Re: Fwd: 553 ORCPT address syntax error on OpenBSD 6.7

2020-07-29 Thread Larkin Nickle

On 2020-07-29 02:54, Martijn van Duren wrote:

I was talking about the mails we exchanged in private.

On Wed, 2020-07-29 at 02:51 -0400, Larkin Nickle wrote:

I did obtain consent before sending here but didn't mention it.

Oh right, I'm sorry about that. I was under the impression I just 
started a chain out of the mailing list by hitting the wrong reply 
button somewhere and we just kept going out-of-list by mistake. You're 
right, I should've asked.

Re: Fwd: 553 ORCPT address syntax error on OpenBSD 6.7

2020-07-29 Thread Larkin Nickle

I did obtain consent before sending here but didn't mention it.

Re: how to ignore TLS1.3 for test purposes?

2020-07-28 Thread Larkin Nickle

On 2020-07-28 02:56, Harald Dunkel wrote:

Hi folks,

there seems to be a compatibility issue between opensmtpd on
OpenBSD 6.7 and exim4 on Debian's bugtracker, see

Most recent syspatches are applied, of course. I cannot reproduce
this problem with opensmtpd 6.7.1-p1 on Debian.

How can I tell opensmtpd on OpenBSD to ignore TLS1.3 and to use
TLS1.2 only, just for test purposes? TLS1.3 in libressl appears
to be brand new. Maybe its buggy.

Every helpful hint is highly appreciated

Looking at smtpd.conf(5), you should be able to put `smtp ciphers 
control` (control being the control string of allowed ciphers). The 
default is "HIGH:!aNULL:!MD5". I think "HIGH:!aNULL:!MD5!TLSv1.3" should 
be valid in removing TLSv1.3 as far as I can tell according to 
SSL_CTX_set_cipher_list(3). I haven't actually tested this however, but 
this might be a useful starting point.

Re: Fwd: 553 ORCPT address syntax error on OpenBSD 6.7

2020-07-28 Thread Larkin Nickle

On 2020-07-28 06:02, Martijn van Duren wrote:

On Tue, 2020-07-28 at 05:37 -0400, Larkin Nickle wrote:

Doing a little more searching on "ORCPT :1:1" shows me the following
All complaining about that postfix.

This looks more and more like a misfeature from groupwise. So unless
there is some solid evidence that this is actually allowed I'd tell
your colleague to either turn of this misfeature or change software.
Or my personal favourite: If I can't receive your mails because you
violate the protocol I can't handle any requests in those mails.

It doesn't actually seem like DSN is enabled as there's no "NOTIFY=" in
the SMTP command either (in the last link they said turning off DSN
server-side fixed things). GroupWise is a major email server software,
if this is actually the issue I wonder if it would be better to just
work around it (esp. since others seem to).

Just because it's major doesn't mean it does the correct thing, just
because others don't seem to trip over it doesn't mean it's wise to
deviate from the spec.

Personally I'm not inclined to change this check for (imho) the worst,
but I'm not the lead developer on this project. So if you want it
changed you can write a diff around the smtp_session.c code I pointed
to in my previous mail with a detailed explination on how this
improves the situation, how this header attribute is/can be used down
the line and how this may or may not negatively impact that downstream.
Even better would be if you can point to the part of the specifications
that allow for this behaviour.

It's quite a bit of work and it might still not be accepted. I'm
unlikely to commit it unless you can show me I'm wrong in my previous
assessment, but I won't object if you can show us it's not detrimental.

Hope this helps.

He got this reply from Micro Focus upon asking them about it:

I was able to find a defect that matched this issue back in 2009 for 
GroupWise version 8.

The defect specifically mentions that we are following the RFC as directed:

The :1:1 is essential to GroupWise status tracking.
The numbers represent the host and user numbers for the creating a 
GroupWise internal status message.

According to the RFC, the format of the ORCPT is ;xtext
We use RFC822 for the address type and we use xtext to contain the 
information that we need, which is


xtext is defined (see as any ASCII 
characters between "!" and "~" excluding "+" and "="

If this were not the case, we would be seeing tons of undeliverables, 
but we are not. GroupWise 18.2.1 was released on March 4th of this year 
and this is the first case we have dealing with undeliverables because 
of the RFC standard.


So according to them it should actually be okay and OpenSMTPD is wrong 
here. (check 4. Additional parameters for RCPT and MAIL commands for 

Fwd: 553 ORCPT address syntax error on OpenBSD 6.7

2020-07-27 Thread Larkin Nickle
Someone from a corporation that uses GroupWise for email is unable to 
get their mail to deliver to my server running OpenBSD. In the log, I see:

Jul 27 22:10:39 hostname smtpd[34369]: de587a23456fe10c smtp 
failed-command command="RCPT TO: 
ORCPT=rfc822;" result="553 ORCPT address 
syntax error"

My best guess is that GroupWise is maybe appending :1:1 to the end of 
the address and this is what is tripping this syntax error. They are 
able to successfully send mail to me on Google Mail, Outlook, etc. mail