Re: unable to send mail from desktop mail client to remote email addresses

2019-10-03 Thread Peter N. M. Hansteen
On Wed, Oct 02, 2019 at 11:33:58PM -0700, Kevin wrote:
> Hi all,
> 
> Having just followed the setup instructions on Gilles HOWTO page here:
> 
> 
> https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/
> 
> 
> ...I'm unable to send mail from my new OpenSMTPD server on OpenBSD 6.6-beta
> (OpenBSD 6.6-beta (GENERIC) #320: Mon Sep 30 21:24:24 MDT 2019); however,
> other deliveries (and mail retrieval) work.
> 
> The pertinent log message looks like this:
> 
> Oct  2 23:21:33 mx smtpd[25067]: bf1c57bab7fcd344 smtp envelope
> evpid=2c41c5fc4a7e6c06 from= to=
> Oct  2 23:21:33 mx smtpd[25067]: bf1c57bab7fcd344 smtp disconnected
> reason=quit
> Oct  2 23:21:38 mx smtpd[25067]: bf1c57b6b057c6ef mta error
> reason=Connection timeout

Connection timeout sounds very much like your machine is not allowed to send 
outgoing mail via SMTP. Check for firewalls and the like.

Also,

[Thu Oct 03 09:24:37] peter@skapet:~$ host example.app
Host example.app not found: 3(NXDOMAIN)
[Thu Oct 03 09:24:43] peter@skapet:~$ host mx.example.app
Host mx.example.app not found: 3(NXDOMAIN)

Among the things you need in order to deliver mail, a valid domain is in 
the top few. I think the basic requirements are indeed listed in the article
(under "Requirements"), please go back and re-read, check that you have
all of those set up properly.

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Report Domain: dotbit.ro Submitter: fastmail.com Report-ID:2018.10.15.155619520

2018-10-16 Thread Peter N. M. Hansteen
To me it looks like the fastmail site sees mail purporting to be from your 
domain
but coming from 212.83.129.132 which is not in your SPF record as an allowed 
sender.

What you could be seeing here is that a mailing list is configured to do 
traditional forwarding
(which breaks with SPF enabled, sorry). I unfortunately see a lot of that.

The other possibility is that what is getting reported is an attempt at a 
joejob or
similar such as sending with a made up user name in hour domain but this report 
like most
DMARC reports disregard local-parts (usernames) so it's hard to tell.

There are ways to configure mailing lists to not trigger SPF/DMARC reports like 
this,
but AFAIK it will need to be done on a per-list basis and for that reason is 
kind of
a hassle for list admins.

- Peter
 
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Re: Reject Senders by IP address - SMTPD

2018-09-28 Thread Peter N. M. Hansteen
On Fri, Sep 28, 2018 at 08:30:55AM +, Antonino Sidoti wrote:
> table shithole file:/etc/mail/blacklist
> 
> The file ‘blacklist’ contain the IP addresses that I wish to block, one per 
> line. I also have added a reject statement to my ‘smtpd.conf’ like so;
> 
> reject from source  for any
> 
> What I notice is that it does not block the IP address and it continues to 
> attempt a connection to the mail server. The IP address in question is 
> showing up in ‘/var/log/maillog’ like so;
> 
> Sep 28 18:22:12 obsd-svr3 smtpd[68949]: b6ab24ef369520cc smtp 
> event=failed-command address=185.xxx.xxx.254 host=185.xxx.xxx.254 
> command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported”
> 
> Any idea why the reject statement does not work? 

Well, the mail does get rejected, doesn't it?

it's possible that a simple pf.conf with a table you block from, fed from the 
file you already have would be the solution
your're looking for. Perhaps supplemented with a spamd(8) setup.

a couple of writeups of mine that you might find useful:

https://bsdly.blogspot.com/2017/04/forcing-password-gropers-through.html
https://bsdly.blogspot.com/2013/05/keep-smiling-waste-spammers-time.html

It's also possible that the enumerated badness from 
https://bsdly.blogspot.com/2018/08/badness-enumerated-by-robots.html could 
usefully supplement your data sources.

