.1:1027
action "outbound" relay src  helo-src 

match from src  for any reject
match from any mail-from  for any reject
match from any helo  for any reject

match from local for local action "local-aliases"
match tag SPAM_IN fro local action "local-aliases"
match from any for domain  action "virtual-users"
match tag SPAM_IN from any for domain  action "virtual-users"

match tag DKIM_OUT for any action "outbound"
match auth from any for any action "outbound"


‐‐‐ Original Message ‐‐‐
On Tuesday, March 10, 2020 1:22 PM, Reio Remma  wrote:


On 10/03/2020 15:18, Martin wrote:


Hello list,
Undefined problem with mail infinite looping if I send messages from mail
server's localhost to any domains outside.
If I sent mail from mail server itself (from localhost) to aliased
addresses and virtuals on the same mail's server domain, all the
messages delivered fine even sent from localhost.
In two sentences:
Sending from localhost to 'remote' addresses > infinite loop
Sending from localhost to 'local' aliases and virtual users > all
works fine
In both ways I'm using Mutt locally on mail server. Mutt connects to
127.0.0.1:25 in clear without any auth.
$ cat /etc/smtpd.conf
...
table aliases db:/etc/mail/aliases.db
table virtuals db:/etc/mail/virtuals.db
listen on lo0 tls pki smtp.domain.tld mask-src no-dsn hostname
 tag SMTP
action "local-aliases" lmtp "/var/dovecot/lmtp" rcpt-to alias 
action "virtual-users" lmtp "/var/dovecot/lmtp" rcpt-to virtual 
action "outbound" relay src  helo-src 
match auth from any for any action "outbound"

What are your other match rules (in correct order)?

Reio





--
Best regards
Reio Remma

*MR Stuudio OÜ*
Tondi 17b, 11316, Tallinn
Tel +372 650 4808
Mob +372 56 22 00 33
r...@mrstuudio.ee
www.mrstuudio.ee





Re: OpenSMTPd + Dovecot + mlmmj infinite loop while sending messages from localhost to any remote addresses

2020-03-10 Thread Reio Remma

On 10/03/2020 15:18, Martin wrote:

Hello list,

Undefined problem with mail infinite looping if I send messages from mail
server's localhost to any domains outside.

If I sent mail from mail server itself (from localhost) to aliased
addresses and virtuals on the same mail's server domain, all the
messages delivered fine even sent from localhost.

In two sentences:
Sending from localhost to 'remote' addresses > infinite loop
Sending from localhost to 'local' aliases and virtual users > all 
works fine


In both ways I'm using Mutt locally on mail server. Mutt connects to 
127.0.0.1:25 in clear without any auth.


$ cat /etc/smtpd.conf
...
table aliases db:/etc/mail/aliases.db
table virtuals db:/etc/mail/virtuals.db

listen on lo0 tls pki smtp.domain.tld mask-src no-dsn hostname
 tag SMTP

action "local-aliases" lmtp "/var/dovecot/lmtp" rcpt-to alias 
action "virtual-users" lmtp "/var/dovecot/lmtp" rcpt-to virtual 
action "outbound" relay src  helo-src 

match auth from any for any action "outbound"


What are your other match rules (in correct order)?

Reio



Re: OpenSMTPD on CentOS 8.

2020-03-07 Thread Reio Remma
On 7. Mar 2020, at 04:27, Ihor Antonov  wrote:
> 
> On 2020-03-07 02:30, Reio Remma wrote:
>>> On 07.03.2020 0:41, Ihor Antonov wrote:
>>> On 2020-03-06 23:05, Reio Remma wrote:
>>>> Hello!
>>>> 
>>>> I was forced to upgrade our mail server to CentOS 8 (thanks to hardware
>>>> failure on the old machine). I've successfully built an RPM of OpenSMTPD for
>>>> CentOS 8 and it's running nicely, however I've a problem with the global
>>>> crypto policies in CentOS 8.
>>>> 
>>>> Namely the DEFAULT crypto policy disables TLSv1 for OpenSMTPD. Has anyone
>>>> got any experience on how to allow TLSv1 for OpenSMTPD without downgrading
>>>> the whole system from DEFAULT to LEGACY crypto policy?
>>> Just out of curiosity - why do you need TLSv1 on OpenSMTPD? (Especially
>>> since it is considered to be not safe)
>> 
>> Because my thinking is it's better than the plain text the clients fall back
>> to. Or is it not so?
> 
> Good question. Will other smtp servers fall back to plaintext if
> TLSv1.1+ is not available? TLS 1.2 is about 10 years old.. I would not
> force TLSv1.3 yet, but I also really don't want to communicate with
> systems that are so outdated that they don't support TLSv1.2. But that is
> a matter of personal choice probably.

I did have an overly optimistic experiment some time ago where IIRC I 
restricted smtpd to TLSv1.2. Unfortunately that resulted in several mails per 
day from banks, government agencies, etc. being lost. Unfortunately there are a 
lot of outdated set and forget servers out there (like our old qmail setup that 
had TLSv1 as max).

Reio



Re: OpenSMTPD on CentOS 8.

2020-03-06 Thread Reio Remma

On 07.03.2020 0:41, Ihor Antonov wrote:

On 2020-03-06 23:05, Reio Remma wrote:

Hello!

I was forced to upgrade our mail server to CentOS 8 (thanks to hardware
failure on the old machine). I've successfully built an RPM of OpenSMTPD for
CentOS 8 and it's running nicely, however I've a problem with the global
crypto policies in CentOS 8.

Namely the DEFAULT crypto policy disables TLSv1 for OpenSMTPD. Has anyone
got any experience on how to allow TLSv1 for OpenSMTPD without downgrading
the whole system from DEFAULT to LEGACY crypto policy?

Just out of curiosity - why do you need TLSv1 on OpenSMTPD? (Especially
since it is considered to be not safe)


Because my thinking is it's better than the plain text the clients fall 
back to. Or is it not so?


Reio



OpenSMTPD on CentOS 8.

2020-03-06 Thread Reio Remma

Hello!

I was forced to upgrade our mail server to CentOS 8 (thanks to hardware 
failure on the old machine). I've successfully built an RPM of OpenSMTPD 
for CentOS 8 and it's running nicely, however I've a problem with the 
global crypto policies in CentOS 8.


Namely the DEFAULT crypto policy disables TLSv1 for OpenSMTPD. Has 
anyone got any experience on how to allow TLSv1 for OpenSMTPD without 
downgrading the whole system from DEFAULT to LEGACY crypto policy?


OpenSMTPD has "smtp ciphers" directive which does overwrite the global 
ciphers set by the crypto policy, but there doesn't seem to be a way to 
set minimum TLS version for OpenSMTPD.


Any help would be welcome!

Thanks!
Reio



Re: request (privately) for maillog

2020-02-24 Thread Reio Remma

On 24.02.2020 19:41, Peter J. Philipp wrote:

Hi,

I got another "bouncing messages from misc@opensmtpd.org" message.  The
particular message was 4669 that bounced.  Yet I have no record of this in
my maillog, so I suspect a DNS fault.


I received the same message - suspect the problem was on the list side.

Good luck
Reio



Re: 421 errors

2020-02-18 Thread Reio Remma

On 18/02/2020 01:48, Jeff Moskow wrote:

Hi,

I recently replaced an older Linux Postfix server with a new OpenBSD
(6.6) and OpenSMTPD 6.6.0.

Most things are working fine, but email sent to my secondary MX server
never get accepted by my OpenSMTPD server -- they always get a 421 error
that looks like this:

smtp failed-command command="DATA" result="421 try again later"

The secondary MX server is running OpenBSD/postfix and reports message
statuses like this:

(host foo.bar.com[192.168.2.2] said: 421 try again later (in reply to 
end of DATA command))

Does anyone have some suggestions on what I should be looking for/at to
diagnose/fix this problem?

Thanks,
Jeff



Hello!

If possible, try running OpenSMTPD in debug mode: 'smtpd -dv' and see if 
it provides more info.


Other than that, do you maybe have greylisting implemented?

Good luck,
Reio



Re: filter bug?

2020-02-01 Thread Reio Remma

Hello!

The token|session id in v0.4 of the filter protocol were swapped to the 
more sensible session id|token order in v0.5. I believe the docs are 
still being worked on and will apply to the v0.5 protocol.


For example filter-rspamd was recently updated to work with both 
versions, switching the argument order as needed.


Good luck,
Reio

On 01.02.2020 4:18, Edgar Pettijohn wrote:
Not sure if it's a documentation bug or not, but smtpd-filters.7 states 
the following:

 For all phases, excepted "data-line", the responses must follow the same
 construct, a message type "filter-result", followed by the unique session
 id, the opaque token, a decision and optional decision-specific
 parameters:

   filter-result|7641df9771b4ed00|1ef1c203cc576e5d|proceed
   filter-result|7641df9771b4ed00|1ef1c203cc576e5d|reject|550 nope

For my filter I had to send:

            filter-result|$token|$sid|proceed

It also shows the following for connect:

 connect: rdns fcrdns src dest
 This request is emitted after connection, before the banner is
 displayed.

I'm only seeing 9 fields though and expected 11.

mail$ uname -a
OpenBSD mail.pettijohn-web.com 6.6 GENERIC#4 amd64

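#!/usr/bin/awk -f

# Not thoroughly tested, but if you want to use it pretend there is the ISC
# license here.

# Messages carry the user name and address from the SMTP session, so reduce
# them to a safe character set and single-quote them before the shell sees them.
function clean(msg) {
    gsub(/[^A-Za-z0-9@._:+ -]/, "_", msg)
    return "'" msg "'"
}

function logit(msg) {
    system("logger -p mail.info " clean(msg))
}

function die(msg) {
    system("logger -p mail.err -s " clean(msg))
    exit 1
}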

BEGIN {
    ARGC = 0
    FS = "|"
    OFS = FS
    version = 0.4
    allowed = 3
    logit("filter-authban: starting...")
}

"config|ready" == $0 {
    print "register|report|smtp-in|link-connect"
    print "register|report|smtp-in|link-disconnect"
    print "register|report|smtp-in|link-auth"
    print "register|filter|smtp-in|connect"
    print "register|ready"
    next
}

"link-connect" == $5 {
    if (NF < 10)
        die("invalid input for link-connect")
    if ($2 != version)
        die("version mismatch")
    sid = $6
    src = $9

    state[sid] = src
}

"link-auth" == $5 {
    if (NF < 8)
        die("invalid input for link-auth")
    if ($2 != version)
        die("version mismatch")
    sid = $6
    user = $7
    result = $8

    if (state[sid]) {
        split(state[sid], ip, ":")
        addr = ip[1]
        if (result == "fail") {
            logit("auth failure for " user " from " addr)
            state[addr] += 1
        }
        if (state[addr] >= allowed)
            banned[addr] = 1
    }
}

"link-disconnect" == $5 {
    if (NF < 6)
        die("invalid input for link-disconnect")
    if ($2 != version)
        die("version mismatch")
    sid = $6

    delete state[sid]
}

"connect" == $5 {
    if ($2 != version)
        die("version mismatch")
    sid = $6
    token = $7
    src = $9

    if (banned[src]) {
        logit("rejecting connection from: " src)
        print "filter-result|" token "|" sid "|reject|550 go away"
    } else {
        print "filter-result|" token "|" sid "|proceed"
    }
}

END {
    logit("filter-authban: stopping...")
}

Thanks,


Edgar







Re: OpenSMTPD 6.6.2p1 released: addresses CRITICAL vulnerability

2020-01-29 Thread Reio Remma

On 29/01/2020 00:30, gil...@poolp.org wrote:

Hello misc@,

Qualys has found a critical vulnerability leading to a possible privilege 
escalation.

It is very important that you upgrade your setups AS SOON AS POSSIBLE.

We'll provide more details when the advisory will be out and I'll take time to write
about how this bug was made possible, but in the meantime get your setups fixed!



Thanks a lot for the heads up! Updated my CentOS 7 packages.

Thanks,
Reio



Re: Unable to use .forward with snmpd

2019-12-18 Thread Reio Remma

What about perms on the initially generated .forward file?

Reio

On 18.12.2019 19:50, Юрий Иванов wrote:

I've created directory through regular RoundCube web interface.
Base directory:
suser@webmail:~$ ll Maildir/
total 188
drwx-- 13 suser suser  4096 Dec 18 19:42 ./
drwxr-xr-x  6 suser suser  4096 Dec 18 09:07 ../
drwx--  5 suser suser  4096 Dec 18 16:37 .Drafts/
drwx--  5 suser suser  4096 Dec 18 19:41 .Sent/
...
drwx--  2 suser suser 12288 Dec 18 19:41 cur/
-rw---  1 suser suser  3311 Dec 18 19:38 dovecot-uidlist
-rw---  1 suser suser     8 Dec 17 09:42 dovecot-uidvalidity
-r--r--r--  1 suser suser     0 Dec 10 11:43 dovecot-uidvalidity.5def68bc
-rw---  1 suser suser  1608 Dec 18 19:37 dovecot.index
...
-rw---  1 suser suser   192 Dec 17 09:42 dovecot.mailbox.log
drwx--  2 suser suser  4096 Dec 18 18:01 new/
-rw---  1 suser suser    53 Dec 17 09:42 subscriptions
drwx--  2 suser suser  4096 Dec 18 18:00 tmp/

Admin dir, that was created via roundcube web interface:
suser@webmail:~$ ll Maildir/.admin/
total 32
drwx--  5 suser suser 4096 Dec 16 19:26 ./
drwx-- 13 suser suser 4096 Dec 18 19:42 ../
drwx--  2 suser suser 4096 Dec 16 19:26 cur/
-rw---  1 suser suser   51 Dec 16 19:26 dovecot-uidlist
...

suser@webmail:~$ ll Maildir/.admin/cur/
total 8
drwx-- 2 suser suser 4096 Dec 16 19:26 ./
drwx-- 5 suser suser 4096 Dec 16 19:26 ../

Normal home directory:
suser@webmail:~$ ll
total 256
drwxr-xr-x  6 suser suser   4096 Dec 18 09:07 ./
drwxr-xr-x 51 root  root    4096 Dec 17 14:36 ../
-rw---  1 suser suser    875 Dec 16 20:24 .bash_history
-rw-r--r--  1 suser suser    220 Dec 10 08:46 .bash_logout
-rw-r--r--  1 suser suser   3771 Dec 10 08:46 .bashrc
drwx--  2 suser suser   4096 Dec 10 09:15 .cache/
drwx--  3 suser suser   4096 Dec 10 09:15 .gnupg/
-rw-r--r--  1 suser suser    807 Dec 10 08:46 .profile
-rw-r--r--  1 suser suser      0 Dec 10 09:25 .sudo_as_admin_successful
-rw---  1 root  root    1129 Dec 11 09:42 .viminfo
drwx-- 13 suser suser   4096 Dec 18 19:42 Maildir/

From: Edgar Pettijohn
Sent: 18 December 2019, 19:28
To: misc@opensmtpd.org; Юрий Иванов
Subject: Re: Unable to use .forward with snmpd


On Dec 18, 2019 8:47 AM, Юрий Иванов  wrote:
>
> Hi, I'm using snmpd with roundcube.
>
> After creating .forward file I apply chmod 400 .forward, so no errors in my mail.err log.
> Default permissions leads to generating warn in logs:
> smtpd[6275]: warn: smtpd: /home/suser/.forward: unsecure file
>
> Content is more or less default:
>
> ad...@mydomain.com        # anything after # is ignored
> "|/home/suser/Maildir/.admin/new/"
>
> As the result my mail is not working:
>
> Dec 18 12:54:33 webmail smtpd[6279]:  mda event=delivery evpid=3b98bdcf411c5f9a from= to= user=suser method=mda delay=3h48m10s result=TempFail stat=Error ("/bin/sh: 1: /home/suser/Maildir/.admin/new/: Permission denied")
>

What are the permissions for the directory you are forwarding to?

> Thanks in advance





Re: How to display ip address in syslog on linux?

2019-12-01 Thread Reio Remma

On 01.12.2019 1:46, Demetri A. Mkobaranov wrote:

On 11/30/19 6:56 PM, Reio Remma wrote:


I made a filter for myself to log failed auth attempts with IP to use 
in fail2ban.

do you mean a fail2ban filter?



It's a reporter filter in OpenSMTPD that gathers IP addresses for failed 
auth and then writes them to maillog:


Nov 27 01:02:26 host smtpd[29787]: auth-reporter: failed authentication 
from user=username address=113.172.130.229 host=static.vnpt.vn


Fail2ban takes it from there.
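
A reporter of the kind described in this message, as an added example (not Reio's filter and not project code): it follows link-connect, link-auth and link-disconnect events, builds a log line in the format shown above, and answers connect requests with the filter-result field order the "filter bug?" thread gives for protocol 0.4 and 0.5. Field positions are taken from the awk script quoted in that thread; the names, the threshold, the bracketed IPv6 source form and the ordering of link-connect before the connect request are assumptions.

```python
import re

MAX_FAILURES = 3  # assumption: same threshold as "allowed" in the awk script


def version_tuple(version):
    # Compare protocol versions numerically so "0.10" sorts after "0.5".
    return tuple(int(part) for part in version.split("."))


def source_address(src):
    # "192.0.2.7:33174" -> "192.0.2.7"; "[2001:db8::1]:587" -> "2001:db8::1"
    # (the bracketed IPv6 form is an assumption about how the source is printed).
    if src.startswith("[") and "]" in src:
        return src[1:src.index("]")]
    host, sep, _port = src.rpartition(":")
    return host if sep else src


def safe_field(value):
    # The user name is attacker-controlled: keep it from injecting spaces or
    # an "address=" token that a fail2ban regex would pick up.
    return re.sub(r"[^\w.@+-]", "_", value)


def filter_result(version, sid, token, decision, parameter=None):
    # Protocol 0.4 wants token|session id, 0.5 and later session id|token.
    ids = [token, sid] if version_tuple(version) < (0, 5) else [sid, token]
    fields = ["filter-result", *ids, decision]
    if parameter is not None:
        fields.append(parameter)
    return "|".join(fields)


class AuthReporter:
    REGISTER = [
        "register|report|smtp-in|link-connect",
        "register|report|smtp-in|link-disconnect",
        "register|report|smtp-in|link-auth",
        "register|filter|smtp-in|connect",
        "register|ready",
    ]

    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self.sessions = {}  # session id -> (address, rdns)
        self.failures = {}  # address -> failed authentication count
        self.log = []       # lines a deployed filter would send to syslog

    def handle(self, line):
        """Process one protocol line and return the lines to print on stdout."""
        line = line.rstrip("\n")
        if line == "config|ready":
            return list(self.REGISTER)
        fields = line.split("|")
        if len(fields) < 6 or fields[0] not in ("report", "filter"):
            return []
        kind, version, event, sid, params = (
            fields[0], fields[1], fields[4], fields[5], fields[6:])
        if kind == "report":
            self.report(event, sid, params)
            return []
        # Assumption: the link-connect report for a session has been seen
        # before its connect request; an unknown session is let through.
        if event == "connect" and params:
            address = self.sessions.get(sid, (None, None))[0]
            if self.failures.get(address, 0) >= self.max_failures:
                return [filter_result(version, sid, params[0], "reject", "550 go away")]
            return [filter_result(version, sid, params[0], "proceed")]
        return []

    def report(self, event, sid, params):
        if event == "link-connect" and len(params) >= 3:
            # params: rdns, fcrdns, src, dest
            self.sessions[sid] = (source_address(params[2]), params[0])
        elif event == "link-disconnect":
            self.sessions.pop(sid, None)
        elif event == "link-auth" and len(params) >= 2 and sid in self.sessions:
            # 0.4 layout from the awk script: user name, then result. Taking the
            # result from the end keeps a "|" inside the user name harmless.
            username, result = "|".join(params[:-1]), params[-1]
            if result != "fail":
                return
            address, rdns = self.sessions[sid]
            self.failures[address] = self.failures.get(address, 0) + 1
            self.log.append(
                "auth-reporter: failed authentication from user=%s address=%s host=%s"
                % (safe_field(username), address, safe_field(rdns)))


if __name__ == "__main__":
    import sys
    reporter = AuthReporter()
    for raw in sys.stdin:
        for out in reporter.handle(raw):
            print(out, flush=True)
        while reporter.log:  # stderr stands in for syslog here
            print(reporter.log.pop(0), file=sys.stderr, flush=True)
```
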




Re: How to display ip address in syslog on linux?

2019-11-30 Thread Reio Remma

On 30.11.2019 18:50, Demetri A. Mkobaranov wrote:

Hello,

I'm trying to write a fail2ban filter for v.0.6.0.2 running on Debian 
10 but I don't see the ip address of the client displayed in syslog.


smtpctl log verbose doesn't help.

This is all I get:

Nov 30 16:48:29 dctl smtpd[9063]: 9ecee3c84e91538d smtp 
event=authentication user=i...@example.com result=permfail
Nov 30 16:48:30 dctl smtpd[9063]: smtp-in: Failed command on session 
9ecee3c84e91538d: "AUTH PLAIN (...)" => 535 Authentication failed


Is there any way to force smtpd to log the ip address of the client?


I made a filter for myself to log failed auth attempts with IP to use in 
fail2ban.


Good luck,
Reio



Re: Mailing list expansion problem.

2019-11-01 Thread Reio Remma

On 02.11.2019 0:41, Reio Remma wrote:

On 31.10.2019 10:06, gil...@poolp.org wrote:

October 26, 2019 1:23 PM, "Reio Remma"  wrote:


On 26/10/2019 14:18, Reio Remma wrote:


On the subject of catch all aliases, I tried adding one to my setup with odd 
results.

My usual setup with virtual users:

action deliver_lmtp lmtp "/var/run/dovecot/lmtp" rcpt-to virtual  userbase 

match from any for domain  rcpt-to  action deliver_lmtp

To get catch all working, I had to remove rcpt-to  from the match:

match from any for domain  action deliver_lmtp

Otherwise the response was: 550 Invalid recipient:

Once I removed the actual catch all alias and sent mail to a non-existent 
account, the usual:

550 Invalid recipient:

turned into:

524 5.2.4 Mailing list expansion problem:

Any ideas how I could use a catch all alias _and_ get a proper 550 Invalid 
recipient if I don't?

This is all with the current (v6.6) portable from a week ago or so.

This error occurs when aliases expansion encounters an error during its 
processing,
there's not enough info here to understand what happened in the expansion loop:

- it is likely a table content issue either in virtuals or in userinfo table or 
both
- using `smtpd -dv -T expand` will help you understand what went wrong during 
expansion

Gilles


A couple of hours reading code and I'm fairly certain catchall aliases 
don't work at all with database backends.


Mailaddr lookups from static tables use mailaddr_match to compare 
address parts with catchall aliases, but table-mysql for example 
doesn't do any extra work.


expand: 0x23b6628: expand_insert() called for address:du...@domain.com[parent=(nil), rule=(nil)]
expand: 0x23b6628: inserted node 0x23b8320
expand: lka_expand: address: du...@domain.com [depth=0]
lookup: match "209.85.167.41" as NETADDR in table static: -> true
lookup: match "domain.com" as DOMAIN in table static: -> true
lookup: match "sen...@gmail.com" as MAILADDR in table proc:blacklist -> false
lookup: match "209.85.167.41" as NETADDR in table static: -> true
lookup: match "domain.com" as DOMAIN in table proc:domains -> true
lookup: match "du...@domain.com" as MAILADDR in table proc:recipients -> false
lookup: match "209.85.167.41" as NETADDR in table static: -> false
lookup: match "209.85.167.41" as NETADDR in table static: -> true
lookup: match "domain.com" as DOMAIN in table static: -> true
lookup: match "209.85.167.41" as NETADDR in table static: -> false
lookup: match "209.85.167.41" as NETADDR in table static:sources -> false
no rule matched

The only query I see in the query log is trying to match the full 
recipient address:


SELECT mailaddr FROM virtuals WHERE mailaddr = 'du...@domain.com'

This works:

match from any for domain  rcpt-to {'@domain.com', ... } action deliver

This doesn't:

match from any for domain  rcpt-to  action deliver
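
The difference described in this message, as an added example (not OpenSMTPD or table-mysql code): a part-wise comparison, where an empty user part in the table entry acts as a wildcard, accepts a catch-all entry, while a backend that only runs the exact-match query from the query log never finds it. SQLite stands in for MySQL, the part-wise matcher is a simplified model, and all addresses and names are constructed.

```python
import sqlite3


def split_address(address):
    # "@domain.example" -> ("", "domain.example"); "bob@" -> ("bob", "")
    # Assumption: every entry and recipient contains an "@".
    user, _, domain = address.rpartition("@")
    return user.lower(), domain.lower()


def static_match(recipient, entry):
    """Part-wise match: an empty user or domain part in the entry is a wildcard."""
    r_user, r_domain = split_address(recipient)
    e_user, e_domain = split_address(entry)
    if e_domain and e_domain != r_domain:
        return False
    if e_user and e_user != r_user:
        return False
    return True


def static_lookup(entries, recipient):
    # What a static table such as {'@domain.example', ...} gives you.
    return any(static_match(recipient, entry) for entry in entries)


def make_db(entries):
    # In-memory stand-in for the database-backed table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE virtuals (mailaddr TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO virtuals VALUES (?)", [(e,) for e in entries])
    return conn


def db_lookup(conn, recipient):
    # Same shape as the query seen in the query log: the full recipient
    # address is the key, so the '@domain.example' row is never selected.
    row = conn.execute(
        "SELECT mailaddr FROM virtuals WHERE mailaddr = ?", (recipient,)
    ).fetchone()
    return row is not None


def compare(entries, recipients):
    # recipient -> (static table result, database table result)
    conn = make_db(entries)
    return {r: (static_lookup(entries, r), db_lookup(conn, r)) for r in recipients}


# Constructed sample data.
ENTRIES = ["@domain.example", "alice@other.example"]
RECIPIENTS = ["dummy@domain.example", "alice@other.example", "bob@other.example"]

if __name__ == "__main__":
    for rcpt, (static_hit, db_hit) in compare(ENTRIES, RECIPIENTS).items():
        print(f"{rcpt:24} static={static_hit} database={db_hit}")
```
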




Re: Mailing list expansion problem.

2019-11-01 Thread Reio Remma

On 31.10.2019 10:06, gil...@poolp.org wrote:

October 26, 2019 1:23 PM, "Reio Remma"  wrote:


On 26/10/2019 14:18, Reio Remma wrote:


On the subject of catch all aliases, I tried adding one to my setup with odd 
results.

My usual setup with virtual users:

action deliver_lmtp lmtp "/var/run/dovecot/lmtp" rcpt-to virtual  userbase 

match from any for domain  rcpt-to  action deliver_lmtp

To get catch all working, I had to remove rcpt-to  from the match:

match from any for domain  action deliver_lmtp

Otherwise the response was: 550 Invalid recipient: 

Once I removed the actual catch all alias and sent mail to a non-existent 
account, the usual:

550 Invalid recipient: 

turned into:

524 5.2.4 Mailing list expansion problem: 

Any ideas how I could use a catch all alias _and_ get a proper 550 Invalid 
recipient if I don't?

This is all with the current (v6.6) portable from a week ago or so.


This error occurs when aliases expansion encounters an error during its 
processing,
there's not enough info here to understand what happened in the expansion loop:

- it is likely a table content issue either in virtuals or in userinfo table or 
both
- using `smtpd -dv -T expand` will help you understand what went wrong during 
expansion

Gilles


A couple of hours reading code and I'm fairly certain catchall aliases 
don't work at all with database backends.


Mailaddr lookups from static tables use mailaddr_match to compare 
address parts with catchall aliases, but table-mysql for example doesn't 
do any extra work.


Reio


Re: Announce: OpenSMTPD 6.6.0 released

2019-10-26 Thread Reio Remma

On 26.10.2019 16:18, Gilles Chehade wrote:

OpenSMTPD 6.6.0 has just been released.

OpenSMTPD is a FREE implementation of the SMTP protocol with some common
extensions. It allows ordinary machines to exchange e-mails with systems
speaking the SMTP protocol. It implements a fairly large part of RFC5321
and can already cover a large range of use-cases.

It runs on OpenBSD, NetBSD, FreeBSD, DragonFlyBSD and glibc-based Linux.


If anyone on CentOS 7 wants to give it a go, I've uploaded a fresh 
CentOS 7 RPM here:


https://github.com/whataboutpereira/OpenSMTPD/releases

It's built statically against OpenSSL 1.1.1d and therefore supports TLS 
v1.3.


Good luck,
Reio



Re: Mailing list expansion problem.

2019-10-26 Thread Reio Remma

On 26/10/2019 14:18, Reio Remma wrote:
On the subject of catch all aliases, I tried adding one to my setup 
with odd results.


My usual setup with virtual users:

action deliver_lmtp lmtp "/var/run/dovecot/lmtp" rcpt-to virtual 
 userbase 


match from any for domain  rcpt-to  action 
deliver_lmtp


To get catch all working, I had to remove rcpt-to  from 
the match:


match from any for domain  action deliver_lmtp

Otherwise the response was: 550 Invalid recipient: 

Once I removed the actual catch all alias and sent mail to a 
non-existent account, the usual:


550 Invalid recipient: 

turned into:

524 5.2.4 Mailing list expansion problem: 

Any ideas how I could use a catch all alias _and_ get a proper 550 
Invalid recipient if I don't? 


This is all with the current (v6.6) portable from a week ago or so.



Mailing list expansion problem.

2019-10-26 Thread Reio Remma
On the subject of catch all aliases, I tried adding one to my setup with 
odd results.


My usual setup with virtual users:

action deliver_lmtp lmtp "/var/run/dovecot/lmtp" rcpt-to virtual 
 userbase 


match from any for domain  rcpt-to  action deliver_lmtp

To get catch all working, I had to remove rcpt-to  from the 
match:


match from any for domain  action deliver_lmtp

Otherwise the response was: 550 Invalid recipient: 

Once I removed the actual catch all alias and sent mail to a non-existent 
account, the usual:


550 Invalid recipient: 

turned into:

524 5.2.4 Mailing list expansion problem: 

Any ideas how I could use a catch all alias _and_ get a proper 550 
Invalid recipient if I don't?


Thanks,
Reio




Re: Accept mail for all recipients

2019-10-26 Thread Reio Remma

On 26/10/2019 13:35, Sergey Seacher wrote:

Hello!

How can I make opensmtpd accept mail for all recipients: those that are 
present in the file /etc/opensmtpd/aliases and those that are not present?

I had the rule in my /etc/opensmtpd/smtpd.conf file:

accept \
   from any \
   for domain domain.ltd alias  \
   deliver to lmtp "/run/dovecot/lmtp" rcpt-to

I have changed this rule to:

accept \
   from any \
   for domain domain.ltd \
   deliver to lmtp "/run/dovecot/lmtp" rcpt-to

Now, if I send to any recipient in my domain, for example 
rggg...@domain.ltd, I receive error 550, but I need mail to be delivered 
to i...@domain.ltd


Do you mean a catch all alias? Try adding to your aliases file:

@domain.ltd i...@domain.ltd

And re-add alias  to your accept rule.

Good luck,
Reio


Re: Portable buildung issues

2019-10-22 Thread Reio Remma

Looks suspiciously like this.

https://github.com/OpenSMTPD/OpenSMTPD/issues/944

Good luck,
Reio

On 22/10/2019 14:45, gil...@poolp.org wrote:

we really really really need more details, I have no idea what system that is 
:-)

October 22, 2019 1:38 PM, "John Smith"  wrote:


Hello,

cloned today, I am having problems building smtpd. After configure:

/data/git/opensmtp # make
make all-recursive
make[1]: Entering directory '/data/git/opensmtp'
Making all in openbsd-compat
make[2]: Entering directory '/data/git/opensmtp/openbsd-compat'
gcc -DHAVE_CONFIG_H -I. -I.. -I../smtpd -I../openbsd-compat 
-I../openbsd-compat/err_h
-I/usr/include -march=skylake -fomit-frame-pointer -O2 -pipe -fPIC -DPIC -Wall 
-Wpointer-arith
-Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess 
-Wno-pointer-sign
-Wno-unused-result -fno-strict-aliasing -fno-builtin-memset -fPIE -D_BSD_SOURCE 
-D_DEFAULT_SOURCE
-c -o arc4random.o arc4random.c
arc4random.c:167:21: error: macro "arc4random_stir" passed 1 arguments, but 
takes just 0
arc4random_stir(void)
^
arc4random.c:168:1: error: expected '=', ',', ';', 'asm' or '__attribute__' 
before '{' token
{
^
make[2]: *** [Makefile:445: arc4random.o] Error 1
make[2]: Leaving directory '/data/git/opensmtp/openbsd-compat'
make[1]: *** [Makefile:418: all-recursive] Error 1
make[1]: Leaving directory '/data/git/opensmtp'
make: *** [Makefile:350: all] Error 2

Any idea what I might be missing? As I have a rather minimal system, some 
package may be lacking.
Any further details that are needed?

Thanks

Ede





Re: upcoming 6.6.0 release

2019-10-18 Thread Reio Remma

On 18/10/2019 10:40, Reio Remma wrote:

On 17/10/2019 14:20, gil...@poolp.org wrote:

Hello misc@,

As some have noticed, the 6.6.0 tag was created on Github to match 
the code from smtpd in OpenBSD 6.6.


A portable branch, branch-6.6.0p1, has been forked from there and can 
be used to test the matching portable version:


 https://github.com/OpenSMTPD/OpenSMTPD/tree/branch-6.6.0p1


I have not tagged 6.6.0p1 yet because there's still some time and I 
want to gain confidence that it works for most systems and 
distributions we have supported so far.


Note that:

- this release will depend on either LibreSSL 3.0.x or OpenSSL 1.1.x
- musl-based distros may have issues at this point, they are being 
tracked down, musl is not a showstopper for me as we have had issues 
in previous releases too but if we can track down the problem I'd be 
happy (unsuccessful so far)


I _really_ need help on testing this as I had unexpected hand surgery 
and doing the tests myself is extremely long.


Please report as a follow up to this mail what you did test,

Thanks,
Gilles



Once I chewed through it, SRS works nicely. Running on CentOS 7. I've 
been running 6.6 current for a while now without problems. 


And this is with OpenSSL 1.1.1d statically compiled into OpenSMTPD 
communicating nicely with TLSv1.3.


With GMail servers, that is. :)

Reio



Re: upcoming 6.6.0 release

2019-10-18 Thread Reio Remma

On 17/10/2019 14:20, gil...@poolp.org wrote:

Hello misc@,

As some have noticed, the 6.6.0 tag was created on Github to match the code 
from smtpd in OpenBSD 6.6.

A portable branch, branch-6.6.0p1, has been forked from there and can be used 
to test the matching portable version:

 https://github.com/OpenSMTPD/OpenSMTPD/tree/branch-6.6.0p1


I have not tagged 6.6.0p1 yet because there's still some time and I want to 
gain confidence that it works for most systems and distributions we have 
supported so far.

Note that:

- this release will depend on either LibreSSL 3.0.x or OpenSSL 1.1.x
- musl-based distros may have issues at this point, they are being tracked 
down, musl is not a showstopper for me as we have had issues in previous 
releases too but if we can track down the problem I'd be happy (unsuccessful so 
far)

I _really_ need help on testing this as I had unexpected hand surgery and doing 
the tests myself is extremely long.

Please report as a follow up to this mail what you did test,

Thanks,
Gilles



Once I chewed through it, SRS works nicely. Running on CentOS 7. I've 
been running 6.6 current for a while now without problems.


Reio



Re: upcoming 6.6.0 release

2019-10-17 Thread Reio Remma

On 17/10/2019 15:06, Gilles Chehade wrote:

On Thu, Oct 17, 2019 at 02:54:26PM +0300, Reio Remma wrote:

On 17/10/2019 14:20, gil...@poolp.org wrote:

Hello misc@,

As some have noticed, the 6.6.0 tag was created on Github to match the code 
from smtpd in OpenBSD 6.6.

A portable branch, branch-6.6.0p1, has been forked from there and can be used 
to test the matching portable version:

  https://github.com/OpenSMTPD/OpenSMTPD/tree/branch-6.6.0p1


I have not tagged 6.6.0p1 yet because there's still some time and I want to 
gain confidence that it works for most systems and distributions we have 
supported so far.

Note that:

- this release will depend on either LibreSSL 3.0.x or OpenSSL 1.1.x
- musl-based distros may have issues at this point, they are being tracked 
down, musl is not a showstopper for me as we have had issues in previous 
releases too but if we can track down the problem I'd be happy (unsuccessful so 
far)

I _really_ need help on testing this as I had unexpected hand surgery and doing 
the tests myself is extremely long.

Please report as a follow up to this mail what you did test,



Hello! Do you have any pointers as to what an SRS key should look like?


just make it something hard to guess :-)



So it's just a few random letters? Reading "key" I always think of some 
kind of a hash. :)


Reio




Re: upcoming 6.6.0 release

2019-10-17 Thread Reio Remma

On 17/10/2019 14:20, gil...@poolp.org wrote:

Hello misc@,

As some have noticed, the 6.6.0 tag was created on Github to match the code 
from smtpd in OpenBSD 6.6.

A portable branch, branch-6.6.0p1, has been forked from there and can be used 
to test the matching portable version:

 https://github.com/OpenSMTPD/OpenSMTPD/tree/branch-6.6.0p1


I have not tagged 6.6.0p1 yet because there's still some time and I want to 
gain confidence that it works for most systems and distributions we have 
supported so far.

Note that:

- this release will depend on either LibreSSL 3.0.x or OpenSSL 1.1.x
- musl-based distros may have issues at this point, they are being tracked 
down, musl is not a showstopper for me as we have had issues in previous 
releases too but if we can track down the problem I'd be happy (unsuccessful so 
far)

I _really_ need help on testing this as I had unexpected hand surgery and doing 
the tests myself is extremely long.

Please report as a follow up to this mail what you did test,




Hello! Do you have any pointers as to what an SRS key should look like?

Thanks,
Reio



Re: filter-rspamd DKIM checks failing intermittently.

2019-10-16 Thread Reio Remma

So it wasn't line breaks after all.

It turned out that OpenSMTPD passes raw SMTP data lines to filters and 
raw SMTP lines have leading dot characters escaped by another dot, so 
.text became ..text. Feeding it to Rspamd like that made DKIM alignment 
tests fail, because body hash came out wrong.


A pull request has been submitted with a fix.

This now seems to be a problem with Rspamd:

arc=reject (signature check failed: fail, {[1] = sig:google.com:reject});

Good luck,
Reio

On 13.10.2019 17:43, Reio Remma wrote:

Things seem to have gotten worse on Google Groups front though:

ARC-Authentication-Results: i=3;
orc.mrstuudio.ee;
dkim=pass header.d=googlegroups.com header.s=20161025 header.b=HBqGik0B;
dkim=pass header.d=gmail.com header.s=20161025 header.b=PGhHBIgC;
arc=reject (signature check failed: fail, {[1] = 
sig:google.com:reject});
dmarc=pass (policy=none) header.from=gmail.com;
spf=pass (orc.mrstuudio.ee: domain of hel...@googlegroups.com
designates 209.85.215.186 as permitted sender)
smtp.mailfrom=hel...@googlegroups.com
Authentication-Results: orc.mrstuudio.ee;
dkim=pass header.d=googlegroups.com header.s=20161025 header.b=HBqGik0B;
dkim=pass header.d=gmail.com header.s=20161025 header.b=PGhHBIgC;
dmarc=pass (policy=none) header.from=gmail.com;
spf=pass (orc.mrstuudio.ee: domain of hel...@googlegroups.com
designates 209.85.215.186 as permitted sender)
smtp.mailfrom=hel...@googlegroups.com

---

ARC-Authentication-Results: i=3;
orc.mrstuudio.ee;
dkim=fail (body hash did not verify) header.d=googlegroups.com 
header.s=20161025 header.b=Q/j34gd1;
dkim=fail (body hash did not verify) header.d=gmail.com 
header.s=20161025 header.b=pPw7LbVC;
spf=pass (orc.mrstuudio.ee: domain of hel...@googlegroups.com
designates 209.85.222.184 as permitted sender)
smtp.mailfrom=hel...@googlegroups.com;
arc=reject (signature check failed: fail, {[1] = sig:google.com:reject})
Authentication-Results: orc.mrstuudio.ee;
dkim=fail (body hash did not verify) header.d=googlegroups.com 
header.s=20161025 header.b=Q/j34gd1;
dkim=fail (body hash did not verify) header.d=gmail.com 
header.s=20161025 header.b=pPw7LbVC;
dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com 
(policy=none);
spf=pass (orc.mrstuudio.ee: domain of hel...@googlegroups.com
designates 209.85.222.184 as permitted sender)
smtp.mailfrom=hel...@googlegroups.com

On 13.10.2019 16:37, Reio Remma wrote:

So far there's a marked improvement!
Waiting for a FB notification now - asked the wife to message me. :P

Authentication-Results: host.domain.com;
dkim=fail (body hash did not verify) header.d=gmail.com 
header.s=20161025 header.b=SLB9Imr3;
dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com 
(policy=none);
spf=pass (host.domain.com: domain of m...@opensmtpd.org designates
45.76.46.201 as permitted sender) smtp.mailfrom=misc@opensmtpd.org
Authentication-Results: host.domain.com;
dkim=pass header.d=gmail.com header.s=20161025 header.b=ot9QqpYS;
dmarc=pass (policy=none) header.from=gmail.com;
spf=pass (host.domain.com: domain of m...@opensmtpd.org designates
45.76.46.201 as permitted sender) smtp.mailfrom=misc@opensmtpd.org
---

Authentication-Results: host.domain.com;
dkim=fail (body hash did not verify) header.d=gmail.com 
header.s=20161025 header.b=SLB9Imr3;
dmarc=pass (policy=none) header.from=gmail.com;
spf=pass (host.domain.com: domain of gil...@gmail.com designates
209.85.128.45 as permitted sender) smtp.mailfrom=gil...@gmail.com
Authentication-Results: host.domain.com;
dkim=pass header.d=gmail.com header.s=20161025 header.b=ot9QqpYS;
dmarc=pass (policy=none) header.from=gmail.com;
spf=pass (host.domain.com: domain of gil...@gmail.com designates
209.85.128.42 as permitted sender) smtp.mailfrom=gil...@gmail.com

On 13.10.2019 16:27, Reio Remma wrote:

Just restarted my daemon with the modified filter. :)

Will have to get someone message me at FB now.

On 13.10.2019 16:22, Gilles Chehade wrote:

Very likely yes, can you give it a try ?

On Sun, Oct 13, 2019, 15:15 Reio Remma <r...@mrstuudio.ee> wrote:


On 13.10.2019 16:09, Reio Remma wrote:

On 13.10.2019 16:05, Gilles Chehade wrote:

I don't think that is the issue, it is probably the
filter-rspamd reconstruction of the message that is incorrect.


I was thinking along the same lines, but I'm not sure how
OpenSMTPD splits strings before passing them to the filter.
Can the filter then extract "leftover" line endings for
incoming strings and make decision based on that when joining
the strings before Rspamd?

Do you experience the same yourself?


strings.NewReader(strings.Join(s.tx.message, "\n"))
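
The leading-dot escaping described at the top of this message, as an added Go example that is not part of the original thread and is not filter-rspamd's code: it rebuilds a message from raw SMTP data lines with and without undoing the escape and compares the DKIM body hash (SHA-256, "simple" body canonicalization) with the signer's. The sample message, the `wire` lines and all function names are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// signed is a constructed message exactly as the sender hashed it for DKIM.
const signed = "From: sender@example.org\r\n" +
	"Subject: dot test\r\n" +
	"\r\n" +
	"first line\r\n" +
	".text at the start of a line\r\n" +
	"..two leading dots\r\n" +
	"last line\r\n"

// wire is the same message as raw SMTP DATA lines (constructed sample):
// every line that starts with "." carries one extra leading "." and the
// lone "." marks end of data (RFC 5321 section 4.5.2).
var wire = []string{
	"From: sender@example.org",
	"Subject: dot test",
	"",
	"first line",
	"..text at the start of a line",
	"...two leading dots",
	"last line",
	".",
}

// unstuff removes the single "." that SMTP transparency prepends to any
// data line beginning with ".".
func unstuff(line string) string {
	if strings.HasPrefix(line, ".") {
		return line[1:]
	}
	return line
}

// rebuild joins data lines into one message with CRLF line endings and
// stops at the end-of-data marker. With undot=false the escaped dots are
// left in place, which is the failure mode described in the thread.
func rebuild(lines []string, undot bool) string {
	var b strings.Builder
	for _, l := range lines {
		if l == "." { // end of data; a literal "." line arrives as ".."
			break
		}
		if undot {
			l = unstuff(l)
		}
		b.WriteString(l)
		b.WriteString("\r\n")
	}
	return b.String()
}

// bodyHash returns the base64 SHA-256 of the body after "simple" body
// canonicalization (RFC 6376 section 3.4.3): trailing empty lines are
// ignored and the body ends in exactly one CRLF.
func bodyHash(msg string) string {
	body := ""
	if i := strings.Index(msg, "\r\n\r\n"); i >= 0 {
		body = msg[i+4:]
	}
	for strings.HasSuffix(body, "\r\n") {
		body = strings.TrimSuffix(body, "\r\n")
	}
	sum := sha256.Sum256([]byte(body + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

func main() {
	want := bodyHash(signed)
	fmt.Println("signer bh =", want)
	for _, undot := range []bool{false, true} {
		got := bodyHash(rebuild(wire, undot))
		fmt.Printf("undot=%-5v bh=%s match=%v\n", undot, got, got == want)
	}
}
```

Only the run with `undot=true` reproduces the signer's hash; a single escaped dot left in the body is enough to produce `dkim=fail (body hash did not verify)`.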


Re: Problem using senders table in listen directive

2019-10-14 Thread Reio Remma

I just tested with MySQL and the result is the same.

smtpd -dv -T lookup yielded:

de334c3363d95880 smtp authentication user=u...@host.com result=ok
debug: smtp: SIZE in MAIL FROM command
debug: lka: mailaddrmap senderalias:u...@host.com
lookup: lookup "u...@host.com" as MAILADDRMAP in table proc:senderalias 
-> error: No such file or directory

warn: failure during mailaddrmap lookup senderalias:u...@host.com

Preceded by:

senderalias[36753]: debug: (re)connecting
senderalias[36753]: debug: connected

So the table is loaded but it tries to look up from a file maybe?

Good luck,
Reio

On 14/10/2019 13:32, y38...@protonmail.com wrote:

Hello Giovanni,

I just gave it a try. The order of the operands of the LIKE operator doesn't 
make any difference. I just tested it manually against my sqlite database. The 
returned results are identical.

Greetings,
   Michael

‐‐‐ Original Message ‐‐‐
On Monday, October 14, 2019 9:15 AM, Giovanni Bechis wrote:


On 10/12/19 4:46 PM, y38...@protonmail.com wrote:


SELECT (username||'@'||domain) FROM users WHERE ? LIKE mailbox

I think it should read
SELECT (username||'@'||domain) FROM users WHERE mailbox LIKE ?
typo or error ?

Giovanni





Re: filter-rspamd DKIM checks failing intermittently.

2019-10-13 Thread Reio Remma

Things seem to have gotten worse on Google Groups front though:

ARC-Authentication-Results: i=3;
orc.mrstuudio.ee;
dkim=pass header.d=googlegroups.com header.s=20161025 header.b=HBqGik0B;
dkim=pass header.d=gmail.com header.s=20161025 header.b=PGhHBIgC;
arc=reject (signature check failed: fail, {[1] = 
sig:google.com:reject});
dmarc=pass (policy=none) header.from=gmail.com;
spf=pass (orc.mrstuudio.ee: domain of hel...@googlegroups.com 
designates 209.85.215.186 as permitted sender) 
smtp.mailfrom=hel...@googlegroups.com
Authentication-Results: orc.mrstuudio.ee;
dkim=pass header.d=googlegroups.com header.s=20161025 header.b=HBqGik0B;
dkim=pass header.d=gmail.com header.s=20161025 header.b=PGhHBIgC;
dmarc=pass (policy=none) header.from=gmail.com;
spf=pass (orc.mrstuudio.ee: domain of hel...@googlegroups.com 
designates 209.85.215.186 as permitted sender) 
smtp.mailfrom=hel...@googlegroups.com

---

ARC-Authentication-Results: i=3;
orc.mrstuudio.ee;
dkim=fail (body hash did not verify) header.d=googlegroups.com 
header.s=20161025 header.b=Q/j34gd1;
dkim=fail (body hash did not verify) header.d=gmail.com 
header.s=20161025 header.b=pPw7LbVC;
spf=pass (orc.mrstuudio.ee: domain of hel...@googlegroups.com 
designates 209.85.222.184 as permitted sender) 
smtp.mailfrom=hel...@googlegroups.com;
arc=reject (signature check failed: fail, {[1] = sig:google.com:reject})
Authentication-Results: orc.mrstuudio.ee;
dkim=fail (body hash did not verify) header.d=googlegroups.com 
header.s=20161025 header.b=Q/j34gd1;
dkim=fail (body hash did not verify) header.d=gmail.com 
header.s=20161025 header.b=pPw7LbVC;
dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com 
(policy=none);
spf=pass (orc.mrstuudio.ee: domain of hel...@googlegroups.com 
designates 209.85.222.184 as permitted sender) 
smtp.mailfrom=hel...@googlegroups.com

On 13.10.2019 16:37, Reio Remma wrote:

So far there's a marked improvement!
Waiting for a FB notification now - asked the wife to message me. :P

Authentication-Results: host.domain.com;
dkim=fail (body hash did not verify) header.d=gmail.com 
header.s=20161025 header.b=SLB9Imr3;
dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com 
(policy=none);
spf=pass (host.domain.com: domain of m...@opensmtpd.org designates
45.76.46.201 as permitted sender) smtp.mailfrom=misc@opensmtpd.org
Authentication-Results: host.domain.com;
dkim=pass header.d=gmail.com header.s=20161025 header.b=ot9QqpYS;
dmarc=pass (policy=none) header.from=gmail.com;
spf=pass (host.domain.com: domain of m...@opensmtpd.org designates
45.76.46.201 as permitted sender) smtp.mailfrom=misc@opensmtpd.org
---

Authentication-Results: host.domain.com;
dkim=fail (body hash did not verify) header.d=gmail.com 
header.s=20161025 header.b=SLB9Imr3;
dmarc=pass (policy=none) header.from=gmail.com;
spf=pass (host.domain.com: domain of gil...@gmail.com designates
209.85.128.45 as permitted sender) smtp.mailfrom=gil...@gmail.com
Authentication-Results: host.domain.com;
dkim=pass header.d=gmail.com header.s=20161025 header.b=ot9QqpYS;
dmarc=pass (policy=none) header.from=gmail.com;
spf=pass (host.domain.com: domain of gil...@gmail.com designates
209.85.128.42 as permitted sender) smtp.mailfrom=gil...@gmail.com

On 13.10.2019 16:27, Reio Remma wrote:

Just restarted my daemon with the modified filter. :)

Will have to get someone message me at FB now.

On 13.10.2019 16:22, Gilles Chehade wrote:

Very likely yes, can you give it a try ?

On Sun, Oct 13, 2019, 15:15 Reio Remma <r...@mrstuudio.ee> wrote:


    On 13.10.2019 16:09, Reio Remma wrote:

On 13.10.2019 16:05, Gilles Chehade wrote:

I don't think that is the issue, it is probably the
filter-rspamd reconstruction of the message that is incorrect.


I was thinking along the same lines, but I'm not sure how
OpenSMTPD splits strings before passing them to the filter. Can
the filter then extract "leftover" line endings for incoming
strings and make decision based on that when joining the
strings before Rspamd?

Do you experience the same yourself?


strings.NewReader(strings.Join(s.tx.message, "\n"))

Wonder if we should use \r\n here?




Reio




On Sun, Oct 13, 2019, 15:00 Martijn van Duren
<opensm...@list.imperialat.at> wrote:

On 10/13/19 1:59 PM, Reio Remma wrote:
> Hello!
>
> I finally moved to Rspamd (2.0) on my production server and I'm seeing
> lots of failed DKIM checks, specifically dkim=fail (body hash did not
> verify).
>
>
> Authentication-Results: h

Re: filter-rspamd DKIM checks failing intermittently.

2019-10-13 Thread Reio Remma

So far there's a marked improvement!
Waiting for a FB notification now - asked the wife to message me. :P

Authentication-Results: host.domain.com;
dkim=fail (body hash did not verify) header.d=gmail.com 
header.s=20161025 header.b=SLB9Imr3;
dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com 
(policy=none);
spf=pass (host.domain.com: domain of misc@opensmtpd.org designates 
45.76.46.201 as permitted sender) smtp.mailfrom=misc@opensmtpd.org

Authentication-Results: host.domain.com;
dkim=pass header.d=gmail.com header.s=20161025 header.b=ot9QqpYS;
dmarc=pass (policy=none) header.from=gmail.com;
spf=pass (host.domain.com: domain of misc@opensmtpd.org designates 
45.76.46.201 as permitted sender) smtp.mailfrom=misc@opensmtpd.org

---

Authentication-Results: host.domain.com;
dkim=fail (body hash did not verify) header.d=gmail.com 
header.s=20161025 header.b=SLB9Imr3;
dmarc=pass (policy=none) header.from=gmail.com;
spf=pass (host.domain.com: domain of gil...@gmail.com designates 
209.85.128.45 as permitted sender) smtp.mailfrom=gil...@gmail.com

Authentication-Results: host.domain.com;
dkim=pass header.d=gmail.com header.s=20161025 header.b=ot9QqpYS;
dmarc=pass (policy=none) header.from=gmail.com;
spf=pass (host.domain.com: domain of gil...@gmail.com designates 
209.85.128.42 as permitted sender) smtp.mailfrom=gil...@gmail.com


On 13.10.2019 16:27, Reio Remma wrote:

Just restarted my daemon with the modified filter. :)

Will have to get someone message me at FB now.

On 13.10.2019 16:22, Gilles Chehade wrote:

Very likely yes, can you give it a try ?

On Sun, Oct 13, 2019, 15:15 Reio Remma <r...@mrstuudio.ee> wrote:


    On 13.10.2019 16:09, Reio Remma wrote:

On 13.10.2019 16:05, Gilles Chehade wrote:

I don't think that is the issue, it is probably the
filter-rspamd reconstruction of the message that is incorrect.


I was thinking along the same lines, but I'm not sure how
OpenSMTPD splits strings before passing them to the filter. Can
the filter then extract "leftover" line endings for incoming
strings and make decision based on that when joining the strings
before Rspamd?

Do you experience the same yourself?


strings.NewReader(strings.Join(s.tx.message, "\n"))

Wonder if we should use \r\n here?




Reio




On Sun, Oct 13, 2019, 15:00 Martijn van Duren
<opensm...@list.imperialat.at> wrote:

On 10/13/19 1:59 PM, Reio Remma wrote:
> Hello!
>
> I finally moved to Rspamd (2.0) on my production server and I'm seeing
> lots of failed DKIM checks, specifically dkim=fail (body hash did not
> verify).
>
>
> Authentication-Results: host.domain.com;
>      dkim=fail (body hash did not verify) header.d=facebookmail.com
> header.s=s1024-2013-q3 header.b=pNWbKJUd;
>      dmarc=pass (policy=reject) header.from=facebookmail.com;
>      spf=pass (host.domain.com: domain of notificat...@facebookmail.com
> designates 66.220.144.215 as permitted sender)
> smtp.mailfrom=notificat...@facebookmail.com
>
> My current stab-in-the-dark theory is that there might be something
> going on with line endings when mails are fed to Rspamd.
>
> Any better theories? :)

It's a known issue that mails that don't end on \r\n (both \r\r\n and
\n) cause issues. There's efforts going on to see how we can remedy
this, but in the mean time tell your senders that they should fix their
mails (RFC5321):
   In addition, the appearance of "bare" "CR" or "LF" characters in text
   (i.e., either without the other) has a long history of causing
   problems in mail implementations and applications that use the mail
   system as a tool.  SMTP client implementations MUST NOT transmit
   these characters except when they are intended as line terminators
   and then MUST, as indicated above, transmit them only as a 
   sequence.
>
> Thanks,
> Reio
>
>











Re: filter-rspamd DKIM checks failing intermittently.

2019-10-13 Thread Reio Remma

Just restarted my daemon with the modified filter. :)

Will have to get someone message me at FB now.

On 13.10.2019 16:22, Gilles Chehade wrote:

Very likely yes, can you give it a try ?

On Sun, Oct 13, 2019, 15:15 Reio Remma <r...@mrstuudio.ee> wrote:


On 13.10.2019 16:09, Reio Remma wrote:

On 13.10.2019 16:05, Gilles Chehade wrote:

I don't think that is the issue, it is probably the
filter-rspamd reconstruction of the message that is incorrect.


I was thinking along the same lines, but I'm not sure how
OpenSMTPD splits strings before passing them to the filter. Can
the filter then extract "leftover" line endings for incoming
strings and make decision based on that when joining the strings
before Rspamd?

Do you experience the same yourself?


strings.NewReader(strings.Join(s.tx.message, "\n"))

Wonder if we should use \r\n here?




Reio




On Sun, Oct 13, 2019, 15:00 Martijn van Duren
<opensm...@list.imperialat.at> wrote:

On 10/13/19 1:59 PM, Reio Remma wrote:
> Hello!
>
> I finally moved to Rspamd (2.0) on my production server and I'm seeing
> lots of failed DKIM checks, specifically dkim=fail (body hash did not
> verify).
>
>
> Authentication-Results: host.domain.com;
>      dkim=fail (body hash did not verify) header.d=facebookmail.com
> header.s=s1024-2013-q3 header.b=pNWbKJUd;
>      dmarc=pass (policy=reject) header.from=facebookmail.com;
>      spf=pass (host.domain.com: domain of notificat...@facebookmail.com
> designates 66.220.144.215 as permitted sender)
> smtp.mailfrom=notificat...@facebookmail.com
>
> My current stab-in-the-dark theory is that there might be something
> going on with line endings when mails are fed to Rspamd.
>
> Any better theories? :)

It's a known issue that mails that don't end on \r\n (both \r\r\n and
\n) cause issues. There's efforts going on to see how we can remedy
this, but in the mean time tell your senders that they should fix their
mails (RFC5321):
   In addition, the appearance of "bare" "CR" or "LF" characters in text
   (i.e., either without the other) has a long history of causing
   problems in mail implementations and applications that use the mail
   system as a tool.  SMTP client implementations MUST NOT transmit
   these characters except when they are intended as line terminators
   and then MUST, as indicated above, transmit them only as a 
   sequence.
>
> Thanks,
> Reio
>
>









Re: filter-rspamd DKIM checks failing intermittently.

2019-10-13 Thread Reio Remma

On 13.10.2019 16:09, Reio Remma wrote:

On 13.10.2019 16:05, Gilles Chehade wrote:
I don't think that is the issue, it is probably the filter-rspamd 
reconstruction of the message that is incorrect.


I was thinking along the same lines, but I'm not sure how OpenSMTPD 
splits strings before passing them to the filter. Can the filter then 
extract "leftover" line endings for incoming strings and make decision 
based on that when joining the strings before Rspamd?


Do you experience the same yourself?


strings.NewReader(strings.Join(s.tx.message, "\n"))

Wonder if we should use \r\n here?




Reio




On Sun, Oct 13, 2019, 15:00 Martijn van Duren
<opensm...@list.imperialat.at> wrote:

On 10/13/19 1:59 PM, Reio Remma wrote:
> Hello!
>
> I finally moved to Rspamd (2.0) on my production server and I'm seeing
> lots of failed DKIM checks, specifically dkim=fail (body hash did not
> verify).
>
>
> Authentication-Results: host.domain.com;
>      dkim=fail (body hash did not verify) header.d=facebookmail.com
> header.s=s1024-2013-q3 header.b=pNWbKJUd;
>      dmarc=pass (policy=reject) header.from=facebookmail.com;
>      spf=pass (host.domain.com: domain of notificat...@facebookmail.com
> designates 66.220.144.215 as permitted sender)
> smtp.mailfrom=notificat...@facebookmail.com
>
> My current stab-in-the-dark theory is that there might be something
> going on with line endings when mails are fed to Rspamd.
>
> Any better theories? :)

It's a known issue that mails that don't end on \r\n (both \r\r\n and
\n) cause issues. There's efforts going on to see how we can remedy
this, but in the mean time tell your senders that they should fix their
mails (RFC5321):
   In addition, the appearance of "bare" "CR" or "LF" characters in text
   (i.e., either without the other) has a long history of causing
   problems in mail implementations and applications that use the mail
   system as a tool.  SMTP client implementations MUST NOT transmit
   these characters except when they are intended as line terminators
   and then MUST, as indicated above, transmit them only as a 
   sequence.
>
> Thanks,
> Reio
>
>







Re: filter-rspamd DKIM checks failing intermittently.

2019-10-13 Thread Reio Remma

On 13.10.2019 16:05, Gilles Chehade wrote:
I don't think that is the issue, it is probably the filter-rspamd 
reconstruction of the message that is incorrect.


I was thinking along the same lines, but I'm not sure how OpenSMTPD 
splits strings before passing them to the filter. Can the filter then 
extract "leftover" line endings for incoming strings and make decision 
based on that when joining the strings before Rspamd?


Do you experience the same yourself?

Reio




On Sun, Oct 13, 2019, 15:00 Martijn van Duren
<opensm...@list.imperialat.at> wrote:

On 10/13/19 1:59 PM, Reio Remma wrote:
> Hello!
>
> I finally moved to Rspamd (2.0) on my production server and I'm seeing
> lots of failed DKIM checks, specifically dkim=fail (body hash did not
> verify).
>
>
> Authentication-Results: host.domain.com;
>      dkim=fail (body hash did not verify) header.d=facebookmail.com
> header.s=s1024-2013-q3 header.b=pNWbKJUd;
>      dmarc=pass (policy=reject) header.from=facebookmail.com;
>      spf=pass (host.domain.com: domain of notificat...@facebookmail.com
> designates 66.220.144.215 as permitted sender)
> smtp.mailfrom=notificat...@facebookmail.com
>
> My current stab-in-the-dark theory is that there might be something
> going on with line endings when mails are fed to Rspamd.
>
> Any better theories? :)

It's a known issue that mails that don't end on \r\n (both \r\r\n and
\n) cause issues. There's efforts going on to see how we can remedy
this, but in the mean time tell your senders that they should fix their
mails (RFC5321):
   In addition, the appearance of "bare" "CR" or "LF" characters in text
   (i.e., either without the other) has a long history of causing
   problems in mail implementations and applications that use the mail
   system as a tool.  SMTP client implementations MUST NOT transmit
   these characters except when they are intended as line terminators
   and then MUST, as indicated above, transmit them only as a 
   sequence.
>
> Thanks,
> Reio
>
>





Re: filter-rspamd DKIM checks failing intermittently.

2019-10-13 Thread Reio Remma

On 13.10.2019 15:59, Martijn van Duren wrote:

On 10/13/19 1:59 PM, Reio Remma wrote:

Hello!

I finally moved to Rspamd (2.0) on my production server and I'm seeing
lots of failed DKIM checks, specifically dkim=fail (body hash did not
verify).


Authentication-Results: host.domain.com;
      dkim=fail (body hash did not verify) header.d=facebookmail.com
header.s=s1024-2013-q3 header.b=pNWbKJUd;
      dmarc=pass (policy=reject) header.from=facebookmail.com;
      spf=pass (host.domain.com: domain of notificat...@facebookmail.com
designates 66.220.144.215 as permitted sender)
smtp.mailfrom=notificat...@facebookmail.com

My current stab-in-the-dark theory is that there might be something
going on with line endings when mails are fed to Rspamd.

Any better theories? :)

It's a known issue that mails that don't end on \r\n (both \r\r\n and
\n) cause issues. There's efforts going on to see how we can remedy
this, but in the mean time tell your senders that they should fix their
mails (RFC5321):
In addition, the appearance of "bare" "CR" or "LF" characters in text
(i.e., either without the other) has a long history of causing
problems in mail implementations and applications that use the mail
system as a tool.  SMTP client implementations MUST NOT transmit
these characters except when they are intended as line terminators
and then MUST, as indicated above, transmit them only as a <CRLF>
sequence.


I'm not sure Facebook will listen to me! :)

Reio
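
An added illustration (not code from this thread, filter-rspamd or Rspamd) of why the line-ending theory produces exactly "body hash did not verify": it computes the DKIM bh= value under the RFC 6376 "simple" and "relaxed" body canonicalizations before and after a line-by-line rebuild. The rebuild function is a simplified model assumed here (split on LF, drop trailing CRs, rejoin with CRLF), and the message bodies are constructed samples.

```python
import base64
import hashlib
import re


def canon_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: ignore empty lines at the end, end with one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"


def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: collapse runs of SP/HTAB, strip them at line end and
    ignore empty lines at the end. A bare CR is not whitespace, so it stays."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes, canon) -> str:
    """The value a verifier compares with the bh= tag (SHA-256, base64)."""
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()


def rebuild_line_by_line(body: bytes) -> bytes:
    """Assumed model of a line-based hand-off: the body arrives one line at
    a time without its terminator and is rejoined with CRLF. Any extra CR
    or bare LF that the sender signed is lost in the process."""
    lines = body.split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln.rstrip(b"\r") + b"\r\n" for ln in lines)


# Constructed sample bodies (not taken from real mail).
CLEAN_BODY = b"Hello,\r\nall lines end with CRLF\r\nBye\r\n"
CRCRLF_BODY = b"Hello,\r\nthis line ends with CR CR LF\r\r\nBye\r\n"
BARE_LF_BODY = b"Hello,\nthis body uses bare LF\nBye\n"


def survives_rebuild(body: bytes) -> dict:
    """Per canonicalization: does the body hash still match after rebuild?"""
    rebuilt = rebuild_line_by_line(body)
    return {
        name: body_hash(body, canon) == body_hash(rebuilt, canon)
        for name, canon in (("simple", canon_simple),
                            ("relaxed", canon_relaxed))
    }


if __name__ == "__main__":
    for label, body in (("CRLF only", CLEAN_BODY),
                        ("CR CR LF", CRCRLF_BODY),
                        ("bare LF", BARE_LF_BODY)):
        print(label, survives_rebuild(body))
```

Relaxed canonicalization does not help here: it only normalizes spaces and tabs, so a dropped CR or a bare LF turned into CRLF changes the hash under both modes.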



filter-rspamd DKIM checks failing intermittently.

2019-10-13 Thread Reio Remma

Hello!

I finally moved to Rspamd (2.0) on my production server and I'm seeing 
lots of failed DKIM checks, specifically dkim=fail (body hash did not 
verify).



Authentication-Results: host.domain.com;
    dkim=fail (body hash did not verify) header.d=facebookmail.com 
header.s=s1024-2013-q3 header.b=pNWbKJUd;

    dmarc=pass (policy=reject) header.from=facebookmail.com;
    spf=pass (host.domain.com: domain of notificat...@facebookmail.com 
designates 66.220.144.215 as permitted sender) 
smtp.mailfrom=notificat...@facebookmail.com


My current stab-in-the-dark theory is that there might be something 
going on with line endings when mails are fed to Rspamd.


Any better theories? :)

Thanks,
Reio




Re: Repeated 421 try again later erros

2019-10-09 Thread Reio Remma

On 09.10.2019 23:13, Matt Schwartz wrote:

Hello List,

I am getting a lot of repeated 421 try again later errors from various 
lists that I am a member of. There is one in particular that is coming 
from outbound.foodtecsolutions.com. Here is an excerpt from my 
/var/log/maillog. I am running OpenBSD 6.6-current #344.


Oct  9 16:07:53 meow smtpd[19379]: a52386b4311e607e smtp connected address=52.201.148.113 host=outbound.foodtecsolutions.com
Oct  9 16:07:53 meow smtpd[19379]: a52386b4311e607e smtp failed-command command="DATA" result="421 try again later"
Oct  9 16:07:53 meow smtpd[19379]: a52386b4311e607e smtp disconnected reason=quit


Below is my smtpd.conf file:
pki "mail" cert "/etc/ssl/mail.crt"
pki "mail" key "/etc/ssl/private/mail.key"

table aliases file:/etc/mail/aliases
table credentials passwd:/etc/mail/credentials
table extras file:/etc/mail/extras
table relays file:/etc/mail/relays
table rejects file:/etc/mail/rejects
table virtuals file:/etc/mail/virtuals

filter check_rejects phase connect match rdns regex  \
        disconnect "554 Forbidden"
filter check_rdns phase connect match !rdns \
        disconnect "554 No Reverse DNS Configured"
filter rspamd proc-exec "filter-rspamd"

listen on lo filter rspamd
listen on egress tls pki "mail" hostname "mail.goblackcat.com" \
        filter {check_rejects, check_rdns, rspamd}
listen on egress port submission tls-require pki "mail" hostname "mail.goblackcat.com" \
        auth  filter {check_rejects, check_rdns, rspamd}

action "local_mail" mbox alias 
action "virtual_mail" maildir "/var/vmail/%{dest.domain}/%{dest.user}" junk \
        virtual 
action "outbound" relay

match for local action "local_mail"
match !from src  mail-from "@goblackcat.com" reject
match from any for domain "goblackcat.com" action "virtual_mail"

match auth from any for any action "outbound"
match for any action "outbound"

I am out of ideas with which to troubleshoot. I am already running 
smtpd with -v switch for more verbosity.


Thanks,
Matt


Greylisting at work?

Good luck,
Reio


OpenSMTPD sendmail and Message-Id.

2019-10-09 Thread Reio Remma

Hello!

I'm curious as to what the norm is with Message-Id when sending mail 
from command line or scripts.


I notice mails sent by cron (CentOS 7) are all without Message-Id when 
they're passed to OpenSMTPD.


As I see cron should use sendmail.opensmtpd to send mail.

Is it a problem with cron not supplying a Message-Id header?

Thanks,
Reio



Re: unable to send mail from desktop mail client to remote email addresses

2019-10-03 Thread Reio Remma

On 03.10.2019 18:34, Kevin wrote:
If I can send the domain email, if I can retrieve email via Dovecot, 
if I can send mail to myself from the server's CLI (and even retrieve 
it remotely via my mail client), it seems like there's some knob 
missing that says, "All auth'd users to relay," yet, I've 
copied-and-pasted Gilles' rules (and edited them for my own domain) , 
and it am no workie.


Is there perhaps something else akin to the forwarding knob that lets 
PF forward packets between interfaces that either I've forgotten or 
was skipped in the HOWTO?


Thanks,
Kevin


What connection do you have? If it's a home connection, then most ISP-s 
block sending mail directly to port 25 (on the destination server). You 
want a static IP for a mail server, with rDNS etc. set up.


Good luck,
Reio


Re: need help

2019-09-30 Thread Reio Remma

On 30/09/2019 16:55, gil...@poolp.org wrote:

Hello,

I'd like to bring native support for SPF in OpenSMTPD in a future release,
but for this I need a bit of help to make sure my SPF resolver works fine.

I have created a repository with a standalone executable that performs the
SPF lookup and checks if an IP address is allowed to send on behalf of the
sending domain:

https://github.com/poolpOrg/spf

https://github.com/poolpOrg/spf/blob/master/README.md


If you could test and report issues, it would be nice,



Is it OpenBSD only atm?

On CentOS 7:

$ make
Makefile:26: *** missing separator.  Stop.

Reio




FCrDNS.

2019-09-28 Thread Reio Remma

Hello!

I just had to share this. :)

I made a makeshift reporter to see how many incoming SMTP connections 
would fail on our server:


fcrdns-reporter: fcrdns-failure address=89.248.160.66 
host=no-reverse-dns-configured.com result="Hostname resolved to a 
different IP"


Someone out there has a good sense of humour! :D

Good luck,
Reio



Re: smtpd / mail.lmtp rewrites from address, breaking lmtp

2019-09-16 Thread Reio Remma

On 17.09.2019 1:08, Michal Krzysztofowicz wrote:

Thanks for looking after this. Unfortunately, no dice:
Sep 16 21:57:13 atlantic smtpd[83146]: 70aec8652b2efbe8 mda delivery evpid=0f662ffc0f395dbe 
from= to= rcpt= 
user=me delay=0s result=PermFail stat=Error ("/bin/sh: no closing quote”)



’ is not in MAILADDR_ALLOWED, ' and `  are though.

I'll test the slash issue tomorrow once I figure out how to apply the 
patch. Nearly 20 years have passed since I last applied one. :D


Good luck,
Reio



Failed logins hammer/filter.

2019-09-16 Thread Reio Remma

Hello!

Until upgrading to OpenSMTPD 6.6 I used fail2ban to ban excessive login 
failures from IPs, but that doesn't work any more with the log format 
changed from:


smtp event=failed-command address=185.13.39.7 host=vps-33288.fhnet.fr 
command="AUTH LOGIN (password)" result="535 Authentication failed"

|
smtp failed-command command="AUTH LOGIN (password)" result="535 
Authentication failed"


Surprisingly SMTP isn't brute forced that much, but as I registered 472 
failed authentications from a single IP yesterday, I'm going to have a 
Go at a filter too. :)


All the best,
Reio
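
An added example (not from this post or from OpenSMTPD) of counting failed logins per address under the 6.6 log format: the failed-command line no longer carries address=, so the address has to be joined in from the session's "smtp connected" line via the 16-hex-digit session id that starts both lines. The log lines below are constructed samples using documentation addresses, and the threshold is an arbitrary value chosen for the demonstration.

```python
import re
from collections import Counter

# "<syslog prefix> smtpd[pid]: <session id> smtp <event> <key=value ...>"
LINE_RE = re.compile(
    r"smtpd\[\d+\]: (?P<sid>[0-9a-f]{16}) smtp (?P<event>[a-z-]+)"
    r"(?: (?P<rest>.*))?$"
)
ADDR_RE = re.compile(r"\baddress=(?P<addr>\S+)")
FAILED_AUTH_RE = re.compile(r'command="AUTH [^"]*" result="535 ')

# Constructed sample log (192.0.2.0/24 and 198.51.100.0/24 are reserved
# documentation ranges).
SAMPLE_LOG = """\
Sep 16 10:00:01 host smtpd[1234]: 1111111111111111 smtp connected address=192.0.2.10 host=client.example.net
Sep 16 10:00:02 host smtpd[1234]: 1111111111111111 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
Sep 16 10:00:02 host smtpd[1234]: 2222222222222222 smtp connected address=198.51.100.7 host=mx.example.org
Sep 16 10:00:03 host smtpd[1234]: 1111111111111111 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
Sep 16 10:00:03 host smtpd[1234]: 2222222222222222 smtp failed-command command="DATA" result="421 try again later"
Sep 16 10:00:04 host smtpd[1234]: 1111111111111111 smtp disconnected reason=quit
Sep 16 10:00:05 host smtpd[1234]: 3333333333333333 smtp connected address=192.0.2.10 host=client.example.net
Sep 16 10:00:06 host smtpd[1234]: 3333333333333333 smtp failed-command command="AUTH PLAIN (...)" result="535 Authentication failed"
Sep 16 10:00:07 host smtpd[1234]: 4444444444444444 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
"""


def failed_auth_by_address(lines):
    """Return (Counter of failed AUTH per address, unattributed failures).

    A failure is unattributed when its session's "connected" line was not
    seen, for example because it fell into a rotated log file.
    """
    sessions = {}          # session id -> remote address
    failures = Counter()
    unattributed = 0
    for line in lines:
        match = LINE_RE.search(line.rstrip("\n"))
        if not match:
            continue
        sid = match.group("sid")
        event = match.group("event")
        rest = match.group("rest") or ""
        if event == "connected":
            addr = ADDR_RE.search(rest)
            if addr:
                sessions[sid] = addr.group("addr")
        elif event == "failed-command" and FAILED_AUTH_RE.search(rest):
            if sid in sessions:
                failures[sessions[sid]] += 1
            else:
                unattributed += 1
        elif event == "disconnected":
            # Forget the mapping so the table does not grow without bound.
            sessions.pop(sid, None)
    return failures, unattributed


def offenders(lines, threshold):
    """Addresses with at least `threshold` failed AUTH attempts."""
    failures, _ = failed_auth_by_address(lines)
    return sorted(addr for addr, count in failures.items()
                  if count >= threshold)


if __name__ == "__main__":
    counts, unknown = failed_auth_by_address(SAMPLE_LOG.splitlines())
    print(dict(counts), "unattributed:", unknown)
    print("over threshold:", offenders(SAMPLE_LOG.splitlines(), 3))
```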



Re: smarthost + aliases

2019-09-14 Thread Reio Remma

On 14.09.2019 3:05, Edgar Pettijohn wrote:

On Sat, Sep 14, 2019 at 12:32:22AM +0200, Thomas Schweikle wrote:

Hi!

Trying to set up opensmtpd as a simple single mta relaying all mail to a
smarthost. But ...

Config:
listen on localhost
table aliases db:/etc/aliases.db
table secrets db:/etc/smtpd.secrets.db
expire 4h


Add:

accept for local alias  deliver to mbox
accept from local for any relay via smtps+auth://gm...@smtp.gmail.com:465 auth



Hello! You may also look into forward-only if you want them to be 
forwarded to external addresses:


accept from local for local alias  forward-only

Good luck,
Reio



Re: Filters and rctp-to rewrite.

2019-09-09 Thread Reio Remma

On 09.09.2019 20:03, Giovanni Bechis wrote:

I'm currently using amavisd-new with the quarantine feature, but I'm itching to 
switch to Rspamd (greylisting here I come!).


amavisd-new 2.12 has rspamd support, have you tried it ?


Curious! I see the project has again switched hands, if you mean this one?

https://gitlab.com/amavis/amavis

I'll have a look at it. Then again with Rspamd and filter-rspamd we 
could cut down a lot of complexity.


Reio



Re: Filters and rctp-to rewrite.

2019-09-09 Thread Reio Remma

On 09.09.2019 18:13, Martijn van Duren wrote:

On 9/9/19 3:37 PM, Reio Remma wrote:

Hello!

Slowly digging into filters.

Now I'm curious if it's possible to modify the recipient after say spam
check in data-line? I get the impression that rewriting rcpt-to at that
stage is impossible, but my goal would be to redirect/quarantine high
scoring spam to a special e-mail address.

Would it be doable somehow?

Thanks!
Reio


It is not.

What you might be able to do is add an additional header and somehow let
an lmtp server make the decision based on the header.

I haven't used lmtp myself, no clue if this actually works, but it's
worth investigating :-)

Please reply to the thread if you managed to make it work.


Thanks Martijn and Gilles for the confirmation!

I'm currently using amavisd-new with the quarantine feature, but I'm 
itching to switch to Rspamd (greylisting here I come!).


I'm using the quarantine to keep an eye on mails with a medium spam 
score so we won't lose the occasional legit mail with a higher than 
normal spam score. Additionally I can train these borderline mails 
correctly as ham/spam.


I now see Rspamd has a metadata exporter feature I could probably use to 
copy spammy mails to the quarantine mail address.


There are also Dovecot's sieve scripts. I'll have to see which work better.

Thanks,
Reio



Filters and rctp-to rewrite.

2019-09-09 Thread Reio Remma

Hello!

Slowly digging into filters.

Now I'm curious if it's possible to modify the recipient after say spam 
check in data-line? I get the impression that rewriting rcpt-to at that 
stage is impossible, but my goal would be to redirect/quarantine high 
scoring spam to a special e-mail address.


Would it be doable somehow?

Thanks!
Reio



Re: Virtual User handling

2019-09-08 Thread Reio Remma
> On 07.09.2019 12:53, Ede Wolf wrote:
> Excellent idea, however, the error stays the same. No change, despite copying 
> the whole opensmtpd folder to /usr/local/libexec
> 
> result=TempFail stat=Error (temporary failure: "mail.lmtp: No such file or 
> directoryconnect")

I purposefully mistyped the Dovecot LMTP socket in my config and got the same 
message.

Sep  7 13:26:28 host smtpd[26873]: 7cde0d1cf207f8f3 mda delivery 
evpid=b96774ed55a5492e from=<> to=<> rcpt=<> user=3 delay=0s result=TempFail 
stat=Error (temporary failure: "mail.lmtp: No such file or directoryconnect")

I suspect your problem is that there is no Cyrus LMTP listening in 
/run/cyrus/socket/lmtp:

action "deliver" lmtp "/run/cyrus/socket/lmtp" rcpt-to user lmtpd

Do you actually use Cyrus IMAP?

Good luck,
Reio




Re: OpenSMTPD-Logwatch script.

2019-09-05 Thread Reio Remma

On 05/09/2019 13:32, Martijn van Duren wrote:

On 9/5/19 11:55 AM, Reio Remma wrote:

On 05/09/2019 11:33, gil...@poolp.org wrote:

Yes, see the smtpd.conf(5) man page:

filter myreporter proc-exec "/tmp/reporting.sh"

listen on [...] filter myreporter

mproc: pony -> lka : 291 IMSG_SMTP_EXPAND_RCPT

SMTPD seems to get stuck here with no errors. This is with the simple:

filter reporter proc-exec "/etc/opensmtpd/reporter.sh"

#!/bin/sh
while read line; do
     echo $line >> /var/log/opensmtpd.log
done

Reio


You need to register what events you want to receive and finish up with
register|ready.

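$ cat test.sh
#!/bin/sh

# Echo every line received from smtpd to stderr. Once smtpd announces
# config|ready, register for the wanted events and finish with
# register|ready.
while IFS= read -r line; do
    echo "$line" >&2
    if [ "${line%%\|*}" = "config" ]; then
        if [ "${line#*\|}" = "ready" ]; then
            echo "register|report|smtp-in|link-connect"
            echo "register|ready"
        fi
        continue
    fi
done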

Possible values for report are (from lka_report.c):
static struct smtp_events {
    const char *event;
} smtp_events[] = {
    { "link-connect" },
    { "link-disconnect" },
    { "link-greeting" },
    { "link-identify" },
    { "link-tls" },
    { "link-auth" },

    { "tx-reset" },
    { "tx-begin" },
    { "tx-mail" },
    { "tx-rcpt" },
    { "tx-envelope" },
    { "tx-data" },
    { "tx-commit" },
    { "tx-rollback" },

    { "protocol-client" },
    { "protocol-server" },

    { "filter-response" },

    { "timeout" },
};

Possible values for filter are:
static struct filter_exec {
    enum filter_phase   phase;
    const char         *phase_name;
    int               (*func)(struct filter_session *, struct filter *, uint64_t, const char *);
} filter_execs[FILTER_PHASES_COUNT] = {
    { FILTER_CONNECT,   "connect",   filter_builtins_connect },
    { FILTER_HELO,      "helo",      filter_builtins_helo },
    { FILTER_EHLO,      "ehlo",      filter_builtins_helo },
    { FILTER_STARTTLS,  "starttls",  filter_builtins_notimpl },
    { FILTER_AUTH,      "auth",      filter_builtins_notimpl },
    { FILTER_MAIL_FROM, "mail-from", filter_builtins_mail_from },
    { FILTER_RCPT_TO,   "rcpt-to",   filter_builtins_rcpt_to },
    { FILTER_DATA,      "data",      filter_builtins_notimpl },
    { FILTER_DATA_LINE, "data-line", filter_builtins_notimpl },
    { FILTER_RSET,      "rset",      filter_builtins_notimpl },
    { FILTER_QUIT,      "quit",      filter_builtins_notimpl },
    { FILTER_NOOP,      "noop",      filter_builtins_notimpl },
    { FILTER_HELP,      "help",      filter_builtins_notimpl },
    { FILTER_WIZ,       "wiz",       filter_builtins_notimpl },
    { FILTER_COMMIT,    "commit",    filter_builtins_notimpl },
};

reports come in in the format:
report||

filters come in in the format:
filter|||

Note that filters require a proceed, rewrite, reject, or disconnect
reply in the form:

filter-result|||proceed
filter-result|||reject|
filter-result|||disconnect|
filter-result|||rewrite|

Note that this is mostly stable, but some changes may occur, so
keep track of the version. Minor versions are backwards compatible,
major versions are not.



Thanks! I'll keep digging. :)

Reio
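
An added example (not code from this thread or from the OpenSMTPD project) of a reporter that completes the handshake described above and then turns link-connect reports into FCrDNS failure lines. The field layout report|version|timestamp|subsystem|event|session|rdns|fcrdns|src|dest is an assumption taken from smtpd-filters(7), since the format lines in the message above have lost their fields; the function names and the output line format are hypothetical.

```python
import sys

# Sent once smtpd announces config|ready; smtpd waits for register|ready.
REGISTER = ["register|report|smtp-in|link-connect", "register|ready"]


def strip_port(src):
    """'192.0.2.10:40000' -> '192.0.2.10'; UNIX socket sources are kept."""
    if src.startswith("unix:"):
        return src
    return src.rsplit(":", 1)[0]


def handle_line(line):
    """Process one line from smtpd.

    Returns (replies, message): lines to write back to smtpd on stdout and
    an optional log message for stderr.
    """
    fields = line.rstrip("\n").split("|")
    if fields[0] == "config":
        # Other config|key|value lines come first; only config|ready
        # triggers the registration.
        if fields[1:] == ["ready"]:
            return list(REGISTER), None
        return [], None
    # Assumed layout (smtpd-filters(7)):
    # report|version|timestamp|subsystem|event|session|rdns|fcrdns|src|dest
    if (fields[0] == "report" and len(fields) >= 10
            and fields[3] == "smtp-in" and fields[4] == "link-connect"):
        session, rdns, fcrdns, src = fields[5:9]
        if fcrdns != "pass":
            host = rdns or "-"
            return [], ("fcrdns-failure session=%s address=%s host=%s result=%s"
                        % (session, strip_port(src), host, fcrdns))
    return [], None


def main():
    for line in sys.stdin:
        replies, message = handle_line(line)
        for reply in replies:
            sys.stdout.write(reply + "\n")
        # Without a flush the registration can sit in the stdout buffer
        # while smtpd keeps waiting for register|ready.
        sys.stdout.flush()
        if message:
            sys.stderr.write(message + "\n")
            sys.stderr.flush()


if __name__ == "__main__":
    main()
```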



Re: OpenSMTPD-Logwatch script.

2019-09-05 Thread Reio Remma

On 05/09/2019 11:33, gil...@poolp.org wrote:

Yes, see the smtpd.conf(5) man page:

filter myreporter proc-exec "/tmp/reporting.sh"

listen on [...] filter myreporter


smtp: 0x271c2c0: <<< EHLO localhost
mproc: pony -> lka : 49 IMSG_REPORT_SMTP_PROTOCOL_CLIENT
mproc: pony -> lka : 50 IMSG_??? (129)
smtp: 0x271c2c0: STATE_CONNECTED -> STATE_HELO
smtp: 0x271c2c0: >>> 250-host.domain.com Hello localhost [local], 
pleased to meet you

mproc: pony -> lka : 102 IMSG_REPORT_SMTP_PROTOCOL_SERVER
smtp: 0x271c2c0: >>> 250-8BITMIME
mproc: pony -> lka : 47 IMSG_REPORT_SMTP_PROTOCOL_SERVER
smtp: 0x271c2c0: >>> 250-ENHANCEDSTATUSCODES
mproc: pony -> lka : 58 IMSG_REPORT_SMTP_PROTOCOL_SERVER
smtp: 0x271c2c0: >>> 250-SIZE 104857600
mproc: pony -> lka : 53 IMSG_REPORT_SMTP_PROTOCOL_SERVER
smtp: 0x271c2c0: >>> 250 HELP
mproc: pony -> lka : 43 IMSG_REPORT_SMTP_PROTOCOL_SERVER
smtp: 0x271c2c0: IO_LOWAT 
smtp: 0x271c2c0: IO_DATAIN 
smtp: 0x271c2c0: <<< MAIL FROM:
mproc: pony -> lka : 72 IMSG_REPORT_SMTP_PROTOCOL_CLIENT
mproc: pony -> queue : 8 IMSG_SMTP_MESSAGE_CREATE
imsg: queue <- pony: IMSG_SMTP_MESSAGE_CREATE (len=8)
queue-backend: queue_message_create() -> 1 (df19e22a)
mproc: queue -> pony : 16 IMSG_SMTP_MESSAGE_CREATE
imsg: pony <- queue: IMSG_SMTP_MESSAGE_CREATE (len=16)
mproc: pony -> lka : 37 IMSG_REPORT_SMTP_TX_BEGIN
smtp: 0x271c2c0: >>> 250 2.0.0 Ok
mproc: pony -> lka : 70 IMSG_??? (134)
mproc: pony -> lka : 47 IMSG_REPORT_SMTP_PROTOCOL_SERVER
smtp: 0x271c2c0: IO_LOWAT 
smtp: 0x271c2c0: IO_DATAIN 
smtp: 0x271c2c0: <<< RCPT TO:
mproc: pony -> lka : 63 IMSG_REPORT_SMTP_PROTOCOL_CLIENT
mproc: pony -> lka : 291 IMSG_SMTP_EXPAND_RCPT

SMTPD seems to get stuck here with no errors. This is with the simple:

filter reporter proc-exec "/etc/opensmtpd/reporter.sh"

#!/bin/sh
while read line; do
    echo $line >> /var/log/opensmtpd.log
done

Reio



Re: OpenSMTPD-Logwatch script.

2019-09-05 Thread Reio Remma

On 05/09/2019 11:33, gil...@poolp.org wrote:

Yes, see the smtpd.conf(5) man page:

filter myreporter proc-exec "/tmp/reporting.sh"

listen on [...] filter myreporter


Ahh, that's what it is now. I looked at the man page looking for 
"report". :)


Thanks!
Reio





September 5, 2019 10:30 AM, "Reio Remma"  wrote:


On 03/09/2019 21:32, gil...@poolp.org wrote:


September 3, 2019 8:29 PM, "Reio Remma"  wrote:


On 27.04.2018 12:26, Reio Remma wrote:

Hello all,

I've whipped together a Logwatch script for OpenSMTPD. If anyone is 
interested in giving it a try, it's now at:

https://github.com/whataboutpereira/OpenSMTPD-Logwatch

Hello! I've now updated the Logwatch script to work with OpenSMTPD 6.6.0 
(current portable).

Good luck,
Reio

Nice

I wonder why you didn't parse the reporting output though, it would have been 
much much simpler :-)

About that:

proc reporting "/tmp/reporting.sh"
report smtp on reporting

The 2nd line gives smtpd -n a syntax error. Has the syntax changed between your 
post and now? :)

Reio





Re: New syntax and virtual aliases to remote addresses.

2019-09-05 Thread Reio Remma

On 05/09/2019 11:32, gil...@poolp.org wrote:

could be interesting to implement a tls builtin filter, so you could:

 filter check-tls phase mail-from match !tls junk

and flag non tls options as spam, without discarding them completely


You know, I was hoping you'd say that! :D

I would so very much like to run with TLS only, but alas I have people 
here that need all these plain text private mails from their banks etc. :P


I've already started to send out mails to point it out to them (bank, 
government institutions, etc). Even our old QMail (RIP) had TLSv1 in it. 
There's just no excuse.


And the most absurd fact. Postfix needs a setting to turn on 
opportunistic TLS on outgoing mail. They default to none.


Oh I'm angry today. In a positive way! :)

Reio


September 5, 2019 8:38 AM, "Reio Remma"  wrote:


On 02/09/2019 18:37, Reio Remma wrote:


On 02/09/2019 18:36, Reio Remma wrote:


Now I ended up switching to tls-require on port 25. I wonder how much spam 
that will take down! :)

Well, that's depressing.

On the spam front - requiring TLS apparently cuts off about 99% of spam 
(SpamAssassin is
practically out of work), but we do get the occasional legit non-TLS connection 
and I'm having to
switch back to optional TLS. :/

So TLS is 20 years old but they're (banks etc) still sending somewhat private 
info in plain text.

'twas fun while it lasted. :)

I'm going to start schooling them one by one.

Reio





Re: New syntax and virtual aliases to remote addresses.

2019-09-05 Thread Reio Remma

On 05/09/2019 09:38, Reio Remma wrote:

On 02/09/2019 18:37, Reio Remma wrote:

On 02/09/2019 18:36, Reio Remma wrote:

Now I ended up switching to tls-require on port 25. I wonder how much 
spam that will take down! :)


On the spam front - requiring TLS apparently cuts off about 99% of 
spam (SpamAssassin is practically out of work), but we do get the 
occasional legit non-TLS connection and I'm having to switch back to 
optional TLS. :/ 


Now I'm thinking I should look into getting SpamAssassin score mails by 
lacking TLS.


Reio



Re: OpenSMTPD-Logwatch script.

2019-09-05 Thread Reio Remma

On 03/09/2019 21:32, gil...@poolp.org wrote:

September 3, 2019 8:29 PM, "Reio Remma"  wrote:


On 27.04.2018 12:26, Reio Remma wrote:


Hello all,

I've whipped together a Logwatch script for OpenSMTPD. If anyone is 
interested in giving it a try, it's now at:

https://github.com/whataboutpereira/OpenSMTPD-Logwatch

Hello! I've now updated the Logwatch script to work with OpenSMTPD 6.6.0 
(current portable).

Good luck,
Reio

Nice

I wonder why you didn't parse the reporting output though, it would have been 
much much simpler :-)



About that:

proc reporting "/tmp/reporting.sh"
report smtp on reporting

The 2nd line gives smtpd -n a syntax error. Has the syntax changed 
between your post and now? :)


Reio



Re: New syntax and virtual aliases to remote addresses.

2019-09-04 Thread Reio Remma

On 02/09/2019 18:37, Reio Remma wrote:

On 02/09/2019 18:36, Reio Remma wrote:

Now I ended up switching to tls-require on port 25. I wonder how much 
spam that will take down! :)


Well, that's depressing.

On the spam front - requiring TLS apparently cuts off about 99% of spam 
(SpamAssassin is practically out of work), but we do get the occasional 
legit non-TLS connection and I'm having to switch back to optional TLS. :/


So TLS is 20 years old but they're (banks etc) still sending somewhat 
private info in plain text.


'twas fun while it lasted. :)

I'm going to start schooling them one by one.

Reio




Re: OpenSMTPD-Logwatch script.

2019-09-04 Thread Reio Remma

On 04/09/2019 01:43, Edgar Pettijohn wrote:

On Tue, Sep 03, 2019 at 09:29:14PM +0300, Reio Remma wrote:

On 27.04.2018 12:26, Reio Remma wrote:

Hello all,

I've whipped together a Logwatch script for OpenSMTPD. If anyone is
interested in giving it a try, it's now at:

https://github.com/whataboutpereira/OpenSMTPD-Logwatch

Hello! I've now updated the Logwatch script to work with OpenSMTPD 6.6.0
(current portable).

Good luck,
Reio


deathstar$ ./opensmtpd.pl
Experimental keys on scalar is now forbidden at ./opensmtpd.pl line 523.
Type of arg 1 to keys must be hash or array (not hash element) at ./opensmtpd.pl line 
523, near "} ) "


Perl, I don't like you anymore.

Want to give it another try to see if I'm still using 
experimental/removed features? :)


Good luck,
Reio




Re: OpenSMTPD-Logwatch script.

2019-09-03 Thread Reio Remma

On 04.09.2019 1:43, Edgar Pettijohn wrote:

On Tue, Sep 03, 2019 at 09:29:14PM +0300, Reio Remma wrote:

On 27.04.2018 12:26, Reio Remma wrote:

Hello all,

I've whipped together a Logwatch script for OpenSMTPD. If anyone is
interested in giving it a try, it's now at:

https://github.com/whataboutpereira/OpenSMTPD-Logwatch

Hello! I've now updated the Logwatch script to work with OpenSMTPD 6.6.0
(current portable).

Good luck,
Reio


Lots of errors with newer perls. :(

deathstar$ perl -v

This is perl 5, version 28, subversion 2 (v5.28.2) built for amd64-openbsd

deathstar$ ./opensmtpd.pl
Experimental keys on scalar is now forbidden at ./opensmtpd.pl line 523.
Type of arg 1 to keys must be hash or array (not hash element) at ./opensmtpd.pl line 
523, near "} ) "
Experimental keys on scalar is now forbidden at ./opensmtpd.pl line 527.
Type of arg 1 to keys must be hash or array (not hash element) at ./opensmtpd.pl line 
527, near "};"
Experimental keys on scalar is now forbidden at ./opensmtpd.pl line 541.
Type of arg 1 to keys must be hash or array (not hash element) at ./opensmtpd.pl line 
541, near "} )"
Experimental keys on scalar is now forbidden at ./opensmtpd.pl line 553.
Type of arg 1 to keys must be hash or array (not hash element) at ./opensmtpd.pl line 
553, near "} ) "
Experimental keys on scalar is now forbidden at ./opensmtpd.pl line 557.
Type of arg 1 to keys must be hash or array (not hash element) at ./opensmtpd.pl line 
557, near "};"
./opensmtpd.pl has too many errors


Meh. CentOS 7 indeed has an older version for me to test with:

$ perl -v

This is perl 5, version 16, subversion 3 (v5.16.3) built for 
x86_64-linux-thread-multi

(with 39 registered patches, see perl -V for more detail)



Re: OpenSMTPD-Logwatch script.

2019-09-03 Thread Reio Remma

On 27.04.2018 12:26, Reio Remma wrote:

Hello all,

I've whipped together a Logwatch script for OpenSMTPD. If anyone is 
interested in giving it a try, it's now at:


https://github.com/whataboutpereira/OpenSMTPD-Logwatch


Hello! I've now updated the Logwatch script to work with OpenSMTPD 6.6.0 
(current portable).


Good luck,
Reio



Re: New syntax and virtual aliases to remote addresses.

2019-09-02 Thread Reio Remma

On 02/09/2019 18:36, Reio Remma wrote:

On 02/09/2019 17:05, gil...@poolp.org wrote:

September 2, 2019 3:35 PM, "Reio Remma"  wrote:

Hello!

I was able to have virtual aliases pointing to external addresses 
with the old syntax, but it

doesn't seem to work like that with new rules:

Not awake enough to process what follows but the new syntax certainly 
allows this

as my whole infrastructure depends on it ;-)

I suspect that there's a problem with the ruleset that prevents 
external addresses

from matching a rule themselves.


Looking at you config at 
https://poolp.org/posts/2018-05-21/switching-to-opensmtpd-new-config/


Now I ended up switching to tls-require on port 25. I wonder how much 
spam that will take down! :)


I also notice you're not using match auth anywhere, I think this might 
make the difference for mails from remote addresses to virtuals 
aliased to another remote address. I didn't have auth in the old config.


Reio




action filter_incoming relay host smtp://127.0.0.1:10024
action sign_outgoing   relay host smtp://127.0.0.1:10026
action relay_outgoing  relay
action deliver_lmtp    lmtp "/var/run/dovecot/lmtp" rcpt-to virtual 
 userbase 


match tag FILTERED for domain  action deliver_lmtp
match tag SIGNED   for any action relay_outgoing
match auth from any    for domain  action deliver_lmtp
match from any for domain  rcpt-to  
action filter_incoming

match auth from any    for any action sign_outgoing

Old rules were:

accept tagged Filtered for domain  virtual  
userbase  deliver to lmtp

"/var/run/dovecot/lmtp" rcpt-to
accept from local  for domain  virtual  
userbase  deliver to lmtp

"/var/run/dovecot/lmtp" rcpt-to
accept from !local for domain  recipient  
relay via smtp://127.0.0.1:10024

accept tagged Signed   for any relay
accept from local  for any relay via smtp://127.0.0.1:10026

recipi...@mydomain.com used to be nicely redirected to a remote 
recipi...@someotherdomain.com, but

with the new syntax it doesn't hit any rules.

I found that adding "match tag FILTERED for any action 
relay_outgoing" after "match tag FILTERED

for domain  action deliver_lmtp" solves the issue.

I suspect that the old "accept tagged Filtered" went straight to MTA 
after expanding the virtual

alias?

Does it sound right to "match tag FILTERED for any" after dealing 
with FILTERED for our domains?


Can I do anything about DKIM breaking for forwarded mails?

Thanks,
Reio









New syntax and virtual aliases to remote addresses.

2019-09-02 Thread Reio Remma

Hello!

I was able to have virtual aliases pointing to external addresses with 
the old syntax, but it doesn't seem to work like that with new rules:


action filter_incoming relay host smtp://127.0.0.1:10024
action sign_outgoing   relay host smtp://127.0.0.1:10026
action relay_outgoing  relay
action deliver_lmtp    lmtp "/var/run/dovecot/lmtp" rcpt-to virtual 
 userbase 


match tag FILTERED for domain  action deliver_lmtp
match tag SIGNED   for any action relay_outgoing
match auth from any    for domain  action deliver_lmtp
match from any for domain  rcpt-to  action 
filter_incoming

match auth from any    for any action sign_outgoing

Old rules were:

accept tagged Filtered for domain  virtual  userbase 
 deliver to lmtp "/var/run/dovecot/lmtp" rcpt-to
accept from local  for domain  virtual  userbase 
 deliver to lmtp "/var/run/dovecot/lmtp" rcpt-to
accept from !local for domain  recipient  relay 
via smtp://127.0.0.1:10024

accept tagged Signed   for any relay
accept from local  for any relay via smtp://127.0.0.1:10026

recipi...@mydomain.com used to be nicely redirected to a remote 
recipi...@someotherdomain.com, but with the new syntax it doesn't hit 
any rules.


I found that adding "match tag FILTERED for any action relay_outgoing" 
after "match tag FILTERED for domain  action deliver_lmtp" 
solves the issue.


I suspect that the old "accept tagged Filtered" went straight to MTA 
after expanding the virtual alias?


Does it sound right to "match tag FILTERED for any" after dealing with 
FILTERED for our domains?


Can I do anything about DKIM breaking for forwarded mails?

Thanks,
Reio



Re: Virtual User handling

2019-09-02 Thread Reio Remma

On 30/08/2019 18:00, Ede Wolf wrote:

Hello,

While trying to learn opensmtpd, amongst other things I am struggling 
with the virtual user handling - for a non virtual domain setup.


From what I have been able to understand so far it seems, as if there 
is no way to deliver mails to a lmtp socket, if there is not at least 
some reference/mapping to a system user?


accept from any for domain "example.com" recipient  alias 
 deliver to lmtp "/run/cyrus/lmtp" rcpt-to as nobody


where vusers contains:
b...@example.com

However, despite being listed in vusers, when trying to send a mail to 
bob, it gets rejected with "550 Invalid recipient". Creating a 
systemuser "bob" makes it work. But then I do not need the vusers 
table, so I am wondering, is it possible to get along without the need 
for a system user?
Now the man page mentions a userbase parameter, and I assume, the 
according table has to be in the format of the userinfo table 
mentioned in tables(5)?
What then effectively again refers to a system user - just with a 
mapping in between.


For virtual aliases you need to have a mapping of a virtual address to a 
user:


table vusers { b...@example.com = bob }

You might try this:

accept from any for domain "example.com" virtual  deliver to 
lmtp "/run/cyrus/lmtp" rcpt-to


The userbase parameter is handy if you deliver to mailboxes straight 
from OpenSMTPD or you want OpenSMTPD to read the users .forward files:


table userinfo { bob = 5000:5000:/var/mail/example.com/bob }

accept from any for domain "example.com" virtual  userbase 
 deliver to lmtp "/run/cyrus/lmtp" rcpt-to


Good luck,
Reio




Re: Virtual User handling

2019-09-02 Thread Reio Remma

On 02/09/2019 10:35, Ede Wolf wrote:

Hello Edgar,

thanks very much for your in depth reply and the effort you've put 
into it.


As for the "user" keyword, the way I understand this is that it 
equals the "as" statement in the old version.


... lmtp "/run/cyrus/lmtp" rcpt-to ->as nobody<-


I'm using multiple virtual domains myself and delivering to Dovecot via 
LMTP with no user parameter. I _suspect_ it's more useful when you let 
OpenSMTPD deliver straight to mailboxes.


Back to your reply: That catchall from your example in "@ catchall" is 
not a keyword, is it? But a local user account?


@example.com need to be aliased to a real mail account to receive all these.


> but some real user has to own the mailbox...

Care to explain, why is that? From my unknowledgeable point of view, 
the mailbox handling should be done on the other side of the lmtpd 
socket. This misconception is at the very heart of my question.


Maybe run 'smtpd -dv -T expand -T lookup -T rules' and see how OpenSMTPD 
is translating the aliases and which rules it's matching etc.


Good luck,
Reio




Re: Building 6.4.2p1 without ssl?

2019-09-02 Thread Reio Remma
/../smtpd/ca.c: In function 'ca_engine_init':
../../smtpd/ca.c:493:38: error: invalid use of incomplete typedef 
'RSA_METHOD' {aka 'struct rsa_meth_st'}

   if (!ENGINE_set_name(e, rsae_method.name)) {
  ^
../../smtpd/ca.c:511:27: error: 'RSA_FLAG_SIGN_VER' undeclared (first 
use in this function); did you mean 'RSA_FLAG_EXT_PKEY'?

  if (rsa_default->flags & RSA_FLAG_SIGN_VER)
   ^
   RSA_FLAG_EXT_PKEY
../../smtpd/ca.c:511:27: note: each undeclared identifier is reported 
only once for each function it appears in
../../smtpd/ca.c:515:14: error: invalid use of incomplete typedef 
'RSA_METHOD' {aka 'struct rsa_meth_st'}

   rsae_method.rsa_mod_exp = NULL;
  ^
../../smtpd/ca.c:517:14: error: invalid use of incomplete typedef 
'RSA_METHOD' {aka 'struct rsa_meth_st'}

   rsae_method.bn_mod_exp = NULL;
  ^
../../smtpd/ca.c:519:14: error: invalid use of incomplete typedef 
'RSA_METHOD' {aka 'struct rsa_meth_st'}

   rsae_method.rsa_keygen = NULL;
  ^
../../smtpd/ca.c:520:13: error: invalid use of incomplete typedef 
'RSA_METHOD' {aka 'struct rsa_meth_st'}

  rsae_method.flags = rsa_default->flags |
 ^
../../smtpd/ca.c:522:13: error: invalid use of incomplete typedef 
'RSA_METHOD' {aka 'struct rsa_meth_st'}

  rsae_method.app_data = rsa_default->app_data;
 ^
../../smtpd/ca.c: At top level:
../../smtpd/ca.c:307:19: error: storage size of 'rsae_method' isn't known
 static RSA_METHOD rsae_method = {
   ^~~
make[3]: *** [Makefile:742: ../../smtpd/smtpd-ca.o] Error 1
make[3]: Leaving directory '/root/build/opensmtpd-6.4.2p1/mk/smtpd'
make[2]: *** [Makefile:371: all-recursive] Error 1
make[2]: Leaving directory '/root/build/opensmtpd-6.4.2p1/mk'
make[1]: *** [Makefile:418: all-recursive] Error 1
make[1]: Leaving directory '/root/build/opensmtpd-6.4.2p1'
make: *** [Makefile:350: all] Error 2




--
Regards
Reio Remma







Question about match auth with the new syntax.

2019-08-28 Thread Reio Remma

Hello!

I've pretty much converted my setup to the new syntax now and I'm 
wondering if I get this right.


I understand that from local was changed to not include authenticated 
users, but my question is does "match auth" match both authenticated and 
local users?


I currently have - "match auth from any for any action dkim" - and I see 
that I can send mail from command line using that rule, so I'm guessing 
yes. :)


Maybe the man page could reflect these bits for match auth and match 
from local.


Thanks!
Reio



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-28 Thread Reio Remma

On 28/08/2019 11:30, Gilles Chehade wrote:

OpenSSL 1.0.x is going to be supported until 2019-12-31 so this will get
solved by itself soon ;-)


Unfortunately not for CentOS 7. :D

They have a policy of not making major version upgrades during the 
lifecycle of an OS version. :(


Suspect I'll have to look at migrating everything to CentOS 8 when that 
comes out.


Reio



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-28 Thread Reio Remma

On 28/08/2019 10:44, gil...@poolp.org wrote:

On 28 August 2019 00:00, "Reio Remma" wrote:


On 27.08.2019 21:25, Richard Narron wrote:


The OpenSMTPD portable version from https://github.com/OpenSMTPD/OpenSMTPD
works fine on Slackware64 current with OpenSSL 1.1.1c and gcc 9.2
It took me a while to get it to work though.
I first downloaded the "current" portable version from
https://opensmtpd.org/archives/opensmtpd-6.4.2p1.tar.gz
And I got errors very similar to those of Denis Fateyev on Fedora 30.
Next I downloaded the portable version from github.com
and found that autoconf had not been run and this was no good.
Finally I discovered the post on the mailing list which mentioned the
"bootstrap" script and then I was able to download and build the portable
version from git.
The code shows version "6.6.0-portable".
It runs fine on Slackware64 current and I'm happy that it now works with
OpenSSL 1.1
Regards,
Richard Narron

Your success pushed me to try 6.6.0 on CentOS 7 with OpenSSL 1.1.1c.

Can anyone tell me if changing -lcrypto -lssl to -l:libssl.a -l:libcrypto.a 
is the correct way to get OpenSSL 1.1.1c statically compiled into OpenSMTPD? 
I ended up using these (and -pthreads -ldl) and managed to build an RPM based 
on 6.0.3 RPM from CentOS 7.


I don't know about the -l:lib notation sorry

Out of curiosity, why would you want ssl statically compiled into OpenSMTPD ?
This means that when an issue hits OpenSSL, updating OpenSSL and restarting the 
daemon will not be enough to be back on track.

In addition, I'm not sure why you need -pthreads because OpenSMTPD is not 
multi-threaded.


Hello!

CentOS 7 has OpenSSL 1.0.2k as the max version and with OpenSSL 1.1.1c 
compiled into OpenSMTPD I can run the new OpenSMTPD version on a machine 
with CentOS 7's old OpenSSL version.


I had to add -pthreads and -ldl to pass 'make' with the static OpenSSL 
libraries. Without these I ran into errors hinting at threads and dl.


I'm a little wary of just forcibly replacing the whole OpenSSL 1.0.2k on 
a production machine. :)


Thanks!
Reio



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-28 Thread Reio Remma

On 28/08/2019 01:00, Reio Remma wrote:
The fresh RPM installed nicely on a clean CentOS 7 with their OpenSSH 
1.0.2k and OpenSMTPD started too:

Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta delivery evpid=953ab16d13e43b2f from=  to=  rcpt=<-> source="192.168.1.142" relay="108.177.14.27 (lt-in-f27.1e100.net)" delay=3m12s result="Ok" stat="250 2.0.0 OK  1566942607 w6si428635lfk.121 - gsmtp"


Funnily this sole test e-mail managed to get us Spamhaus banned due to 
using localhost.localdomain. :D


Good luck,
Reio


Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-27 Thread Reio Remma

On 27.08.2019 21:25, Richard Narron wrote:

The OpenSMTPD portable version from https://github.com/OpenSMTPD/OpenSMTPD
works fine on Slackware64 current with OpenSSL 1.1.1c and gcc 9.2

It took me a while to get it to work though.

I first downloaded the "current" portable version from
https://opensmtpd.org/archives/opensmtpd-6.4.2p1.tar.gz

And I got errors very similar to those of Denis Fateyev on Fedora 30.

Next I downloaded the portable version from github.com
and found that autoconf had not been run and this was no good.

Finally I discovered the post on the mailing list which mentioned the
"bootstrap" script and then I was able to download and build the portable
version from git.

The code shows version "6.6.0-portable".

It runs fine on Slackware64 current and I'm happy that it now works with
OpenSSL 1.1

Regards,
Richard Narron


Your success pushed me to try 6.6.0 on CentOS 7 with OpenSSL 1.1.1c.

Can anyone tell me if changing -lcrypto -lssl to -l:libssl.a 
-l:libcrypto.a is the correct way to get OpenSSL 1.1.1c statically 
compiled into OpenSMTPD? I ended up using these (and -pthreads -ldl) and 
managed to build an RPM based on 6.0.3 RPM from CentOS 7.


The fresh RPM installed nicely on a clean CentOS 7 with their OpenSSH 
1.0.2k and OpenSMTPD started too:


Aug 28 00:54:54 localhost smtpd[25943]: info: OpenSMTPD 6.6.0-portable starting
Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta connecting address=smtp://108.177.14.27:25 host=lt-in-f27.1e100.net
Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta connected
Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta tls ciphers=TLSv1.3:TLS_AES_256_GCM_SHA384:256
Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta server-cert-check result="success"
Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta delivery evpid=953ab16d13e43b2f from= to= rcpt=<-> source="192.168.1.142" relay="108.177.14.27 (lt-in-f27.1e100.net)" delay=3m12s result="Ok" stat="250 2.0.0 OK  1566942607 w6si428635lfk.121 - gsmtp"

More testing will have to wait until tomorrow. :)

Good luck,
Reio
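
The "mta tls" and "mta server-cert-check" lines in the log above are what show that an outbound delivery was encrypted and that the peer certificate verified. The following is an added example, not part of the original post or of OpenSMTPD: a small audit that groups such lines by session id and reports successful deliveries that lack them. It assumes one log event per line, that a session with no "mta tls" line was delivered in plaintext, and that any server-cert-check result other than "success" means an unverified peer; the sample log is constructed.

```python
import re

# Constructed sample, one event per line, in the format of the smtpd log lines
# quoted above. Addresses are documentation ranges; "failure" is an assumed value.
SAMPLE_LOG = '''\
Aug 28 00:50:07 mx smtpd[9338]: cfa3e1042696f77a mta tls ciphers=TLSv1.3:TLS_AES_256_GCM_SHA384:256
Aug 28 00:50:07 mx smtpd[9338]: cfa3e1042696f77a mta server-cert-check result="success"
Aug 28 00:50:08 mx smtpd[9338]: cfa3e1042696f77a mta delivery evpid=953ab16d13e43b2f from=<a@example.org> to=<b@example.net> rcpt=<-> source="192.0.2.1" relay="192.0.2.27 (mx1.example.net)" delay=1s result="Ok" stat="250 2.0.0 OK"
Aug 28 00:51:10 mx smtpd[9338]: 0123456789abcdef mta connected
Aug 28 00:51:11 mx smtpd[9338]: 0123456789abcdef mta delivery evpid=aaaabbbbccccdddd from=<a@example.org> to=<c@example.net> rcpt=<-> source="192.0.2.1" relay="198.51.100.9 (mx2.example.net)" delay=1s result="Ok" stat="250 2.0.0 OK"
Aug 28 00:52:01 mx smtpd[9338]: fedcba9876543210 mta tls ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
Aug 28 00:52:01 mx smtpd[9338]: fedcba9876543210 mta server-cert-check result="failure"
Aug 28 00:52:02 mx smtpd[9338]: fedcba9876543210 mta delivery evpid=1111222233334444 from=<a@example.org> to=<d@example.net> rcpt=<-> source="192.0.2.1" relay="203.0.113.5 (mx3.example.net)" delay=1s result="Ok" stat="250 2.0.0 OK"
'''

LINE = re.compile(r"smtpd\[\d+\]: (?P<sid>[0-9a-f]{16}) mta (?P<event>\S+)\s*(?P<rest>.*)$")
KV = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S+))')


def fields(rest):
    """Parse key=value pairs; values may be double-quoted and contain spaces."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(rest)}


def audit(log_text):
    """Return {session_id: [findings]} for successful deliveries lacking TLS assurance."""
    sessions, findings = {}, {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an mta session line
        state = sessions.setdefault(m["sid"], {"tls": None, "cert": None})
        kv = fields(m["rest"])
        if m["event"] == "tls":
            state["tls"] = kv.get("ciphers")
        elif m["event"] == "server-cert-check":
            state["cert"] = kv.get("result")
        elif m["event"] == "delivery" and kv.get("result") == "Ok":
            if state["tls"] is None:
                issue = "delivered without a logged TLS handshake"
            elif state["cert"] != "success":
                issue = "TLS negotiated but server certificate not verified"
            else:
                continue  # encrypted and verified
            findings.setdefault(m["sid"], []).append(f"{kv.get('relay')}: {issue}")
    return findings


if __name__ == "__main__":
    for sid, issues in audit(SAMPLE_LOG).items():
        print(sid, issues)
```
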


Re: Multiple query_mailaddr when using table_postgresql not possible

2019-08-12 Thread Reio Remma

On 12/08/2019 12:32, mabi wrote:

Hello,

I would like to add an extra table in a PostgreSQL database to define domain 
names which I will reject mails from (mostly spam domains) on my OpenBSD 6.5 MX 
server.

For that I would need to add the following query_mailaddr to my 
/etc/mail/postgresql.conf file as documented here 
(https://github.com/OpenSMTPD/OpenSMTPD-extras/pull/54):

query_mailaddr SELECT address FROM rejects WHERE address=?

The problem is that I already have a query_mailaddr entry in that file which is 
the following:

query_mailaddr SELECT destination FROM vusers WHERE email = 
REGEXP_REPLACE($1,'(.*)\+[\w-]+@(.*)','\1@\2');

and which I need in order to define my valid recipients using the following 
table/match rule:

table recipients postgres:/etc/mail/postgresql.conf
match from any for domain  rcpt-to  action "relay_amavis"

so, when I start smtpd I get the following error:

domains[19067]: warn: duplicate key query_mailaddr
domains[19067]: fatal: error parsing config file

Does anyone know how I can still achieve that? Maybe with another type of 
"query_" but which one?

Best regards,
Mabi


Whilst I have no experience with the new OpenSMTPD, I have my 6.0.3 
working with MySQL and 2 separate query_mailaddr (recipients and 
blacklist). I solved it by simply putting the blacklist query_mailaddr 
in a separate config file.


table recipients  mysql:/etc/opensmtpd/mysql.conf
table blacklist   mysql:/etc/opensmtpd/mysql-blacklist.conf

Good luck,
Reio




Re: 550 invalid recipient issue

2019-03-18 Thread Reio Remma

On 19/03/2019 04:53, Gabriele Tofano wrote:

I discovered the below after running a smtpd -dv -Tlookup:

lookup: check "17.58.63.178" as NETADDR in table static: -> 0
lookup: check "17.58.63.178" as NETADDR in table static: -> found
lookup: check “domain.com" as DOMAIN in table static: -> found
lookup: lookup “user1" as USERINFO in table getpwnam: -> 0

Why osmtpd is looking for user1 in table getpwnam? What table is that?


Maybe share your whole lookup debug log.

I see it's looking up user1 instead of us...@domain.com, which means 
it's matching the action with alias rule, not the action with virtuals rule.


Good luck,
Reio
