Re: request (privately) for maillog
Same here. I was on my way to grep through my maillog in order to find out more. Seems like it’s a general issue then?

Kind regards
Andreas

> On 24. Feb 2020, at 18:58, epektasis wrote:
>
> I received the same message, for the same message number.
> I get these every once in a while. FWIW.
> T.
>
>> On Mon, Feb 24, 2020 at 06:41:19PM +0100, Peter J. Philipp wrote:
>> Hi,
>>
>> I got another "bouncing messages from misc@opensmtpd.org" message. The
>> particular message was 4669 that bounced. Yet I have no record of this in
>> my maillog, so I suspect a DNS fault.
>>
>> Feb 24 12:07:04 was the time when the 4668 message came to me so I suspect
>> that 4669 came after.
>>
>> I do have a query log for DNS and isolating the fault requires perhaps having
>> some logs from opensmtpd.org for the mail to me (if possible). These logs
>> should state if it was a DNS fault in their own wording.
>>
>> Every answered DNS packet should be accounted for. I have a fairly good idea
>> of one of the vultr nameservers that opensmtpd.org uses but there are other
>> addresses like IPv6 addresses that I'm not sure of. Being given a list of
>> the nameservers would help me in the debug as well.
>>
>> Would opensmtpd.org be able to provide me the logs so I can attempt tracking
>> the problem?
>>
>> Best Regards,
>> -peter
Re: Interim mitigation for CVE-2020-7247
Or rather

    filter exploit_check phase mail-from match mail-from regex { '.*\;.*\;.*' } disconnect "550 no exploiting, kthx"

to be more specific on the semicolons as delimiter of the command?

(sorry, as I said. regex is my nemesis :))

Best regards
Andreas

> On 29. Jan 2020, at 12:19, Andreas Broecking wrote:
>
> Hi all,
>
> first of all, thanks Gilles for the heads-up and a fix on short notice.
>
> For people like me who rely on the portable version and for systems which
> rely on built packages as they lack the local development tools, a filter
> should help to mitigate the problem until a package could be built on another
> system.
>
> Shouldn’t something like
>
> filter exploit_check phase mail-from match mail-from regex { '<*\;*' } \
>     disconnect "550 no exploiting, kthx"
>
> listen on $interface filter exploit_check
>
> sufficiently mitigate the problem?
> I am not fluent in regex’ing so maybe I am missing an edge case. It does
> prevent the example exploit and any others I’ve seen in the last hours.
>
> Best regards
> Andreas
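Added example, not part of the thread and not OpenSMTPD code: a false-positive check of the two regexes proposed in this thread, run over constructed sender strings. It assumes the filter applies the pattern as an unanchored search, approximated here with Python's re.search; the function names and sample senders are made up for the illustration.

```python
import re

# Patterns copied from the two messages in this thread.
PATTERNS = {
    "first": r"<*\;*",         # original proposal
    "second": r".*\;.*\;.*",   # follow-up proposal
}

# Constructed sender strings (not taken from any real log).
SAMPLES = [
    "<alice@example.org>",
    "alice@example.org",
    "<one;semicolon@example.org>",
    "<a;b;c@example.org>",
]


def would_disconnect(pattern, sender):
    """True if the pattern matches anywhere in sender (assumed search semantics)."""
    return re.search(pattern, sender) is not None


def evaluate(patterns=PATTERNS, samples=SAMPLES):
    """Map each pattern name to the list of samples it would reject."""
    return {
        name: [s for s in samples if would_disconnect(rx, s)]
        for name, rx in patterns.items()
    }


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name}: rejects {len(hits)} of {len(SAMPLES)} samples")
        for s in SAMPLES:
            print("   ", "REJECT" if s in hits else "accept", s)
```

Every quantifier in the first pattern is zero-or-more, so it matches the empty string and therefore every sender, including ordinary ones; the second pattern only fires when at least two semicolons are present.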
Interim mitigation for CVE-2020-7247
Hi all,

first of all, thanks Gilles for the heads-up and a fix on short notice.

For people like me who rely on the portable version and for systems which rely on built packages as they lack the local development tools, a filter should help to mitigate the problem until a package could be built on another system.

Shouldn’t something like

    filter exploit_check phase mail-from match mail-from regex { '<*\;*' } \
        disconnect "550 no exploiting, kthx"

    listen on $interface filter exploit_check

sufficiently mitigate the problem?
I am not fluent in regex’ing so maybe I am missing an edge case. It does prevent the example exploit and any others I’ve seen in the last hours.

Best regards
Andreas
Re: OpenSMTPD password encryption scheme.
Hey,

I struggled with this issue as well on FreeBSD. This worked for me after a lot of tracing.

1. Create your PW hash with doveadm:

    echo `doveadm pw -s BLF-CRYPT` | cut -d'}' -f2

This will cut the {BLF-CRYPT}… header created by doveadm. Opensmtpd uses crypt() to figure out the hash type and should roll with it.

2. Tell dovecot that your password hashes are BLF-CRYPT so it recognises them without the {BLF-CRYPT} header

    passdb {
      driver = passwd-file
      args = scheme=blf-crypt /usr/local/etc/mail/passwd
    }

This way you can use the same passwd table both for opensmtpd and dovecot.

HTH
Andreas

> On 18. Sep 2018, at 09:06, Reio Remma wrote:
>
> Hello!
>
> I'm curious as to what determines the password scheme used by OpenSMTPD on a
> Linux system (CentOS 7 in my case). When setting up the system I ended up
> with using SHA512, because it seems to be what works both in OpenSMTPD and
> Dovecot, but would really like to use Blowfish instead. Dovecot seems to work
> with it, but is there any way I can make OpenSMTPD also agree with it?
>
> Thanks,
> Reio
>
> --
> You received this mail because you are subscribed to misc@opensmtpd.org
> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org