All the best,
Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Re: How to deal with spam and opensmtpd

2018-04-19 Thread Peter N. M. Hansteen
On Wed, Apr 18, 2018 at 08:44:19AM +, Mik J wrote:
> I'm using Openbsd and Opensmtpd + Spamd. I have been able to reduce the spam.
> However there are some marketing companies that constantly change their IPs 
> and pass through the greylisting, they really attempt to send the mail 
> (multiple times).
> I looked at bogofilter and it looks nice.However I would like to know if 
> there's a way for opensmtpd to work with bogofilter.So that the mails can be 
> trashed or classified as spam.
> First I read that bogofilter works at the user level, I'd like it to work at 
> the server mail level.
> What other (not spamd and spamassassing) do you use ?

I know you said not spamassassin, but please do take a peek at 
Aaron Poffenberger's BSDCan slides about a working OpenSMTPD setup
with content filtering: 
https://github.com/akpoff/talks/tree/master/slides/2016/bsdcan_2016/2016_smtpd

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Re: Fail2Ban filter for OpenSMTPD

2017-06-17 Thread Peter N. M. Hansteen
On 06/17/17 11:57, mabi wrote:
> Does anyone have a fail2ban filter for OpenSMTPD?
> 
> I would like to block the many many AUTH LOGIN attempts as you can see
> here from the logs:
> 
> Jun 17 11:55:49 gw smtpd[594]: 7eeebcc95623efe1 smtp
> event=failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid
> command: Command not supported"
> Jun 17 11:55:52 gw smtpd[594]: 7eeebcc95623efe1 smtp event=closed
> reason="io-error: Connection reset by peer"

It's been a while since I tried to tweak fail2ban at all but as long as
you're on OpenBSD or some other system with PF, it's fairly trivial to
autoban such silliness via a cron job that greps for the noisemakers and
add them to a table that's already referenced in a block rule.

Examples in the most recent PF tutorial start at
https://home.nuug.no/~peter/pftutorial/#44 and there is a oneliner that
would be an easy starting point for adapting to your needs at the bottom
of https://home.nuug.no/~peter/pftutorial/#46 - that one is taken from a
cron job I run somewhere that will not ever need a wordpress install.

- Peter
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Re: Greylisting

2016-09-12 Thread Peter N. M. Hansteen
On 09/12/16 20:49, Silvio Siefke wrote:
> On Sat, 10 Sep 2016 23:06:54 +0200
> Mischa Peters <open...@high5.nl> wrote:
> 
>> Have a look at spamd.
>> https://www.openbsd.org/spamd/index.html
>>
>> Also runs on non-OpenBSD. 
> 
> Yes spamassassin is running with amavisd-new. 

I think you may be confusing the OpenBSD spamd(8) program described at
that URL with the program that comes with the spamassassin
content-filtering system. They are two distinct and quite different
programs, but it's more than possible for them to co-exist (even on the
same machine if needed, they install to different paths) and they
complement each other quite well in such setups.

Yes, it is kind of unfortunate that two very different programs come
with a binary with the same name, and it has lead to exactly that kind
of confusion at times.

If you're already using spamassassin, that's fine. If you put the
OpenBSD spamd in default greylisting mode in front of spamassassin or
other content filtering, the load on your content filtering will almost
certainly go down significantly.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



signature.asc
Description: OpenPGP digital signature


Re: Question

2015-05-19 Thread Peter N. M. Hansteen
On Tue, May 19, 2015 at 09:10:59AM +0200, Gilles Chehade wrote:
 OpenSMTPD does not support bad rcpt throttling as a specific mechanism
 but supports a more generic bad command throttling where a bad command
 is any command that has not helped moved the session forward.
 
 If you accumulate enough bad commands in a row and that your session has
 not moved forward, you get kicked, which is a hard disconnect.
 See bottom of this mail.
 
