smtpd.conf on OpenBSD: how to say "internal network"?

2023-10-21 Thread Harald Dunkel
Hi folks, hardwired constants in my smtpd.conf are causing problems with IPv6 prefix delegation, so I wonder if there is some abbr. for "internal network"? Something like # table localnet { 10.10.10.0/24 10.10.11.0/24 2001:db8:abcd:0012::/64 } : listen on intern tls pki

smtpctl: lookup_record: %{i}._spf.mta.salesforce.com contains macros and can't be resolved

2023-01-26 Thread Harald Dunkel
Hi folks, smtpctl spfwalk returns messages like smtpctl: lookup_record: %{i}._spf.mta.salesforce.com contains macros and can't be resolved smtpctl: lookup_record: %{ir}.%{v}.%{d}.spf.has.pphosted.com contains macros and can't be resolved smtpctl: lookup_record: %{i}._spf.mta.salesforce.com

what does "from=<>" mean?

2022-07-06 Thread Harald Dunkel
Hi folks I see quite a number of EMails mentioned in /var/log/maillog with a string "from=<>", e.g. Jul 6 08:08:24 mailgate smtpd[84448]: 90d0e01d76abce9c mta delivery evpid=e62074ed220d58f9 from=<> to= rcpt=<-> source="10.0.96.7" relay="10.0.96.11 (mailhost.mydomain.com)" delay=0s

bounce invalid message IDs?

2022-07-04 Thread Harald Dunkel
Hi folks, is it possible to bounce invalid message IDs, e.g. using a UUID instead of the well-known format (https://en.wikipedia.org/wiki/Message-ID)? Regards Harri

Re: EMails to "ORCPT=rfc822;u...@example.com" are rejected

2022-06-01 Thread Harald Dunkel
On 2022-05-31 11:50:39, Harald Dunkel wrote: Hi Frank, I am not sure if I got this correctly, but AFAIU you assume some unusual chars in the recipient address. There are none, according to /var/log/maillog. The chars in the recipient address are between 0x33 and 0x7e. And there is neither

Re: EMails to "ORCPT=rfc822;u...@example.com" are rejected

2022-05-31 Thread Harald Dunkel
thers think of the way we are handling the ORCPT? Cheers Frank [1] https://datatracker.ietf.org/doc/html/rfc3461#section-4.2 [2] https://datatracker.ietf.org/doc/html/rfc3461#section-4 On Mon, 2022-05-30 at 09:04 +0200, Harald Dunkel wrote: Hi folks, my MTA (opensmtpd on OpenBSD

EMails to "ORCPT=rfc822;u...@example.com" are rejected

2022-05-30 Thread Harald Dunkel
Hi folks, my MTA (opensmtpd on OpenBSD 7.0) rejects a few EMails with a message like May 27 08:42:30 mymta smtpd[10310]: f06a752b657b4a05 smtp failed-command command="RCPT TO: ORCPT=rfc822;u...@example.com" result="550 Invalid recipient: " in /var/log/maillog. The EMails to u...@example.com

do I have to set pki in the relay action?

2022-03-23 Thread Harald Dunkel
Hi folks, what is the default for the pki option in a relay action? The man page doesn't tell, AFAICS. Regards Harri

what happened to "protocols" and "ciphers" options?

2022-02-19 Thread Harald Dunkel
Hi folks, on OpenBSD's smtpd I can set "protocols" and "ciphers" for the listen lines. They are not mentioned in the man page for smtpd.conf on Linux. What is the story here? Regards Harri

restart necessary on certificate upgrade (letsencrypt)?

2022-01-09 Thread Harald Dunkel
Hi folks, I wonder if opensmtpd starts using new key and certificate chain automagically, in case they replaced the old files? Do I have to hup or restart smtpd? Hopefully I am not too blind to see, but apparently the man page doesn't tell. Regards Harri

6.9 regression: opensmtpd complains "smtp cert-check result=\"no certificate presented\""

2021-06-21 Thread Harald Dunkel
Hi folks, since the upgrade to OpenBSD 6.9 at the weekend opensmtpd complains smtp cert-check result="no certificate presented" for incoming EMails. opensmtpd.conf and the certificate chain hasn't changed. There is only a single MX defined in DNS (for both "example.com" and

Re: smtpctl spf walk -6 ?

