Re: Including remote addresses in smtpd syslog output

2020-05-26 Thread Kevin Zheng
Hi Gilles,

On 5/26/20 12:04 AM, gil...@poolp.org wrote:
> We now provide a reporting API which is basically a stream of events that can
> be consumed by tools. It is a line-based format which is not meant to be read
> by humans but meant to be easily parsed by tools and that provides all of the
> information necessary to replicate the session states. Using this stream, one
> can write a tiny filter which aggregates info and outputs logs tailored for a
> specific third-party application with a guarantee that it won't break when we
> make a subtle change to the maillog format. If I were working on SSHGuard for
> example, I'd write an sshguard-exporter script that reads the stream and that
> outputs to syslog a format SSHguard recognizes. This way, an smtpd user would
> simply:
> 
> filter sshguard proc-exec "sshguard-exporter"
> listen on all filter sshguard
> action "foobar" relay filter sshguard
> 
> SSHguard itself would never need to be altered to follow changes in logs.

Thanks, makes sense to me. I was vaguely aware that actions and filters
became available, but I didn't know that they could do this. I think
this is exactly what I was looking for.

Thanks,
Kevin

-- 
Kevin Zheng
kevinz5...@gmail.com | kev...@berkeley.edu
XMPP: kev...@eecs.berkeley.edu



Including remote addresses in smtpd syslog output

2020-05-25 Thread Kevin Zheng
Hi folks,

I'm new around here. I'm a happy OpenSMTPD user (on FreeBSD), and I
maintain SSHGuard (https://www.sshguard.net/), a program that reads
system logs and adds temporary firewall rules.

Some SSHGuard users want to use SSHGuard with OpenSMTPD. OpenSMTPD 6.6.0
appears to log SMTP sessions:

May 26 00:20:00 mx01 smtpd[9904]: ce7a8154503699d2 smtp connected
address=a.b.c.d host=a.b.c.d

Subsequent things that happen during that session look like:

May 26 00:20:00 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command
command="AUTH LOGIN (password)" result="535 Authentication failed"

Chasing changes in syslog output is a part of maintaining software like
SSHGuard. Unfortunately, my parser (which recently learned how to
pledge!) is a bit dull and would require some re-education to remember
SMTP sessions and their associated IP addresses. So, my questions are:

Why did OpenSMTPD stop reporting IP addresses on every line?

Is there any chance that OpenSMTPD can put IP addresses back on every line?

Regards,
Kevin

-- 
Kevin Zheng
kevinz5...@gmail.com | kev...@berkeley.edu
XMPP: kev...@eecs.berkeley.edu
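The bookkeeping Kevin's parser would need (and that an exporter filter would do on its behalf), as an added example that is not SSHGuard or OpenSMTPD code: it reads 6.6-style syslog lines of the shape quoted above, remembers the remote address per 16-hex-digit session id, re-emits every later line of that session with `address=` put back, and counts `535` AUTH failures per address. The sample log is constructed; the field names `address`, `command` and `result` are taken from the lines in the thread.

```python
"""Re-join OpenSMTPD 6.6 session-scoped syslog lines with their remote address.

Only the "smtp connected" line carries address=; later lines of the same
session carry only the session id.  This tracker keeps an id -> address map
so a line-oriented consumer sees the address on every line again.
"""
import re
from collections import Counter

# Constructed sample in the shape of the 6.6 log lines quoted in the thread.
SAMPLE_LOG = """\
May 26 00:20:00 mx01 smtpd[9904]: ce7a8154503699d2 smtp connected address=192.0.2.10 host=192.0.2.10
May 26 00:20:01 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
May 26 00:20:02 mx01 smtpd[9904]: 0123456789abcdef smtp connected address=198.51.100.7 host=mail.example.net
May 26 00:20:03 mx01 smtpd[9904]: ce7a8154503699d2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
May 26 00:20:04 mx01 smtpd[9904]: ce7a8154503699d2 smtp disconnected reason=quit
May 26 00:20:05 mx01 smtpd[9904]: 0123456789abcdef smtp failed-command command="AUTH PLAIN (password)" result="535 Authentication failed"
May 26 00:20:06 mx01 smtpd[9904]: deadbeefdeadbeef smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
"""

# syslog prefix, then "<session id> smtp <event> [key=value ...]"
LINE_RE = re.compile(
    r"^(?P<prefix>\w{3} +\d+ \d\d:\d\d:\d\d \S+ smtpd\[\d+\]:) "
    r"(?P<sid>[0-9a-f]{16}) smtp (?P<event>\S+)(?: (?P<rest>.*))?$"
)
# key=value pairs; values may be double-quoted and contain spaces
KV_RE = re.compile(r'(?P<key>[\w-]+)=(?P<val>"[^"]*"|\S*)')


def parse_kv(rest):
    """Turn 'a=1 b="two words"' into {'a': '1', 'b': 'two words'}."""
    return {m.group("key"): m.group("val").strip('"') for m in KV_RE.finditer(rest or "")}


class SessionTracker:
    def __init__(self):
        self.sessions = {}              # session id -> remote address
        self.auth_failures = Counter()  # remote address -> failed AUTH count
        self.orphans = []               # session ids seen without a connected line

    def feed(self, line):
        """Return the line with address= re-inserted, or None if it cannot be attributed."""
        m = LINE_RE.match(line)
        if not m:
            return None  # not a session-scoped smtp line; ignore
        sid, event, rest = m.group("sid"), m.group("event"), m.group("rest") or ""
        kv = parse_kv(rest)
        if event == "connected":
            # the only line that carries the address; remember it for the session
            self.sessions[sid] = kv.get("address", "unknown")
            return line
        addr = self.sessions.get(sid)
        if event == "disconnected":
            self.sessions.pop(sid, None)  # session over; drop state after annotating
        if addr is None:
            # e.g. the connected line predates log rotation: cannot attribute safely
            self.orphans.append(sid)
            return None
        if (event == "failed-command"
                and kv.get("command", "").startswith("AUTH")
                and kv.get("result", "").startswith("535")):
            self.auth_failures[addr] += 1
        out = f"{m.group('prefix')} {sid} smtp {event} address={addr}"
        return out + (f" {rest}" if rest else "")


def process(log_text):
    """Run the tracker over a whole log; return (emitted lines, failures, orphans)."""
    tracker = SessionTracker()
    emitted = [o for o in (tracker.feed(l) for l in log_text.splitlines()) if o is not None]
    return emitted, dict(tracker.auth_failures), tracker.orphans


if __name__ == "__main__":
    lines, failures, orphans = process(SAMPLE_LOG)
    print("\n".join(lines))
    print("AUTH failures per address:", failures)
    print("unattributed sessions:", orphans)
```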



Re: myca submission and letsencrypt smtp

2020-01-05 Thread Kevin Chadwick
Perhaps stunnel may work for port 25, though I guess I would lose some of 
opensmtpds priv sep features



myca submission and letsencrypt smtp

2020-01-04 Thread Kevin Chadwick
Is it possible to have both?

letsencrypt for tls on port 25 for remote servers to verify

and tls-require verify auth on port 587 permitting self signed certificates
signed by myca only for client authentication without any risk of arbitrary CAs
providing forged certificates.

Perhaps I can move /etc/ssl/cert.pem, though I guess that may break ftp etc.

I am trying to replace ssh for client access to mail as it cannot be as energy
efficient considering it is not email client controlled and so more like a VPN

I understand email isn't the most secure but for internal comms on controlled
servers it is secure and highly functional.

Thanks, KC



Re: unable to send mail from desktop mail client to remote email addresses

2019-10-03 Thread Kevin
On Thu, Oct 3, 2019 at 11:31 AM Nick Ryan  wrote:

> Have you contacted vultr? Their faq states it could be blocked and its
> worth checking with them.
>
> Do you allow outbound SMTP?
> <https://www.vultr.com/resources/faq/?query=Smtp#outboundsmtp>
>
> In some instances, outbound traffic to the SMTP port may be blocked for
> new accounts. If you encounter this restriction, contact our support team
> from the customer portal.
>
>
SOLVED!

Winner, winner, chicken dinner!

Just reporting back here that Nick Ryan has nailed the issue: Vultr.

Apparently they're borderline militant anti-spammers who block SMTP by
default and also refuse to unblock it for you for any kind of promotional
emailing including to double- and triple- opt-in verified contacts.

IOW: practically speaking, you can't use a Vultr instance for mailing
anything resembling "marketing" emails, because, let's be honest here,
you're GOING to get spam complaints... all businesses do, no matter how
'clean' your list and how white hat and ethical you are as a business.

Heck, I had an instance years ago where GoDaddy (hate them) threatened to
revoke a domain registration because exactly *ONE* person complained that I
was a spammer over the course of *years*.

Said grouser had originally gotten onto my list back in 2008... I emailed
him a handful of times a year for the next few years with no issues, then
in 2014 (yes, six YEARS he was on my list), he complains to GoDaddy that
I'd "spammed" him. (I didn't.)

Luckily, I keep all the original sign-up info (IP, user_agent, etc), so I
was able to get out of the issue, but that *was* a complaint.

Would Vultr terminate my hosting with them after that? From their TOS it
sure seems like it.

S... as much as I like them technologically, I'm looking for a new ISP
now. (Anyone got recommendations for cloud-based OpenBSD hosts? I'm done
hosting bare metal...)

Thanks for the help everyone (double thanks to Nick Ryan), and let this
serve as future notice to anyone RTFAs, attempts to redact or withhold
information when you're seeking help from the list is just stupid.

Even the *tiniest detail* can be THE key to solving your issue. Disclose
anything or figure it out on your own.

Kevin


Re: unable to send mail from desktop mail client to remote email addresses

2019-10-03 Thread Kevin
   0:00.02
dovecot/log
_dovecot 35238  0.0  0.2   616  2344 ??  I  11:41PM0:00.02
dovecot/anvil
root 27271  0.0  0.5  2748  5300 ??  I  11:41PM0:00.09
dovecot/config
_dovecot 24598  0.0  0.2   676  2480 ??  I  11:41PM0:00.02
dovecot/stats



mx$ ps aux | grep spam
root 35077  0.0  0.4 41748  3756 ??  I  11:41PM0:00.09 rspamd:
main process (rspamd)
_rspamd  17847  0.0  0.7 41908  7380 ??  S  11:41PM0:01.48 rspamd:
rspamd_proxy process (localhost:11332) (rspamd)
_rspamd  35396  0.0  1.3 42840 13092 ??  S  11:41PM0:08.62 rspamd:
controller process (localhost:11334) (rspamd)
_rspamd   9697  0.0  1.0 42676  9896 ??  S  11:41PM0:01.55 rspamd:
normal process (localhost:11333) (rspamd)
_smtpd2006  0.0  0.3 106116  3544 ??  I   9:41AM0:00.01
/usr/local/libexec/smtpd/filter-rspamd



mx$ ps aux | grep redis
_redis   86838  0.0  0.3 14468  2860 ??  S  11:41PM0:19.81
redis-server: /usr/local/sbin/redis-server 127.0.0.1:6379 (redis-server)


On Thu, Oct 3, 2019 at 9:11 AM Edgar Pettijohn 
wrote:

> Could you post your config.
>
> Thanks
> On Oct 3, 2019 10:34 AM, Kevin  wrote:
>
>
>
> On Thu, Oct 3, 2019 at 12:36 AM Peter N. M. Hansteen 
> wrote:
>
> On Wed, Oct 02, 2019 at 11:33:58PM -0700, Kevin wrote:
> > Hi all,
> >
> > Having just followed the setup instructions on Gilles HOWTO page here:
> >
> >
> >
> https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/
> >
> >
> > ...I'm unable to send mail from my new OpenSMTPD server on OpenBSD
> 6.6-beta
> > (OpenBSD 6.6-beta (GENERIC) #320: Mon Sep 30 21:24:24 MDT 2019); however,
> > other deliveries (and mail retrieval) work.
> >
> > The pertinent log message looks like this:
> >
> > Oct  2 23:21:33 mx smtpd[25067]: bf1c57bab7fcd344 smtp envelope
> > evpid=2c41c5fc4a7e6c06 from= to= >
> > Oct  2 23:21:33 mx smtpd[25067]: bf1c57bab7fcd344 smtp disconnected
> > reason=quit
> > Oct  2 23:21:38 mx smtpd[25067]: bf1c57b6b057c6ef mta error
> > reason=Connection timeout
>
> Connection timeout sounds very much like your machine is not allowed to
> send
> outgoing mail via SMTP. Check for firewalls and the like.
>
> Also,
>
> [Thu Oct 03 09:24:37] peter@skapet:~$ host example.app
> Host example.app not found: 3(NXDOMAIN)
> [Thu Oct 03 09:24:43] peter@skapet:~$ host mx.example.app
> Host mx.example.app not found: 3(NXDOMAIN)
>
> Among the things you need in order to deliver mail, a valid domain is in
> the top few. I think the basic requirements are indeed listed in the
> article
> (under "Requirements"), please go back and re-read, check that you have
> all of those set up properly.
>
>
> I can see why you might think that given that I altered the real domain
> name to example.app. (I know it's frowned upon; I only did it because this
> is a new machine with a setup hobbling along. Bad Kevin... bad...)
>
> In any event, I'm *sure* the domain DNS part is right as I can _receive_
> email just fine, including from the same @gmail address I'm writing this
> from, ergo, DNS resolution of the real domain (and its MX record) are fine.
>
> As for pf being the issue; it's disabled.
>
> # pfctl -s info
> Status: Disabled for 0 days 08:23:56 Debug: err
>
> Latest, greatest kernel running:
>
> $ dmesg | grep Open | tail -1
> OpenBSD 6.6 (GENERIC) #326: Wed Oct  2 22:34:33 MDT 2019
>
> One of the things that's puzzling is this part of the log:
>
> 
> smtp disconnected reason=quit.
> 
>
> If I can send the domain email, if I can retrieve email via Dovecot, if I
> can send mail to myself from the server's CLI (and even retrieve it
> remotely via my mail client), it seems like there's some knob missing that
> says, "All auth'd users to relay," yet, I've copied-and-pasted Gilles'
> rules (and edited them for my own domain) , and it am no workie.
>
> Is there perhaps something else akin to the forwarding knob that lets PF
> forward packets between interfaces that either I've forgotten or was
> skipped in the HOWTO?
>
> Thanks,
> Kevin
>
>


Re: unable to send mail from desktop mail client to remote email addresses

2019-10-03 Thread Kevin
On Thu, Oct 3, 2019 at 8:55 AM Reio Remma  wrote:

> On 03.10.2019 18:34, Kevin wrote:
>
> If I can send the domain email, if I can retrieve email via Dovecot, if I
> can send mail to myself from the server's CLI (and even retrieve it
> remotely via my mail client), it seems like there's some knob missing that
> says, "All auth'd users to relay," yet, I've copied-and-pasted Gilles'
> rules (and edited them for my own domain) , and it am no workie.
>
> Is there perhaps something else akin to the forwarding knob that lets PF
> forward packets between interfaces that either I've forgotten or was
> skipped in the HOWTO?
>
> Thanks,
> Kevin
>
>
> What connection do you have?
>

Ironically / fittingly, Vultr, same as in Gilles' guide. Have been there
for ~6 years now running OpenBSD for all my servers there.


> If it's a home connection, then most ISP-s block sending mail directly to
> port 25 (on the destination server). You want a static IP for a mail
> server, with rDNS etc. set up.
>

rDNS is set up and matches the hostname.


Re: unable to send mail from desktop mail client to remote email addresses

2019-10-03 Thread Kevin
On Thu, Oct 3, 2019 at 12:36 AM Peter N. M. Hansteen 
wrote:

> On Wed, Oct 02, 2019 at 11:33:58PM -0700, Kevin wrote:
> > Hi all,
> >
> > Having just followed the setup instructions on Gilles HOWTO page here:
> >
> >
> >
> https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/
> >
> >
> > ...I'm unable to send mail from my new OpenSMTPD server on OpenBSD
> 6.6-beta
> > (OpenBSD 6.6-beta (GENERIC) #320: Mon Sep 30 21:24:24 MDT 2019); however,
> > other deliveries (and mail retrieval) work.
> >
> > The pertinent log message looks like this:
> >
> > Oct  2 23:21:33 mx smtpd[25067]: bf1c57bab7fcd344 smtp envelope
> > evpid=2c41c5fc4a7e6c06 from= to= >
> > Oct  2 23:21:33 mx smtpd[25067]: bf1c57bab7fcd344 smtp disconnected
> > reason=quit
> > Oct  2 23:21:38 mx smtpd[25067]: bf1c57b6b057c6ef mta error
> > reason=Connection timeout
>
> Connection timeout sounds very much like your machine is not allowed to
> send
> outgoing mail via SMTP. Check for firewalls and the like.
>
> Also,
>
> [Thu Oct 03 09:24:37] peter@skapet:~$ host example.app
> Host example.app not found: 3(NXDOMAIN)
> [Thu Oct 03 09:24:43] peter@skapet:~$ host mx.example.app
> Host mx.example.app not found: 3(NXDOMAIN)
>
> Among the things you need in order to deliver mail, a valid domain is in
> the top few. I think the basic requirements are indeed listed in the
> article
> (under "Requirements"), please go back and re-read, check that you have
> all of those set up properly.
>
>
I can see why you might think that given that I altered the real domain
name to example.app. (I know it's frowned upon; I only did it because this
is a new machine with a setup hobbling along. Bad Kevin... bad...)

In any event, I'm *sure* the domain DNS part is right as I can _receive_
email just fine, including from the same @gmail address I'm writing this
from, ergo, DNS resolution of the real domain (and its MX record) are fine.

As for pf being the issue; it's disabled.

# pfctl -s info
Status: Disabled for 0 days 08:23:56 Debug: err

Latest, greatest kernel running:

$ dmesg | grep Open | tail -1
OpenBSD 6.6 (GENERIC) #326: Wed Oct  2 22:34:33 MDT 2019

One of the things that's puzzling is this part of the log:


smtp disconnected reason=quit.


If I can send the domain email, if I can retrieve email via Dovecot, if I
can send mail to myself from the server's CLI (and even retrieve it
remotely via my mail client), it seems like there's some knob missing that
says, "All auth'd users to relay," yet, I've copied-and-pasted Gilles'
rules (and edited them for my own domain) , and it am no workie.

Is there perhaps something else akin to the forwarding knob that lets PF
forward packets between interfaces that either I've forgotten or was
skipped in the HOWTO?

Thanks,
Kevin


unable to send mail from desktop mail client to remote email addresses

2019-10-03 Thread Kevin
Hi all,

Having just followed the setup instructions on Gilles HOWTO page here:


https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/


...I'm unable to send mail from my new OpenSMTPD server on OpenBSD 6.6-beta
(OpenBSD 6.6-beta (GENERIC) #320: Mon Sep 30 21:24:24 MDT 2019); however,
other deliveries (and mail retrieval) work.

The pertinent log message looks like this:

Oct  2 23:21:33 mx smtpd[25067]: bf1c57bab7fcd344 smtp envelope
evpid=2c41c5fc4a7e6c06 from= to=
Oct  2 23:21:33 mx smtpd[25067]: bf1c57bab7fcd344 smtp disconnected
reason=quit
Oct  2 23:21:38 mx smtpd[25067]: bf1c57b6b057c6ef mta error
reason=Connection timeout

A couple of other relevant facts:

1. I can send mail from the command line to myself locally and download it
via my mail client
2. I can send mail from other external addresses and download it via my
mail client.

My config files are ostensibly the same as those on the HOWTO page.
Obviously happy to post them if needed.

Thanks,
Kevin


pony express: smtpd: bind: Cannot assign requested address

2017-09-24 Thread Kevin
; queue backend
smtpd[21205]: debug: using "ramqueue" scheduler backend
smtpd[21205]: debug: using "ram" stat backend
smtpd[21205]: setup_peer: pony express -> control[21203] fd=5
smtpd[21206]: debug: init ssl-tree
smtpd[21206]: info: loading pki information for db5.myplaceonline.com
smtpd[21206]: debug: init ca-tree
smtpd[21206]: debug: init ssl-tree
smtpd[21206]: info: loading pki keys for db5.myplaceonline.com
smtpd[21206]: debug: using "fs" queue backend
smtpd[21206]: debug: using "ramqueue" scheduler backend
smtpd[21206]: debug: using "ram" stat backend
smtpd[21206]: setup_peer: queue -> control[21203] fd=5
smtpd[21206]: setup_peer: queue -> pony express[21205] fd=6
smtpd[21206]: setup_peer: queue -> lookup[21204] fd=7
smtpd[21205]: setup_peer: pony express -> klondike[21202] fd=6
smtpd[21205]: setup_peer: pony express -> lookup[21204] fd=7
smtpd[21205]: setup_peer: pony express -> queue[21206] fd=8
smtpd[21205]: setup_proc: pony express done
smtpd[21201]: setup_done: pony[21205] done
smtpd[21206]: setup_peer: queue -> scheduler[21207] fd=8
smtpd[21206]: setup_proc: queue done
smtpd[21201]: setup_done: queue[21206] done
systemd[1]: opensmtpd.service: Unit entered failed state.
smtpd[21207]: setup_proc: scheduler done
systemd[1]: opensmtpd.service: Failed with result 'exit-code'.
smtpd[21207]: debug: bounce warning after 4h
smtpd[21201]: setup_done: scheduler[21207] done
smtpd[21201]: smtpd: setup done
smtpd[21205]: pony express: smtpd: bind: Cannot assign requested address
smtpd[21201]: debug: parent_send_config_ruleset: reloading
smtpd[21201]: debug: parent_send_config: configuring pony process
smtpd[21201]: debug: parent_send_config: configuring ca process
smtpd[21202]: debug: init private ssl-tree
smtpd[21203]: debug: control -> pony express: pipe closed
smtpd[21203]: debug: control agent exiting
smtpd[21206]: debug: queue -> pony express: pipe closed
smtpd[21207]: debug: scheduler -> control: pipe closed
smtpd[21207]: debug: scheduler agent exiting
smtpd[21202]: debug: ca -> control: pipe closed
smtpd[21202]: debug: ca agent exiting
smtpd[21206]: debug: queue agent exiting
smtpd[21201]: warn: parent -> pony: imsg_read: Connection reset by peer
smtpd[21201]: smtpd: exiting: Connection reset by peer
smtpd[21204]: debug: lka -> control: pipe closed
smtpd[21204]: debug: lookup agent exiting

Linux 4.12.13-200.fc25.x86_64

--
Kevin


--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



warn: unable to load CA file /etc/ssl/cert.pem: No such file or directory

2017-09-24 Thread Kevin

Hi, Relaying is working but I see the following in my logs:

warn: unable to load CA file /etc/ssl/cert.pem: No such file or directory
smtp-out: Server certificate verification failed on session [...]

I'm running on Fedora 26 and the CA certs file is located in 
/etc/pki/tls/cert.pem. I reconfigured and recompiled with the correct path:


# systemctl stop opensmtpd
# cd /usr/local/src/opensmtpd-201702130941p1/
# ./configure --with-path-CAfile=/etc/pki/tls/cert.pem
# grep -r /etc/pki/tls/cert.pem *
config.log:  $ ./configure --with-path-CAfile=/etc/pki/tls/cert.pem
config.log:CA_FILE='/etc/pki/tls/cert.pem'
config.status:ac_cs_config="'--with-path-CAfile=/etc/pki/tls/cert.pem'"
config.status:  set X /bin/sh './configure' 
'--with-path-CAfile=/etc/pki/tls/cert.pem' $ac_configure_extra_args 
--no-create --no-recursion

config.status:S["CA_FILE"]="/etc/pki/tls/cert.pem"
contrib/libexec/encrypt/Makefile:CA_FILE = /etc/pki/tls/cert.pem
contrib/libexec/Makefile:CA_FILE = /etc/pki/tls/cert.pem
contrib/libexec/mail.local/Makefile:CA_FILE = /etc/pki/tls/cert.pem
contrib/Makefile:CA_FILE = /etc/pki/tls/cert.pem
Makefile:CA_FILE = /etc/pki/tls/cert.pem
mk/smtpctl/Makefile:CA_FILE = /etc/pki/tls/cert.pem
mk/smtpd/Makefile:CA_FILE = /etc/pki/tls/cert.pem
mk/Makefile:CA_FILE = /etc/pki/tls/cert.pem
openbsd-compat/Makefile:CA_FILE = /etc/pki/tls/cert.pem
# make
# sudo make install
# systemctl start opensmtpd

However, the problem reoccurs with a new mail.

I can workaround it with a symlink:

# ln -s /etc/pki/tls/cert.pem /etc/ssl/cert.pem

smtp-out: Server certificate verification succeeded on session [...]

But I thought it was worth reporting to check if I'm doing something 
wrong or there's a bug.


--
Kevin





Re: How do I only allow relay for authenticated users?

2017-09-24 Thread Kevin

Hi,

On 09/24/2017 12:12 PM, Bruno Pagani wrote:

Hi,

Le 24/09/2017 à 20:48, Kevin a écrit :

My question is: how do I only allow relay for authenticated users?

#accept from any for any relay via tls+auth://la...@smtp.sendgrid.net
auth 

Just `accept from local` instead of `from any` in the line I’ve left
above, and it should work the way you want. ;)


Ah! I see now in the man page: "Any remote sender that passed SMTPAUTH 
is treated as if it was the server's local user that was sending the 
mail. This means that filter rules using from local will be matched."


Thank you.

--
Kevin





How do I only allow relay for authenticated users?

2017-09-24 Thread Kevin
Hi, I just started with OpenSMTPD and I was able to get it up and 
running (with Dovecot) in just one day. It's a real pleasure to use and 
configure, so thank you!


My question is: how do I only allow relay for authenticated users? Below 
is my current configuration largely based on the example1 from the FAQ. 
I'm running from source with opensmtpd-201702130941p1.


table aliases file:/etc/mail/aliases
table domains file:/etc/mail/domains
table passwd passwd:/etc/mail/passwd
table users file:/etc/mail/users
table secrets file:/etc/mail/secrets

pki ${cubevar_app_email_host} certificate 
"/etc/letsencrypt/live/${cubevar_app_email_host}/fullchain.pem"
pki ${cubevar_app_email_host} key 
"/etc/letsencrypt/live/${cubevar_app_email_host}/privkey.pem"


listen on eth0 inet4 port  25 tls pki ${cubevar_app_email_host} 
auth-optional 
listen on eth0 inet4 port 465 tls-require pki ${cubevar_app_email_host} 
auth 
listen on eth0 inet4 port 587 tls-require pki ${cubevar_app_email_host} 
auth 


accept from local for local alias  deliver to lmtp 
"/run/dovecot/lmtp" rcpt-to
accept from any for domain  virtual  deliver to lmtp 
"/run/dovecot/lmtp" rcpt-to
#accept from any for any relay via tls+auth://la...@smtp.sendgrid.net 
auth 


If I understand the above correctly, somebody could connect to port 25, 
not authenticate, but still send an email which would relay to sendgrid. 
However, I don't want to enforce authentication on 25 because then I 
can't receive email for my domains as an MX server.


--
Kevin





Re: please share your configuration files with us

2017-08-12 Thread Kevin Chadwick
I sent my elansys one direct, should I have posted it to the list?


Re: Password encryption

2017-08-07 Thread Kevin Chadwick
On Sun, 6 Aug 2017 14:32:16 +0200


> The next question would be ...why does it work for other ppl?

I use system accounts and some scripts but if you need a database then
I can't help. It's not actually that difficult once you work it out to
sync system pwd.db files actually and you get the OpenBSD login system
too. Not that I have done this but I did used to create small pwd.db
files inside web chroots. I've removed the need to now though. 




Re: Debugging MySQL backend

2016-03-01 Thread Kevin Lemonnier
> can you run with -T tables -T lookup ?

Here is the output with this :

lookup: check "ipv6:::1" as NETADDR in table static: -> found
lookup: check "domain.tld" as DOMAIN in table proc:vdomains -> found
lookup: lookup "t...@domain.tld" as ALIAS in table proc:vusers -> 
"t...@domain.tld"
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
lookup: check "local" as NETADDR in table static: -> found
lookup: check "domain.tld" as DOMAIN in table proc:vdomains -> found
lookup: lookup "t...@domain.tld" as ALIAS in table proc:vusers -> 
"t...@domain.tld"
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
lookup: check "local" as NETADDR in table static: -> found
lookup: check "domain.tld" as DOMAIN in table proc:vdomains -> found
lookup: lookup "t...@domain.tld" as ALIAS in table proc:vusers -> 
"t...@domain.tld"
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
lookup: check "local" as NETADDR in table static: -> found
lookup: check "domain.tld" as DOMAIN in table proc:vdomains -> found
lookup: lookup "t...@domain.tld" as ALIAS in table proc:vusers -> 
"t...@domain.tld"
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
lookup: check "local" as NETADDR in table static: -> found
lookup: check "domain.tld" as DOMAIN in table proc:vdomains -> found
lookup: lookup "t...@domain.tld" as ALIAS in table proc:vusers -> 
"t...@domain.tld"
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
lookup: check "local" as NETADDR in table static: -> found
lookup: check "domain.tld" as DOMAIN in table proc:vdomains -> found
lookup: lookup "t...@domain.tld" as ALIAS in table proc:vusers -> 
"t...@domain.tld"
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
lookup: check "local" as NETADDR in table static: -> found
lookup: check "domain.tld" as DOMAIN in table proc:vdomains -> found
lookup: lookup "t...@domain.tld" as ALIAS in table proc:vusers -> 
"t...@domain.tld"
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
lookup: check "local" as NETADDR in table static: -> found
lookup: check "domain.tld" as DOMAIN in table proc:vdomains -> found
lookup: lookup "t...@domain.tld" as ALIAS in table proc:vusers -> 
"t...@domain.tld"
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
lookup: check "local" as NETADDR in table static: -> found
lookup: check "domain.tld" as DOMAIN in table proc:vdomains -> found
lookup: lookup "t...@domain.tld" as ALIAS in table proc:vusers -> 
"t...@domain.tld"
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
lookup: check "local" as NETADDR in table static: -> found
lookup: check "domain.tld" as DOMAIN in table proc:vdomains -> found
lookup: lookup "t...@domain.tld" as ALIAS in table proc:vusers -> 
"t...@domain.tld"
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
smtp-in: session 420e7f864e710497: received invalid command: "RCPT TO: 
<t...@domain.tld>"


Thanks for the help,

Kevin Lemonnier




Debugging MySQL backend

2016-02-29 Thread Kevin Lemonnier
Hi,

I've been using opensmtpd for a few weeks for my personal e-mails, and
it's been working well. At work we usually install postfix +
postfixadmin + dovecot for our clients, but I've decided to try and
replace postfix with opensmtpd. I am also trying to replace postfixadmin
with vimbadmin, but that shouldn't really be relevant to my problem.

With my current setup, I get a 550 invalid recipient when I try to send
an e-mail to an existing account on the server, and I can't figure out a
way to debug the MySQL backend. Here are the configurations :

cat /etc/smtpd-mysql.conf

host		localhost
username	user
password	pass
database	vimbadmin

# Alias lookup query
#
# rows   >= 0
# fields == 1 (user varchar)
#
query_alias		SELECT goto AS user FROM alias WHERE address =? AND
active = '1';

# Domain lookup query
#
# rows   == 1
# fields == 1 (domain varchar)
#
query_domain		SELECT domain FROM domain WHERE domain =? AND
backupmx = '0' AND active = '1';

# User lookup query
#
# rows   == 1
# fields == 3 (uid int, gid int, directory varchar)
#
query_userinfo		SELECT uid, gid, homedir FROM mailbox WHERE
username =? AND active = '1';

# Credentials lookup query
#
# rows   == 1
# fields == 2 (username varchar, password varchar)
#
query_credentials	SELECT username, password FROM mailbox WHERE
username =? AND active = '1';



cat /etc/smtpd.conf

listen on localhost

table vusers mysql:/etc/smtpd-mysql.conf
table vdomains mysql:/etc/smtpd-mysql.conf
table aliases mysql:/etc/smtpd-mysql.conf

accept from any for domain  virtual  deliver to mda
"/usr/lib/dovecot/dovecot-lda -f %{sender} -d %{dest}"
accept from local for any relay


I have changed the SQL queries according to the database, but even when
I enable the global MySQL logs, I don't get the queries logged (only the
prepare queries when I start smtpd). So I have no idea what queries
opensmtpd is actually sending (or what results it gets), and when I run
it in debug mode I don't get much information:

smtp-in: session 193a8b1376aabfb1: connection from host localhost
[IPv6:::1] established
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
debug: aliases_virtual_get: 't...@domain.tld' resolved to 1 nodes
smtp-in: session 193a8b1376aabfb1: received invalid command: "RCPT TO:
<t...@domain.tld>"

I'm guessing the results aren't formatted like opensmtpd is expecting
them (since it's more targeted at dovecot and postfix), but I can't
figure out what is wrong.
Thanks!

Regards,
Kevin Lemonnier




Re: latest OpenSSL causes OpenSMTPD to segv

2016-02-02 Thread Kevin Chadwick
> This impact all users who upgrade to OpenSSL 1.0.2f and will cause smtpd
> to crash as soon as the RSA engine is used (ie: whenever there's crypto)
> 
> A quick workaround is to not upgrade to 1.0.2f yet and maybe ask OpenSSL
> why a "patchlevel" release contains more than patches.
> 
> Meanwhile, we're investigating how we're going to unfuck this.

Does this affect other projects? I am simply wondering what the odds
are of this being hostility or stupidity?

-- 

KISSIS - Keep It Simple So It's Securable




Re: Slight correction on Does anyone else have an issue establishing a starttls to this host.

2015-04-09 Thread Kevin Chadwick
On Wed, 08 Apr 2015 19:55:52 -0700
Seth wrote:

> > Also, whether this hangs
> >
> > /usr/bin/openssl s_client -connect mx5.demon.co.uk:25 -starttls smtp
> > -CAfile /etc/ssl/cert.pem
>
> I ran the command above on an OpenBSD 5.6-release host and it stopped
> responding at the 250 8BITMIME line at the bottom.

Hmm, now I am puzzled as that is what should happen. You don't
have /usr/bin/openssl and /usr/sbin/openssl installed do you? I guess
you ran the same as above but /usr/sbin on 5.6 as it has moved
to /usr/bin/ on 5.7

Also have you applied the ssl patches from
www.openbsd.org/errata56.html or by using mtiers openup tool (no
building). Particularly 005 that disables sslv3?

On my 5.6 box it stops at CONNECTED and the traffic shows client hello
like for OpenSMTPD (well actually a certificate receipt can be seen in
the encrypted traffic but not much more).

-debug shows it ending with SPACES/NULLS

Thanks




Should I add tls enforcement to issue 502

2015-04-09 Thread Kevin Chadwick
For a minute I thought the following was possible that my old server
couldn't do. I know gpg is the solution but getting people to use it
can sometimes be easy and sometimes impossible and so there are times
when you are on the border of what you are comfortable sending in plain
text.

accept tagged DKIM for any recipient tlsrequired relay tls
accept tagged DKIM for any recipient ca-tlsrequired relay verify
accept tagged DKIM for any relay

Is there a way of doing this already and/or is it worth adding to a new
issue or to the existing.

https://github.com/OpenSMTPD/OpenSMTPD/issues/502

OpenSMTPd should accept alias rules in relay declarations #502.


There is a DANE issue already, so maybe it's not necessary?




Re: Slight correction on Does anyone else have an issue establishing a starttls to this host.

2015-04-09 Thread Kevin Chadwick
On Thu, 09 Apr 2015 09:54:17 -0700
Seth wrote:

> > On my 5.6 box it stops at CONNECTED and the traffic shows client hello
> > like for OpenSMTPD (well actually a certificate receipt can be seen in
> > the encrypted traffic but not much more).
>
> Only thing I can think of is that you're running a different version of
> LibreSSL. I can also try the command from a FreeBSD host if that's of any
> value.

I lowered my MTU to 1492 from 1500 and now it works fine.

When I upgraded my connection to fibre I set the link to an MTU of
1508. I think I may have noticed that the ppp link didn't accept that
though or I've missed an MTU on a firewall and removed the max-mss. So
it seems demon.co.uk can't handle fragmentation and neither does Yahoo
which I thought was a separate issue as it was switching between a
reputation message and unexpected termination.

Thanks Seth for all the help and testing libressl, getting me to finally
look at my own network and sorry for the noise everyone.





Re: Slight correction on Does anyone else have an issue establishing a starttls to this host.

2015-04-08 Thread Kevin Chadwick
On Wed, 08 Apr 2015 13:27:48 -0700
Seth wrote:

> Do you have a test email address we can try sending something to which
> uses that server?

Sent privately 

Also, whether this hangs

/usr/bin/openssl s_client -connect mx5.demon.co.uk:25 -starttls smtp
-CAfile /etc/ssl/cert.pem

> Starttls.info gives it a crappy score BTW
>
> Protocol
> Supports SSLV2. More info.
> Supports SSLV3.

That probably explains a lot and makes me feel better too, Thanks




Slight correction on Does anyone else have an issue establishing a starttls to this host.

2015-04-08 Thread Kevin Chadwick
http://marc.info/?l=openbsd-misc&m=142842356024311&w=2

When I looked at the actual traffic it appeared that it gets one step
further and the connection actually stops at OpenSMTPD sending a client
hello via STARTTLS with no further response from the other side.

If someone can say it happens to them too but not to any/many other
hosts then I'd be glad to chalk it down to a bad implementation on their
side? I haven't found any others like this yet.




Re: Case sensitivity in automatic folder filtering by tag

2015-03-30 Thread Kevin Chadwick
On Sat, 28 Mar 2015 08:55:24 -0700
Seth wrote:

> > If the filesystem supports case sensitivity then I can understand users
> > expecting the current behaviour but it doesn't seem practical to me and
> > I couldn't see a format specifier to lowercase deliveries to Maildir
> > expanding to just TAG.
> >
> > When someone sends to a tag user+...@users.org and there is an existing
> > folder Tag then it works great and I really love it, however I am sure
> > I cannot always trust senders to keep the case correct.
> >
> > Am I missing a configuration tweak?
>
> I use the lowercase delivery option to address this issue.
>
> accept from blah blah blah deliver to maildir
> /var/vmaildir/%{dest.domain:lowercase}/%{dest.user:lowercase|strip}/mail/

I was using %{user.username:lowercase} which seems to deliver to the
exact same place as %{dest.user:lowercase|strip}

As far as I can tell so far, this has no bearing on lower casing the
TAG? (portion after the + and before the @).

%{rcpt:lowercase} could work but would break my dovecot config that
relies on the username and would create uglier directories too.

I guess there isn't a tweak currently and so should decide if I have
time for a patch, the filter api or simply traditional client filtering
as I had to use with qmail anyway.




Re: Case sensitivity in automatic folder filtering by tag

2015-03-30 Thread Kevin Chadwick
On Sat, 28 Mar 2015 08:55:24 -0700
Seth wrote:

> > > If the filesystem supports case sensitivity then I can understand users
> > > expecting the current behaviour but it doesn't seem practical to me and
> > > I couldn't see a format specifier to lowercase deliveries to Maildir
> > > expanding to just TAG.
> > >
> > > When someone sends to a tag user+...@users.org and there is an existing
> > > folder Tag then it works great and I really love it, however I am sure
> > > I cannot always trust senders to keep the case correct.
> > >
> > > Am I missing a configuration tweak?
> >
> > I use the lowercase delivery option to address this issue.
> >
> > accept from blah blah blah deliver to maildir
> > /var/vmaildir/%{dest.domain:lowercase}/%{dest.user:lowercase|strip}/mail/
>
> As far as I can tell so far, this has no bearing on lower casing the
> TAG? (portion after the + and before the @).

Doh! When I did that test I was editing the from any rule and sending
from local. I thought it was strange that it did the same thing.

So... Ace, this feature can work this way but you need a dot in
front of the folder for IMAP client compatibility and I'll have to find
a way to automatically check for new folders regularly or on client
startup.

/%{user.username}/.%{dest.user:lowercase}

Still trying to decide if it's worse but leaning to actually better?
than a patch or filter which only delivers if the directory already
exists (still creates both) and may save me the time I haven't got,

Thanks.




potential makemap man page improvements

2015-03-14 Thread Kevin Chadwick
Assuming it's correct I wonder if something along the lines of the
following would improve the makemap man page virtual domains section.
I tried a few different things to get majordomo and the power
of virtual domains working, including a second deliver to mda before
noticing the 'extension' keyword. Admittedly I should have realised but
sometimes your concentration can run thin. Virtual domains being a
complete map is also mentioned on the github wiki but I am not sure it
is in the man pages yet?

Virtual domains represent a complete map of accepted addresses,
resulting in a ``550 Invalid Recipient'' message being returned for any
non-existing mapping. As an extension to aliases(5), everything that can
be done with aliases(5), including piping to commands, can also be done
with virtual domains. The flexibility of virtual domains means that
only a single accept rule within smtpd.conf(5) may match per domain.


--- /usr/share/man/man8/makemap.8   Mon Jan 19 02:54:26 2015
+++ /tmp/man/man8/makemap.8 Sat Mar 14 15:58:41 2015
@@ -108,6 +108,20 @@
 .Xr smtpd 8
 will perform the lookups in that specific order.
 .Pp
+Virtual domains represent a complete map of accepted addresses
+resulting in a 
+.Dq 550 Invalid Recipient
+message being returned for any non existing mapping. As an
+extension to 
+.Xr aliases 5 
+everything that can be done with 
+.Xr aliases 5
+including piping to commands can also be done with virtual 
+domains. The flexibility of virtual domains means that only a 
+single accept rule within
+.Xr smtpd.conf 5 
+may match per domain.
+.Pp
 To create single virtual address, add
 .Dq u...@example.com user
 to the users map.
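Review bot: the added block after the first `.Pp` puts more than one sentence on a line (`message being returned for any non existing mapping. As an`, `domains. The flexibility of virtual domains means that only a`), whereas mdoc(7) expects each sentence to start on its own line; several added lines also carry trailing whitespace (`resulting in a `, `extension to `, `.Xr aliases 5 `). Suggest reflowing to one sentence per line and trimming the trailing spaces, and, since the cover text says the wording is only assumed correct, confirming with the maintainers that only a single accept rule may match per domain before this lands.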




recipients and greyscanner

2014-08-11 Thread Kevin Chadwick
I may have come across some information about rewriting envelopes but I
am struggling to find it right now.

With OpenSMTPD you can use bob+compa...@bobs.com, which is great.

My existing server however already uses bob-compa...@bobs.com and on
that system I can specify the character after which the rest is
forgotten but many addresses are already in use with a - character.

Is it possible to change the character to a minus or rewrite the
envelope or better still use the same program I use with greyscanner
for spamd with a recipient as an argument and so returning 1 or 0 for
recipients in smtpd.conf (greyscanner_checkrcpt.pl etc.)?

Thanks,
Kc

-- 
___

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)

In Other Words - Don't design like polkit or systemd

___




Can smtps replace starttls and is there any point

2014-08-08 Thread Kevin Chadwick
I am not talking about submission which I guess is what the smtps
option is for and I know GPG is the best method and I also know that
spamd causes plain text transmissions.

With STARTTLS I believe there is a clear text race where an attacker can
create a response stating STARTTLS is unsupported resulting in
cleartext transmission which I believe would not be the case for smtps.

So is there any point in using secure? I guess both can't be run on
port 25 and I guess no-one would use SMTPS if it was running on port
25 but thought I would ask if anyone knew of an RFC of SMTPS on another
port or replacing STARTTLS or any other tips about this.

Thanks,
Kc

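As an added illustration of the STARTTLS-stripping point raised in the post above (example code written here, not code from the thread or from OpenSMTPD), the sketch below models how a client's EHLO handling decides whether a removed STARTTLS line costs confidentiality or only delivery, and why an implicit-TLS (smtps) session has no clear-text advertisement to tamper with. The EHLO replies and host names are constructed samples.

```python
import re

# Constructed sample EHLO replies (not captured from any real host).
EHLO_WITH_STARTTLS = (
    "250-mx.example.test Hello client.example.test\r\n"
    "250-SIZE 36700160\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
# Same reply with the capability line removed: all an on-path party has to
# do for an opportunistic client to stay in clear text.
EHLO_STRIPPED = EHLO_WITH_STARTTLS.replace("250-STARTTLS\r\n", "")


def parse_ehlo(reply: str) -> set[str]:
    # Extension keywords advertised in a multi-line EHLO reply. The first
    # 250 line is the greeting, not a capability; stop at the final '250 '.
    caps: set[str] = set()
    for i, line in enumerate(reply.split("\r\n")):
        m = re.match(r"^250([ -])(.*)$", line)
        if not m:
            continue
        if i > 0:
            caps.add(m.group(2).split(" ", 1)[0].upper())
        if m.group(1) == " ":
            break
    return caps


def next_step(reply: str, require_tls: bool) -> str:
    # require_tls=False is the opportunistic behaviour the post worries
    # about; require_tls=True fails closed, so a stripped advertisement
    # costs delivery rather than secrecy.
    if "STARTTLS" in parse_ehlo(reply):
        return "send STARTTLS"
    if require_tls:
        return "abort: TLS required but not offered"
    return "continue in plaintext"


def exposes_plaintext(mode: str, reply: str = "", require_tls: bool = False) -> bool:
    # smtps (implicit TLS) runs the handshake before any SMTP dialogue, so
    # there is no clear-text EHLO reply to tamper with; starttls depends on
    # the reply actually received and on the client's policy.
    if mode == "smtps":
        return False
    if mode != "starttls":
        raise ValueError("mode must be 'smtps' or 'starttls'")
    return next_step(reply, require_tls) == "continue in plaintext"
```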




Re: [Bulk] Xombrero and the presentation link

2014-08-07 Thread Kevin Chadwick
previously on this list Kevin Chadwick contributed:

> when trying to view the presentation with xombrero I enabled
> javascript but the controls do not appear and using the url bar is
> a bit cumbersome.

Print works well though; printing the whole presentation as a pdf.





slide 34 resolver not chrooted

2014-08-07 Thread Kevin Chadwick

If the only nameserver entry in /etc/resolv.conf is, say, 127.0.0.1 or
localhost, such as when using unbound, couldn't OpenSMTPD's resolver read
that line and chroot without issues like dhcp changes?





Re: slide 34 resolver not chrooted

2014-08-07 Thread Kevin Chadwick
On Thu, 7 Aug 2014 19:39:28 +0200
Alexander Schrijver wrote:

> > Yeah I'm not sure whether it is worth the effort but I was thinking if
> > a user has set a localhost as the nameserver then can we be very close
> > to certain that they are not going to change the resolv.conf?
>
> Having two DNS resolvers behave completely different because they're using
> different configuration data seems confusing and dangerous to me.

In the localhost case? Changing your DNS randomly on a mail server
seems confusing and dangerous to me. As a client well shouldn't you be
using crypto/submission and not trusting DNS in any way?

All I am wondering is how many use base unbound or a static setup
with opensmtpd and if there should at least be a knob to turn chroot
on/off?




Re: slide 34 resolver not chrooted

2014-08-07 Thread Kevin Chadwick
On Thu, 7 Aug 2014 20:41:39 +0200
Gilles Chehade wrote:

> Nope there's currently no way to turn chrooting for the lookup process.
> It's not really a resolver thing, we could have the resolver code in a
> chroot with some refactoring, but we need a process that does not run
> chrooted for other lookup purposes and it's more convenient to have the
> resolver code handled by the process.

Fair enough and thanks for replying. I expected that there was probably
more to it and it had already been considered and possibly discussed
too much already.
