filter-dkims support for multiple domains

2020-08-30 Thread Martijn van Duren
Hello,

I've always said that I would not add support for multiple domains in
filter-dkimsign until someone could point me to a good reason to do so.
Recently this was done by Maarten de Vries who pointed out to me that
there is such a requirement in DMARC (RFC7489 section 3.1) stating that
the DKIM signature must be aligned with the From-header.
Unfortunately the From-header is a mailbox-list; I decided to only use
the first mailbox in the list, which should cover most use cases.

As expected, this diff is more intrusive than I would've liked, but
works so far in my testing. It works by using a single selector and
trying to do a strict match on domain first, falling back to a relaxed
match if none is found and ultimately going for the first domain in the
list.

I would like to ask everyone who wants this feature to test this and
report back to me. I plan to create a new release in a week or 2 turning
it into a less voluntary test. :-)

Source-code can be found here (svn):
http://imperialat.at/dev/filter-dkimsign/
This is still OpenBSD only, but Maarten can probably supply people with
an arch-compatible version.

martijn@
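
An added example of the selection order described in this post (my illustration, not code from filter-dkimsign): it takes the first mailbox of the From header, tries a strict match against the configured domains, falls back to a relaxed match, and otherwise uses the first domain. The domain list and From headers are constructed, and relaxed alignment is approximated as a subdomain match rather than the organizational-domain comparison RFC 7489 actually specifies.

```c
/* Added example, not filter-dkimsign's code: pick the DKIM signing domain
 * for DMARC alignment (RFC 7489 s.3.1) in the order the post describes:
 * first mailbox of the From header, strict (exact) domain match first,
 * then a relaxed match, and finally the first configured domain. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Copy the domain of the first mailbox in a From: mailbox-list into dom.
 * Simplifying assumption: the first mailbox ends at the first ',' and the
 * domain runs from '@' up to '>', whitespace or ')'. Returns 0 if no '@'. */
static int
from_first_domain(const char *from, char *dom, size_t domsz)
{
	const char *end, *at, *p;
	size_t n;

	end = strchr(from, ',');
	if (end == NULL)
		end = from + strlen(from);
	at = memchr(from, '@', (size_t)(end - from));
	if (at == NULL)
		return 0;
	for (p = at + 1; p < end; p++)
		if (*p == '>' || *p == ' ' || *p == '\t' || *p == ')')
			break;
	n = (size_t)(p - (at + 1));
	if (n == 0 || n >= domsz)
		return 0;
	memcpy(dom, at + 1, n);
	dom[n] = '\0';
	return 1;
}

/* Relaxed alignment, approximated: fromdom equals cand or is a subdomain
 * of it. (Assumption; RFC 7489 compares organizational domains instead.) */
static int
relaxed_match(const char *fromdom, const char *cand)
{
	size_t fl = strlen(fromdom), cl = strlen(cand);

	if (fl < cl || strcasecmp(fromdom + (fl - cl), cand) != 0)
		return 0;
	return fl == cl || fromdom[fl - cl - 1] == '.';
}

/* Index into doms[] of the domain whose key should sign the message;
 * -1 only when no domains are configured at all. */
int
choose_signing_domain(const char *from, const char *const *doms, int ndoms)
{
	char fromdom[256];
	int i;

	if (ndoms <= 0)
		return -1;
	if (!from_first_domain(from, fromdom, sizeof(fromdom)))
		return 0;		/* no usable From domain: first in list */
	for (i = 0; i < ndoms; i++)
		if (strcasecmp(fromdom, doms[i]) == 0)
			return i;	/* strict alignment */
	for (i = 0; i < ndoms; i++)
		if (relaxed_match(fromdom, doms[i]))
			return i;	/* relaxed alignment */
	return 0;			/* ultimate fallback: first domain */
}

/* Constructed domain list standing in for the filter's configuration. */
static const char *const demo_domains[] = { "example.com", "example.org" };

int
demo_choose(const char *from)
{
	return choose_signing_domain(from, demo_domains, 2);
}

int
main(void)
{
	const char *froms[] = {
		"Alice <alice@example.org>, Bob <bob@example.com>",
		"bob@mail.example.com",
		"someone@elsewhere.net",
	};
	size_t i;

	for (i = 0; i < sizeof(froms) / sizeof(froms[0]); i++)
		printf("%-50s -> %s\n", froms[i],
		    demo_domains[demo_choose(froms[i])]);
	return 0;
}
```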




Re: Usage example for filter-dnsbl

2020-08-17 Thread Martijn van Duren
I run filter-dnsbl as follow:

...
filter dnsbl proc-exec "filter-dnsbl -mv zen.spamhaus.org dnsbl.dronebl.org bl.spamcop.net"
...
listen on egress tls pki keys filter dnsbl
...

To be clear: filters in proc-exec choose their own "phase", so there's no
need for you to worry about that. The only thing you need to know is
which blacklists you want to use and on which listen socket they should
be executed (and optionally where in a filter-chain if you have
multiple).

martijn@

On Mon, 2020-08-17 at 11:23 +0200, Leo Unglaub wrote:
> Hey,
> i installed the filter "filter-dnsbl" from here 
> (http://imperialat.at/dev/filter-dnsbl/) and now i want to add it to my 
> config. However, i have to admit i have no idea how to do that? In what 
> "phase" should i put this filter? I looked around but i found a couple 
> of outdated blog posts on filters, but nothing current. I also read thru 
> here 
> (https://github.com/openbsd/src/blob/master/usr.sbin/smtpd/smtpd-filters.7), 
> but i found nothing.
> 
> If someone of you has a working example on how to use that filter, could 
> you please be so kind and send it to me?
> 
> Thanks so much and greetings
> Leo
> 




Re: Fwd: 553 ORCPT address syntax error on OpenBSD 6.7

2020-07-29 Thread Martijn van Duren
On Wed, 2020-07-29 at 02:57 -0400, Larkin Nickle wrote:
> On 2020-07-29 02:54, Martijn van Duren wrote:
> > I was talking about the mails we exchanged in private.
> > 
> > On Wed, 2020-07-29 at 02:51 -0400, Larkin Nickle wrote:
> > > I did obtain consent before sending here but didn't mention it.
> 
> Oh right, I'm sorry about that. I was under the impression I just 
> started a chain out of the mailing list by hitting the wrong reply 
> button somewhere and we just kept going out-of-list by mistake. You're 
> right, I should've asked.
> 
No harm done and apology accepted.




Re: Fwd: 553 ORCPT address syntax error on OpenBSD 6.7

2020-07-29 Thread Martijn van Duren
I was talking about the mails we exchanged in private.

On Wed, 2020-07-29 at 02:51 -0400, Larkin Nickle wrote:
> I did obtain consent before sending here but didn't mention it.




Re: Fwd: 553 ORCPT address syntax error on OpenBSD 6.7

2020-07-29 Thread Martijn van Duren
On Tue, 2020-07-28 at 22:05 -0400, Larkin Nickle wrote:
> On 2020-07-28 06:02, Martijn van Duren wrote:
> > On Tue, 2020-07-28 at 05:37 -0400, Larkin Nickle wrote:
> > > > Doing a little more searching on "ORCPT :1:1" shows me the following
> > > > links:
> > > > https://groups.google.com/forum/#!topic/mailing.postfix.users/a2wjRII3Q_Y
> > > > https://community.microfocus.com/t5/GroupWise-User-Discussions/550-5-7-1-Unable-to-relay-to-certain-provider/td-p/2302331?p=2287440
> > > > https://info-ims.arnold.narkive.com/GtKAJz28/off-topic-research-on-rcpt-to-s-orcpt-extension
> > > > All complaining about that postfix.
> > > > 
> > > > This looks more and more like a misfeature from groupwise. So unless
> > > > there is some solid evidence that this is actually allowed I'd tell
> > > > your colleague to either turn off this misfeature or change software.
> > > > Or my personal favourite: If I can't receive your mails because you
> > > > violate the protocol I can't handle any requests in those mails.
> > > > 
> > > 
> > > It doesn't actually seem like DSN is enabled as there's no "NOTIFY=" in
> > > the SMTP command either (in the last link they said turning off DSN
> > > server-side fixed things). GroupWise is a major email server software,
> > > if this is actually the issue I wonder if it would be better to just
> > > work around it (esp. since others seem to).
> > 
> > Just because it's major doesn't mean it does the correct thing, just
> > because others don't seem to trip over it doesn't mean it's wise to
> > deviate from the spec.
> > 
> > Personally I'm not inclined to change this check for (imho) the worst,
> > but I'm not the lead developer on this project. So if you want it
> > changed you can write a diff around the smtp_session.c code I pointed
> > to in my previous mail with a detailed explanation on how this
> > improves the situation, how this header attribute is/can be used down
> > the line and how this may or may not negatively impact that downstream.
> > Even better would be if you can point to the part of the specifications
> > that allow for this behaviour.
> > 
> > It's quite a bit of work and it might still not be accepted. I'm
> > unlikely to commit it unless you can show me I'm wrong in my previous
> > assessment, but I won't object if you can show us it's not detrimental.
> > 
> > Hope this helps.
> > 
> 
> He got this reply from Micro Focus upon asking them about it:
> 
> ```
> I was able to find a defect that matched this issue back in 2009 for 
> GroupWise version 8.
> 
> The defect specifically mentions that we are following the RFC as directed:
> 
> The :1:1 is essential to GroupWise status tracking.
> The numbers represent the host and user numbers for the creating a 
> GroupWise internal status message.
> 
> According to the RFC, the format of the ORCPT is ;xtext
> We use RFC822 for the address type and we use xtext to contain the 
> information that we need, which is
> groupwise-::
> 
> xtext is defined (see http://tools.ietf.org/html/rfc3461) as any ASCII 
> characters between "!" and "~" excluding "+" and "="
> 
> If this were not the case, we would be seeing tons of undeliverables, 
> but we are not. GroupWise 18.2.1 was released on March 4th of this year 
> and this is the first case we have dealing with undeliverables because 
> of the RFC standard.
> ```
> 
> So according to them it should actually be okay and OpenSMTPD is wrong 
> here. (check 4. Additional parameters for RCPT and MAIL commands for 
> example)
> 

While they are correct that the ABNF only prescribes xtext, they fail to
look at the text of the paragraph directly after it:

while the "xtext" portion contains an encoded representation of the
original recipient address using the rules in section 5 of this document.

and the paragraph after that opens with:

When initially submitting a message via SMTP, if the ORCPT parameter is
used, it MUST contain the same address as the RCPT TO address (unlike
the RCPT TO address, the ORCPT parameter will be encoded as xtext).

Now let's follow it to section 5.2.1 (final sentence):

(d) If any ORCPT parameter was present in the RCPT command for a
recipient when the message was received, an ORCPT parameter with the
identical original-recipient-address MUST appear in the RCPT command
issued for that recipient when relaying the message. (For example, the
MTA therefore MUST NOT change the case of any alphabetic characters in
an ORCPT parameter.) If no ORCPT parameter was p

Re: Fwd: 553 ORCPT address syntax error on OpenBSD 6.7

2020-07-28 Thread Martijn van Duren
On Mon, 2020-07-27 at 22:46 -0400, Larkin Nickle wrote:
> Someone from a corporation that uses GroupWise for email is unable to 
> get their mail to deliver to my server running OpenBSD. In the log, I see:
> 
> Jul 27 22:10:39 hostname smtpd[34369]: de587a23456fe10c smtp 
> failed-command command="RCPT TO: 
> ORCPT=rfc822;groupwise...@l..org:1:1" result="553 ORCPT address 
> syntax error"
> 
> My best guess is that GroupWise is maybe appending :1:1 to the end of 
> the address and this is what is tripping this syntax error. They are 
> able to successfully send mail to me on Google Mail, Outlook, etc. mail 
> accounts.
> 
I probably agree with you; from smtp_session.c:3213:
    } else if (ADVERTISE_EXT_DSN(tx->session) && strncasecmp(opt,
        "ORCPT=", 6) == 0) {
            opt += 6;

            if (strncasecmp(opt, "rfc822;", 7) == 0)
                    opt += 7;

            if (!text_to_mailaddr(&tx->evp.dsn_orcpt, opt) ||
                !valid_localpart(tx->evp.dsn_orcpt.user) ||
                !valid_domainpart(tx->evp.dsn_orcpt.domain)) {
                    smtp_reply(tx->session,
                        "553 ORCPT address syntax error");
                    return;
            }
    }
Where valid_domainpart uses res_hnok(), which only allows for:
'.', alpha, digit, '-', and '_' according to libc/net/res_comp.c.

According to RFC3461 section 4.2:
  orcpt-parameter = "ORCPT=" original-recipient-address
  original-recipient-address = addr-type ";" xtext

So addr-type here is rfc822, which is supported by smtpd. So the
address-part is in xtext, on which the RFC says the following:
while the "xtext" portion contains an encoded representation of the
original recipient address using the rules in section 5 of this
document.

I haven't read section 5 fully (don't have the time now) but I'm highly
doubtful that ":1:1" is a legitimate postfix on a domainname. You should
ask your colleague where this comes from and why this should be
accepted.

As for why google, outlook, etc support this: I don't know. I don't see
any value in it yet personally, so maybe they don't either and just
parse the value to see if it's valid xtext, without actually validating
that it's a valid mail address. Just taking a blind guess here.

martijn@
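
An added example (mine, not OpenSMTPD's code) making that distinction concrete: it splits an ORCPT parameter into addr-type and xtext per RFC 3461, decodes the xtext, and only then validates the decoded rfc822 address with a res_hnok-style domain check, so a parameter that is perfectly valid xtext can still be rejected as an address. The sample parameters, including the one modelled on the ":1:1" suffix in the log above, are constructed, and the local-part rule is a simplification of smtpd's.

```c
/* Added example, not OpenSMTPD's code: split an RFC 3461 ORCPT parameter into
 * addr-type ";" xtext, decode the xtext, then validate the decoded rfc822
 * address. Valid xtext does not make a valid address: ":1:1" decodes fine
 * but fails the domain check, which is what yields the 553 reply. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#define ORCPT_MAX 256
enum orcpt_status {
	ORCPT_OK = 0,
	ORCPT_BAD_ADDRTYPE,	/* addr-type is not "rfc822" */
	ORCPT_BAD_XTEXT,	/* byte outside '!'..'~', bare '=' or bad "+XX" */
	ORCPT_BAD_ADDRESS	/* decoded text is not local-part@domain */
};

static int
hexval(int c)	/* RFC 3461: "+XX" uses uppercase hex digits only */
{
	if (c >= '0' && c <= '9') return c - '0';
	if (c >= 'A' && c <= 'F') return c - 'A' + 10;
	return -1;
}

/* xtext (RFC 3461 s.4): printable ASCII '!'..'~' except '+' and '=';
 * any other octet is written as '+' followed by two uppercase hex digits. */
static int
xtext_decode(const char *in, char *out, size_t outsz)
{
	size_t o = 0;
	int c, hi, lo;
	for (; *in != '\0'; in++) {
		c = (unsigned char)*in;
		if (c == '+') {
			if ((hi = hexval(in[1])) < 0 || (lo = hexval(in[2])) < 0)
				return 0;
			c = hi * 16 + lo;
			in += 2;
		} else if (c < '!' || c > '~' || c == '=')
			return 0;
		if (o + 1 >= outsz)
			return 0;
		out[o++] = (char)c;
	}
	out[o] = '\0';
	return 1;
}

/* Local part: atext characters plus '.' (assumption modelled on smtpd's
 * valid_localpart; the exact set there may differ). */
static int
valid_localpart(const char *s)
{
	const char *p;
	for (p = s; *p != '\0'; p++)
		if (!isalnum((unsigned char)*p) &&
		    strchr("!#$%&'*+-/=?^_`{|}~.", *p) == NULL)
			return 0;
	return p != s;
}

/* Domain part: non-empty labels of alnum, '-' and '_' joined by '.', the
 * res_hnok()-style rule the thread cites. ':' is not in that set. */
static int
valid_domainpart(const char *s)
{
	int labellen = 0;
	for (; *s != '\0'; s++) {
		if (*s == '.') {
			if (labellen == 0)
				return 0;	/* empty label */
			labellen = 0;
		} else if (isalnum((unsigned char)*s) || *s == '-' || *s == '_')
			labellen++;
		else
			return 0;
	}
	return labellen > 0;
}

/* Parse "addr-type;xtext"; on ORCPT_OK user and dom hold the decoded parts. */
enum orcpt_status
orcpt_parse(const char *param, char *user, size_t usz, char *dom, size_t dsz)
{
	char addr[ORCPT_MAX], *at;
	if (strncasecmp(param, "rfc822;", 7) != 0)
		return ORCPT_BAD_ADDRTYPE;
	if (!xtext_decode(param + 7, addr, sizeof(addr)))
		return ORCPT_BAD_XTEXT;
	if ((at = strrchr(addr, '@')) == NULL)
		return ORCPT_BAD_ADDRESS;
	*at++ = '\0';
	if (!valid_localpart(addr) || !valid_domainpart(at))
		return ORCPT_BAD_ADDRESS;
	snprintf(user, usz, "%s", addr);
	snprintf(dom, dsz, "%s", at);
	return ORCPT_OK;
}
```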




Re: dmarc

2020-07-25 Thread Martijn van Duren
I'm not 100% sure what you mean, but let me give it a best effort.

On Sat, 2020-07-25 at 11:00 +0200, Peter J. Philipp wrote:
> Hi,
> 
> This is sorta a feature request.  A lot of people use dmarc to check for
> incoming mails.  Is there a way to turn off dmarc checking in the smtpd?
> This would be valuable for trusted sources such as mailing lists.

This reads as if you want to disable checking on the receiving end,
which is smtpd. This is not needed since smtpd has no support for
DMARC, SPF, or DKIM verification at this moment.
> 
> Let me give you an example.  I mail 1000 bytes to openbsd-misc and there is
> thousands of recipients on that mailing list.  When their software delivers
> to these thousands I get a DNS request (I'm predicting 40 bytes in the 
> question,
> and no less than 40 bytes in the answer * thousands) that's already a minimum
> of 80K bytes DNS traffic generated by a 1K byte mail.

If you're worried about those numbers I would stop hosting DNS yourself
and just put it at a company who can handle it.
> 
> It would be cool if OpenBSD could set a "X-DMARC-VERIFIED" header or something
> and based on a policy on every smtpd that receives this no dmarc dns request
> is caused.  This would make me very happy.

I'm not aware of this mail header, nor is google. Also this would make
your mail susceptible to a man in the middle disabling DMARC.

But if you want this header you should be able to do this quite easily
with a custom filter. The documentation is not installed by default, but
a draft is available in the smtpd sources: smtpd-filters.7.
> 
> Is this all technically possible?
> 
> Best Regards,
> -peter
> 
martijn@




Re: Filter trustee src bypass - syntax error

2020-04-28 Thread Martijn van Duren
In that case we'd need to know which version of OpenSMTPd you're running
and your full configuration. This was just an educated guess, but
without all the information it's impossible to help you.

On 4/28/20 11:07 AM, KJ (Klaas Jan) Schuurs wrote:
> Dear Martijn,
> 
> Thank you for your answer. I've corrected my table definition to:
> 
> table trustedip file:/etc/mail/trustedip
> 
> I'm still getting syntax error on the line with:
> filter trusted phase mail-from match src  bypass
> 
> 
> 
> KJ (Klaas Jan) Schuurs
> 
> 
> 
> Martijn van Duren schreef op 2020-04-28 10:45:
>> On 4/28/20 10:29 AM, KJ (Klaas Jan) Schuurs wrote:
> 
>>> ***
>>> smtpd.conf
>>> ***
>>> table  file:/etc/mail/trustedip
>>
>> This should be:
>> table trustedip file:/etc/mail/trustedip
>>
>> Can you tell if it works with this change?
>>




Re: Filter trustee src bypass - syntax error

2020-04-28 Thread Martijn van Duren
On 4/28/20 10:29 AM, KJ (Klaas Jan) Schuurs wrote:
> Dear all,
> 
> Hi! This is the first time I'm posting to this mailing list. English is 
> not my native language, so if I'm not making sense, then accept my 
> apologies.
> 
> First of all I would like to tell @Gilles and others that I love 
> opensmtpd. I've used it now for like two years and I like it way better 
> than postfix.
> 
> I'm trying to set up a filter bypass. I've looked at the example Gilles 
> has provided on his website.
> 
> ***
> smtpd.conf
> ***
> table  file:/etc/mail/trustedip

This should be:
table trustedip file:/etc/mail/trustedip

Can you tell if it works with this change?

> 
> filter trusted phase mail-from match src  bypass
> 
> listen on all tls pki example.com filter { trusted check_rdns ... }
> ***
> 
> ***
> /etc/mail/trustedip
> ***
> 192.168.1.0/24
> ***
> 
> When I do 'smtpd -n' I get a syntax error on the line where I define the 
> filter trusted.
> 
> I'm not sure what the error is.
> 
> I'm running openbsd 6.6 release.
> 
> Can someone shed some light on my syntax error?
> 
> Thank you!
> 
> With regards,
> 
> KJ (Klaas Jan) Schuurs
> 



Re: Custom filter

2020-04-16 Thread Martijn van Duren
On 4/16/20 3:58 PM, Jacky wrote:
> Hi,
> 
> I am using Opensmtp 6.6.4p1. I am going to use Opensmtp as outgoing SMTP 
> server, and use POP before SMTP method for authentication.
> 
> Is it possible for us to write and use a custom filter? If yes, is there any 
> information / resources available on the web?
> 
> Jacky
> 

There are a couple of filters available, but I'm not aware of how
cross-platform available they are.
From the OpenBSD ports tree there's the following written in go:
- https://github.com/poolpOrg/filter-rspamd
- https://github.com/poolpOrg/filter-senderscore
- spamassassin via https://www.umaxx.net
The latter has a couple of other filters, but aren't in the ports
tree, so probably have a little less testing.

I have written filter-dnsbl and filter-dkimsign in C:
- http://imperialat.at/dev/libopensmtpd/ (dependency for both)
- http://imperialat.at/dev/filter-dnsbl/
- http://imperialat.at/dev/filter-dkimsign/

I've got libopensmtpd to compile on Linux, but after that my need to get
them to work on Linux disappeared so the filters themselves never got 
there. If you want to use them I'm willing to help you set them up in 
your environment and commit the changes to my repo.

Other filters are relatively easy to write, but I don't think the
protocol is properly documented. You can look at this thread[0] as a
starting point, but there have been some minor changes since then, so
make sure to check your input.

martijn@

[0] https://www.mail-archive.com/misc@opensmtpd.org/msg03727.html



Re: Unable to setup my OpenSMTPd (version 6.6.4p1)

2020-04-15 Thread Martijn van Duren
On 4/15/20 11:21 AM, Pete wrote:
> Hey,
> 
>> match from any for rcpt-to  action action_relay
> shouldn't that be:
> match from any for domain mydoain.com rcpt-to  action 
> action_relay
> 
> 
Turns out you're right. I got my versions mixed up. For completeness:
The for rcpt-to  was added by gilles on 2019/11/26.
The 6.6.4 release was released on February 24th, but this was only
a bugfix release.

So the syntax will be valid for the next release.

martijn@



Re: Unable to setup my OpenSMTPd (version 6.6.4p1)

2020-04-15 Thread Martijn van Duren
On 4/15/20 5:50 AM, Jacky wrote:
> Hi,
> 
> I was unable to set up my Opensmtpd (version 6.6.4p1). At the end of this 
> message, there is the content of the recipient table and smtpd.conf. When 
> opensmtpd starts, I get the following error message :-
> 
>  /etc/opensmtpd/smtpd.conf:38: syntax error
> 
> Line 38 of smtpd.conf stands for the "match from ..." line. Can anybody please 
> advise what's wrong with my configuration file.
> 
> Thank you very much.
> 
> Jacky
> 
> #
> #
> #   /etc/opensmtpd/recipienttable
> #
> #
> 
> r...@mydomain.com
> t...@mydomain.com
> 
> #
> #
> #   /etc/opensmtpd/smtpd.conf
> #
> #
> 
> pki server01 cert "/etc/opensmtpd/cert/mydomain.com/fullchain.cer"
> pki server01 key "/etc/opensmtpd/cert/mydomain.com/mydomain.com.key"
> pki server01 dhe auto
> 
> table table_recipient file:/etc/opensmtpd/recipienttable
> 
> listen on 192.168.0.2 port 25 tls pki server01 hostname mydomain.com
> listen on 192.168.0.2 port 587 tls-require pki server01 hostname mydomain.com
> 
> action action_relay relay host smtp://127.0.0.1:10025
> match from any for rcpt-to  action action_relay
> 

Your config file is not complete (it's far from 38 lines).
If I strip your config of tls and adjust the paths it works for me.

Could you send over your entire config? If you're not comfortable doing
it publicly feel free to do so in a personal mail.

martijn@



Re: opensmtpd 6.6.4p1 crashes on netbsd 9.0

2020-03-09 Thread Martijn van Duren
On 3/9/20 8:15 AM, Andi Vajda wrote:
> 
>> On Mar 8, 2020, at 23:58, Martijn van Duren  
>> wrote:
>>
>> I guess not a lot of opensmtpd developers have a NetBSD machine at hand
>> (I certainly don't). Could you supply us with a backtrace, which most
>> likely will be needed from the pony process.
> 
> Rebuilding with libressl 3.0.2 (instead of openssl 1.1.1d) worked around the 
> problem.

So it's safe for me to assume you're fine with applying the workaround
for every release and letting other people do the same?
> 
> Andi..
> 
>>
>> martijn@



Re: opensmtpd 6.6.4p1 crashes on netbsd 9.0

2020-03-09 Thread Martijn van Duren
I guess not a lot of opensmtpd developers have a NetBSD machine at hand
(I certainly don't). Could you supply us with a backtrace, which most
likely will be needed from the pony process.

martijn@

On 3/7/20 1:38 AM, Andi Vajda wrote:
> 
>   Hi,
> 
> I've been running opensmtpd 6.6.4p1 on netbsd 7.2 just fine.
> 
> I'm now upgrading to netbsd 9.0 and I'm seeing that opensmtpd 6.6.4p1 crashes
> when mail is submitted to it. The crash seems to happen right after 'message
> begin':
> 
>--- snip ---
> smtp: 0x7ad646215000: fd 24 from queue
> smtp: 0x7ad646215000: message fd 24
> smtp: 0x7ad646215000: message begin
> debug: parent -> pony: pipe closed
> debug: control -> pony express: pipe closed
> debug: control agent exiting
> smtpd: process pony socket closed
> debug: ca -> pony express: pipe closed
>--- snip ---
> 
> If I copy the smtpd binary built on netbsd 7.2 to netbsd 9.0 then smtpd works
> fine again:
>--- snip ---
> smtp: 0x76e3f19b8000: fd 24 from queue
> smtp: 0x76e3f19b8000: message fd 24
> smtp: 0x76e3f19b8000: message begin
> debug: 0x76e3f19b8000: end of message, error=0
> ad1ae4fedfe423f1 smtp message msgid=c931775c size=567 nrcpt=1 proto=ESMTP
>--- snip --- 
> and mail is delivered as expected.
> 
> There is an ldd difference between the two binaries:
> 
> on netbsd 7.2:
>  -lz.1 => /usr/pkg/lib/libz.so.1
>  -lgcc_s.1 => /usr/lib/libgcc_s.so.1
>  -lc.12 => /usr/lib/libc.so.12
>  -lcrypto.1.1 => /usr/pkg/lib/libcrypto.so.1.1
>  -lpthread.1 => /usr/lib/libpthread.so.1
>  -lssl.1.1 => /usr/pkg/lib/libssl.so.1.1
>  -levent-2.1.7 => /usr/pkg/lib/libevent-2.1.so.7
>  -lasr.0 => /usr/pkg/lib/libasr.so.0
>  -lcrypt.1 => /usr/lib/libcrypt.so.1
> 
>   on netbsd 9.0:
>  -lz.1 => /usr/pkg/lib/libz.so.1
>  -lc.12 => /usr/lib/libc.so.12
>  -lcrypto.1.1 => /usr/pkg/lib/libcrypto.so.1.1
>  -lpthread.1 => /usr/lib/libpthread.so.1
>  -lssl.1.1 => /usr/pkg/lib/libssl.so.1.1
>  -levent-2.1.7 => /usr/pkg/lib/libevent-2.1.so.7
>  -lasr.0 => /usr/pkg/lib/libasr.so.0
>  -lcrypt.1 => /usr/lib/libcrypt.so.1
> 
> The -lgcc_s.1 entry is not present on 9.0.
> 
> The compiler used on netbsd 7.2: gcc (nb2 20150115) 4.8.5
> The compiler used on netbsd 9.0: gcc (nb3 20190319) 7.4.0
> 
> I also tried building opensmtpd 6.6.2p1 on netbsd 9.0, with the same result.
> 
> Is there something about netbsd 9.0 (and its gcc 7.4.0 system compiler) that
> is known to cause this ? Is there some configure setting I need to change ?
> (on both OSs, I'm only changing paths, ie --prefix, --with-libssl, 
> --with-libasr, --with-libevent as I'm using the pkgsrc installations (also 
> built from sources) of these libraries).
> 
> I'm going to try building opensmtpd with llvm next...
> Thank you for your insights !
> 
> Andi..
> 



Re: filter question

2020-03-09 Thread Martijn van Duren
On 3/6/20 5:00 PM, epektasis wrote:
> Greetings.  I have my own blacklist file of email addresses
> (some in the format microcen...@microcenter.com and some in 
> the format *@squaredeals.com), one per line.  I would like to
> filter each incoming email so that a mail-from address
> that matches any line in the blacklist file will go to a
> junk file.  In the smtpd.conf I have tried
> 
> table blksender file:/etc/blksender
> filter mail-from  junk
> match filter mail-from  junk
> 
> but get syntax errors on both of the last two lines when
> checking the configuration.  There's something I'm not
> understanding and am asking for advice.
>   epektasis
> 
Have another look at the manpage:
 filter filter-name phase phase-name match conditions decision
 Register a filter filter-name.  A decision about what to do
 with the mail is taken at phase phase-name when matching
 conditions.  Phases, matching conditions, and decisions are
 described in MAIL FILTERING, below.

So without testing (you should do that yourself anyway) I think what you
want would be:

table blksender file:/etc/blksender
filter blksender phase mail-from match mail-from  junk
listen on   filter blksender



Re: Non stop /bsd: smtpctl[51626]: pledge "fattr", syscall 124

2020-01-07 Thread Martijn van Duren
Quite some time ago I made a change that made smtpctl use tmpfile(3).
Are your kernel, libc and smtpctl all up to date?
(e.g. did you compile smtpctl from source without updating libc)

martijn@

On 1/7/20 5:04 PM, Johannes Krottmayer wrote:
> On 07.01.20 at 07:22,  Mik J wrote:
>> Hello,
>>
>> I keep having these logs in my /var/log/messages do you know what this
>> means ?
>> Jan  7 06:51:01 v /bsd: smtpctl[51626]: pledge "fattr", syscall 124
>> Jan  7 06:52:01 v /bsd: smtpctl[64532]: pledge "fattr", syscall 124
>> Jan  7 06:52:01 v /bsd: smtpctl[13532]: pledge "fattr", syscall 124
>> Jan  7 06:53:01 v /bsd: smtpctl[20480]: pledge "fattr", syscall 124
>> Jan  7 06:53:01 v /bsd: smtpctl[70486]: pledge "fattr", syscall 124
>> Jan  7 06:54:01 v /bsd: smtpctl[88165]: pledge "fattr", syscall 124
>> Jan  7 06:54:01 v /bsd: smtpctl[96175]: pledge "fattr", syscall 124
>> Jan  7 06:55:01 v /bsd: smtpctl[22724]: pledge "fattr", syscall 124
>> Jan  7 06:55:01 v /bsd: smtpctl[56931]: pledge "fattr", syscall 124
>> Jan  7 06:55:01 v /bsd: smtpctl[99044]: pledge "fattr", syscall 124
>>
>> Thank you
> 
> FYI:
> 
> The pledge mechanism is a security feature from OpenBSD.
> 
> In your case it means that the kernel AFAIK has prevented "smtpctl" from
> calling the function "fattr".
> 
> Details:
> https://man.openbsd.org/pledge.2
> 
> Cheers,
> Johannes K.
> 
> 
> 
> 



Re: Postgres backend missing?

2019-12-08 Thread Martijn van Duren
$ pkg_info -Q opensmtpd-extras
...
opensmtpd-extras-pgsql-6.4.0p0v0
...

On 12/8/19 7:04 PM, Norman Golisz wrote:
> Hi,
> 
> I'm currently migrating an old instance of OpenSMTPD (6.3) on OpenBSD to
> current.
> 
> This setup uses Postgres as backend for the user database. Now, it seems
> the Postgres backend is gone, because smtpd claims there is no such
> backend. Then I've installed the opensmtpd-extras package to no avail.
> 
> So, is the Postgres backend gone forever, WIP, or am I just failing to
> read manuals properly?
> 
> Thanks!
> 
> Norman
> 
> 



Re: opensmtpd setresgid ubuntu crash

2019-11-15 Thread Martijn van Duren
That seems to do the trick. Thanks.
Sorry for the noise.

On 11/15/19 11:40 AM, Gilles Chehade wrote:
> Try using the 6.6.1p1 tag, I'm currently reworking the dev branch to 
> completely revamp compat layer, things will be shaky for the next few days
> 
> On Nov 15, 2019 11:22, Martijn van Duren  wrote:
> 
> EHLO,
> 
> I'm currently trying to port filter-dnsbl to ubuntu, but I'm stuck at
> not being able to startup smtpd. Is there anyone who has seen this
> before and who has a (possible) solution?
> 
> This all is freshly installed.
> 
> OS: Ubuntu 18.04.3 LTS
> OpenSMTPD: git portable (latest)
> Installed packages:
> - build-essential
> - autoconf
> - libtool
> - libssl-dev
> - libz-dev
> - bison
> - libasr-dev
> - gdb
> configure parameters: none
> backtrace:

opensmtpd setresgid ubuntu crash

2019-11-15 Thread Martijn van Duren
EHLO,

I'm currently trying to port filter-dnsbl to ubuntu, but I'm stuck at
not being able to startup smtpd. Is there anyone who has seen this
before and who has a (possible) solution?

This all is freshly installed.

OS: Ubuntu 18.04.3 LTS
OpenSMTPD: git portable (latest)
Installed packages:
- build-essential
- autoconf
- libtool
- libssl-dev
- libz-dev
- bison
- libasr-dev
- gdb
configure parameters: none
backtrace:
#0  setresgid (rgid=rgid@entry=1001, egid=1001, egid@entry=, sgid=1001, 
sgid@entry=) at setresgid.c:29
#1  0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#2  0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#3  0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#4  0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#5  0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#6  0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#7  0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#8  0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#9  0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#10 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#11 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#12 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#13 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#14 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#15 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#16 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#17 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#18 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#19 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#20 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#21 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#22 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#23 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#24 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#25 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#26 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#27 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#28 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#29 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#30 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#31 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#32 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#33 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#34 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29
#35 0x55c9b388d0c8 in setresgid (rgid=rgid@entry=1001, egid=, sgid=) at setresgid.c:29


martijn@



Re: filter-rspamd DKIM checks failing intermittently.

2019-10-13 Thread Martijn van Duren
On 10/13/19 3:05 PM, Gilles Chehade wrote:
> I don't think that is the issue,

I never said it's the issue in this particular case, I said that non-RFC
line-endings are most definitively an issue with DKIM and that clients
who send incorrect line-endings should be fixed.

> it is probably the filter-rspamd reconstruction of the message that is 
> incorrect.

I'm not familiar enough with filter-rspamd to know if that's the case.
> 
> On Sun, Oct 13, 2019, 15:00 Martijn van Duren  <mailto:opensm...@list.imperialat.at>> wrote:
> 
> On 10/13/19 1:59 PM, Reio Remma wrote:
> > Hello!
> >
> > I finally moved to Rspamd (2.0) on my production server and I'm seeing
> > lots of failed DKIM checks, specifically dkim=fail (body hash did not
> > verify).
> >
> >
> > Authentication-Results: host.domain.com <http://host.domain.com>;
> >      dkim=fail (body hash did not verify) header.d=facebookmail.com 
> <http://facebookmail.com>
> > header.s=s1024-2013-q3 header.b=pNWbKJUd;
> >      dmarc=pass (policy=reject) header.from=facebookmail.com 
> <http://facebookmail.com>;
> >      spf=pass (host.domain.com <http://host.domain.com>: domain of 
> notificat...@facebookmail.com <mailto:notificat...@facebookmail.com>
> > designates 66.220.144.215 as permitted sender)
> > smtp.mailfrom=notificat...@facebookmail.com 
> <mailto:notificat...@facebookmail.com>
> >
> > My current stab-in-the-dark theory is that there might be something
> > going on with line endings when mails are fed to Rspamd.
> >
> > Any better theories? :)
> 
> It's a known issue that mails that don't end on \r\n (both \r\r\n and
> \n) cause issues. There's efforts going on to see how we can remedy
> this, but in the meantime tell your senders that they should fix their
> mails (RFC5321):
>    In addition, the appearance of "bare" "CR" or "LF" characters in text
>    (i.e., either without the other) has a long history of causing
>    problems in mail implementations and applications that use the mail
>    system as a tool.  SMTP client implementations MUST NOT transmit
>    these characters except when they are intended as line terminators
>    and then MUST, as indicated above, transmit them only as a 
>    sequence.
> >
> > Thanks,
> > Reio
> >
> >
> 



Re: filter-rspamd DKIM checks failing intermittently.

2019-10-13 Thread Martijn van Duren
On 10/13/19 1:59 PM, Reio Remma wrote:
> Hello!
> 
> I finally moved to Rspamd (2.0) on my production server and I'm seeing 
> lots of failed DKIM checks, specifically dkim=fail (body hash did not 
> verify).
> 
> 
> Authentication-Results: host.domain.com;
>      dkim=fail (body hash did not verify) header.d=facebookmail.com 
> header.s=s1024-2013-q3 header.b=pNWbKJUd;
>      dmarc=pass (policy=reject) header.from=facebookmail.com;
>      spf=pass (host.domain.com: domain of notificat...@facebookmail.com 
> designates 66.220.144.215 as permitted sender) 
> smtp.mailfrom=notificat...@facebookmail.com
> 
> My current stab-in-the-dark theory is that there might be something 
> going on with line endings when mails are fed to Rspamd.
> 
> Any better theories? :)

It's a known issue that mails that don't end on \r\n (both \r\r\n and
\n) cause issues. There's efforts going on to see how we can remedy
this, but in the meantime tell your senders that they should fix their
mails (RFC5321):
   In addition, the appearance of "bare" "CR" or "LF" characters in text
   (i.e., either without the other) has a long history of causing
   problems in mail implementations and applications that use the mail
   system as a tool.  SMTP client implementations MUST NOT transmit
   these characters except when they are intended as line terminators
   and then MUST, as indicated above, transmit them only as a 
   sequence.
> 
> Thanks,
> Reio
> 
> 
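
The two messages above (Martijn's answer to Reio and his follow-up to Gilles) both come down to the same point: DKIM hashes the body bytes, and bare LF or CR CR LF terminators make the verifier hash different bytes than the signer did. The following is an added example, not code from the thread or from filter-rspamd; it finds non-CRLF terminators in a message and computes the bh= value under the RFC 6376 "simple" body canonicalization on a constructed body, before and after the line endings are damaged. Function names and the sample body are this example's own.

```python
"""Added example (not code from the thread): why a message whose line endings
are not CRLF fails the DKIM body hash, and a check that finds the bad bytes.

DKIM (RFC 6376) signs a hash of the canonicalized body and stores it in the
bh= tag.  Both body canonicalizations assume CRLF line terminators, so if a
sender emits bare LF or CR CR LF (RFC 5321 forbids both on the wire) the
verifier hashes different bytes than the signer did and reports
"body hash did not verify".
"""
import base64
import hashlib
import re

CRLF = b"\r\n"


def find_bare_line_endings(raw: bytes) -> list:
    """Return (offset, kind) for each CR or LF that is not part of a CRLF pair.
    The first CR of a CR CR LF sequence is reported as a bare CR."""
    problems = []
    n = len(raw)
    for i, b in enumerate(raw):
        if b == 0x0D and (i + 1 >= n or raw[i + 1] != 0x0A):
            problems.append((i, "bare CR"))
        elif b == 0x0A and (i == 0 or raw[i - 1] != 0x0D):
            problems.append((i, "bare LF"))
    return problems


def normalize_crlf(raw: bytes) -> bytes:
    """Rewrite every line terminator (LF, lone CR, CR CR LF, ...) as one CRLF."""
    return re.sub(rb"\r*\n|\r(?!\n)", CRLF, raw)


def simple_body_hash(body: bytes) -> str:
    """bh= value for the 'simple' body canonicalization of RFC 6376 3.4.3:
    drop empty lines at the end, make sure the body ends in exactly one CRLF,
    then SHA-256 and base64 it the way the tag carries it."""
    while body.endswith(CRLF + CRLF):
        body = body[:-2]
    if not body.endswith(CRLF):
        body += CRLF
    return base64.b64encode(hashlib.sha256(body).digest()).decode()


def verify_body_hash(received_body: bytes, expected_bh: str) -> bool:
    """What a verifier does with the bh= tag: recompute and compare."""
    return simple_body_hash(received_body) == expected_bh


# Constructed sample: the body as the signer hashed it, and the same body
# after something on the path turned CRLF into bare LF.
SIGNED_BODY = b"Hello Reio,\r\n\r\nThis is the body the sender signed.\r\n"
AS_RECEIVED = SIGNED_BODY.replace(CRLF, b"\n")


def main():
    bh = simple_body_hash(SIGNED_BODY)
    print("bh= as signed:", bh)
    print("bare line endings in received copy:", find_bare_line_endings(AS_RECEIVED))
    print("verifies as received:", verify_body_hash(AS_RECEIVED, bh))
    print("verifies after CRLF normalization:",
          verify_body_hash(normalize_crlf(AS_RECEIVED), bh))


if __name__ == "__main__":
    main()
```

The normalization step is there to show the cause, not as a fix: it only restores the hash when the signer hashed proper CRLF bytes and the damage happened afterwards. If the sender signed a body that already had bare LF, no rewriting at the receiver will make it verify, which is why the advice in the thread is to get the sending side corrected.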



Re: How can I integrate opensmtpd with opendkim?

2019-10-10 Thread Martijn van Duren
Hello Ihor,

On 10/10/19 5:39 PM, Ihor Antonov wrote:
> Hello everyone,
> 
> I am seriously thinking about replacing Postfix with OpenSMTPD on my
> Linux box (I am very attracted by configuration simplicity and
> security-mindedness of the project)
> 
Good.
> 
> So I found this issue on github where Gilles is redirecting a user's
> question to mailing list.
> 
> https://github.com/OpenSMTPD/OpenSMTPD/issues/733
> 
> Unfortunately I did not find any follow-ups on the subject. Is
> opensmtpd + opendkim possible? I know that there is new filter API
> released recently, is it something that can be used to achieve this?
> Or maybe it is possible to write some sort of C plugin? (akin to table
> lookup API)
> 
> I am not looking for any other DKIM solutions (dkimproxy is abandoned,
> and as for p5-Mail-DKIM I don't want to introduce Perl into my setup)
> 
> I am very new to OpenSMTPD so I apologize for possibly stupid
> questions.

I'm not sure if you want to sign or verify signatures.
At the moment we have an API which allows us to write custom plugins and
I have written a dkim signer myself[0][1], but it's written specifically
for OpenBSD and I haven't tested it on Linux (probably needs a few
tweaks for that).

If you want something that does spam filtering (including dkim verify)
see Gilles' rspamd plugin[2] or Joerg's spamassassin plugin[3].

If you're lazy just wait a few weeks for OpenBSD 6.6 to be released,
which will contain these filters in the package managers. If you
want to stay on Linux see how far you get with compiling these codebases
yourself and contact me once you need help (at least the dkimsign one).
> 
> 
> Thanks
> 
> ---
> Ihor Antonov
> 
> 
martijn@

[0] http://imperialat.at/dev/libopensmtpd/
[1] http://imperialat.at/dev/filter-dkimsign/
[2] https://github.com/poolpOrg/filter-rspamd/
[3] https://www.umaxx.net



Re: OpenSMTPD-Logwatch script.

2019-09-05 Thread Martijn van Duren
On 9/5/19 11:55 AM, Reio Remma wrote:
> On 05/09/2019 11:33, gil...@poolp.org wrote:
>> Yes, see the smtpd.conf(5) man page:
>>
>> filter myreporter proc-exec "/tmp/reporting.sh"
>>
>> listen on [...] filter myreporter
> 
> smtp: 0x271c2c0: <<< EHLO localhost
> mproc: pony -> lka : 49 IMSG_REPORT_SMTP_PROTOCOL_CLIENT
> mproc: pony -> lka : 50 IMSG_??? (129)
> smtp: 0x271c2c0: STATE_CONNECTED -> STATE_HELO
> smtp: 0x271c2c0: >>> 250-host.domain.com Hello localhost [local], pleased to 
> meet you
> mproc: pony -> lka : 102 IMSG_REPORT_SMTP_PROTOCOL_SERVER
> smtp: 0x271c2c0: >>> 250-8BITMIME
> mproc: pony -> lka : 47 IMSG_REPORT_SMTP_PROTOCOL_SERVER
> smtp: 0x271c2c0: >>> 250-ENHANCEDSTATUSCODES
> mproc: pony -> lka : 58 IMSG_REPORT_SMTP_PROTOCOL_SERVER
> smtp: 0x271c2c0: >>> 250-SIZE 104857600
> mproc: pony -> lka : 53 IMSG_REPORT_SMTP_PROTOCOL_SERVER
> smtp: 0x271c2c0: >>> 250 HELP
> mproc: pony -> lka : 43 IMSG_REPORT_SMTP_PROTOCOL_SERVER
> smtp: 0x271c2c0: IO_LOWAT 
> smtp: 0x271c2c0: IO_DATAIN 
> smtp: 0x271c2c0: <<< MAIL FROM:
> mproc: pony -> lka : 72 IMSG_REPORT_SMTP_PROTOCOL_CLIENT
> mproc: pony -> queue : 8 IMSG_SMTP_MESSAGE_CREATE
> imsg: queue <- pony: IMSG_SMTP_MESSAGE_CREATE (len=8)
> queue-backend: queue_message_create() -> 1 (df19e22a)
> mproc: queue -> pony : 16 IMSG_SMTP_MESSAGE_CREATE
> imsg: pony <- queue: IMSG_SMTP_MESSAGE_CREATE (len=16)
> mproc: pony -> lka : 37 IMSG_REPORT_SMTP_TX_BEGIN
> smtp: 0x271c2c0: >>> 250 2.0.0 Ok
> mproc: pony -> lka : 70 IMSG_??? (134)
> mproc: pony -> lka : 47 IMSG_REPORT_SMTP_PROTOCOL_SERVER
> smtp: 0x271c2c0: IO_LOWAT 
> smtp: 0x271c2c0: IO_DATAIN 
> smtp: 0x271c2c0: <<< RCPT TO:
> mproc: pony -> lka : 63 IMSG_REPORT_SMTP_PROTOCOL_CLIENT
> mproc: pony -> lka : 291 IMSG_SMTP_EXPAND_RCPT
> 
> SMTPD seems to get stuck here with no errors. This is with the simple:
> 
> filter reporter proc-exec "/etc/opensmtpd/reporter.sh"
> 
> #!/bin/sh
> while read line; do
>     echo $line >> /var/log/opensmtpd.log
> done
> 
> Reio
> 
You need to register what events you want to receive and finish up with
register|ready.

$ cat test.sh
#!/bin/sh

while read line; do
    echo "$line" >&2
    if [ "${line%%\|*}" = "config" ]; then
        if [ "${line#*\|}" = "ready" ]; then
            echo "register|report|smtp-in|link-connect"
            echo "register|ready"
        fi
        continue
    fi
done

Possible values for report are (from lka_report.c):
static struct smtp_events {
    const char *event;
} smtp_events[] = {
    { "link-connect" },
    { "link-disconnect" },
    { "link-greeting" },
    { "link-identify" },
    { "link-tls" },
    { "link-auth" },

    { "tx-reset" },
    { "tx-begin" },
    { "tx-mail" },
    { "tx-rcpt" },
    { "tx-envelope" },
    { "tx-data" },
    { "tx-commit" },
    { "tx-rollback" },

    { "protocol-client" },
    { "protocol-server" },

    { "filter-response" },

    { "timeout" },
};

Possible values for filter are:
static struct filter_exec {
    enum filter_phase   phase;
    const char         *phase_name;
    int               (*func)(struct filter_session *, struct filter *, uint64_t, const char *);
} filter_execs[FILTER_PHASES_COUNT] = {
    { FILTER_CONNECT,   "connect",   filter_builtins_connect },
    { FILTER_HELO,      "helo",      filter_builtins_helo },
    { FILTER_EHLO,      "ehlo",      filter_builtins_helo },
    { FILTER_STARTTLS,  "starttls",  filter_builtins_notimpl },
    { FILTER_AUTH,      "auth",      filter_builtins_notimpl },
    { FILTER_MAIL_FROM, "mail-from", filter_builtins_mail_from },
    { FILTER_RCPT_TO,   "rcpt-to",   filter_builtins_rcpt_to },
    { FILTER_DATA,      "data",      filter_builtins_notimpl },
    { FILTER_DATA_LINE, "data-line", filter_builtins_notimpl },
    { FILTER_RSET,      "rset",      filter_builtins_notimpl },
    { FILTER_QUIT,      "quit",      filter_builtins_notimpl },
    { FILTER_NOOP,      "noop",      filter_builtins_notimpl },
    { FILTER_HELP,      "help",      filter_builtins_notimpl },
    { FILTER_WIZ,       "wiz",       filter_builtins_notimpl },
    { FILTER_COMMIT,    "commit",    filter_builtins_notimpl },
};

reports come in in the format:
report||

filters come in in the format:
filter|||

Note that filters require a proceed, rewrite, reject, or disconnect
reply in the form:

filter-result|||proceed
filter-result|||reject|
filter-result|||disconnect|
filter-result|||rewrite|

Note that this is mostly stable, but some changes may occur, so
keep track of the version. Minor versions are backwards compatible,
major versions are not.
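
The shell script above only subscribes to reports, which never need an answer. The difference between reports and filters, and the register/ready handshake, are easier to see in a filter that does both. The following is an added example, not code from the post and not part of OpenSMTPD: it logs connections from link-connect reports and answers rcpt-to filter requests against a constructed domain deny-list. The field layouts are this example's assumptions (written from smtpd-filters(7) as its author knows it) and must be checked against the protocol version your smtpd reports, as the post says the format may still change.

```python
"""Added example, not from the post and not OpenSMTPD code: a proc-exec filter
that follows the line protocol described above (register the events you want,
finish with register|ready, answer every filter line with a filter-result).

Field layouts are assumptions of this example; check them against the
<version> field smtpd sends before relying on them:
  report|<version>|<timestamp>|<subsystem>|<event>|<session>|<params...>
  filter|<version>|<timestamp>|<subsystem>|<phase>|<session>|<token>|<params...>
  filter-result|<session>|<token>|proceed
  filter-result|<session>|<token>|reject|<smtp reply line>
"""
import sys


class RcptFilter:
    """Tracks connections from link-connect reports and answers rcpt-to
    filter requests, rejecting recipients in a constructed domain deny-list."""

    def __init__(self, denied_domains):
        self.denied = {d.lower() for d in denied_domains}
        self.sessions = {}   # session id -> link-connect parameters
        self.log = []        # what a logwatch-style filter would write out

    def handle_line(self, line):
        """Return the lines to send back to smtpd for one input line."""
        fields = line.rstrip("\n").split("|")
        kind = fields[0]
        if kind == "config":
            return self._config(fields)
        if kind == "report":
            return self._report(fields)
        if kind == "filter":
            return self._filter(fields)
        return []

    def _config(self, fields):
        # config|ready closes the handshake: register, then say ready.
        if fields[1] == "ready":
            return [
                "register|report|smtp-in|link-connect",
                "register|report|smtp-in|link-disconnect",
                "register|filter|smtp-in|rcpt-to",
                "register|ready",
            ]
        return []

    def _report(self, fields):
        # Reports are informational only and never get a reply.
        event, session = fields[4], fields[5]
        if event == "link-connect":
            self.sessions[session] = fields[6:]   # assumed: rdns|fcrdns|src|dest
            self.log.append(f"{session} connect {'|'.join(fields[6:])}")
        elif event == "link-disconnect":
            self.sessions.pop(session, None)
            self.log.append(f"{session} disconnect")
        return []

    def _filter(self, fields):
        # Every filter line needs a reply; smtpd holds the session until it arrives.
        phase, session, token = fields[4], fields[5], fields[6]
        params = fields[7:]
        if phase == "rcpt-to" and params:
            domain = params[0].rsplit("@", 1)[-1].lower()
            if domain in self.denied:
                return [f"filter-result|{session}|{token}|reject|"
                        "550 5.7.1 Recipient domain not accepted"]
        return [f"filter-result|{session}|{token}|proceed"]


def drive(handler, lines):
    """Feed lines to a handler and collect everything it would write to stdout."""
    out = []
    for line in lines:
        out.extend(handler.handle_line(line))
    return out


# Constructed sample session (not captured from a real smtpd):
SAMPLE = [
    "config|smtpd-version|6.6.0",
    "config|ready",
    "report|0.5|1567677300.1|smtp-in|link-connect|7f3a|mx.example.net|pass"
    "|192.0.2.10:4711|198.51.100.1:25",
    "filter|0.5|1567677301.2|smtp-in|rcpt-to|7f3a|tok1|alice@example.org",
    "filter|0.5|1567677301.3|smtp-in|rcpt-to|7f3a|tok2|bob@spam.example",
    "report|0.5|1567677302.0|smtp-in|link-disconnect|7f3a",
]

if __name__ == "__main__":
    flt = RcptFilter(["spam.example"])
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for line in source:
        for reply in flt.handle_line(line):
            print(reply, flush=True)   # flush per line: smtpd waits for filter-result
```

Run from a terminal it replays the constructed session; hooked up with `filter name proc-exec "..."` it reads smtpd on stdin. The per-line flush matters: a filter that buffers its filter-result lines stalls every session at the first filtered phase, which looks exactly like the "stuck with no errors" symptom in the quoted message.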



Re: Service names in listen on directives

2019-08-24 Thread Martijn van Duren
On 8/24/19 9:32 PM, Darren S. wrote:
> OpenBSD 6.5 amd64
> OpenSMTPD 6.5.0
> 
> port [port]
> Listen on the given port instead of the default port 25.
> 
> I wanted to confirm if service names are intended to be supported for
> `listen on` option in smtpd.conf.
> 
> These result in syntax failure:
> 
> listen on lo port smtp
> listen on lo port smtps
> 
> These do not:
> 
> listen on lo port 25
> listen on lo port 465
> 
> This also does not:
> 
> listen on lo port submission
> 
> Found it curious that `submission` may be used in place of a port
> number but not the other service names.
> 
Thanks for the report.
This should work in the next release.

Note that you can use the quoted syntax pointed out by gilles@ now, and it
will remain working after upgrading to the next release.

martijn@



Re: forcing SMTP authentication

2019-08-21 Thread Martijn van Duren
On 8/21/19 8:47 AM, Selmeci Tamás wrote:
> On Wed, 21 Aug 2019 08:19:24 +0200 Martijn van Duren
>  wrote:
> 
>> From smtpd.conf(5):
>>
>>  auth-optional []
>>  Support SMTPAUTH optionally: clients need not
>>  authenticate, but may do so.  This allows a listen on
>>  directive to both accept incoming mail from untrusted
>>  senders and permit outgoing mail from authenticated 
>> users
>>  (using match auth).  It can be used in situations where
>>  it is not possible to listen on a separate port (usually
>>  the submission port, 587) for users to authenticate.
> 
> Sounds good, but unauthenticated relaying still works with this...
> 
auth-optional []
...snip...
(using match auth)
...snip...

 match options action name
 If at least one mail envelope matches the options of one match
 action directive, receive the incoming message, put a copy into
 each matching envelope, and atomically save the envelopes to the
 mail spool for later processing by the respective dispatcher
 name.
...snip...
 [!] auth
 Matches transactions which have been authenticated.
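
Put together, the two man page fragments quoted above give the configuration that closes the open relay. The following smtpd.conf is an added example, not the configuration from the thread; hostnames, table names and file paths are placeholders.

```conf
# Added example (not from the thread). Which sessions may relay is decided by
# the match rule that leads to the relay action, not by the listen line.

pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
pki mail.example.com key  "/etc/ssl/private/mail.example.com.key"
table creds file:/etc/mail/creds

# One listener for both inbound MX traffic and our own users, as the quoted
# auth-optional text allows: peers need not authenticate, users may.
listen on egress tls pki mail.example.com auth-optional <creds>

action "inbound"  mbox
action "outbound" relay

# Mail for our domain is accepted from anyone.
match from any for domain "example.com" action "inbound"

# OPEN RELAY: with this rule anyone who can connect may send anywhere.
#match from any for any action "outbound"

# Correct: only sessions that authenticated may relay (the "match auth"
# the man page refers to).
match auth from any for any action "outbound"
```

Rules are tried in order, so the inbound rule must come before the relay rule; a mail for a foreign domain from an unauthenticated session then matches nothing and is rejected.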



Re: forcing SMTP authentication

2019-08-21 Thread Martijn van Duren
From smtpd.conf(5):

 auth-optional []
 Support SMTPAUTH optionally: clients need not
 authenticate, but may do so.  This allows a listen on
 directive to both accept incoming mail from untrusted
 senders and permit outgoing mail from authenticated users
 (using match auth).  It can be used in situations where
 it is not possible to listen on a separate port (usually
 the submission port, 587) for users to authenticate.


On 8/21/19 7:39 AM, Selmeci Tamás wrote:
> Hello!
> 
> In brief: STARTTLS is enabled, there is a self-signed certificate for
> encryption (better than nothing), smarthost is used to send mails from
> my domain. My problem is that it still accepts SMTP connections (over
> TLS) without authentication. What I want:
> - anybody can send email to my email address in my domain (now it's
> working);
> - relaying through my SMTP server is allowed only after successful
> authentication (now anybody can relay through my server without
> authentication, e.g. to send spams). Authentication should be based on
> regular /etc/passwd file (local users of the computer). In order to
> hide the passwords, STARTTLS should be used;
> 
> It's a rather simple configuration, but I wasn't able to set it up. If
> I put 'auth' into the 'listen on' line, it needs authentication to any
> access of the SMTP server, so other machines (e.g. from google.com)
> can't send me mails. Using 'authenticated' in 'accept from' directives
> also didn't do the trick appropriately (it wasn't able to receive any
> mails at all).
> 
> Could you please help me out with this?
> 
> Thanks, regards,
> ---
> ---
> pki mail.486.hu certificate "/etc/smtpd/mail.486.hu.crt"
> pki mail.486.hu key "/etc/smtpd/mail.486.hu.key"
> 
> table cred file:/etc/smtpd/cred
> 
> listen on eth0  port 25 hostname mail.486.hu tls-require
> listen on localhost port 25 hostname mail.486.hu tls-require
> 
> # Storing mails arriving at the domain '486.hu'.
> accept from any for domain 486.hu deliver to mbox
> 
> # If the recipient is out of domain '486.hu', the mail is relayed through the
> # smarthost using TLS and authentication, see 'cred' file.
> accept from any for ! domain 486.hu relay via
> tls+auth://t-onl...@mail.t-online.hu auth  
> 



Re: How to deal with spam and opensmtpd

2018-04-19 Thread Martijn van Duren
On 04/19/18 13:36, Mik J wrote:
> I don't know how it works for you but for me these marketing companies change 
> their IPs every week (they use a few different subnets every week).
> So this task can be very time consuming.

This filters on sender e-mail address, not ip-address.
> 
> 
> Le jeudi 19 avril 2018 à 13:31:33 UTC+2, Martijn van Duren 
> <opensm...@list.imperialat.at> a écrit :
> 
> 
> Hello Mik,
> 
> On 04/19/18 13:18, Mik J wrote:
>> Thank you Simon for your answer.
>>
>> Actually, this marketing company is not doing heavy spam so they qualify 
>> mail addresses then have time to retry to send their email.
>> Their unsubscribe button is worthless.
>>
>> Another option could be to subscribe their services with a spamtrap address.
>>
>> But I was wondering what do you guys use to filter content of emails at the 
>> smtp server level.
> 
> For these kind of cases I keep it rather low-tech. I added the following
> line to my smtpd.conf:
> reject from any sender  for any
> 
> and just manually add the spam addresses to this table.
>>
>> Regards
>>
>> Le mercredi 18 avril 2018 à 22:50:32 UTC+2, Simon McFarlane <s...@desu.ne.jp 
>> <mailto:s...@desu.ne.jp>> a écrit :
>>
>>
>> On 04/18/2018 01:44 AM, Mik J wrote:> What other (not spamd and
>>
>> spamassassing) do you use ?
>>
>>
>> I use bgp-spamd [1] and a hand-assembled blacklist (using
>> dovecot-pigeonhole) of certain terms that usually only appear in spam.
>> It's not as good as SpamAssassin but it seems to stop the majority of
>> the spam I get. I'm down from 2-3 spam messages per day to one 10 days
>> or so.
>>
>> Simon
>>
>> [1] https://bgp-spamd.net/
>>
>> --
>> You received this mail because you are subscribed to misc@opensmtpd.org 
>> <mailto:misc@opensmtpd.org> <mailto:misc@opensmtpd.org 
>> <mailto:misc@opensmtpd.org>>
>> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org 
>> <mailto:unsubscr...@opensmtpd.org> <mailto:unsubscr...@opensmtpd.org 
>> <mailto:unsubscr...@opensmtpd.org>>
> 
>>
>>
> 
> -- 
> You received this mail because you are subscribed to misc@opensmtpd.org 
> <mailto:misc@opensmtpd.org>
> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org 
> <mailto:unsubscr...@opensmtpd.org>
> 

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Re: How to deal with spam and opensmtpd

2018-04-19 Thread Martijn van Duren
Hello Mik,

On 04/19/18 13:18, Mik J wrote:
> Thank you Simon for your answer.
> 
> Actually, this marketing company is not doing heavy spam so they qualify mail 
> addresses then have time to retry to send their email.
> Their unsubscribe button is worthless.
> 
> Another option could be to subscribe their services with a spamtrap address.
> 
> But I was wondering what do you guys use to filter content of emails at the 
> smtp server level.

For these kind of cases I keep it rather low-tech. I added the following
line to my smtpd.conf:
reject from any sender  for any

and just manually add the spam addresses to this table.
> 
> Regards
> 
> Le mercredi 18 avril 2018 à 22:50:32 UTC+2, Simon McFarlane  
> a écrit :
> 
> 
> On 04/18/2018 01:44 AM, Mik J wrote:> What other (not spamd and
> 
> spamassassing) do you use ?
> 
> 
> I use bgp-spamd [1] and a hand-assembled blacklist (using
> dovecot-pigeonhole) of certain terms that usually only appear in spam.
> It's not as good as SpamAssassin but it seems to stop the majority of
> the spam I get. I'm down from 2-3 spam messages per day to one 10 days
> or so.
> 
> Simon
> 
> [1] https://bgp-spamd.net/
> 
> -- 
> You received this mail because you are subscribed to misc@opensmtpd.org 
> 
> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org 
> 
> 
> 

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



deny sender not working completely.

2016-09-04 Thread Martijn van Duren
Hello,

For my mailserver I have a blacklist so that I can block annoying
senders. According to smtpd.conf(5) I should be able to block entire
domains by prepending a domain with '@', but this doesn't work for me.
A full email address is blocked.

martijn@

Version: OpenBSD 5.9-stable
$ cat /etc/mail/smtpd.conf
#   $OpenBSD: smtpd.conf,v 1.4 2012/07/16 05:56:16 jmc Exp $

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

pki keys certificate "/etc/ssl/mail.imperialat.at.crt"
pki keys key "/etc/ssl/private/mail.imperialat.at.key"

table authdb sqlite:/etc/mail/auth.conf
table rejectdb sqlite:/etc/mail/reject.conf
table blacklist sqlite:/etc/mail/blacklist.conf

filter dkim dkim-signer "-D" "imperialat.at" "-p" "/etc/mail/dkim/private.key" "-s" "deathstar"

listen on egress tls pki keys auth-optional 
listen on all port submission filter dkim tls-require pki keys auth 

# Email addresses
table aliases db:/etc/mail/aliases.db

reject from any sender  for any
reject from any for domain  recipient 
accept from any for domain  virtual  userbase 
deliver to maildir "%{user.directory}/Maildir/%{dest.domain}/%{dest.user:strip}"

accept for local alias  deliver to mbox
accept for any relay
$ cat /etc/mail/blacklist.conf
dbpath  /etc/mail/storage.db

query_mailaddr SELECT sender FROM blacklist WHERE sender=?;
# sqlite3 /etc/mail/storage.db
sqlite> SELECT * FROM blacklist;
...
@bar.com
f...@bar.com
...
$ telnet mail.imperialat.at smtp
Trying 92.111.209.89...
Connected to imperialat.at.
Escape character is '^]'.
220 mail.imperialat.at ESMTP OpenSMTPD
HELO hackroom.obsd
250 mail.imperialat.at Hello hackroom.obsd [x.x.x.x], pleased to meet you
MAIL FROM: 
250 2.0.0: Ok
RCPT TO: 
250 2.1.5 Destination address valid: Recipient ok
QUIT
221 2.0.0: Bye
Connection closed by foreign host.
$ telnet mail.imperialat.at smtp
Trying 92.111.209.89...
Connected to imperialat.at.
Escape character is '^]'.
220 mail.imperialat.at ESMTP OpenSMTPD
HELO hackroom.obsd
250 mail.imperialat.at Hello hackroom.bsd [x.x.x.x], pleased to meet you
MAIL FROM: 
250 2.0.0: Ok
RCPT TO: 
550 Invalid recipient
QUIT
221 2.0.0: Bye
Connection closed by foreign host.

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Re: Pledge() in smtpd

2015-11-11 Thread Martijn van Duren

On 11/12/15 01:37, michalzient...@gmail.com wrote:

Hello guys,

Recently i was reading about new OpenBSD security mechanism called pledge(). I 
think this is another great idea from OpenBSD. Are you going to make use of it ?

Regards,
Michal Zientara



Pledge is already used within the OpenBSD tree[1], so yes.
On other platforms I can't tell you, since I'm not a developer on either 
smtpd or the other platforms, although I reckon it's highly unlikely, 
since it's an in kernel implementation. But as Theo stated[2]: someone 
smart might be able to build a compatible layer upon seccomp. Just don't 
hold your breath.


[1] 
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/smtpd.c?rev=1.254=text/x-cvsweb-markup

[2] http://www.openbsd.org/papers/hackfest2015-pledge/mgp00034.html

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Re: Shared authentication across OpenSMTPD and Dovecot

2015-06-16 Thread Martijn van Duren

Hello Jonathan,

I don't know about FreeBSD, but under OpenBSD the sqlite table backend 
is included.

I use the following configuration in smtpd.conf:

table authdb sqlite:/etc/mail/auth.conf
accept from any for domain authdb virtual authdb userbase authdb deliver to maildir %{user.directory}/Maildir/%{dest.domain}/%{dest.user:strip}


With /etc/mail/auth.conf:
dbpath  /etc/mail/storage.db

query_alias SELECT recipient FROM alias WHERE user=?;

query_domain SELECT SUBSTR(user, INSTR(user, '@')+1) FROM alias WHERE SUBSTR(user, INSTR(user, '@')+1)=? GROUP BY SUBSTR(user, INSTR(user, '@')+1);


query_credentials SELECT email, password FROM users WHERE email=?;

query_userinfo SELECT uid, gid, home AS directory FROM users WHERE REPLACE(email, '@', '_')=?;


And the layout for /etc/mail/storage.db:
CREATE TABLE users (
email   VARCHAR(128) NOT NULL PRIMARY KEY,
passwordVARCHAR(64) NOT NULL DEFAULT '!',
uid INT NOT NULL,
gid INT NOT NULL,
homeVARCHAR(256)
);
CREATE TABLE alias (
userVARCHAR(64) NOT NULL,
recipient   VARCHAR(128) NOT NULL
);
CREATE INDEX alias_user ON alias(user);

Make sure that every email address is also in aliases, mapped to a 
recipient where the @ is replaced with a _, otherwise smtpd will keep 
looking for the user-part of the e-mail address.


For dovecot I use the following directives:
driver = sqlite
connect = /etc/mail/storage.db
password_query = SELECT email AS user, password, uid AS userdb_uid, gid AS userdb_gid, home AS userdb_home FROM users WHERE email = '%u';


Hope this helps. For my small home-setup it works like a charm.

On 06/16/15 14:14, free...@jonathanprice.org wrote:

Hello,

I currently run a personal mailserver using postfix + dovecot (and a few
other things for anti-spam, dkim etc, but i'm not worried about that at
the moment).

I am very interested in replacing postfix with OpenSMTPD, especially for
clarity of configuration.

However, I am a little stuck as to how I can get OpenSMTPD and Dovecot
to use the same source for authentication.

In my current setup, each of my virtual domains has a file called
/var/mail/vhosts/passwd-%DOMAIN% which is in the format of Dovecot's
passwd-file. I then use SASL to provide postfix with a way of
authenticating submissions.

If you'd like to see how that actually works from a configuration
standpoint, see the following link:
http://slexy.org/view/s20baUvUI8

As far as I can tell, OpenSMTPD does not support SASL, therefore
directly copying this approach will not work.

I don't believe I can customise the format of the auth table for either
OpenSMTPD or Dovecot to make them compatible with each other, so I don't
think that's an option (although if i'm wrong on that point, please let
me know!).

After spending some time researching I seem to have come across a couple
of references to a passwd table format for OpenSMTPD. It seems to be in
OpenSMTPD-extras, which is not currently a port on FreeBSD. I tried
compiling that particular table format based on instructions from
github, and making sure that I specified the correct directory for the
FreeBSD installation, but it still didn't appear to detect the format
when I started OpenSMTPD (giving the error: fatal: table_create:
backend passwd does not exist).

At this point I imagine i'm probably overcomplicating the situation, and
there is a simpler solution.

Does anybody have a recommended way to do the following?:
- virtual users and domains, not tied to system accounts
- stored in maildir format (using my existing solution of
/var/mail/vhosts/%DOMAIN%/%USER% would be a bonus)
- single source for authentication (I don't mind that being a single
file, rather than my current system of 1 file per domain, so long as I
can have for instance jonathan@DOMAIN1 and jonathan@DOMAIN2 having
different passwords).

Thanks for taking the time to read my question.

--
Jonathan Price
www.jonathanprice.uk
Verify my identity at https://keybase.io/pricetx



--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



smtpd extra filters

2014-10-12 Thread Martijn van Duren

Hello misc@,

I'm trying to set up the filter-dkim-signer from the OpenSMTPD-extras 
repository on my OpenBSD 5.5 machine.
Unfortunately I can't seem to find the instructions to hook it up in my 
smtpd.conf.


It would be much appreciated if someone could inform me on how to set 
this up, or at least point me in the right direction.


Sincerely,

Martijn van Duren

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Re: [userbase] email in login field

2014-08-20 Thread Martijn van Duren
Hello Giovanni,

When doing a login the username is always stripped from its domain part.
For my setup (sqlite-based) I worked around this in the following manner
(only important sections):
smtpd.conf:
table authdb sqlite:/etc/mail/auth.conf

accept from any for domain authdb virtual authdb userbase authdb deliver to maildir %{user.directory}/Maildir/%{dest.domain}/%{dest.user:strip}

auth.conf:
dbpath  /etc/mail/storage.db

query_alias SELECT recipient FROM alias WHERE user=?;

query_domain SELECT SUBSTR(user, INSTR(user, '@')+1) FROM alias WHERE SUBSTR(user, INSTR(user, '@')+1)=? GROUP BY SUBSTR(user, INSTR(user, '@')+1);

query_credentials SELECT email, password FROM users WHERE email=?;

query_userinfo SELECT uid, gid, home AS directory FROM users WHERE REPLACE(email, '@', '_')=?;

sqlite schema:
CREATE TABLE users (
email   VARCHAR(128) NOT NULL PRIMARY KEY,
passwordVARCHAR(64) NOT NULL DEFAULT '!',
uid INT NOT NULL,
gid INT NOT NULL,
homeVARCHAR(256)
);
CREATE TABLE alias (
userVARCHAR(64) NOT NULL,
recipient   VARCHAR(128) NOT NULL
);

Where recipient in alias can either be another email address or a
username where the '@' is replaced by an '_'.

Sincerely,

Martijn van Duren


On Wed, 2014-08-20 at 10:38 +0200, Giovanni Bechis wrote:
 Hi,
 I am trying to configure an smtpd server with mysql as userbase, on my 
 database the mailbox schema is the following (simplified):
 id1
 login giova...@paclan.it
 email giova...@paclan.it
 uid   5000
 gid   5000
 maildir   /var/vmail/paclan.it/giovanni
 
 With the following conf the table_lookup tries to find a record with 
 login=giovanni instead of login=giova...@paclan.it, is there a way to tell 
 that the login field contains an email ?
  Thanks
   Giovanni



-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
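
The sqlite schema and the auth.conf queries appear twice on this page (the 2015 "Shared authentication" reply and the 2014 "[userbase] email in login field" reply above). The following is an added example, not code from either post: it builds the posted schema in memory, runs the posted queries unchanged, and shows the lookup chain that makes the "@ replaced by _" alias row necessary, plus the Dovecot password_query against the same table. Rows, names and paths are constructed.

```python
"""Added example, not from the posts: build the sqlite schema shown above in
memory, run the exact queries from the posted auth.conf, and show why every
virtual address needs an alias row whose recipient is the address with '@'
turned into '_'.  Sample rows are constructed; the password column holds a
placeholder where a real setup stores a crypt(3)-style hash (smtpctl encrypt)."""
import sqlite3

SCHEMA = """
CREATE TABLE users (
    email    VARCHAR(128) NOT NULL PRIMARY KEY,
    password VARCHAR(64) NOT NULL DEFAULT '!',
    uid      INT NOT NULL,
    gid      INT NOT NULL,
    home     VARCHAR(256)
);
CREATE TABLE alias (
    user      VARCHAR(64) NOT NULL,
    recipient VARCHAR(128) NOT NULL
);
CREATE INDEX alias_user ON alias(user);
"""

# The queries exactly as the posted auth.conf defines them ('?' is the bound parameter).
QUERY_ALIAS = "SELECT recipient FROM alias WHERE user=?"
QUERY_DOMAIN = ("SELECT SUBSTR(user, INSTR(user, '@')+1) FROM alias "
                "WHERE SUBSTR(user, INSTR(user, '@')+1)=? "
                "GROUP BY SUBSTR(user, INSTR(user, '@')+1)")
QUERY_CREDENTIALS = "SELECT email, password FROM users WHERE email=?"
QUERY_USERINFO = ("SELECT uid, gid, home AS directory FROM users "
                  "WHERE REPLACE(email, '@', '_')=?")
# Dovecot's password_query from the post, with its %u replaced by a bound parameter.
DOVECOT_PASSDB = ("SELECT email AS user, password, uid AS userdb_uid, gid AS userdb_gid, "
                  "home AS userdb_home FROM users WHERE email = ?")


def build_db():
    """In-memory copy of storage.db with one virtual user and two alias rows (constructed)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?, ?)",
               ("alice@example.org", "$2b$PLACEHOLDER-HASH", 1000, 1000, "/var/vmail/alice"))
    # The row the post insists on: the address maps to itself with '@' -> '_'.
    db.execute("INSERT INTO alias VALUES (?, ?)", ("alice@example.org", "alice_example.org"))
    # An ordinary alias pointing at another address.
    db.execute("INSERT INTO alias VALUES (?, ?)", ("postmaster@example.org", "alice@example.org"))
    return db


def domain_is_served(db, domain):
    """query_domain: does any alias row belong to this domain?"""
    return db.execute(QUERY_DOMAIN, (domain,)).fetchone() is not None


def lookup_userinfo(db, login):
    """query_userinfo: the userbase lookup smtpd does with the (domain-stripped) name."""
    row = db.execute(QUERY_USERINFO, (login,)).fetchone()
    return None if row is None else {"uid": row[0], "gid": row[1], "directory": row[2]}


def resolve_recipient(db, address, max_hops=8):
    """Simplified model of virtual expansion: follow alias rows until one
    resolves in the userbase; None if the chain ends nowhere or loops."""
    seen = set()
    current = address
    for _ in range(max_hops):
        if current in seen:
            return None                 # alias loop
        seen.add(current)
        row = db.execute(QUERY_ALIAS, (current,)).fetchone()
        if row is None:
            return None                 # no alias row: smtpd keeps looking for the bare user part
        info = lookup_userinfo(db, row[0])
        if info is not None:
            return info
        current = row[0]
    return None


def dovecot_passdb(db, user):
    """The Dovecot side of the shared table."""
    row = db.execute(DOVECOT_PASSDB, (user,)).fetchone()
    if row is None:
        return None
    return dict(zip(("user", "password", "userdb_uid", "userdb_gid", "userdb_home"), row))


if __name__ == "__main__":
    db = build_db()
    print("serves example.org:", domain_is_served(db, "example.org"))
    print("alice@example.org ->", resolve_recipient(db, "alice@example.org"))
    print("postmaster@example.org ->", resolve_recipient(db, "postmaster@example.org"))
    print("userinfo for bare 'alice':", lookup_userinfo(db, "alice"))
    print("dovecot passdb:", dovecot_passdb(db, "alice@example.org"))
```

The bare-login lookup returning nothing is the failure mode both posts describe: query_userinfo compares against the address with '@' turned into '_', so a plain local part never matches, and only the self-referencing alias row gets a delivery to the right maildir. The alias walk is a simplified model of smtpd's virtual expansion written for this example, not the daemon's own logic.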