Re: Unable to remove mail from queue

2020-06-03 Thread Gilles Chehade
this is due to a short-coming with how inflight envelopes are handled:

when a mail is passed from scheduler to mta, it is marked as "inflight" and
can't be removed until it comes back to scheduler.

this is usually not a big deal because an envelope is marked inflight only
a few seconds usually...

... except that eric@ and I came up with an optimization to avoid envelopes
going back and forth into the scheduler when they have multiple routes or
when there's a chance a route gets enabled soon, they are kept in the MTA
for a bit longer, but this means that they can't be removed either.

we had discussed a quick fix for this but since the MTA layer is supposedly
going to be simplified a lot, it was not worth the effort.

I don't know where eric@ stands wrt this as of today


On Sun, May 31, 2020 at 8:00 PM Chris Bennett 
wrote:

> On Sun, May 31, 2020 at 05:24:18PM +0200, Mischa Peters wrote:
> > Hi All,
> >
> > I just noticed something strange on one of my mailservers running
> > OpenSMTPd 6.7.0p1 (OpenBSD 6.7).
> > The mailserver was trying to deliver a spam mailbounce to fedex, it kept
> > failing so I removed it from the queue.
> > The logs kept showing it was being delivered, even though nothing was
> > showing in the queue.
> > After a restart of smtpd the message did show up in the queue again.
> >
> > root@smtp1:~ # smtpctl show queue
> > cd9b0933db878954|local|mta|auth|@|prvs=1417a4ec2a=bou...@nds.fedex.com|prvs=1417a4ec2a=bou...@nds.fedex.com|1590676002|1590676002|1590937323|0|inflight|99|
> >
> > root@smtp1:/var/spool/smtpd/queue/cd/cd9b0933 # smtpctl remove cd9b0933db878954
> > 1 envelope removed
> > root@smtp1:/var/spool/smtpd/queue/cd/cd9b0933 # smtpctl remove cd9b0933db878954
> > 0 envelope removed
> > root@smtp1:/var/spool/smtpd/queue/cd/cd9b0933 # ls -la
> > total 52
> > drwx------  2 _smtpq  wheel    512 May 28 16:26 .
> > drwx------  3 _smtpq  wheel    512 May 30 20:49 ..
> > -rw-------  1 _smtpq  wheel    316 May 28 16:26 cd9b0933db878954
> > -rw-------  1 _smtpq  wheel  19296 May 28 16:26 message
> > root@smtp1:/var/spool/smtpd/queue/cd/cd9b0933 # smtpctl show queue
> > root@smtp1:/var/spool/smtpd/queue/cd/cd9b0933 # rcctl restart smtpd
> > smtpd(ok)
> > smtpd(ok)
> > root@smtp1:/var/spool/smtpd/queue/cd/cd9b0933 # smtpctl show queue
> > cd9b0933db878954|local|mta|auth|@|prvs=1417a4ec2a=bou...@nds.fedex.com|prvs=1417a4ec2a=bou...@nds.fedex.com|1590676002|1590676002|1590937456|0|inflight|1|
> > root@smtp1:/var/spool/smtpd/queue/cd/cd9b0933 # ls -la
> > total 52
> > drwx------  2 _smtpq  wheel    512 May 28 16:26 .
> > drwx------  3 _smtpq  wheel    512 May 30 20:49 ..
> > -rw-------  1 _smtpq  wheel    316 May 28 16:26 cd9b0933db878954
> > -rw-------  1 _smtpq  wheel  19296 May 28 16:26 message
> >
> > I assume this is not the expected result. :)
> > What else can I collect to pinpoint what is going on, before I rm the
> > files?
> >
> > Mischa
> >
> >
>
> I also had this same problem. I rm'd the files.
> However, what is the right solution?
> (I was in a big rush and had to quickly solve the problem.)
>
> Chris Bennett
>
>
>
>


Re: 553 ORCPT address syntax errors on OpenBSD-6.6-current

2020-02-03 Thread Gilles Chehade
On Mon, Feb 03, 2020 at 06:37:38AM -0800, Scott Vanderbilt wrote:
> I'm starting to get several log entries for several errors of type:
> 
> 553 ORCPT address syntax error
> 
> The error is intermittent since the server is able to process other incoming
> mails without error. For instance, I just sent myself an email from GMail,
> and it came through successfully.
> 
> Typical log entry will look like:
> 
> Feb  3 06:02:26 callistus smtpd[21460]: cb9690ea8af2a8ec smtp connected
> address=198.2.185.67 host=mail67.suw111.mcdlv.net
> Feb  3 06:02:26 callistus smtpd[21460]: cb9690ea8af2a8ec smtp tls
> ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
> Feb  3 06:02:27 callistus smtpd[21460]: cb9690ea8af2a8ec smtp
> failed-command command="RCPT TO:
> ORCPT=rfc822;li...@datagenic.com" result="553 ORCPT address syntax error"
> Feb  3 06:02:27 callistus smtpd[21460]: cb9690ea8af2a8ec smtp disconnected
> reason=quit
> 
> Mail logs prior to latest update to 6.6-current are free of these errors, so
> presumably the regression has been introduced in the latest snapshot
> (OpenBSD 6.6-current (GENERIC.MP) #628: Sat Feb  1 23:32:22 MST 2020). In
> fact, it looks as though it is related to this recent commit: 
> https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/smtp_session.c.diff?r1=1.422&r2=1.423
> 
> In which case, it may be suggested that the change is being perhaps a little
> too strict.
> 

indeed addresses in ORCPT are prefixed with a character that's not allowed in
the mailaddr character set. the fix has been committed, thanks
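The reply above pins the regression on the ORCPT value not being a bare mailaddr: RFC 3461 defines it as `addr-type ";" xtext`, so `rfc822;li...@datagenic.com` carries a `rfc822;` prefix (and may carry `+HH` hex escapes) that a mailaddr check must never see. As an added example, not smtpd's own parser, here is that parsing done in the right order in Go: strip the addr-type, decode the xtext, then validate the address. The `isMailaddr` character set is my simplification of smtpd's, and the inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ORCPT is the parsed form of an RFC 3461 ORCPT parameter:
// "ORCPT=" addr-type ";" xtext
type ORCPT struct {
	AddrType string // e.g. "rfc822"
	Address  string // the decoded original recipient address
}

// decodeXtext undoes RFC 3461 xtext encoding: "+HH" (uppercase hex) encodes
// one byte; every other character must be printable ASCII other than '+'
// and '='.
func decodeXtext(s string) (string, error) {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c == '+':
			if i+2 >= len(s) {
				return "", errors.New("xtext: truncated +HH escape")
			}
			hh := s[i+1 : i+3]
			v, err := strconv.ParseUint(hh, 16, 8)
			if err != nil || hh != strings.ToUpper(hh) {
				return "", errors.New("xtext: bad +HH escape")
			}
			b.WriteByte(byte(v))
			i += 2
		case c < '!' || c > '~' || c == '=':
			return "", fmt.Errorf("xtext: illegal character %q", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String(), nil
}

// isMailaddr is a deliberately simple local@domain check in the spirit of
// smtpd's mailaddr character set (assumption: the real one is stricter).
// Note that ';' is rejected, which is exactly why a raw ORCPT value fails it.
func isMailaddr(addr string) bool {
	at := strings.LastIndexByte(addr, '@')
	if at <= 0 || at == len(addr)-1 {
		return false
	}
	for _, r := range addr {
		if r <= ' ' || r > '~' || r == ';' || r == '<' || r == '>' || r == '"' {
			return false
		}
	}
	return true
}

// parseORCPT parses the text after "ORCPT=". The addr-type prefix is removed
// and the xtext decoded before the mailaddr check runs; applying the check to
// the raw value rejects every legitimate ORCPT because of the ';'.
func parseORCPT(value string) (ORCPT, error) {
	typ, enc, ok := strings.Cut(value, ";")
	if !ok || typ == "" {
		return ORCPT{}, errors.New("ORCPT: missing addr-type prefix")
	}
	addr, err := decodeXtext(enc)
	if err != nil {
		return ORCPT{}, err
	}
	if !isMailaddr(addr) {
		return ORCPT{}, errors.New("ORCPT: address syntax error")
	}
	return ORCPT{AddrType: strings.ToLower(typ), Address: addr}, nil
}

func main() {
	// Constructed inputs: a plain address like the one in the log above, one
	// with an xtext-escaped '+' in the local part, and one without the prefix.
	for _, v := range []string{"rfc822;list@example.org", "rfc822;user+2Btag@example.org", "list@example.org"} {
		o, err := parseORCPT(v)
		fmt.Printf("%-32s -> %+v err=%v\n", v, o, err)
	}
	// The over-strict behaviour: the mailaddr test applied to the raw value.
	fmt.Println("raw value passes mailaddr check:", isMailaddr("rfc822;list@example.org"))
}
```

The last line of `main` is the regression in one call: the raw value can never pass, so every client that sends a DSN ORCPT gets "553 ORCPT address syntax error".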




Re: fix build on netbsd

2019-12-04 Thread Gilles Chehade
On Wed, Dec 04, 2019 at 07:27:07PM -0600, Edgar Pettijohn wrote:
> diff --git a/openbsd-compat/openbsd-compat.h
> b/openbsd-compat/openbsd-compat.h
> index 6c73e5b5..c7af0135 100644
> --- a/openbsd-compat/openbsd-compat.h
> +++ b/openbsd-compat/openbsd-compat.h
> @@ -122,7 +122,7 @@ int getpeereid(int , uid_t *, gid_t *);
> ??unsigned int arc4random(void);
> ??#endif
> 
> -#if defined(HAVE_ARC4RANDOM_STIR)
> +#if !defined(HAVE_ARC4RANDOM_STIR)
> ??void arc4random_stir(void);
> ??#elif defined(HAVE_ARC4RANDOM) || defined(LIBRESSL_VERSION_NUMBER)
> ??/* Recent system/libressl implementation; no need for explicit stir */
> 
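Review bot: inverting the guard to `!defined(HAVE_ARC4RANDOM_STIR)` changes which platforms reach the `#elif`. A platform that has arc4random but no arc4random_stir (the `HAVE_ARC4RANDOM` / LibreSSL case the "no need for explicit stir" comment was written for) now takes the first branch and receives a `void arc4random_stir(void);` prototype, so the openbsd-compat .c side must define it on that platform or every caller fails to link; the reply says that side is still being reworked, so the two changes should land together. The `#else` and the rest of the chain sit outside the hunk, which makes the intent hard to judge from the diff alone: the commit message should say which NetBSD symptom this cures (a missing prototype vs. a declaration conflicting with the system header), and a structure of the form `#ifndef HAVE_ARC4RANDOM_STIR` / `# if defined(HAVE_ARC4RANDOM) || defined(LIBRESSL_VERSION_NUMBER)` (no stir needed) / `# else` (compat prototype) would express the three cases without relying on the inversion.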

with this, your build is fixed?

I've been fixing the .c part of openbsd-compat but haven't worked on the
.h part yet, will have a look at it



-- 
Gilles Chehade @poolpOrg

https://www.poolp.org
patreon: https://www.patreon.com/gilles



CVE-2019-19521 what about OpenSMTPD ?

2019-12-04 Thread Gilles Chehade
Hello,

In case you haven't seen, multiple CVE were released by Qualys:

https://www.openwall.com/lists/oss-security/2019/12/04/5

CVE-2019-19521 refers to an Authentication bypass allowing remote people
to authenticate to an OpenSMTPD without credentials.

A few people were wondering why we didn't publish a patch so here is the
explanation to clarify a bit.

TL;DR:
- if you're not on OpenBSD, you can disregard, you're not affected
- if you're on OpenBSD, run `syspatch` and, once done, restart smtpd, it
  is _normal_ that you don't see an smtpd patch


Details:

The CVE show-cases a vulnerability using smtpd, ldapd, radiusd, sshd and
su but the issue is really in a libc API they use: bsd_auth(3). There is
an incorrect code pattern which is coupled with an insufficient check to
the username, and this allows the authentication bypass that is shown on
multiple consumers.

So should you worry ?

If you're not using OpenBSD you can disregard this advisory, bsd_auth(3)
doesn't exist elsewhere.

If you're using OpenBSD, RUN `syspatch` RIGHT AWAY, then restart daemons
which perform user authentication. The issue being in the libc, you will
not see a patch for smtpd, it is normal, you still have to restart it so
it catches up the libc update.

If you're using an OpenBSD that's no longer supported (<=6.4) you're now
at risk and need to upgrade or disable network daemons that do auth.


Could your OpenSMTPD be used to send spam ?

If you're not using OpenBSD, nope.

If you're using OpenBSD, it's technically possible but unlikely. You can
check by going through your logs and looking for user "-schallenge". The
bypass only makes sense for setups that expose auth and provide rules to
match auth users.


If you have questions, you can follow up to this mail,
Cheers,


-- 
Gilles Chehade @poolpOrg

https://www.poolp.org
patreon: https://www.patreon.com/gilles
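The advisory above says to check your logs for the user "-schallenge". As an added example, not code from OpenSMTPD, here is a small Go scanner over smtpd log lines that pulls out authentication events and flags any username beginning with "-" (of which "-schallenge" is the one named above), keeping the session id and result so a hit can be tied to the connecting address logged for the same session. The `smtp authentication user=... result=...` line shape is what I assume for 6.6; the sample lines are constructed and the field names may need adjusting for your version.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// AuthEvent is one authentication attempt extracted from an smtpd log line.
type AuthEvent struct {
	Session string // 16-hex-digit session id smtpd prefixes to every line
	User    string
	Result  string
}

// Constructed sample lines. The "smtp authentication user=... result=..."
// shape is assumed to match 6.6; adjust if your version logs differently.
const sampleLog = `Dec  4 22:10:01 mx smtpd[1234]: 0a1b2c3d4e5f6071 smtp connected address=192.0.2.10 host=client.example.net
Dec  4 22:10:02 mx smtpd[1234]: 0a1b2c3d4e5f6071 smtp authentication user=alice result=ok
Dec  4 22:11:40 mx smtpd[1234]: 0a1b2c3d4e5f6072 smtp connected address=198.51.100.7 host=<unknown>
Dec  4 22:11:41 mx smtpd[1234]: 0a1b2c3d4e5f6072 smtp authentication user=-schallenge result=ok
Dec  4 22:12:03 mx smtpd[1234]: 0a1b2c3d4e5f6073 smtp authentication user=bob result=permfail
`

// parseAuthEvents extracts every authentication line; other lines are skipped.
func parseAuthEvents(log string) []AuthEvent {
	var out []AuthEvent
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		// Locate the "authentication" token; the session id precedes "smtp".
		idx := -1
		for i, f := range fields {
			if f == "authentication" {
				idx = i
				break
			}
		}
		if idx < 2 || fields[idx-1] != "smtp" {
			continue
		}
		ev := AuthEvent{Session: fields[idx-2]}
		for _, f := range fields[idx+1:] {
			if k, v, ok := strings.Cut(f, "="); ok {
				switch k {
				case "user":
					ev.User = v
				case "result":
					ev.Result = v
				}
			}
		}
		out = append(out, ev)
	}
	return out
}

// suspiciousAuth returns events whose username starts with "-". The advisory
// tells you to grep for "-schallenge"; matching the leading dash catches the
// same family of names. A result of "ok" on such a name is the strong signal.
func suspiciousAuth(events []AuthEvent) []AuthEvent {
	var hits []AuthEvent
	for _, ev := range events {
		if strings.HasPrefix(ev.User, "-") {
			hits = append(hits, ev)
		}
	}
	return hits
}

func main() {
	for _, h := range suspiciousAuth(parseAuthEvents(sampleLog)) {
		fmt.Printf("session %s: user=%q result=%s\n", h.Session, h.User, h.Result)
	}
}
```

A hit with result "ok" on a patched system should not be possible; one in the history before `syspatch` was run is the thing to investigate, starting from the "smtp connected address=..." line of the same session.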



Re: Exploit CVE-2019-19521?

2019-12-04 Thread Gilles Chehade
On Wed, Dec 04, 2019 at 11:08:44PM +0100, Henry Jensen wrote:
> Hi,
> 

Hi,


> from https://seclists.org/oss-sec/2019/q4/120
> 
> ==
> 1.2. Case study: smtpd
> ==
> 
> To demonstrate how smtpd's authentication can be bypassed, we follow the
> instructions from the manual page of smtpd.conf:
> 
> [...]
>
> I did verify, that this attack worked on my unpatched OpenBSD 6.6 Box.
> But I didn't get much further. After the authentication succeeded
> I continued with MAIL FROM: and RCPT TO: After the RCPT TO: the
> connection was aborted. After I patched my system I could no longer get
> a 235 2.0.0 Authentication succeeded message
> 
> Question is: would it have been possible in the "real world" to exploit
> this to relay arbitrary messages (e.g. spam)?
> 

Yes it would have been most definitely possible now if you have yourself
relayed spam, I'll tell you that it's very unlikely this was used.

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org
patreon: https://www.patreon.com/gilles



Re: opensmtpd setresgid ubuntu crash

2019-11-16 Thread Gilles Chehade
On Fri, Nov 15, 2019 at 12:03:01PM +0100, Martijn van Duren wrote:
> That seems to do the trick. Thanks.
> Sorry for the noise.
> 

I have traced back the issue to a pasto in configure.ac which caused the
setresuid.c file to be included on systems with setresuid() and this has
bad side-effects because the openbsd-compat setresuid() function will do
some funny things.

The portable branch should work again for all.

Writing this from a Debian/arm64 with a working smtpd

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org
patreon: https://www.patreon.com/gilles



Re: opensmtpd setresgid ubuntu crash

2019-11-15 Thread Gilles Chehade
Try using the 6.6.1p1 tag, I'm currently reworking the dev branch to completely revamp compat layer, things will be shaky for the next few days

On Nov 15, 2019 11:22, Martijn van Duren  wrote:
EHLO,

I'm currently trying to port filter-dnsbl to ubuntu, but I'm stuck at
not being able to startup smtpd. Is there anyone who has seen this
before and who has a (possible) solution?

This all is freshly installed.

OS: Ubuntu 18.04.3 LTS
OpenSMTPD: git portable (latest)
Installed packages:
- build-essential
- autoconf
- libtool
- libssl-dev
- libz-dev
- bison
- libasr-dev
- gdb
configure parameters: none
backtrace:
#0  setresgid (rgid=rgid@entry=1001, egid=1001, egid@entry=, sgid=1001, sgid@entry=) at setresgid.c:29
#1  0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#2  0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#3  0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#4  0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#5  0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#6  0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#7  0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#8  0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#9  0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#10 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#11 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#12 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#13 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#14 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#15 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#16 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#17 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#18 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#19 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#20 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#21 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#22 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#23 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#24 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#25 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#26 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#27 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#28 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#29 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#30 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#31 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#32 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#33 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#34 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#35 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29


martijn@




Re: 6.6.1p1 fails to build on Void Linux

2019-11-11 Thread Gilles Chehade
On Mon, Nov 11, 2019 at 08:10:50PM -0600, epektasis wrote:
> Thank you for your reply.  Libevent-2.1.11_1 is installed.  So is
> autoconf-2.69_7, automake-1.16.1_2, bison-3.4.2_1, libtool-2.4.6_4, and
> libasr-1.0.3_1.  There are several fatal errors for some missing header
> files; I guess I'll try to track them down and see if I can get this
> going again.  I'll let you know.
> 

In some distributions, packages are split between two, so you have for
example libevent and libevent-dev, the former for runtime dependencies
and the second for build time dependencies with headers and such. This
may be the case here ?

I'm on my openbsd laptop right now, as soon as I boot on a Linux one I
will try to build on void linux and get back to you, cheers.

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org
patreon: https://www.patreon.com/gilles



Re: 6.6.1p1 fails to build on Void Linux

2019-11-11 Thread Gilles Chehade
Very likely libevent is missing...

I fixed a configure bug where missing libevent caused a SSL test to fail and 
thus lead to a confusing error.



> On 12 Nov 2019, at 00:28, epektasis  wrote:
> 
> I'm trying to build opensmtpd-6.6.1p1 on an updated Void Linux.  Already
> overcame a couple of missing development packages by installing them.
> But I can't seem to get by this error, which occurs in the configure
> process just after opensslv.h is found (configure exit status 1):
> 
>    configure error: error: *** Can't find recent LibreSSL crypto
>    (see config.log for details)
> 
> LibreSSL 3.0.2_1 is installed.  So is libcrypto44 and 45 (for the
> latter, both 64 and 32 bit versions).  I read the README file and made
> sure the stated dependencies are installed.  Nothing in the config.log
> jumps out at me; I'll attach it nevertheless.
> 
> -- 
> 




Announce: OpenSMTPD 6.6.0 released

2019-10-26 Thread Gilles Chehade
OpenSMTPD 6.6.0 has just been released.

OpenSMTPD is a FREE implementation of the SMTP protocol with some common
extensions. It allows ordinary machines to exchange e-mails with systems
speaking the SMTP protocol. It implements a fairly large part of RFC5321
and can already cover a large range of use-cases.

It runs on OpenBSD, NetBSD, FreeBSD, DragonFlyBSD and glibc-based Linux.

The archives are now available from the main site at www.OpenSMTPD.org

We would like to thank the OpenSMTPD community for their help in testing
the snapshots, reporting bugs, contributing code and packaging for other
systems.

This is a major release with multiple bug fixes and new features.


Dependencies note:
==================

This release builds with LibreSSL > 3.0.2 or OpenSSL > 1.1.0.

It's preferable to depend on LibreSSL as OpenSMTPD is written and tested
with that dependency. In addition, feature parity is not respected,
some features will not be available with OpenSSL, like ECDSA server-side
certificates support in this release. OpenSSL library is considered as a
best effort target TLS library and provided as a commodity, LibreSSL has
become our target TLS library.


Changes in this release (since 6.4.0):
======================================

- various improvements to documentation and code
- reverse dns session matching criteria added to smtpd.conf(5)
- regex table lookup support added to smtpd.conf(5)
- introduced support for ECDSA certificates with an ECDSA privsep engine
- introduced builtin filters for basic filtering of incoming sessions
- introduced option to deliver junk to a Junk folder in mail.maildir(8)
- fixed the smtp(1) client so it uses correct default port for SMTPS
- fixed an smtpd(8) crash on excessively large input
- ensured mail rejected by an LMTP server stays queued


Experimental features:

- introduced a filters API to allow writing standalone filters for smtpd
- introduced proxy-v2 support allowing smtpd to operate behind a proxy


Checksums:
==========

  SHA256 (opensmtpd-6.6.0.tar.gz) =
  fcf4496493d211c7024798b8107194ff6f2469b143b232f8559d36ce98d5d728

  SHA256 (opensmtpd-6.6.0p1.tar.gz) =
  75a420941963a672b21fe6c820c51de07f1ac94a0d6d4aa4f7364124d85efce9


Verify:
=======

Starting with version 5.7.1, releases are signed with signify(1).

You can obtain the public key from our website, check with our community
that it has not been altered on its way to your machine.

   $ wget https://www.opensmtpd.org/archives/opensmtpd-20181026.pub

Once you are confident the key is correct, you can verify the release as
described below:

1- download both release tarball and matching signature file to same directory:

   for OpenBSD version:
   $ wget https://www.opensmtpd.org/archives/opensmtpd-6.6.0.sum.sig
   $ wget https://www.opensmtpd.org/archives/opensmtpd-6.6.0.tar.gz

   for portable version:
   $ wget https://www.opensmtpd.org/archives/opensmtpd-6.6.0p1.sum.sig
   $ wget https://www.opensmtpd.org/archives/opensmtpd-6.6.0p1.tar.gz


2- use `signify` to verify that signature file is properly signed and that the
   checksum matches the release tarball you downloaded:

   for OpenBSD version:
   $ signify -C -e -p opensmtpd-20181026.pub -x opensmtpd-6.6.0.sum.sig
   Signature Verified
   opensmtpd-6.6.0.tar.gz: OK

   for portable version:
   $ signify -C -e -p opensmtpd-20181026.pub -x opensmtpd-6.6.0p1.sum.sig
   Signature Verified
   opensmtpd-6.6.0p1.tar.gz: OK


If you don't get an OK message, then something is not right and you should not
install without first understanding why it failed.


Support:
========

You are encouraged to register to our general purpose mailing-list:
http://www.opensmtpd.org/list.html

The "Official" IRC channel for the project is at:
#OpenSMTPD @ irc.freenode.net


Support us:
===========

The project is maintained by volunteers, you can support us by:

- donating time to help test development branch during development cycle
- donating money to either one of the OpenBSD or OpenSMTPD project
- sponsoring developers through direct donations or patreon
- sponsoring developers through contracts to write features

Get in touch with us by e-mail or on IRC for more information.


Reporting Bugs:
===============

Please read http://www.opensmtpd.org/report.html
Security bugs should be reported directly to secur...@opensmtpd.org
Other bugs may be reported to b...@opensmtpd.org


-- 
Gilles Chehade @poolpOrg

https://www.poolp.org
patreon: https://www.patreon.com/gilles



Re: Portable building issues

2019-10-22 Thread Gilles Chehade
Sorry, will expand:

We're in between two LibreSSL releases which is why the LibreSSL you're
using is not compatible.

When LibreSSL 3.0.2 is released, it will automagically build with it.
LibreSSL 3.0.1 development version is already working.

LibreSSL remains our target for both OpenBSD and portable but we're kind of
in a time warp right now in between two versions.

On Tue, Oct 22, 2019, 16:23 Gilles Chehade  wrote:

> LibreSSL is supported and recommended, this really needs to be fixed
> before the 6.6.0p1 portable release.
>
> On Tue, Oct 22, 2019, 14:44 John Smith  wrote:
>
>> Hello,
>>
>> thanks very much for all your replies. Indeed, I rebuilt world replacing
>> openssl with libressl, basically only for opensmtpd. So it is the github
>> issue. I knew smtpd portable supports openssl, but it did not come to my
>> mind, that libressl is not supported at all for the portable version,
>> openssl just being an extra service, so I thought I'll do it
>> something good.
>>
>> I'll revert to openssl and report back. May take a day or two.
>>
>> Thanks again
>>
>> Ede
>>
>>
>>


Re: Portable building issues

2019-10-22 Thread Gilles Chehade
LibreSSL is supported and recommended, this really needs to be fixed before
the 6.6.0p1 portable release.

On Tue, Oct 22, 2019, 14:44 John Smith  wrote:

> Hello,
>
> thanks very much for all your replies. Indeed, I rebuilt world replacing
> openssl with libressl, basically only for opensmtpd. So it is the github
> issue. I knew smtpd portable supports openssl, but it did not come to my
> mind, that libressl is not supported at all for the portable version,
> openssl just being an extra service, so I thought I'll do it
> something good.
>
> I'll revert to openssl and report back. May take a day or two.
>
> Thanks again
>
> Ede
>
>
>


Re: upcoming 6.6.0 release

2019-10-17 Thread Gilles Chehade
On Thu, Oct 17, 2019 at 03:07:45PM +0300, Reio Remma wrote:
> On 17/10/2019 15:06, Gilles Chehade wrote:
> > On Thu, Oct 17, 2019 at 02:54:26PM +0300, Reio Remma wrote:
> > > On 17/10/2019 14:20, gil...@poolp.org wrote:
> > > > Hello misc@,
> > > > 
> > > > As some have noticed, the 6.6.0 tag was created on Github to match the 
> > > > code from smtpd in OpenBSD 6.6.
> > > > 
> > > > A portable branch, branch-6.6.0p1, has been forked from there and can 
> > > > be used to test the matching portable version:
> > > > 
> > > >   https://github.com/OpenSMTPD/OpenSMTPD/tree/branch-6.6.0p1
> > > > 
> > > > 
> > > > I have not tagged 6.6.0p1 yet because there's still some time and I 
> > > > want to gain confidence that it works for most systems and 
> > > > distributions we have supported so far.
> > > > 
> > > > Note that:
> > > > 
> > > > - this release will depend on either LibreSSL 3.0.x or OpenSSL 1.1.x
> > > > - musl-based distros may have issues at this point, they are being 
> > > > tracked down, musl is not a showstopper for me as we have had issues in 
> > > > previous releases too but if we can track down the problem I'd be happy 
> > > > (unsuccessful so far)
> > > > 
> > > > I _really_ need help on testing this as I had unexpected hand surgery 
> > > > and doing the tests myself is extremely long.
> > > > 
> > > > Please report as a follow up to this mail what you did test,
> > > > 
> > > > 
> > > Hello! Do you have any pointers as to what an SRS key should look like?
> > > 
> > just make it something hard to guess :-)
> > 
> 
> So it's just a few random letters? Reading "key" I always think of some kind
> of a hash. :)
> 

the key you set is rehashed so make it whatever you want


-- 
Gilles Chehade @poolpOrg

https://www.poolp.org
patreon: https://www.patreon.com/gilles



Re: upcoming 6.6.0 release

2019-10-17 Thread Gilles Chehade
On Thu, Oct 17, 2019 at 02:54:26PM +0300, Reio Remma wrote:
> On 17/10/2019 14:20, gil...@poolp.org wrote:
> > Hello misc@,
> > 
> > As some have noticed, the 6.6.0 tag was created on Github to match the code 
> > from smtpd in OpenBSD 6.6.
> > 
> > A portable branch, branch-6.6.0p1, has been forked from there and can be 
> > used to test the matching portable version:
> > 
> >  https://github.com/OpenSMTPD/OpenSMTPD/tree/branch-6.6.0p1
> > 
> > 
> > I have not tagged 6.6.0p1 yet because there's still some time and I want to 
> > gain confidence that it works for most systems and distributions we have 
> > supported so far.
> > 
> > Note that:
> > 
> > - this release will depend on either LibreSSL 3.0.x or OpenSSL 1.1.x
> > - musl-based distros may have issues at this point, they are being tracked 
> > down, musl is not a showstopper for me as we have had issues in previous 
> > releases too but if we can track down the problem I'd be happy 
> > (unsuccessful so far)
> > 
> > I _really_ need help on testing this as I had unexpected hand surgery and 
> > doing the tests myself is extremely long.
> > 
> > Please report as a follow up to this mail what you did test,
> > 
> > 
> 
> Hello! Do you have any pointers as to what an SRS key should look like?
> 

just make it something hard to guess :-)


-- 
Gilles Chehade @poolpOrg

https://www.poolp.org
patreon: https://www.patreon.com/gilles
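Both replies in the two "upcoming 6.6.0 release" messages above say the SRS key is rehashed, so any hard-to-guess string does. As an added example, not OpenSMTPD's own srs code, here is the SRS0 scheme from the SRS draft written out in Go: the key is used only as an HMAC key over timestamp, domain and local part, so its shape never matters beyond being unguessable, and a forged or stale SRS0 bounce address is rejected on the way back. Assumptions: the draft's HMAC-SHA1 truncated to four base64 characters and a two-character base32 day stamp; OpenSMTPD's exact encoding may differ, and all names here are mine.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

const srsBase32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

// srsTimestamp encodes the day number (days since the Unix epoch, mod 1024)
// as two base32 characters, as the SRS draft does.
func srsTimestamp(t time.Time) string {
	days := int(t.Unix()/86400) % 1024
	return string([]byte{srsBase32[(days>>5)&31], srsBase32[days&31]})
}

// srsHash is the first 4 base64 characters of HMAC-SHA1(key, ts+domain+local).
// The key is never parsed or stored in the address, only fed to the MAC,
// which is why "whatever you want, as long as it is hard to guess" is right.
func srsHash(key []byte, ts, domain, local string) string {
	m := hmac.New(sha1.New, key)
	m.Write([]byte(ts + domain + local))
	return base64.StdEncoding.EncodeToString(m.Sum(nil))[:4]
}

// srsForward rewrites local@domain into an SRS0 address at the forwarder.
func srsForward(key []byte, local, domain, forwarder string, now time.Time) string {
	ts := srsTimestamp(now)
	return fmt.Sprintf("SRS0=%s=%s=%s=%s@%s", srsHash(key, ts, domain, local), ts, domain, local, forwarder)
}

// timestampFresh reports whether the day stamp is at most maxAge days old,
// tolerating addresses that were lower-cased in transit.
func timestampFresh(ts string, now time.Time, maxAge int) bool {
	ts = strings.ToUpper(ts)
	if len(ts) != 2 {
		return false
	}
	hi := strings.IndexByte(srsBase32, ts[0])
	lo := strings.IndexByte(srsBase32, ts[1])
	if hi < 0 || lo < 0 {
		return false
	}
	stamped := hi<<5 | lo
	today := int(now.Unix()/86400) % 1024
	age := (today - stamped + 1024) % 1024
	return age <= maxAge
}

// srsReverse validates an SRS0 address (hash, then timestamp age) and returns
// the original local@domain a bounce should be routed to.
func srsReverse(key []byte, addr string, now time.Time, maxAge int) (string, error) {
	localPart, _, ok := strings.Cut(addr, "@")
	if !ok || !strings.HasPrefix(localPart, "SRS0=") {
		return "", errors.New("not an SRS0 address")
	}
	parts := strings.SplitN(localPart[len("SRS0="):], "=", 4)
	if len(parts) != 4 {
		return "", errors.New("malformed SRS0 address")
	}
	hash, ts, domain, local := parts[0], parts[1], parts[2], parts[3]
	want := srsHash(key, ts, domain, local)
	// Case-insensitive, constant-time: the draft allows lower-cased hashes.
	if subtle.ConstantTimeCompare([]byte(strings.ToLower(hash)), []byte(strings.ToLower(want))) != 1 {
		return "", errors.New("SRS hash mismatch: forged address or wrong key")
	}
	if !timestampFresh(ts, now, maxAge) {
		return "", errors.New("SRS timestamp expired")
	}
	return local + "@" + domain, nil
}

func main() {
	key := []byte("constructed example key: any hard-to-guess string works")
	now := time.Now()
	fwd := srsForward(key, "alice", "example.org", "forwarder.example", now)
	fmt.Println("forward  :", fwd)
	orig, err := srsReverse(key, fwd, now, 21)
	fmt.Println("reverse  :", orig, err)
	_, err = srsReverse([]byte("some other key"), fwd, now, 21)
	fmt.Println("wrong key:", err)
}
```

The hash check comes before the timestamp check so that an attacker who cannot produce a valid MAC learns nothing about which timestamps are still inside the window; the only thing that protects the forwarder from being used as an open bounce relay is that the key stays secret.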



Re: filter-rspamd DKIM checks failing intermittently.

2019-10-16 Thread Gilles Chehade
On Wed, Oct 16, 2019 at 10:36:32PM +0300, Reio Remma wrote:
> So it wasn't line breaks after all.
> 
> It turned out that OpenSMTPD passes raw SMTP data lines to filters and raw
> SMTP lines have leading dot characters escaped by another dot, so .text
> became ..text. Feeding it to Rspamd like that made DKIM alignment tests
> fail, because body hash came out wrong.
> 
> A pull request has been submitted with a fix.
> 

nice catch :-)

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org
patreon: https://www.patreon.com/gilles



Re: filter-rspamd DKIM checks failing intermittently.

2019-10-13 Thread Gilles Chehade
Very likely yes, can you give it a try ?

On Sun, Oct 13, 2019, 15:15 Reio Remma  wrote:

> On 13.10.2019 16:09, Reio Remma wrote:
>
> On 13.10.2019 16:05, Gilles Chehade wrote:
>
> I don't think that is the issue, it is probably the filter-rspamd
> reconstruction of the message that is incorrect.
>
>
> I was thinking along the same lines, but I'm not sure how OpenSMTPD splits
> strings before passing them to the filter. Can the filter then extract
> "leftover" line endings for incoming strings and make decision based on
> that when joining the strings before Rspamd?
>
> Do you experience the same yourself?
>
>
> strings.NewReader(strings.Join(s.tx.message, "\n"))
>
> Wonder if we should use \r\n here?
>
>
>
> Reio
>
>
>
> On Sun, Oct 13, 2019, 15:00 Martijn van Duren <
> opensm...@list.imperialat.at> wrote:
>
>> On 10/13/19 1:59 PM, Reio Remma wrote:
>> > Hello!
>> >
>> > I finally moved to Rspamd (2.0) on my production server and I'm seeing
>> > lots of failed DKIM checks, specifically dkim=fail (body hash did not
>> > verify).
>> >
>> >
>> > Authentication-Results: host.domain.com;
>> >  dkim=fail (body hash did not verify) header.d=facebookmail.com
>> > header.s=s1024-2013-q3 header.b=pNWbKJUd;
>> >  dmarc=pass (policy=reject) header.from=facebookmail.com;
>> >  spf=pass (host.domain.com: domain of notificat...@facebookmail.com
>> > designates 66.220.144.215 as permitted sender)
>> > smtp.mailfrom=notificat...@facebookmail.com
>> >
>> > My current stab-in-the-dark theory is that there might be something
>> > going on with line endings when mails are fed to Rspamd.
>> >
>> > Any better theories? :)
>>
>> It's a known issue that mails that don't end on \r\n (both \r\r\n and
>> \n) cause issues. There's efforts going on to see how we can remedy
>> this, but in the mean time tell your senders that they should fix their
>> mails (RFC5321):
>>In addition, the appearance of "bare" "CR" or "LF" characters in text
>>(i.e., either without the other) has a long history of causing
>>problems in mail implementations and applications that use the mail
>>system as a tool.  SMTP client implementations MUST NOT transmit
>>these characters except when they are intended as line terminators
>>and then MUST, as indicated above, transmit them only as a <CRLF>
>>sequence.
>> >
>> > Thanks,
>> > Reio
>> >
>> >
>>
>>
>
>


Re: filter-rspamd DKIM checks failing intermittently.

2019-10-13 Thread Gilles Chehade
I don't think that is the issue, it is probably the filter-rspamd
reconstruction of the message that is incorrect.

On Sun, Oct 13, 2019, 15:00 Martijn van Duren 
wrote:

> On 10/13/19 1:59 PM, Reio Remma wrote:
> > Hello!
> >
> > I finally moved to Rspamd (2.0) on my production server and I'm seeing
> > lots of failed DKIM checks, specifically dkim=fail (body hash did not
> > verify).
> >
> >
> > Authentication-Results: host.domain.com;
> >  dkim=fail (body hash did not verify) header.d=facebookmail.com
> > header.s=s1024-2013-q3 header.b=pNWbKJUd;
> >  dmarc=pass (policy=reject) header.from=facebookmail.com;
> >  spf=pass (host.domain.com: domain of notificat...@facebookmail.com
> > designates 66.220.144.215 as permitted sender)
> > smtp.mailfrom=notificat...@facebookmail.com
> >
> > My current stab-in-the-dark theory is that there might be something
> > going on with line endings when mails are fed to Rspamd.
> >
> > Any better theories? :)
>
> It's a known issue that mails that don't end on \r\n (both \r\r\n and
> \n) cause issues. There's efforts going on to see how we can remedy
> this, but in the mean time tell your senders that they should fix their
> mails (RFC5321):
>In addition, the appearance of "bare" "CR" or "LF" characters in text
>(i.e., either without the other) has a long history of causing
>problems in mail implementations and applications that use the mail
>system as a tool.  SMTP client implementations MUST NOT transmit
>these characters except when they are intended as line terminators
>and then MUST, as indicated above, transmit them only as a <CRLF>
>sequence.
> >
> > Thanks,
> > Reio
> >
> >
>
>
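The three "filter-rspamd DKIM checks failing intermittently" messages above end up at two defects in how the filter rebuilt the message: it joined the data lines with "\n" (the `strings.Join(s.tx.message, "\n")` quoted earlier) and it left the SMTP dot-stuffing in place, so ".text" reached rspamd as "..text" and the DKIM body hash no longer matched. As an added example, not filter-rspamd's code, here is the reconstruction done correctly in Go next to the naive join, with the DKIM "simple" body hash from RFC 6376 computed over both so the mismatch is visible. The data lines and the "original" body are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed data lines as a filter receives them from smtpd: raw SMTP DATA
// lines with the CRLF already stripped, so a line that began with a dot has
// been dot-stuffed by the sending client (RFC 5321 section 4.5.2).
var dataLines = []string{
	"From: a@example.org",
	"To: b@example.org",
	"DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.org; s=sel; bh=...; b=...",
	"",
	"Hello,",
	"..text that originally began with a single dot",
	"Regards",
}

// The body exactly as the sender's DKIM signer hashed it before transport.
const originalBody = "Hello,\r\n.text that originally began with a single dot\r\nRegards\r\n"

// reconstruct turns raw data lines back into the wire-format message: the
// stuffing dot is removed and lines are re-joined with CRLF, which is what
// the DKIM canonicalizations expect.
func reconstruct(lines []string) string {
	out := make([]string, len(lines))
	for i, l := range lines {
		if strings.HasPrefix(l, "..") {
			l = l[1:]
		}
		out[i] = l
	}
	return strings.Join(out, "\r\n") + "\r\n"
}

// naiveJoin is the behaviour under discussion: "\n" separators and the
// stuffing dot left in place.
func naiveJoin(lines []string) string {
	return strings.Join(lines, "\n") + "\n"
}

// body returns the part after the header/body separator, for either line ending.
func body(msg string) string {
	for _, sep := range []string{"\r\n\r\n", "\n\n"} {
		if i := strings.Index(msg, sep); i >= 0 {
			return msg[i+len(sep):]
		}
	}
	return ""
}

// simpleBodyHash computes the DKIM "simple" body hash (RFC 6376 3.4.3):
// trailing empty lines are dropped, the body ends with exactly one CRLF,
// then bh = base64(SHA-256(body)). Lines must already end in CRLF.
func simpleBodyHash(b string) string {
	for strings.HasSuffix(b, "\r\n\r\n") {
		b = b[:len(b)-2]
	}
	if !strings.HasSuffix(b, "\r\n") {
		b += "\r\n"
	}
	sum := sha256.Sum256([]byte(b))
	return base64.StdEncoding.EncodeToString(sum[:])
}

func main() {
	fmt.Println("signer's bh     :", simpleBodyHash(originalBody))
	fmt.Println("reconstructed bh:", simpleBodyHash(body(reconstruct(dataLines))))
	fmt.Println("naive join bh   :", simpleBodyHash(body(naiveJoin(dataLines))))
}
```

Only the first two lines printed agree; with the naive join the bare "\n" endings and the doubled dot change the hashed bytes, which is the "body hash did not verify" seen in the Authentication-Results header quoted above. Bare CR or LF inside a line (the RFC 5321 text Martijn quotes) is a separate problem that no reconstruction on the receiving side can repair.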


table-passwd

2019-09-17 Thread Gilles Chehade
Hello,

Is there anyone using table-passwd for _any_ other purposes than sharing
with Dovecot ?

I have built a fully virtual setup which shares credentials with Dovecot
and since I managed to do it _without_ table-passwd I'm wondering if the
table backend is really useful and if it was not created because someone
had overlooked the first few lines of the Dovecot documentation stating:

"For a password database, it's enough to have only the user and password
 fields."

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org
patreon: https://www.patreon.com/gilles



Re: Failed logins hammer/filter.

2019-09-17 Thread Gilles Chehade
On Mon, Sep 16, 2019 at 10:20:42AM +0300, Reio Remma wrote:
> Hello!
> 

Hello,


> Until upgrading to OpenSMTPD 6.6 I used fail2ban to ban excessive login
> failures from IPs, but that doesn't work any more with the log format
> changed from:
> 
> smtp event=failed-command address=185.13.39.7 host=vps-33288.fhnet.fr
> command="AUTH LOGIN (password)" result="535 Authentication failed"
> |
> smtp failed-command command="AUTH LOGIN (password)" result="535
> Authentication failed"
> 

using the human logs for this kind of programmatic stuff is no longer
supported, the proper way is to write a filter that registers for all
register events and parses that output instead.

we assume programs to read reports so the format is versioned and is
going to be easily parsed, we assume humans to read the logs so we're
going to adapt the logs without caring too much about scripts.


> Surprisingly SMTP isn't brute forced that much, but as I registered 472
> failed authentications from a single IP yesterday, I'm going to have a Go at
> a filter too. :)
> 

I do get a lot of brute-force but it mostly comes from compromised hosts
so filtering on !rdns, !fcrdns and matching some common dynamic patterns
kills the bulk of them.

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org
patreon: https://www.patreon.com/gilles
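The reply above says the supported replacement for scraping the human logs is a filter that registers for report events and parses those. As an added example, not code from OpenSMTPD or any existing filter, here is the core of such a filter in Go: it records the source address of each session from its link-connect event, attributes every failed link-auth to that address, and returns the sources that crossed a threshold. The report line layout (report|version|timestamp|subsystem|event|session|fields..., with link-connect carrying rdns, fcrdns, src and dest and link-auth carrying username and result) is what I assume from smtpd-filters(7) for 6.6; check the manual of your version, and note the sample lines are constructed. A real filter would read such lines from stdin after emitting its register lines.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"sort"
	"strings"
)

// Constructed report lines in the assumed smtpd-filters(7) shape.
const reports = `report|0.4|1568619600.1|smtp-in|link-connect|7ad1f30e0a2b4c5d|vps-33288.fhnet.fr|pass|185.13.39.7:51234|203.0.113.25:25
report|0.4|1568619600.2|smtp-in|link-auth|7ad1f30e0a2b4c5d|info|fail
report|0.4|1568619600.3|smtp-in|link-auth|7ad1f30e0a2b4c5d|info|fail
report|0.4|1568619600.4|smtp-in|link-auth|7ad1f30e0a2b4c5d|admin|fail
report|0.4|1568619601.0|smtp-in|link-connect|7ad1f30e0a2b4c5e|<unknown>|fail|198.51.100.9:40001|203.0.113.25:25
report|0.4|1568619601.1|smtp-in|link-auth|7ad1f30e0a2b4c5e|alice|pass
report|0.4|1568619602.0|smtp-in|link-disconnect|7ad1f30e0a2b4c5d
`

// AuthFailTracker counts failed AUTH attempts per source address. link-auth
// carries no address, so the address seen at link-connect is kept per session
// until link-disconnect.
type AuthFailTracker struct {
	sessionSrc map[string]string // session id -> source IP
	Failures   map[string]int    // source IP -> failed AUTH count
}

func NewAuthFailTracker() *AuthFailTracker {
	return &AuthFailTracker{sessionSrc: map[string]string{}, Failures: map[string]int{}}
}

// Feed processes one protocol line; anything that is not a report of
// interest is ignored, so it can be handed every line a filter reads.
func (t *AuthFailTracker) Feed(line string) {
	f := strings.Split(line, "|")
	if len(f) < 6 || f[0] != "report" {
		return
	}
	event, session := f[4], f[5]
	switch event {
	case "link-connect":
		if len(f) < 10 {
			return
		}
		host, _, err := net.SplitHostPort(f[8])
		if err != nil {
			host = f[8] // not host:port, e.g. a local socket; keep as-is
		}
		t.sessionSrc[session] = host
	case "link-auth":
		if len(f) < 8 || f[7] == "pass" {
			return
		}
		if src, ok := t.sessionSrc[session]; ok {
			t.Failures[src]++
		}
	case "link-disconnect":
		delete(t.sessionSrc, session)
	}
}

// Offenders returns, sorted, the sources with at least threshold failures.
func (t *AuthFailTracker) Offenders(threshold int) []string {
	var out []string
	for src, n := range t.Failures {
		if n >= threshold {
			out = append(out, src)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	tr := NewAuthFailTracker()
	sc := bufio.NewScanner(strings.NewReader(reports))
	for sc.Scan() {
		tr.Feed(sc.Text())
	}
	fmt.Println("sources at or over 3 failed logins:", tr.Offenders(3))
}
```

Because the events are versioned and field-delimited, the same code keeps working across log wording changes like the one that broke the fail2ban rule; what a deployment does with `Offenders` (feed a pf table, or an `smtpd.conf` table used in a `match ... from src` rule) is a separate decision.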



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-28 Thread Gilles Chehade
On Wed, Aug 28, 2019 at 10:55:05AM +0300, Reio Remma wrote:
> On 28/08/2019 10:44, gil...@poolp.org wrote:
> > 28 August 2019 00:00 "Reio Remma" wrote:
> > 
> > > On 27.08.2019 21:25, Richard Narron wrote:
> > > 
> > > > The OpenSMTPD portable version from 
> > > > https://github.com/OpenSMTPD/OpenSMTPD
> > > > works fine on Slackware64 current with OpenSSL 1.1.1c and gcc 9.2
> > > > It took me a while to get it to work though.
> > > > I first downloaded the "current" portable version from
> > > > https://opensmtpd.org/archives/opensmtpd-6.4.2p1.tar.gz
> > > > And I got errors very similar to those of Denis Fateyev on Fedora 30.
> > > > Next I downloaded the portable version from github.com
> > > > and found that autoconf had not been run and this was no good.
> > > > Finally I discovered the post on the mailing list which mentioned the
> > > > "bootstrap" script and then I was able to download and build the 
> > > > portable
> > > > version from git.
> > > > The code shows version "6.6.0-portable".
> > > > It runs fine on Slackware64 current and I'm happy that it now works with
> > > > OpenSSL 1.1
> > > > Regards,
> > > > Richard Narron
> > > Your success pushed me to try 6.6.0 on CentOS 7 with OpenSSL 1.1.1c.
> > > 
> > > Can anyone tell me if changing to -lcrypto -lssl to -l:libssl.a 
> > > -l:libcrypto.a is the correct way
> > > to get OpenSSL 1.1.1c statically compiled into OpenSMTPD? I ended up 
> > > using these (and -pthreads
> > > -ldl) and managed to build an RPM based on 6.0.3 RPM from CentOS 7.
> > > 
> > I don't know about the -l:lib notation sorry
> > 
> > Out of curiosity, why would you want ssl statically compiled into OpenSMTPD 
> > ?
> > This means that when an issue hits OpenSSL, updating OpenSSL and restarting 
> > the daemon will not be
> > enough to be back on track.
> > 
> > In addition, I'm not sure why you need -pthreads because OpenSMTPD is not 
> > multi-threaded.
> 
> Hello!
> 
> CentOS 7 has OpenSSL 1.0.2k as the max version and with OpenSSL 1.1.1c
> compiled into OpenSMTPD I can run the new OpenSMTPD version on a machine
> with CentOS 7's old OpenSSL version.
> 
> I had to add -pthreads and -ldl to pass 'make' with the static OpenSSL
> libraries. Without these I ran into errors hinting at threads and dl.
> 
> I'm a little wary of just forcibly replacing the whole OpenSSL 1.0.2k on a
> production machine. :)
> 

Understood !

OpenSSL 1.0.x is going to be supported until 2019-12-31 so this will get
solved by itself soon ;-)




Re: tags on the portable branch?

2019-08-26 Thread Gilles Chehade
On Sun, Aug 25, 2019 at 07:16:23AM +0200, Harald Dunkel wrote:
> Hi Gilles,
> 
> On 8/24/19 9:14 PM, Gilles Chehade wrote:
> > 
> > This is expected.
> > 
> > Version 6.4.x only builds with LibreSSL or OpenSSL 1.0.x
> > 
> 
> do you think it would be possible to set a tag matching support
> for openssl 1.1.1c as well? The version I am using right now now
> is based on 772da22936c8d80f7ad3284ea7e5bdbfdbee2efb, but this
> might be too experimental for production use.
> 

I'm unsure I understand what you want :-/

OpenSSL 1.1.x is only supported in the development branch so you need to
track latest commit in branch 'portable': the commit you're using is one
of the development branch from two weeks ago, if you are happy with that
keep it, it's no less or more experimental than any commit in the branch
since you're already running development code.

I wouldn't know what to tag honestly





Re: stumped on virtual aliases

2019-08-24 Thread Gilles Chehade
On Sat, Aug 24, 2019 at 04:14:21PM +0200, Joseph A Borg wrote:
> I'm trying to match an email: nos...@domain.tld to expand to 
> webmas...@domain.tld and deliver to local mailbox.
> 
> My setup is pretty simple and works well for virtual mailboxes linked to a 
> couple of virtual domains. Now I'm trying to add aliases to some accounts.
> 
> From the error, it seems like smtpd is not transforming the alias address 
> into the final address for delivery.
> Seems like I'm not understanding how smtpd transforms a recipient address 
> in an  into the actual recipient for delivery.
> 
> I must be conceptually stumped on this one.
>
> [...]
> 
> the configuration files for the domain and tables follows.
> 
>
> # file:/etc/mail/domain.tld/accounts/valiases:
> =
> > nospam webmas...@domain.tld
> ## EOF
> 
> # file:/etc/mail/domain.tld/accounts/emails
> 
> > webmas...@domain.tld::/home/domain/mail/master
> > webdus...@domain.tld::/home/domain/mail/duster
> > webbus...@domain.tld::/home/domain/mail/buster
> ## EOF
> 

Your problem lies here.

expansion resolves an e-mail address into a user-part, so ultimately
what's looked up in a userbase is the part before '@'

if you're already using a virtual account, why not do something like
this ?

valiases:
==
nospam webmaster

emails:
==
webmaster   ::/home/domain/mail/master


if you really want the indirection, you can even:

nospam webmas...@domain.tld
webmas...@domain.tld   webmaster



> # file:/etc/mail/domain.sub.smtpd.conf
> =
> 
> > ## =
> > ## DOMAIN CONFIGURATION:
> > ## =
> > # TABLE DECLARATIONS:
> > # ---
> > table domains   \
> > file:/etc/mail/domain.tld/domains
> > table valiases  \
> > file:/etc/mail/domain.tld/accounts/valiases
> > table e-boxes   \
> > file:/etc/mail/domain.tld/accounts/emails
> > 
> > # ACTIONS
> > # ---
> > action valiases_set \
> > expand-only \
> > virtual 
> > action deliver_virtual_set  \
> > maildir \
> > userbase 
> > 
> > # MATCHES
> > # ---
> > match from any  \
> >   for domain   \
> >   action valiases_set
> > match from any  \
> >   for domain   \
> >   action deliver_virtual_set
> > 
> > 
> 




Re: Service names in listen on directives

2019-08-24 Thread Gilles Chehade
On Sat, Aug 24, 2019 at 10:16:26PM +0200, Martijn van Duren wrote:
> On 8/24/19 10:06 PM, Gilles Chehade wrote:
> > On Sat, Aug 24, 2019 at 12:32:05PM -0700, Darren S. wrote:
> >> OpenBSD 6.5 amd64
> >> OpenSMTPD 6.5.0
> >>
> >> port [port]
> >> Listen on the given port instead of the default port 25.
> >>
> >> I wanted to confirm if service names are intended to be supported for
> >> `listen on` option in smtpd.conf.
> >>
> >> These result in syntax failure:
> >>
> >> listen on lo port smtp
> >> listen on lo port smtps
> >>
> >> These do not:
> >>
> >> listen on lo port 25
> >> listen on lo port 465
> >>
> >> This also does not:
> >>
> >> listen on lo port submission
> >>
> >> Found it curious that `submission` may be used in place of a port
> >> number but not the other service names.
> >>
> > 
> > this is because `smtp' and `smtps` are keywords, so they must be quoted:
> > 
> > listen on lo port "smtp"
> > 
> > 
> Don't know if there's interest, but considering the port argument is
> non-optional and smtp and smtps are valid (and imho not unreasonable)
> port names I reckon we could add them explicitly so they can be used
> without quotes.
> 

You beat me to it, yes this makes sense.


> Index: parse.y
> ===
> RCS file: /cvs/src/usr.sbin/smtpd/parse.y,v
> retrieving revision 1.258
> diff -u -p -r1.258 parse.y
> --- parse.y   23 Aug 2019 19:05:01 -  1.258
> +++ parse.y   24 Aug 2019 20:14:40 -
> @@ -1863,6 +1863,38 @@ opt_if_listen : INET4 {
>   free($2);
>   listen_opts.port = ntohs(servent->s_port);
>   }
> + | PORT SMTP {
> + struct servent *servent;
> +
> + if (listen_opts.options & LO_PORT) {
> + yyerror("port already specified");
> + YYERROR;
> + }
> + listen_opts.options |= LO_PORT;
> +
> + servent = getservbyname("smtp", "tcp");
> + if (servent == NULL) {
> + yyerror("invalid port: smtp");
> + YYERROR;
> + }
> + listen_opts.port = ntohs(servent->s_port);
> + }
> + | PORT SMTPS{
> + struct servent *servent;
> +
> + if (listen_opts.options & LO_PORT) {
> + yyerror("port already specified");
> + YYERROR;
> + }
> + listen_opts.options |= LO_PORT;
> +
> + servent = getservbyname("smtps", "tcp");
> + if (servent == NULL) {
> + yyerror("invalid port: smtps");
> + YYERROR;
> + }
> + listen_opts.port = ntohs(servent->s_port);
> + }
>   | PORT NUMBER   {
>   if (listen_opts.options & LO_PORT) {
>   yyerror("port already specified");
> 
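Review bot: the new `PORT SMTP` and `PORT SMTPS` alternatives are verbatim copies of each other, and of the service-name lookup the preceding alternative already performs (`listen_opts.port = ntohs(servent->s_port);`), differing only in the literal handed to getservbyname(); a small helper taking the service name, or letting the lexer deliver these two keywords as a string in port context so the existing rule handles them, would avoid three copies of the same LO_PORT / getservbyname / yyerror sequence. Minor style: `| PORT SMTPS{` lacks the space before the brace that the other alternatives have. Worth a line in the documentation as well: the lookup still goes through the services database, so on a host whose services file has no "smtps" entry the configuration is rejected with "invalid port: smtps" even though the keyword now parses.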




Re: Service names in listen on directives

2019-08-24 Thread Gilles Chehade
On Sat, Aug 24, 2019 at 12:32:05PM -0700, Darren S. wrote:
> OpenBSD 6.5 amd64
> OpenSMTPD 6.5.0
> 
> port [port]
> Listen on the given port instead of the default port 25.
> 
> I wanted to confirm if service names are intended to be supported for
> `listen on` option in smtpd.conf.
> 
> These result in syntax failure:
> 
> listen on lo port smtp
> listen on lo port smtps
> 
> These do not:
> 
> listen on lo port 25
> listen on lo port 465
> 
> This also does not:
> 
> listen on lo port submission
> 
> Found it curious that `submission` may be used in place of a port
> number but not the other service names.
> 

this is because `smtp' and `smtps` are keywords, so they must be quoted:

listen on lo port "smtp"





Re: tags on the portable branch?

2019-08-24 Thread Gilles Chehade
On Sat, Aug 24, 2019 at 04:19:11PM +0200, Harald Dunkel wrote:
> On 8/23/19 9:55 PM, John Cox wrote:
> > Hi
> > 
> > Whilst I know it doesn't help you I just git cloned that URL and the
> > tag checkout just worked for me.  What happens if you make another new
> > (temporary) repo with clone and try again?
> > 
> > Regards
> > 
> > John Cox
> > 
> 
> Using a new clone, as suggested: The tag "opensmtpd-6.4.2p1" is available,
> but it doesn't build on Debian sid (openssl 1.1.1c). Full build.log is
> attached.
> 

This is expected.

Version 6.4.x only builds with LibreSSL or OpenSSL 1.0.x

See:

https://poolp.org/posts/2019-07-27/july-2019-report-tons-of-smtpd-work-mostly/






Re: tags on the portable branch?

2019-08-22 Thread Gilles Chehade
On Thu, Aug 22, 2019 at 10:24:30AM +0200, Harald Dunkel wrote:
> Hi folks,
> 
> would it be possible to set tags on the portable branch as well?
> Something like
> 
>   portable-6.4.1
> 
> would do.
> 
> This could help alot for creating some kind of "official" source
> package for Debian and Fedora/RedHat.
> 

you mean like this ? :-)

https://github.com/OpenSMTPD/OpenSMTPD/releases/tag/opensmtpd-6.4.2p1




Re: smtpd not passing data to rspamd

2019-08-22 Thread Gilles Chehade
On Wed, Aug 21, 2019 at 08:06:58PM +, Thomas Smith wrote:
> 
> ------- Original Message -------
> On Wednesday, August 21, 2019 8:28 AM, Gilles Chehade  
> wrote:
> 
> > On Wed, Aug 21, 2019 at 03:22:39PM +, Thomas Smith wrote:
> >
> > > Hi,
> > > I've setup filter-rspamd with rspamd. Both appear to be running (smtpd 
> > > and rspamd), I'm able to query rspamd's controller, access the web UI; 
> > > smtpd is processing and delivering mail as expected.
> > > ps wuax | grep rspam
> > > root 86736 0.0 0.4 45236 4008 ?? I 6:30AM 0:00.05 rspamd: main process 
> > > (rspamd)
> > > _rspamd 32135 0.0 1.0 45344 10140 ?? S 6:30AM 0:00.23 rspamd: 
> > > rspamd_proxy process (localhost:11332) (rspamd)
> > > _rspamd 4059 0.0 1.4 45688 14632 ?? S 6:30AM 0:01.63 rspamd: controller 
> > > process (localhost:11334) (rspamd)
> > > _rspamd 16743 0.0 1.1 45384 11020 ?? S 6:30AM 0:00.33 rspamd: normal 
> > > process (localhost:11333) (rspamd)
> > > _smtpd 32851 0.0 0.4 105520 3624 ?? I 6:56AM 0:00.01 
> > > /usr/local/bin/filter-rspamd
> > > _smtpd 68802 0.0 0.1 844 808 ?? Ip 6:56AM 0:00.00 sh -c 
> > > /usr/local/bin/filter-rspamd
> > > However, I don't see any messages being processed by rspamd. Nor do I see 
> > > any indication that data is being sent to rspamd (nothing in the logs, no 
> > > stats appearing in the web UI).
> >
> > can you show full logs for a sample smtpd session that didn't go through 
> > rspamd ?
> 
> Is this what you're looking for?
> 
> Aug 21 12:42:22 host smtpd[71198]: 43e03ee20005a41f smtp connected 
> address=x.x.x.x host=***t.com
> Aug 21 12:42:23 host smtpd[71198]: 43e03ee20005a41f smtp message 
> msgid= size=338369 nrcpt=1 proto=ESMTP
> Aug 21 12:42:23 host smtpd[71198]: 43e03ee20005a41f smtp envelope 
> evpid= 
> from=<t.com> 
> to=<***.***>
> Aug 21 12:42:24 host smtpd[71198]: 43e03ee20005a41f smtp disconnected 
> reason=quit
> 
> The msgid reveals some additional data, but the server doesn't manage final 
> delivery--emails are received and relayed only. So the additional message 
> information is related to the outbound (relayed) email but I can provide if 
> needed.
> 

sorry but this is tricky to troubleshoot with so few logs, obfuscated on
top of it :-/




FLOSS Weekly 543 OpenSMTPD

2019-08-21 Thread Gilles Chehade
Hello everyone,

I was invited to talk a bit about SMTP and OpenSMTPD in FLOSS Weekly.

Here is the link in case you're interested:

 https://twit.tv/shows/floss-weekly/episodes/543

Cheers




Re: smtpd not passing data to rspamd

2019-08-21 Thread Gilles Chehade
On Wed, Aug 21, 2019 at 03:22:39PM +, Thomas Smith wrote:
> Hi,
> 
> I've setup filter-rspamd with rspamd. Both appear to be running (smtpd and 
> rspamd), I'm able to query rspamd's controller, access the web UI; smtpd is 
> processing and delivering mail as expected.
> 
> ps wuax | grep rspam
> root 86736  0.0  0.4 45236  4008 ??  I   6:30AM0:00.05 rspamd: 
> main process (rspamd)
> _rspamd  32135  0.0  1.0 45344 10140 ??  S   6:30AM0:00.23 rspamd: 
> rspamd_proxy process (localhost:11332) (rspamd)
> _rspamd   4059  0.0  1.4 45688 14632 ??  S   6:30AM0:01.63 rspamd: 
> controller process (localhost:11334) (rspamd)
> _rspamd  16743  0.0  1.1 45384 11020 ??  S   6:30AM0:00.33 rspamd: 
> normal process (localhost:11333) (rspamd)
> _smtpd   32851  0.0  0.4 105520  3624 ??  I  6:56AM0:00.01 
> /usr/local/bin/filter-rspamd
> _smtpd   68802  0.0  0.1   844   808 ??  Ip  6:56AM0:00.00 sh -c 
> /usr/local/bin/filter-rspamd
> 
> However, I don't see any messages being processed by rspamd. Nor do I see any 
> indication that data is being sent to rspamd (nothing in the logs, no stats 
> appearing in the web UI).
> 

can you show full logs for a sample smtpd session that didn't go through rspamd ?


> smtpd.conf:
> filter "rspamd" proc-exec "/usr/local/bin/filter-rspamd"
> listen on egress tls hostname $mx_domain pki $mx_domain filter "rspamd"
> 
> 'smtpd -d -v':
> debug: smtp: listen on x.x.x.x port 25 flags 0x2401 pki "" ca ""
> 
> I also don't see any debug messages regarding rspamd.
> 

your config is correct





Re: Question about OpenSMTPD and Debian package and filters/spam filtering

2019-08-21 Thread Gilles Chehade
On Wed, Aug 21, 2019 at 12:50:10PM +0200, Michiel van Es wrote:
> Hi!
> 

Hi,


> I am running a small VPS with 1 GB memory with Debian 10 amd64 with OpenSMTPD 
> (6.0.3) for private email and am looking what my best options are to limit 
> spam.
> I know there are some filters from Joerg 
> (https://www.mail-archive.com/misc@opensmtpd.org/msg04402.html) but am not 
> sure if these will work with my version of OpenSMTPD (I get a syntax error 
> when trying the old filter syntax).
> 
> I can also relay everything to Amavisd/SpamAssassin but then email won't 
> get blocked at the SMTP level, also ASSP or Rspamd is an option but they are 
> pretty resource intensive and will eat all my VPS memory ;) 
> 
> What would be my best option?
> 

6.0.3 is a fairly old version and there aren't many options available.

if you're forced to stick with that version, which suffers from at least
one denial of service as far as I know, your best option is to relay via
something like SpamPD so it can interface with SpamAssassin, but this is
not going to operate at SMTP level, it will happen at delivery time.

there will be no way of blocking at SMTP level before next release 6.6.0
that is going to happen in a few weeks, during October, so any option is
going to be post delivery: either as a custom MDA, or as a relay via for
some smtp proxy that will reinject in smtpd like the dkimproxy stuff.

your best option would really be to build from source 6.4.2: it will not
block at SMTP level but will provide mechanisms to ease interfacing with
spamassassin or rspamd for post-SMTP handling.

if you're not too easily scared, running the development version is good
too because it's very close to release now, very stable and will not get
much changes until October as I'm busy busy these days ;-)


> I like to do some DNSBL and SpamAsssassin checks if possible.
> 
> My config if that is to any use to give some insights:
> 
> pki server.pragmasec.nl certificate 
> "/etc/letsencrypt/live/pragmasec.nl/fullchain.pem"
> pki server.pragmasec.nl key "/etc/letsencrypt/live/pragmasec.nl/privkey.pem"
> listen on localhost
> listen on eth0 port 25 tls pki server.pragmasec.nl hostname 
> server.pragmasec.nl auth-optional
> listen on eth0 port 587 tls-require pki server.pragmasec.nl hostname 
> server.pragmasec.nl auth
> table vdomains file:/etc/mail/domains
> table vusers file:/etc/mail/vusers
> expire 7d
> limit mta inet4
> accept from any for domain  virtual  deliver to mda 
> "/usr/lib/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"
> accept from local for any relay
> 
> Cheers,
> 
> Michiel
> 
> 
> 




Re: forcing SMTP authentication

2019-08-21 Thread Gilles Chehade
On Wed, Aug 21, 2019 at 07:39:42AM +0200, Selmeci Tamás wrote:
> Hello!
> 
> In brief: STARTTLS is enabled, there is a self-signed certificate for
> encryption (better than nothing), smarthost is used to send mails from
> my domain. My problem is that it still accepts SMTP connections (over
> TLS) without authentication. What I want:
> - anybody can send email to my email address in my domain (now it's
> working);
> - relaying through my SMTP server is allowed only after successful
> authentication (now anybody can relay through my server without
> authentication, e.g. to send spams). Authentication should be based on
> regular /etc/passwd file (local users of the computer). In order to
> hide the passwords, STARTTLS should be used;
> 
> It's a rather simple configuration, but I wasn't able to set it up. If
> I put 'auth' into the 'listen on' line, it needs authentication to any
> access of the SMTP server, so other machines (e.g. from google.com)
> can't send me mails. Using 'authenticated' in 'accept from' directives
> also didn't do the trick appropriately (it wasn't able to receive any
> mails at all).
> 
> Could you please help me out with this?
> 
> Thanks, regards,
> ---
> ---
> pki mail.486.hu certificate "/etc/smtpd/mail.486.hu.crt"
> pki mail.486.hu key "/etc/smtpd/mail.486.hu.key"
> 
> table cred file:/etc/smtpd/cred
> 
> listen on eth0  port 25 hostname mail.486.hu tls-require
> listen on localhost port 25 hostname mail.486.hu tls-require
> 

you should add:

listen on eth0 port 587 hostname mail.486.hu tls-require auth


> # Storing mails arriving at the domain '486.hu'.
> accept from any for domain 486.hu deliver to mbox
> 
> # If the recipient is out of domain '486.hu', the mail is relayed through the
> # smarthost using TLS and authentication, see 'cred' file.
> accept from any for ! domain 486.hu relay via
> tls+auth://t-onl...@mail.t-online.hu auth  
> 

That last rule is essentially "accept from any for (pretty much) any" so
you have created an open relay.

Replace the "from any" with "from local" so the rule reads as:

   accept from local for ! domain 486.hu relay via
  tls+auth://t-onl...@mail.t-online.hu auth  

This should be much better.




Re: filter assistance requested

2019-08-20 Thread Gilles Chehade
On Mon, Aug 19, 2019 at 01:48:05PM -0500, Edgar Pettijohn wrote:
> Nothing urgent here. Probably can wait for filter documentation. However, 
> I've been
> playing with filters off and on with limited success. It seems like data-line 
> will 
> be the most useful to filter on so thats been my focus lately. I have the 
> following
> script:
> 
> #!/usr/bin/perl
> 
> use strict;
> use warnings;
> use diagnostics;
> 
> open(my $fh, '>', '/tmp/log.txt') or die $!;
> 
> # remove line buffering
> select(STDOUT);
> $|++;
> select($fh);
> $|++;
> 
> print STDOUT "register|filter|smtp-in|data-line\n";
> print STDOUT "register|ready\n";
> 
> while ( <> ) {
> chomp; # get rid of newline
> 
> my @report = split /\|/;
> 
> next if $report[0] eq 'config';
> 
> foreach (@report) {
> print $fh "$_\|"; # just to see whats there
> }
>   print $fh "\n";
> 
> my $inbody = 0;
> my ($sid, $token, $line);
> $sid = $report[5];
> $token = $report[6];
> $line = $report[$#report];
> if ($report[0] eq 'filter' and $report[3] eq 'smtp-in' and $report[4] 
> eq 'data-line') {
> die "invalid filter command" if (scalar @report < 7);
> if ($line eq '') { print $fh "end of headers\n"; $inbody++; }
> if ($line eq '.') { print $fh "end of message\n"; $inbody--; }
> print $fh "filter-dataline|$token|$sid|$line\n";
> print STDOUT "filter-dataline|$token|$sid|$line\n";
> }
> }
> 
> close $fh;
> 
> 0;
> 
> It prints the following in /tmp/log.txt after a 
> $ echo "HI" | mail edgar
> 
> filter|0|1566239933.835511|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|Received:
>  from localhost (deathstar.my.domain [local])|
> filter-dataline|ef8747a12860387a|c0002b41f6bd164d|Received: from localhost 
> (deathstar.my.domain [local])
> filter|0|1566239933.835523|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|
>  by deathstar.my.domain (OpenSMTPD) with ESMTPA id 7052ea5a|
> filter-dataline|ef8747a12860387a|c0002b41f6bd164d|  by 
> deathstar.my.domain (OpenSMTPD) with ESMTPA id 7052ea5a
> filter|0|1566239933.835529|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|
>  for ;|
> filter-dataline|ef8747a12860387a|c0002b41f6bd164d|  for 
> ;
> filter|0|1566239933.835533|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|
>  Mon, 19 Aug 2019 13:38:53 -0500 (CDT)|
> filter-dataline|ef8747a12860387a|c0002b41f6bd164d|  Mon, 19 Aug 2019 
> 13:38:53 -0500 (CDT)
> filter|0|1566239933.836673|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|From:
>  Edgar Pettijohn |
> filter-dataline|ef8747a12860387a|c0002b41f6bd164d|From: Edgar Pettijohn 
> 
> filter|0|1566239933.836681|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|Date:
>  Mon, 19 Aug 2019 13:38:53 -0500 (CDT)|
> filter-dataline|ef8747a12860387a|c0002b41f6bd164d|Date: Mon, 19 Aug 2019 
> 13:38:53 -0500 (CDT)
> filter|0|1566239933.836685|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|To:
>  edgar|
> filter-dataline|ef8747a12860387a|c0002b41f6bd164d|To: edgar
> filter|0|1566239933.836688|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|
> filter-dataline|ef8747a12860387a|c0002b41f6bd164d|ef8747a12860387a
> filter|0|1566239933.836692|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|HI|
> filter-dataline|ef8747a12860387a|c0002b41f6bd164d|HI
> filter|0|1566239933.836695|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|.|
> end of message
> filter-dataline|ef8747a12860387a|c0002b41f6bd164d|.
> 
> I get the following response:
> deathstar$ sendmail: command failed: 550 5.7.1 Delivery not authorized, 
> message refused: Message is not RFC 2822 compliant
> 
> I see the same from a telnet session as well.
> 
> So there are 2 problems. First my script doesn't appear to accurately 
> determine that the headers are finished. Second mail
> doesn't go through. Any suggestions are appreciated.
> 

This error occurs when you don't have at least an empty line to separate
headers from the body.

Based on your output, it seems that you are generating a bad line:

> filter|0|1566239933.836688|smtp-in|data-line|c0002b41f6bd164d|ef8747a12860387a|
> filter-dataline|ef8747a12860387a|c0002b41f6bd164d|ef8747a12860387a

There should be a | at the end of your filter-dataline because it is not
valid as is, I'll check why smtpd did not hit a fatal.


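A minimal data-line filter that does what the script above gets wrong, written here as an added illustration (not code from this thread or from the OpenSMTPD project): it waits for `config|ready` before registering, as the "filter-rspamd available for testing" thread's script does, keeps header/body state per session rather than in a loop-local, and splits events so that the blank separator line comes back as `filter-dataline|token|session|` with its trailing `|`. It assumes the `filter|0|timestamp|smtp-in|data-line|session|token|line` layout visible in the log output above; later smtpd-filters(7) protocol versions may order fields differently, so check the version field your smtpd emits.

```python
#!/usr/bin/env python3
"""Minimal OpenSMTPD proc filter for the smtp-in data-line hook.

Added illustration, not code from this thread. Event format assumed, as shown
in the thread's /tmp/log.txt output:

    filter|0|<timestamp>|smtp-in|data-line|<session-id>|<token>|<line>

Reply format assumed, as used there:

    filter-dataline|<token>|<session-id>|<line>
"""
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

# A data-line event has exactly eight '|'-separated fields. The eighth is the
# raw message line, which may itself contain '|' or be empty (the blank line
# separating headers from body). Payload-less events such as 'commit' carry
# only seven fields, but this filter never registers for them.
FILTER_FIELDS = 8


@dataclass
class Session:
    """State for one SMTP session, kept across events keyed by session id."""
    in_body: bool = False
    header_lines: int = 0
    body_lines: int = 0


def parse_filter_event(raw: str) -> Optional[dict]:
    """Split a 'filter|...' line into named fields; None for other line kinds.

    str.split() with maxsplit leaves everything after the seventh '|' intact
    and, unlike Perl's split, keeps a trailing empty field, so the blank
    header/body separator arrives as line == "" rather than as the token.
    """
    raw = raw.rstrip("\r\n")
    if not raw.startswith("filter|"):
        return None
    parts = raw.split("|", FILTER_FIELDS - 1)
    if len(parts) != FILTER_FIELDS:
        raise ValueError("malformed filter event: %r" % raw)
    _, version, timestamp, subsystem, event, session, token, line = parts
    return {"version": version, "timestamp": timestamp, "subsystem": subsystem,
            "event": event, "session": session, "token": token, "line": line}


def handle_data_line(sessions: Dict[str, Session], ev: dict) -> str:
    """Update header/body state for the session and build the reply line.

    The line is passed through unchanged. The reply always ends in '|' + line,
    so an empty line yields a trailing '|' and smtpd still sees the separator
    it needs before it will accept the message.
    """
    sess = sessions.setdefault(ev["session"], Session())
    line = ev["line"]
    if line == ".":
        # Terminating dot: hand it back, then drop the session's DATA state.
        sessions.pop(ev["session"], None)
    elif not sess.in_body and line == "":
        sess.in_body = True          # first blank line closes the header block
    elif sess.in_body:
        sess.body_lines += 1
    else:
        sess.header_lines += 1
    return "filter-dataline|%s|%s|%s" % (ev["token"], ev["session"], line)


def respond(raw: str, sessions: Dict[str, Session]) -> List[str]:
    """One protocol step: the lines to write back for one line read."""
    raw = raw.rstrip("\r\n")
    if raw == "config|ready":
        # Register only after smtpd has finished sending its config lines.
        return ["register|filter|smtp-in|data-line", "register|ready"]
    ev = parse_filter_event(raw)
    if ev is None or ev["subsystem"] != "smtp-in" or ev["event"] != "data-line":
        return []                    # other config lines, unregistered events
    return [handle_data_line(sessions, ev)]


def main() -> None:
    sessions: Dict[str, Session] = {}
    for raw in sys.stdin:
        for reply in respond(raw, sessions):
            sys.stdout.write(reply + "\n")
        sys.stdout.flush()           # smtpd waits on each reply; never buffer


if __name__ == "__main__":
    main()
```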



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-20 Thread Gilles Chehade
On Fri, Aug 16, 2019 at 03:38:43AM +0600, Denis Fateyev wrote:
> Hello Gilles,
> 
> You are right, I tried "opensmtpd-6.4.2p1.tar.gz" release for some reasons,
> and it was failing to build.
> 
> The latest checkout from portable branch is fine, and doesn't bring any
> build issues anymore, it's great!
> I will test it for a while with some use cases.
> 
> 
> Out of curiosity, I have also tried it with openssl-1.0.2k (RHEL7) , and as
> expected it's failing.
> Mostly related to RSA methods. Just to note:
> https://kojipkgs.fedoraproject.org//work/tasks/2547/37062547/build.log
> 

yeah, the problem is described here:

https://poolp.org/posts/2019-07-27/july-2019-report-tons-of-smtpd-work-mostly/


long story short, the same code can't build for both 1.0.z and 1.1.z, to
support both requires using two different APIs.

it is technically doable but 1.0.z will be EOL a month or so after we
release our next major version so the work isn't worth it.





[jungleboog...@gmail.com: Fwd: OpenSMTPD on FLOSS Weekly]

2019-08-20 Thread Gilles Chehade
- Forwarded message from jungle Boogie  -

From: jungle Boogie 
To: Misc@opensmtpd.org
Cc:
Bcc:
Date: Mon, 19 Aug 2019 10:16:34 -0700
Subject: OpenSMTPD on FLOSS Weekly
Hi All,

Gilles will be on FLOSS Weekly this Wednesday 21 August at 9:30am PT, 1630
UTC.

You can watch live at https://twit.tv/live

I'm looking forward to this interview!

Thanks for being on the show, Gilles.

Best,
j.b.

- End forwarded message -




Re: Simple rewrite-from filter in awk

2019-08-18 Thread Gilles Chehade
On Sun, Aug 18, 2019 at 06:49:25PM +0200, Jakub Jirutka wrote:
> Hi,
> 
> I was playing a bit with new proc filters and wrote a very simple filter
> for rewriting email address in both MAIL FROM command and From header
> with the specified email address... in just ~60 lines of AWK!
> 
> https://github.com/jirutka/opensmtpd-filter-rewrite-from
> 
> I'm really impressed how simple yet powerful is the new proc filter
> interface! The fact that you can implement a simple filter in fews lines
> of such limited language as AWK clearly proves the simplicity. No
> language-specific API and bindings, no complex formats or craps like
> gRPC, just plain old processes, stdin/stdout and simple line-oriented
> protocol with delimiter-separated fields. The proper Unix way. <3
> 

You. made. my. day :-)

I'm glad that I resisted the pressure to implement milters and to push a
ton of features in the daemon because the implementation is exactly what
we wanted to achieve: fast, easy and secure. Took time but we are there.

We lose the many milters that are available, but the simplicity allows a
rewrite of any filter we need in a very short time, including maybe some
milter interface on top of our implementation if someone feels like it.

Looking forward to seeing what the community builds with this !




Re: filter-senderscore for testing

2019-08-18 Thread Gilles Chehade
On Sun, Aug 18, 2019 at 10:39:29AM +0200, Gilles Chehade wrote:
> Hello,
> 
> I have written a second filter:
> 
>   https://github.com/poolpOrg/filter-senderscore
> 
> Senderscore is the reputation scoring built by Return-Path which some of
> the Big Mailers Corp feedback into.
> 
> It isn't bullet-proof but, while good reputations don't mean sender is
> good for real, bad reputations generally mean sender is bad for real.
> 
> I'd appreciate some testing and reporting ;-)
> 

Just for the record:

Aug 18 09:02:42 in smtpd[81815]: 0fc6a2f85d8dccfa smtp connected 
address=23.129.64.207 host=207.emeraldonion.org
Aug 18 09:02:42 in smtpd[27481]: : senderscore(23.129.64.207) 
-> 127.0.4.8
Aug 18 09:02:42 in smtpd[81815]: 0fc6a2f85d8dccfa smtp failed-command 
command="" result="550 your IP reputation is too low for this MX"
Aug 18 09:02:42 in smtpd[81815]: 0fc6a2f85d8dccfa smtp disconnected reason=quit
Aug 18 09:02:43 in smtpd[81815]: 0fc6a2f9cbd54d4e smtp connected 
address=23.129.64.216 host=
Aug 18 09:02:43 in smtpd[27481]: : senderscore(23.129.64.216) 
-> 127.0.4.2
Aug 18 09:02:43 in smtpd[81815]: 0fc6a2f9cbd54d4e smtp failed-command 
command="" result="550 your IP reputation is too low for this MX"
Aug 18 09:02:43 in smtpd[81815]: 0fc6a2f9cbd54d4e smtp disconnected reason=quit
Aug 18 09:02:51 in smtpd[81815]: 0fc6a2face31cde3 smtp connected 
address=23.129.64.162 host=162.emeraldonion.org
Aug 18 09:02:51 in smtpd[27481]: : senderscore(23.129.64.162) 
-> 127.0.4.4
Aug 18 09:02:51 in smtpd[81815]: 0fc6a2face31cde3 smtp failed-command 
command="" result="550 your IP reputation is too low for this MX"
Aug 18 09:02:51 in smtpd[81815]: 0fc6a2face31cde3 smtp disconnected reason=quit
Aug 18 09:02:52 in smtpd[81815]: 0fc6a2fb4fd79b8c smtp connected 
address=23.129.64.162 host=162.emeraldonion.org
Aug 18 09:02:52 in smtpd[27481]: : senderscore(23.129.64.162) 
-> 127.0.4.4
Aug 18 09:02:52 in smtpd[81815]: 0fc6a2fb4fd79b8c smtp failed-command 
command="" result="550 your IP reputation is too low for this MX"
Aug 18 09:02:52 in smtpd[81815]: 0fc6a2fb4fd79b8c smtp disconnected reason=quit
Aug 18 09:07:09 in smtpd[81815]: 0fc6a2fc398ab74f smtp connected 
address=193.169.252.212 host=
Aug 18 09:07:09 in smtpd[27481]: : 
senderscore(193.169.252.212) -> 127.0.4.0
Aug 18 09:07:09 in smtpd[81815]: 0fc6a2fc398ab74f smtp failed-command 
command="" result="550 your IP reputation is too low for this MX"
Aug 18 09:07:09 in smtpd[81815]: 0fc6a2fc398ab74f smtp disconnected reason=quit





filter-senderscore for testing

2019-08-18 Thread Gilles Chehade
Hello,

I have written a second filter:

  https://github.com/poolpOrg/filter-senderscore

Senderscore is the reputation scoring built by Return-Path which some of
the Big Mailers Corp feedback into.

It isn't bullet-proof but, while good reputations don't mean sender is
good for real, bad reputations generally mean sender is bad for real.

I'd appreciate some testing and reporting ;-)




Re: filter-rspamd available for testing

2019-08-17 Thread Gilles Chehade
On Fri, Aug 16, 2019 at 12:02:29AM +0200, Jakub Jirutka wrote:
> Hi Gilles,
> 
> I'm testing OpenSMTPD on Alpine Linux (musl libc) built from the last
> commit from the portable branch [1] and filters don't work.
> 
> The filter script gets the following lines on the start of OpenSMTPD:
> 
> config|smtp-session-timeout|300\n
> config|ready\n
> 
> Right after reading "config|ready" I print the following lines to STDOUT:
> 
> register|filter|smtp-in|data-line\n
> register|filter|smtp-in|commit\n
> register|ready\n
> 
> No problem so far. But when I send a message via sendmail(1), OpenSMTPD
> processes it, but doesn't feed any input to the script. The script is
> running and when I kill OpenSMTPD, it's gracefully exited (STDIN is
> closed, the script finishes).
> 
> I've even tried to register all the reporters and filters as
> filter-rspamd do, i.e. emit exactly the same output, but no change.
> 
> My smtpd.conf:
> 
> table aliases file:/etc/smtpd/aliases
> filter "my-filter" proc-exec "/etc/smtpd/filter.sh"
> listen on lo filter "my-filter"
> 
> action "local" mbox alias 
> match for local action "local"
> 
> Jakub
> 
> [1]:
> https://github.com/OpenSMTPD/OpenSMTPD/commit/772da22936c8d80f7ad3284ea7e5bdbfdbee2efb
> 

Are you sure you're not enqueuing the mail through the local socket ?

Note that 'listen on lo0' is a network listener and does not catch mails
that are submitted through the 'mail' command for instance.

Try adding 'listen on socket' and let me know if it works better.


> P.S.: misc+get-04...@opensmtpd.org doesn't work.
> 

never used it, i'll look

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org  patreon: https://www.patreon.com/gilles



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-15 Thread Gilles Chehade
Hu, this doesn't look like latest checkout from portable, can you double
check ?

On Wed, Aug 14, 2019 at 22:17, Denis Fateyev wrote:

> Hello Gilles,
>
> Tried to rebuild on Fedora 30, but got compile errors (providing below
> with warnings in case if you find them useful):
> --- < cut here > ---
> gcc -DHAVE_CONFIG_H -I. -I../..  -I../../smtpd -I../../openbsd-compat
> -I../../openbsd-compat/err_h -I../../openbsd-compat/paths_h -I.
> -I/usr/include  -DSMTPD_CONFDIR=\"/etc/opensmtpd\"
> -DPATH_CHROOT=\"/var/empty/smtpd\" -DPATH_SMTPCTL=\"/usr/sbin/smtpctl\"
> -DPATH_MAILLOCAL=\"/usr/libexec/opensmtpd/mail.local\"
> -DPATH_LIBEXEC=\"/usr/libexec/opensmtpd\" -DHAVE_CONFIG_H -DIO_SSL
> -DCA_FILE=\"/etc/pki/tls/cert.pem\" -O2 -g -pipe -Wall
> -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
> -fexceptions -fstack-protector-strong -grecord-gcc-switches
> -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
> -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
> -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
>  -fPIC -DPIC -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
> -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign
> -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset -D_BSD_SOURCE
> -D_DEFAULT_SOURCE  -D_GNU_SOURCE -DNEED_EVENT_ASR_RUN -c -o
> ../../smtpd/smtpd-ca.o `test -f '../../smtpd/ca.c' || echo
> './'`../../smtpd/ca.c
> ../../smtpd/aliases.c: In function 'aliases_get':
> ../../smtpd/aliases.c:56:23: warning: variable 'userbase' set but not used
> [-Wunused-but-set-variable]
>56 |  struct table*userbase = NULL;
>   |   ^~~~
> ../../smtpd/aliases.c: In function 'aliases_virtual_get':
> ../../smtpd/aliases.c:114:23: warning: variable 'userbase' set but not
> used [-Wunused-but-set-variable]
>   114 |  struct table*userbase = NULL;
>   |   ^~~~
> gcc -DHAVE_CONFIG_H -I. -I../..  -I../../smtpd -I../../openbsd-compat
> -I../../openbsd-compat/err_h -I../../openbsd-compat/paths_h -I.
> -I/usr/include  -DSMTPD_CONFDIR=\"/etc/opensmtpd\"
> -DPATH_CHROOT=\"/var/empty/smtpd\" -DPATH_SMTPCTL=\"/usr/sbin/smtpctl\"
> -DPATH_MAILLOCAL=\"/usr/libexec/opensmtpd/mail.local\"
> -DPATH_LIBEXEC=\"/usr/libexec/opensmtpd\" -DHAVE_CONFIG_H -DIO_SSL
> -DCA_FILE=\"/etc/pki/tls/cert.pem\" -O2 -g -pipe -Wall
> -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
> -fexceptions -fstack-protector-strong -grecord-gcc-switches
> -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
> -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
> -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
>  -fPIC -DPIC -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
> -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign
> -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset -D_BSD_SOURCE
> -D_DEFAULT_SOURCE  -D_GNU_SOURCE -DNEED_EVENT_ASR_RUN -c -o
> ../../smtpd/smtpd-compress_backend.o `test -f
> '../../smtpd/compress_backend.c' || echo './'`../../smtpd/compress_backend.c
> ../../smtpd/ca.c: In function 'ca_X509_verify':
> ../../smtpd/ca.c:204:47: error: dereferencing pointer to incomplete type
> 'X509_STORE_CTX' {aka 'struct x509_store_ctx_st'}
>   204 |*errstr = X509_verify_cert_error_string(xsc->error);
>   |   ^~
> ../../smtpd/ca.c: At top level:
> ../../smtpd/ca.c:307:1: error: variable 'rsae_method' has initializer but
> incomplete type
>   307 | static RSA_METHOD rsae_method = {
>   | ^~
> ../../smtpd/ca.c:308:2: warning: excess elements in struct initializer
>   308 |  "RSA privsep engine",
>   |  ^~~~
> ../../smtpd/ca.c:308:2: note: (near initialization for 'rsae_method')
> ../../smtpd/ca.c:309:2: warning: excess elements in struct initializer
>   309 |  rsae_pub_enc,
>   |  ^~~~
> ../../smtpd/ca.c:309:2: note: (near initialization for 'rsae_method')
> ../../smtpd/ca.c:310:2: warning: excess elements in struct initializer
>   310 |  rsae_pub_dec,
>   |  ^~~~
> ../../smtpd/ca.c:310:2: note: (near initialization for 'rsae_method')
> ../../smtpd/ca.c:311:2: warning: excess elements in struct initializer
>   311 |  rsae_priv_enc,
>   |  ^
> ../../smtpd/ca.c:311:2: note: (near initialization for 'rsae_method')
> ../../smtpd/ca.c:312:2: warning: excess elements in struct initializer
>   312 |  rsae_priv_dec,
>   |  ^
> ../../smtpd/ca.c:312:2: note: (near initialization for 'rsae_method')
> ../../smtpd/ca.c:313:2: warning: excess elements in struct initializer
>   313 |  rsae_mod_exp,
>   |  ^~~~
> ../../smtpd/ca.c:313:2: note: (near initialization for 'rsae_method')
> ../../smtpd/ca.c:314:2: warning: excess elements in struct initializer
>   314 |  rsae_bn_mod_exp,
>   |  ^~~
> ../../smtpd/ca.c:314:2: note: (near initialization for 

filter-rspamd available for testing (repost)

2019-08-14 Thread Gilles Chehade
Hello,

It seems that I forgot to setup a proper outgoing route yesterday, so my
mail announcing availability of filter-rspamd has been SPF-rejected by a
bunch of hosts...

Here's a link to the mail archive:

   https://www.mail-archive.com/misc@opensmtpd.org/msg04472.html

Note that since then, the port has been committed to OpenBSD !

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org  patreon: https://www.patreon.com/gilles



Re: AUTH failures requires restarting smtpd

2019-08-10 Thread Gilles Chehade
On Sat, Aug 10, 2019 at 02:24:57PM -0500, Edgar Pettijohn wrote:
> 
> On Aug 10, 2019 1:05 PM, Gilles Chehade  wrote:
> >
> > On Mon, Jul 22, 2019 at 11:52:45AM -0500, Edgar Pettijohn wrote:
> > > 
> > > On Jul 22, 2019 8:17 AM, Andreas Karlsson  wrote:
> > > >
> > > > On 2019-07-21 18:25, Edgar Pettijohn wrote:
> > > > > Not sure exactly when this started, but I get authentication errors 
> > > > > that require smtpd to be restarted. Here are some logs and other 
> > > > > pertinent data.
> > > > > 
> > > > > Thanks,
> > > > > 
> > > > > Edgar
> > > > > 
> > > > Hi,
> > > > Can you check if there are any issues with the connection to the MySQL 
> > > > database during the time of the credentials lookup fails?
> > > >
> > > > I've had similar issues with Postgresql databases in the past (many 
> > > > OpenSMTPD versions ago) where the psql tcp connection was disconnected 
> > > > due to restarting the psql database. This was not handled well by 
> > > > OpenSMTPD.
> > > >
> > > > br,
> > > >
> > > > -- 
> > > > You received this mail because you are subscribed to misc@opensmtpd.org
> > > > To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
> > > >
> > > 
> > > Maybe something similar. Mysqld is running and double checking the SQL 
> > > from the command line works. Plus dovecot is using the same without error.
> > > 
> > > Thanks,
> > > 
> >
> > Once I tag OpenSMTPD 6.6.0 in August, I'll have a look at extras because
> > they've been out of my sight for a while.
> >
> > -- 
> > Gilles Chehade  @poolpOrg
> >
> > https://www.poolp.org  patreon: https://www.patreon.com/gilles
> >
> 
> 
> Thanks.  As an update I upgraded to a snapshot last week with no change. Have 
> a cron job restarting smtpd every hour as a workaround.

You should create an issue on our issue tracker so I don't forget about
this in a week

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org  patreon: https://www.patreon.com/gilles



Re: AUTH failures requires restarting smtpd

2019-08-10 Thread Gilles Chehade
On Mon, Jul 22, 2019 at 11:52:45AM -0500, Edgar Pettijohn wrote:
> 
> On Jul 22, 2019 8:17 AM, Andreas Karlsson  wrote:
> >
> > On 2019-07-21 18:25, Edgar Pettijohn wrote:
> > > Not sure exactly when this started, but I get authentication errors that 
> > > require smtpd to be restarted. Here are some logs and other pertinent 
> > > data.
> > > 
> > > Thanks,
> > > 
> > > Edgar
> > > 
> > Hi,
> > Can you check if there are any issues with the connection to the MySQL 
> > database during the time of the credentials lookup fails?
> >
> > I've had similar issues with Postgresql databases in the past (many 
> > OpenSMTPD versions ago) where the psql tcp connection was disconnected 
> > due to restarting the psql database. This was not handled well by OpenSMTPD.
> >
> > br,
> >
> > -- 
> > You received this mail because you are subscribed to misc@opensmtpd.org
> > To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
> >
> 
> Maybe something similar. Mysqld is running and double checking the SQL from 
> the command line works. Plus dovecot is using the same without error.
> 
> Thanks,
> 

Once I tag OpenSMTPD 6.6.0 in August, I'll have a look at extras because
they've been out of my sight for a while.

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org  patreon: https://www.patreon.com/gilles



Re: smtpd / mail.lmtp rewrites from address, breaking lmtp

2019-08-10 Thread Gilles Chehade
On Wed, Jun 26, 2019 at 10:56:50AM +0100, Michal Krzysztofowicz wrote:
> Hi All,
> 

Hi,

> I've been using OpenSMTPD on OpenBSD to run my email server since at least 
> 2015, and this setup has been working really well for me since. 
> 
> [...]
>
> Am I missing something in the configuration, or is this something that needs 
> to be fixed in smtpd? 
> 
> I'm running OpenBSD 6.5 patched to 005_libssl (so I guess it's the 
> -stable flavour), with stock OpenSMTPD distributed with OpenBSD 6.5. 
> 

Sorry, it took a while to start looking at this.

We're very close to 6.6 freeze so I'm not comfortable addressing this in
the current timeframe.

A possible fix to your issue would be to add ' to the allowed charset in
util.c, can you try and see if it is enough to solve your issue ?

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org  patreon: https://www.patreon.com/gilles



Re: Invalid mbox entries

2019-08-09 Thread Gilles Chehade
On Fri, Aug 09, 2019 at 01:19:25AM +0200, Michael Warmuth-Uhl wrote:
> Hi Gilles,
> 
> On 8/8/19 9:30 AM, Gilles Chehade wrote:
> > What happens if you call mail.local directly, bypassing smtpd altogether ?
> 
> Thanks for your hint. It helped finding the issue.
> 
> $ cat .forward
> | /usr/local/bin/procmail
> 
> So it seems procmail is not nice to the mboxes anymore. Removing
> it everything is fine again.
> 

there's an option to let procmail prepend the From delimiter but I don't
recall what it is, know that it exists though.

it was not necessary with OpenBSD 6.3 because OpenSMTPD was doing things
wrong by prepending it itself in some cases and not in others.

with OpenBSD 6.4, the mda layer was normalized so that there are not any
special cases anymore, which means the procmail command line option must
be used now.

that being said, please don't use procmail, the code is unreadable so it
is impossible to audit (not exaggerating, have a look for yourself), it's
also requesting to be setuid which is a red flag and finally there are a
few modern alternatives that are far better, fdm being one of them.

Friends don't let friends use procmail.

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org  patreon: https://www.patreon.com/gilles
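The mailbox symptom in this thread (a message appended without the "From " separator that mail.local writes) can be checked for and repaired with the following added Python example, which is not code from the thread or from OpenSMTPD; the sample mbox is constructed, and the separator text used for the repair is a parameter because the right date is the message's delivery time.

```python
import re
import sys

# Separator mail.local writes before each message: "From ", the envelope sender
# and a ctime-style date, e.g. "From alice@example.org Wed Aug  7 07:40:00 2019".
FROM_LINE = re.compile(r"^From \S+ +\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}$")
# smtpd-delivered messages open with Return-Path:, so that header outside a
# header block marks a message that was appended without a separator.
RETURN_PATH = re.compile(r"^Return-Path: ")

def find_missing_separators(mbox_text):
    """Return [(line_number, line), ...] for every message start that has no
    preceding "From " separator. Line numbers are 1-based."""
    problems = []
    in_headers = False
    for lineno, line in enumerate(mbox_text.splitlines(), 1):
        if FROM_LINE.match(line):
            in_headers = True                # a properly delimited message
        elif line == "":
            in_headers = False               # blank line closes the header block
        elif RETURN_PATH.match(line) and not in_headers:
            problems.append((lineno, line))  # headers began without a separator
            in_headers = True
    return problems

def insert_separators(mbox_text, separator):
    """Return the mbox with `separator` inserted before each flagged message so
    that mbox parsers (dovecot here) see those messages again."""
    flagged = {lineno for lineno, _ in find_missing_separators(mbox_text)}
    out = []
    for lineno, line in enumerate(mbox_text.splitlines(), 1):
        if lineno in flagged:
            out.append(separator)
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed mbox: the second message lacks its "From " line, as in the report.
SAMPLE_MBOX = "\n".join([
    "From alice@example.org Wed Aug  7 07:40:00 2019",
    "Return-Path: <alice@example.org>",
    "Subject: first message, properly delimited",
    "",
    "body of the first message",
    "",
    "Return-Path: <bob@example.org>",
    "Subject: second message, appended without a separator",
    "",
    "body of the second message",
    "",
    "From carol@example.org Wed Aug  7 07:42:34 2019",
    "Return-Path: <carol@example.org>",
    "Subject: third message, properly delimited",
    "",
    "body of the third message",
]) + "\n"

if __name__ == "__main__":
    # With a path argument the whole file is read; a streaming variant would
    # follow the same state machine line by line for very large mboxes.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_MBOX
    for lineno, line in find_missing_separators(text):
        print("line %d: message starts without a From_ separator: %s" % (lineno, line))
```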



Re: Invalid mbox entries

2019-08-08 Thread Gilles Chehade
Since it's mail related, here is fine.

What happens if you call mail.local directly, bypassing smtpd altogether ?

Are other people on the list experiencing this ?

On Aug 8, 2019 10:50, Michael Warmuth wrote:
Hello,

> Very weird because mail.local which is used for mbox delivery
> adds the line unconditionally.

To make sure it's not dovecot removing these lines I stopped it and
received another mail.

"From" line is still missing.

   $ ls -l /usr/libexec/mail.local
   -r-xr-xr-x  1 root  bin  26320 Apr 14 11:31 /usr/libexec/mail.local

Looks good. It is identical to the one in base65.tgz.

> How did you update ?

I followed the "manual upgrade" processes:

 http://www.openbsd.org/faq/upgrade64.html#NoInstKern
 http://www.openbsd.org/faq/upgrade65.html#NoInstKern

As it appears to be more an OpenBSD issue, shall I move to the
OpenBSD mailing list?

Thank you,

Michael






Re: Invalid mbox entries

2019-08-07 Thread Gilles Chehade
Very weird because mail.local which is used for mbox delivery adds the line unconditionally.

How did you update ?

On Aug 8, 2019 00:30, Michael Warmuth-Uhl wrote:
Hello,

since my yesterday's update to OpenBSD 6.5 (from 6.3 via 6.4),
smtpd does create invalid mbox entries for one of my mailboxes:

   ... (previous mail)
   +zip-3.0p1   create/update ZIP files compatible with PKZip(tm)

   Return-Path: 
   Delivered-To: a...@suljee.de
   Received: from georgi.suljee.de (x5f72144c.dyn.telefonica.de [...])
   by nar.suljee.de (OpenSMTPD) with ESMTPSA id 04986583
(TLSv1.2:ECDHE-RSA-CHACHA20-POLY1305:256:NO)
   for ;
   Wed, 7 Aug 2019 07:42:34 +0200 (CEST)
   To: Michael Warmuth-Uhl 
   From: Michael Warmuth-Uhl 

The initial "From" header is missing.

This happens for all new mails to that mbox. For others it's working
fine.

The mbox is rather big (500MB).

I saw no relevant log entries.

Programs parsing (dovecot) the mbox are not happy.

What could be the reason? How can I fix this?

Thank you,

Michael



Details:

smtpd.conf
==
pki mail.suljee.de cert "/etc/ssl/mail.suljee.de.crt"
pki mail.suljee.de key "/etc/ssl/private/mail.suljee.de.key"

table aliases db:/etc/mail/aliases.db
table relayauth file:/etc/mail/relayauth
table virtusers file:/etc/mail/virtusertable
table domains file:/etc/mail/hosteddomains

listen on lo0
#listen on egress tls    pki mail.suljee.de
listen on egress
listen on egress smtps  pki mail.suljee.de auth  tag t_authenticated

#accept from any for domain suljee.de alias  deliver to mbox
#accept from any for domain "*.suljee.de" alias  deliver to mbox
#accept from any for domain  virtual  deliver to mbox
#accept for local alias  deliver to mbox
#accept tagged t_authenticated for any relay
#accept from local for any relay

action "local_mail" mbox alias 
action "virt_user" mbox virtual 
action "relay" relay

match auth from any for domain suljee.de action "local_mail"
match  from any for domain suljee.de action "local_mail"
match auth from any for domain "*.suljee.de" action "local_mail"
match  from any for domain "*.suljee.de" action "local_mail"
match auth from any for domain  action "virt_user"
match  from any for domain  action "virt_user"
match auth from any for local action "local_mail"
match  from any for local action "local_mail"
#match tag t_authenticated action "relay"
match from local for any action "relay"
match auth from any for any action "relay"


dmesg
=


Re: Limit max recipients per mail setting gone?

2019-08-06 Thread Gilles Chehade
On Sun, Aug 04, 2019 at 04:45:17PM +, mabi wrote:
> Hello,
> 
> In previous versions of OpenSMTPD I remember there was the following setting:
> 
> limit session max-rcpt
> 
> which one could use to limit the maximum recipients per mail. This setting 
> seem to have been removed or I can't find it in OpenSMTPD 6.5...
> 
> Is there maybe a new setting name to achieve the same limit?
> 

Indeed, this somehow didn't get documented, please open an issue on our
tracker so I take care of this when I get home in a few days.

meanwhile, smtp limits are as follows:

smtp limit max-mails  = max number of mails per session
smtp limit max-rcpt   = max number of recipients per transaction


-- 
Gilles Chehade @poolpOrg

https://www.poolp.org  patreon: https://www.patreon.com/gilles



Re: git portable branch: Failed to parse smarthost

2019-08-06 Thread Gilles Chehade
On Mon, Aug 05, 2019 at 07:14:17PM +0200, Harald Dunkel wrote:
> Hi folks,
> 
> trying the new smtpd with openssl support on Debian I get the
> following error:
> 
> Aug  5 18:56:26 mailhost smtpd[712]: warn: Failed to parse smarthost smtp://someh...@mail.somehost.de
> 
> Mail is not forwarded, of course.
> 
> 
> The config file says
> 
> :
> table localnet { 10.0.0.0/24, 2001:db8:1f24:b803::/64 }
> table secrets file:/etc/secrets
> :
> action "relay_somehost"   relay host smtp://someh...@mail.somehost.de auth  mail-from "@example.de"
> :
> match from src  for any action "relay_somehost"
> match from local  for any action "relay_somehost"
> 
> 
> The secrets file is:
> 
> somehost postmas...@x.mail.somehost.de:geheim
> 
> 
> AFAICS the syntax follows the man page, so why does it complain?
> I don't see it. Every helpful hint is highly appreciated.
> 

you're using an auth label but this requires a secure transport.

from smtpd.conf(5):

 The label corresponds to an entry in a credentials table,
 as documented in table(5).  It is used with the
 "smtp+tls" and "smtps" protocols for authentication.


-- 
Gilles Chehade @poolpOrg

https://www.poolp.org  patreon: https://www.patreon.com/gilles



Re: unsubscribe old email address?

2019-08-06 Thread Gilles Chehade
You have to send a mail to misc+unsubscr...@opensmtpd.org from the e-mail address you want to unsubscribe.

You can't unsubscribe other addresses.

If you need help, contact me off list

On Aug 6, 2019 11:30, Harald Dunkel wrote:
Hi folks,

https://www.opensmtpd.org/list.html doesn't tell how to unsubscribe
an old EMail address, that cannot be used for sending EMails anymore.
The same page doesn't list an administrative user, either, so please
excuse sending this question to this mailing list.

I tried to send an EMail (new address) to misc+unsubscr...@opensmtpd.org
saying

	unsubscribe o...@example.com

but this didn't work as expected. The EMail address was ignored.

Every helpful hint is highly appreciated.

Harri






OpenSMTPD 6.4.2 released to address errata

2019-08-02 Thread Gilles Chehade
Helo,

A reliability issue was reported yesterday that allows a remote MTA
to crash OpenSMTPD by causing it to hit one of its sanity checks and exit
with fatal(). Highly annoying but not dangerous.

On OpenBSD, the issue is fixed in -current and the fix is backported for
OpenBSD 6.4 and OpenBSD 6.5:

   - on current, update your tree and rebuild smtpd or install snapshot
   - on 6.4 or 6.5, running `syspatch` will properly update your smtpd


On other systems, I have just published a new release 6.4.2p1 which only
consists of the previous 6.4.1p1 release but with errata diff applied. I
have updated our website front page to provide the tarball and signature
as direct links.

Alternatively, you can grab the release from our github mirror under the
tag opensmtpd-6.4.2p1:

   https://github.com/OpenSMTPD/OpenSMTPD/tree/opensmtpd-6.4.2p1

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org  patreon: https://www.patreon.com/gilles



Re: smtpd accept client certificate only from a specific CA

2019-07-29 Thread Gilles Chehade
On Sun, Jul 28, 2019 at 08:37:54PM +, Lévai, Dániel wrote:
> Hi Gilles,
> 
> Did you by any chance have time to look at #926? It there something wrong 
> with my setup or is this a kind of a regression?
> Thanks for any info on this!
> 

Nope, if I had you would know ;-)

I'm working pretty much alone on smtpd these days and I'm not full-time,
so unless an issue is security related, it can take a bit of time before
I tackle it.

Patience.

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org  patreon: https://www.patreon.com/gilles



any kibana guru around ?

2019-07-26 Thread Gilles Chehade
helo,

I'm currently testing a new filter, filter-jsonlog.

The filter basically rebuilds the state of SMTP sessions and for each of
the SMTP events that occur in a session it will output the session state
to syslog in json format.

Injecting the json objects to an elasticsearch allows creating dashboard
for pretty much anything you can think of because the session states can
allow correlating any information together.

see: https://twitter.com/PoolpOrg/status/1154858074273996802

The problem is that while I worked with ELK gurus in the past who helped
me understand how to properly craft logs to ease creation of dashboards,
I suck at actually creating these dashboards.

If there are a few people around with ELK knowledge, it would be nice to
give me some help in showcasing what can be achieved with this feature.

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org  patreon: https://www.patreon.com/gilles



Re: smtpd accept client certificate only from a specific CA

2019-07-26 Thread Gilles Chehade
On Fri, Jul 26, 2019 at 08:19:33AM +, Lévai, Dániel wrote:
> Hi all!
> 
> Running OpenBSD 6.5-stable, I have this on my relay host:
> 
> smtpd.conf:
> ca myCA cert "/path/to/myCA.pem"
> 
> listen on egress port submission \
> tls-require verify \
> ca myCA
> 
> Now with that I expected that it'll only accept smtp clients that provide a 
> certificate signed by myCA, but it turns out it accepts any certificate that 
> is trusted based on the default /etc/ssl/certs.pem file.
> Besides (re)moving the stock certs file or any other intrusive/ugly 
> workaround, is there any way I could force a CA for those connections?
> 

Your expectations are also mine.

Please open an issue on our bug tracker, I'll have a look at it shortly
as I recently did work in that area and it worked as I expected, so I'm
a bit surprised.

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org  patreon: https://www.patreon.com/gilles

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



filter-rspamd testing

2019-07-26 Thread Gilles Chehade
Hello,

I've written a filter for rspamd integration in OpenSMTPD.

I tested the filter on my laptop for a while but I need to test it on my
MX now so... here's a mail which went through rspamd ;-)

Please report if you see my MX misbehaving, some mails not reaching this
list or anything unusual !

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org  patreon: https://www.patreon.com/gilles




Re: OpenSMTPD build on OpenSSL 1.1.x

2019-07-24 Thread Gilles Chehade
On Wed, Jul 24, 2019 at 10:29:34AM +0200, Harald Dunkel wrote:
> Hi Gilles,
> 
> On 7/23/19 11:58 AM, Gilles Chehade wrote:
> > Hello people,
> > 
> > The portable branch of OpenSMTPD should build with OpenSSL again as long
> > as your system is using >= 1.1.x
> > 
> 
> This is excellent news. I highly appreciate the new portable
> version. This solves a lot of problems in my environment.
> 

great ;-)


> > OpenSMTPD portable has been built and tested with Ubuntu only, please do
> > provide feedback !
> > 
> 
> On a first build (Debian 9) configure returned an error
> 
> checking if programs using libevent functions will link... no
> checking openssl/opensslv.h usability... yes
> checking openssl/opensslv.h presence... yes
> checking for openssl/opensslv.h... yes
> configure: error: *** Can't find recent LibreSSL libcrypto (see config.log for details) ***
> 
> 
> but actually libevent was missing:
> 
> :
> configure:19442: checking openssl/opensslv.h usability
> configure:19442: gcc -c -g -O2  -fPIC -DPIC -Wall -Wpointer-arith 
> -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess 
> -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset 
> -D_BSD_SOURCE -D_DEFAULT_SOURCE  -I/usr/local/ssl/include  conftest.c >&5
> configure:19442: $? = 0
> configure:19442: result: yes
> configure:19442: checking openssl/opensslv.h presence
> configure:19442: gcc -E -I/usr/local/ssl/include  conftest.c
> configure:19442: $? = 0
> configure:19442: result: yes
> configure:19442: checking for openssl/opensslv.h
> configure:19442: result: yes
> configure:19468: gcc -o conftest -g -O2  -fPIC -DPIC -Wall -Wpointer-arith 
> -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess 
> -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset 
> -D_BSD_SOURCE -D_DEFAULT_SOURCE  -I/usr/local/ssl/include  
> -L/usr/local/ssl/lib  conftest.c -lcrypto -lssl -levent -lasr -lcrypt 
> -lresolv  >&5
> /usr/bin/ld: cannot find -levent
> collect2: error: ld returned 1 exit status
> :
> 
> After installing the missing package it built fine.
> 

This is a known issue, I'm working on simplifying the configure layer as
there is a lot of room for improvement.

I have tried to tackle this multiple times but not successfully yet ;-)


> I will check runtime ASAP.
> 

Great !

Keep on providing feedback please !

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org  patreon: https://www.patreon.com/gilles




new reporting events

2019-07-14 Thread Gilles Chehade
Hello,

New interesting features have been completed, some committed to -current
while others are still on my laptop.

Here's a short summary, I'll write about them in details when I'm having
my next hack week in... a week :-)

1- reporting API has been extended to report link-reset and link-auth so
   filters can detect that a session has been reset, or that it has been
   authenticated for a user.

2- reporting API for smtp-out is implemented and being tested on my side
   but it's now possible to write reporting-only filters for traffic that
   is outgoing.

3- OpenSMTPD still assumes LibreSSL to be its target but given changes I
   committed to LibreSSL recently, code can be written in a way that let
   OpenSMTPD build on OpenSSL 1.1.x with very minimal diff that is again
   acceptable for me.

Only 1- has been committed at this point, 2- needs more testing before I
am confident about committing. 3- is not merged into the portable branch yet as
I focused on making it work, not ensuring the compat layer was correctly
handling systems with LibreSSL or handling systems with OpenSSL and with
a base arc4random() function.

Note that I'm PARTICULARLY thrilled about 1- and 2-, because it means we
are now VERY VERY VERY sysadmin friendly when it comes to monitoring and
alerting: pushing useful metrics to elasticsearch has become trivial. It
is likely I'll release a filter-elastic if there is interest.

Stay tuned !

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org  patreon: https://www.patreon.com/gilles

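The handshake Jakub's script performs in the filter-rspamd thread above (config lines until config|ready, then register lines and register|ready), the per-event session state that filter-jsonlog emits as JSON, and the link-auth and link-reset events announced here, combined in one added Python example that is not the project's own filter code. The report-line field layout is assumed from smtpd-filters(7), and the stdin sample is constructed.

```python
import copy
import json
import sys

# Report events this filter registers for, mapped to the names of the fields
# that follow the session id on each line. The layout is assumed from
# smtpd-filters(7) and constructed for this example (not the project's code).
REPORT_EVENTS = {
    "link-connect": ("rdns", "fcrdns", "src", "dest"),
    "link-identify": ("method", "identity"),
    "link-auth": ("username", "result"),
    "link-reset": (),
    "link-disconnect": (),
    "tx-begin": ("msgid",),
    "tx-commit": ("msgid", "size"),
    "tx-rollback": ("msgid",),
}

def handshake(lines):
    """Consume the config|... lines smtpd sends at startup, stopping at
    config|ready. Returns (settings seen, register lines to write back)."""
    settings = {}
    for line in lines:
        parts = line.rstrip("\n").split("|")
        if parts[0] != "config":
            raise ValueError("unexpected line during handshake: %r" % line)
        if parts[1] == "ready":
            break
        settings[parts[1]] = "|".join(parts[2:])  # e.g. smtp-session-timeout -> "300"
    else:
        raise ValueError("input ended before config|ready")
    registrations = ["register|report|smtp-in|%s" % ev for ev in REPORT_EVENTS]
    registrations.append("register|ready")
    return settings, registrations

class SessionTracker:
    """Rebuilds per-session state; each event yields a snapshot of the session."""

    def __init__(self):
        self.sessions = {}

    def feed(self, line):
        parts = line.rstrip("\n").split("|")
        if parts[0] != "report" or len(parts) < 6:
            return None                        # not a report line
        _, _version, timestamp, _subsystem, event, session = parts[:6]
        if event not in REPORT_EVENTS:
            return None                        # an event we did not register for
        state = self.sessions.setdefault(session, {"session": session, "txs": []})
        fields = dict(zip(REPORT_EVENTS[event], parts[6:]))
        if event == "link-connect":
            state.update(fields)
        elif event == "link-identify":
            state["helo"] = fields["identity"]
        elif event == "link-auth":
            state["auth_user"] = fields["username"]
            state["auth_result"] = fields["result"]
        elif event == "link-reset":
            state.pop("tx", None)              # RSET drops the open transaction
        elif event == "tx-begin":
            state["tx"] = fields["msgid"]
        elif event in ("tx-commit", "tx-rollback"):
            state["txs"].append({"msgid": fields["msgid"], "outcome": event})
            state.pop("tx", None)
        snapshot = copy.deepcopy(state)        # later events must not alter this record
        snapshot.update(event=event, timestamp=float(timestamp))
        if event == "link-disconnect":
            del self.sessions[session]         # forget closed sessions: no unbounded growth
        return snapshot

def run(lines):
    """Yield what goes to stdout: the register lines first (smtpd waits for
    register|ready), then one JSON object per report event as it arrives."""
    it = iter(lines)
    _settings, registrations = handshake(it)
    for line in registrations:
        yield line
    tracker = SessionTracker()
    for line in it:
        rec = tracker.feed(line)
        if rec is not None:
            yield json.dumps(rec, sort_keys=True)

# Constructed sample of what smtpd would write on the filter's stdin.
SAMPLE = [
    "config|smtp-session-timeout|300",
    "config|ready",
    "report|0.4|1565000000.1|smtp-in|link-connect|7a1|mx.example.net|pass|203.0.113.5:4711|198.51.100.9:25",
    "report|0.4|1565000000.2|smtp-in|link-identify|7a1|EHLO|mx.example.net",
    "report|0.4|1565000000.3|smtp-in|link-auth|7a1|alice|fail",
    "report|0.4|1565000000.4|smtp-in|tx-begin|7a1|b2c3",
    "report|0.4|1565000000.5|smtp-in|link-reset|7a1",
    "report|0.4|1565000000.6|smtp-in|link-disconnect|7a1",
]

if __name__ == "__main__":
    for out in run(SAMPLE if sys.stdin.isatty() else sys.stdin):
        print(out, flush=True)                 # flush: smtpd reads line by line
```

Each emitted object carries the full session (connecting host, fcrdns result, HELO identity, auth outcome, open and completed transactions), so a dashboard can correlate, for instance, failed link-auth events with their source addresses without joining separate log lines.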



heads up about ongoing work

2019-07-06 Thread Gilles Chehade
helo,

it's been a while since my last informative mail to the list and it is a
shame given the amount of work achieved in 2019 so far.

those reading my blog posts are aware of some of the ongoing work that i
mentioned there but since not everyone reads it, here's a quick summary:


1- the filter API is working, minor bugs are being fixed and there are a
   few useful filters already written (though not published yet since we
   have not had a public release with the API contract yet, that's meant
   to be for November).

2- i have a native filter-rspamd about to be completed which is going to
   be solving most of our user requests wrt filters given that rspamd is
   capable of doing dnsbl, greylisting, interfacing with amavisd, do the
   dkim signing and verifying, and spam filtering, everything configured
   directly in rspamd. users that don't want to use rspamd can still use
   other filters dealing with just one subset of the features but I will
   at least be able to say: install filter-rspamd for most requests :-)

3- smtp-out reporting is being worked on and will provide the same level
   of reporting for outgoing connections that we have for incoming ones,
   which is basically complete reporting of all SMTP events.

4- i have been working hard on converting OpenSMTPD to libtls so that it
   is no longer relying on the OpenSSL API for TLS. In the short term it
   means that it will become very hard to run OpenSMTPD with OpenSSL for
   people who were still trying to avoid LibreSSL through local patches,
   but once we've switched to libtls, work can start to create a version
   of libtls that works with OpenSSL, this will keep most complexity out
   of OpenSMTPD and make us work again with OpenSSL without hacks.


Cheers,

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org  patreon: https://www.patreon.com/gilles




Re: what's your LMTP use-case

2019-07-06 Thread Gilles Chehade
On Fri, Jul 05, 2019 at 04:57:51PM +0200, Gilles Chehade wrote:
> helo,
> 
> this is just a question out of curiosity
> 
> I know plenty of people use the lmtp action to deliver mail through LMTP
> and I'm genuinely curious: what is your use-case ?
> 
> Why do you deliver to LMTP ?
> 

Thanks for your answers, both public and private :-)

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org  patreon: https://www.patreon.com/gilles




what's your LMTP use-case

2019-07-05 Thread Gilles Chehade
helo,

this is just a question out of curiosity

I know plenty of people use the lmtp action to deliver mail through LMTP
and I'm genuinely curious: what is your use-case ?

Why do you deliver to LMTP ?

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org patreon: https://www.patreon.com/gilles




Re: tls no-verify

2019-07-04 Thread Gilles Chehade
4 July 2019 16:04 "Henry Jensen"  wrote:
>
> I see. Is this the default behavior? I noticed that
> 
> action "relay" relay host smtp://my.internal.server tls no-verify
> 
> and
> 
> action "relay" relay host smtp://my.internal.server
> 
> (opportunistic TLS) leads to the same result: the mail is transferred using 
> TLS. Only when I use
> 
> action "relay" relay host smtp://my.internal.server tls
> 
> an error occurs "reason=SSL certificate check failed".
> 

no the default behaviour is opportunistic tls, so it'll do tls no-verify
but will fallback to plaintext if no tls is available.

tls no-verify won't hard fail if certificate is invalid, but it won't go
to plaintext either.

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

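The three relay variants discussed in this thread, side by side with the behaviour Gilles describes, as an added example rather than configuration taken from either post; the host name and the action names are placeholders:

```conf
# Added example, not from the thread. my.internal.server and the action
# names are placeholders.

# Default when no "tls" keyword is given: opportunistic STARTTLS. The
# certificate is not verified and, if the peer offers no TLS at all,
# delivery silently falls back to cleartext.
action "relay_opportunistic" relay host smtp://my.internal.server

# "tls no-verify": STARTTLS is required (no cleartext fallback) but an
# invalid or untrusted certificate does not stop delivery. The failed
# verification is still logged ("Server certificate verification failed").
# This defeats passive eavesdropping only; an active man-in-the-middle
# presenting its own certificate is not detected.
action "relay_noverify" relay host smtp://my.internal.server tls no-verify

# "tls": STARTTLS is required and the server certificate must validate.
# With a private internal certificate this is the variant that fails with
# "SSL certificate check failed" until the issuing CA is trusted.
action "relay_verified" relay host smtp://my.internal.server tls

# Pick one of the three for the forwarding rule.
match from any for any action "relay_verified"
```

The log line from the second message in this thread is therefore expected with `no-verify`: it records that verification failed, not that delivery was refused. Only the plain `tls` form turns that log line into a delivery failure.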



Re: dkim proxy

2019-07-04 Thread Gilles Chehade
On Thu, Jul 04, 2019 at 02:17:28PM +0200, Julien HAUTEFEUILLE wrote:
> Hello,
> 

Hello,


> I am using OpenBSD 6.5 with Opensmtpd successfully.
> Nevertheless, I have a question about the dkim proxy.
> 
> I was inspired by the configuration available on the author's website.
> 
> https://poolp.org/posts/2018-05-21/switching-to-opensmtpd-new-config/
> 

I'm not the author of dkim proxy :-)


> On this site the passage through the dkim proxy is done in this way:
> 
> match tag DKIM for any action "send"
> match for any action "sendtodkimproxy"
> 
> On some other sites, I have seen configurations like this one:
> 
> # with dkim sign
> match tag DKIM for any action "send"
> match auth tag DKIM from any for any action "send"
> 
> # without
> match auth from any for any action "sendtodkimproxy"
> match for any action "sendtodkimproxy"
> 
> What do you think is the best way to do this?
> 

Most definitely the second one, not the one on my blog.

A long time ago, there was no such thing as matching 'auth'.

OpenSMTPD assumed any authenticated user to be a "local" user, so if you
read my blog post with that perspective, it makes sense.

Nowadays, authenticated users and local users are considered differently
so you need to match 'auth' to catch authenticated users.


> Thank you for any suggestions you may have.
> 

use the #2 method :-)



-- 
Gilles Chehade @poolpOrg

https://www.poolp.org patreon: https://www.patreon.com/gilles




Re: tls no-verify

2019-07-04 Thread Gilles Chehade
On Thu, Jul 04, 2019 at 01:29:43PM +0200, Henry Jensen wrote:
> Greetings,
> 
> using OpenBSD 6.5 with OpenSMTPD which forwards to an internal mail
> server which uses an internal certificate.
> 
> 
> from smtpd.conf:
> action "local" mbox alias 
> action "relay" relay host smtp://my.internal.server tls no-verify
> 
> match for local action "local"
> match for any action "relay"
> 
> 
> However, when relaying to that server I get such messages in the log,
> despite "tls no-verify" is set:
> 
> smtp-out: Server certificate verification failed on session 3ba547f4f7b77d56c
> 
> 
> What am I doing wrong?
> 

nothing

no-verify only means that if certificate does not validate, connection
will be dropped, the log will still be visible.


-- 
Gilles Chehade @poolpOrg

https://www.poolp.org patreon: https://www.patreon.com/gilles




Re: RBLs?

2019-07-03 Thread Gilles Chehade
On Wed, Jul 03, 2019 at 08:22:59AM +, mabi wrote:
> ------- Original Message -------
> On Wednesday, July 3, 2019 9:39 AM, Giovanni Bechis  
> wrote:
> 
> > I think it could be possible to write a filter-spamassassin, that way smtpd 
> > could reject based on SpamAssassin tags.
> 

yes, that is definitely doable


> Good idea, I might look at this alternative when I have a moment to write 
> something in Ruby interfacing OpenSMTPD<->SA. Is there any documentation 
> available to the filter "API"? I didn't find anything on opensmtpd.org. Or 
> should I just check the source code of already existing filters as example?
> 

the filter API is not yet documented, i'm working on it at the moment.

if you plan on working on filters, you should join our IRC channel or be
prepared to face subtle changes that aren't documented yet ;-)


-- 
Gilles Chehade @poolpOrg

https://www.poolp.org patreon: https://www.patreon.com/gilles




Re: relay from authenticated users only

2019-07-03 Thread Gilles Chehade
On Wed, Jul 03, 2019 at 07:36:43AM +0200, Selmeci Tamás wrote:
> Somebody suggested me to have a look at OpenSMTPD-extras. It contains
> table-passwd. I've got an idea. What if I wrote a custom module that is
> about to be called by OpenSMTPD upon authentication like table-passwd?
> (table-passwd requires another file to store credentials in, and I
> insist on using /etc/passwd only). 
> 

auth uses the system users by default so you don't need a custom module.

i don't know what version you are using, what system you are using, if a
package was used or if you built yourself, etc... so i'll just guess the
configure options used to build opensmtpd were not correct if auth isn't
using your system users out of the box.


> The only question is that is it possible to perform this kind of
> authentication in plain text? In other words, will OpenSMTPD call my
> module if plain text authentication is tried by the client? (I don't
> have enough capacity now to play with self-signed certificates, TLS
> etc) Yes, I know, there are security concerns... But technically, is it
> possible with OpenSMTPD?
>

no, OpenSMTPD will not advertise AUTH over plaintext channels.

it is not an SMTP limitation, it is a decision we made years ago and you
will not have a work-around for this.

there's no excuse in 2019 to allow AUTH over plaintext :-)


-- 
Gilles Chehade @poolpOrg

https://www.poolp.org patreon: https://www.patreon.com/gilles

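A listener setup that matches what Gilles describes above (AUTH offered only inside TLS, system users as the credential source, relaying restricted to authenticated sessions), as an added example rather than anything posted in the thread; the pki name, certificate paths and action names are placeholders:

```conf
# Added example, not from the thread. mail.example.org and the file
# paths are placeholders.
pki mail.example.org cert "/etc/ssl/mail.example.org.crt"
pki mail.example.org key  "/etc/ssl/private/mail.example.org.key"

# Inbound MX: STARTTLS offered opportunistically, no AUTH at all.
listen on egress port 25 tls pki mail.example.org

# Submission: STARTTLS must be negotiated before anything else, then AUTH.
# "auth" without a table checks against the system user database, so no
# table-passwd or separate credentials file is needed. smtpd never
# advertises AUTH on a cleartext session, so even a plain "tls" listener
# with "auth" would only expose it after STARTTLS.
listen on egress port 587 tls-require pki mail.example.org auth

action "local_users" mbox
action "outbound"    relay

match from any for local action "local_users"
# Only sessions that completed AUTH may relay to the outside world.
match auth from any for any action "outbound"
```

The `tls-require` keyword is what makes the submission port refuse to proceed without TLS; with plain `tls` the server would still accept a cleartext session, it just would not offer AUTH on it.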



Re: RBLs?

2019-07-02 Thread Gilles Chehade
On Tue, Jul 02, 2019 at 06:54:02AM +, mabi wrote:
> ------- Original Message -------
> On Sunday, June 30, 2019 1:46 PM, Gilles Chehade  wrote:
> 
> > I'm currently working on bringing a filter-rspamd to life, see:
> >
> > https://poolp.org/posts/2019-06-30/june-2019-report-fion-bpg-and-smtpd/
> 
> Fantastic Gilles, thanks for your great work! I am looking forward to try 
> this filter out.
> 
> [...]
>
> So basically I am not interested in the score but just in a boolean 
> true/false if the mail is spam or not and then have OpenSMTPD refuse the 
> submission/relaying of the mail to further mail servers on the internet.
> 

yes, filter-rspamd will apply the policy configured in rspamd.

if you configure rspamd to flag spam mail as reject, smtpd will reject them.


> My impression is that this right now is not possible with OpenSMTPD. Am I 
> right here?
> 

No, it is not possible with OpenSMTPD.

You need a filter to do this and filter-rspamd is such a filter.

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org patreon: https://www.patreon.com/gilles




Re: RBLs?

2019-06-30 Thread Gilles Chehade
On Sat, Jun 29, 2019 at 01:03:46PM +, Mik J wrote:
>  Hello,

Hello,


> I'm also interested in this topic. A lot of spam are still passing through.
> On my personal mailbox, I receive almost no spam. But on addresses that are 
> visible on a website I receive spam, two/three per day many are blocked 
> though.
> I have the same strategy as Thomas and use spamd and spam trap mails.
> 

I'm currently working on bringing a filter-rspamd to life, see:

https://poolp.org/posts/2019-06-30/june-2019-report-fion-bpg-and-smtpd/


> Joerg your filter looks nice but I don't understand how it works. I'm looking 
> forward to have something native with opensmtpd, spam is a pain.
>

I don't understand what you mean by "native".


-- 
Gilles Chehade @poolpOrg

https://www.poolp.org patreon: https://www.patreon.com/gilles




Re: Introduction

2019-06-26 Thread Gilles Chehade
On Tue, Jun 25, 2019 at 08:15:22PM -0700, tyler wrote:
> Hey all,
> 

Hey tyler,


> I'm a newbie who started his own email server as a side project. Nothing
> serious or as a job, but as a proverbial "middle finger" to gmail and yahoo,
> etc, and some personal enrichment. I've been a fan of OpenBSD for many years
> now, so OpenSMTPD was the obvious choice. This is email address runs on it,
> on a VPS.
> 

\o/


> I've really enjoyed the experience. It didn't take long to set up and after
> tinkering with my domain's DNS records seems to work flawlessly, except for
> unexplained Proofpoint blocks.
> 

These happen even to the best of us.


> Hope you all are having a wonderful day.
> 

Enjoy your stay around,

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org patreon: https://www.patreon.com/gilles




Re: match unknown rDNS

2019-05-29 Thread Gilles Chehade
On Wed, May 29, 2019 at 09:54:36AM +0200, Pierre-Edouard wrote:
> 
> On 26/05/2019 at 17:22, Gilles Chehade wrote:
> > On Sun, May 26, 2019 at 09:53:46AM +0200, Pierre-Edouard wrote:
> > > Hi All,
> > > 
> > Hi,
> > 
> > 
> > > I am currently running OpenSMTPD on OpenBSD 6.5 GENERIC.MP#0 amd64
> > > 
> > > I am trying to "filter" connexions coming from hosts that don't have any
> > > rdns defined.
> > > Such hosts appear as  in the logs.
> > > 
> > > I've tried the following without any results :
> > > 
> > > 
> > > table bots {"NXDOMAIN", "\" , ".*unknown.*", "^$" }
> > > match from rdns regex  for any reject
> > > 
> > > but this rule never matches and hosts without rDNS are still able to send 
> > > me
> > > mail :(
> > > 
> > > Any ideas ?
> > > 
> > the 'from rdns' criteria will fail to match if the client doesn't have a
> > reverse dns, so a way to catch them would be:
> > 
> >  match !from rdns regex '^.*$' [...]
> > 
> > i'll have a look at how to extend the criteria so we can do:
> > 
> >  match !from rdns [...]
> > 
> > but this is not the highest thing in my prio list right now :-)
> > 
> > 
> Thanks for your answer !
> 
> Unfortunately the workaround above does not work, it does not match with no
> rDNS hosts :-(
> 

okie dokie, can you file a feature request on our tracker at github ?

i'll take care of it soon

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg




Re: match unknown rDNS

2019-05-26 Thread Gilles Chehade
On Sun, May 26, 2019 at 09:53:46AM +0200, Pierre-Edouard wrote:
> Hi All,
> 

Hi,


> I am currently running OpenSMTPD on OpenBSD 6.5 GENERIC.MP#0 amd64
> 
> I am trying to "filter" connexions coming from hosts that don't have any
> rdns defined.
> Such hosts appear as  in the logs.
> 
> I've tried the following without any results :
> 
> 
> table bots {"NXDOMAIN", "\" , ".*unknown.*", "^$" }
> match from rdns regex  for any reject
> 
> but this rule never matches and hosts without rDNS are still able to send me
> mail :(
> 
> Any ideas ?
>

the 'from rdns' criteria will fail to match if the client doesn't have a
reverse dns, so a way to catch them would be:

match !from rdns regex '^.*$' [...]

i'll have a look at how to extend the criteria so we can do:

match !from rdns [...]

but this is not the highest thing in my prio list right now :-)


-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg




Re: Too many recipients with even 6-7 emails in CC: field

2019-05-24 Thread Gilles Chehade
On Fri, May 24, 2019 at 07:09:38AM +0200, Jean Louis wrote:
> Hello,
> 
> I am using OpenSMTPD as packaged in Hyperbola
> GNU/Linux-libre, it says version 6.0.2p1-3.
> 
> If I place 6-7 recipients in CC: field, I will get
> other messages delivered by one of them or two, I
> did not yet determine exact number is coming back
> with the local (OpenSMTPD) mailer daemon issue
> "too many recipients".
> 
> I have tried to setup max-rcpt, but it does not
> help.
> 
> Does anybody know how to solve this?
> 

ams-1$ nc localhost 25
220 poolp.org ESMTP OpenSMTPD
EHLO localhost
250-poolp.org Hello localhost [127.0.0.1], pleased to meet you
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-SIZE 36700160
250-DSN
250 HELP
MAIL FROM:
250 2.0.0: Ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
RCPT TO:
250 2.1.5 Destination address valid: Recipient ok
^C

I think your issue isn't with OpenSMTPD but more likely with your
client :-|

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg




Re: LMTP dovecot doesn't accept bounces

2019-05-19 Thread Gilles Chehade
On Sun, May 19, 2019 at 12:16:40PM +0200, David Flatz wrote:
> Gilles Chehade (2019-05-19 10:39+0200):
> > On Sun, May 19, 2019 at 10:24:07AM +0200, Gilles Chehade wrote:
> > > On Sat, May 18, 2019 at 02:55:05PM +0200, David Flatz wrote:
> > > > Delivery to dovecot works pretty good for normal mails locally with 
> > > > sendmail
> > > > and from remote.  However, when opensmtpd generates a bounce dovecot 
> > > > won't
> > > > accept it and returns following error message "501 5.5.4 Invalid FROM:
> > > > Missing domain".
> > > >
> > > > [...]
> > > >
> > > > It seems like opensmtpd uses an envelope from for the bounces that 
> > > > dovecot
> > > > doesn't like.  Is there a way to make opensmtpd to either use an empty
> > > > envelope from (since those seem fine to dovecot) or add a domain?
> > > >
> > > > Thanks again and have a great weekend!
> > > >
> > > 
> > > Yup, the fix will be committed to -current today
> > > 
> > 
> > can you test the following diff and tell me if it makes things better ?
> > 
> > it essentially reverts a commit from months ago which we thought was the
> > proper way to deal with this, but was actually made necessary because of
> > another issue in mda_variables.c
> > 
> > I think this diff should properly fix your issue.
> > 
> > [...]
> 
> Thanks for the diff.  I get this error with a similar diff (I'm using
> portable 6.4.1p2):
> 
> smtpd[6600]:  mda delivery evpid=4bbf012508df6894 from=<> 
> to= rcpt= user=username delay=0s 
> result=PermFail stat=Error ("smtpd: No such file or directorymda command line 
> could not be expanded")
> 
> --- smtpd/parse.y 2018-12-17 13:58:15.0 +0100
> +++ smtpd/parse.y 2019-05-19 10:58:38.678223391 +0200
> @@ -617,11 +617,11 @@
> } dispatcher_local_options
> | LMTP STRING {
>   asprintf(>u.local.command,
> - PATH_LIBEXEC"/mail.lmtp -f %%{mbox.from} -d %s %%{user.username}", 
> $2);
> + PATH_LIBEXEC"/mail.lmtp -f \"%%{sender}\" -d %s %%{user.username}", 
> $2);
> } dispatcher_local_options
> | LMTP STRING RCPT_TO {
>   asprintf(>u.local.command,
> - PATH_LIBEXEC"/mail.lmtp -f %%{mbox.from} -d %s %%{dest}", $2);
> + PATH_LIBEXEC"/mail.lmtp -f \"%%{sender}\" -d %s %%{dest}", $2);
> } dispatcher_local_options
> | MDA STRING {
>   asprintf(>u.local.command,
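Review bot: the log line quoted above this hunk (`result=PermFail stat=Error ("smtpd: No such file or directorymda command line could not be expanded")`) shows that on 6.4.1p2 the expansion layer treats an empty `%{sender}` as an error, so the `-f \"%%{sender}\"` change in the two LMTP alternatives on its own turns a bounce that Dovecot rejected into a bounce that never reaches mail.lmtp at all. The hunk needs the mda_variables.c change that accepts an empty sender as the mailer-daemon case, and the diff should name the revision it depends on so that anyone applying it to a 6.4.x tree knows to take both.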
> 

care to try building from the github repo ?

my diff assumes a previous fix to mda_variables.c:

https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/mda_variables.c.diff?r1=1.4&r2=1.5&f=h

"""
in mda variables expansions, do not consider empty strings as errors since
an empty %{sender} is really a mailer-daemon and not an error

reported and initial diff by Lauri Tirkkonen 
commit is a revised version of the diff based on a discussion with eric@
"""

It was committed five months ago, after 6.4.1p2 which is why you get the
error with my new diff.


-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg




Re: LMTP dovecot doesn't accept bounces

2019-05-19 Thread Gilles Chehade
On Sun, May 19, 2019 at 10:24:07AM +0200, Gilles Chehade wrote:
> On Sat, May 18, 2019 at 02:55:05PM +0200, David Flatz wrote:
> > Hello everybody
> > 
> 
> Hello,
> 
> 
> > Delivery to dovecot works pretty good for normal mails locally with sendmail
> > and from remote.  However, when opensmtpd generates a bounce dovecot won't
> > accept it and returns following error message "501 5.5.4 Invalid FROM:
> > Missing domain".
> > 
> > [...]
> > 
> > It seems like opensmtpd uses an envelope from for the bounces that dovecot
> > doesn't like.  Is there a way to make opensmtpd to either use an empty
> > envelope from (since those seem fine to dovecot) or add a domain?
> > 
> > Thanks again and have a great weekend!
> > 
> 
> Yup, the fix will be committed to -current today
> 

can you test the following diff and tell me if it makes things better ?

it essentially reverts a commit from months ago which we thought was the
proper way to deal with this, but was actually made necessary because of
another issue in mda_variables.c

I think this diff should properly fix your issue.


Index: parse.y
===
RCS file: /cvs/src/usr.sbin/smtpd/parse.y,v
retrieving revision 1.251
diff -u -p -r1.251 parse.y
--- parse.y 13 Feb 2019 22:57:08 -  1.251
+++ parse.y 19 May 2019 08:35:09 -
@@ -664,11 +664,11 @@ MBOX {
 } dispatcher_local_options
 | LMTP STRING {
asprintf(>u.local.command,
-   "/usr/libexec/mail.lmtp -f %%{mbox.from} -d %s %%{user.username}", 
$2);
+   "/usr/libexec/mail.lmtp -f \"%%{sender}\" -d %s %%{user.username}", 
$2);
 } dispatcher_local_options
 | LMTP STRING RCPT_TO {
asprintf(>u.local.command,
-   "/usr/libexec/mail.lmtp -f %%{mbox.from} -d %s %%{dest}", $2);
+   "/usr/libexec/mail.lmtp -f \"%%{sender}\" -d %s %%{dest}", $2);
 } dispatcher_local_options
 | MDA STRING {
asprintf(>u.local.command,
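Review bot: in both `asprintf` calls the sender is now interpolated as `-f \"%%{sender}\"` into a command line that is expanded and executed later, so the double quotes guarantee that an argument is present when `%{sender}` is empty (the bounce case), but they do not on their own neutralise a `"`, `$` or backquote inside an envelope sender; before merging, confirm that the mda expansion escapes those characters or that the resulting command is not handed to a shell, since the envelope sender is remote-supplied. A one-line comment above the `LMTP STRING` alternatives stating that an empty `%{sender}` is the legitimate mailer-daemon case would also stop the next reader from re-introducing `%%{mbox.from}` for the reason this hunk reverts.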




-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg




Re: LMTP dovecot doesn't accept bounces

2019-05-19 Thread Gilles Chehade
On Sat, May 18, 2019 at 02:55:05PM +0200, David Flatz wrote:
> Hello everybody
> 

Hello,


> Delivery to dovecot works pretty good for normal mails locally with sendmail
> and from remote.  However, when opensmtpd generates a bounce dovecot won't
> accept it and returns following error message "501 5.5.4 Invalid FROM:
> Missing domain".
> 
> [...]
> 
> It seems like opensmtpd uses an envelope from for the bounces that dovecot
> doesn't like.  Is there a way to make opensmtpd to either use an empty
> envelope from (since those seem fine to dovecot) or add a domain?
> 
> Thanks again and have a great weekend!
> 

Yup, the fix will be committed to -current today

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg




Re: openssl support

2019-05-17 Thread Gilles Chehade
On Fri, May 17, 2019 at 02:13:46PM +0200, Harald Dunkel wrote:
> Hi Gilles,
> 

Hi,

> I understand that ssl support is a highly complex issue, making it
> necessary to focus and to get rid of the cruft.
> 
> It would be a pity if opensmtpd becomes "OpenBSD-only", though.
> 

I agree and being the one in charge of portable OpenSMTPD these days you
can trust me that I'm highly annoyed by this situation because I wish we
were available to everyone.

I should clarify something:

I didn't wake up in a mood to kill OpenSSL support in OpenSMTPD. I built
OpenSMTPD on a range of machines and realized that, again, I had made no
change to the TLS layer but build was broken on half the machines. I did
not remove the support, it removed itself when a new version came and it
broke existing code. After spending two days trying to unbreak things, I
decided to put a stop to this madness and remove all of OpenSSL-specific
kludge, ifdefs and autoconf pieces. If OpenSSL can be made to work so we
don't have to keep adding conditional tests here and there, I'll be more
than happy, in the meanwhile I'm not taking the extra load of work.

LibreSSL can be built on machines with OpenSSL and coexist, I've done it
on several systems (FreeBSD and various Linux distros) so my take now is
that there's no reason not to package it as an alternative and OpenSMTPD
can depend on it. There's no good reason not to support both...

To finish, I had someone tell me in private that he did not want to rely
on LibreSSL because he didn't trust it... some of the commits to our TLS
layer were actually done or suggested by the LibreSSL folks. We have the
same code standards, to trust us but not LibreSSL is really absurd :-)

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg




Re: openssl support

2019-05-17 Thread Gilles Chehade
On Fri, May 17, 2019 at 10:00:42AM +0200, Harald Dunkel wrote:
> Hi folks,
> 

Hi,


> I wonder what became of
> 
>   https://github.com/OpenSMTPD/OpenSMTPD/issues/534
> 
> ? IMHO this issue was closed way too early. Are all OS distros
> happy with opensmtpd going libressl-only? Will the rest follow?
> 
> 

Ticket was created in 2015, we're in 2019, it was not closed too early.

To put it bluntly, there's no way I can make all distros happy, and in the
meantime I get to do the additional work of trying to satisfy all of the
different openssl builds, some distros using very old versions that lack
features we are forced to ifdef (i.e. SNI, AES-GCM, ...), some others are
even using different configure flags which end up creating very slightly
different libraries carrying the same version, ...

I'm no longer interested in having to cope with that, having ifdefs that
make the code less readable and create versions of smtpd that I will not
be able to properly test because _my_ version never enters an ifdef.

My target is now LibreSSL with all of the features we need, and there is
no specific code to accommodate OpenSSL. If we can _also_ support OpenSSL
by writing code which works for both, I'll happily adapt code so that it
makes both happy but I will not support OpenSSL-specific bits anymore.

I will also make it clear that we only support the LATEST LibreSSL, that
means that I will not accommodate all versions of LibreSSL either.

If you have diffs that allow OpenSMTPD to build with latest LibreSSL and
latest stock OpenSSL (no weird enable/disable configure flags) and which
only achieve so through use of common APIs, I'll accept them happily.

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg




Re: opensmtpd 6.0.3: redirect outgoing EMails to an internal account

2019-05-10 Thread Gilles Chehade
May 10, 2019 10:55 AM, "Harald Dunkel"  wrote:

> Hi folks,
> 
> for testing purposes I have to setup opensmtpd 6.0.3 to
> redirect all outgoing EMails from a list of stage systems to a
> dedicated internal account. smtpd.conf is attached.
> 
> Problem is, there is an invalid recipient error for sending
> an EMail from such a stage system:
> 
> [...]
> 
> If I replace the "deliver to mda ..." by a usual relay statement,
> then the EMail is relayed, so I have to assume that the "deliver
> to mda" somehow affects filtering EMails.
> 

without your configuration it's hard to determine what's wrong


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg




Re: Filters guidance request

2019-04-30 Thread Gilles Chehade
Yes to clarify further, I bought myself another release cycle ;-)

The filter code in 6.5 is voluntarily undocumented as both grammar and
protocol didn't have enough time to "rest" for us to spot things which
would appear better after a few months of being in use.

Now that the stable release is out I will start documenting and making
some of the changes I wanted so that it's "stable" in 6.6.

If you're a developer, you can use filters in 6.5, you just need to be
advanced enough to read code.


On Sat, Apr 27, 2019 at 01:03:57AM +0200, Martijn van Duren wrote:
> See https://poolp.org/, there are some things available, but as far as  
> I'm aware everything is still experimental.
> 
> martijn@
> 
> On 4/26/19 9:45 PM, Aham Brahmasmi wrote:
> > Namaste misc,
> > 
> > I was wondering whether the absence of filters on the 6.5 [1] and
> > current smtpd.conf(5) [2] manpages along with the modest OpenSMTPD 6.5.0
> > release notes [3] should be read into.
> > 
> > In other words, are filters ready for general use?
> > 
> > Dhanyavaad.
> > 
> > Regards,
> > ab
> > [1] - https://man.openbsd.org/OpenBSD-6.5/smtpd.conf
> > [2] - https://man.openbsd.org/smtpd.conf
> > [3] - https://www.openbsd.org/65.html
> > -|-|-|-|-|-|-|--
> > 
> 
> 

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg




Re: How to setup a "clean MTA" in 2019?

2019-04-03 Thread Gilles Chehade
On Tue, Apr 02, 2019 at 01:02:20PM +0200, Joel Carnat wrote:
> Hi,
> 

Hi,

> Reading the Internet and looking at actual public DNS records and email
> headers, there seem to be disagreements regarding the usage of things
> like DMARC/DKIM/SPF. Some discussions are sometimes old (like 2014) and
> have not been rediscussed recently.
> 
> So far, I identified the followings:
> - MUST: have a proper Reverse DNS
> - MUST: have a proper HELO/EHLO value (matching DNS)
> - MAY:  have SPF configured to announce official MTA
> - MAY:  have DKIM configured to sign outgoing emails
> - MAY:  have DMARC set with p=none // many MTA won't check
> - DONT: have DMARC set with p=(quarantine|reject)  // may break things
> 
> What would be the recommendations from the OpenSMTPD project as of 2019
> when one wants to set up an MTA? Are those MUST/MAY/DONT correct? Are
> there more things to add to this checklist?
> 
> Thank you.
> 

No wonder there is no consensus: there's no "right" list, it depends for
the most part on the reputation of the sender (reputation being trickier
than just "IP reputation" as most people think) so different people will
have different experience of what works and what doesn't.

I will write an in-depth article describing my way of modeling this, but
in the mean time I'll tell you the following:

Today, SMTP exchanges rely on a proof of work.

Some recipient domains require a lot of work from senders, others won't,
and with that in mind your list of things to setup may differ on who you
are sending from, who you are sending to, the volumes of mails you send,
the type of mails you send, etc...

My very own minimal would be:
- have a dedicated IP address for mail with correct rDNS and fc-rDNS
- setup the mta to support TLS (if needed, not the case on OpenSMTPD)
- setup the mta to use a EHLO name matching DNS for the IP
- setup SPF
- setup DKIM

That would be my very very very very minimum requirements.

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg

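Gilles' minimal checklist mapped onto a concrete configuration, as an added example and not something posted in the thread; the host name, the address 192.0.2.25 and the DKIM selector are placeholders, and the DNS records are shown only as comments because they live in the zone, not in smtpd.conf:

```conf
# Added example, not from the thread. mail.example.org, 192.0.2.25 and
# the selector "sel" are placeholders.
#
# DNS side of the checklist (zone records, shown here as comments):
#   mail.example.org.           A    192.0.2.25          ; forward
#   25.2.0.192.in-addr.arpa.    PTR  mail.example.org.   ; reverse (rDNS)
#   fc-rDNS holds when the PTR name above resolves back to 192.0.2.25.
#   example.org.                TXT  "v=spf1 ip4:192.0.2.25 -all"
#   sel._domainkey.example.org. TXT  "v=DKIM1; k=rsa; p=<public key>"
# DKIM signing itself is done by a filter or proxy in front of delivery,
# not by smtpd; the record only publishes the key.

# TLS support is built in; the pki entries make the listener offer STARTTLS.
pki mail.example.org cert "/etc/ssl/mail.example.org.crt"
pki mail.example.org key  "/etc/ssl/private/mail.example.org.key"

# Bind the MX to the dedicated mail address only.
listen on 192.0.2.25 port 25 tls pki mail.example.org

# Outbound: send from that same address and greet with the name the A/PTR
# pair resolves to, so EHLO, rDNS and fc-rDNS all agree with each other
# and with the SPF record.
action "outbound" relay src 192.0.2.25 helo "mail.example.org"

action "inbound" maildir
match from any for domain "example.org" action "inbound"
match from local for any action "outbound"
```

The value of the `src` and `helo` pair is that a receiving site checking the EHLO name, its forward record and the PTR of the connecting address sees one consistent identity; a multi-homed host that lets the kernel pick the source address is the usual way this silently breaks.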



Re: Filter email where sender and rcpt-to are the same

2019-02-20 Thread Gilles Chehade
On Wed, Feb 20, 2019 at 04:57:08PM +0100, Mischa wrote:
> 
> 
> > On 6 Feb 2019, at 17:24, Mischa  wrote:
> > 
> >> On 6 Feb 2019, at 15:38, Gilles Chehade  wrote:
> >> 
> >> On Wed, Feb 06, 2019 at 11:42:19AM +0100, Mischa wrote:
> >>> Hi All,
> >>> 
> >>> There has been a new scam going around for some time now where you get an 
> >>> email from your own email address to your email address.
> >>> For people that don't know better it scares the s**t out of them as the 
> >>> email is like:
> >>> 
> >>> Hey I hacked your account as you can see since I am sending this email 
> >>> from your own account.
> >>> etc..
> >>> 
> >>> Is there a quick way to filter email where the sender and rcpt-to are the 
> >>> same?
> >>> Has anybody created a filter already to easily do this?
> >>> 
> >>> Thanx!
> >>> 
> >> 
> >> I used to have a rule to reject any mail from my domain but which were
> >> not originating from trusted machines nor authenticated users.
> >> 
> >> not tested here but something along the lines of:
> >> 
> >>   match !from local mail-from "@opensmtpd.org" reject
> >>   match !auth from any mail-from "@opensmtpd.org" reject
> >> 
> >> there are other ways too
> > 
> > Let me see if some modified version of those rules work, the difference is 
> > that the MX is for incoming email only, outbound is taking a different 
> > route.
> > 
> > Thanx Gilles!
> 
> I have been trying to do things like:
> 
> match from any rcpt-to "openbsd @ high5.nl" mail-from "openbsd @ high5.nl" 
> reject
> (without the spaces of course)
> 
> But it's not working. :/
> Is there again parts of the rule I am missing?
> 

yes, you lack the "for" part, making your rules assume "for local", this
should be better:

match from any mail-from "open...@high5.nl" \
  for any rcpt-to "open...@high5.nl"\
  reject

the criteria are really separate from one another, each performing its
own match, so you really need the rule to describe every criterion; it will
not infer "for" based on "rcpt-to"



-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg




Re: Filter email where sender and rcpt-to are the same

2019-02-06 Thread Gilles Chehade
On Wed, Feb 06, 2019 at 11:42:19AM +0100, Mischa wrote:
> Hi All,
> 
> There has been a new scam going around for some time now where you get an 
> email from your own email address to your email address.
> For people that don't know better it scares the s**t out of them, as the 
> email is like:
> 
> Hey I hacked your account as you can see since I am sending this email from 
> your own account.
> etc..
> 
> Is there a quick way to filter email where the sender and rcpt-to are the 
> same?
> Has anybody created a filter already to easily do this?
> 
> Thanx!
> 

I used to have a rule to reject any mail from my domain which was
not originating from trusted machines or authenticated users.

not tested here but something along the lines of:

match !from local mail-from "@opensmtpd.org" reject
match !auth from any mail-from "@opensmtpd.org" reject

there are other ways too

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg




Re: Upgrade from OpenBSD 6.2-stable to 6.4-stable, new syntax .. mlmmj anyone?

2019-02-05 Thread Gilles Chehade
On Tue, Feb 05, 2019 at 05:35:56PM +0100, Tor Houghton wrote:
> On Tue, Feb 05, 2019 at 04:40:20PM +0100, Gilles Chehade wrote:
> > 
> > You should really avoid using mlmmj from the config or aliases file.
> > 
> > You can easily plug mlmmj from .forward files which is much safer.
> > 
> 
> I see.
> 
> I shall put aside some time and do this.
> 
> Thanks again,
> 
> Tor
> 

$ doas grep misc /etc/mail/aliases-opensmtpd.org
misc:   lists
$ doas grep lists /etc/passwd
lists:*:1034:1034::/home/lists:/bin/sh
$ cat ~lists/.forward
|/usr/local/bin/mlmmj-recieve -L /var/spool/mlmmj/%{rcpt.domain:lowercase}/%{rcpt.user:lowercase|strip}/
$

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg




Re: Upgrade from OpenBSD 6.2-stable to 6.4-stable, new syntax .. mlmmj anyone?

2019-02-05 Thread Gilles Chehade
On Tue, Feb 05, 2019 at 04:26:11PM +0100, Tor Houghton wrote:
> > 
> > Try:
> > 
> > action "mlmmj" mda "/usr/local/bin/mlmmj-recieve -L /var/spool/mlmmj/%{rcpt.user:lowercase|strip}/" virtual 
> > 
> > match from any for domain  action "mlmmj"
> > 
> > 
> 

You should really avoid using mlmmj from the config or aliases file.

You can easily plug mlmmj from .forward files which is much safer.



-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg




Re: match rule seems to be failing in -current

2019-01-29 Thread Gilles Chehade
On Tue, Jan 29, 2019 at 04:23:23PM +0100, Mischa wrote:
> > On 29 Jan 2019, at 16:20, Gilles Chehade  wrote:
> > 
> > On Tue, Jan 29, 2019 at 01:10:47PM +0100, Mischa wrote:
> >> Hi Gilles,
> >> 
> >>> well, providing the full session log from connect to disconnect without
> >>> altering it would be a good start to troubleshoot.
> >> 
> >> Yeah... not really going to happen on public mailinglist. :/
> >> It has the email address of one of my customers and there isn't anything I 
> >> want to do with the rcpt-to.
> >> 
> >> The IP address is part of src (www-relays), which I checked and double 
> >> checked. :)
> >> 
> >> The only thing I can think of is that the mail-from is not matched in 
> >> www-senders file.
> >> Just saw I missed one IP, but that is ok, so you get the drift. 
> >> 
> >>> I think you are missing a "for any" on some rules which causes them to
> >>> not be matched.
> >> 
> >> I would like this email to match the following rule:
> >> 
> >> match from src  mail-from  action "relay"
> >> action "relay" relay
> >> 
> > 
> > for starters, you lack a 'for any' in that rule, so it will only match
> > for recipients that are on a local domain (ie: `hostname` & localhost)
> 
> That makes perfect sense! 
> It's working as expected now. Thanx Gilles!
> 

np

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg




Re: match rule seems to be failing in -current

2019-01-29 Thread Gilles Chehade
On Tue, Jan 29, 2019 at 01:10:47PM +0100, Mischa wrote:
> Hi Gilles,
> 
> > well, providing the full session log from connect to disconnect without
> > altering it would be a good start to troubleshoot.
> 
> Yeah... not really going to happen on public mailinglist. :/
> It has the email address of one of my customers and there isn't anything I 
> want to do with the rcpt-to.
> 
> The IP address is part of src (www-relays), which I checked and double 
> checked. :)
> 
> The only thing I can think of is that the mail-from is not matched in 
> www-senders file.
> Just saw I missed one IP, but that is ok, so you get the drift. 
> 
> > I think you are missing a "for any" on some rules which causes them to
> > not be matched.
> 
> I would like this email to match the following rule:
> 
> match from src  mail-from  action "relay"
> action "relay" relay
> 

for starters, you lack a 'for any' in that rule, so it will only match
for recipients that are on a local domain (ie: `hostname` & localhost)


-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg




Re: match rule seems to be failing in -current

2019-01-29 Thread Gilles Chehade
On Tue, Jan 29, 2019 at 12:41:17PM +0100, Mischa wrote:
> 
> 
> > On 29 Jan 2019, at 12:30, Gilles Chehade  wrote:
> > 
> > On Fri, Jan 25, 2019 at 02:08:41PM +0100, Mischa wrote:
> >> Hi All,
> >> 
> > 
> > Hi,
> > 
> > 
> >> ### smtpd.conf
> >> pki mx1.domain1.nl cert "/etc/ssl/mx1.domain1.nl.fullchain.pem"
> >> pki mx1.domain1.nl key "/etc/ssl/private/mx1.domain1.nl.key"
> >> 
> >> table names file:/etc/mail/hostnames
> >> table aliases file:/etc/mail/aliases
> >> table www-relays file:/etc/mail/www-relays
> >> table www-senders file:/etc/mail/www-senders
> >> table relay-domains file:/etc/mail/relay-domains
> >> table reject-email file:/etc/mail/reject-email
> >> 
> >> table domains sqlite:/etc/mail/sqlite.conf
> >> table virtuals sqlite:/etc/mail/sqlite.conf
> >> table credentials sqlite:/etc/mail/sqlite.conf
> >> 
> >> filter check-fcrdns builtin connect fcrdns disconnect "550 fc-rDNS"
> >> 
> >> listen on mx1.domain1.nl port 25 tls pki mx1.domain1.nl hostnames  
> >> filter check-fcrdns
> >> 
> >> action "local" mbox alias 
> >> action "maildir" maildir "/var/mail/virtual/%{dest:lowercase}/" virtual 
> >> 
> >> action "relay" relay
> >> action "smartrelay" relay host smtp://mail.domain1.nl
> >> 
> >> match from any rcpt-to  for any reject
> >> match from src  !mail-from  for any reject
> >> match from src  mail-from  action "relay"
> >> match from any for domain  action "smartrelay"
> >> match from any for domain  action "maildir"
> >> match from local action "smartrelay"
> >> match for any action "relay"
> >> ###
> >> 
> >> # cat www-relays 
> >> 46.23.xx.yy
> >> 
> >> # cat www-senders 
> >> w...@www.domain2.nl
> >> 
> >> As soon as an email is sent from one of the www-relays with the
> >> sender that is in www-senders I am getting the following error on
> >> the sending mail server (FreeBSD w/ dma):
> >> 
> >> Jan 18 15:56:12 www dma[2eb801]: new mail from user=www uid=80 
> >> envelope_from=
> >> Jan 18 15:56:12 www dma[2eb801]: mail to= queued as 
> >> 2eb801.801a2d0a0
> >> Jan 18 15:56:12 www dma[2eb801.801a2d0a0]: trying delivery
> >> Jan 18 15:56:12 www dma[2eb801.801a2d0a0]: using smarthost 
> >> (mx1.domain1.nl:25)
> >> Jan 18 15:56:12 www dma[2eb801.801a2d0a0]: trying remote delivery to 
> >> mx1.domain1.nl [46.23.xx.zz] pref 0
> >> Jan 18 15:56:13 www dma[2eb801.801a2d0a0]: remote delivery to 
> >> mx1.domain1.nl [46.23.xx.zz] failed after RCPT TO: 550 Invalid recipient
> >> Jan 18 15:56:13 www dma[2eb801.801a2d0a0]: delivery failed, bouncing as 
> >> 2eb803
> >> 
> >> 
> >> OpenSMTPD is saying (grep "00a1b263550db3c7" /var/log/maillog):
> >> 
> >> Jan 18 15:56:13 mx1 smtpd[36743]: 00a1b263550db3c7 smtp connected 
> >> address=46.23.xx.yy host=46-23-xx-yy.domain1.nl
> >> Jan 18 15:56:13 mx1 smtpd[36743]: 00a1b263550db3c7 smtp failed-command 
> >> command="RCPT TO:" result="550 Invalid recipient"
> >> Jan 18 15:56:13 mx1 smtpd[36743]: 00a1b263550db3c7 smtp disconnected 
> >> reason=disconnect
> >> 
> >> Jan 18 14:10:04 mx1 smtpd[36743]: 00a1b263550db3c7 smtp connected 
> >> address=46.23.xx.xx host=www.domain2.nl
> >> Jan 18 14:10:04 mx1 smtpd[36743]: 00a1b263550db3c7 smtp failed-command 
> >> command="RCPT TO:" result="550 Invalid recipient"
> >> 
> >> 
> >> Anybody have an idea?
> >> 
> > 
> > can you run smtpd with -dv -T rules and provide log of which rule is
> > matched ?
> 
> It says no rules are matched. Which makes sense from a failure perspective, 
> as it's unable to deliver the email locally.
> But the content in the files hasn't changed since the upgrade to the new 
> syntax.
> 
> debug: lka: helo names:46.23.88.60
> ed537f31142afcea smtp connected address=46.23.xx.xx host=46-23-xx.xx.high5.nl
> no rule matched
> ed537f31142afcea smtp failed-command command="RCPT TO:" 
> result="550 Invalid recipient"
> ed537f31142afcea smtp disconnected reason=disconnect
> 
> Is there a way to get the sender information in the debug?
> 

well, providing the full session log from connect to disconnect without
altering it would be a good start to troubleshoot.

I think you are missing a "for any" on some rules which causes them to
not be matched.


-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg

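
An added example, not code from the thread: a small Python triage script for the two log shapes quoted above, the syslog lines from /var/log/maillog and the unprefixed `no rule matched` line that `smtpd -dv -T rules` prints. It groups events by session id and lists the sessions whose RCPT TO was refused with a 5xx, flagging those where no match rule fired, which is the symptom a missing "for any" produces. The log lines embedded in it are constructed with documentation addresses, and attributing the bare `no rule matched` line to the most recently seen session is an assumption that holds for a single-session debug capture.

```python
import re

# Constructed sample mixing both formats seen in the thread: syslog-prefixed
# maillog lines and the bare "no rule matched" line from `smtpd -dv -T rules`.
# Addresses, hosts and session ids are documentation values, not real ones.
SAMPLE_LOG = """\
Jan 18 15:56:13 mx1 smtpd[36743]: 00a1b263550db3c7 smtp connected address=192.0.2.10 host=www.example.net
no rule matched
Jan 18 15:56:13 mx1 smtpd[36743]: 00a1b263550db3c7 smtp failed-command command="RCPT TO:" result="550 Invalid recipient"
Jan 18 15:56:13 mx1 smtpd[36743]: 00a1b263550db3c7 smtp disconnected reason=disconnect
Jan 18 15:57:01 mx1 smtpd[36743]: 11a1b263550db3c8 smtp connected address=198.51.100.7 host=relay.example.org
Jan 18 15:57:02 mx1 smtpd[36743]: 11a1b263550db3c8 smtp message address=198.51.100.7 host=relay.example.org msgid=4d7fc17d from=<a@example.org> to=<b@example.com> size=1991 ndest=1 proto=ESMTP
Jan 18 15:57:02 mx1 smtpd[36743]: 11a1b263550db3c8 smtp disconnected reason=quit
"""

# "<16-hex session id> smtp <event> key=value ..." with or without a syslog prefix.
EVENT_RE = re.compile(r'(?P<sid>[0-9a-f]{16}) smtp (?P<event>\S+)(?P<rest>.*)$')
# key=value pairs; a value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_sessions(text):
    """Group smtp events by session id, in the order sessions first appear.

    Returns a dict: sid -> list of (event, fields).  The bare 'no rule matched'
    line printed by -T rules carries no session id, so it is attributed to the
    most recently seen session (assumption: one session per debug capture).
    """
    sessions = {}
    last_sid = None
    for line in text.splitlines():
        line = line.strip()
        m = EVENT_RE.search(line)
        if m:
            sid, event, rest = m.group('sid'), m.group('event'), m.group('rest')
            fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
            sessions.setdefault(sid, []).append((event, fields))
            last_sid = sid
        elif line == 'no rule matched' and last_sid is not None:
            sessions[last_sid].append(('no-rule-matched', {}))
    return sessions


def refused_rcpt_sessions(text):
    """Return one summary per session whose RCPT TO was refused with a 5xx.

    Each summary carries the connecting address and host from the 'connected'
    event, the server's result string, and whether -T rules reported that no
    match rule fired during the session.
    """
    out = []
    for sid, events in parse_sessions(text).items():
        connected = next((f for e, f in events if e == 'connected'), {})
        refused = [f for e, f in events
                   if e == 'failed-command'
                   and f.get('command', '').startswith('RCPT TO')
                   and f.get('result', '').startswith('5')]
        if not refused:
            continue
        out.append({
            'sid': sid,
            'address': connected.get('address'),
            'host': connected.get('host'),
            'result': refused[0]['result'],
            'no_rule_matched': any(e == 'no-rule-matched' for e, _ in events),
        })
    return out


if __name__ == '__main__':
    for s in refused_rcpt_sessions(SAMPLE_LOG):
        flag = ' (no match rule fired: check for a missing "for any")' if s['no_rule_matched'] else ''
        print(f"{s['sid']} {s['address']} {s['host']}: {s['result']}{flag}")
```

Feed it a real capture with `refused_rcpt_sessions(open('/var/log/maillog').read())`; the session id is the join key the thread uses with `grep`, so the same grouping works on the unfiltered log.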



Re: match rule seems to be failing in -current

2019-01-29 Thread Gilles Chehade
On Fri, Jan 25, 2019 at 02:08:41PM +0100, Mischa wrote:
> Hi All,
> 

Hi,


> ### smtpd.conf
> pki mx1.domain1.nl cert "/etc/ssl/mx1.domain1.nl.fullchain.pem"
> pki mx1.domain1.nl key "/etc/ssl/private/mx1.domain1.nl.key"
> 
> table names file:/etc/mail/hostnames
> table aliases file:/etc/mail/aliases
> table www-relays file:/etc/mail/www-relays
> table www-senders file:/etc/mail/www-senders
> table relay-domains file:/etc/mail/relay-domains
> table reject-email file:/etc/mail/reject-email
> 
> table domains sqlite:/etc/mail/sqlite.conf
> table virtuals sqlite:/etc/mail/sqlite.conf
> table credentials sqlite:/etc/mail/sqlite.conf
> 
> filter check-fcrdns builtin connect fcrdns disconnect "550 fc-rDNS"
> 
> listen on mx1.domain1.nl port 25 tls pki mx1.domain1.nl hostnames  
> filter check-fcrdns
> 
> action "local" mbox alias 
> action "maildir" maildir "/var/mail/virtual/%{dest:lowercase}/" virtual 
> 
> action "relay" relay
> action "smartrelay" relay host smtp://mail.domain1.nl
> 
> match from any rcpt-to  for any reject
> match from src  !mail-from  for any reject
> match from src  mail-from  action "relay"
> match from any for domain  action "smartrelay"
> match from any for domain  action "maildir"
> match from local action "smartrelay"
> match for any action "relay"
> ###
> 
> # cat www-relays 
> 46.23.xx.yy
> 
> # cat www-senders 
> w...@www.domain2.nl
> 
> As soon as an email is sent from one of the www-relays with the
> sender that is in www-senders I am getting the following error on
> the sending mail server (FreeBSD w/ dma):
> 
> Jan 18 15:56:12 www dma[2eb801]: new mail from user=www uid=80 
> envelope_from=
> Jan 18 15:56:12 www dma[2eb801]: mail to= queued as 
> 2eb801.801a2d0a0
> Jan 18 15:56:12 www dma[2eb801.801a2d0a0]: trying delivery
> Jan 18 15:56:12 www dma[2eb801.801a2d0a0]: using smarthost (mx1.domain1.nl:25)
> Jan 18 15:56:12 www dma[2eb801.801a2d0a0]: trying remote delivery to 
> mx1.domain1.nl [46.23.xx.zz] pref 0
> Jan 18 15:56:13 www dma[2eb801.801a2d0a0]: remote delivery to mx1.domain1.nl 
> [46.23.xx.zz] failed after RCPT TO: 550 Invalid recipient
> Jan 18 15:56:13 www dma[2eb801.801a2d0a0]: delivery failed, bouncing as 2eb803
> 
> 
> OpenSMTPD is saying (grep "00a1b263550db3c7" /var/log/maillog):
> 
> Jan 18 15:56:13 mx1 smtpd[36743]: 00a1b263550db3c7 smtp connected 
> address=46.23.xx.yy host=46-23-xx-yy.domain1.nl
> Jan 18 15:56:13 mx1 smtpd[36743]: 00a1b263550db3c7 smtp failed-command 
> command="RCPT TO:" result="550 Invalid recipient"
> Jan 18 15:56:13 mx1 smtpd[36743]: 00a1b263550db3c7 smtp disconnected 
> reason=disconnect
> 
> Jan 18 14:10:04 mx1 smtpd[36743]: 00a1b263550db3c7 smtp connected 
> address=46.23.xx.xx host=www.domain2.nl
> Jan 18 14:10:04 mx1 smtpd[36743]: 00a1b263550db3c7 smtp failed-command 
> command="RCPT TO:" result="550 Invalid recipient"
> 
> 
> Anybody have an idea?
> 

can you run smtpd with -dv -T rules and provide log of which rule is
matched ?




-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg




Re: "Pipelining not supported" when connecting to port smtp or submission through OpenSSL command line utility

2019-01-22 Thread Gilles Chehade
On Sat, Jan 19, 2019 at 02:03:33PM -0600, ed...@pettijohn-web.com wrote:
> On Sat, Jan 19, 2019 at 08:12:29PM +0100, Johannes Krottmayer wrote:
> > Hello,
> > 
> > I have a question or a problem of understanding.
> > 
> > When I try to connect through the the command line utility openssl to
> > port smtp or submission I get this output:
> > 
> > $ openssl s_client -connect odin42:25
> 
> openssl s_client -connect host:port -starttls smtp
> 
> I did the same thing and forgot the starttls bit. The whole pipelining
> thing doesn't really help to figure it out though.
> 

yes :-/

the problem is that the SMTP engine expects an SMTP session, and instead
it receives a blob which violates the protocol and likely contains a new
line that triggers the pipelining violation mechanism.

maybe we can do better, will talk with others.



-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg




Re: smtpd - help needed tranlsating to new virtual map syntax [FIXED]

2019-01-22 Thread Gilles Chehade
On Tue, Jan 22, 2019 at 01:11:44AM +0100, Eric Elena wrote:
> On Mon, 21 Jan 2019 11:08:02 +0100 Gilles Chehade wrote:
> > I may sound a bit harsh, but starting a thread with "this is my last try
> > or I'll switch" (as if it actually matters) right before telling someone
> > who wants to help you that you actually tried _nothing_ then blaming the
> > code improvements for a use-case that could have never worked because it
> > not only uses the wrong _documented_ mechanism but also because the code
> > to make your use-case work has never existed, kinds of irritates me.
> > 
> > I don't get royalties on smtpd install, please install whatever software
> > fits your use case, this is how proper engineering works.
> 
> First of all thank you Gilles (and all the others who contributed to
> this project) for your amazing work on OpenSMTPD!
> 
> That said, there is a kind of sender rewriting mechanism in OpenSMTP.
> Well, it works for me (tm) I'm not saying it's perfect, it might be an
> overkill but at least it does what I want it to do. The conf is
> included below (only the part for rewriting the sender
> address):
>
> [...]
>
> When a mail is received (listen on all):
> - check if it is rejected
> - if not, if the email is for toto@my.domain, forward it to the very
> same OpenSMTP daemon on port 10030 using the authenticated user foo and
> using masq@my.domain as the MAIL-FROM in the SMTP session (envelope)
> - when an email is received on port 10030, tag it with the label MASQ.
> The authenticated user is allowed to send an email as the user
> masq@my.domain. The keyword masquerade modifies the From header (the
> message itself) to match the address given in the SMTP session
> - at that point, the sender address is rewritten both in the SMTP
> session and the headers
> - if the email is for toto@my.domain and is tagged with the label MASQ,
> the virtual user address is expanded to the real email address
> - continue like a normal message
> 
> There is probably room for improvement but I hope this helps.
> 

indeed, a bit overkill and now that we have removed the blockers we must
come up with a simpler way to achieve that...

but what you did, that's smart :-)


-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg




Re: smtpd - help needed tranlsating to new virtual map syntax [FIXED]

2019-01-22 Thread Gilles Chehade
On Mon, Jan 21, 2019 at 01:04:16PM -0600, Adam Thompson wrote:
> 
> > Also, this is a recipient translation mechanism, similar to aliases, and
> > not a sender rewriting mechanism which we do not have at this point.
> > [...]
> > virtual _now_ only works on recipients, not senders ?
> > the virtual code hasn't changed, it works the way it always did.
> > 
> > there is no way it could ever do what you're describing or attempting to
> > do given that it doesn't operate at all anywhere near the message. there
> > is no way it has ever parsed:
> 
> This is all very surprising to hear.  The existing system works (somehow).
> So I am apparently misunderstanding what is happening, because with the
> configuration as shown, telling the various broken email senders to use that
> box as their mailhost _somehow_ fixes the bogus From: headers and envelopes.
> 

the entire virtual expansion happens between the client sending RCPT TO,
and the server responding Ok to that RCPT TO. virtual never knows of a
sender, and it is done before the message is actually received so it
doesn't know headers, which is why i'm 100% confident there isn't one
chance it could ever do what you describe.


> Oh, this just occurred to me as I'm writing:  I really hope I didn't switch
> to a different MTA on that system years ago, and then just forgot to check
> which MTA was actually running.  If that's the case, I'm not going to bother
> posting an update, because I'll be busy banging my head on the wall and then
> hiding in shame.
> 

that is a more likely possibility.


> > > I'm not convinced the new smtpd.conf grammar improves anything at
> > > all, but I assume it must help someone or it wouldn't have
> > > changed... but I believe my use case got thrown out with the
> > > bathwater, so to speak.  Oh, well.  :-(
> > This is bullshit.
> > The grammar doesn't reduce the functional scope, it can only expand it.
> 
> I'm taking your word for it - you will know far better than I do!
> 
> 
> > What you are describing has never existed in smtpd, there's never been
> > code to translate sender addresses and there's a good reason for that:
> 
> Good reasons aside, I still need to accommodate other vendor's broken mail
> implementations, because I can't fix them.  I know of multiple reasons
> source rewriting is a bad idea, in general, but I get paid to make stuff
> work, not just say that it's broken.
> 

oh, don't get me wrong, i'm not saying there's a good reason not to have
this rewriting, what i was saying is that there was a good reason why it
was not doable before the grammar change.

it is a useful feature which is part of my todo and which i will work on
as time allows.


> > it was not considered doable before the grammar change...
> > But sure, blame it on the grammar.
> 
> I believed that the grammar change had rendered my use case impossible
> because  was now limited to local delivery methods.  Clearly I was
> wrong... and not even in the way I thought I might be wrong.
> 

yes, that's true.

using 'virtual' on relay rules didn't transform anything whatsoever, the
code had an explicit check to not enter the transformation lookups if we
were in a relay rule.

the new grammar just made it clear that what you were trying to do could
not work rather than accepting the criteria and disregarding it.


> > I may sound a bit harsh, but starting a thread with "this is my last try
> > or I'll switch" (as if it actually matters)
> 
> My apologies - that was meant to sound more like "I have a plan B so if this
> isn't possible, that's OK but I've wasted so much time on this I'm kinda
> running out of time, please tell me if I should just stop now and switch".
> I know *exactly* how much OpenBSD devs care if I use their code or not!  I
> do not want to be "that asshole", although it seems I've succeeded again -
> sorry.
> 
> Thank you for taking the time to reply.  Now I'm going to go check that mail
> server a 7,000,000th time, this time to see what MTA is actually *running*,
> not just *configured*.  I'm not sure whether I want it to be such a blatant
> mistake on my part or not... if yes, this all makes sense but I'm an idiot,
> whereas if no, then WTF, how is it working at all?
> 
> FWIW: I am much happier with OpenSMTPd than with other MTAs because of its
> forward-declarative configuration syntax.  Thank you for your work on
> bringing a modern, lean, secure(-er) MTA into existence.
> 

np ;-)



-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg




Re: disclaimer

2019-01-21 Thread Gilles Chehade
On Fri, Jan 18, 2019 at 02:56:10PM +0300, Tevfik Ceydeliler wrote:
> Hi
> 
> Is there any way to add a disclaimer into mail by using smtpd?
> 

Not yet possible easily, no

Will be doable with the next release


-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg




Re: smtpd - help needed tranlsating to new virtual map syntax [FIXED]

2019-01-21 Thread Gilles Chehade
sorry, I obviously f-up my last mail, this one is fixed ;-)


On Sun, Jan 20, 2019 at 04:14:05PM -0600, Adam Thompson wrote:
> As it turns out, no, that doesn't work.
> Trying to fix up broken sender mail domain-parts only simply gets me a "5.2.4 
> Mailing list expansion problem" error, with no debug output to suggest why.
> 
> In this test case, my translations map had:
> 
>   @bad.athompso.net @good.athompso.net
> 

What is a translation map ?

There is no such thing in OpenSMTPD (as of today).


> in it.  Obviously, this is a test setup :).
> Smtpd.conf itself consisted of:
> 
>   listen on all received-auth
>   smtp max-message-size 100M
>   table translations file:/etc/mail/translations  # ORIG->NEW 
> mappings
>   table allowed-hosts file:/etc/mail/allowed-hosts# Who can 
> connect?  (bare IP addresses or CIDR subnets)
>   action translate lmtp "/var/run/lmtp.sock" virtual
> # 1st pass on allowed rewrite mail
>   action forward forward-only 
> # and now it's not our problem anymore
>   match for any from local action forward # 2nd pass for 
> reinjected mail, this time just forward it
>   match for any from src  action translate # inbound mail 
> - hand it to LMTP, translating as we go
>
>


from table(5):

 Aliasing tables
 
 Aliasing tables are mappings that associate a recipient to one or many
 destinations.  They can be used in two contexts: primary domain aliases
 and virtual domain mapping.
 
 [...]
 
 In a virtual domain context, the key is either a user part, a full email
 address or a catch all, following selection rules described in
 smtpd.conf(5), and the value is one or many recipients as described in
 aliases(5):

   user1   otheruser
   us...@example.org   otheruser1,otheruser2
   @example.org   otheru...@example.com
   @   catch...@example.com


You're feeding the virtual table with invalid values.

Also, this is a recipient translation mechanism, similar to aliases, and
not a sender rewriting mechanism which we do not have at this point.


> A cursory glance at the source code (yikes, it's been a long time since I was 
> a programmer) suggests that virtual now only works on recipients, not 
> senders.  Which is too bad for me, as that means I'll have to switch at least 
> one box to use Postfix.
>

virtual _now_ only works on recipients, not senders ?

the virtual code hasn't changed, it works the way it always did.

there is no way it could ever do what you're describing or attempting to
do given that it doesn't operate at all anywhere near the message. there
is no way it has ever parsed:

@bad.athompso.net @good.athompso.net

and the only thing that changed is that such errors are now visible from
the session as:

5.2.4 Mailing list expansion problem

instead of an invalid recipient error like it probably did in 6.3


> I'm not convinced the new smtpd.conf grammar improves anything at all, but I 
> assume it must help someone or it wouldn't have changed... but I believe my 
> use case got thrown out with the bathwater, so to speak.  Oh, well.  :-(
>

This is bullshit.

The grammar doesn't reduce the functional scope, it can only expand it.

What you are describing has never existed in smtpd, there's never been
code to translate sender addresses and there's a good reason for that:

it was not considered doable before the grammar change...

But sure, blame it on the grammar.


> (If anyone cares, the bad sender addresses are mostly alerts coming from 
> older Sun ALOMs and at least one Lexmark printer that also sends email with 
> broken From addresses.)
> 

I may sound a bit harsh, but starting a thread with "this is my last try
or I'll switch" (as if it actually matters) right before telling someone
who wants to help you that you actually tried _nothing_ then blaming the
code improvements for a use-case that could have never worked because it
not only uses the wrong _documented_ mechanism but also because the code
to make your use-case work has never existed, kind of irritates me.

I don't get royalties on smtpd install, please install whatever software
fits your use case, this is how proper engineering works.

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg





Re: smtpd - help needed tranlsating to new virtual map syntax

2019-01-21 Thread Gilles Chehade
   @example.org   otheru...@example.com
   @   catch...@example.com


You're feeding the virtual table with invalid values.

Also, this is a recipient translation mechanism, similar to aliases, and
not a sender rewriting mechanism which we do not have at this point.


> A cursory glance at the source code (yikes, it's been a long time since I was 
> a programmer) suggests that virtual now only works on recipients, not 
> senders.  Which is too bad for me, as that means I'll have to switch at least 
> one box to use Postfix.
>

virtual _now_ only works on recipients, not senders ?

the virtual code hasn't changed, it works the way it always did.

there is no way it could ever do what you're describing or attempting to
do given that it doesn't operate at all anywhere near the message. there
is no way it has ever parsed:

@bad.athompso.net @good.athompso.net

and the only thing that changed is that such errors are now visible from
the session as:

5.2.4 Mailing list expansion problem

instead of an invalid recipient error like it probably did in 6.3


> I'm not convinced the new smtpd.conf grammar improves anything at all, but I 
> assume it must help someone or it wouldn't have changed... but I believe my 
> use case got thrown out with the bathwater, so to speak.  Oh, well.  :-(
>

This is bullshit.

The grammar doesn't reduce the functional scope, it can only expand it.

What you are describing has never existed in smtpd, there's never been
code to translate sender addresses and there's a good reason for that:

it was not considered doable before the grammar change...

But sure, blame it on the grammar.


> (If anyone cares, the bad sender addresses are mostly alerts coming from 
> older Sun ALOMs and at least one Lexmark printer that also sends email with 
> broken From addresses.)
> 


I may sound a bit harsh, but starting a thread with "this is my last try
or I'll switch" (as if it actually matters) right before telling someone
who wants to help you that you actually tried _nothing_ then blaming the
code improvements for a use-case that could have never worked because it
not only uses the wrong _documented_ mechanism but also because the code
to make your use-case work has never existed, kind of irritates me.

I don't get royalties on smtpd install, please install whatever software
fits your use case, this is how proper engineering works.

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg




Re: Mail to root not working anymore with 6.4

2019-01-14 Thread Gilles Chehade
On Fri, Jan 11, 2019 at 11:27:53PM +0100, Farid Joubbi wrote:
> Hello fellow opensmtpd admins!
> 

Hello,

> I have been running smtpd on OpenBSD for several years without problems.
> Now after upgrading to release 6.4 I have an issue with local system
> e-mails not coming through.
> 
> My hostname is nuc.example.com.
> My normal e-mail address is fa...@example.com.
> All system generated e-mails sent to root go to r...@nuc.example.com, which
> was properly translated to fa...@example.com in 6.3, but not anymore.
> I can't figure out how to fix this.
> 
> This is from the log:
> Jan 11 22:45:02 nuc smtpd[3]: e5cfc1fdf14d2d33 smtp connected
> address=local host=nuc.example.com
> Jan 11 22:45:02 nuc smtpd[3]: e5cfc1fdf14d2d33 smtp message
> address=local host=nuc.example.com msgid=4d7fc17d from=<> to=<
> r...@nuc.example.com> size=1991 ndest=1 proto=ESMTP
> Jan 11 22:45:02 nuc smtpd[3]: e5cfc1fdf14d2d33 smtp disconnected
> address=local host=nuc.example.com reason=quit
> Jan 11 22:45:02 nuc dovecot: lmtp(72696): Connect from local
> Jan 11 22:45:02 nuc dovecot: lmtp(72696): Disconnect from local: Connection
> closed (in RCPT TO)
> Jan 11 22:45:02 nuc smtpd[3]:  mda delivery
> evpid=4d7fc17d08076b4e from=<> to= rcpt=<
> r...@nuc.example.com> user=farid delay=0s result=PermFail stat=Error
> ("mail.lmtp: LMTP server error: 550 5.1.1  User
> doesn't exist: r...@nuc.example.com\^M")

That ^M is very likely a cause of error.


> Jan 11 22:45:02 nuc smtpd[43925]: warn: queue: no return path!
> 
> /etc/mail/aliases is configured to translate root to farid and farid to
> fa...@example.com.
> This worked in 6.3.
> 

Surely that ^M wasn't there because I don't see how it could work.


> 
> nuc# cat /etc/mail/smtpd.conf
> 
> 
> 
> # pki setup
> pki mail.example.com cert "/etc/ssl/mail.example.com.fullchain.pem"
> pki mail.example.com key "/etc/ssl/private/mail.example.com.key"
> 
> # tables setup
> table aliases db:/etc/mail/aliases.db
> #table aliases file:/etc/mail/aliases
> table domains file:/etc/mail/domains
> table passwd passwd:/etc/mail/passwd
> table virtuals file:/etc/mail/virtuals
> table secrets file:/etc/mail/secrets
> 
> # listen ports setup
> listen on lo0
> listen on lo0 port 10026 tag DKIM_CHECKED
> listen on lo0 port 10028 tag DKIM
> listen on egress port 25 tls pki mail.example.com
> listen on egress port 587 tls-require pki mail.example.com auth 
> 
> action lmtp-local lmtp "/var/dovecot/lmtp" rcpt-to
> #action lmtp-local lmtp "/var/dovecot/lmtp" rcpt-to alias 
> action "relay" relay host smtp+tls://smtp...@mail.smtp2go.com:2525 auth
> 
> action "relay_dkim" relay host smtp://127.0.0.1:10027
> action "relay_incoming" relay host smtp://127.0.0.1:10025
> 
> match for local action "lmtp-local"
> match tag DKIM_CHECKED from any for domain  action "lmtp-local"
> match tag DKIM for any action "relay"
> match from any for domain  action "relay_incoming"
> match from local for any action "relay_dkim"
> match auth from any for any action "relay_dkim"
> 
> (My real domain name is censored to protect the innocent).
> 
> Any help is greatly appreciated.
> 

I'm 99% positive the issue is unrelated to your config but related to a
table content containing the \^M control character.


-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
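Added example to go with the diagnosis above (not code from this thread or from OpenSMTPD): a small lint for an aliases(5)-style table. It mimics a loader that strips only the trailing newline, so a CRLF-terminated line keeps its `\r` as part of the alias target, which is consistent with the `\^M` the LMTP 550 shows; it then flags such lines before the table is rebuilt. The sample aliases text is constructed, and `farid@example.com` stands in for the censored address.

```python
"""Lint an aliases(5)-style table for stray control characters.

Added example, not code from the thread or from OpenSMTPD. parse_aliases()
mimics a loader that strips only the trailing '\\n', so a CRLF line ending
survives into the alias target; check_aliases() flags such lines.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the "farid" line was saved with a CRLF line ending.
SAMPLE_ALIASES = (
    "# /etc/mail/aliases\n"
    "root: farid\n"
    "farid: farid@example.com\r\n"
    "postmaster: root\n"
)

# Any C0 control or DEL except TAB; '\n' never reaches this regex because
# the text is split on it first.
CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")


def parse_aliases(text: str) -> Dict[str, List[str]]:
    """Naive aliases parser: strips spaces and tabs around targets but, like a
    loader that only removes '\\n', keeps a trailing '\\r' as data."""
    table: Dict[str, List[str]] = {}
    for raw in text.split("\n"):
        if not raw.strip() or raw.lstrip().startswith("#") or ":" not in raw:
            continue
        key, value = raw.split(":", 1)
        table[key.strip()] = [v.strip(" \t") for v in value.split(",")]
    return table


def expand(table: Dict[str, List[str]], name: str, depth: int = 0) -> List[str]:
    """Follow aliases recursively; stop at a non-alias name or after 16 hops."""
    if depth > 16 or name not in table:
        return [name]
    out: List[str] = []
    for target in table[name]:
        out.extend(expand(table, target, depth + 1))
    return out


def check_aliases(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, key, problem) for each unsafe alias line."""
    problems: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key = line.split(":", 1)[0].strip()
        m = CONTROL.search(line)
        if m:
            problems.append((lineno, key,
                             f"control character {m.group()!r} at column {m.start() + 1}"))
        elif ":" not in line:
            problems.append((lineno, key, "missing ':' separator"))
    return problems


if __name__ == "__main__":
    for lineno, key, problem in check_aliases(SAMPLE_ALIASES):
        print(f"line {lineno} ({key}): {problem}")
    # The '\r' rides along into the final recipient, exactly what the MDA saw.
    print("root expands to", expand(parse_aliases(SAMPLE_ALIASES), "root"))
```

Run it against a copy of /etc/mail/aliases (or any file: table) after an editor or transfer that may have introduced DOS line endings; a clean file yields no findings.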



Re: Confused by certificates

2019-01-07 Thread Gilles Chehade
On Mon, Jan 07, 2019 at 09:18:03AM +, John Cox wrote:
> Hi
> 
> >> Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting
> >> address=smtp://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net
> >> Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connected
> >> Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta starttls
> >> ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
> >> Jan  6 14:35:05 azathoth smtpd[87479]: smtp-out: Server certificate
> >> verification succeeded on session 92975635cb3d86a4
> >> Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta delivery
> >> evpid=00fe7e3a0bda75cf from=
> >> to= rcpt=
> >> source="46.235.226.138" relay="212.54.58.11
> >> (mx.mnd.ukmail.iss.as9143.net)" delay=1s result="Ok" stat="250 2.0.0
> >> MXIN650 mail accepted for delivery
> >> ;id=g9W5guLw5a6xRg9W5gmZtD;sid=g9W5guLw5a6xR;mta=mx4.mnd;d=20190106;t=153505[CET];ipsrc=46.235.226.138;"
> >> Jan  6 14:35:16 azathoth smtpd[87479]: smtp-out: Error on session
> >> 92975635cb3d86a4: opportunistic TLS failed, downgrading to plain
> >> Jan  6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting
> >> address=smtp+notls://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net
> >> Jan  6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta connected
> >> Jan  6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta
> >> disconnected reason=quit messages=1
> >> 
> >> Where I seems to succeed with tls and then it says that it has failed.
> >> What is going on?
> 
> I know I put 2 questions in one message but does anyone have any idea
> why I seem to both get a TLS success & a TLS failure here?
> 

you don't get both a TLS success and a TLS failure here, you only have a
single MTA session: 92975635cb3d86a4

what happens is that session established a connection then attempted TLS
negotiation. this worked fine, the MTA session played out until it hit a
TLS error that caused it to drop connection. TLS was opportunistic so it
connected again but without TLS.

The only "issue" in this log is that there was no need to reconnect, the
TLS error happened _after_ message was accepted and there was no message
pending delivery after this one.

The MTA is being reworked and this bug has no bad side-effect so we will
not fix, just ensure the new MTA code doesn't do that same.

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg

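Added example illustrating the explanation above (not code from this thread or from OpenSMTPD): a per-session audit of `mta` log lines that separates the harmless case described here, where the TLS error and plaintext reconnect happen only after the message was already delivered, from the case a practitioner actually wants to alert on, where the "downgrading to plain" reconnect is followed by a delivery. Session `92975635cb3d86a4` is reconstructed from the lines quoted above; session `0123456789abcdef` and its host are constructed.

```python
"""Per-session audit of OpenSMTPD MTA log lines for opportunistic TLS downgrades.

Added example, not code from the thread or from OpenSMTPD. Lines are grouped
by the 16-hex-digit session id; a session that delivers while not inside a
negotiated TLS channel is reported as "delivered-in-plaintext", a session whose
only oddity is a downgrade after delivery as "downgrade-after-delivery".
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

SID = r"([0-9a-f]{16})"
RE_MTA = re.compile(rf"\b{SID} mta (\w+)(.*)")
RE_DOWNGRADE = re.compile(rf"Error on session {SID}: opportunistic TLS failed")

# Constructed sample: the first session mirrors the thread, the second is made up
# and shows TLS failing before delivery so the message goes out in plaintext.
SAMPLE_LOG = """\
Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting address=smtp://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net
Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connected
Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta starttls ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta delivery evpid=00fe7e3a0bda75cf relay="212.54.58.11" delay=1s result="Ok"
Jan  6 14:35:16 azathoth smtpd[87479]: smtp-out: Error on session 92975635cb3d86a4: opportunistic TLS failed, downgrading to plain
Jan  6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting address=smtp+notls://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net
Jan  6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta connected
Jan  6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta disconnected reason=quit messages=1
Jan  6 15:01:00 azathoth smtpd[87479]: 0123456789abcdef mta connecting address=smtp://198.51.100.7:25 host=mx.example.org
Jan  6 15:01:00 azathoth smtpd[87479]: 0123456789abcdef mta connected
Jan  6 15:01:01 azathoth smtpd[87479]: smtp-out: Error on session 0123456789abcdef: opportunistic TLS failed, downgrading to plain
Jan  6 15:01:01 azathoth smtpd[87479]: 0123456789abcdef mta connecting address=smtp+notls://198.51.100.7:25 host=mx.example.org
Jan  6 15:01:01 azathoth smtpd[87479]: 0123456789abcdef mta connected
Jan  6 15:01:02 azathoth smtpd[87479]: 0123456789abcdef mta delivery evpid=1122334455667788 relay="198.51.100.7" delay=2s result="Ok"
Jan  6 15:01:02 azathoth smtpd[87479]: 0123456789abcdef mta disconnected reason=quit messages=1
"""


@dataclass
class Session:
    tls: bool = False            # currently inside a negotiated TLS channel
    tls_deliveries: int = 0
    plain_deliveries: int = 0
    downgraded: bool = False


def analyse(log: str) -> Dict[str, Session]:
    """Walk the log once and return per-session counters."""
    state: Dict[str, Session] = defaultdict(Session)
    for line in log.splitlines():
        m = RE_DOWNGRADE.search(line)
        if m:
            s = state[m.group(1)]
            s.downgraded = True
            s.tls = False            # whatever follows rides a plaintext channel
            continue
        m = RE_MTA.search(line)
        if not m:
            continue
        sid, event, _rest = m.groups()
        s = state[sid]
        if event == "starttls":
            s.tls = True
        elif event == "connecting":
            s.tls = False            # every new TCP connection starts without TLS
        elif event == "delivery":
            if s.tls:
                s.tls_deliveries += 1
            else:
                s.plain_deliveries += 1
    return dict(state)


def classify(state: Dict[str, Session]) -> List[Tuple[str, str]]:
    """One finding per session; sessions with nothing odd are omitted."""
    findings: List[Tuple[str, str]] = []
    for sid in sorted(state):
        s = state[sid]
        if s.plain_deliveries:
            findings.append((sid, "delivered-in-plaintext"))
        elif s.downgraded:
            findings.append((sid, "downgrade-after-delivery"))
    return findings


if __name__ == "__main__":
    for sid, finding in classify(analyse(SAMPLE_LOG)):
        print(sid, finding)
```

Feed it `grep 'smtpd\[' /var/log/maillog` output; only the second kind of finding means a message crossed the wire unencrypted, and it is the one worth acting on (for example by requiring TLS towards that relay).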



Re: different lmtp destinations from table for mail delivery depending on email address

2018-12-27 Thread Gilles Chehade
On Thu, Dec 27, 2018 at 01:09:33PM +, Craig Skinner wrote:
> Hi Mabi,
> 
> On Wed, 26 Dec 2018 21:24:53 mabi wrote:
> > I would like to setup one OpenSMTPD server as MX server for incoming
> > mails and have OpenSMTPD deliver the mail to different Dovecot
> > mailbox servers using LMTP depending on the e-mail address of the
> > recipient.
> 
> Can your public MX machine route to your private IMAP machines via SMTP?
> 
> Each of your IMAP servers would have an MTA on it.
> 
> Make those MTAs send via LMTP to the local Dovecot over a UNIX socket.
> 
> Keeps it simple, no SQL nor proxies needed.
> 
> Set up a mapping on the public MX machine like this
> (have a cron job write it when users are added/removed):
> 
> joe@public.domain -> joe@imap1.private
> sarah@public.domain -> sarah@imap2.private
> andy@public.domain -> andy@imap3.private
> 

this will appear in Received lines though

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg




Re: different lmtp destinations from table for mail delivery depending on email address

2018-12-26 Thread Gilles Chehade
Doable with OpenSMTPD using multiple actions and using the rcpt-to matching 
criteria, however it feels kind of hackish to do it at that level.

Basically you would create one action per dovecot shard, then one match per 
shard with an rcpt-to criteria pointing to a table containing the recipients 
for that shard.

I’d do that in dovecot myself.

Cheers,


> On 26 Dec 2018, at 22:24, mabi  wrote:
> 
> Hello,
> 
> I would like to setup one OpenSMTPD server as MX server for incoming mails 
> and have OpenSMTPD deliver the mail to different Dovecot mailbox servers 
> using LMTP depending on the e-mail address of the recipient.
> 
> Would this kind of setup be possible to do using the table-postgresql extra 
> addon? I would then have a table in my database where the recipient email 
> address is mapped to a respective mailbox server name (email1 -> server1, 
> email2 -> server2, etc.).
> 
> Right now I use the following action:
> 
> action "dovecot" lmtp "server1:24" rcpt-to virtual 
> 
> which basically only allows me to deliver to one single mailbox server.
> 
> I guess I could still use Dovecot's LMTP proxying feature for that purpose 
> but I think it would be much smarter to do that in OpenSMTPD directly.
> 
> Anyone know if this is possible or have an alternative idea how to do that?
> 
> Best regards,
> Mabi
> 
> 
> 
> 
> 


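Added example for the "one action per shard, one match per shard with an rcpt-to table" approach described above (not code from this thread or from OpenSMTPD): a generator that turns a recipient-to-shard mapping into the per-shard table files, `action` lines and `match ... rcpt-to <table>` rules for the 6.4 grammar. Shard names, hosts, recipients and the `/etc/mail/shard-*` table paths are constructed; the `<domains>` and `<virtuals>` table names follow the configuration quoted in the thread. Because match rules are evaluated in order and the first one that fits wins, a recipient listed in two shard tables would silently go to whichever rule comes first, so the generator refuses such a mapping.

```python
"""Emit per-shard OpenSMTPD 6.4 actions and match rules from a recipient map.

Added example, not from the thread or from OpenSMTPD. Shard names, hosts,
recipients and the /etc/mail/shard-* paths are constructed for illustration.
"""
from typing import Dict, List, Tuple

# Constructed mapping: shard name -> (LMTP endpoint, recipients it holds).
SHARDS: Dict[str, Tuple[str, List[str]]] = {
    "imap1": ("imap1.private:24", ["joe@public.domain", "amy@public.domain"]),
    "imap2": ("imap2.private:24", ["sarah@public.domain"]),
    "imap3": ("imap3.private:24", ["andy@public.domain"]),
}


def find_conflicts(shards: Dict[str, Tuple[str, List[str]]]) -> List[Tuple[str, str, str]]:
    """Return (recipient, first_shard, second_shard) for every address that
    appears in more than one shard; comparison is case-insensitive."""
    seen: Dict[str, str] = {}
    conflicts: List[Tuple[str, str, str]] = []
    for shard in sorted(shards):
        for rcpt in shards[shard][1]:
            rcpt = rcpt.lower()
            if rcpt in seen and seen[rcpt] != shard:
                conflicts.append((rcpt, seen[rcpt], shard))
            seen.setdefault(rcpt, shard)
    return conflicts


def build_shard_config(shards: Dict[str, Tuple[str, List[str]]],
                       domains_table: str = "domains",
                       virtuals_table: str = "virtuals",
                       table_dir: str = "/etc/mail") -> Tuple[str, Dict[str, str]]:
    """Return (smtpd.conf fragment, {table path: table contents}).

    Raises ValueError on a recipient listed in two shards, because the first
    matching `match` rule would otherwise win silently.
    """
    conflicts = find_conflicts(shards)
    if conflicts:
        rcpt, a, b = conflicts[0]
        raise ValueError(f"{rcpt} is listed in both {a} and {b}")

    table_lines: List[str] = []
    action_lines: List[str] = []
    match_lines: List[str] = []
    tables: Dict[str, str] = {}
    for shard in sorted(shards):
        endpoint, recipients = shards[shard]
        table = f"shard-{shard}"
        path = f"{table_dir}/{table}"
        # One address per line, lower-cased and de-duplicated.
        tables[path] = "".join(f"{r}\n" for r in sorted({r.lower() for r in recipients}))
        table_lines.append(f"table {table} file:{path}")
        action_lines.append(
            f'action "lmtp-{shard}" lmtp "{endpoint}" rcpt-to virtual <{virtuals_table}>')
        match_lines.append(
            f'match from any for domain <{domains_table}> rcpt-to <{table}> action "lmtp-{shard}"')
    conf = "\n".join(table_lines + [""] + action_lines + [""] + match_lines) + "\n"
    return conf, tables


if __name__ == "__main__":
    conf, tables = build_shard_config(SHARDS)
    print(conf)
    for path, body in tables.items():
        print(f"# {path}\n{body}")
```

A recipient for the domain that is in no shard table matches none of the generated rules, so it is rejected at RCPT unless a later rule in smtpd.conf accepts it; that is the intended fail-closed behaviour for an MX, but worth remembering when a new mailbox is created on a shard before the tables are regenerated.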



Re: connect to cyrus lmtp with "as user"

2018-12-26 Thread Gilles Chehade
On Wed, Dec 26, 2018 at 05:37:49PM +0100, Peter J. Philipp wrote:
> Hi,
> 
> I'm somewhat at a dilemma.  I'm on OpenBSD 6.3 and upgraded the CVS tree for
> smtpd to -current.  With this I wanted to achieve configuring the smtpd for
> an upgrade to 6.4.  However my old config does not fit after having translated
> it to 6.4 syntax.
> 
> The host in question is an internal LAN host that fetchmail's mail from my VPS
> and inserts it into cyrus imapd so that the LAN here can use IMAP.  The line
> in the smtpd.conf used to say this:
> 
> accept for local alias  deliver to lmtp "/var/imap/socket/lmtp" as _cyrus
> 
> And the new action I have this:
> 
> action "local" lmtp "/var/imap/socket/lmtp" alias 
> 

from the smtpd.conf(5) man page:


 The local delivery methods support additional options:

 [...]

 user username
 Specify the username for performing the delivery, to be
 looked up with getpwnam(3).

 This is used for virtual hosting where a single username
 is in charge of handling delivery for all virtual users.

         This option is not usable with the mbox delivery method.



-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg




Re: What if sender is a network?

2018-12-26 Thread Gilles Chehade
On Wed, Dec 26, 2018 at 11:18:33AM +0300, Tevfik Ceydeliler wrote:
> Hi,
> 
> I try to configure smtpd.conf file
> 
> I have some conf line that works successfully like that:
> 
> accept from source { 10.65.8.100 } sender { "@test.com" } for domain {
> anothertests.com } relay
> 
> It is OK for one IP address. But I try to do it with a subnet such as sources
> is 10.65.8.0/24 or range from 10.65.8.1 to 10.65.8.255 . How can I to do it?
> 
> To do, should I enter 255 IP address one by one or is there any other
> parameter?
> 

quoting the man page:

 [!] from src address | 
 Specify that session may only originate from string or
 list table address which can be a specific address or a
 subnet expressed in CIDR-notation.

you're using an older version of OpenSMTPD, but it worked the same.

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg




Re: Maildir filenames are now localhost?

2018-12-23 Thread Gilles Chehade
On Mon, Dec 24, 2018 at 12:20:09AM -0500, ED Fochler wrote:
> I'm running OpenBSD 6.4 release, and since upgrading all of the Maildir files 
> created by smtpd are named 
> 1545583984.c094e34d.localhost
> instead of 
> 1544841199.94379.host.domain.tld
> 
>   Is this how it is supposed to be?  Or have I bungled my config?
> 
> I have a FQDN defined by /etc/myname, and reverse DNS, and listed in 
> /etc/mail/mailname.
> 
>   Humbly asking,
> 

this bug was introduced between 6.3 and 6.4, when I rewrote maildir as a
real MDA instead of an OpenSMTPD builtin.

it was fixed three days ago in -current.


-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg




Re: Thoughts and queries (n=1) on the filter API

2018-12-23 Thread Gilles Chehade
ER_HELO,  "helo", filter_builtins_helo },
>   { FILTER_EHLO,  "ehlo", filter_builtins_helo },
>   { FILTER_STARTTLS,  "starttls", filter_builtins_notimpl },
> ..
> 

yes, the same implementation of the builtin is used so I factored it but
the filter phase  and reporting events differentiate them.

don't worry about that I ran a filter rejecting HELO and accepting EHLO,
the two are distinct as far as filtering is concerned.


> > > 7) In lka_filter.c, if a filter feeds back more than LINE_MAX, should
> > > we handle that?
> > >
> > > (void)strlcpy(buffer, line, sizeof buffer);
> > >
> > 
> > that's an interesting question.
> > 
> > LINE_MAX is not the correct value but we need to have a maximum value
> > for the line and filters will need to ensure they don't produce lines
> > bigger than these.
> 
> Understood. I based the LINE_MAX on the following within lka_filter.c:
> int
> lka_filter_process_response(const char *name, const char *line)
> {
>   ...
>   char buffer[LINE_MAX];
>   ...
>   (void)strlcpy(buffer, line, sizeof buffer);
> 

yes, I had to start with something.

to be very transparent my goal was to get behaving filters to fully work
before the end of the year, then jan/feb/mar will be to ensure smtpd can
cope with misbehaving filters.

the areas we know need to be improved:

- all kinds of timeouts: smtp session timeout, filters timeout, ...
- all kinds of DATA issues: filter responding with end of message, while
  client hasn't responded with end of message yet, ...
- all kinds of exhaustions: failure to allocate filter sessions, failure
  to send data to filters because the pipe is exhausted, ...
- all kinds of filters fuckup: filters responding with bad phases or bad
  sessions or bad action, etc... some are bugs, some are legit, ...

now that we know filters work, including in chains, we can focus on what
is needed to make them rock solid for April :-)

please continue raising questions because the more people play with them
the more we can spot what needs to be investigated.

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg

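Added example for the list of things a filter can get wrong above (not code from this thread or from OpenSMTPD): a guard for lines coming back from a filter process. The response line layout `filter-result|<session>|<token>|<action>[|<param>]`, the action set and the 2048-byte cap are assumptions chosen for illustration, not the project's wire protocol. What it shows is the handling of the failure classes named in the message: an over-long line is refused rather than silently truncated the way a fixed `strlcpy` buffer would truncate it, an answer for an unknown or already-answered (session, token) pair is ignored, a bad action or missing parameter drops the filter, and every outstanding query carries a deadline so a silent filter times out instead of hanging the SMTP session.

```python
"""Guard for response lines from an smtpd filter process.

Added example, not code from the thread or from OpenSMTPD. The line layout
`filter-result|<session>|<token>|<action>[|<param>]`, ACTIONS and MAX_LINE
are assumptions for illustration, not the project's wire protocol.
"""
from typing import Callable, Dict, List, Optional, Tuple

MAX_LINE = 2048                                             # assumed cap
ACTIONS = {"proceed", "reject", "disconnect", "rewrite"}     # assumed action set
NEEDS_PARAM = {"reject", "disconnect", "rewrite"}            # assumed


class FilterGuard:
    def __init__(self, clock: Callable[[], float], timeout: float = 5.0,
                 max_line: int = MAX_LINE) -> None:
        self.clock = clock            # injectable so tests can control time
        self.timeout = timeout
        self.max_line = max_line
        # (session, token) -> deadline for outstanding queries
        self.pending: Dict[Tuple[str, str], float] = {}

    def issue(self, session: str, token: str) -> None:
        """Record that a query was sent to the filter and when it is due."""
        self.pending[(session, token)] = self.clock() + self.timeout

    def handle(self, line: str) -> Tuple[str, str]:
        """Classify one response line as (disposition, detail).

        Dispositions: "ok" (apply the action), "ignore" (stale or unknown
        answer), "timeout" (late answer), "drop-filter" (protocol violation,
        the filter must be killed and its sessions failed).
        """
        if len(line) > self.max_line:
            # Do not truncate: a cut-off rewrite or reject text is itself a bug.
            return "drop-filter", "line exceeds limit"
        parts = line.rstrip("\n").split("|", 4)   # a param may itself contain '|'
        if len(parts) < 4 or parts[0] != "filter-result":
            return "drop-filter", "malformed response"
        session, token, action = parts[1], parts[2], parts[3]
        param: Optional[str] = parts[4] if len(parts) > 4 else None
        deadline = self.pending.pop((session, token), None)
        if deadline is None:
            return "ignore", "no outstanding query for session/token"
        if self.clock() > deadline:
            return "timeout", "answer arrived after deadline"
        if action not in ACTIONS:
            return "drop-filter", f"unknown action {action!r}"
        if action in NEEDS_PARAM and not param:
            return "drop-filter", f"{action} requires a parameter"
        return "ok", action

    def expired(self) -> List[Tuple[str, str]]:
        """Queries the filter never answered; each session should be failed
        explicitly rather than left waiting forever."""
        now = self.clock()
        late = [key for key, deadline in self.pending.items() if now > deadline]
        for key in late:
            del self.pending[key]
        return late


if __name__ == "__main__":
    import time
    guard = FilterGuard(clock=time.monotonic, timeout=5.0)
    guard.issue("3e7c1d8a9b2f4e60", "1")
    print(guard.handle("filter-result|3e7c1d8a9b2f4e60|1|proceed"))
    print(guard.handle("filter-result|3e7c1d8a9b2f4e60|1|proceed"))   # duplicate answer
```

The same bookkeeping is what lets the daemon tell a legitimate late answer from a filter replying for a session that no longer exists; both are "ignore", but a misbehaving filter that keeps producing them can be counted and dropped by the caller.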