 Bad clients can then be blocked with a packet filter (just an example):
 
 pass inet proto tcp from any to any port smtp flags S/SA keep state \
 (max-src-conn 10, max-src-conn-rate 15/5, overload bruteforce 
 flush global)

On OpenBSD at least, it should also be possible to periodically run a script 
that parses smtpd logs
for the IP addresses of misbehaving hosts and calls spamdb(8) to add those to 
spamd(8)'s local
greytrap blacklist. In my setup I have some of that as well as automatic 
harvesting of
bad addresses in the local domains for inclusion in the local traplist (see eg 
[1] and references therein).

Also, for the bruteforce table members, I have accumulated some anecdotal 
evidence that
'block drop from bruteforce probability 90%' may have them shut up faster 
than just your
regular block drop (but further studies and data massaging are required for 
firm conclusions).

[1] http://www.bsdly.net/~peter/traplist.shtml

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Re: pre-queue spam check

2015-04-11 Thread Peter N. M. Hansteen
Joerg Jung m...@umaxx.net writes:

 I also know about spamd, but that is not really an option for now as the
 server speaks v6 and STARTTLS, moreover I have legacy users which AUTH
 on port 25 as well. This does not play well with spamd.

spamd doesn't even attempt smtp auth, but then once the sender is
whitelisted (as a valid sender should be), the problem would go away.

Your regular and valid correspondents would not see spamd at all --
after all spamd is supposed to simply slow down the obvious spambots.

In your scenario (as in most others) it's likely useful to explore the
nospamd option, as in maintain a table of IP addresses or ranges that
are simply never redirected to spamd. It's even in the spamd man page
(first pf.conf ruleset example).

- Peter
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Re: How can I stop this spammer?

2015-02-17 Thread Peter N. M. Hansteen
On Tue, Feb 17, 2015 at 07:39:22AM +, Ultramedia Libertad wrote:
 How can I stop this spammer?, you have filled my /var/log/maillog with your 
 logs
 
 
 Feb 17 01:28:41 hosting-openbsd smtpd[10574]: smtp-out: Connecting to
 smtp+tls://173.194.65.27:25 (ee-in-f27.1e100.net) on session
 9c66add9434290d1...
 Feb 17 01:28:41 hosting-openbsd smtpd[10574]: smtp-out: Connected on
 session 9c66add9434290d1
 Feb 17 01:28:42 hosting-openbsd smtpd[10574]: smtp-out: Started TLS on
 session 9c66add9434290d1: version=TLSv1/SSLv3,
 cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128
 Feb 17 01:28:42 hosting-openbsd smtpd[10574]: smtp-out: Server
 certificate verification succeeded on session 9c66add9434290d1
 Feb 17 01:28:42 hosting-openbsd smtpd[10574]: smtp-in: Failed command
 on session 9c66add4c2fd6a1e: RCPT TO: get3...@yahoo.com.tw = 550
 Invalid recipient

Assuming you're not actually running yahoo.com.tw's mail service and you run on 
a reasonably recent OpenBSD version, you could do worse than try to use 
spamd(8)'s
mechanism for dealing with attempted relay-raping. Some ways down the spamd man 
page 
in the GREYTRAPPING section, you have

 The file /etc/mail/spamd.alloweddomains can be used to specify a list of
 domainname suffixes, one per line, one of which must match each
 destination email address in the greylist.  Any destination address which
 does not match one of the suffixes listed in spamd.alloweddomains will be
 trapped, exactly as if it were sent to a spamtrap address.  Comment lines
 beginning with `#' and empty lines are ignored.

followed by some enlightening examples which contains some strings that have
provoked comment by the so-inclined. TL;DR: list the domains you actually serve,
one per line, any attemtped deliveries to other domains incoming on the 
interface
where spamd listens will be greytrapped (blacklisted, stuttered at). 

It's a very useful addition to your spamd config if you're already using it,
otherwise it's a good starting point. (for more fun  games with spamd and
greytrapping, you can check out my blog - main url in the .signature).

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org