2021-05-12 Thread Harald Dunkel
On 5/12/21 2:56 PM, Martijn van Duren wrote: Apparently it's a problem in glibc's inet_net_pton. It does not support AF_INET6. to.c has the same problem and works around this problem by handcrafting broken_inet_net_pton_ipv6(). Would it be possible to use inet_pton() ? Regards Harri

Re: smtpctl spf walk -6 ?

2021-05-12 Thread Harald Dunkel
On 5/12/21 8:56 AM, nathanael wrote: this is what i get on my machine: ~ echo spf.protection.outlook.com | smtpctl spf walk 40.92.0.0/15 40.107.0.0/16 52.100.0.0/14 104.47.0.0/17 2a01:111:f400::/48 2a01:111:f403::/48 51.4.72.0/24

smtpctl spf walk -6 ?

2021-05-12 Thread Harald Dunkel
Hi folks, I am a big fan of IPv6, so I wonder why smtpctl spf walk omits all the IPv6 addresses? # echo spf.protection.outlook.com | smtpctl spf walk 40.92.0.0/15 40.107.0.0/16 52.100.0.0/14 104.47.0.0/17 51.4.72.0/24 51.5.72.0/24

Re: dkim signing integrated in opensmtpd?

2021-05-10 Thread Harald Dunkel
On 5/10/21 3:14 PM, Martijn van Duren wrote: There's filter-dkimsign in packages, which is also mentioned in smtpd.conf. I don't think there's a more lightweight solution possible. I had found your web site https://palant.info/2020/11/09/adding-\

dkim signing integrated in opensmtpd?

2021-05-10 Thread Harald Dunkel
Hi folks, Would it be possible to *integrate* dkim signatures in opensmtpd? I saw rspamd, but this is not an option. I am looking for a lightweight solution for signing EMail headers. Regards Harri

Re: what happened to smtpd-filters.7 ?

2021-03-19 Thread Harald Dunkel
Hi Martin, thank you very much for your response. I stumbled over this lost man page looking for additional information about the filters mentioned on https://man.openbsd.org/smtpd.conf. Apparently there are a few more unused source files in the git repository. They are very hard to detect

what happened to smtpd-filters.7 ?

2021-03-19 Thread Harald Dunkel
Hi folks, looking at github there is a file "smtpd-filters.7" and "filter.c" in smtpd, but apparently they are not used at build or install time. configure.ac doesn't mention them, either, so I wonder whats the story here? Have they been forgotten? Obsolete code? Regards Harri

how to reject a spoofed "From: " address?

2021-01-08 Thread Harald Dunkel
Hi folks, AFAICS opensmtpd can reject EMails with a spoofed from address in the envelope, as shown in smtpd.conf(5). But how can I reject EMails with a spoofed "From: " address in the EMail header, matching my own domain? See below for smtpd.conf. EMails with a spoofed From addresses get

Re: how to watch opensmtpd filters at work?

2021-01-07 Thread Harald Dunkel
On 1/7/21 3:03 PM, Martijn van Duren wrote: Could you show your config, steps to reproduce and expected behaviour? Because I'm not entirely sure what you try to achieve. I was trying to see which rules in smtpd.conf match. "smtpctl trace all" didn't work. Problem was, I hadn't enabled debug

Re: how to watch opensmtpd filters at work?

2021-01-07 Thread Harald Dunkel
On 1/7/21 1:03 PM, Martijn van Duren wrote: Your question isn't really specific, but my best guess is that -Tfilters will do the trick. I tried "smtpctl trace all", but there was no visual effect. Regards Harri

how to watch opensmtpd filters at work?

2021-01-07 Thread Harald Dunkel
Hi folks, for debugging I would like to know which "match" line does actually match the incoming EMails. Is there some option for opensmtpd to watch it? "-v" seems to be insufficient. Every insightful comment would be highly appreciated. Regards Harri

Re: OpenSMTPD 6.8.0p1 RC1 - please test !

2020-12-07 Thread Harald Dunkel
I installed it on my mailhost: Seems to work. The problem with logging ("y express" instead of "smtpd" in the logfile) seems to be gone. Good work Harri

common format for maillog lines?

