Re: New Server, looking for some general advice

2020-05-11 Thread Antonino Sidoti
Hello,

I am using OpenSMTPD with the following;
Maildir
Dovecot/LMTP
Spamd
Dkimproxy
Dmarc (Domain)
SPF
Let’s Encrypt Certificates
Simple script for Spamd to obtain RBL lists
Filters for fcrDNS
Mutt Client
Virtual Users and Local user
Backup Mail server using Dovecot replication (Located in another country)
Dovecot Sieve for placing mail into particular folders
Rain loop WebMail client (running on another OpenBSD box)
Basic Monitoring using Monit

I am not using any backend Database.

The mail system I have configured is for me and a single domain at present. I 
don’t have any intention of scaling it out as I wanted to get off Office 365 as 
my primary aim. I like the control and being able to manage it, learnt a lot 
along the way.

Not sure if I gave you any answers but the information is out there and it 
takes time to get it right and obviously to meet your needs. The information in 
man is also very good as you know.

All my OpenBSD boxes are running at Vultr in two locations.

Good luck with your project. Happy to provide more information, but better if we 
do that offline.

Nino


> On 11 May 2020, at 4:55 am, Chris Bennett wrote:
> 
> Hi,
> I just added a new /27 server. So I haven't started anything except
> local for right now. It's using amd64 -current.
> I'm using A records for domain and mail.domain. No problem there.
> 
> It has one mail. address assigned right now. Different than domain IP.
> 
> What I want to achieve:
> 1. Use Maildir
> 
> 2. Use dkimproxy. I will add more domains after getting one setup right.
> 
> 3. Retrieve mail both locally and remotely. I am using neomutt over SSH
> right now, but I'm just not getting the conf file exactly right. Perhaps
> using IMAP address instead of the local directories would work better?
> Right now it recognizes mailboxes only partially correctly.
> This question might be better to ask on neomutt mailing list?
> 
> I'm guessing that dovecot will be best for remotely and locally. I
> previously used it for mbox quite a while ago over POP3.
> 
> 4. Use both local and virtual users. So I would like to prepare for the
> virtual users part at the start if possible. One step at a time is fine.
> 
> As far as DKIM, should I add the signature to the domain or mail.domain?
> I have already successfully added to mail.domain elsewhere, but is that
> right? dkimproxy man pages suggest just domain part
> 
> 5. Should I use lmtp?
> 6. Should I start with files first and move over to postgresql or
> straight to postgresql?
> 
> I have infinite (almost :-}) patience on this server since not a single
> important email will be going to it anytime soon.
> I haven't setup spamd yet and I'm unsure that I want to. It seems to
> cause me more grief than help. I'm using the opensmtpd filters elsewhere
> and they are fantastic!
> 
> I also don't have a problem reading code for answers as best as I can.
> I also have some filter code from others I need to look at (Thanks
> Edgar!)
> 
> I'm off to read the latest man pages.
> 
> Thanks so much for having such excellent software freeing me from the
> sendmail nightmare! Tons of work and I love it.
> 
> Thanks, 
> Chris Bennett
> 
> 
> 




Re: OpenSMTPd not respecting relay port?

2020-03-14 Thread Antonino Sidoti
Hello,

There is a really good example on how to do this; “man smtpd.conf”.

This is what the man page says;

table aliases file:/etc/mail/aliases
table secrets file:/etc/mail/secrets

listen on lo0

action "local_mail" mbox alias 
action "outbound" relay host smtp+tls://b...@smtp.example.com \
  auth 

match for local action "local_mail"
match for any action "outbound"

Nino

> On 15 Mar 2020, at 6:48 am, Oscar Carlsson  wrote:
> 
> Hi,
> 
> I'm trying to setup a relay on an OpenBSD machine.  But, no matter
> what I do, OpenSMTPd never seems to respect the port I specify, even
> when using smtps which _should_ default to port 465?
> 
> My smtpd.conf:
> 
> table aliases file:/etc/mail/aliases
> table secrets file:/etc/mail/secrets
> 
> listen on lo0
> 
> action "local_mail" mbox alias 
> action "outbound" relay
> # action "relay" relay host smtp+tls://la...@my.domain.com:587 auth
> 
> action "relay" relay host smtps://la...@my.domain.com auth 
> 
> match for local action "local_mail"
> match for any action "outbound"
> 
> And a typical log entry when trying to send a mail:
> 
> Mar 14 20:17:33 brandmur smtpd[59200]: 14d126f717771342 mta connecting
> address=smtp://95.216.xxx.xx:25 host=my.domain.com
> Mar 14 20:17:44 brandmur smtpd[59200]: 14d126f809043707 smtp connected
> address=local host=brandmur.other.domain
> Mar 14 20:17:44 brandmur smtpd[59200]: 14d126f809043707 smtp message
> msgid=587c0286 size=396 nrcpt=1 proto=ESMTP
> Mar 14 20:17:44 brandmur smtpd[59200]: 14d126f809043707 smtp envelope
> evpid=587c0286517217d4 from= to=<
> oscar@my.domain>
> Mar 14 20:17:44 brandmur smtpd[59200]: 14d126f809043707 smtp
> disconnected reason=quit
> Mar 14 20:18:48 brandmur smtpd[59200]: 14d126f717771342 mta error
> reason=Connection timeout
> Mar 14 20:18:48 brandmur smtpd[59200]: smtp-out: Disabling route [] <-> 
> 95.216.xxx.xx (my.domain.com) for 15s
> Mar 14 20:18:48 brandmur smtpd[59200]: smtp-out: No valid route for
> [connector:[]->[relay:my.domain,smtp],0x0]
> 
> The receiving end is a postfix machine that otherwise works as
> expected.
> 
> Any ideas?
> 
> 
> Oscar
> 
> 




Re: Questions About Filters

2020-01-03 Thread Antonino Sidoti
Hello Gilles,

Thank you for your response.

With regards to the question about negating ‘rdns’, can I explain how I 
understand it and maybe you can confirm either way.

Using the example,
filter f01 phase connect match !rdns disconnect "550 missing rDNS"

On connection (connect) we check (match) if reverse dns is invalid (!rdns) and 
if so then disconnect the session. For invalid, this would mean no reverse dns, 
or an incorrectly configured reverse dns. 

I did read the man page about ‘smtpd.conf’, more so about filters, and wanted to be 
sure I comprehend it. 
 
Thanks

Nino


> On 4 Jan 2020, at 11:07 am, gil...@poolp.org wrote:
> 
> January 4, 2020 12:25 AM, "Antonino Sidoti"  wrote:
> 
>> Hello,
>> 
> 
> Hello,
> 
> 
>> I have some basic questions about filters?
>> 
>> What do we need to negate the rdns for the following command?
>> 
>> filter f01 phase connect match !rdns disconnect "550 missing rDNS"
>> 
> 
> I'm unsure I understand this question, the example you show negates rdns,
> this is what I use myself to junk incoming sessions without rdns.
> 
> 
>> Can someone please explain the difference between reject and disconnect when 
>> used in a filter?
>> 
> 
> Very simple.
> 
> When you use `reject` the command is rejected but the session isn't
> disconnected. If a client had multiple mails for you, rejecting a mail can
> allow it to submit a different mail before it gets disconnected.
> 
> When you use `disconnect` the client gets disconnected after the rejection,
> so it has to connect again.
> 
> 
>> Many thanks
>> 
>> Nino
> 
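Added example, not part of this thread and not OpenSMTPD code: a small Python checker for the reverse-DNS condition the quoted rule tests. It separates the three states a connecting address can be in (no PTR record, a PTR that does not resolve back to the client, and a forward-confirmed PTR) and mirrors the `match !rdns disconnect "550 missing rDNS"` decision; note that smtpd.conf(5) provides separate `rdns` and `fcrdns` match criteria for the "has a PTR" and "PTR is forward-confirmed" cases. The resolver callbacks are injectable so the check runs offline against the constructed records below (RFC 5737 documentation addresses, not real hosts); `system_reverse`/`system_forward` use the real resolver when you call it yourself.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Resolver callbacks are injected so the check can be exercised offline.
ReverseLookup = Callable[[str], Optional[str]]   # ip -> PTR name, or None
ForwardLookup = Callable[[str], Iterable[str]]   # name -> addresses


def system_reverse(ip: str) -> Optional[str]:
    """PTR lookup through the system resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward(name: str) -> Iterable[str]:
    """A/AAAA lookup through the system resolver."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def classify_rdns(ip: str, reverse: ReverseLookup = system_reverse,
                  forward: ForwardLookup = system_forward) -> str:
    """Return 'none' (no PTR), 'mismatch' (PTR does not point back) or 'fcrdns'."""
    ptr = reverse(ip)
    if not ptr:
        return "none"
    addr = ipaddress.ip_address(ip)
    for candidate in forward(ptr):
        try:
            if ipaddress.ip_address(candidate) == addr:
                return "fcrdns"
        except ValueError:
            continue  # ignore anything that is not an address
    return "mismatch"


def filter_decision(ip: str, reverse: ReverseLookup = system_reverse,
                    forward: ForwardLookup = system_forward,
                    require_forward_confirmed: bool = False) -> Tuple[str, Optional[str]]:
    """Mirror `filter f01 phase connect match !rdns disconnect "550 missing rDNS"`.

    With require_forward_confirmed=True the stricter fcrdns semantics apply and a
    PTR that does not resolve back to the client is treated like a missing one.
    """
    state = classify_rdns(ip, reverse, forward)
    if state == "none" or (require_forward_confirmed and state == "mismatch"):
        return ("disconnect", "550 missing rDNS")
    return ("continue", None)


# Constructed DNS data (RFC 5737 documentation addresses), not real hosts.
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "mx.example.test",      # forward-confirmed
    "192.0.2.20": "mail.example.test",    # PTR points at a different address
}
FORWARD_RECORDS: Dict[str, List[str]] = {
    "mx.example.test": ["192.0.2.10"],
    "mail.example.test": ["198.51.100.5"],
}


def fake_reverse(ip: str) -> Optional[str]:
    return PTR_RECORDS.get(ip)


def fake_forward(name: str) -> List[str]:
    return FORWARD_RECORDS.get(name, [])


def run_demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Evaluate the rule against the constructed records; 192.0.2.30 has no PTR."""
    return {ip: filter_decision(ip, fake_reverse, fake_forward)
            for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30")}


if __name__ == "__main__":
    for ip, (verdict, reply) in run_demo().items():
        state = classify_rdns(ip, fake_reverse, fake_forward)
        print(f"{ip}: {state} -> {verdict} {reply or ''}")
```

With the default `require_forward_confirmed=False` the function behaves like `!rdns` (only a missing PTR disconnects); pass `True` to get the `!fcrdns` behaviour where a PTR that does not point back at the client is also refused.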




Questions About Filters

2020-01-03 Thread Antonino Sidoti
Hello,

I have some basic questions about filters?

What do we need to negate the rdns for the following command?

filter f01 phase connect match !rdns disconnect "550 missing rDNS"

Can someone please explain the difference between reject and disconnect when 
used in a filter?

Many thanks

Nino





Static Table Entry - smtpd.conf

2019-04-21 Thread Antonino Sidoti
Hi,

Is it valid if I add a static table entry in “smtpd.conf” like so;

table blacklist { "@*.anonymous-email.*" }

I am getting junk email coming in which has multiple domain types and 
subdomains but it will consistently have a common naming of “anonymous-email”.

Example,

f...@e.anonymous-email.xyz 
f...@b.anonymous-email.info 
f...@a.anonymous-email.xyz 

Spamd is not stopping it so I thought I could reject emails using a static table 
as noted above. Will my wildcard work?

Re: Announce: OpenSMTPD 6.4.1 released

2018-12-20 Thread Antonino Sidoti
HI,

Yes, I do have it. Sorry, I was thinking there would be another release as it 
was announced on the 16th December.

Thanks

> On 20 Dec 2018, at 6:38 pm, Gilles Chehade  wrote:
> 
> On Thu, Dec 20, 2018 at 02:52:19PM +1100, Antonino Sidoti wrote:
>> HI,
>> 
>> I am on OpenBSD 6.4 and I have checked in the past few days for the new 
>> update via “syspatch”. So far nothing has come through for OpenSmtpd.
>> 
> 
> Are you sure ?
> 
> I'm running OpenBSD 6.4 and I did get the update via syspatch a while ago:
> 
> $ uname -srm
> OpenBSD 6.4 amd64
> $ syspatch -l|grep smtpd
> 007_smtpd
> $
> 
> $ curl https://ftp.openbsd.org/pub/OpenBSD/patches/6.4/common/007_smtpd.patch.sig 2>/dev/null | head -9
> untrusted comment: verify with openbsd-64-base.pub
> RWQq6XmS4eDAcT7iguLT8P2N4KVuxYXFb9rqG8JKe0uVSFR+dDlXh5TMkn8zF8IdAJrJRVOGSb9TxFjWlPKtBZLT/57ZH2pv0gk=
> 
> OpenBSD 6.4 errata 007, November 29, 2018
> 
> The mail.mda and mail.lmtp delivery agents were not reporting temporary
> failures correctly, causing smtpd to bounce messages in some cases where
> it should have retried them.
> 
> 
> 
> 
>>> On 17 Dec 2018, at 3:15 am, Gilles Chehade  wrote:
>>> 
>>> On Sun, Dec 16, 2018 at 11:11:23AM -0500, Matt Schwartz wrote:
>>>> Hi Gilles,
>>>> 
>>>> Stupid question but did these minor fixes come via a syspatch or do I need
>>>> to download and compile the tarball?
>>>> 
>>> 
>>> If you're on OpenBSD 6.4 and run syspatch, you will be fine.
>>> 
>>> 
>>>> On Sun, Dec 16, 2018, 11:05 AM Gilles Chehade >>> 
>>>>> Subject: Announce: OpenSMTPD 6.4.1 released
>>>>> 
>>>>> OpenSMTPD 6.4.1 has just been released.
>>>>> 
>>>>> OpenSMTPD is a FREE implementation of the SMTP protocol with some common
>>>>> extensions. It allows ordinary machines to exchange e-mails with systems
>>>>> speaking the SMTP protocol. It implements a fairly large part of RFC5321
>>>>> and can already cover a large range of use-cases.
>>>>> 
>>>>> It runs on OpenBSD, NetBSD, FreeBSD, DragonFlyBSD and Linux.
>>>>> 
>>>>> The archives are now available from the main site at www.OpenSMTPD.org
>>>>> 
>>>>> We would like to thank the OpenSMTPD community for their help in testing
>>>>> the snapshots, reporting bugs, contributing code and packaging for other
>>>>> systems.
>>>>> 
>>>>> This is a minor release with critical and portability fixes.
>>>>> 
>>>>> Changes in this release (since 6.4.0):
>>>>> ==
>>>>> 
>>>>> - MDA exit status was improperly handled causing some temporary failures
>>>>> to be treated as permanent failures.
>>>>> - fix hardcoded libexec paths preventing proper packaging [1]
>>>>> - fix install of smtpctl to allow build/install as non-root
>>>>> 
>>>>> 
>>>>> [1] Author: Michael Figiel 
>>>>> 
>>>>> 
>>>>> Checksums:
>>>>> ==
>>>>> 
>>>>> SHA256 (opensmtpd-6.4.1.tar.gz) =
>>>>> 755580753b36a4072bffac4993d1db82129352a087830e125e257c3ce8c5921f
>>>>> 
>>>>> SHA256 (opensmtpd-6.4.1p1.tar.gz) =
>>>>> 1b5dabe822a0e0b2cfde067f673885a81211ae8f630ec88e4d70c81cad49a406
>>>>> 
>>>>> 
>>>>> Verify:
>>>>> ===
>>>>> 
>>>>> Starting with version 5.7.1, releases are signed with signify(1).
>>>>> 
>>>>> You can obtain the public key from our website, check with our community
>>>>> that it has not been altered on its way to your machine.
>>>>> 
>>>>>  $ wget https://www.opensmtpd.org/archives/opensmtpd-20181026.pub
>>>>> 
>>>>> Once you are confident the key is correct, you can verify the release as
>>>>> described below:
>>>>> 
>>>>> 1- download both release tarball and matching signature file to same
>>>>> directory:
>>>>> 
>>>>>  for OpenBSD version:
>>>>>  $ wget https://www.opensmtpd.org/archives/opensmtpd-6.4.1.sum.sig
>>>>>  $ wget https://www.

Re: FAQ gone?

2018-12-19 Thread Antonino Sidoti
HI,

I agree with a user base option as well. If people from this mailing list would 
be willing to volunteer their setup/configuration into a wiki then I think it 
would be a good way to share the knowledge about OpenSMTPD. I struggled quite a 
bit getting the information to put together my setup and I ended up grabbing 
snippets of information from various sites along with a lot of reading too, 
i.e. ‘man’ pages. Though ‘man’ pages can be daunting at first and take time 
getting your head around the many options, switches and order of syntax.

I built my lab a few times before I got it right. Having a central place for 
information and seeing examples I think will be very helpful.   

> On 13 Dec 2018, at 9:48 am, Edgar Pettijohn  wrote:
> 
> I feel the manual pages are really enough. However, some sort of wiki that
> the userbase could keep updated without intervention may work out.
> 
> Edgar
> 
> -- 
> You received this mail because you are subscribed to misc@opensmtpd.org
> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
> 





Re: Announce: OpenSMTPD 6.4.1 released

2018-12-19 Thread Antonino Sidoti
HI,

I am on OpenBSD 6.4 and I have checked in the past few days for the new update 
via “syspatch”. So far nothing has come through for OpenSmtpd.

> On 17 Dec 2018, at 3:15 am, Gilles Chehade  wrote:
> 
> On Sun, Dec 16, 2018 at 11:11:23AM -0500, Matt Schwartz wrote:
>> Hi Gilles,
>> 
>> Stupid question but did these minor fixes come via a syspatch or do I need
>> to download and compile the tarball?
>> 
> 
> If you're on OpenBSD 6.4 and run syspatch, you will be fine.
> 
> 
>> On Sun, Dec 16, 2018, 11:05 AM Gilles Chehade > 
>>> Subject: Announce: OpenSMTPD 6.4.1 released
>>> 
>>> OpenSMTPD 6.4.1 has just been released.
>>> 
>>> OpenSMTPD is a FREE implementation of the SMTP protocol with some common
>>> extensions. It allows ordinary machines to exchange e-mails with systems
>>> speaking the SMTP protocol. It implements a fairly large part of RFC5321
>>> and can already cover a large range of use-cases.
>>> 
>>> It runs on OpenBSD, NetBSD, FreeBSD, DragonFlyBSD and Linux.
>>> 
>>> The archives are now available from the main site at www.OpenSMTPD.org
>>> 
>>> We would like to thank the OpenSMTPD community for their help in testing
>>> the snapshots, reporting bugs, contributing code and packaging for other
>>> systems.
>>> 
>>> This is a minor release with critical and portability fixes.
>>> 
>>> Changes in this release (since 6.4.0):
>>> ==
>>> 
>>> - MDA exit status was improperly handled causing some temporary failures
>>>  to be treated as permanent failures.
>>> - fix hardcoded libexec paths preventing proper packaging [1]
>>> - fix install of smtpctl to allow build/install as non-root
>>> 
>>> 
>>> [1] Author: Michael Figiel 
>>> 
>>> 
>>> Checksums:
>>> ==
>>> 
>>>  SHA256 (opensmtpd-6.4.1.tar.gz) =
>>>  755580753b36a4072bffac4993d1db82129352a087830e125e257c3ce8c5921f
>>> 
>>>  SHA256 (opensmtpd-6.4.1p1.tar.gz) =
>>>  1b5dabe822a0e0b2cfde067f673885a81211ae8f630ec88e4d70c81cad49a406
>>> 
>>> 
>>> Verify:
>>> ===
>>> 
>>> Starting with version 5.7.1, releases are signed with signify(1).
>>> 
>>> You can obtain the public key from our website, check with our community
>>> that it has not been altered on its way to your machine.
>>> 
>>>   $ wget https://www.opensmtpd.org/archives/opensmtpd-20181026.pub
>>> 
>>> Once you are confident the key is correct, you can verify the release as
>>> described below:
>>> 
>>> 1- download both release tarball and matching signature file to same
>>> directory:
>>> 
>>>   for OpenBSD version:
>>>   $ wget https://www.opensmtpd.org/archives/opensmtpd-6.4.1.sum.sig
>>>   $ wget https://www.opensmtpd.org/archives/opensmtpd-6.4.1.tar.gz
>>> 
>>>   for portable version:
>>>   $ wget https://www.opensmtpd.org/archives/opensmtpd-6.4.1p1.sum.sig
>>>   $ wget https://www.opensmtpd.org/archives/opensmtpd-6.4.1p1.tar.gz
>>> 
>>> 
>>> 2- use `signify` to verify that signature file is properly signed and that
>>> the
>>>   checksum matches the release tarball you downloaded:
>>> 
>>>   for OpenBSD version:
>>>   $ signify -C -e -p opensmtpd-20181026.pub -x opensmtpd-6.4.1.sum.sig
>>>   Signature Verified
>>>   opensmtpd-6.4.1.tar.gz: OK
>>> 
>>>   for portable version:
>>>   $ signify -C -e -p opensmtpd-20181026.pub -x opensmtpd-6.4.1p1.sum.sig
>>>   Signature Verified
>>>   opensmtpd-6.4.1p1.tar.gz: OK
>>> 
>>> 
>>> If you don't get an OK message, then something is not right and you should
>>> not
>>> install without first understanding why it failed.
>>> 
>>> 
>>> Support:
>>> 
>>> 
>>> You are encouraged to register to our general purpose mailing-list:
>>>http://www.opensmtpd.org/list.html
>>> 
>>> The "Official" IRC channel for the project is at:
>>>#OpenSMTPD @ irc.freenode.net
>>> 
>>> 
>>> Reporting Bugs:
>>> ===
>>> 
>>> Please read http://www.opensmtpd.org/report.html
>>> Security bugs should be reported directly to secur...@opensmtpd.org
>>> Other bugs may be reported to b...@opensmtpd.org
>>> 
>>> --
>>> Gilles Chehade @poolpOrg
>>> 
>>> https://www.poolp.org tip me: https://paypal.me/poolpOrg
>>> 
>>> 
>>> 
> 
> -- 
> Gilles Chehade   @poolpOrg
> 
> https://www.poolp.org  tip me: 
> https://paypal.me/poolpOrg 
> 
> 


Syntax Check Please

2018-11-01 Thread Antonino Sidoti
Hi,

I am planning the changeover to the new OpenSMTPD syntax and would like a 
sanity check on the configuration below please? My current (working) 
configuration is shown using the syntax for OpenBSD 6.3 plus my version of new 
syntax;

#
# OpenSMTPD v6.04 config
#

pki mail.stonyrange.com certificate "/etc/ssl/stonyrange.com.fullchain.pem"
pki mail.stonyrange.com key "/etc/ssl/private/stonyrange.com.key"

table aliases file:/etc/mail/aliases
table vdomains file:/etc/mail/vdomains
table vusers file:/etc/mail/vusers
table passwd passwd:/etc/mail/passwd

table blackhole { "@tiscali.it" }

listen on lo0
listen on lo0 port 10028 tag DKIM_OUT
listen on egress port smtp tls pki mail.stonyrange.com auth-optional 
listen on egress port submission tls-require pki mail.stonyrange.com auth 


reject from any sender  for any

accept from local for local alias  deliver to lmtp "/var/dovecot/lmtp" 
rcpt-to
accept from any for domain  virtual  deliver to lmtp 
"/var/dovecot/lmtp" rcpt-to
accept tagged DKIM_OUT for any relay
accept from local for any relay via smtp://127.0.0.1:10027

#
# OpenSMTPD v6.4 config - *** NEW SYNTAX ***
#

pki mail.stonyrange.com cert "/etc/ssl/stonyrange.com.fullchain.pem"
pki mail.stonyrange.com key "/etc/ssl/private/stonyrange.com.key"

table aliases file:/etc/mail/aliases
table vdomains file:/etc/mail/vdomains
table vusers file:/etc/mail/vusers
table passwd file:/etc/mail/passwd

table blackhole { "@tiscali.it" }

listen on lo0
listen on lo0 port 10028 tag DKIM_OUT
listen on egress port smtp tls pki mail.stonyrange.com auth-optional
listen on egress port submission tls-require pki mail.stonyrange.com auth 


action a01 alias  lmtp "/var/dovecot/lmtp" rcpt-to
action a02 virtual  lmtp "/var/dovecot/lmtp" rcpt-to
action a03 relay host smtp://127.0.0.1:10027

match from any mail-from  for any reject

match from local for local action a01
match from any for domain  action a02
match tag DKIM_OUT for any action a03

Many thanks

Nino





SPAMD - Grey Listing

2018-10-01 Thread Antonino Sidoti
Hi,

I notice that Spamd is not adding clients to the ‘spamdb’ and labelling with 
“GREY”. 

Oct  1 17:43:24 obsd-svr3 spamd[84545]: (GREY) 67.219.xxx.250: 
 -> 
Oct  1 17:43:24 obsd-svr3 spamd[16185]: Trapping 67.219.xxx.250 for tuple 
67.219.xxx.250 test.network-tools.com  

Oct  1 17:43:24 obsd-svr3 spamd[84545]: 67.219.149.250: disconnected after 13 
seconds.

obsd-svr3$ spamdb | grep GREY

No result

obsd-svr3$ spamdb | grep 67.219.xxx.250
TRAPPED|67.219.xxx.250|1541490191

As noted above the client is “TRAPPED”, which I understand means it is 
blacklisted. I am running ‘spamd’ in default mode and only added the -v flag in 
'/etc/rc.conf.local’;

spamd_flags=-v

The ‘spamd’ process is like so;

obsd-svr3$ ps -aux | grep spam
_spamd   54244  0.0  0.1   580  1496 ??  Ssp   Sat03PM0:15.98 
/usr/libexec/spamlogd -l pflog1
_spamd   10589  0.0  0.1  9712  1552 ??  Ssp5:40PM0:00.11 spamd: (pf 
 update) (spamd)
_spamd   84545  0.0  0.2  9924  5012 ??  Sp 5:40PM0:00.19 spamd: [priv] 
(greylist) (spamd)
_spamd   16185  0.0  0.1  9692  1524 ??  Ip 5:40PM0:00.00 spamd: 
(/var/db/spamd update) (spamd)

Thanks
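Added example, not from the thread and not part of OpenBSD: a small Python parser for `spamdb` output in the layout documented in spamdb(8) (`GREY|ip|helo|from|to|first|pass|expire|block|pass`, `WHITE|ip|||first|pass|expire|block|pass`, `TRAPPED|ip|expire`). It summarises the database by state and lists trapped addresses with their expiry time, which is the quick check for the situation above: the `Trapping ... for tuple` log line records that the recipient was a greytrap address, and a greytrapped client is recorded as TRAPPED rather than greylisted, so `grep GREY` finds nothing for it. The sample lines are constructed with RFC 5737 documentation addresses.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional


@dataclass
class SpamdbEntry:
    state: str                 # GREY, WHITE or TRAPPED
    ip: str
    helo: Optional[str]        # GREY only
    mail_from: Optional[str]   # GREY only
    rcpt_to: Optional[str]     # GREY only
    expire: int                # epoch seconds after which spamd forgets the entry

    @property
    def expires_at(self) -> datetime:
        return datetime.fromtimestamp(self.expire, tz=timezone.utc)


def parse_spamdb_line(line: str) -> SpamdbEntry:
    """Parse one line of `spamdb` output (layout as documented in spamdb(8))."""
    fields = line.rstrip("\n").split("|")
    state = fields[0]
    if state == "TRAPPED" and len(fields) == 3:
        return SpamdbEntry(state, fields[1], None, None, None, int(fields[2]))
    if state in ("GREY", "WHITE") and len(fields) >= 7:
        # The five counters (first, pass, expire, block, pass count) close the
        # line, so `expire` is read from the end; only GREY carries helo/from/to.
        expire = int(fields[-3])
        if state == "GREY":
            return SpamdbEntry(state, fields[1], fields[2], fields[3], fields[4], expire)
        return SpamdbEntry(state, fields[1], None, None, None, expire)
    raise ValueError(f"unrecognised spamdb line: {line!r}")


def summarise(lines: Iterable[str]) -> Dict[str, int]:
    """Count entries per state, like `spamdb | cut -d'|' -f1 | sort | uniq -c`."""
    counts: Dict[str, int] = {"GREY": 0, "WHITE": 0, "TRAPPED": 0}
    for line in lines:
        if line.strip():
            counts[parse_spamdb_line(line).state] += 1
    return counts


def trapped_hosts(lines: Iterable[str]) -> List[SpamdbEntry]:
    """Entries currently blacklisted by greytrapping, earliest expiry first."""
    entries = [parse_spamdb_line(line) for line in lines if line.strip()]
    return sorted((e for e in entries if e.state == "TRAPPED"), key=lambda e: e.expire)


# Constructed sample in the spamdb(8) layout; 192.0.2.0/24 and 198.51.100.0/24
# are documentation ranges, not real clients.
SAMPLE_SPAMDB = """\
GREY|192.0.2.40|mail.example.test|alice@example.test|nino@example.test|1538377404|1538392004|1538392404|1|0
WHITE|198.51.100.9|||1538300000|1538314600|1541400000|1|3
TRAPPED|192.0.2.7|1541490191
"""


def run_demo() -> Dict[str, int]:
    """Summarise the constructed sample; feed it `spamdb` output for the real thing."""
    return summarise(SAMPLE_SPAMDB.splitlines())


if __name__ == "__main__":
    print(run_demo())
    for e in trapped_hosts(SAMPLE_SPAMDB.splitlines()):
        print(f"{e.ip} trapped until {e.expires_at:%Y-%m-%d %H:%M} UTC")
```

To use it on a live system, pipe `spamdb` output into `summarise` or `trapped_hosts` (for example `summarise(subprocess.run(["spamdb"], capture_output=True, text=True).stdout.splitlines())`).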




Re: Reject Senders by IP address - SMTPD

2018-09-28 Thread Antonino Sidoti
Hi Gilles
Therefore in my case I can remove the “reject” statement and let the packet 
filter block the IP. I don’t want the offending IP to even reach the mail 
server. 

Thanks for the clarification. 



> On 28 Sep 2018, at 7:25 pm, Gilles Chehade  wrote:
> 
>> On Fri, Sep 28, 2018 at 09:14:17AM +0000, Antonino Sidoti wrote:
>> Hi Peter
>> 
> 
> Hi,
> 
>> I am using spamd. 
>> 
>> So the “reject” statement still logs the connection as seen in the log 
>> sample I provided. I was expecting to see a different log entry along the 
>> lines of “source IP rejected”. The log information gives me the 
>> impression that the “reject” is not working. 
>> 
>> Happy to configure a table in “pf.conf” and block the IP that way. 
>> But then what is the point of the “reject” in the smtpd.conf?
>> 
> 
> The ruleset within smtpd only cares about envelopes.
> 
> It doesn't accept or reject clients, it accept or rejects envelopes so they
> do or do not enter the queue for delivery.
> 
> Gilles
> 
> 
> 
> 
>>>> On 28 Sep 2018, at 6:56 pm, Peter N. M. Hansteen  wrote:
>>>> 
>>>> On Fri, Sep 28, 2018 at 08:30:55AM +, Antonino Sidoti wrote:
>>>> table shithole file:/etc/mail/blacklist
>>>> 
>>>> The file “blacklist” contains the IP addresses that I wish to block, 
>>>> one per line. I also have added a reject statement to my “smtpd.conf” 
>>>> like so;
>>>> 
>>>> reject from source  for any
>>>> 
>>>> What I notice is that it does not block the IP address and it continues to 
>>>> attempt a connection to the mail server. The IP address in question is 
>>>> showing up in “/var/log/maillog” like so;
>>>> 
>>>> Sep 28 18:22:12 obsd-svr3 smtpd[68949]: b6ab24ef369520cc smtp 
>>>> event=failed-command address=185.xxx.xxx.254 host=185.xxx.xxx.254 
>>>> command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not 
>>>> supported"
>>>> 
>>>> Any idea why the reject statement does not work? 
>>> 
>>> Well, the mail does get rejected, doesn't it?
>>> 
>>> it's possible that a simple pf.conf with a table you block from, fed from 
>>> the file you already have, would be the solution you're looking for. 
>>> Perhaps supplemented with a spamd(8) setup.
>>> 
>>> a couple of writeups of mine that you might find useful:
>>> 
>>> https://bsdly.blogspot.com/2017/04/forcing-password-gropers-through.html
>>> https://bsdly.blogspot.com/2013/05/keep-smiling-waste-spammers-time.html
>>> 
>>> It's also possible that the enumerated badness from 
>>> https://bsdly.blogspot.com/2018/08/badness-enumerated-by-robots.html could 
>>> usefully supplement your data sources.
>>> 
>>> All the best,
>>> Peter
>>> 
>>> -- 
>>> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
>>> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
>>> "Remember to set the evil bit on all malicious network traffic"
>>> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>>> 
>>> 
> 
> -- 
> Gilles Chehade
> 
> https://www.poolp.org  @poolpOrg


Re: Testing SMTP Authentication CLI

2018-09-08 Thread Antonino Sidoti
Hi,

Here you go,

pki mail.example.com certificate "/etc/ssl/example.com.fullchain.pem"
pki mail.example.com key "/etc/ssl/private/example.com.key"

table aliases file:/etc/mail/aliases
table vdomains file:/etc/mail/vdomains
table vusers file:/etc/mail/vusers
table creds file:/etc/mail/creds

listen on lo
listen on lo port 10028 tag DKIM_OUT
listen on egress port smtp tls pki mail.example.com auth-optional
listen on egress port submission tls-require pki mail.example.com auth 

accept from local for local alias  deliver to lmtp "/var/dovecot/lmtp" 
rcpt-to
accept from any for domain  virtual  deliver to lmtp 
"/var/dovecot/lmtp" rcpt-to
accept tagged DKIM_OUT for any relay
accept from local for any relay via smtp://127.0.0.1:10027

Maybe I am using the openssl command wrong. I just want to confirm the SMTP 
user credentials via the CLI.


> On 9 Sep 2018, at 2:44 pm, ed...@pettijohn-web.com wrote:
> 
> Without your smtpd.conf it's hard to know, but I suspect you don't have 
> 'auth' on port 25. 
> On Sep 8, 2018 11:16 PM, Antonino Sidoti  wrote:



Testing SMTP Authentication CLI

2018-09-08 Thread Antonino Sidoti
Hi,

I am using a table in my configuration for user credentials in ’smtpd.conf';

table creds file://etc/mail/creds

I have also created the password using ‘smtpctl encrypt’ and added that to the 
file along with a username.
The file ‘creds’ contains;

bob$2b$10$encrytedpassword

I would like to test the configuration from CLI on my MacBook and using;

openssl s_client -connect mail.example.com:25 -starttls smtp

The connection is successful and I can see TLS handshake, etc. 
I now enter ‘helo’ and ‘auth login’, each of which is successful.

Now going further, how can I test the user credentials using an ‘openssl’ 
connection? I am confident that ‘smtpctl encrypt’ it is using BLF-CRYPT, though 
what do I do to input the username and password to test the credentials?

Regards Nino
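Added example, not from the thread: after `AUTH PLAIN` or `AUTH LOGIN` the credentials travel as base64 tokens, which is what `openssl s_client` leaves you to type by hand. This Python snippet builds those tokens, decodes the `334` challenges the server sends (the `334 UGFzc3dvcmQ6` prompt in the PowerShell thread above is one of them), and wraps the full STARTTLS plus AUTH exchange in `smtplib` so an account can be tested against your own server without pasting the password into an interactive session. The host, port and account values are placeholders to replace with your own; `check_submission_credentials` is the only function that touches the network.

```python
import base64
import smtplib
import ssl
from typing import Tuple


def auth_plain_token(user: str, password: str, authzid: str = "") -> str:
    """RFC 4616 PLAIN: base64(authzid NUL authcid NUL password).

    Sent as one line after `AUTH PLAIN`, or inline as `AUTH PLAIN <token>`.
    """
    raw = f"{authzid}\0{user}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def auth_login_tokens(user: str, password: str) -> Tuple[str, str]:
    """AUTH LOGIN: the server prompts twice with 334 lines; answer each in base64."""
    return (base64.b64encode(user.encode("utf-8")).decode("ascii"),
            base64.b64encode(password.encode("utf-8")).decode("ascii"))


def decode_server_prompt(reply: str) -> str:
    """Decode a `334 <base64>` challenge, with or without the 334 prefix."""
    token = reply.split(None, 1)[1] if reply.startswith("334") else reply
    return base64.b64decode(token).decode("utf-8")


def check_submission_credentials(host: str, port: int, user: str, password: str,
                                 timeout: float = 10.0) -> bool:
    """Connect, STARTTLS with certificate verification, authenticate, QUIT.

    Returns True when the server accepts the credentials and False when it
    rejects them; connection, TLS and capability failures raise instead, so a
    transport problem is never mistaken for a wrong password.
    """
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        conn.starttls(context=ctx)
        conn.ehlo()  # re-read capabilities: AUTH is only offered after STARTTLS
        if not conn.has_extn("auth"):
            raise RuntimeError("server does not offer AUTH on this port after STARTTLS")
        try:
            conn.login(user, password)  # smtplib picks a mechanism the server advertised
        except smtplib.SMTPAuthenticationError:
            return False
        return True


if __name__ == "__main__":
    # Placeholder account; substitute your own values.
    print("AUTH PLAIN token:", auth_plain_token("bob", "secret"))
    print("AUTH LOGIN tokens:", auth_login_tokens("bob", "secret"))
    print("server prompt:", decode_server_prompt("334 UGFzc3dvcmQ6"))
    # check_submission_credentials("mail.example.com", 587, "bob", "secret")
```

In the manual `openssl s_client` session the same tokens are what you paste: `AUTH PLAIN` followed by the PLAIN token, or `AUTH LOGIN` followed by the username token and then the password token as the server issues each `334` prompt. Keep the test on the submission port with `tls-require`, as in the configuration above, so the tokens never cross the wire in clear.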

Re: Sending mail from PowerShell via OpenSMTPD fails.

2018-09-04 Thread Antonino Sidoti
Hi 
I would check Firewall in Windows for port 587 outbound or temporarily turn it 
off and test it again. 

Nino

> On 5 Sep 2018, at 5:52 am, Reio Remma  wrote:
> 
> Hello!
> 
> I've a backup script in Windows that sends an e-mail upon completion.
> 
> The mail goes out successfully if I use port 25 on the mail server but fails 
> unspectacularly with no specific error message on OpenSMTPD side when I try 
> to submit it authenticated on port 587.
> 
> I suspect it's a PowerShell issue, but just in case, here are OpenSMTPD logs 
> from the attempt.
> 
> IIRC authenticated submission used to work with our old QMail server.
> 
> PowerShell merely states:
> 
> Send-MailMessage : Authentication failed.
> + Send-MailMessage @param
> + ~~~
> + CategoryInfo  : InvalidOperation: 
> (System.Net.Mail.SmtpClient:SmtpClient) [Send-MailMessage], SmtpException
> + FullyQualifiedErrorId : 
> SmtpException,Microsoft.PowerShell.Commands.SendMailMessage
> 
> Regular OpenSMTPD logs state:
> 
> Sep  4 22:21:33 host smtpd[1011]: 676cdf15bd475b2d smtp event=connected 
> address=10.0.8.2 host=10.0.8.2
> Sep  4 22:21:34 host smtpd[1011]: 676cdf15bd475b2d smtp event=starttls 
> address=10.0.8.2 host=10.0.8.2 ciphers="version=TLSv1.2, 
> cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256"
> Sep  4 22:21:34 host smtpd[1011]: 676cdf15bd475b2d smtp event=closed 
> address=10.0.8.2 host=10.0.8.2 reason=disconnect
> 
> 
> OpenSMTPD with trace states:
> 
> Sep  4 22:28:12 host smtpd[28824]: 1358b9537a51618f smtp event=starttls 
> address=10.0.8.2 host=10.0.8.2 ciphers="version=TLSv1.2, 
> cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256"
> Sep  4 22:28:12 host smtpd[28824]: mproc: pony -> control : 41 
> IMSG_STAT_INCREMENT
> Sep  4 22:28:12 host smtpd[28824]: smtp: 0x239f1a0: STATE_TLS -> STATE_HELO
> Sep  4 22:28:12 host smtpd[28822]: imsg: control <- pony: IMSG_STAT_INCREMENT 
> (len=41)
> Sep  4 22:28:12 host smtpd[28822]: ramstat: increment: smtp.tls
> Sep  4 22:28:12 host smtpd[28822]: ramstat: smtp.tls (0x2193800): 0 -> 1
> Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: IO_DATAIN  fd=16 to=30 fl=R ssl=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 ib=15 ob=0>
> Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: <<< EHLO Silencio
> Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: STATE_HELO -> STATE_HELO
> Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: >>> 250-host.domain.ee 
> Hello Silencio [10.0.8.2], pleased to meet you
> Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: >>> 250-8BITMIME
> Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: >>> 
> 250-ENHANCEDSTATUSCODES
> Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: >>> 250-SIZE 104857600
> Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: >>> 250-DSN
> Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: >>> 250-AUTH PLAIN LOGIN
> Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: >>> 250 HELP
> Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: IO_LOWAT  fd=16 to=30 fl=W ssl=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 ib=0 ob=0>
> Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: IO_DATAIN  fd=16 to=30 fl=R ssl=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 ib=37 ob=0>
> Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: <<< AUTH login 
> cmVpb0BtcnN0dXVkaW8uZWX=
> Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: STATE_HELO -> 
> STATE_AUTH_USERNAME
> Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: >>> 334 VXNlcm5hbXU6
> Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: IO_LOWAT  fd=16 to=30 fl=W ssl=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 ib=0 ob=0>
> Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: IO_DATAIN  fd=16 to=30 fl=R ssl=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 ib=18 ob=0>
> Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: <<< OGlyNW1GTnp6eg==
> Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: STATE_AUTH_USERNAME -> 
> STATE_AUTH_PASSWORD
> Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: >>> 334 UGFzc3dvcmQ6
> Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: IO_LOWAT  fd=16 to=30 fl=W ssl=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 ib=0 ob=0>
> Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: IO_DISCONNECTED 
>  ssl=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 ib=0 ob=0>
> Sep  4 22:28:13 host smtpd[28824]: 1358b9537a51618f smtp event=closed 
> address=10.0.8.2 host=10.0.8.2 reason=disconnect
> 
> 
> 




Re: Credentials Table

2018-08-27 Thread Antonino Sidoti
Hi Matt,

Can you please describe your setup with regards to two separate password files? 
I have had second thoughts and will be adding Dovecot into my setup. IMAP is 
very convenient and allows me some flexibility.

Thanks

On 28 Aug 2018, at 7:55 am, Matt Schwartz wrote:

I feel more comfortable having two separate password files for Dovecot and 
OpenSMTPD. Yes, it's more administrative work but it works fine for my purposes.

On Mon, Aug 27, 2018, 2:40 PM Bruno Pagani wrote:
The passwd option exists actually, but is provided by opensmtpd-extras.

And that’s what I use since it allows keeping the same file for opensmtpd and 
dovecot.

Regards,
Bruno

On 27 Aug 2018 09:31:54 GMT+02:00, Antonino Sidoti wrote:
HI,

Based on the feedback I am going to use the ‘file’ option for the credentials 
table in my smtpd.conf;

table passed file:/etc/mail/passwd

Thanks

On 27 Aug 2018, at 5:24 pm, Matt Schwartz wrote:

I simply use the file type. For example:
table credentials file:/etc/mail/credentials.

I do it this way because it is the simplest form. All I have in the credentials 
file is username:password. Use smtpctl encrypt to generate the encrypted 
password for the user. Finally, use smtpctl update table credentials to tell 
smtpd about the changes.

On Sun, Aug 26, 2018, 11:35 PM Antonino Sidoti wrote:
Hi,

When using a credentials table (man table), what table type do I use with 
regards to using the table in a smtpd.conf configuration?

I have created this table in my smtpd.conf but I am not sure it is correct?

table passwd file:/etc/mail/passwd

Though I have seen a sample configuration from another site using a different 
table type;

table passwd passwd:/etc/mail/passwd

Reading the man page, it does not make any reference to the table type using 
‘passwd’. It only talks about ‘file’ and ‘db’.

Nino




Re: Credentials Table

2018-08-27 Thread Antonino Sidoti
HI,

Based on the feedback I am going to use the ‘file’ option for the credentials 
table in my smtpd.conf;

table passed file:/etc/mail/passwd

Thanks

On 27 Aug 2018, at 5:24 pm, Matt Schwartz wrote:

I simply use the file type. For example:
table credentials file:/etc/mail/credentials.

I do it this way because it is the simplest form. All I have in the credentials 
file is username:password. Use smtpctl encrypt to generate the encrypted 
password for the user. Finally, use smtpctl update table credentials to tell 
smtpd about the changes.

On Sun, Aug 26, 2018, 11:35 PM Antonino Sidoti wrote:
Hi,

When using a credentials table (man table), what table type do I use with 
regards to using the table in a smtpd.conf configuration?

I have created this table in my smtpd.conf but I am not sure it is correct?

table passwd file:/etc/mail/passwd

Though I have seen a sample configuration from another site using a different 
table type;

table passwd passwd:/etc/mail/passwd

Reading the man page, it does not make any reference to the table type using 
‘passwd’. It only talks about ‘file’ and ‘db’.

Nino



Credentials Table

2018-08-26 Thread Antonino Sidoti
Hi,

When using a credentials table (man table), what table type do I use with 
regards to using the table in a smtpd.conf configuration?

I have created this table in my smtpd.conf but I am not sure it is correct? 

table passwd file:/etc/mail/passwd

Though I have seen a sample configuration from another site using a different 
table type;

table passwd passwd:/etc/mail/passwd

Reading the man page, it does not make any reference to the table type using 
‘passwd’. It only talks about ‘file’ and ‘db’. 

Nino

Dovecot - Do I need this?

2018-08-25 Thread Antonino Sidoti
Hi,

I am currently building a mail server using OpenSMTPD on OpenBSD 6.3

I see a lot of examples on the web about configurations and nearly all of them 
are using a combination of OpenSMTPD, Dovecot, Spamassassin and so on. I 
understand the reason behind the selection of software and the intended purpose 
of each software.

My question is, can I use OpenSMTPD with Spamd (OpenBSD spamd, greylisting, 
greytrapping) and not have anything to do with Dovecot or any other MDA? I also 
know the configuration is having a syntax change (poolp.org) and I see that they 
have no reference to Dovecot or other third party software. In particular, 
poolp.org has reference to Maildir in their configuration examples and that is 
what I am trying to achieve too in OpenSMTPD.

Nino