CA certificate stores?

2020-03-04 Thread John Cox
Hi all

Can anyone help me with how to get custom certificate verification to
work in opensmtpd?

I have two opensmtpd machines - yidhra & azathoth - and I want to
deliver mail from azathoth to yidhra.

On yidhra:

I have generated a local self-signed CA cert
I have generated a machine cert and signed it with my CA cert
I can verify the machine cert against the CA cert with openssl
I have the certs set in smtpd.conf with

pki yidhra.outer.uphall.net cert
"/etc/ssl/local_certs/yidhra.outer.uphall.net.crt"
pki yidhra.outer.uphall.net key
"/etc/ssl/private/yidhra.outer.uphall.net.key"
ca yidhra.outer.uphall.net cert
"/etc/ssl/local_certs/ca_uphall.net.crt"

and I believe that all works.

When azathoth attempts to deliver mail I get

Mar  4 15:25:04 azathoth smtpd[85072]: 45f2eb8c98e80a78 mta connecting
address=smtp://10.44.0.3:25 host=yidhra.outer.uphall.net
Mar  4 15:25:04 azathoth smtpd[85072]: 45f2eb89e3a43fb8 smtp
disconnected reason=quit
Mar  4 15:25:04 azathoth smtpd[85072]: 45f2eb8c98e80a78 mta connected
Mar  4 15:25:04 azathoth smtpd[85072]: 45f2eb8c98e80a78 mta tls
ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
Mar  4 15:25:04 azathoth smtpd[85072]: 45f2eb8c98e80a78 mta
server-cert-check result="failure"

My questions are:
Where should I have put the local CA cert on azathoth in order to get
cert check success?

Do I need a certificate with purposes set - my current one doesn't?  

Can I get enhanced debug on the cert verification process so I know
what is failing?

I had this working (with verify required) until my certs timed out
recently & I have clearly cocked up something when updating
everything.

Many Thanks

John Cox



Re: tags on the portable branch?

2019-08-23 Thread John Cox
Hi

>On 8/23/19 1:37 PM, Harald Dunkel wrote:
>> 
>> {hdunkel@dpcl082:OpenSMTPD (portable) 518} git remote -v
>> origin  https://github.com/OpenSMTPD/OpenSMTPD.git (fetch)
>> origin  https://github.com/OpenSMTPD/OpenSMTPD.git (push)
>> {hdunkel@dpcl082:OpenSMTPD (portable) 519} git checkout opensmtpd-6.4.2p1
>> error: pathspec 'opensmtpd-6.4.2p1' did not match any file(s) known to git
>> 
>> ???
>> 
>
>PS: Of course I did a "git fetch --all" first.

Whilst I know it doesn't help you I just git cloned that URL and the
tag checkout just worked for me.  What happens if you make another new
(temporary) repo with clone and try again?

Regards

John Cox



Re: RBLs?

2019-06-20 Thread John Cox
Hi

>Hi,
>
>I’ve been using a combination of OpenSMTPd and spamd on OpenBSD (currently at 
>6.5) for some time and with success. However, there are still some 
>false-negatives and I’m looking at ways of reducing those. One way is by 
>making use of RBLs.
>
>(I’ve evaluated delivered spam and the majority of it seems to be coming from 
>IPs that are on various blacklists but aren’t being caught by greylisting.)
>
>spamd doesn’t support RBLs, at least that I’ve found, it can only use lists 
>that can be downloaded locally—the particular service I’m wanting to use only 
>provides DNS-based RBLs. So that’s my problem…
>
>I’m looking for ways of including an RBL in either spamd or OpenSMTPd, 
>preferring to stay in OpenBSD base as much as possible. (In other words, I’d 
>prefer to not rip out spamd or replace or supplement it with SpamAssassin or 
>rspamd—I’d rather find a solution that will plugin _specifically_ for RBLs 
>without all of the other bloat
>that SpamAssassin and similar products bring.
>
>Can anyone offer some input on this please?
>
>I’m not opposed to writing an OpenSMTPd filter, though I’d need to locate some 
>documentation for that (I’ve looked but haven’t been able to find it, so I’m 
>probably looking in the wrong places—suggestions welcomed).
>
>~ Tom

I wrote a python script (enclosed) that scans the spamd logs, looks up
new ip address in zen.spamhaus.org and blacklists if found.  It keeps
a cache of what it has done to keep the load down and expires it over
time.  If run at least once within the whitelisting period it will do
the RBL thing for you.

The script has various command line options (mostly for testing) but
oddly if you want to change the RBL you are going to have to edit the
script (hopefully obvious).

I have this line in roots crontab to run it every 15mins

*/15 *   *   *   *   /usr/local/bin/dnsbl-scan.py

Hope that helps

JC



dnsbl-scan.py
Description: Binary data
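John's dnsbl-scan.py is only attached to the archive, not shown, so what follows is an added example of my own rather than the script from the post. It does the job the message describes: pull newly greylisted senders out of spamd's log, query each one under zen.spamhaus.org, keep a TTL cache so that repeat runs stay cheap, and mark listed senders as trapped. The log lines are constructed in the shape spamd writes via syslog, the DNS lookup is injectable so the logic can be exercised offline, and emitting `spamdb -t -a` (printed, not executed) is my assumed blacklisting action; the script also distinguishes Spamhaus's error answers (127.255.255.x) from real listings, which a naive "any answer means listed" check would get wrong.

```python
import ipaddress
import json
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

DEFAULT_ZONE = "zen.spamhaus.org"  # change the DNSBL here

# Constructed sample lines in the shape spamd(8) writes via syslog: a
# "connected" line is a new greylist entry, "lists:" marks a sender spamd
# already matched against a locally loaded blacklist.
SAMPLE_LOG = """\
Jun 20 10:01:22 gw spamd[4711]: 192.0.2.10: connected (1/0)
Jun 20 10:02:05 gw spamd[4711]: 198.51.100.7: connected (1/1), lists: spamhaus
Jun 20 10:03:40 gw spamd[4711]: 203.0.113.42: connected (2/0)
Jun 20 10:05:00 gw spamd[4711]: 192.0.2.10: connected (1/0)
Jun 20 10:06:10 gw spamd[4711]: 192.0.2.99: connected (3/0)
"""
CONNECT_RE = re.compile(
    r"spamd\[\d+\]: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}): connected\b(?P<rest>.*)$")


def new_greylist_ips(lines: List[str]) -> List[str]:
    """Unique IPv4s from 'connected' lines, skipping already-blacklisted ones."""
    seen: List[str] = []
    for line in lines:
        m = CONNECT_RE.search(line)
        if not m or "lists:" in m.group("rest"):
            continue
        try:
            ip = str(ipaddress.IPv4Address(m.group("ip")))
        except ValueError:
            continue  # malformed address, never query it
        if ip not in seen:
            seen.append(ip)
    return seen


def dnsbl_query_name(ip: str, zone: str = DEFAULT_ZONE) -> str:
    """A DNSBL is queried for the reversed octets under the list zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dns_lookup(name: str) -> Optional[str]:
    """Real resolver: the A record for a listed address, None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def classify(answer: Optional[str]) -> str:
    """Spamhaus ZEN answers 127.0.0.2-127.0.0.11 for a listing; anything else
    (e.g. 127.255.255.x for a refused query) is an error, never a listing."""
    if answer is None:
        return "clean"
    a = ipaddress.IPv4Address(answer)
    return "listed" if ipaddress.IPv4Address("127.0.0.2") <= a <= ipaddress.IPv4Address("127.0.0.11") else "error"


class VerdictCache:
    """ip -> (verdict, time) with a TTL, so verdicts expire and get rechecked."""

    def __init__(self, ttl_seconds: float) -> None:
        self.ttl = ttl_seconds
        self.entries: Dict[str, Tuple[str, float]] = {}

    def get(self, ip: str, now: float) -> Optional[str]:
        entry = self.entries.get(ip)
        if entry is None or now - entry[1] > self.ttl:
            self.entries.pop(ip, None)  # expired entries are dropped on access
            return None
        return entry[0]

    def put(self, ip: str, verdict: str, now: float) -> None:
        self.entries[ip] = (verdict, now)

    def load(self, path: str) -> None:  # state saved by the previous cron run
        try:
            with open(path) as fh:
                self.entries = {k: (v[0], v[1]) for k, v in json.load(fh).items()}
        except FileNotFoundError:
            self.entries = {}

    def save(self, path: str) -> None:
        with open(path, "w") as fh:
            json.dump(self.entries, fh)


def scan(lines: List[str], lookup: Callable[[str], Optional[str]],
         cache: VerdictCache, now: float, zone: str = DEFAULT_ZONE):
    """Return (listed_ips, spamdb_commands); errors are not cached, so they retry."""
    listed, commands = [], []
    for ip in new_greylist_ips(lines):
        verdict = cache.get(ip, now)
        if verdict is None:
            verdict = classify(lookup(dnsbl_query_name(ip, zone)))
            if verdict != "error":
                cache.put(ip, verdict, now)
        if verdict == "listed":
            listed.append(ip)
            # spamdb -t -a marks the address TRAPPED; this is my assumed action.
            commands.append(["spamdb", "-t", "-a", ip])
    return listed, commands
```

Wired into a cron job like the one above, the run would read the log, call `cache.load()` on a state file, pass `dns_lookup` and `time.time()` to `scan()`, run or print the returned commands and `cache.save()` afterwards. Choosing a cache TTL shorter than the DNSBL's own delisting horizon keeps a sender that has been cleaned up from staying trapped indefinitely, and not caching error verdicts means a resolver outage costs one extra query later rather than a stale decision.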


Re: problem with resolution aliases after upgrade to 6.5

2019-04-29 Thread John Cox
Hi

>Hello,
>
>I use aliases in an smtpd config and before upgrade to 6.5 it worked fine.
>After upgrade and rewriting config smtpd starts to reject mails
>addressed to aliases with a reason "550 Invalid recipient". What's
>wrong with new config?
>
>/var/log/maillog:
>
>Apr 29 07:01:48 ns1 smtpd[71399]: e99e9db5916c8789 smtp connected
>address=209.85.167.44 host=mail-lf1-f44.google.com
>Apr 29 07:01:48 ns1 smtpd[71399]: e99e9db5916c8789 smtp tls
>ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
>Apr 29 07:01:49 ns1 smtpd[71399]: e99e9db5916c8789 smtp failed-command
>command="RCPT TO:" result="550 Invalid recipient:
>"
>Apr 29 07:01:49 ns1 smtpd[71399]: e99e9db5916c8789 smtp disconnected 
>reason=quit
>
>smtpd.conf before upgrade to 6.5:
>
>pki mx1. certificate "/etc/ssl/.crt"
>pki mx1. key "/etc/ssl/private/.key"
>
>limit mta inet4
>queue compression
>
>listen on lo0
>listen on lo0 port 10028 tag DKIM_OUT
>listen on egress port 25 tls pki mx1.
>listen on egress port 465 smtps pki mx1. auth mask-source hostname mx1.
>listen on egress port 587 tls-require pki mx1. auth mask-source
>hostname mx1.
>
>table aliases db:/etc/mail/aliases.db
>table secrets db:/etc/mail/secrets.db
>table domains {  }
>
>accept for local deliver to mbox
>accept for local alias  deliver to mbox
>accept for domain "" relay via
>"tls+auth://gm...@smtp.gmail.com:587" auth 
>accept from any for domain "" alias  deliver to mbox
>#accept from local for any relay
>
>accept tagged DKIM_OUT for any relay
>accept from local for any relay via smtp://127.0.0.1:10027
>
>expire 2d
>bounce-warn 2h, 4h, 1d
>
>
>pki mx1. cert "/etc/ssl/.crt"
>pki mx1. key "/etc/ssl/private/.key"
>
>mta limit inet4
>bounce warn-interval 2h, 4h, 1d
>queue ttl 4d
>queue compression
>
>listen on lo0
>listen on lo0 port 10028 tag DKIM_OUT
>listen on egress port 25 tls pki mx1.
>#listen on egress port 25 tls pki mx1. auth-optional hostname mx1.
>listen on egress port 465 smtps pki mx1. auth mask-source hostname mx1.
>listen on egress port 587 tls-require pki mx1. auth mask-source
>hostname mx1.
>
>table aliases db:/etc/mail/aliases.db
>table secrets db:/etc/mail/secrets.db
>table domains {  }
>
>action "local" mbox alias 
>action "gmail" relay host "smtp+tls://gm...@smtp.gmail.com:587" auth 
>action "relay_dkim" relay host smtp://127.0.0.1:10027
>action "relay" relay
>
>match tag DKIM_OUT for any action "relay"
>match from local for local action "local"
>match from local for any auth action "relay_dkim"
>match from any for domain domains action "local"

Not sure if this is the only problem but domains is a table in this
version so the line should be (missing <>):

match from any for domain <domains> action "local"

>match from any for any auth action "gmail"
>
>
>output from smtpd -dv -Texpand:
>
>queue: queue compression enabled
>debug: pony: rsae_init
>debug: pony: rsae_init
>debug: smtp: will accept at most 498 clients
>debug: smtpd: scanning offline queue...
>debug: smtpd: offline scanning done
>debug: queue: done loading queue into scheduler
>1ae957d6afeb0dfa smtp connected address=209.85.208.171
>host=mail-lj1-f171.google.com
>debug: looking up pki "mx1."
>debug: session_start_ssl: switching to SSL
>debug: pony: rsae_priv_enc
>1ae957d6afeb0dfa smtp tls ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
>smtp: 0x15892c37000: smtp_cert_verify_cb: no-client-cert
>debug: smtp: SIZE in MAIL FROM command
>expand: 0x1ed226c59018: expand_insert() called for
>address:sergeyb@[parent=0x0, rule=0x0]
>expand: 0x1ed226c59018: inserted node 0x1ed2341cb800
>expand: lka_expand: address: sergeyb@ [depth=0]
>expand: 0x1ed226c59018: clearing expand tree
>1ae957d6afeb0dfa smtp failed-command command="RCPT TO:"
>result="550 Invalid recipient: "
>1ae957d6afeb0dfa smtp disconnected reason=quit
>
>Sergey

Hope that helps

JC


-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Re: Confused by certificates

2019-01-07 Thread John Cox
Hi

>2019-01-06 16:21 skrev John Cox:
>> Hi
>> 
>> I'm using OpenSMTPD 6.4.0
>> 
>> I'm (at least) a little confused as to which sort of certs I should
>> put in the pki cert and ca conf file entries (I can cope with the key
>> entry!)
>> 
>> I have an apparently functional ACME setup using the default
>> acme-client supplied with openbsd. This gives me 3 sorts of cert:
>> 
>> 1) Bare cert
>> 2) Chain cert
>> 3) Full chain cert
>> 
>> I have pki cert set to the bare cert, and ca set to the chain cert -
>> is that correct? or should I use the full chain cert for the pki cert?
>> 
>> I ask because whilst the setup mostly works I do get odd logging like
>> this:
>> 
>> Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting
>> address=smtp://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net
>> Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connected
>> Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta starttls
>> ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
>> Jan  6 14:35:05 azathoth smtpd[87479]: smtp-out: Server certificate
>> verification succeeded on session 92975635cb3d86a4
>> Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta delivery
>> evpid=00fe7e3a0bda75cf from=
>> to= rcpt=
>> source="46.235.226.138" relay="212.54.58.11
>> (mx.mnd.ukmail.iss.as9143.net)" delay=1s result="Ok" stat="250 2.0.0
>> MXIN650 mail accepted for delivery
>> ;id=g9W5guLw5a6xRg9W5gmZtD;sid=g9W5guLw5a6xR;mta=mx4.mnd;d=20190106;t=153505[CET];ipsrc=46.235.226.138;"
>> Jan  6 14:35:16 azathoth smtpd[87479]: smtp-out: Error on session
>> 92975635cb3d86a4: opportunistic TLS failed, downgrading to plain
>> Jan  6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting
>> address=smtp+notls://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net
>> Jan  6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta connected
>> Jan  6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta
>> disconnected reason=quit messages=1
>> 
>> Where it seems to succeed with TLS and then it says that it has failed.
>> What is going on?

I know I put 2 questions in one message but does anyone have any idea
why I seem to both get a TLS success & a TLS failure here?

>> 
>> Thanks
>> 
>> John Cox
>
>You should use the full chain, so that any connecting computers can
>verify the full certificate chain. :)
>
>This is a snippet from my configuration:
>
>pki mx.helloworld.online cert  
>"/etc/ssl/acme/mx.helloworld.online.fullchain.pem"
>pki mx.helloworld.online key   
>"/etc/ssl/acme/private/mx.helloworld.online.key"
>
>Hope that helps in some way.

Thanks - I think I understand what is needed for verification to take
place, and as I am using a public CA to generate the certs. at least
in theory, the chain part should be well known and therefore not
needed or actually unwanted if the far end is going to verify the
cert. (Unless, of course, the CA has generated intermediate certs
between the well known root cert and my cert, in which case the chain
is required to bridge the gap.)

Fullchain shouldn't really be required unless you have a self-signed
thing or want to persuade the far end to add your root cert to its
cert stash.  Nonetheless I equally understand that many
implementations want a full chain so it must be available.

The question is - how is the fullchain constructed - is it pki+ca or
just pki, and if the latter then what is the ca statement meant to do
for me?

Many thanks

John Cox




Confused by certificates

2019-01-06 Thread John Cox
Hi

I'm using OpenSMTPD 6.4.0

I'm (at least) a little confused as to which sort of certs I should
put in the pki cert and ca conf file entries (I can cope with the key
entry!)

I have an apparently functional ACME setup using the default
acme-client supplied with openbsd. This gives me 3 sorts of cert:

1) Bare cert
2) Chain cert
3) Full chain cert

I have pki cert set to the bare cert, and ca set to the chain cert -
is that correct? or should I use the full chain cert for the pki cert?

I ask because whilst the setup mostly works I do get odd logging like
this:

Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting
address=smtp://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net
Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connected
Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta starttls
ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
Jan  6 14:35:05 azathoth smtpd[87479]: smtp-out: Server certificate
verification succeeded on session 92975635cb3d86a4
Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta delivery
evpid=00fe7e3a0bda75cf from=
to= rcpt=
source="46.235.226.138" relay="212.54.58.11
(mx.mnd.ukmail.iss.as9143.net)" delay=1s result="Ok" stat="250 2.0.0
MXIN650 mail accepted for delivery
;id=g9W5guLw5a6xRg9W5gmZtD;sid=g9W5guLw5a6xR;mta=mx4.mnd;d=20190106;t=153505[CET];ipsrc=46.235.226.138;"
Jan  6 14:35:16 azathoth smtpd[87479]: smtp-out: Error on session
92975635cb3d86a4: opportunistic TLS failed, downgrading to plain
Jan  6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting
address=smtp+notls://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net
Jan  6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta connected
Jan  6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta
disconnected reason=quit messages=1

Where it seems to succeed with TLS and then it says that it has failed.
What is going on?

Thanks

John Cox




Re: Filter withdrawals

2016-09-13 Thread John Cox
On Mon, 12 Sep 2016 11:11:09 +0200, you wrote:

>>> I’d be up for it. Although I’m still running 5.9 on my mail server, I’m 
>>> thinking of upgrading. I knew that filters are experimental (and really to 
>>> test the API, not the filters themselves), however I’ve decided to use some 
>>> of them and would like to continue doing so. The dnsbl is the one I’d miss 
>>> the most. 
>>> 
>>> All other functionality in my config uses traditional approach, with 
>>> relaying over smtp to a daemon (spamd, clamav, dkim_proxy, etc) listening 
>>> on lo interface, and all seems to be working fine. 
>> 
>> Assuming that that is OpenBSD spamd then I may be able to help you
>> with your dnsbl desire.
>> 
>> I have a python script that runs every 15 mins (inside the spamd
>> whitelist time) that checks for new entries, looks them up against a
>> dnsbl and blacklists if appropriate.  Note that this code would be
>> provided "as is" & whilst it works for me I make no guarantees as to
>> anything.  It probably isn't suitable for anything vaguely high
>> volume.
>> 
>> A better hack than what I'm doing currently would be to abuse the
>> spamd sync feature which provides a much more timely notification of
>> activity, but I haven't found the round tuits to do it and am unlikely
>> to do so.
>
>I am very interested in that script as well. Would be great to have a 
>blacklist function in spamd based on RBLs.

OK - I've exported my scripts to github
https://github.com/johncox44/spamd-util

As stated - these are just what I am using, written by me for my own
use. I may attempt to improve the (frankly non-existent) documentation
over the next couple of days. I don't have a lot of time to maintain
them or add features but I will look kindly on patches and will at
least consider feature requests.

Feel free to copy & adapt for your use

Regards

JC




Re: Filter withdrawals

2016-09-12 Thread John Cox
>> On 6 Sep 2016, at 14:10, Edgar Pettijohn  wrote:
>> 
>> I'm thinking of starting a support group for others suffering from filter 
>> withdrawal. Upgraded to 6.0 over the weekend and went back to using spampd 
>> and sieve. Is there any other options besides amavis?  I really miss 
>> filter-regex. Haven't had any luck finding a replacement just curious if 
>> anyone out there has any suggestions.
>
>Hi,
>
>I’d be up for it. Although I’m still running 5.9 on my mail server, I’m 
>thinking of upgrading. I knew that filters are experimental (and really to 
>test the API, not the filters themselves), however I’ve decided to use some of 
>them and would like to continue doing so. The dnsbl is the one I’d miss the 
>most. 
>
>All other functionality in my config uses traditional approach, with relaying 
>over smtp to a daemon (spamd, clamav, dkim_proxy, etc) listening on lo 
>interface, and all seems to be working fine. 

Assuming that that is OpenBSD spamd then I may be able to help you
with your dnsbl desire.

I have a python script that runs every 15 mins (inside the spamd
whitelist time) that checks for new entries, looks them up against a
dnsbl and blacklists if appropriate.  Note that this code would be
provided "as is" & whilst it works for me I make no guarantees as to
anything.  It probably isn't suitable for anything vaguely high
volume.

A better hack than what I'm doing currently would be to abuse the
spamd sync feature which provides a much more timely notification of
activity, but I haven't found the round tuits to do it and am unlikely
to do so.

Regards

JC




Re: Incoming certificate verification

2016-05-17 Thread John Cox
>There is a CA Option in smtpd.conf, for example (CA-ubuntu path)
>
>ca NAME certificate "/etc/ssl/certs/ca-certificates.crt"

Yes - but what I want is the verification of "random" senders (I don't
want to reject them - I just want the trace in the headers like I used
to get previously)

ca doesn't obviously do that - quoting the man page:

ca hostname certificate cafile
Associate a custom CA certificate located in cafile with hostname.

If we were using that syntax then what I want would be hostname = *
(and I do use the ca keyword for my custom routes)

CApath / CAfile (and CRLfile) would normally be where to look up
everything non-custom as used in sendmail & openssl.

Either way - this used to work and it doesn't now.  I'm perfectly
happy to believe that I need a config file change to get it work again
but what is wanted isn't obvious to me.

Regards

JC


>
>Regards,
>
>Marcel
>
>
>Am 17.05.2016 um 09:47 schrieb John Cox:
>> Hi
>>
>> Since I upgraded to OpenBSD 5.9 (I think) I've been getting TLS
>> validation errors in the headers:
>>
>>  TLS version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384
>> bits=256 verify=NO
>>
>> Prior to the upgrade I would get verify=YES. (I think it was the
>> upgrade to OpenBSD 5.9 and whichever OpenSMTPD that comes with it that
>> did it - it was certainly about that time)
>>
>> I have now upgraded OpenSMTPD to the current 5.9.2 release and that
>> makes no difference.
>>
>> All logging suggests that cert validation is OK (though I note that I
>> only ever get that message on outgoing lines, and never on incoming)
>>
>> What does OpenSMTPD use as its default cert store - as far as I can
>> tell the .conf lacks CAfile or CApath options?
>>
>> Testing with openssl s_client suggests that my certs are generally in
>> order
>>
>> Any clues?
>>
>> Many thanks
>>
>> John Cox
>>
>>
>> Log file:
>>
>>
>> May 17 08:26:58 azathoth smtpd[18872]: info: OpenSMTPD 5.9.2 starting
>> May 17 08:27:47 azathoth smtpd[10532]: smtp-in: New session
>> 31086515f45c2260 from host smtp31.cix.co.uk [77.92.64.18]
>> May 17 08:27:48 azathoth smtpd[10532]: smtp-in: Started TLS on session
>> 31086515f45c2260: version=TLSv1, cipher=DHE-RSA-AES256-SHA, bits=256
>> May 17 08:27:48 azathoth smtpd[10532]: smtp-in: Accepted message
>> daa12d76 on session 31086515f45c2260: from=<j...@cix.co.uk>,
>> to=<j...@uphall.net>, size=793, ndest=1, proto=ESMTP
>> May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Connecting to
>> tls://10.44.0.3:25 (yidhra.outer.uphall.net) on session
>> 3108651f4a1f0980...
>> May 17 08:27:48 azathoth smtpd[10532]: smtp-in: Closing session
>> 31086515f45c2260
>> May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Connected on session
>> 3108651f4a1f0980
>> May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Started TLS on
>> session 3108651f4a1f0980: version=TLSv1.2,
>> cipher=ECDHE-RSA-CHACHA20-POLY1305, bits=256
>> May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Server certificate
>> verification succeeded on session 3108651f4a1f0980
>> May 17 08:27:48 azathoth smtpd[10532]: relay: Ok for daa12d76fa78afb9:
>> session=3108651f4a1f0980, from=<j...@cix.co.uk>, to=<j...@uphall.net>,
>> rcpt=<->, source=46.235.226.138, relay=10.44.0.3
>> (yidhra.outer.uphall.net), delay=0s, stat=250 2.0.0: f8f2d286 Message
>> accepted for delivery
>> May 17 08:27:58 azathoth smtpd[10532]: smtp-out: Closing session
>> 3108651f4a1f0980: 1 message sent.
>> #
>>
>>
>> Headers:
>>
>> Return-Path: j...@cix.co.uk
>> Delivered-To: j...@uphall.net
>> Received: from azathoth.uphall.net (azathoth.uphall.net
>> [46.235.226.138])
>>  by yidhra.outer.uphall.net (OpenSMTPD) with ESMTPS id f8f2d286
>>  TLS version=TLSv1.2 cipher=ECDHE-RSA-CHACHA20-POLY1305
>> bits=256 verify=NO
>>  for <j...@uphall.net>;
>>  Tue, 17 May 2016 08:27:48 +0100 (BST)
>> Received: from smtp1.cix.co.uk (smtp31.cix.co.uk [77.92.64.18])
>>  by azathoth.uphall.net (OpenSMTPD) with ESMTPS id daa12d76
>>  TLS version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO
>>  for <j...@uphall.net>;
>>  Tue, 17 May 2016 08:27:48 +0100 (BST)
>> Received: (qmail 22491 invoked from network); 17 May 2016 07:27:47
>> -
>> Received: from unknown (HELO Ithaqua.outer.uphall.net) (86.21.189.18)
>>   by smtp1.cix.co.uk with ESMTPS (AES256-SHA encrypted); 17 May 2016
>> 07:27:47 -
>> From: John Cox <j...@cix.co.uk>
>> To: John home Cox <j...@uphall.net>
>> Subject: Incoming 2
>> Date: Tue, 17 May 2016 08:27:47 +0100
>> Message-ID: <cvhljbt2nr02qi3iaanth6bm759hiqc...@4ax.com>
>> User-Agent: ForteAgent/7.10.32.1212
>> MIME-Version: 1.0
>> Content-Type: text/plain; charset=us-ascii
>> Content-Transfer-Encoding: 7bit
>>
>>
>>




Incoming certificate verification

2016-05-17 Thread John Cox
Hi

Since I upgraded to OpenBSD 5.9 (I think) I've been getting TLS
validation errors in the headers:

TLS version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384
bits=256 verify=NO

Prior to the upgrade I would get verify=YES. (I think it was the
upgrade to OpenBSD 5.9 and whichever OpenSMTPD that comes with it that
did it - it was certainly about that time)

I have now upgraded OpenSMTPD to the current 5.9.2 release and that
makes no difference.

All logging suggests that cert validation is OK (though I note that I
only ever get that message on outgoing lines, and never on incoming)

What does OpenSMTPD use as its default cert store - as far as I can
tell the .conf lacks CAfile or CApath options?

Testing with openssl s_client suggests that my certs are generally in
order

Any clues?

Many thanks

John Cox


Log file:


May 17 08:26:58 azathoth smtpd[18872]: info: OpenSMTPD 5.9.2 starting
May 17 08:27:47 azathoth smtpd[10532]: smtp-in: New session
31086515f45c2260 from host smtp31.cix.co.uk [77.92.64.18]
May 17 08:27:48 azathoth smtpd[10532]: smtp-in: Started TLS on session
31086515f45c2260: version=TLSv1, cipher=DHE-RSA-AES256-SHA, bits=256
May 17 08:27:48 azathoth smtpd[10532]: smtp-in: Accepted message
daa12d76 on session 31086515f45c2260: from=<j...@cix.co.uk>,
to=<j...@uphall.net>, size=793, ndest=1, proto=ESMTP
May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Connecting to
tls://10.44.0.3:25 (yidhra.outer.uphall.net) on session
3108651f4a1f0980...
May 17 08:27:48 azathoth smtpd[10532]: smtp-in: Closing session
31086515f45c2260
May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Connected on session
3108651f4a1f0980
May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Started TLS on
session 3108651f4a1f0980: version=TLSv1.2,
cipher=ECDHE-RSA-CHACHA20-POLY1305, bits=256
May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Server certificate
verification succeeded on session 3108651f4a1f0980
May 17 08:27:48 azathoth smtpd[10532]: relay: Ok for daa12d76fa78afb9:
session=3108651f4a1f0980, from=<j...@cix.co.uk>, to=<j...@uphall.net>,
rcpt=<->, source=46.235.226.138, relay=10.44.0.3
(yidhra.outer.uphall.net), delay=0s, stat=250 2.0.0: f8f2d286 Message
accepted for delivery
May 17 08:27:58 azathoth smtpd[10532]: smtp-out: Closing session
3108651f4a1f0980: 1 message sent.
#


Headers:

Return-Path: j...@cix.co.uk
Delivered-To: j...@uphall.net
Received: from azathoth.uphall.net (azathoth.uphall.net
[46.235.226.138])
by yidhra.outer.uphall.net (OpenSMTPD) with ESMTPS id f8f2d286
TLS version=TLSv1.2 cipher=ECDHE-RSA-CHACHA20-POLY1305
bits=256 verify=NO
for <j...@uphall.net>;
Tue, 17 May 2016 08:27:48 +0100 (BST)
Received: from smtp1.cix.co.uk (smtp31.cix.co.uk [77.92.64.18])
by azathoth.uphall.net (OpenSMTPD) with ESMTPS id daa12d76
TLS version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO
for <j...@uphall.net>;
Tue, 17 May 2016 08:27:48 +0100 (BST)
Received: (qmail 22491 invoked from network); 17 May 2016 07:27:47
-
Received: from unknown (HELO Ithaqua.outer.uphall.net) (86.21.189.18)
  by smtp1.cix.co.uk with ESMTPS (AES256-SHA encrypted); 17 May 2016
07:27:47 -
From: John Cox <j...@cix.co.uk>
To: John home Cox <j...@uphall.net>
Subject: Incoming 2
Date: Tue, 17 May 2016 08:27:47 +0100
Message-ID: <cvhljbt2nr02qi3iaanth6bm759hiqc...@4ax.com>
User-Agent: ForteAgent/7.10.32.1212
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit


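The evidence in this thread (the "Server certificate verification succeeded" log line beside a Received: header saying verify=NO), in the 2019 "Confused by certificates" thread (verification succeeded followed by "opportunistic TLS failed, downgrading to plain") and in the 2020 "CA certificate stores?" post (mta server-cert-check result="failure") is scattered across two log formats and a mail header. Here is an added example of my own, not code from OpenSMTPD or from John, that parses those shapes and reports which outbound sessions were encrypted but never certificate-verified or were downgraded to plaintext, and which incoming TLS sessions OpenSMTPD recorded as unverified. The sample lines are constructed in the formats quoted on this page; the example.org/example.net names are placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lines in the formats quoted on this page: the 6.x
# "mta ... server-cert-check" lines, the older "smtp-out: ..." lines, and the
# Received: header OpenSMTPD writes for an incoming TLS session.
SAMPLE_MAILLOG = """\
Mar  4 15:25:04 azathoth smtpd[85072]: 45f2eb8c98e80a78 mta connecting address=smtp://10.44.0.3:25 host=yidhra.outer.uphall.net
Mar  4 15:25:04 azathoth smtpd[85072]: 45f2eb8c98e80a78 mta connected
Mar  4 15:25:04 azathoth smtpd[85072]: 45f2eb8c98e80a78 mta tls ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
Mar  4 15:25:04 azathoth smtpd[85072]: 45f2eb8c98e80a78 mta server-cert-check result="failure"
Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting address=smtp://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net
Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta starttls ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
Jan  6 14:35:05 azathoth smtpd[87479]: smtp-out: Server certificate verification succeeded on session 92975635cb3d86a4
Jan  6 14:35:16 azathoth smtpd[87479]: smtp-out: Error on session 92975635cb3d86a4: opportunistic TLS failed, downgrading to plain
Jan  6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting address=smtp+notls://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net
"""
SAMPLE_HEADERS = """\
Received: from azathoth.uphall.net (azathoth.uphall.net [46.235.226.138])
\tby yidhra.outer.uphall.net (OpenSMTPD) with ESMTPS id f8f2d286
\tTLS version=TLSv1.2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256 verify=NO
\tfor <user@example.net>;
\tTue, 17 May 2016 08:27:48 +0100 (BST)
Received: from mail.example.org (mail.example.org [198.51.100.5])
\tby azathoth.uphall.net (OpenSMTPD) with ESMTPS id daa12d76
\tTLS version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=YES
\tfor <user@example.net>;
\tTue, 17 May 2016 08:27:48 +0100 (BST)
"""

SID = r"(?P<sid>[0-9a-f]{16})"
CONNECTING_RE = re.compile(SID + r" mta connecting address=(?P<addr>\S+) host=(?P<host>\S+)")
TLS_RE = re.compile(SID + r" mta (?:tls|starttls) ")
CHECK_RE = re.compile(SID + r' mta server-cert-check result="(?P<result>[^"]+)"')
VERIFIED_RE = re.compile(r"Server certificate verification succeeded on session " + SID)
DOWNGRADE_RE = re.compile(r"Error on session " + SID + r": opportunistic TLS failed")
RECEIVED_TLS_RE = re.compile(r"by (?P<by>\S+) \(OpenSMTPD\) with ESMTPS id \w+ "
                             r"TLS version=\S+ cipher=\S+ bits=\d+ verify=(?P<verify>YES|NO)")


def parse_maillog(lines: List[str]) -> Dict[str, dict]:
    """Per outbound session: peer host, whether TLS started, whether the server
    cert verified (None = no verdict logged), whether it fell back to plaintext."""
    sessions: Dict[str, dict] = {}

    def rec(sid: str) -> dict:
        return sessions.setdefault(sid, {"host": None, "tls": False, "verified": None, "downgraded": False})

    for line in lines:
        if m := CONNECTING_RE.search(line):
            s = rec(m["sid"])
            s["host"] = m["host"]
            s["downgraded"] |= m["addr"].startswith("smtp+notls://")  # reconnect without TLS
        elif m := TLS_RE.search(line):
            rec(m["sid"])["tls"] = True
        elif m := CHECK_RE.search(line):
            rec(m["sid"])["verified"] = m["result"] == "success"
        elif m := VERIFIED_RE.search(line):
            rec(m["sid"])["verified"] = True
        elif m := DOWNGRADE_RE.search(line):
            rec(m["sid"])["downgraded"] = True
    return sessions


def unverified_deliveries(sessions: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """(session, host, reason) for sessions that used TLS without a verified
    server certificate, or that were downgraded to plaintext."""
    out = []
    for sid, s in sorted(sessions.items()):
        if s["downgraded"]:
            out.append((sid, s["host"], "downgraded"))
        elif s["tls"] and s["verified"] is not True:
            out.append((sid, s["host"], "unverified"))
    return out


def unfold_headers(text: str) -> List[str]:
    """Join RFC 5322 folded continuation lines (leading whitespace) onto their header."""
    out: List[str] = []
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def received_tls(text: str) -> List[Tuple[str, bool]]:
    """(receiving host, verified?) for each Received: header OpenSMTPD wrote over
    TLS; verify=NO means that host did not verify the sender's certificate."""
    results = []
    for header in unfold_headers(text):
        m = RECEIVED_TLS_RE.search(header) if header.startswith("Received:") else None
        if m:
            results.append((m["by"], m["verify"] == "YES"))
    return results
```

Run over a real maillog, `unverified_deliveries()` gives the list of relays you are encrypting to without a verified identity, which is what a "verify required" policy is meant to forbid, and `received_tls()` over a mailbox shows the same thing from the receiving side. The header parser unfolds continuation lines first because OpenSMTPD splits the TLS clause across folded lines, as the headers above show.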




Re: strange behavior on delivering messages

2015-02-15 Thread John Cox

>accept tagged CLAM_OUT for domain vdomains virtual valiases relay via \
>lmtp://127.0.0.1

So is this line finally legal?

Earlier versions of opensmtp would not let you mix virtual and relay
via... (it is something I have always wanted and the reason why I am
still running sendmail on my gateway, but opensmtpd at the final
stage)

Regards

JC




Re: Is my virtual user configuration correct?

2015-01-21 Thread John Cox
>I tried putting this line in smtpd.conf to test
>
>accept from any for any alias aliases relay
>
>and got this error when checking the config
>
>$ sudo smtpd -n
>/etc/mail/smtpd.conf:13: aliases/virtual may not be used with a relay rule

That restriction has annoyed me too as it seems the obvious way of
setting up routes like this (which I want to do as well)

Regards

John Cox




Re: [OpenSMTPD] master snapshot opensmtpd-201410040015 available

2014-10-09 Thread John Cox
On Sat, 4 Oct 2014 00:18:27 +0200 (CEST), you wrote:

>A new opensmtpd snapshot is available at:
>
>http://www.opensmtpd.org/archives/opensmtpd-201410040015.tar.gz
>
>Checksum:
>
>  SHA256 (opensmtpd-201410040015.tar.gz) =
>  6802f24d70bada0287c212816b717941c0e6ad94e92e159f66010cdf16e5a6da
>
>A summary of the content of this snapshot is available below.
>
>Please test and let us know if it breaks something!
>
>If this snapshot doesn't work, please also test with a previous one,
>to help us spot where the issue is coming from. You can access all
>previous snapshots here:
>
>http://www.opensmtpd.org/archives/
>
>The OpenSMTPD team ;-)
>
>
>Summary of changes since last snapshot (opensmtpd-201410012007):
>---
>
>- introduce limit session keywords to replace hardcoded rcpt and mail
> limits in smtp [1]
>- DSA keys are currently unsupported, still not a reason to crash in the
> error path...
>- when no domain is specified on mail from or rcpt to, assume local user
>- fix support for tls+backup://  (accept ... relay backup tls)
>
>[1] Author: Renaud Allard ren...@allard.it

I'm not quite sure what goes wrong but this fails for me:


# smtpd -v -d
debug: init ssl-tree
info: loading pki information for yidhra.outer.uphall.net
info: OpenSMTPD 201410040015 starting
debug: bounce warning after 4h
debug: using fs queue backend
debug: using ramqueue scheduler backend
debug: using ram stat backend
info: startup [debug mode]
debug: parent_send_config_ruleset: reloading
filter: building simple chains...
debug: init ssl-tree
debug: parent_send_config: configuring pony process
filter: building complex chains...
info: loading pki keys for yidhra.outer.uphall.net
debug: parent_send_config: configuring ca process
filter: done building complex chains
debug: ca_engine_init: using RSAX engine support
debug: init private ssl-tree
debug: smtp: listen on 127.0.0.1 port 25 flags 0x401 pki
yidhra.outer.uphall.net
debug: smtp: listen on IPv6:fe80::1%lo0 port 25 flags 0x401 pki
yidhra.outer.uphall.net
debug: smtp: listen on IPv6:::1 port 25 flags 0x401 pki
yidhra.outer.uphall.net
debug: smtp: listen on IPv6:fe80::6a05:caff:fe08:e7b1%em2 port 25
flags 0x401 pki yidhra.outer.uphall.net
debug: smtp: listen on 10.44.0.3 port 25 flags 0x401 pki
yidhra.outer.uphall.net
debug: pony: rsae_init
debug: pony: rsae_init
debug: smtp: will accept at most 3503 clients
debug: queue: done loading queue into scheduler
debug: smtpd: scanning offline queue...
debug: smtpd: offline scanning done
debug: smtp: new client on listener: 0xe9edc7ef000
smtp-in: New session 07bcbbe39c23052f from host azathoth.uphall.net
[46.235.226.138]
debug: lka: looking up pki yidhra.outer.uphall.net
debug: session_start_ssl: switching to SSL
debug: pony: rsae_priv_enc
debug: pony: rsae_init
debug: pony: rsae_init
debug: pony: rsae_pub_dec
debug: pony: rsae_bn_mod_exp
debug: pony: rsae_init
debug: pony: rsae_pub_dec
debug: pony: rsae_bn_mod_exp
debug: pony: rsae_pub_dec
debug: pony: rsae_bn_mod_exp
smtp-in: Started TLS on session 07bcbbe39c23052f: version=TLSv1/SSLv3,
cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
smtp-in: Client certificate verification succeeded on session
07bcbbe39c23052f
debug: smtp: SIZE in MAIL FROM command
warn: parent - lka: pipe closed
warn: queue - lka: pipe closed
warn: control - lka: pipe closed
warn: scheduler - queue: pipe closed
warn: ca - control: pipe closed
warn: pony - lka: pipe closed
#

Is there any other info that would be useful? I think I can make this
happen quite reliably.

Regards

John Cox




Bounce message creation delivery control

2014-09-10 Thread John Cox
Hi

I have a set of email addresses that I forward on to other external
addresses.  I am getting a significant quantity of mail that targets
these addresses but is rejected by the destination (because it is bad);
the bounce message that I generate then fails to deliver because the
sender was faked.  Is there any way of selectively disabling the
creation of bounce messages?  I still want bounce messages for
anything sent from a local address that I've failed to send but I'd
like to stop generating bounces for failures to forward that simply
clog up my mailq 'cos they will never be delivered. Or possibly,
better still, redirect the bounces to a local address so I can see
what is happening if there is a real problem.

Thanks

JC




Re: [OpenSMTPD] master snapshot opensmtpd-201406192229 available

2014-06-30 Thread John Cox
Hi

User gilles has just rebuilt a master snapshot, available from:

http://www.OpenSMTPD.org/archives/opensmtpd-201406192229.tar.gz

Checksum:

  SHA256 (opensmtpd-201406192229.tar.gz) =
  bd9c30a68b94b2533e8fd93b9669014d91fb3a0f83578413a7acc692c7f29bea

A summary of the content of this snapshot is available below.

Please test and let us know if it breaks something!

If this snapshot doesn't work, please also test with a previous one,
to help us spot where the issue is coming from. You can access all
previous snapshots here:

http://www.opensmtpd.org/archives/

The OpenSMTPD team ;-)


Summary of changes since last snapshot (opensmtpd-201406192203):
---

- unfuck build on OpenBSD 5.5 ...

At least on trivial testing this one seems to work :-)

Many thanks

John Cox




Re: wildcard support?

2014-06-19 Thread John Cox
Hi

I need to block some senders like bounce--xxx@*, but I would like to
configure it like:


table sender_deny { bounce-*-*@* }


The below case is working well for www-data@*


table sender_deny { www-data@* }

That feature would make me very happy too :-)

Thanks

John Cox
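To show what a glob-style deny table such as the one requested above would actually match, here is an added example (not code from the thread or from OpenSMTPD's own table code) that compiles the two patterns quoted in the message into anchored, case-insensitive regular expressions and reports which patterns a given envelope sender hits. The sender addresses are constructed for the example; `bounce-*-*@*` is broader than it looks, which is the caveat a practitioner would want to check before deploying such a pattern.

```python
import fnmatch
import re
from typing import Iterable, List

# Patterns from the thread: the second is reported to work, the first is the request.
DENY_PATTERNS = ["bounce-*-*@*", "www-data@*"]


def compile_glob(pattern: str):
    # fnmatch.translate anchors the pattern and maps *, ? and [...] to regex.
    # Local parts are frequently case-folded in transit, so match case-insensitively.
    return re.compile(fnmatch.translate(pattern), re.IGNORECASE)


def matching_patterns(sender: str, patterns: Iterable[str] = DENY_PATTERNS) -> List[str]:
    """Return every deny pattern that matches the whole sender address."""
    return [p for p in patterns if compile_glob(p).match(sender)]


def sender_denied(sender: str, patterns: Iterable[str] = DENY_PATTERNS) -> bool:
    return bool(matching_patterns(sender, patterns))


if __name__ == "__main__":
    # Constructed sample senders: two obvious hits, one legitimate address,
    # and one legitimate-looking bounce address caught by the broad glob.
    for addr in ("bounce-123-abc@spam.example", "WWW-DATA@host.example",
                 "alice@example.org", "bounce-news-2014@legit.example"):
        print(f"{addr:40} denied={sender_denied(addr)} by={matching_patterns(addr)}")
```

Note that `*` in fnmatch crosses `@` and `-` freely, so a pattern intended for one sender shape can swallow unrelated addresses; listing `matching_patterns` for a sample of real senders before enabling the table is the cheap way to find that out.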




Re: How to configure encryption ciphers and SSL/TLS protocols

2014-06-10 Thread John Cox
On Mon, 9 Jun 2014 10:16:43 +0200, you wrote:

On Mon, Jun 09, 2014 at 08:39:52AM +0100, John Cox wrote:
 Hi
 
 That's not correct no, I get plenty of TLS 1.0 traffic and it has been
 the case for many years
 
 To parrot this on all of my various instances OpenSMTPD and not I get tons
 of TLS 1.0 and SSLv3 traffic, I wish I didn't but it still happens. Heck
 every now and again I see SSLv2 attempts which for most of my instances get
 killed. I haven't seen one on my OpenSMTPD instance yet but it's only time.
 But seriously for email any transport encryption is better than none and
 OpenSMTPD's default should be the best way to handle opportunistic TLS
 where you always try to use the highest protocol version supported with the
 best ciphers supported, and there shouldn't need to be a knob for it.
 
 Whilst I agree with what you are saying for general purpose mail
 servers, I can see applications where enforced encryption levels are
 worth having.  I can see that some company gateways, where they know
 all of the other endpoints, might wish to enforce appropriate
 encryption as everybody who should be talking to that MTA should be
 capable of it and anything else is therefore spam or hacking.  This is
 particularly plausible on any link where TLS or SSL is already
 mandatory.
 

please define enforced encryption levels ?

Tricky - I don't have a specific use case in mind, but I worked on
building a military email system (X.400 based - it was that long ago,
though they may still use it for all I know) and they were pretty keen
on nailing down exactly what was expected on each link.

pretty much anyone tweaking ssl_ciphers will actually downgrade security
or/and break interop with other servers. some people may know how to tie
things further for their specific use-cases but the minute we add a knob
other people will start using it and shoot themselves in the foot.

Sadly that is the case with pretty much all security, but the lack of
an ability to check/filter based on what security level has been
negotiated means that those people who _do_ know what they are doing
can't.  I'm still annoyed by the general (not smtpd particularly)
impossibility of having usefully functioning CRLs, which are pretty
much a requirement of any PK system but have been generally ignored to
date.

At the time being we're looking to have the bulk of users safe by
default and we're looking for more:

   https://twitter.com/Mayeu/status/474109854651785216

the magic of OpenSMTPD, you do no TLS configuration and you're graded A
 by default 3  (test here: starttls.info)

I do not disagree

I'm not saying that this will hold true forever but at this point in time
I would prefer that we don't have ssl_ciphers and that any improvement we
do is made to the default until we exhausted all possibilities to do so.

Fair enough - I just felt it was worth adding another point of view to
the discussion.

Thanks

JC




Re: How to configure encryption ciphers and SSL/TLS protocols

2014-06-09 Thread John Cox
Hi

That's not correct no, I get plenty of TLS 1.0 traffic and it has been
the case for many years

To parrot this on all of my various instances OpenSMTPD and not I get tons
of TLS 1.0 and SSLv3 traffic, I wish I didn't but it still happens. Heck
every now and again I see SSLv2 attempts which for most of my instances get
killed. I haven't seen one on my OpenSMTPD instance yet but it's only time.
But seriously for email any transport encryption is better than none and
OpenSMTPD's default should be the best way to handle opportunistic TLS
where you always try to use the highest protocol version supported with the
best ciphers supported, and there shouldn't need to be a knob for it.

Whilst I agree with what you are saying for general purpose mail
servers, I can see applications where enforced encryption levels are
worth having.  I can see that some company gateways, where they know
all of the other endpoints, might wish to enforce appropriate
encryption as everybody who should be talking to that MTA should be
capable of it and anything else is therefore spam or hacking.  This is
particularly plausible on any link where TLS or SSL is already
mandatory.

Regards

JC
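The two messages above on enforced encryption levels (2014-06-09 and 2014-06-10) argue about whether an operator who knows all the peers should be able to check what was actually negotiated. Without a knob in smtpd.conf, the one place that information is visible is the `smtp-in: Started TLS on session ...: version=..., cipher=..., bits=...` log line quoted elsewhere in this thread. The following is an added example (not code from the thread or from OpenSMTPD) that parses those lines and grades each session against a local policy; the policy itself (forward-secret key exchange, an AEAD cipher, a minimum symmetric key size) is an assumption of the example, and the sample log lines are constructed in the page's log format with the soft wraps joined.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample lines in the smtp-in format quoted on this page (wraps joined).
SAMPLE_LOG = [
    "smtp-in: Started TLS on session fe1876ed47d20e57: version=TLSv1/SSLv3, "
    "cipher=AES128-SHA, bits=128",
    "debug: smtp: SIZE in MAIL FROM command",
    "smtp-in: Started TLS on session fe1876f6e4a24c68: version=TLSv1/SSLv3, "
    "cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256",
]

STARTED_TLS = re.compile(
    r"Started TLS on session (?P<session>[0-9a-f]+): "
    r"version=(?P<version>[^,]+), cipher=(?P<cipher>[^,]+), bits=(?P<bits>\d+)"
)


@dataclass
class TlsHandshake:
    session: str
    version: str
    cipher: str
    bits: int


def parse_started_tls(line: str) -> Optional[TlsHandshake]:
    """Return the handshake parameters from a 'Started TLS' line, else None."""
    m = STARTED_TLS.search(line)
    if m is None:
        return None
    return TlsHandshake(m["session"], m["version"], m["cipher"], int(m["bits"]))


def policy_violations(hs: TlsHandshake, min_bits: int = 128) -> List[str]:
    """Assumed local policy: forward secrecy, AEAD cipher, minimum key size.
    Returns an empty list when the session meets all three."""
    problems = []
    key_exchange = hs.cipher.split("-")[0]       # e.g. ECDHE in ECDHE-RSA-AES256-GCM-SHA384
    if key_exchange not in ("ECDHE", "DHE"):
        problems.append("no forward secrecy")
    if not any(tag in hs.cipher for tag in ("GCM", "CHACHA20", "CCM")):
        problems.append("not an AEAD cipher")
    if hs.bits < min_bits:
        problems.append(f"bits={hs.bits} below {min_bits}")
    return problems


def audit_log(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each session id that started TLS to its list of policy violations."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        hs = parse_started_tls(line)
        if hs is not None:
            report[hs.session] = policy_violations(hs)
    return report


if __name__ == "__main__":
    for session, problems in audit_log(SAMPLE_LOG).items():
        print(session, "OK" if not problems else "; ".join(problems))
```

One limitation worth knowing before relying on this: `version=TLSv1/SSLv3` is the generic name the OpenSSL of that era reported for any TLS handshake, so these lines say nothing about which protocol version was negotiated, and a protocol-version rule cannot be enforced from them; the cipher suite and key size can be.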




Re: [OpenSMTPD] master snapshot opensmtpd-201405142324 available

2014-05-19 Thread John Cox
Hi

hi,

can you reproduce the problem easily ?

I believe so - seemed to happen every time for every message, on an
admittedly limited sample as I stopped trying to use it quite quickly
at that point...  If you want some specific debug I'm happy to try
again.

Thanks

JC

Gilles


On Thu, May 15, 2014 at 09:21:04AM +0100, John Cox wrote:
 Hi
 
 It almost works for me on OpenBSD5.5-stable.
 
 Compiles, runs, delivers and then dies
 
 Many thanks
 
 John Cox
 
 # smtpd -d -v
 debug: init ssl-tree
 info: loading pki information for yidhra.outer.uphall.net
 info: OpenSMTPD 201405142324 starting
 debug: bounce warning after 4h
 debug: using fs queue backend
 debug: using ramqueue scheduler backend
 debug: using ram stat backend
 info: startup [debug mode]
 debug: parent_send_config_ruleset: reloading
 filter: building simple chains...
 debug: init ssl-tree
 debug: parent_send_config: configuring pony process
 filter: building complex chains...
 info: loading pki keys for yidhra.outer.uphall.net
 debug: parent_send_config: configuring ca process
 filter: done building complex chains
 filter: done building default chain
 debug: init private ssl-tree
 debug: ca_engine_init: using RSAX engine support
 debug: smtp: listen on 127.0.0.1 port 25 flags 0x1 pki
 yidhra.outer.uphall.net
 debug: smtp: listen on IPv6:fe80::1%lo0 port 25 flags 0x1 pki
 yidhra.outer.uphall.net
 debug: smtp: listen on IPv6:::1 port 25 flags 0x1 pki
 yidhra.outer.uphall.net
 debug: smtp: listen on IPv6:fe80::6a05:caff:fe08:e7b1%em2 port 25
 flags 0x1 pki yidhra.outer.uphall.net
 debug: smtp: listen on 10.44.0.3 port 25 flags 0x1 pki
 yidhra.outer.uphall.net
 debug: pony: rsae_init
 debug: pony: rsae_init
 debug: smtp: will accept at most 3503 clients
 debug: queue: done loading queue into scheduler
 debug: smtpd: scanning offline queue...
 debug: smtpd: offline scanning done
 debug: smtp: new client on listener: 0x114602434000
 smtp-in: New session 9485f27f7b43e5d1 from host 10.44.1.11
 [10.44.1.11]
 debug: lka: looking up pki yidhra.outer.uphall.net
 debug: session_start_ssl: switching to SSL
 smtp-in: No PKI entry for requested SNI smtp.outer.uphall.neton
 session 9485f27f7b43e5d1
 debug: pony: rsae_priv_dec
 smtp-in: Started TLS on session 9485f27f7b43e5d1: version=TLSv1/SSLv3,
 cipher=AES128-SHA, bits=128
 smtp: 0x1145f9b6f000: fd 5 from queue
 smtp: 0x1145f9b6f000: fd 7 from filter
 debug: filter: tx data (255) for req 9485f27f7b43e5d1
 debug: filter: tx data (314) for req 9485f27f7b43e5d1
 debug: smtp: 0x1145f9b6f000: data io done (569 bytes)
 filter: deferring eom query...
 debug: filter: tx done for req 9485f27f7b43e5d1
 filter: running eom query...
 debug: 0x1145f9b6f000: end of message, msgflags=0x
 smtp-in: Accepted message 62ceecb7 on session 9485f27f7b43e5d1:
 from=j...@uphall.net, to=j...@cix.co.uk, size=569, ndest=1,
 proto=ESMTP
 debug: scheduler: evp:62ceecb7d179e5ef scheduled (mta)
 debug: mta: received evp:62ceecb7d179e5ef for j...@cix.co.uk
 debug: mta: draining
 [relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=dynamic:0]
 refcount=1, ntask=1, nconnector=0, nconn=0
 debug: mta: querying MX for
 [relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=dynamic:0]...
 debug: mta:
 [relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=dynamic:0]
 waiting for MX
 debug: MXs for domain azathoth.uphall.net:
 46.235.226.138 preference -1
 debug: mta: ... got mx (0x114600112a20, azathoth.uphall.net,
 [relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=dynamic:0])
 debug: mta: draining
 [relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=dynamic:0]
 refcount=1, ntask=1, nconnector=0, nconn=0
 debug: mta: querying source for
 [relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=dynamic:0]...
 debug: mta: ... got source for
 [relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=dynamic:0]:
 10.44.0.3
 debug: mta: new
 [connector:10.44.0.3-[relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=dynamic:0],0x1]
 debug: mta: connecting with
 [connector:10.44.0.3-[relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=dynamic:0],0x0]
 debug: mta-routing: searching new route for
 [connector:10.44.0.3-[relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=dynamic:0],0x0]...
 debug: mta-routing: selecting candidate route 10.44.0.3 -
 46.235.226.138
 debug: mta-routing: spawning new connection on 10.44.0.3 -
 46.235.226.138
 debug: mta: 0x1145ff354000: spawned for relay
 [relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=dynamic:0]
 debug: mta: connecting with
 [connector:10.44.0.3-[relay:azathoth.uphall.net,starttls,pki_name=yidhra.outer.uphall.net,mx,sourcetable=dynamic:0],0x0]
 debug: mta

datalen mismatch with opensmtpd-201405121706 and permissions question

2014-05-13 Thread John Cox
Hi

Having got the snapshot to compile on OpenBSD5.5-stable I tried it
out.  I get datalen errors when I try to send mail to it.  Any clues?
Everything works OK on 5.4.2. (run output below)

As a probably separate question, what permissions should there be on
/var/spool/smtpd/*?  I had to create user _smtpq to run the snapshot
and it seemed to want ownership of most of that directory.  Current
setup - is this correct?:

# ls -la /var/spool/smtpd/
total 36
drwx--x--x    8 root    wheel   512 May 13 09:55 .
drwxr-xr-x   11 root    wheel   512 Mar  5 16:21 ..
drwx------   27 _smtpq  wheel  1024 Feb 23 11:44 corrupt
drwx------    2 _smtpq  wheel   512 May 13 09:59 incoming
drwxrwxrwt    2 root    wheel   512 Dec  9 20:27 offline
drwx------   16 _smtpq  wheel   512 May 13 09:55 purge
drwx------  258 _smtpq  wheel  3584 Feb 11 11:00 queue
drwx------    2 _smtpq  wheel   512 May 13 09:59 temporary
#

Many thanks

JC

# smtpd -d -v
debug: init ssl-tree
info: loading pki information for yidhra.outer.uphall.net
info: OpenSMTPD 201405121706 starting
debug: bounce warning after 4h
debug: using fs queue backend
debug: using ramqueue scheduler backend
debug: using ram stat backend
info: startup [debug mode]
debug: parent_send_config_ruleset: reloading
filter: building simple chains...
debug: init ssl-tree
debug: parent_send_config: configuring pony process
filter: building complex chains...
info: loading pki keys for yidhra.outer.uphall.net
debug: parent_send_config: configuring ca process
filter: done building complex chains
filter: done building default chain
debug: init private ssl-tree
debug: ca_engine_init: using RSAX engine support
debug: smtp: listen on 127.0.0.1 port 25 flags 0x1 pki yidhra.outer.uphall.net
debug: smtp: listen on IPv6:fe80::1%lo0 port 25 flags 0x1 pki yidhra.outer.uphall.net
debug: smtp: listen on IPv6:::1 port 25 flags 0x1 pki yidhra.outer.uphall.net
debug: smtp: listen on IPv6:fe80::6a05:caff:fe08:e7b1%em2 port 25 flags 0x1 pki yidhra.outer.uphall.net
debug: smtp: listen on 10.44.0.3 port 25 flags 0x1 pki yidhra.outer.uphall.net
debug: pony: rsae_init
debug: pony: rsae_init
debug: smtp: will accept at most 3503 clients
debug: queue: done loading queue into scheduler
debug: smtpd: scanning offline queue...
debug: smtpd: offline scanning done
debug: smtp: new client on listener: 0x56a7dae3000
smtp-in: New session fe1876ed47d20e57 from host 10.44.1.11
[10.44.1.11]
debug: lka: looking up pki yidhra.outer.uphall.net
debug: session_start_ssl: switching to SSL
smtp-in: No PKI entry for requested SNI smtp.outer.uphall.neton session fe1876ed47d20e57
debug: pony: rsae_priv_dec
smtp-in: Started TLS on session fe1876ed47d20e57: version=TLSv1/SSLv3,
cipher=AES128-SHA, bits=128
smtp: 0x56a8451: fd 5 from queue
smtp: 0x56a8451: fd 7 from filter
debug: filter: tx data (255) for req fe1876ed47d20e57
debug: filter: tx data (314) for req fe1876ed47d20e57
debug: smtp: 0x56a8451: data io done (255 bytes)
smtp: 0x56a8451: eom. datalen=255
filter: datalen mismatch on session fe1876ed47d20e57: 569/255: Undefined error: 0
smtp-in: Failed command on session fe1876ed47d20e57: DATA = 530 Message rejected
debug: filter: tx done for req fe1876ed47d20e57
smtp-in: Received disconnect from session fe1876ed47d20e57
debug: smtp: 0x56a8451: deleting session: disconnected
debug: smtp: new client on listener: 0x56a7dae3000
smtp-in: New session fe1876f6e4a24c68 from host azathoth.uphall.net [46.235.226.138]
debug: lka: looking up pki yidhra.outer.uphall.net
debug: session_start_ssl: switching to SSL
debug: pony: rsae_priv_enc
debug: pony: rsae_init
debug: pony: rsae_init
debug: pony: rsae_pub_dec
debug: pony: rsae_bn_mod_exp
debug: pony: rsae_init
debug: pony: rsae_pub_dec
debug: pony: rsae_bn_mod_exp
debug: pony: rsae_pub_dec
debug: pony: rsae_bn_mod_exp
smtp-in: Started TLS on session fe1876f6e4a24c68: version=TLSv1/SSLv3,
cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
smtp-in: Client certificate verification succeeded on session fe1876f6e4a24c68
debug: smtp: SIZE in MAIL FROM command
debug: aliases_virtual_get: 'r...@yidhra.outer.uphall.net' resolved to 1 nodes
debug: aliases_get: returned 1 aliases
smtp: 0x56a8451: fd 5 from queue
smtp: 0x56a8451: fd 7 from filter
debug: filter: tx data (297) for req fe1876f6e4a24c68
debug: filter: tx data (2461) for req fe1876f6e4a24c68
debug: smtp: 0x56a8451: data io done (297 bytes)
smtp: 0x56a8451: eom. datalen=297
filter: datalen mismatch on session fe1876f6e4a24c68: 2758/297: Undefined error: 0
smtp-in: Failed command on session fe1876f6e4a24c68: DATA = 530 Message rejected
debug: filter: tx done for req fe1876f6e4a24c68





Re: Building snapshots on 5.5-stable?

2014-05-08 Thread John Cox
Hi

On Tue, May 06, 2014 at 10:17:01AM +0100, John Cox wrote:
 Hi
 
 Is it possible to build snapshots on OpenBSD-5.5-Stable (built from
 source because as far as I can tell the release ISO still contains
 Heartbleed)?
 
 Neither the OpenBSD or the Portable version works for me.  I can
 understand that the OpenBSD version tracks current and may fail to
 build at any point, but I was hopeful that the portable version might
 be more portable...
 
 I'd like to follow this project and maybe help if I ever have the time
 (which is, at the moment, I admit, unlikely) but I really don't have
 the time to try and follow OpenBSD-current
 
 Many thanks
 
 John Cox

Hi,

Sorry for the breakage.  The new snapshot should now work on both
current and stable. Please try it out.

Sadly it still doesn't build - the problem has moved on:

cc -O2 -pipe  -I/home/jc/opensmtpd-201405071639/smtpd/../asr -g3 -ggdb
-I/home/jc/opensmtpd-201405071639/smtpd/.. -Wall -Wstrict-prototypes
-Wmissing-prototypes -Wmissing-declarations -Wshadow -Wpointer-arith
-Wcast-qual -Wsign-compare -Wbounded -DIO_SSL -DQUEUE_PROFILING   -c
/home/jc/opensmtpd-201405071639/smtpd/../asr/res_query.c
/home/jc/opensmtpd-201405071639/smtpd/../asr/res_query.c: In function
'res_query':
/home/jc/opensmtpd-201405071639/smtpd/../asr/res_query.c:63: warning:
comparison between signed and unsigned
/home/jc/opensmtpd-201405071639/smtpd/../asr/res_query.c: In function
'res_search':
/home/jc/opensmtpd-201405071639/smtpd/../asr/res_query.c:105: warning:
comparison between signed and unsigned
cc -O2 -pipe  -I/home/jc/opensmtpd-201405071639/smtpd/../asr -g3 -ggdb
-I/home/jc/opensmtpd-201405071639/smtpd/.. -Wall -Wstrict-prototypes
-Wmissing-prototypes -Wmissing-declarations -Wshadow -Wpointer-arith
-Wcast-qual -Wsign-compare -Wbounded -DIO_SSL -DQUEUE_PROFILING   -c
/home/jc/opensmtpd-201405071639/smtpd/../res_search_async.c
cc -O2 -pipe  -I/home/jc/opensmtpd-201405071639/smtpd/../asr -g3 -ggdb
-I/home/jc/opensmtpd-201405071639/smtpd/.. -Wall -Wstrict-prototypes
-Wmissing-prototypes -Wmissing-declarations -Wshadow -Wpointer-arith
-Wcast-qual -Wsign-compare -Wbounded -DIO_SSL -DQUEUE_PROFILING   -c
/home/jc/opensmtpd-201405071639/smtpd/../asr/res_send.c
/home/jc/opensmtpd-201405071639/smtpd/../asr/res_send.c: In function
'__res_send':
/home/jc/opensmtpd-201405071639/smtpd/../asr/res_send.c:55: warning:
comparison between signed and unsigned
cc -O2 -pipe  -I/home/jc/opensmtpd-201405071639/smtpd/../asr -g3 -ggdb
-I/home/jc/opensmtpd-201405071639/smtpd/.. -Wall -Wstrict-prototypes
-Wmissing-prototypes -Wmissing-declarations -Wshadow -Wpointer-arith
-Wcast-qual -Wsign-compare -Wbounded -DIO_SSL -DQUEUE_PROFILING   -c
/home/jc/opensmtpd-201405071639/smtpd/../res_send_async.c
/home/jc/opensmtpd-201405071639/smtpd/../res_send_async.c: In function
'res_send_async':
/home/jc/opensmtpd-201405071639/smtpd/../res_send_async.c:70: warning:
cast discards qualifiers from pointer target type
cc -O2 -pipe  -I/home/jc/opensmtpd-201405071639/smtpd/../asr -g3 -ggdb
-I/home/jc/opensmtpd-201405071639/smtpd/.. -Wall -Wstrict-prototypes
-Wmissing-prototypes -Wmissing-declarations -Wshadow -Wpointer-arith
-Wcast-qual -Wsign-compare -Wbounded -DIO_SSL -DQUEUE_PROFILING   -c
/home/jc/opensmtpd-201405071639/smtpd/../asr/sethostent.c
cc -O2 -pipe  -I/home/jc/opensmtpd-201405071639/smtpd/../asr -g3 -ggdb
-I/home/jc/opensmtpd-201405071639/smtpd/.. -Wall -Wstrict-prototypes
-Wmissing-prototypes -Wmissing-declarations -Wshadow -Wpointer-arith
-Wcast-qual -Wsign-compare -Wbounded -DIO_SSL -DQUEUE_PROFILING   -c
/home/jc/opensmtpd-201405071639/smtpd/../asr/event_asr_run.c
cc   -o smtpd aliases.o bounce.o ca.o compress_backend.o config.o
control.o crypto.o delivery.o dict.o dns.o envelope.o esc.o expand.o
forward.o iobuf.o ioev.o limit.o lka.o lka_session.o log.o mda.o
mproc.o mta.o mta_session.o parse.o pony.o queue.o queue_backend.o
ruleset.o runq.o scheduler.o scheduler_backend.o smtp.o smtp_session.o
smtpd.o ssl.o ssl_privsep.o ssl_smtpd.o stat_backend.o table.o to.o
tree.o util.o waitq.o compress_gzip.o delivery_filename.o
delivery_maildir.o delivery_mbox.o delivery_mda.o delivery_lmtp.o
table_db.o table_getpwnam.o table_proc.o table_static.o queue_fs.o
queue_null.o queue_proc.o queue_ram.o scheduler_ramqueue.o
scheduler_null.o scheduler_proc.o stat_ramstat.o asr.o asr_debug.o
asr_utils.o getaddrinfo.o getaddrinfo_async.o gethostnamadr.o
gethostnamadr_async.o getnameinfo.o getnameinfo_async.o getnetnamadr.o
getnetnamadr_async.o getrrsetbyname.o getrrsetbyname_async.o
res_debug.o res_init.o res_mkquery.o res_query.o res_search_async.o
res_send.o res_send_async.o sethostent.o event_asr_run.o -levent
-lutil -lssl -lcrypto -lm -lz
asr.o(.text+0x5c7): In function `asr_resolver_done':
/home/jc/opensmtpd-201405071639/smtpd/../asr.c:164: undefined
reference to `_THREAD_PRIVATE'
asr.o(.text+0x17ee): In function `asr_use_resolver':
/home/jc/opensmtpd-201405071639/smtpd/../asr.c:348: undefined
reference

Building snapshots on 5.5-stable?

2014-05-06 Thread John Cox
Hi

Is it possible to build snapshots on OpenBSD-5.5-Stable (built from
source because as far as I can tell the release ISO still contains
Heartbleed)?

Neither the OpenBSD or the Portable version works for me.  I can
understand that the OpenBSD version tracks current and may fail to
build at any point, but I was hopeful that the portable version might
be more portable...

I'd like to follow this project and maybe help if I ever have the time
(which is, at the moment, I admit, unlikely) but I really don't have
the time to try and follow OpenBSD-current

Many thanks

John Cox

Trying to build opensmtpd-201404151425 fails:

cc -O2 -pipe  -I -DNEED_EVENT_ASR_RUN -g3 -ggdb
-I/home/jc/opensmtpd-201404151425/smtpd/.. -Wall -Wstrict-prototypes
-Wmissing-prototypes -Wmissing-declarations -Wshadow -Wpointer-arith
-Wcast-qual -Wsign-compare -Wbounded -DIO_SSL -DQUEUE_PROFILING   -c
/home/jc/opensmtpd-201404151425/smtpd/../dict.c
cc -O2 -pipe  -I -DNEED_EVENT_ASR_RUN -g3 -ggdb
-I/home/jc/opensmtpd-201404151425/smtpd/.. -Wall -Wstrict-prototypes
-Wmissing-prototypes -Wmissing-declarations -Wshadow -Wpointer-arith
-Wcast-qual -Wsign-compare -Wbounded -DIO_SSL -DQUEUE_PROFILING   -c
/home/jc/opensmtpd-201404151425/smtpd/../dns.c
/home/jc/opensmtpd-201404151425/smtpd/../dns.c:32:17: error: asr.h: No
such file or directory
/home/jc/opensmtpd-201404151425/smtpd/../dns.c:58: warning: 'struct
asr_result' declared inside parameter list
/home/jc/opensmtpd-201404151425/smtpd/../dns.c:58: warning: its scope
is only this definition or declaration, which is probably not what you
want
/home/jc/opensmtpd-201404151425/smtpd/../dns.c:59: warning: 'struct
asr_result' declared inside parameter list
/home/jc/opensmtpd-201404151425/smtpd/../dns.c:60: warning: 'struct
asr_result' declared inside parameter list
/home/jc/opensmtpd-201404151425/smtpd/../dns.c:61: warning: 'struct
asr_result' declared inside parameter list
/home/jc/opensmtpd-201404151425/smtpd/../dns.c: In function
'dns_imsg':
/home/jc/opensmtpd-201404151425/smtpd/../dns.c:225: warning: implicit
declaration of function 'getnameinfo_async'
/home/jc/opensmtpd-201404151425/smtpd/../dns.c:226: warning:
assignment makes pointer from integer without a cast
/home/jc/opensmtpd-201404151425/smtpd/../dns.c:227: warning: implicit
declaration of function 'event_asr_run'
/home/jc/opensmtpd-201404151425/smtpd/../dns.c:253: warning: implicit
declaration of function 'res_query_async'
/home/jc/opensmtpd-201404151425/smtpd/../dns.c:253: warning:
assignment makes pointer from integer without a cast
/home/jc/opensmtpd-201404151425/smtpd/../dns.c:276: warning:
assignment makes pointer from integer without a cast
/home/jc/opensmtpd-201404151425/smtpd/../dns.c: At top level:
/home/jc/opensmtpd-201404151425/smtpd/../dns.c:296: warning: 'struct
asr_result' declared inside parameter list
/home/jc/opensmtpd-201404151425/smtpd/../dns.c:297: error: conflicting
types for 'dns_dispatch_host'
/home/jc/opensmtpd-201404151425/smtpd/../dns.c:58: error: previous
declaration of 'dns_dispatch_host' was here
/home/jc/opensmtpd-201404151425/smtpd/../dns.c: In function
'dns_dispatch_host':
/home/jc/opensmtpd-201404151425/smtpd/../dns.c:304: error:
dereferencing pointer to incomplete type
/home/jc/opensmtpd-201404151425/smtpd/../dns.c:313: error:
dereferencing pointer to incomplete type
/home/jc/opensmtpd-201404151425/smtpd/../dns.c:314: error:
dereferencing pointer to incomplete type
/home/jc/opensmtpd-201404151425/smtpd/../dns.c:316: error:
dereferencing pointer to incomplete type
/home/jc/opensmtpd-201404151425/smtpd/../dns.c:317: error:
dereferencing pointer to incomplete type
/home/jc/opensmtpd-201404151425/smtpd/../dns.c: At top level:
/home/jc/opensmtpd-201404151425/smtpd/../dns.c:330: warning: 'struct
asr_result' declared inside parameter list
/home/jc/opensmtpd-201404151425/smtpd/../dns.c:331: error: conflicting
types for 'dns_dispatch_ptr'
/home/jc/opensmtpd-201404151425/smtpd/../dns.c:59: error: previous
declaration of 'dns_dispatch_ptr' was here
/home/jc/opensmtpd-201404151425/smtpd/../dns.c: In function
'dns_dispatch_ptr':
/home/jc/opensmtpd-201404151425/smtpd/../dns.c:337: error:
dereferencing pointer to incomplete type
/home/jc/opensmtpd-201404151425/smtpd/../dns.c:338: error:
dereferencing pointer to incomplete type
/home/jc/opensmtpd-201404151425/smtpd/../dns.c: At top level:
/home/jc/opensmtpd-201404151425/smtpd/../dns.c:345: warning: 'struct
asr_result' declared inside parameter list
/home/jc/opensmtpd-201404151425/smtpd/../dns.c:346: error: conflicting
types for 'dns_dispatch_mx'
/home/jc/opensmtpd-201404151425/smtpd/../dns.c:60: error: previous
declaration of 'dns_dispatch_mx' was here
/home/jc/opensmtpd-201404151425/smtpd/../dns.c: In function
'dns_dispatch_mx':
/home/jc/opensmtpd-201404151425/smtpd/../dns.c:355: error:
dereferencing pointer to incomplete type
/home/jc/opensmtpd-201404151425/smtpd/../dns.c:355: error:
dereferencing pointer to incomplete type
/home/jc/opensmtpd-201404151425

Re: Should we use DKIM and SPF?

2014-04-26 Thread John Cox
On Fri, 25 Apr 2014 06:55:48 -0700, you wrote:

On Thu, Apr 24, 2014 at 11:13 AM, Ashish SHUKLA ashish...@lostca.se wrote:

 On Sat, 19 Apr 2014 08:26:59 +0200, Martin Braun yellowgoldm...@gmail.com
 said:
  Hi

  I was thinking about adding DKIM and SPF to my OpenSMTPD setup as I
  have previously run with those, but I am in doubt.

  I am thinking about the worth of those technologies?

  I used to think SPF was a good idea, but SPF fails if someone forwards
  email to another server. Then the forwarding server is not listed in
  the SPF entry and the destination mail server will reject the email.

 SRS[1][2].

 References:
 [1]  http://www.openspf.org/SRS
 [2]  http://www.libsrs2.org/

 SPF itself is a decent idea; this was just bound to happen since it makes
the assumption that all valid mail from a domain
only comes from servers that the domain knows about which may not
necessarily be the case (see mailing lists) but this is
one of the reasons to use both DKIM and SPF. generally if one passes it
scores high enough to cancel out that the other failed.
DKIM is supposed to prove that messages are authentic, not SPF. SPF is
set up to prove that a sending server has the right
to send on behalf of a domain. They really are meant to work hand in hand
and solve different problems. So if you were using DKIM and SPF
SRS would not be an issue since the DKIM info in the header proves the
message came from a valid source.

Unfortunately the whole point of SPF (unlike Sender-ID which works
much better and on much the same principles) is that you can reject
the message before receiving it so you wouldn't have the DKIM stuff
(which I think requires you to have the entire message?).

JC




Re: Should we use DKIM and SPF?

2014-04-25 Thread John Cox
Hi

On Sat, 19 Apr 2014 08:26:59 +0200, Martin Braun yellowgoldm...@gmail.com 
said:
 Hi

 I was thinking about adding DKIM and SPF to my OpenSMTPD setup as I
 have previously run with those, but I am in doubt.

 I am thinking about the worth of those technologies?

 I used to think SPF was a good idea, but SPF fails if someone forwards
 email to another server. Then the forwarding server is not listed in
 the SPF entry and the destination mail server will reject the email.

SRS[1][2]. 

References:
[1]  http://www.openspf.org/SRS
[2]  http://www.libsrs2.org/

Yes that does provide a (horrid) workaround (the mail from field was
never meant to carry trace info), but it relies on _other mtas_ using
it and in my experience a fair quantity don't. It is annoying to have
your mail bounce just because you have set up correct SPF records.

JC
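The two messages above (2014-04-25 and 2014-04-26) describe the forwarding problem with SPF and the SRS workaround: the forwarder rewrites the envelope sender into its own domain so the SPF check at the destination passes, and bounces coming back to the rewritten address are validated and unwrapped. Here is an added example of that rewrite, not code from the thread, OpenSMTPD or libsrs2, written from the SRS0 format referenced in the thread (`SRS0=HHHH=TT=original-host=original-local@forwarder`). The secret, the 21-day validity window and the use of HMAC-SHA1 truncated to four base64 characters are assumptions of this example; the addresses are constructed.

```python
import base64
import hashlib
import hmac
import time

# Constructed secret for this example only. A deployment uses its own random
# secret and keeps it private: anyone holding it can mint SRS addresses that
# the forwarder will accept bounces for.
SRS_SECRET = b"example-only-secret"
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
MAX_AGE_DAYS = 21  # assumed window in which a rewritten address is still accepted


def srs_timestamp(day: int) -> str:
    """Two base32 characters encoding (days since the epoch) mod 1024."""
    day %= 1024
    return BASE32[day >> 5] + BASE32[day & 31]


def srs_timestamp_age(ts: str, today: int) -> int:
    """Days elapsed since the encoded timestamp, allowing for the 1024-day wrap."""
    encoded = BASE32.index(ts[0]) * 32 + BASE32.index(ts[1])
    return (today - encoded) % 1024


def srs_hash(ts: str, host: str, local: str) -> str:
    """First four base64 characters of HMAC-SHA1 over the lowercased fields."""
    msg = (ts + host + local).lower().encode()
    mac = hmac.new(SRS_SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:4]


def srs_forward(sender: str, forwarder: str, today: int) -> str:
    """Rewrite the envelope sender into an SRS0 address at the forwarder's domain."""
    local, _, host = sender.rpartition("@")
    ts = srs_timestamp(today)
    return f"SRS0={srs_hash(ts, host, local)}={ts}={host}={local}@{forwarder}"


def srs_reverse(address: str, today: int) -> str:
    """Validate an SRS0 address and recover the original sender.
    Raises ValueError if it was not produced with our secret or has expired."""
    local, _, _ = address.rpartition("@")
    parts = local.split("=", 4)  # the original local part may itself contain '='
    if len(parts) != 5 or parts[0].upper() != "SRS0":
        raise ValueError("not an SRS0 address")
    _, h, ts, host, orig_local = parts
    ts = ts.upper()  # some relays fold the case of the local part in transit
    expected = srs_hash(ts, host, orig_local)
    if not hmac.compare_digest(h.lower(), expected.lower()):
        raise ValueError("hash mismatch: not rewritten by us, or tampered with")
    if srs_timestamp_age(ts, today) > MAX_AGE_DAYS:
        raise ValueError("timestamp expired")
    return f"{orig_local}@{host}"


def srs_is_valid(address: str, today: int) -> bool:
    """True when srs_reverse would accept the address today."""
    try:
        srs_reverse(address, today)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    today = int(time.time()) // 86400
    rewritten = srs_forward("alice@example.org", "forwarder.example", today)
    print(rewritten)
    print(srs_reverse(rewritten, today))
```

The hash and timestamp are what make the scheme more than a plain address rewrite: without them the forwarder's domain would accept a bounce for any `SRS0=...` address a sender cared to construct, which is exactly the faked-sender bounce problem raised in the "Bounce message creation delivery control" message earlier on this page. Whether the other MTAs in the path honour the rewritten address at all is, as the reply above says, not something the forwarder controls.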




Re: Bounces without Bodies

2014-03-10 Thread John Cox
Hi

 [snip]
 Given the similarities in the feel of the conf file to pf.conf I would
 try to tend towards that (well tested) model where possible to try and
 keep the confusion for new users as low as possible.
 

I don't really agree here, the first match approach is much simpler when
dealing with mail because you can view each rule as a template, either
an envelope matches the template and goes in or it doesn't match the
template and gets rejected. We don't deal with the many strange cases
that PF has to deal with and using a first-match approach makes our
rules evaluation much much simpler.

I think we are just going to have to disagree on this. And given that
you are the one writing the code - you get the final say :-)

Many thanks

JC




Re: Non quick virtual rules?

2014-03-07 Thread John Cox
Hi

 Is there any chance we could have a rule of the form
 
   accept for any virtual no-bounce vmap relay
 
 such that if the virtual lookup fails then processing continues to the
 next line rather than generating a bounce message.  This would
 simplify the generation of forwarding tables.
 

the processing continues is not going to happen because it leads to
issues:

   accept for any virtual no-bounce vmap relay
   accept for any relay

and suddenly instead of failing you match another rule that was not
meant to be matched, and the mail gets relayed instead of being
rejected.

Actually that is exactly what I want to happen - I really don't see
the issue.  I can cope with rules that fall through (or don't if
marked quick) in pf.conf and I can cope with it here.

 Maybe
 
   accept for recipient vmap virtual vmap relay
 
 would do, where the 2nd entry in the vmap is ignored would do?

 What I'm trying to avoid is having to list users that I want forwarded
 twice: once in a filter and once in a vmap, as that always leads to
 mismatches and confusion.  The solution would (of course) be to have
 script that auto-generates the appropriate files but I'd much rather
 avoid that level of complexity if I can.
 


technically this can be made to work if using a backend that can
share a table between different kinds of lookups (sql, ldap, ...)
some people are using the same table for credentials and userbase
using the sqlite backend for instance

I'd really prefer not to have to have an entire database setup just to
run my MTA

Regards

JC




Non quick virtual rules?

2014-03-06 Thread John Cox
Hi

Is there any chance we could have a rule of the form

  accept for any virtual no-bounce vmap relay

such that if the virtual lookup fails then processing continues to the
next line rather than generating a bounce message.  This would
simplify the generation of forwarding tables.

Maybe

  accept for recipient vmap virtual vmap relay

would do, where the 2nd entry in the vmap is ignored?

What I'm trying to avoid is having to list users that I want forwarded
twice: once in a filter and once in a vmap, as that always leads to
mismatches and confusion.  The solution would (of course) be to have
a script that auto-generates the appropriate files but I'd much rather
avoid that level of complexity if I can.

Thanks

JC




Re: [OpenSMTPD] master snapshot opensmtpd-201402271419 available

2014-02-28 Thread John Cox
Does this fix my maildir issue?

Thanks

JC


On Thu, 27 Feb 2014 14:23:01 +0100 (CET), you wrote:

User gilles has just rebuilt a master snapshot, available from:

http://www.OpenSMTPD.org/archives/opensmtpd-201402271419.tar.gz

Checksum:

  SHA256 (opensmtpd-201402271419.tar.gz) =
  f11d4e516eb0474d321c5515646f9f05fa71382bbfaac6a8b6a886c534afa865

A summary of the content of this snapshot is available below.

Please test and let us know if it breaks something!

If this snapshot doesn't work, please also test with a previous one,
to help us spot where the issue is coming from. You can access all
previous snapshots here:

http://www.opensmtpd.org/archives/

The OpenSMTPD team ;-)


Summary of changes since last snapshot (opensmtpd-201402071556):
---

- sync man page changes from OpenBSD
- tweak usage()
- implement smtpctl show status [1]
- do not lookup pki based on hostname if specified in listener
- document table_socketmap
- add support for initial-response for AUTH LOGIN [2]
- in MTA block-tree use strcasecmp() to compare domains
- fix off-by-one leading to bogus hoststats tree
- fix possible crash in multi-message transactions, introduced by DSN

[1] Author: Sunil Nimmagadda su...@nimmagadda.net
[2] Author: Nicolas EDEL nicolas.e...@gmail.com




Why can't I have virtual and relay via together?

2013-12-16 Thread John Cox
Hi

I have a m/c that receives mail on the border of my domain.  It
doesn't want to deliver any mail itself it just wants to deliver to
the mailstore.  However it does want to do any required forwarding
and/or rejection to prevent needless internal message traffic (and to
prevent confusion if the message was spoofed).  So I thought that this
should work:

table localdomains {example.net}
table virtuser file:/etc/mail/virtuser

[pki stuff]

listen on all secure pki smarthost.example.net

accept from source mailstore.example.net\
 for !domain localdomains\
 relay pki smarthost.uphall.net

accept from !source mailstore.example.net\
 for domain localdomains virtual virtuser\
 relay via tls://mailstore.example.net pki smarthost.example.net

But I get

# smtpd -n
/etc/mail/smtpd.conf:22: aliases/virtual may not be used with a relay rule

I understand what the error is saying but why is this enforced?

Thanks

JC

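
Both the "Non quick virtual rules?" thread above and this question come down to the same practical problem: keeping a recipient filter table and a virtual map in step by hand, without a database backend, so that a recipient is never accepted by one and unknown to the other. The script below is an added example, not code from the list or from the OpenSMTPD project. It reads one forwarding list and emits both tables from it, refuses duplicate keys and expansion loops, and (as an assumption about how expanded addresses are re-matched against the ruleset, to be checked against your version's smtpd.conf(5)) points the virtual values at the mailstore's own domain so that a separate, plain relay rule for that domain carries them onward instead of the virtual rule. The input format, the output file names and the sample list are all constructed for the example; check table(5) for the exact file formats your version expects.

```python
"""Generate a recipient list table and a virtual mapping table from one file.

Added example (not part of OpenSMTPD or of the mailing-list post).
Assumed input format, one entry per line, '#' starts a comment:

    recipient@domain    target@domain[, target@domain ...]
"""
import re
import sys
from collections import OrderedDict

# Constructed sample forwarding list (not taken from the mailing list).
SAMPLE_FORWARDS = """\
# forwarding list for example.net; targets live on the mailstore
alice@example.net       alice@mailstore.example.net
bob@example.net         bob@mailstore.example.net, alice@mailstore.example.net
postmaster@example.net  alice@example.net
"""

ADDR_RE = re.compile(r"^[^\s@,]+@[^\s@,]+$")


def parse_forwards(text):
    """Return an ordered {recipient: [targets]} map.

    Rejects malformed lines, addresses without a domain part and duplicate
    keys (a duplicate would silently make one of the two lines win)."""
    entries = OrderedDict()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'recipient target[,target]'")
        key, rest = parts[0].lower(), parts[1]
        targets = [t.strip().lower() for t in rest.split(",") if t.strip()]
        if not ADDR_RE.match(key) or not targets or not all(ADDR_RE.match(t) for t in targets):
            raise ValueError(f"line {lineno}: malformed address")
        if key in entries:
            raise ValueError(f"line {lineno}: duplicate entry for {key}")
        entries[key] = targets
    return entries


def find_loops(entries):
    """Return the recipients whose expansion eventually reaches themselves
    (a -> b -> a, or a -> a); these would bounce or loop instead of forwarding."""
    looping = []
    for start in entries:
        seen, stack = set(), list(entries[start])
        while stack:
            addr = stack.pop()
            if addr == start:
                looping.append(start)
                break
            if addr in seen:
                continue
            seen.add(addr)
            stack.extend(entries.get(addr, []))
    return looping


def render_recipients(entries):
    """List table: one accepted recipient per line (for 'recipient <table>')."""
    return "".join(f"{k}\n" for k in sorted(entries))


def render_virtual(entries):
    """Mapping table: 'key<TAB>target[,target]' per line (for 'virtual <table>').
    Assumed format; see table(5) for your version."""
    return "".join(f"{k}\t{','.join(entries[k])}\n" for k in sorted(entries))


def generate(text):
    """Parse the forwarding list and return (recipients_table, virtual_table),
    both derived from the same keys so they cannot disagree."""
    entries = parse_forwards(text)
    loops = find_loops(entries)
    if loops:
        raise ValueError("expansion loop via: " + ", ".join(loops))
    return render_recipients(entries), render_virtual(entries)


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FORWARDS
    recipients, virtual = generate(src)
    with open("recipients", "w") as f:   # assumed output names
        f.write(recipients)
    with open("virtuser", "w") as f:
        f.write(virtual)
```

Run it over the real forwarding list and install the two outputs as the `recipient` and `virtual` tables of the same rule; a recipient that is not a key of the map is then rejected at RCPT time by the filter, and never reaches the virtual lookup that would bounce it.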



Macro expansion

2013-12-14 Thread John Cox
I tried to use this:

  smarthost = smarthost.example.net

  from any relay via tls://$smarthost

however from the debug it looks like the macro did not expand and
(unsurprisingly) the system couldn't find the system $smarthost to
relay to.  Should this work or is the macro prevented from expanding
due to not being preceded by whitespace?

Could I use a macro for a longer bit of syntax e.g.

  smart_relay = relay via tls://smarthost.example.net pki smarthost.example.net verify

  from any smart_relay

And if so (a) how can I get quotes into a macro and (b) can I use
other macros inside a macro?

Many thanks

John Cox

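
An added example, not from the list or from OpenSMTPD, written against one assumption: that smtpd.conf, like pf.conf, only expands a $macro when the $ begins a whitespace-delimited word, so that a reference buried inside a word such as tls://$smarthost is passed through literally. The script below pulls the "name = value" definitions out of an smtpd.conf and reports references that sit inside a word, references to macros that were never defined, and macros that are defined but never used; expand() shows what the configuration looks like under that rule. It does not deal with macros nested inside other macro values. The sample configuration is constructed.

```python
"""Lint $macro references in an smtpd.conf (added example, not OpenSMTPD code).

Assumption: a macro reference is only expanded when the '$' starts a
whitespace-delimited word; 'tls://$smarthost' is therefore never expanded.
"""
import re

# Constructed sample; not a configuration from the list.
SAMPLE_CONF = """\
smarthost = smarthost.example.net
ourpki = "smarthost.example.net"
unused = "never referenced"

listen on all secure pki $ourpki
accept from any for domain example.net relay via tls://$smarthost
accept for any relay via tls://$smarthost pki $ourpki verify
accept from local for any relay via $relayhost
"""

DEF_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')
REF_RE = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')


def strip_comment(line):
    """Drop a trailing '#' comment (naive: ignores '#' inside quoted strings)."""
    return line.split('#', 1)[0]


def parse_macros(text):
    """Return {name: value} for every 'name = value' line, quotes removed."""
    macros = {}
    for line in text.splitlines():
        m = DEF_RE.match(strip_comment(line))
        if m:
            macros[m.group(1)] = m.group(2).strip('"')
    return macros


def lint(text):
    """Return (lineno, message) findings; lineno 0 marks file-level findings."""
    macros = parse_macros(text)
    used = set()
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if DEF_RE.match(line):
            continue  # definitions are not scanned for references here
        for word in line.split():
            for m in REF_RE.finditer(word):
                name = m.group(1)
                used.add(name)
                if name not in macros:
                    findings.append((lineno, f"undefined macro ${name}"))
                elif m.start() != 0:
                    findings.append((lineno, f"${name} is not at the start of a word "
                                             f"({word!r}); it will not be expanded"))
    for name in sorted(set(macros) - used):
        findings.append((0, f"macro {name} defined but never used"))
    return findings


def expand(text):
    """Expand word-initial references only, per the assumption above, and
    drop the definition lines; returns the resulting configuration text."""
    macros = parse_macros(text)
    out = []
    for raw in text.splitlines():
        if DEF_RE.match(strip_comment(raw)):
            continue
        words = []
        for word in raw.split():
            m = REF_RE.match(word)          # match() anchors at the start of the word
            if m and m.group(1) in macros:
                word = macros[m.group(1)] + word[m.end():]
            words.append(word)
        out.append(" ".join(words))
    return "\n".join(out)


if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE_CONF):
        print(f"line {lineno}: {msg}")
    print(expand(SAMPLE_CONF))
```

On the sample the lint flags both tls://$smarthost lines, the undefined $relayhost and the unused macro; the usual way around the first finding is to keep the whole URL in the macro (smarthost = "tls://smarthost.example.net") and reference it as a word of its own.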



Re: cert.pem missing

2013-12-11 Thread John Cox
Hi

I see this in my logs a lot:
Dec  9 19:17:51 frisell smtpd[8813]: warn: unable to load CA file
/etc/ssl/cert.pem: No such file or directory


On my system (gentoo), /etc/ssl/ has a directory called certs which
has multiple pems. How to handle this?

I'm guessing slightly, but openssl has (at least) two schemes for
handling certificate verification: bundles and directories with
certificates (and hashes).

A bundle, which is what I think opensmtpd wants, is simply all the
certs that you want to treat as roots concatenated into one file.
There is sometimes a size limit on what works for this.

A directory, which is what sendmail seems to want, is a lot of files
which each contains 1 cert with a file name derived from their hash
value (or quite commonly sym links named after the hash value of the
cert files they point to).

I have some perl scripts that will take apart bundles and convert to
the hash form, but not the other way round.

If you want to check that your bundle or dir is working correctly then
openssl verify is your friend (you will need to read the man page
carefully).

It is worth noting that from what I've read on this mailing list that

pki example.net ca /etc/ssl/certs.pem

is not the same thing as the sendmail

define(`confCACERT', `CERT_DIR/local_certs/ca_example.net.crt')

I believe that the pki line specifies a bundle to search for
verification and I'm pretty sure that the sendmail line defines a cert
(or small cert bundle) that is sent along with your local cert as a
list of preferred CAs that the other end should use (and maybe can
also show your chain of trust - I think this protocol element is often
abused, misunderstood or ignored).

TLS is the next thing I intend to play with in my opensmtpd setup and
I haven't had actual experience of setting it up yet so the above
should be taken with a pinch of salt.  But I have made sendmail's
version work properly for me with both public root certs and locally
generated certs at the same time so I have some background on what I'm
expecting to happen.



Wishlist


pki example.net cacert_path /etc/ssl/certs - equivalent to sendmail
define(`confCACERT_PATH', `CERT_DIR/certs')

also a source match on cert issuer and/or cert name like the sendmail
access db line:

CertIssuer:/C=GB/ST=England/L=Gotham/O=WayneEnterprises/OU=BatCave/CN=cave.net/emailAddress=b...@cave.net RELAY

I use the above to allow relaying from any site that connects via
TLS with a cert that I have signed without the need for separate auth.
It also allows me to verify the cert chains of random sites that are
relaying mail to me without letting them relay onwards.


Also CRL bundles or CRL dirs



Thanks

John Cox

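
An added example, not code from the list or from OpenSMTPD, for the bundle-to-directory direction mentioned above. It splits a PEM bundle into one certificate per entry and names each file the way OpenSSL's c_rehash does: <subject_hash>.<n>, with n counting up from 0 when several certificates share a subject hash. The hash itself comes from "openssl x509 -noout -subject_hash" rather than being recomputed in Python, so the directory is named exactly as the library will look it up; the hash function is passed in as a parameter so the naming logic can be exercised without openssl, and the bundle in the demo is constructed placeholder text, not real certificates.

```python
"""Split a PEM bundle into an OpenSSL hashed certificate directory.

Added example (not part of OpenSMTPD or of the mailing-list post).
Requires the openssl command for real bundles; the offline demo uses a
stand-in hash function.
"""
import os
import re
import subprocess
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----", re.S)

# Constructed placeholder bundle: the bodies are NOT real certificates and
# only exercise the splitting and naming logic. Bundles commonly carry
# human-readable text between entries, which must be dropped.
SAMPLE_BUNDLE = """\
# Local CA (placeholder)
-----BEGIN CERTIFICATE-----
Q0EtT05F
-----END CERTIFICATE-----
Root CA two (placeholder)
-----BEGIN CERTIFICATE-----
Q0EtVFdP
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q0EtVEhSRUU=
-----END CERTIFICATE-----
"""


def split_bundle(text):
    """Return the PEM certificate blocks of a bundle, in order, without the
    surrounding commentary."""
    return [m.group(0) + "\n" for m in PEM_RE.finditer(text)]


def openssl_subject_hash(pem):
    """Ask openssl for the 8-hex-digit subject hash c_rehash uses as the
    file name (this is the post-1.0 hash; see -subject_hash_old for 0.9.8)."""
    out = subprocess.run(["openssl", "x509", "-noout", "-subject_hash"],
                         input=pem.encode(), capture_output=True, check=True).stdout
    return out.decode().strip()


def rehash(text, hash_fn=openssl_subject_hash):
    """Map file name -> PEM for a hashed directory: '<hash>.0', then
    '<hash>.1', '<hash>.2', ... for certificates sharing a subject hash."""
    counts = {}
    files = {}
    for pem in split_bundle(text):
        h = hash_fn(pem)
        n = counts.get(h, 0)
        counts[h] = n + 1
        files[f"{h}.{n}"] = pem
    return files


def write_dir(files, directory):
    """Write the mapping produced by rehash() into a directory."""
    os.makedirs(directory, exist_ok=True)
    for name, pem in files.items():
        with open(os.path.join(directory, name), "w") as f:
            f.write(pem)


def fake_hash(pem):
    """Stand-in for the offline demo: the first two placeholder certs collide."""
    return "0badcafe" if "Q0EtVEhSRUU=" in pem else "deadbeef"


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # real bundle, real openssl: rehash.py bundle.pem /etc/ssl/certs-dir
        write_dir(rehash(open(sys.argv[1]).read()), sys.argv[2])
    else:
        for name in rehash(SAMPLE_BUNDLE, fake_hash):
            print(name)      # deadbeef.0, deadbeef.1, 0badcafe.0
```

Once the directory is written, "openssl verify -CApath <dir> <cert>" checks that a leaf verifies against it, which is the same test described above for a bundle with -CAfile; if a verification that works with the bundle fails against the directory, the usual cause is a hash naming mismatch between the OpenSSL that named the files and the one doing the lookup.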