2020-10-08 Thread Harald Dunkel
Hi folks, apparently there are 2 different kinds of lines in /var/log/maillog: Lines with a message id, and lines without. Very painful. The lines without message id seem to start with "smtp-out:", eg smtp-out: No valid route for

Re: how to ignore TLS1.3 for test purposes?

2020-07-29 Thread Harald Dunkel
On 2020-07-29 04:12, Larkin Nickle wrote: Looking at smtpd.conf(5), you should be able to put `smtp ciphers control` (control being the control string of allowed ciphers). The default is "HIGH:!aNULL:!MD5". I think "HIGH:!aNULL:!MD5!TLSv1.3" should be valid in removing TLSv1.3 as far as I can

how to ignore TLS1.3 for test purposes?

2020-07-28 Thread Harald Dunkel
Hi folks, there seems to be a compatibility issue between opensmtpd on OpenBSD 6.7 and exim4 on Debian's bugtracker, see https://lists.debian.org/debian-user/2020/07/msg01091.html Most recent syspatches are applied, of course. I cannot reproduce this problem with opensmtpd 6.7.1-p1 on

Re: smtp-out: Address family mismatch

2020-07-26 Thread Harald Dunkel
The Network error on destination MX has been resolved. The Address family mismatch is still open. smtpctl show queue gives me a9f755dd88e88083|inet4|mta||u...@example.com|cont...@bugs.debian.org|cont...@bugs.debian.org|1595227438|1595227438|0|27|pending|29446|Address family mismatch on

Re: opensmtpd appears to be IPv4-only

2020-07-26 Thread Harald Dunkel
Hi Slavik, On 2020-07-22 18:26, Slavik Svyrydiuk wrote: I do not have any issues with IPv6. It works for me. Ubuntu == opensmtpd 6.0.3p1-1ubuntu0.2 smtpd.conf lines: listen on 0.0.0.0 port 25 listen on ::0 port 25 $ netstat -lnt | grep ':25' tcp0 0 0.0.0.0:25

opensmtpd appears to be IPv4-only

2020-07-22 Thread Harald Dunkel
Hi folks, I've got a problem with IPv6 support for opensmtpd 6.7.1p1 on Debian: Apparently opensmtpd seems to ignore IPv6 after a reboot. My smtpd.conf says : xname = "mailhost.example.com" pki $xname cert "/etc/mail/ssl/mailhost.example.com.cert" pki $xname key

Re: smtp-out: Address family mismatch

2020-07-11 Thread Harald Dunkel
Hi Thomas, On 7/7/20 2:12 AM, Thomas Bohl wrote: My guess would be that the target domain, at the time of the DNS query, only returned a IPv6 address. I have a similar problem. My config is action "relay2Internet" relay \     helo $hostn \     src {$v4adr, $v6adr} as I want to

smtp-out: Address family mismatch

2020-07-06 Thread Harald Dunkel
Hi folks, I see a lot of outgoing EMails queued with a message "smtp-out: Address family mismatch" in the log file. My colleagues don't like EMails being put on hold at all. Prior to 6.4 there was a limit mta inet4 The upgrade guide to the new smtpd.conf syntax

syslog logging changed ?

2020-06-26 Thread Harald Dunkel
Hi folks, before 6.7 the smtpd log file entries were easy to find: Just look for "smtpd" in /var/log/mail.log. With 6.7 this became "y express". On OpenBSD 6.7 its still "smtpd" as expected, so I wonder wth? Regards Harri

Re: OpenSMTPD 6.6.2p1 released: addresses CRITICAL vulnerability

2020-01-30 Thread Harald Dunkel
Hi Jason, On 2020-01-29 14:33, Jason Barbier wrote: According to the CVE everything since the commit in May 2018 that established the new grammar. The EMail did not mention a CVE. I was very concerned that I had to upgrade my "old" hosts to the new smtpd.conf syntax, so this is good news.

Re: OpenSMTPD 6.6.2p1 released: addresses CRITICAL vulnerability

2020-01-29 Thread Harald Dunkel
Hi Gilles, On 2020-01-28 23:30, gil...@poolp.org wrote: Hello misc@, Qualys has found a critical vulnerability leading to a possible privilege escalation. It is very important that you upgrade your setups AS SOON AS POSSIBLE. We'll provide more details when the advisory will be out and I'll

improve smtpd.conf syntax check at startup?

2020-01-24 Thread Harald Dunkel
Hi folks, Do you think it would be possible to improve checking the syntax of the config file? A line like action "relay" relay host smtp+tls"//t...@example.com auth did not trigger an error message at startup time. When there was an EMail to send I got an error message in mail.log

Re: tags on the portable branch?

2019-08-24 Thread Harald Dunkel
Hi Gilles, On 8/24/19 9:14 PM, Gilles Chehade wrote: > > This is expected. > > Version 6.4.x only builds with LibreSSL or OpenSSL 1.0.x > do you think it would be possible to set a tag matching support for openssl 1.1.1c as well? The version I am using right now now is based on

Re: tags on the portable branch?

2019-08-24 Thread Harald Dunkel
On 8/23/19 9:55 PM, John Cox wrote: > Hi > > Whilst I know it doesn't help you I just git cloned that URL and the > tag checkout just worked for me. What happens if you make another new > (temporary) repo with clone and try again? > > Regards > > John Cox > Using a new clone, as suggested:

Re: tags on the portable branch?

2019-08-23 Thread Harald Dunkel
On 8/23/19 1:37 PM, Harald Dunkel wrote: {hdunkel@dpcl082:OpenSMTPD (portable) 518} git remote -v origin  https://github.com/OpenSMTPD/OpenSMTPD.git (fetch) origin  https://github.com/OpenSMTPD/OpenSMTPD.git (push) {hdunkel@dpcl082:OpenSMTPD (portable) 519} git checkout opensmtpd-6.4.2p1 error

Re: tags on the portable branch?

2019-08-23 Thread Harald Dunkel
On 8/22/19 10:34 AM, Gilles Chehade wrote: On Thu, Aug 22, 2019 at 10:24:30AM +0200, Harald Dunkel wrote: Hi folks, would it be possible to set tags on the portable branch as well? Something like portable-6.4.1 would do. This could help alot for creating some kind of "off

tags on the portable branch?

2019-08-22 Thread Harald Dunkel
Hi folks, would it be possible to set tags on the portable branch as well? Something like portable-6.4.1 would do. This could help alot for creating some kind of "official" source package for Debian and Fedora/RedHat. Thanx in advance Harri

Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-14 Thread Harald Dunkel
On 8/14/19 3:43 PM, Harald Dunkel wrote: > > This is Debian sid (amd64), including openssl version 1.1.1c . > Here is the list of packages providing shared objects for smtpd: > > ||/ Name VersionArchitect

Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-14 Thread Harald Dunkel
On 8/13/19 9:02 PM, gil...@poolp.org wrote: > 13 août 2019 12:35 "Harald Dunkel" a écrit: > >> >> Surely I don't have a highly complex EMail configuration, but >> the new version is running on my MTA and the nullclients since >> Aug 7th: No issues by no

Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-13 Thread Harald Dunkel
Hi folks, On 7/24/19 1:16 PM, Gilles Chehade wrote: > On Wed, Jul 24, 2019 at 10:29:34AM +0200, Harald Dunkel wrote: > >> I will check runtime ASAP. >> > > Great ! > > Keep on providing feedback please ! > Surely I don't have a highly complex EMail c

Re: git portable branch: Failed to parse smarthost

2019-08-06 Thread Harald Dunkel
Hi Gilles, On 8/6/19 1:35 PM, Gilles Chehade wrote: > > you're using an auth label but this requires a secure transport. > > from smtpd.conf(5): > > The label corresponds to an entry in a credentials table, > as documented in table(5). It is used with the > "smtp+tls" and

git portable branch: Failed to parse smarthost

2019-08-05 Thread Harald Dunkel
Hi folks, trying the new smtpd with openssl support on Debian I get the following error: Aug 5 18:56:26 mailhost smtpd[712]: warn: Failed to parse smarthost smtp://someh...@mail.somehost.de Mail is not forwarded, of course. The config file says : table localnet { 10.0.0.0/24,

Re: openssl support

2019-05-17 Thread Harald Dunkel
Hi Gilles, I understand that ssl support is a highly complex issue, making it necessary to focus and to get rid of the cruft. It would be a pity if opensmtpd becomes "OpenBSD-only", though. Regards Harri -- You received this mail because you are subscribed to misc@opensmtpd.org To

openssl support

2019-05-17 Thread Harald Dunkel
Hi folks, I wonder what became of https://github.com/OpenSMTPD/OpenSMTPD/issues/534 ? IMHO this issue was closed way too early. Are all OS distros happy with opensmtpd going libressl-only? Will the rest follow? Regards Harri -- You received this mail because you are subscribed to

Re: opensmtpd 6.0.3: redirect outgoing EMails to an internal account

2019-05-13 Thread Harald Dunkel
On 5/10/19 10:55 AM, Harald Dunkel wrote: Hi folks, for testing purposes I have to setup opensmtpd 6.0.3 to redirect all outgoing EMails from a list of stage systems to a dedicated internal account. smtpd.conf is attached. I have found it: : table aliases file:/etc/aliases table vmap file

Re: opensmtpd 6.0.3: redirect outgoing EMails to an internal account

2019-05-10 Thread Harald Dunkel
Hi Gilles, On 5/10/19 11:30 AM, Gilles Chehade wrote: without your configuration it's hard to determine what's wrong Config file was attached. You can find it in the archive as well, e.g. on https://www.mail-archive.com/misc@opensmtpd.org/msg04343.html Regards Harri -- You received this

opensmtpd 6.0.3: redirect outgoing EMails to an internal account

2019-05-10 Thread Harald Dunkel
Hi folks, for testing purposes I have to setup opensmtpd 6.0.3 to redirect all outgoing EMails from a list of stage systems to a dedicated internal account. smtpd.conf is attached. Problem is, there is an invalid recipient error for sending an EMail from such a stage system: % netcat

Re: kill -HUP not working as expected

2018-11-29 Thread Harald Dunkel
Hi Gilles, On 11/29/18 9:17 AM, Gilles Chehade wrote: there are multiple reasons behind that: - smtpd can be killed/restarted right away without having to do cleanups and given that other MTA are supposed to retry transfers if connection drops, the complexity of dealing with reloading

kill -HUP not working as expected

2018-11-28 Thread Harald Dunkel
Hi folks, I learned some time ago that daemons restart or reload their config file, when they receive a HUP. sendmail, sshd and tons of others do. smtpd doesn't. :-( Regards Harri -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to:

Address family mismatch on destination MXs

2018-11-07 Thread Harald Dunkel
Hi folks, sometimes opensmtpd (OpenBSD 6.3) queues an EMail with Address family mismatch on destination MXs even though smtpd.conf says limit mta inet4 The destination MX on my testcase (running OpenBSD 6.3 and opensmtpd as well) has both IPv4 and IPv6 address. According to

Re: 6.4 broke procmail .forward

2018-10-31 Thread Harald Dunkel
Hi Gilles, On 10/28/18 6:52 PM, Gilles Chehade wrote: Please do yourselves a favor, ditch procmail in favor of fdm. I am not sure if fdm is an option. Looking at https://github.com/ft/fdm.git it seems that this code has been abandoned. Are there others? Regards Harri -- You received

Re: "limit mta inet4" is ignored, smtpd fails to start

2018-03-18 Thread Harald Dunkel
On 03/18/18 13:54, Richard wrote: > > It appears that "limit mta inet4" statement limits outgoing ipv6 > connections but not incoming ipv6 connections... > > Instead of the limit statement one might use a notation like this > which limits incoming and outgoing connections to ipv4 by interface: >

Re: smtpd: listen on (eth0)

2017-04-22 Thread Harald Dunkel
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 04/21/17 05:56, Harald Dunkel wrote: > Hi folks, > > I am running opensmtpd on Linux (next to OpenBSD, of course). Problem: > Apparently smtpd doesn't recognize a new IPv6 address assigned to the network > interface (e.g.

smtpd: listen on (eth0)

2017-04-20 Thread Harald Dunkel
Hi folks, I am running opensmtpd on Linux (next to OpenBSD, of course). Problem: Apparently smtpd doesn't recognize a new IPv6 address assigned to the network interface (e.g. due to a prefix change). It keeps on listening on the old IPv6 address only. Do you think this could be improved? Thanx