Re: warn: table-proc: pipe closed (Probably mySQL-hassle and a newbie-question)

2020-08-16 Thread Reio Remma

On 16.08.2020 03:15, Fabian Müller wrote:


So what we know: It has something to do with the mysql-tables. What I 
don’t understand is, what opensmtpd is trying to do which leads to 
that error. To my understanding opensmtpd should only try to connect 
to the database if it needs to read from the tables, which – if just 
starting up – obviously is not the case.




IIRC OpenSMTPD opens the connection to MySQL server at startup. Just 
like it opens all other tables at startup.


Anything in MySQL logs? I'm fairly certain it is a connection issue.

Like Edgar recommended, try running smtpd -dv possibly with trace 
enabled as well.


Good luck,
Reio



Re: syslog logging changed ?

2020-06-26 Thread Reio Remma

On 26.06.2020 18:03, Harald Dunkel wrote:

Hi folks,

before 6.7 the smtpd log file entries were easy to find: Just
look for "smtpd" in /var/log/mail.log.

With 6.7 this became "y express". On OpenBSD 6.7 it's still "smtpd"
as expected, so I wonder wth?


Regards
Harri



Unfortunately something has broken since last release.

I was unable to track it down myself:

https://github.com/OpenSMTPD/OpenSMTPD/issues/1059

Good luck!
Reio




OpenSMTPD 6.7.0 issue on CentOS 8.

2020-05-02 Thread Reio Remma

Hello!

I just thought to try out current portable and built an RPM
based on my 6.6.4 RPM, which went fine. However when running
the daemon, syslog messages are broken.

May  2 12:32:13 centos8 smtpd[124028]: info: OpenSMTPD 6.7.0-portable starting
May  2 12:32:50 centos8 journal[124033]: y express[124033]: 6ad20154b7c9470a smtp connected address=local host=centos8

 ^^

Any ideas what might be causing it?

Thanks!
Reio



Re: OpenSMTPd + Dovecot + mlmmj infinite loop while sending messages from localhost to any remote addresses

2020-03-10 Thread Reio Remma

Try running 'smtpd -d -T rules' and see what rule you're hitting.

Or alternatively 'smtpctl trace rules' and look at maillog and later 
turn it off with 'smtpctl untrace rules'.


match auth most likely doesn't work at all if you submit to port 25 
without authentication.


Good luck,
Reio

On 10/03/2020 15:35, Martin wrote:

table reject-subnet file:/etc/mail/reject-subnet (contains 192.168.2.0/24)
table reject-domain file:/etc/mail/reject-domain (contains nothing)
table reject-domain file:/etc/mail/reject-domain-helo (contains nothing)

action "local-aliases" lmtp "/var/dovecot/lmtp" rcpt-to alias 
action "virtual-users" lmtp "/var/dovecot/lmtp" rcpt-to alias 
action "spampd-in" relay host smtp://127.0.0.1:10025
action "dkim-sign" relay host smtp://127.0.0.1:1027
action "outbound" relay src  helo-src 

match from src  for any reject
match from any mail-from  for any reject
match from any helo  for any reject

match from local for local action "local-aliases"
match tag SPAM_IN fro local action "local-aliases"
match from any for domain  action "virtual-users"
match tag SPAM_IN from any for domain  action "virtual-users"

match tag DKIM_OUT for any action "outbound"
match auth from any for any action "outbound"


‐‐‐ Original Message ‐‐‐
On Tuesday, March 10, 2020 1:22 PM, Reio Remma  wrote:


On 10/03/2020 15:18, Martin wrote:


Hello list,
Undefined problem with mail infinite looping if I send messages from mail
server's localhost to any domains outside.
If I sent mail from mail server itself (from localhost) to aliased
addresses and virtuals on the same mail's server domain, all the
messages delivered fine even sent from localhost.
In two sentences:
Sending from localhost to 'remote' addresses > infinite loop
Sending from localhost to 'local' aliases and virtual users > all
works fine
In both ways I'm using Mutt locally on mail server. Mutt connects to
127.0.0.1:25 in clear without any auth.
$ cat /etc/smtpd.conf
...
table aliases db:/etc/mail/aliases.db
table virtuals db:/etc/mail/virtuals.db
listen on lo0 tls pki smtp.domain.tld mask-src no-dsn hostname
 tag SMTP
action "local-aliases" lmtp "/var/dovecot/lmtp" rcpt-to alias 
action "virtual-users" lmtp "/var/dovecot/lmtp" rcpt-to virtual 
action "outbound" relay src  helo-src 
match auth from any for any action "outbound"

What are your other match rules (in correct order)?

Reio





--
Tervitades
Reio Remma

*MR Stuudio OÜ*
Tondi 17b, 11316, Tallinn
Tel +372 650 4808
Mob +372 56 22 00 33
r...@mrstuudio.ee
www.mrstuudio.ee





Re: OpenSMTPd + Dovecot + mlmmj infinite loop while sending messages from localhost to any remote addresses

2020-03-10 Thread Reio Remma

On 10/03/2020 15:18, Martin wrote:

Hello list,

Undefined problem with mail infinite looping if I send messages from mail
server's localhost to any domains outside.

If I sent mail from mail server itself (from localhost) to aliased
addresses and virtuals on the same mail's server domain, all the
messages delivered fine even sent from localhost.

In two sentences:
Sending from localhost to 'remote' addresses > infinite loop
Sending from localhost to 'local' aliases and virtual users > all 
works fine


In both ways I'm using Mutt locally on mail server. Mutt connects to 
127.0.0.1:25 in clear without any auth.


$ cat /etc/smtpd.conf
...
table aliases db:/etc/mail/aliases.db
table virtuals db:/etc/mail/virtuals.db

listen on lo0 tls pki smtp.domain.tld mask-src no-dsn hostname
 tag SMTP

action "local-aliases" lmtp "/var/dovecot/lmtp" rcpt-to alias 
action "virtual-users" lmtp "/var/dovecot/lmtp" rcpt-to virtual 
action "outbound" relay src  helo-src 

match auth from any for any action "outbound"


What are your other match rules (in correct order)?

Reio



Re: OpenSMTPD on CentOS 8.

2020-03-07 Thread Reio Remma
On 7. Mar 2020, at 04:27, Ihor Antonov  wrote:
> 
> On 2020-03-07 02:30, Reio Remma wrote:
>>> On 07.03.2020 0:41, Ihor Antonov wrote:
>>> On 2020-03-06 23:05, Reio Remma wrote:
>>>> Hello!
>>>> 
>>>> I was forced to upgrade our mail server to CentOS 8 (thanks to hardware
>>>> failure on the old machine). I've successfully built an RPM of OpenSMTPD for
>>>> CentOS 8 and it's running nicely, however I've a problem with the global
>>>> crypto policies in CentOS 8.
>>>> 
>>>> Namely the DEFAULT crypto policy disables TLSv1 for OpenSMTPD. Has anyone
>>>> got any experience on how to allow TLSv1 for OpenSMTPD without downgrading
>>>> the whole system from DEFAULT to LEGACY crypto policy?
>>> Just out of curiosity - why do you need TLSv1 on OpenSMTPD? (Especially
>>> since it is considered to be not safe)
>> 
>> Because my thinking is it's better than the plain text the clients fall back
>> to. Or is it not so?
> 
> Good question. Will other smtp servers fall back to plaintext if
> TLSv1.1+ is not available? TLS 1.2 is about 10 years old.. I would not
> force TLSv1.3 yet, but I also really don't want to communicate with
> systems that are so outdated that they don't support TLSv1.2. But that is
> a matter of personal choice probably.

I did have an overly optimistic experiment some time ago where IIRC I 
restricted smtpd to TLSv1.2. Unfortunately that resulted in several mails per 
day from banks, government agencies, etc. being lost. Unfortunately there are a 
lot of outdated set and forget servers out there (like our old qmail setup that 
had TLSv1 as max).

Reio



Re: OpenSMTPD on CentOS 8.

2020-03-06 Thread Reio Remma

On 07.03.2020 0:41, Ihor Antonov wrote:

On 2020-03-06 23:05, Reio Remma wrote:

Hello!

I was forced to upgrade our mail server to CentOS 8 (thanks to hardware
failure on the old machine). I've successfully built an RPM of OpenSMTPD for
CentOS 8 and it's running nicely, however I've a problem with the global
crypto policies in CentOS 8.

Namely the DEFAULT crypto policy disables TLSv1 for OpenSMTPD. Has anyone
got any experience on how to allow TLSv1 for OpenSMTPD without downgrading
the whole system from DEFAULT to LEGACY crypto policy?

Just out of curiosity - why do you need TLSv1 on OpenSMTPD? (Especially
since it is considered to be not safe)


Because my thinking is it's better than the plain text the clients fall 
back to. Or is it not so?


Reio



OpenSMTPD on CentOS 8.

2020-03-06 Thread Reio Remma

Hello!

I was forced to upgrade our mail server to CentOS 8 (thanks to hardware 
failure on the old machine). I've successfully built an RPM of OpenSMTPD 
for CentOS 8 and it's running nicely, however I've a problem with the 
global crypto policies in CentOS 8.


Namely the DEFAULT crypto policy disables TLSv1 for OpenSMTPD. Has 
anyone got any experience on how to allow TLSv1 for OpenSMTPD without 
downgrading the whole system from DEFAULT to LEGACY crypto policy?


OpenSMTPD has "smtp ciphers" directive which does overwrite the global 
ciphers set by the crypto policy, but there doesn't seem to be a way to 
set minimum TLS version for OpenSMTPD.


Any help would be welcome!

Thanks!
Reio



Re: request (privately) for maillog

2020-02-24 Thread Reio Remma

On 24.02.2020 19:41, Peter J. Philipp wrote:

Hi,

I got another "bouncing messages from misc@opensmtpd.org" message.  The
particular message was 4669 that bounced.  Yet I have no record of this in
my maillog, so I suspect a DNS fault.


I received the same message - suspect the problem was on the list side.

Good luck
Reio



Re: 421 errors

2020-02-18 Thread Reio Remma

On 18/02/2020 01:48, Jeff Moskow wrote:

Hi,

I recently replaced an older Linux Postfix server with a new OpenBSD
(6.6) and OpenSMTPD 6.6.0.

Most things are working fine, but email sent to my secondary MX server
never get accepted by my OpenSMTPD server -- they always get a 421 error
that looks like this:

smtp failed-command command="DATA" result="421 try again later"

The secondary MX server is running OpenBSD/postfix and reports message
statuses like this:

(host foo.bar.com[192.168.2.2] said: 421 try again later (in reply to 
end of DATA command))

Does anyone have some suggestions on what I should be looking for/at to
diagnose/fix this problem?

Thanks,
Jeff



Hello!

If possible, try running OpenSMTPD in debug mode: 'smtpd -dv' and see if 
it provides more info.


Other than that, do you maybe have greylisting implemented?

Good luck,
Reio



Re: filter bug?

2020-02-01 Thread Reio Remma

Hello!

The token|session id in v0.4 of the filter protocol were swapped to the 
more sensible session id|token order in v0.5. I believe the docs are 
still being worked on and will apply to the v0.5 protocol.


For example filter-rspamd was recently updated to work with both 
versions, switching the argument order as needed.


Good luck,
Reio

On 01.02.2020 4:18, Edgar Pettijohn wrote:
Not sure if it's a documentation bug or not, but smtpd-filters.7 states
the following:

 For all phases, excepted "data-line", the responses must follow the same
 construct, a message type "filter-result", followed by the unique session
 id, the opaque token, a decision and optional decision-specific
 parameters:

   filter-result|7641df9771b4ed00|1ef1c203cc576e5d|proceed
   filter-result|7641df9771b4ed00|1ef1c203cc576e5d|reject|550 nope

For my filter I had to send:

   filter-result|$token|$sid|proceed

It also shows the following for connect:

 connect: rdns fcrdns src dest
 This request is emitted after connection, before the banner is
 displayed.

I'm only seeing 9 fields though and expected 11.

mail$ uname -a
OpenBSD mail.pettijohn-web.com 6.6 GENERIC#4 amd64

#!/usr/bin/awk -f

# Not thoroughly tested, but if you want to use it pretend there is the ISC
# license here.

# Quote a string as one /bin/sh word. The user name logged from link-auth is
# chosen by the remote client and must not reach the shell unquoted.
function shquote(s) {
    gsub(/'/, "'\\''", s)
    return "'" s "'"
}

function logit(msg) {
    system("logger -p mail.info " shquote(msg))
}

function die(msg) {
    system("logger -p mail.err -s " shquote(msg))

    exit 1
}

BEGIN {
    ARGC = 0
    FS = "|"
    OFS = FS
    version = 0.4
    allowed = 3
    logit("filter-authban: starting...")
}

# Handshake: subscribe to the report events and to the connect filter phase.
"config|ready" == $0 {
    print "register|report|smtp-in|link-connect"
    print "register|report|smtp-in|link-disconnect"
    print "register|report|smtp-in|link-auth"
    print "register|filter|smtp-in|connect"
    print "register|ready"
    fflush()    # smtpd reads stdout through a pipe; do not leave this buffered
    next
}

# Remember the source address of every new session.
"link-connect" == $5 {
    if (NF < 10)
        die("invalid input for link-connect")
    if ($2 != version)
        die("version mismatch")
    sid = $6
    src = $9

    state[sid] = src
}

# Count failed logins per address and ban once the limit is reached.
"link-auth" == $5 {
    if (NF < 8)
        die("invalid input for link-auth")
    if ($2 != version)
        die("version mismatch")
    sid = $6
    user = $7
    result = $8

    if (state[sid]) {
        split(state[sid], ip, ":")
        addr = ip[1]
        if (result == "fail") {
            logit("auth failure for " user " from " addr)
            state[addr] += 1
        }
        if (state[addr] >= allowed)
            banned[addr] = 1
    }
}

"link-disconnect" == $5 {
    if (NF < 6)
        die("invalid input for link-disconnect")
    if ($2 != version)
        die("version mismatch")
    sid = $6

    delete state[sid]
}

# Answer the connect phase; v0.4 wants token before session id.
"connect" == $5 {
    if ($2 != version)
        die("version mismatch")
    sid = $6
    token = $7
    src = $9

    if (banned[src]) {
        logit("rejecting connection from: " src)
        print "filter-result|" token "|" sid "|reject|550 go away"
    } else {
        print "filter-result|" token "|" sid "|proceed"
    }
    fflush()    # the session waits until smtpd has read this answer
}

END {
    logit("filter-authban: stopping...")
}

Thanks,


Edgar
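
The field-order difference discussed in this thread, as an added example (not code from the thread or from OpenSMTPD): a small Python responder that picks the filter-result order from the protocol version on each incoming line. The request layout (session id in field 6, token in field 7) is taken from the awk script above; the function names and the sample lines are made up for this sketch.

```python
"""Version-aware filter-result responder for OpenSMTPD filter lines (added example)."""

# Layout assumed from the awk script in this thread:
# filter|<version>|<timestamp>|<subsystem>|<phase>|<session id>|<token>|<params...>
MIN_FIELDS = 7
SWAP_VERSION = (0, 5)  # from this version on the order is session id|token


def parse_version(text):
    """Turn '0.4' into (0, 4) so versions compare as numbers, not as strings."""
    major, dot, minor = text.partition(".")
    if dot != "." or not (major.isdigit() and minor.isdigit()):
        raise ValueError("bad protocol version: %r" % text)
    return int(major), int(minor)


def parse_filter_line(line):
    """Split one request line; refuse anything that is not a filter request."""
    fields = line.rstrip("\r\n").split("|")
    if len(fields) < MIN_FIELDS or fields[0] != "filter":
        raise ValueError("not a filter request: %r" % line)
    return {
        "version": parse_version(fields[1]),
        "phase": fields[4],
        "sid": fields[5],
        "token": fields[6],
        "params": fields[7:],
    }


def filter_result(request, decision, parameter=None):
    """Build the response line with the id order the requesting smtpd expects."""
    if request["version"] < SWAP_VERSION:
        ids = [request["token"], request["sid"]]   # v0.4: token|session id
    else:
        ids = [request["sid"], request["token"]]   # v0.5: session id|token
    parts = ["filter-result"] + ids + [decision]
    if parameter is not None:
        # One response is one line; a stray newline would start a second one.
        if "\n" in parameter or "\r" in parameter:
            raise ValueError("response parameter must stay on one line")
        parts.append(parameter)
    return "|".join(parts)


def respond(line, decide):
    """decide(request) returns (decision, parameter); parameter may be None."""
    request = parse_filter_line(line)
    decision, parameter = decide(request)
    return filter_result(request, decision, parameter)


# Constructed sample requests; the two ids are the ones quoted from smtpd-filters.7.
SAMPLE_V04 = ("filter|0.4|1580523480.000000|smtp-in|connect|"
              "7641df9771b4ed00|1ef1c203cc576e5d|mail.example.org|192.0.2.10:33174")
SAMPLE_V05 = SAMPLE_V04.replace("filter|0.4|", "filter|0.5|", 1)

if __name__ == "__main__":
    for sample in (SAMPLE_V04, SAMPLE_V05):
        print(respond(sample, lambda request: ("reject", "550 nope")))
```
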







Re: OpenSMTPD 6.6.2p1 released: addresses CRITICAL vulnerability

2020-01-29 Thread Reio Remma

On 29/01/2020 00:30, gil...@poolp.org wrote:

Hello misc@,

Qualys has found a critical vulnerability leading to a possible privilege escalation.

It is very important that you upgrade your setups AS SOON AS POSSIBLE.

We'll provide more details when the advisory will be out and I'll take time to write
about how this bug was made possible, but in the meantime get your setups fixed!



Thanks a lot for the heads up! Updated my CentOS 7 packages.

Thanks,
Reio



Re: Unable to use .forward with snmpd

2019-12-18 Thread Reio Remma

What about perms on the initially generated .forward file?

Reio

On 18.12.2019 19:50, Юрий Иванов wrote:

I've created directory through regular RoundCube web interface.
Base directory:
suser@webmail:~$ ll Maildir/
total 188
drwx------ 13 suser suser  4096 Dec 18 19:42 ./
drwxr-xr-x  6 suser suser  4096 Dec 18 09:07 ../
drwx------  5 suser suser  4096 Dec 18 16:37 .Drafts/
drwx------  5 suser suser  4096 Dec 18 19:41 .Sent/
...
drwx------  2 suser suser 12288 Dec 18 19:41 cur/
-rw-------  1 suser suser  3311 Dec 18 19:38 dovecot-uidlist
-rw-------  1 suser suser     8 Dec 17 09:42 dovecot-uidvalidity
-r--r--r--  1 suser suser     0 Dec 10 11:43 dovecot-uidvalidity.5def68bc
-rw-------  1 suser suser  1608 Dec 18 19:37 dovecot.index
...
-rw-------  1 suser suser   192 Dec 17 09:42 dovecot.mailbox.log
drwx------  2 suser suser  4096 Dec 18 18:01 new/
-rw-------  1 suser suser    53 Dec 17 09:42 subscriptions
drwx------  2 suser suser  4096 Dec 18 18:00 tmp/

Admin dir, that was created via roundcube web interface:
suser@webmail:~$ ll Maildir/.admin/
total 32
drwx------  5 suser suser 4096 Dec 16 19:26 ./
drwx------ 13 suser suser 4096 Dec 18 19:42 ../
drwx------  2 suser suser 4096 Dec 16 19:26 cur/
-rw-------  1 suser suser   51 Dec 16 19:26 dovecot-uidlist
...

suser@webmail:~$ ll Maildir/.admin/cur/
total 8
drwx------ 2 suser suser 4096 Dec 16 19:26 ./
drwx------ 5 suser suser 4096 Dec 16 19:26 ../

Normal home directory:
suser@webmail:~$ ll
total 256
drwxr-xr-x  6 suser suser   4096 Dec 18 09:07 ./
drwxr-xr-x 51 root  root    4096 Dec 17 14:36 ../
-rw-------  1 suser suser    875 Dec 16 20:24 .bash_history
-rw-r--r--  1 suser suser    220 Dec 10 08:46 .bash_logout
-rw-r--r--  1 suser suser   3771 Dec 10 08:46 .bashrc
drwx------  2 suser suser   4096 Dec 10 09:15 .cache/
drwx------  3 suser suser   4096 Dec 10 09:15 .gnupg/
-rw-r--r--  1 suser suser    807 Dec 10 08:46 .profile
-rw-r--r--  1 suser suser      0 Dec 10 09:25 .sudo_as_admin_successful
-rw-------  1 root  root    1129 Dec 11 09:42 .viminfo
drwx------ 13 suser suser   4096 Dec 18 19:42 Maildir/

*From:* Edgar Pettijohn 
*Sent:* 18 December 2019, 19:28
*To:* misc@opensmtpd.org ; Юрий Иванов 
*Subject:* Re: Unable to use .forward with snmpd


On Dec 18, 2019 8:47 AM, Юрий Иванов  wrote:
>
> Hi, I'm using snmpd with roundcube.
>
> After creating .forward file I apply chmod 400 .forward, so no errors in my mail.err log.
> Default permissions leads to generating warn in logs:
> smtpd[6275]: warn: smtpd: /home/suser/.forward: unsecure file
>
> Content is more or less default:
>
> ad...@mydomain.com        # anything after # is ignored
> "|/home/suser/Maildir/.admin/new/"
>
> As the result my mail is not working:
>
> Dec 18 12:54:33 webmail smtpd[6279]:  mda event=delivery evpid=3b98bdcf411c5f9a from= to= user=suser method=mda delay=3h48m10s result=TempFail stat=Error ("/bin/sh: 1: /home/suser/Maildir/.admin/new/: Permission denied")

What are the permissions for the directory you are forwarding to?

> Thanks in advance





Re: How to display ip address in syslog on linux?

2019-12-01 Thread Reio Remma

On 01.12.2019 1:46, Demetri A. Mkobaranov wrote:

On 11/30/19 6:56 PM, Reio Remma wrote:


I made a filter for myself to log failed auth attempts with IP to use 
in fail2ban.

do you mean a fail2ban filter?



It's a reporter filter in OpenSMTPD that gathers IP addresses for failed 
auth and then writes them to maillog:


Nov 27 01:02:26 host smtpd[29787]: auth-reporter: failed authentication 
from user=username address=113.172.130.229 host=static.vnpt.vn


Fail2ban takes it from there.




Re: How to display ip address in syslog on linux?

2019-11-30 Thread Reio Remma

On 30.11.2019 18:50, Demetri A. Mkobaranov wrote:

Hello,

I'm trying to write a fail2ban filter for v.0.6.0.2 running on Debian 
10 but I don't see the ip address of the client displayed in syslog.


smtpctl log verbose doesn't help.

This is all I get:

Nov 30 16:48:29 dctl smtpd[9063]: 9ecee3c84e91538d smtp 
event=authentication user=i...@example.com result=permfail
Nov 30 16:48:30 dctl smtpd[9063]: smtp-in: Failed command on session 
9ecee3c84e91538d: "AUTH PLAIN (...)" => 535 Authentication failed


Is there any way to force smtpd to log the ip address of the client?


I made a filter for myself to log failed auth attempts with IP to use in 
fail2ban.


Good luck,
Reio
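
The default log lines quoted in this thread carry a session id but no client address; the address is on the connect line of the same session. As an added example (not Reio's filter and not OpenSMTPD code), this Python sketch joins the two by session id and counts permanent failures per address. The log lines are constructed, and the connect and close wording is an assumption.

```python
"""Join smtpd authentication failures to client addresses by session id (added example)."""
import re
from collections import Counter

# Anchored on the syslog prefix, so text inside a client-chosen user name can
# never be read as the start of another record.
PREFIX = (r"^\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ smtpd\[\d+\]: "
          r"(?P<sid>[0-9a-f]{16}) smtp ")
# Assumption: "event=" is optional so both wordings seen on this page match.
CONNECT_RE = re.compile(
    PREFIX + r"(?:event=)?connected address=(?P<addr>\S+) host=(?P<host>\S+)")
# Greedy user field and "$": only the last " result=" on the line is trusted.
AUTH_RE = re.compile(
    PREFIX + r"(?:event=)?authentication user=(?P<user>.*) result=(?P<result>\S+)$")
# Assumption: a session ends with "event=closed" or "disconnected".
CLOSED_RE = re.compile(PREFIX + r"(?:event=closed|disconnected)\b")


def failed_auth_by_address(lines):
    """Return (Counter address -> permfail count, failures without a known session)."""
    sessions = {}          # session id -> client address
    failures = Counter()
    unmatched = 0
    for line in lines:
        line = line.rstrip("\r\n")
        m = CONNECT_RE.match(line)
        if m:
            sessions[m.group("sid")] = m.group("addr")
            continue
        m = AUTH_RE.match(line)
        if m:
            if m.group("result") != "permfail":
                continue
            addr = sessions.get(m.group("sid"))
            if addr is None:
                unmatched += 1            # connect line rotated away or lost
            elif addr != "local":         # local socket, nothing to ban
                failures[addr] += 1
            continue
        m = CLOSED_RE.match(line)
        if m:
            sessions.pop(m.group("sid"), None)
    return failures, unmatched


def offenders(lines, threshold=3):
    """Addresses with at least `threshold` permanent authentication failures."""
    failures, _ = failed_auth_by_address(lines)
    return sorted(addr for addr, count in failures.items() if count >= threshold)


# Constructed log lines (documentation addresses, made-up session ids).
SAMPLE_LOG = """\
Nov 30 16:48:27 dctl smtpd[9063]: 9ecee3c84e91538d smtp event=connected address=203.0.113.7 host=203.0.113.7
Nov 30 16:48:29 dctl smtpd[9063]: 9ecee3c84e91538d smtp event=authentication user=info@example.com result=permfail
Nov 30 16:48:30 dctl smtpd[9063]: smtp-in: Failed command on session 9ecee3c84e91538d: "AUTH PLAIN (...)" => 535 Authentication failed
Nov 30 16:48:31 dctl smtpd[9063]: 9ecee3c84e91538d smtp event=authentication user=x result=ok result=permfail
Nov 30 16:48:32 dctl smtpd[9063]: 9ecee3c84e91538d smtp event=closed reason=quit
Nov 30 16:49:02 dctl smtpd[9063]: 1f2e3d4c5b6a7988 smtp event=connected address=203.0.113.7 host=203.0.113.7
Nov 30 16:49:03 dctl smtpd[9063]: 1f2e3d4c5b6a7988 smtp event=authentication user=admin result=permfail
Nov 30 16:49:10 dctl smtpd[9063]: 0a1b2c3d4e5f6071 smtp event=connected address=198.51.100.9 host=mx.example.net
Nov 30 16:49:11 dctl smtpd[9063]: 0a1b2c3d4e5f6071 smtp event=authentication user=alice result=ok
Nov 30 16:49:20 dctl smtpd[9063]: 6ad20154b7c9470a smtp event=connected address=local host=dctl
Nov 30 16:49:21 dctl smtpd[9063]: 6ad20154b7c9470a smtp event=authentication user=bob result=permfail
Nov 30 16:49:30 dctl smtpd[9063]: 7777777777777777 smtp event=authentication user=carol result=permfail
""".splitlines()

if __name__ == "__main__":
    counts, lost = failed_auth_by_address(SAMPLE_LOG)
    print(dict(counts), "unmatched:", lost, "offenders:", offenders(SAMPLE_LOG))
```
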



Re: Mailing list expansion problem.

2019-11-01 Thread Reio Remma

On 02.11.2019 0:41, Reio Remma wrote:

On 31.10.2019 10:06, gil...@poolp.org wrote:

October 26, 2019 1:23 PM, "Reio Remma"  wrote:


On 26/10/2019 14:18, Reio Remma wrote:


On the subject of catch all aliases, I tried adding one to my setup with odd
results.

My usual setup with virtual users:

action deliver_lmtp lmtp "/var/run/dovecot/lmtp" rcpt-to virtual  userbase 

match from any for domain  rcpt-to  action deliver_lmtp

To get catch all working, I had to remove rcpt-to  from the match:

match from any for domain  action deliver_lmtp

Otherwise the response was: 550 Invalid recipient:

Once I removed the actual catch all alias and sent mail to a non-existent
account, the usual:

550 Invalid recipient:

turned into:

524 5.2.4 Mailing list expansion problem:

Any ideas how I could use a catch all alias _and_ get a proper 550 Invalid
recipient if I don't?

This is all with the current (v6.6) portable from a week ago or so.

This error occurs when aliases expansion encounters an error during its 
processing,
there's not enough info here to understand what happened in the expansion loop:

- it is likely a table content issue either in virtuals or in userinfo table or 
both
- using `smtpd -dv -T expand` will help you understand what went wrong during 
expansion

Gilles


A couple of hours reading code and I'm fairly certain catchall aliases 
don't work at all with database backends.


Mailaddr lookups from static tables use mailaddr_match to compare 
address parts with catchall aliases, but table-mysql for example 
doesn't do any extra work.


expand: 0x23b6628: expand_insert() called for address:du...@domain.com[parent=(nil), rule=(nil)]
expand: 0x23b6628: inserted node 0x23b8320
expand: lka_expand: address: du...@domain.com [depth=0]
lookup: match "209.85.167.41" as NETADDR in table static: -> true
lookup: match "domain.com" as DOMAIN in table static: -> true
lookup: match "sen...@gmail.com" as MAILADDR in table proc:blacklist -> false
lookup: match "209.85.167.41" as NETADDR in table static: -> true
lookup: match "domain.com" as DOMAIN in table proc:domains -> true
lookup: match "du...@domain.com" as MAILADDR in table proc:recipients -> false
lookup: match "209.85.167.41" as NETADDR in table static: -> false
lookup: match "209.85.167.41" as NETADDR in table static: -> true
lookup: match "domain.com" as DOMAIN in table static: -> true
lookup: match "209.85.167.41" as NETADDR in table static: -> false
lookup: match "209.85.167.41" as NETADDR in table static:sources -> false
no rule matched

The only query I see in the query log is trying to match the full 
recipient address:


SELECT mailaddr FROM virtuals WHERE mailaddr = 'du...@domain.com'

This works:

match from any for domain  rcpt-to {'@domain.com', ... } action deliver

This doesn't:

match from any for domain  rcpt-to  action deliver




Re: Mailing list expansion problem.

2019-11-01 Thread Reio Remma

On 31.10.2019 10:06, gil...@poolp.org wrote:

October 26, 2019 1:23 PM, "Reio Remma"  wrote:


On 26/10/2019 14:18, Reio Remma wrote:


On the subject of catch all aliases, I tried adding one to my setup with odd
results.

My usual setup with virtual users:

action deliver_lmtp lmtp "/var/run/dovecot/lmtp" rcpt-to virtual  userbase 

match from any for domain  rcpt-to  action deliver_lmtp

To get catch all working, I had to remove rcpt-to  from the match:

match from any for domain  action deliver_lmtp

Otherwise the response was: 550 Invalid recipient: 

Once I removed the actual catch all alias and sent mail to a non-existent
account, the usual:

550 Invalid recipient: 

turned into:

524 5.2.4 Mailing list expansion problem: 

Any ideas how I could use a catch all alias _and_ get a proper 550 Invalid
recipient if I don't?

This is all with the current (v6.6) portable from a week ago or so.


This error occurs when aliases expansion encounters an error during its 
processing,
there's not enough info here to understand what happened in the expansion loop:

- it is likely a table content issue either in virtuals or in userinfo table or 
both
- using `smtpd -dv -T expand` will help you understand what went wrong during 
expansion

Gilles


A couple of hours reading code and I'm fairly certain catchall aliases 
don't work at all with database backends.


Mailaddr lookups from static tables use mailaddr_match to compare 
address parts with catchall aliases, but table-mysql for example doesn't 
do any extra work.


Reio


Re: Announce: OpenSMTPD 6.6.0 released

2019-10-26 Thread Reio Remma

On 26.10.2019 16:18, Gilles Chehade wrote:

OpenSMTPD 6.6.0 has just been released.

OpenSMTPD is a FREE implementation of the SMTP protocol with some common
extensions. It allows ordinary machines to exchange e-mails with systems
speaking the SMTP protocol. It implements a fairly large part of RFC5321
and can already cover a large range of use-cases.

It runs on OpenBSD, NetBSD, FreeBSD, DragonFlyBSD and glibc-based Linux.


If anyone on CentOS 7 wants to give it a go, I've uploaded a fresh 
CentOS 7 RPM here:


https://github.com/whataboutpereira/OpenSMTPD/releases

It's built statically against OpenSSL 1.1.1d and therefore supports TLS 
v1.3.


Good luck,
Reio



Re: Mailing list expansion problem.

2019-10-26 Thread Reio Remma

On 26/10/2019 14:18, Reio Remma wrote:
On the subject of catch all aliases, I tried adding one to my setup 
with odd results.


My usual setup with virtual users:

action deliver_lmtp lmtp "/var/run/dovecot/lmtp" rcpt-to virtual 
 userbase 


match from any for domain  rcpt-to  action 
deliver_lmtp


To get catch all working, I had to remove rcpt-to  from 
the match:


match from any for domain  action deliver_lmtp

Otherwise the response was: 550 Invalid recipient: 

Once I removed the actual catch all alias and sent mail to a 
non-existent account, the usual:


550 Invalid recipient: 

turned into:

524 5.2.4 Mailing list expansion problem: 

Any ideas how I could use a catch all alias _and_ get a proper 550 
Invalid recipient if I don't? 


This is all with the current (v6.6) portable from a week ago or so.



Mailing list expansion problem.

2019-10-26 Thread Reio Remma
On the subject of catch all aliases, I tried adding one to my setup with 
odd results.


My usual setup with virtual users:

action deliver_lmtp lmtp "/var/run/dovecot/lmtp" rcpt-to virtual 
 userbase 


match from any for domain  rcpt-to  action deliver_lmtp

To get catch all working, I had to remove rcpt-to  from the 
match:


match from any for domain  action deliver_lmtp

Otherwise the response was: 550 Invalid recipient: 

Once I removed the actual catch all alias and sent mail to a non-existent 
account, the usual:


550 Invalid recipient: 

turned into:

524 5.2.4 Mailing list expansion problem: 

Any ideas how I could use a catch all alias _and_ get a proper 550 
Invalid recipient if I don't?


Thanks,
Reio




Re: Accept mail for all recipients

2019-10-26 Thread Reio Remma

On 26/10/2019 13:35, Sergey Seacher wrote:

Hello!

How can I make, opensmtpd accept mail for all recipients: that are 
present in the file /etc/opensmtpd/aliases and that are not present?

I had the rule in my /etc/opensmtpd/smtpd.conf file:

accept \
   from any \
   for domain domain.ltd alias  \
   deliver to lmtp "/run/dovecot/lmtp" rcpt-to

I have changed this rule to:

accept \
   from any \
   for domain domain.ltd \
   deliver to lmtp "/run/dovecot/lmtp" rcpt-to

Now, if I send to any recipient in my domain, for example 
rggg...@domain.ltd, I receive error 550, but I need mail to be deliver 
to i...@domain.ltd


Do you mean a catch all alias? Try adding to your aliases file:

@domain.ltd i...@domain.ltd

And re-add alias  to your accept rule.

Good luck,
Reio


Re: Portable buildung issues

2019-10-22 Thread Reio Remma

Looks suspiciously like this.

https://github.com/OpenSMTPD/OpenSMTPD/issues/944

Good luck,
Reio

On 22/10/2019 14:45, gil...@poolp.org wrote:

we really really really need more details, I have no idea what system that is 
:-)

October 22, 2019 1:38 PM, "John Smith"  wrote:


Hello,

cloned today, I am having problems building smtpd. After configure:

/data/git/opensmtp # make
make all-recursive
make[1]: Entering directory '/data/git/opensmtp'
Making all in openbsd-compat
make[2]: Entering directory '/data/git/opensmtp/openbsd-compat'
gcc -DHAVE_CONFIG_H -I. -I.. -I../smtpd -I../openbsd-compat -I../openbsd-compat/err_h -I/usr/include -march=skylake -fomit-frame-pointer -O2 -pipe -fPIC -DPIC -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset -fPIE -D_BSD_SOURCE -D_DEFAULT_SOURCE -c -o arc4random.o arc4random.c
arc4random.c:167:21: error: macro "arc4random_stir" passed 1 arguments, but takes just 0
arc4random_stir(void)
^
arc4random.c:168:1: error: expected '=', ',', ';', 'asm' or '__attribute__' before '{' token
{
^
make[2]: *** [Makefile:445: arc4random.o] Error 1
make[2]: Leaving directory '/data/git/opensmtp/openbsd-compat'
make[1]: *** [Makefile:418: all-recursive] Error 1
make[1]: Leaving directory '/data/git/opensmtp'
make: *** [Makefile:350: all] Error 2

Any idea what I might be missing? As I have a rather minimal system, some 
package may be lacking.
Any further details that are needed?

Thanks

Ede





Re: upcoming 6.6.0 release

2019-10-18 Thread Reio Remma

On 18/10/2019 10:40, Reio Remma wrote:

On 17/10/2019 14:20, gil...@poolp.org wrote:

Hello misc@,

As some have noticed, the 6.6.0 tag was created on Github to match 
the code from smtpd in OpenBSD 6.6.


A portable branch, branch-6.6.0p1, has been forked from there and can 
be used to test the matching portable version:


 https://github.com/OpenSMTPD/OpenSMTPD/tree/branch-6.6.0p1


I have not tagged 6.6.0p1 yet because there's still some time and I 
want to gain confidence that it works for most systems and 
distributions we have supported so far.


Note that:

- this release will depend on either LibreSSL 3.0.x or OpenSSL 1.1.x
- musl-based distros may have issues at this point, they are being 
tracked down, musl is not a showstopper for me as we have had issues 
in previous releases too but if we can track down the problem I'd be 
happy (unsuccessful so far)


I _really_ need help on testing this as I had unexpected hand surgery 
and doing the tests myself is extremely long.


Please report as a follow up to this mail what you did test,

Thanks,
Gilles



Once I chewed through it, SRS works nicely. Running on CentOS 7. I've 
been running 6.6 current for a while now without problems. 


And this is with OpenSSL 1.1.1d statically compiled into OpenSMTPD 
communicating nicely with TLSv1.3.


With GMail servers, that is. :)

Reio



Re: upcoming 6.6.0 release

2019-10-18 Thread Reio Remma

On 17/10/2019 14:20, gil...@poolp.org wrote:

Hello misc@,

As some have noticed, the 6.6.0 tag was created on Github to match the code 
from smtpd in OpenBSD 6.6.

A portable branch, branch-6.6.0p1, has been forked from there and can be used 
to test the matching portable version:

 https://github.com/OpenSMTPD/OpenSMTPD/tree/branch-6.6.0p1


I have not tagged 6.6.0p1 yet because there's still some time and I want to 
gain confidence that it works for most systems and distributions we have 
supported so far.

Note that:

- this release will depend on either LibreSSL 3.0.x or OpenSSL 1.1.x
- musl-based distros may have issues at this point, they are being tracked 
down, musl is not a showstopper for me as we have had issues in previous 
releases too but if we can track down the problem I'd be happy (unsuccessful so 
far)

I _really_ need help on testing this as I had unexpected hand surgery and doing 
the tests myself is extremely long.

Please report as a follow up to this mail what you did test,

Thanks,
Gilles



Once I chewed through it, SRS works nicely. Running on CentOS 7. I've 
been running 6.6 current for a while now without problems.


Reio



Re: upcoming 6.6.0 release

2019-10-17 Thread Reio Remma

On 17/10/2019 15:06, Gilles Chehade wrote:

On Thu, Oct 17, 2019 at 02:54:26PM +0300, Reio Remma wrote:

On 17/10/2019 14:20, gil...@poolp.org wrote:

Hello misc@,

As some have noticed, the 6.6.0 tag was created on Github to match the code 
from smtpd in OpenBSD 6.6.

A portable branch, branch-6.6.0p1, has been forked from there and can be used 
to test the matching portable version:

  https://github.com/OpenSMTPD/OpenSMTPD/tree/branch-6.6.0p1


I have not tagged 6.6.0p1 yet because there's still some time and I want to 
gain confidence that it works for most systems and distributions we have 
supported so far.

Note that:

- this release will depend on either LibreSSL 3.0.x or OpenSSL 1.1.x
- musl-based distros may have issues at this point, they are being tracked 
down, musl is not a showstopper for me as we have had issues in previous 
releases too but if we can track down the problem I'd be happy (unsuccessful so 
far)

I _really_ need help on testing this as I had unexpected hand surgery and doing 
the tests myself is extremely long.

Please report as a follow up to this mail what you did test,



Hello! Do you have any pointers as to what an SRS key should look like?


just make it something hard to guess :-)



So it's just a few random letters? Reading "key" I always think of some 
kind of a hash. :)


Reio




Re: upcoming 6.6.0 release

2019-10-17 Thread Reio Remma

On 17/10/2019 14:20, gil...@poolp.org wrote:

Hello misc@,

As some have noticed, the 6.6.0 tag was created on Github to match the code 
from smtpd in OpenBSD 6.6.

A portable branch, branch-6.6.0p1, has been forked from there and can be used 
to test the matching portable version:

 https://github.com/OpenSMTPD/OpenSMTPD/tree/branch-6.6.0p1


I have not tagged 6.6.0p1 yet because there's still some time and I want to 
gain confidence that it works for most systems and distributions we have 
supported so far.

Note that:

- this release will depend on either LibreSSL 3.0.x or OpenSSL 1.1.x
- musl-based distros may have issues at this point, they are being tracked 
down, musl is not a showstopper for me as we have had issues in previous 
releases too but if we can track down the problem I'd be happy (unsuccessful so 
far)

I _really_ need help on testing this as I had unexpected hand surgery and doing 
the tests myself is extremely long.

Please report as a follow up to this mail what you did test,




Hello! Do you have any pointers as to what an SRS key should look like?

Thanks,
Reio



Re: filter-rspamd DKIM checks failing intermittently.

2019-10-16 Thread Reio Remma

So it wasn't line breaks after all.

It turned out that OpenSMTPD passes raw SMTP data lines to filters and 
raw SMTP lines have leading dot characters escaped by another dot, so 
.text became ..text. Feeding it to Rspamd like that made DKIM alignment 
tests fail, because body hash came out wrong.


A pull request has been submitted with a fix.

This now seems to be a problem with Rspamd:

arc=reject (signature check failed: fail, {[1] = sig:google.com:reject});

Good luck,
Reio

On 13.10.2019 17:43, Reio Remma wrote:

Things seem to have gotten worse on Google Groups front though:

ARC-Authentication-Results: i=3;
orc.mrstuudio.ee;
dkim=pass header.d=googlegroups.com header.s=20161025 header.b=HBqGik0B;
dkim=pass header.d=gmail.com header.s=20161025 header.b=PGhHBIgC;
arc=reject (signature check failed: fail, {[1] = 
sig:google.com:reject});
dmarc=pass (policy=none) header.from=gmail.com;
spf=pass (orc.mrstuudio.ee: domain of hel...@googlegroups.com 
designates 209.85.215.186 as permitted sender) 
smtp.mailfrom=hel...@googlegroups.com
Authentication-Results: orc.mrstuudio.ee;
dkim=pass header.d=googlegroups.com header.s=20161025 header.b=HBqGik0B;
dkim=pass header.d=gmail.com header.s=20161025 header.b=PGhHBIgC;
dmarc=pass (policy=none) header.from=gmail.com;
spf=pass (orc.mrstuudio.ee: domain of hel...@googlegroups.com 
designates 209.85.215.186 as permitted sender) 
smtp.mailfrom=hel...@googlegroups.com

---

ARC-Authentication-Results: i=3;
orc.mrstuudio.ee;
dkim=fail (body hash did not verify) header.d=googlegroups.com 
header.s=20161025 header.b=Q/j34gd1;
dkim=fail (body hash did not verify) header.d=gmail.com 
header.s=20161025 header.b=pPw7LbVC;
spf=pass (orc.mrstuudio.ee: domain of hel...@googlegroups.com 
designates 209.85.222.184 as permitted sender) 
smtp.mailfrom=hel...@googlegroups.com;
arc=reject (signature check failed: fail, {[1] = sig:google.com:reject})
Authentication-Results: orc.mrstuudio.ee;
dkim=fail (body hash did not verify) header.d=googlegroups.com 
header.s=20161025 header.b=Q/j34gd1;
dkim=fail (body hash did not verify) header.d=gmail.com 
header.s=20161025 header.b=pPw7LbVC;
dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com 
(policy=none);
spf=pass (orc.mrstuudio.ee: domain of hel...@googlegroups.com 
designates 209.85.222.184 as permitted sender) 
smtp.mailfrom=hel...@googlegroups.com

On 13.10.2019 16:37, Reio Remma wrote:

So far there's a marked improvement!
Waiting for a FB notification now - asked the wife to message me. :P

Authentication-Results: host.domain.com;
dkim=fail (body hash did not verify) header.d=gmail.com 
header.s=20161025 header.b=SLB9Imr3;
dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com 
(policy=none);
spf=pass (host.domain.com: domain of m...@opensmtpd.org designates 
45.76.46.201 as permitted sender) smtp.mailfrom=misc@opensmtpd.org
Authentication-Results: host.domain.com;
dkim=pass header.d=gmail.com header.s=20161025 header.b=ot9QqpYS;
dmarc=pass (policy=none) header.from=gmail.com;
spf=pass (host.domain.com: domain of m...@opensmtpd.org designates 
45.76.46.201 as permitted sender) smtp.mailfrom=misc@opensmtpd.org
---

Authentication-Results: host.domain.com;
dkim=fail (body hash did not verify) header.d=gmail.com 
header.s=20161025 header.b=SLB9Imr3;
dmarc=pass (policy=none) header.from=gmail.com;
spf=pass (host.domain.com: domain of gil...@gmail.com designates 
209.85.128.45 as permitted sender) smtp.mailfrom=gil...@gmail.com
Authentication-Results: host.domain.com;
dkim=pass header.d=gmail.com header.s=20161025 header.b=ot9QqpYS;
dmarc=pass (policy=none) header.from=gmail.com;
spf=pass (host.domain.com: domain of gil...@gmail.com designates 
209.85.128.42 as permitted sender) smtp.mailfrom=gil...@gmail.com

On 13.10.2019 16:27, Reio Remma wrote:

Just restarted my daemon with the modified filter. :)

Will have to get someone message me at FB now.

On 13.10.2019 16:22, Gilles Chehade wrote:

Very likely yes, can you give it a try ?

On Sun, Oct 13, 2019, 15:15 Reio Remma <r...@mrstuudio.ee> wrote:


    On 13.10.2019 16:09, Reio Remma wrote:

On 13.10.2019 16:05, Gilles Chehade wrote:

I don't think that is the issue, it is probably the
filter-rspamd reconstruction of the message that is incorrect.


I was thinking along the same lines, but I'm not sure how
OpenSMTPD splits strings before passing them to the filter.
Can the filter then extract "leftover" line endings for
incoming strings and make decision based on that when joining
the strings before Rspamd?

Do you experience the same yourself?


strings.NewReader(strings.Join(s.tx.message, "\n"))

Wonder if we should u
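
The dot-stuffing effect described in the message above, as an added Go example (not code from the post or from filter-rspamd): it reverses SMTP transparency on the data lines a filter receives and shows that the DKIM body hash (SHA-256, "simple" canonicalization) only matches the sender's once the extra dots are removed. The sample lines and all function names are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// wireLines is a constructed sample of the data lines a filter sees for one
// message: SMTP transparency has doubled every leading dot, and a lone "."
// terminates the data.
var wireLines = []string{
	"From: sender@example.org",
	"Subject: dot-stuffing demo",
	"",
	"Hello,",
	"..text was written as .text by the sender",
	"....and this line started with three dots",
	"bye",
	".",
}

// sentBody is the body exactly as the sender composed and signed it.
var sentBody = []string{
	"Hello,",
	".text was written as .text by the sender",
	"...and this line started with three dots",
	"bye",
}

// reassemble stops at the end-of-data marker and strips the one extra
// leading dot that the SMTP client added to any line starting with ".".
func reassemble(lines []string) []string {
	out := make([]string, 0, len(lines))
	for _, l := range lines {
		if l == "." { // end of data, not part of the message
			break
		}
		if strings.HasPrefix(l, ".") {
			l = l[1:]
		}
		out = append(out, l)
	}
	return out
}

// bodyOf returns the lines after the first empty line (header/body separator).
func bodyOf(msg []string) []string {
	for i, l := range msg {
		if l == "" {
			return msg[i+1:]
		}
	}
	return nil
}

// bodyHash computes the value a DKIM verifier compares with "bh=" for
// SHA-256 and "simple" body canonicalization: lines are CRLF-terminated and
// trailing empty lines collapse, so an empty body hashes as a single CRLF.
func bodyHash(body []string) string {
	for len(body) > 0 && body[len(body)-1] == "" {
		body = body[:len(body)-1]
	}
	canon := strings.Join(body, "\r\n") + "\r\n"
	sum := sha256.Sum256([]byte(canon))
	return base64.StdEncoding.EncodeToString(sum[:])
}

func main() {
	signed := bodyHash(sentBody)
	// Raw lines with only the terminator dropped: dots are still doubled.
	raw := bodyHash(bodyOf(wireLines[:len(wireLines)-1]))
	fixed := bodyHash(bodyOf(reassemble(wireLines)))
	fmt.Println("bh as signed by sender:", signed)
	fmt.Println("bh from raw data lines:", raw, "match:", raw == signed)
	fmt.Println("bh after unstuffing:   ", fixed, "match:", fixed == signed)
}
```
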

Re: Problem using senders table in listen directive

2019-10-14 Thread Reio Remma

I just tested with MySQL and the result is the same.

smtpd -dv -T lookup yielded:

de334c3363d95880 smtp authentication user=u...@host.com result=ok
debug: smtp: SIZE in MAIL FROM command
debug: lka: mailaddrmap senderalias:u...@host.com
lookup: lookup "u...@host.com" as MAILADDRMAP in table proc:senderalias 
-> error: No such file or directory

warn: failure during mailaddrmap lookup senderalias:u...@host.com

Preceded by:

senderalias[36753]: debug: (re)connecting
senderalias[36753]: debug: connected

So the table is loaded but it tries to look up from a file maybe?

Good luck,
Reio

On 14/10/2019 13:32, y38...@protonmail.com wrote:

Hello Giovanni,

I just gave it a try. The order of the operands of the LIKE operator doesn't 
make any difference. I just tested it manually against my sqlite database. The 
returned results are identical.

Greetings,
   Michael

‐‐‐ Original Message ‐‐‐
On Monday, October 14, 2019 9:15 AM, Giovanni Bechis wrote:


On 10/12/19 4:46 PM, y38...@protonmail.com wrote:


SELECT (username||'@'||domain) FROM users WHERE ? LIKE mailbox

I think it should read
SELECT (username||'@'||domain) FROM users WHERE mailbox LIKE ?
typo or error ?

Giovanni





Re: filter-rspamd DKIM checks failing intermittently.

2019-10-13 Thread Reio Remma

Things seem to have gotten worse on Google Groups front though:

ARC-Authentication-Results: i=3;
orc.mrstuudio.ee;
dkim=pass header.d=googlegroups.com header.s=20161025 header.b=HBqGik0B;
dkim=pass header.d=gmail.com header.s=20161025 header.b=PGhHBIgC;
arc=reject (signature check failed: fail, {[1] = 
sig:google.com:reject});
dmarc=pass (policy=none) header.from=gmail.com;
spf=pass (orc.mrstuudio.ee: domain of hel...@googlegroups.com 
designates 209.85.215.186 as permitted sender) 
smtp.mailfrom=hel...@googlegroups.com
Authentication-Results: orc.mrstuudio.ee;
dkim=pass header.d=googlegroups.com header.s=20161025 header.b=HBqGik0B;
dkim=pass header.d=gmail.com header.s=20161025 header.b=PGhHBIgC;
dmarc=pass (policy=none) header.from=gmail.com;
spf=pass (orc.mrstuudio.ee: domain of hel...@googlegroups.com 
designates 209.85.215.186 as permitted sender) 
smtp.mailfrom=hel...@googlegroups.com

---

ARC-Authentication-Results: i=3;
orc.mrstuudio.ee;
dkim=fail (body hash did not verify) header.d=googlegroups.com 
header.s=20161025 header.b=Q/j34gd1;
dkim=fail (body hash did not verify) header.d=gmail.com 
header.s=20161025 header.b=pPw7LbVC;
spf=pass (orc.mrstuudio.ee: domain of hel...@googlegroups.com 
designates 209.85.222.184 as permitted sender) 
smtp.mailfrom=hel...@googlegroups.com;
arc=reject (signature check failed: fail, {[1] = sig:google.com:reject})
Authentication-Results: orc.mrstuudio.ee;
dkim=fail (body hash did not verify) header.d=googlegroups.com 
header.s=20161025 header.b=Q/j34gd1;
dkim=fail (body hash did not verify) header.d=gmail.com 
header.s=20161025 header.b=pPw7LbVC;
dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com 
(policy=none);
spf=pass (orc.mrstuudio.ee: domain of hel...@googlegroups.com 
designates 209.85.222.184 as permitted sender) 
smtp.mailfrom=hel...@googlegroups.com

On 13.10.2019 16:37, Reio Remma wrote:

So far there's a marked improvement!
Waiting for a FB notification now - asked the wife to message me. :P

Authentication-Results: host.domain.com;
dkim=fail (body hash did not verify) header.d=gmail.com 
header.s=20161025 header.b=SLB9Imr3;
dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com 
(policy=none);
spf=pass (host.domain.com: domain of m...@opensmtpd.org designates 
45.76.46.201 as permitted sender) smtp.mailfrom=misc@opensmtpd.org
Authentication-Results: host.domain.com;
dkim=pass header.d=gmail.com header.s=20161025 header.b=ot9QqpYS;
dmarc=pass (policy=none) header.from=gmail.com;
spf=pass (host.domain.com: domain of m...@opensmtpd.org designates 
45.76.46.201 as permitted sender) smtp.mailfrom=misc@opensmtpd.org
---

Authentication-Results: host.domain.com;
dkim=fail (body hash did not verify) header.d=gmail.com 
header.s=20161025 header.b=SLB9Imr3;
dmarc=pass (policy=none) header.from=gmail.com;
spf=pass (host.domain.com: domain of gil...@gmail.com designates 
209.85.128.45 as permitted sender) smtp.mailfrom=gil...@gmail.com
Authentication-Results: host.domain.com;
dkim=pass header.d=gmail.com header.s=20161025 header.b=ot9QqpYS;
dmarc=pass (policy=none) header.from=gmail.com;
spf=pass (host.domain.com: domain of gil...@gmail.com designates 
209.85.128.42 as permitted sender) smtp.mailfrom=gil...@gmail.com

On 13.10.2019 16:27, Reio Remma wrote:

Just restarted my daemon with the modified filter. :)

Will have to get someone message me at FB now.

On 13.10.2019 16:22, Gilles Chehade wrote:

Very likely yes, can you give it a try ?

On Sun, Oct 13, 2019, 15:15 Reio Remma <r...@mrstuudio.ee> wrote:


    On 13.10.2019 16:09, Reio Remma wrote:

On 13.10.2019 16:05, Gilles Chehade wrote:

I don't think that is the issue, it is probably the
filter-rspamd reconstruction of the message that is incorrect.


I was thinking along the same lines, but I'm not sure how
OpenSMTPD splits strings before passing them to the filter. Can
the filter then extract "leftover" line endings for incoming
strings and make decision based on that when joining the
strings before Rspamd?

Do you experience the same yourself?


strings.NewReader(strings.Join(s.tx.message, "\n"))

Wonder if we should use \r\n here?




Reio




On Sun, Oct 13, 2019, 15:00 Martijn van Duren
<opensm...@list.imperialat.at> wrote:

On 10/13/19 1:59 PM, Reio Remma wrote:
> Hello!
>
> I finally moved to Rspamd (2.0) on my production server and I'm seeing
> lots of failed DKIM checks, specifically dkim=fail (body hash did not
> verify).
>
>
> Authentication-Results: host.domain.com
 

Re: filter-rspamd DKIM checks failing intermittently.

2019-10-13 Thread Reio Remma

So far there's a marked improvement!
Waiting for a FB notification now - asked the wife to message me. :P

Authentication-Results: host.domain.com;
dkim=fail (body hash did not verify) header.d=gmail.com 
header.s=20161025 header.b=SLB9Imr3;
dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com 
(policy=none);
spf=pass (host.domain.com: domain of misc@opensmtpd.org designates 
45.76.46.201 as permitted sender) smtp.mailfrom=misc@opensmtpd.org

Authentication-Results: host.domain.com;
dkim=pass header.d=gmail.com header.s=20161025 header.b=ot9QqpYS;
dmarc=pass (policy=none) header.from=gmail.com;
spf=pass (host.domain.com: domain of misc@opensmtpd.org designates 
45.76.46.201 as permitted sender) smtp.mailfrom=misc@opensmtpd.org

---

Authentication-Results: host.domain.com;
dkim=fail (body hash did not verify) header.d=gmail.com 
header.s=20161025 header.b=SLB9Imr3;
dmarc=pass (policy=none) header.from=gmail.com;
spf=pass (host.domain.com: domain of gil...@gmail.com designates 
209.85.128.45 as permitted sender) smtp.mailfrom=gil...@gmail.com

Authentication-Results: host.domain.com;
dkim=pass header.d=gmail.com header.s=20161025 header.b=ot9QqpYS;
dmarc=pass (policy=none) header.from=gmail.com;
spf=pass (host.domain.com: domain of gil...@gmail.com designates 
209.85.128.42 as permitted sender) smtp.mailfrom=gil...@gmail.com


On 13.10.2019 16:27, Reio Remma wrote:

Just restarted my daemon with the modified filter. :)

Will have to get someone message me at FB now.

On 13.10.2019 16:22, Gilles Chehade wrote:

Very likely yes, can you give it a try ?

On Sun, Oct 13, 2019, 15:15 Reio Remma <r...@mrstuudio.ee> wrote:


On 13.10.2019 16:09, Reio Remma wrote:

On 13.10.2019 16:05, Gilles Chehade wrote:

I don't think that is the issue, it is probably the
filter-rspamd reconstruction of the message that is incorrect.


I was thinking along the same lines, but I'm not sure how
OpenSMTPD splits strings before passing them to the filter. Can
the filter then extract "leftover" line endings for incoming
strings and make decision based on that when joining the strings
before Rspamd?

Do you experience the same yourself?


strings.NewReader(strings.Join(s.tx.message, "\n"))

Wonder if we should use \r\n here?




Reio




On Sun, Oct 13, 2019, 15:00 Martijn van Duren
<opensm...@list.imperialat.at> wrote:

On 10/13/19 1:59 PM, Reio Remma wrote:
> Hello!
>
> I finally moved to Rspamd (2.0) on my production server and I'm seeing
> lots of failed DKIM checks, specifically dkim=fail (body hash did not
> verify).
>
>
> Authentication-Results: host.domain.com;
>      dkim=fail (body hash did not verify) header.d=facebookmail.com
> header.s=s1024-2013-q3 header.b=pNWbKJUd;
>      dmarc=pass (policy=reject) header.from=facebookmail.com;
>      spf=pass (host.domain.com: domain of notificat...@facebookmail.com
> designates 66.220.144.215 as permitted sender)
> smtp.mailfrom=notificat...@facebookmail.com
>
> My current stab-in-the-dark theory is that there might be something
> going on with line endings when mails are fed to Rspamd.
>
> Any better theories? :)

It's a known issue that mails that don't end on \r\n (both \r\r\n and
\n) cause issues. There's efforts going on to see how we can remedy
this, but in the mean time tell your senders that they should fix their
mails (RFC5321):
   In addition, the appearance of "bare" "CR" or "LF" characters in text
   (i.e., either without the other) has a long history of causing
   problems in mail implementations and applications that use the mail
   system as a tool.  SMTP client implementations MUST NOT transmit
   these characters except when they are intended as line terminators
   and then MUST, as indicated above, transmit them only as a <CRLF>
   sequence.
>
> Thanks,
> Reio
>
>











Re: filter-rspamd DKIM checks failing intermittently.

2019-10-13 Thread Reio Remma

Just restarted my daemon with the modified filter. :)

Will have to get someone message me at FB now.

On 13.10.2019 16:22, Gilles Chehade wrote:

Very likely yes, can you give it a try ?

On Sun, Oct 13, 2019, 15:15 Reio Remma <r...@mrstuudio.ee> wrote:


On 13.10.2019 16:09, Reio Remma wrote:

On 13.10.2019 16:05, Gilles Chehade wrote:

I don't think that is the issue, it is probably the
filter-rspamd reconstruction of the message that is incorrect.


I was thinking along the same lines, but I'm not sure how
OpenSMTPD splits strings before passing them to the filter. Can
the filter then extract "leftover" line endings for incoming
strings and make decision based on that when joining the strings
before Rspamd?

Do you experience the same yourself?


strings.NewReader(strings.Join(s.tx.message, "\n"))

Wonder if we should use \r\n here?




Reio




On Sun, Oct 13, 2019, 15:00 Martijn van Duren
<opensm...@list.imperialat.at> wrote:

On 10/13/19 1:59 PM, Reio Remma wrote:
> Hello!
>
> I finally moved to Rspamd (2.0) on my production server and I'm seeing
> lots of failed DKIM checks, specifically dkim=fail (body hash did not
> verify).
>
>
> Authentication-Results: host.domain.com;
>      dkim=fail (body hash did not verify) header.d=facebookmail.com
> header.s=s1024-2013-q3 header.b=pNWbKJUd;
>      dmarc=pass (policy=reject) header.from=facebookmail.com;
>      spf=pass (host.domain.com: domain of notificat...@facebookmail.com
> designates 66.220.144.215 as permitted sender)
> smtp.mailfrom=notificat...@facebookmail.com
>
> My current stab-in-the-dark theory is that there might be something
> going on with line endings when mails are fed to Rspamd.
>
> Any better theories? :)

It's a known issue that mails that don't end on \r\n (both \r\r\n and
\n) cause issues. There's efforts going on to see how we can remedy
this, but in the mean time tell your senders that they should fix their
mails (RFC5321):
   In addition, the appearance of "bare" "CR" or "LF" characters in text
   (i.e., either without the other) has a long history of causing
   problems in mail implementations and applications that use the mail
   system as a tool.  SMTP client implementations MUST NOT transmit
   these characters except when they are intended as line terminators
   and then MUST, as indicated above, transmit them only as a <CRLF>
   sequence.
>
> Thanks,
> Reio
>
>









Re: filter-rspamd DKIM checks failing intermittently.

2019-10-13 Thread Reio Remma

On 13.10.2019 16:09, Reio Remma wrote:

On 13.10.2019 16:05, Gilles Chehade wrote:
I don't think that is the issue, it is probably the filter-rspamd 
reconstruction of the message that is incorrect.


I was thinking along the same lines, but I'm not sure how OpenSMTPD 
splits strings before passing them to the filter. Can the filter then 
extract "leftover" line endings for incoming strings and make decision 
based on that when joining the strings before Rspamd?


Do you experience the same yourself?


strings.NewReader(strings.Join(s.tx.message, "\n"))

Wonder if we should use \r\n here?




Reio




On Sun, Oct 13, 2019, 15:00 Martijn van Duren
<opensm...@list.imperialat.at> wrote:


On 10/13/19 1:59 PM, Reio Remma wrote:
> Hello!
>
> I finally moved to Rspamd (2.0) on my production server and I'm seeing
> lots of failed DKIM checks, specifically dkim=fail (body hash did not
> verify).
>
>
> Authentication-Results: host.domain.com;
>      dkim=fail (body hash did not verify) header.d=facebookmail.com
> header.s=s1024-2013-q3 header.b=pNWbKJUd;
>      dmarc=pass (policy=reject) header.from=facebookmail.com;
>      spf=pass (host.domain.com: domain of notificat...@facebookmail.com
> designates 66.220.144.215 as permitted sender)
> smtp.mailfrom=notificat...@facebookmail.com
>
> My current stab-in-the-dark theory is that there might be something
> going on with line endings when mails are fed to Rspamd.
>
> Any better theories? :)

It's a known issue that mails that don't end on \r\n (both \r\r\n and
\n) cause issues. There's efforts going on to see how we can remedy
this, but in the mean time tell your senders that they should fix their
mails (RFC5321):
   In addition, the appearance of "bare" "CR" or "LF" characters in text
   (i.e., either without the other) has a long history of causing
   problems in mail implementations and applications that use the mail
   system as a tool.  SMTP client implementations MUST NOT transmit
   these characters except when they are intended as line terminators
   and then MUST, as indicated above, transmit them only as a <CRLF>
   sequence.
>
> Thanks,
> Reio
>
>







Re: filter-rspamd DKIM checks failing intermittently.

2019-10-13 Thread Reio Remma

On 13.10.2019 16:05, Gilles Chehade wrote:
I don't think that is the issue, it is probably the filter-rspamd 
reconstruction of the message that is incorrect.


I was thinking along the same lines, but I'm not sure how OpenSMTPD 
splits strings before passing them to the filter. Can the filter then 
extract "leftover" line endings for incoming strings and make decision 
based on that when joining the strings before Rspamd?


Do you experience the same yourself?

Reio




On Sun, Oct 13, 2019, 15:00 Martijn van Duren
<opensm...@list.imperialat.at> wrote:


On 10/13/19 1:59 PM, Reio Remma wrote:
> Hello!
>
> I finally moved to Rspamd (2.0) on my production server and I'm seeing
> lots of failed DKIM checks, specifically dkim=fail (body hash did not
> verify).
>
>
> Authentication-Results: host.domain.com;
>      dkim=fail (body hash did not verify) header.d=facebookmail.com
> header.s=s1024-2013-q3 header.b=pNWbKJUd;
>      dmarc=pass (policy=reject) header.from=facebookmail.com;
>      spf=pass (host.domain.com: domain of notificat...@facebookmail.com
> designates 66.220.144.215 as permitted sender)
> smtp.mailfrom=notificat...@facebookmail.com
>
> My current stab-in-the-dark theory is that there might be something
> going on with line endings when mails are fed to Rspamd.
>
> Any better theories? :)

It's a known issue that mails that don't end on \r\n (both \r\r\n and
\n) cause issues. There's efforts going on to see how we can remedy
this, but in the mean time tell your senders that they should fix their
mails (RFC5321):
   In addition, the appearance of "bare" "CR" or "LF" characters in text
   (i.e., either without the other) has a long history of causing
   problems in mail implementations and applications that use the mail
   system as a tool.  SMTP client implementations MUST NOT transmit
   these characters except when they are intended as line terminators
   and then MUST, as indicated above, transmit them only as a <CRLF>
   sequence.
>
> Thanks,
> Reio
>
>





Re: filter-rspamd DKIM checks failing intermittently.

2019-10-13 Thread Reio Remma

On 13.10.2019 15:59, Martijn van Duren wrote:

On 10/13/19 1:59 PM, Reio Remma wrote:

Hello!

I finally moved to Rspamd (2.0) on my production server and I'm seeing
lots of failed DKIM checks, specifically dkim=fail (body hash did not
verify).


Authentication-Results: host.domain.com;
      dkim=fail (body hash did not verify) header.d=facebookmail.com
header.s=s1024-2013-q3 header.b=pNWbKJUd;
      dmarc=pass (policy=reject) header.from=facebookmail.com;
      spf=pass (host.domain.com: domain of notificat...@facebookmail.com
designates 66.220.144.215 as permitted sender)
smtp.mailfrom=notificat...@facebookmail.com

My current stab-in-the-dark theory is that there might be something
going on with line endings when mails are fed to Rspamd.

Any better theories? :)

It's a known issue that mails that don't end on \r\n (both \r\r\n and
\n) cause issues. There's efforts going on to see how we can remedy
this, but in the mean time tell your senders that they should fix their
mails (RFC5321):
In addition, the appearance of "bare" "CR" or "LF" characters in text
(i.e., either without the other) has a long history of causing
problems in mail implementations and applications that use the mail
system as a tool.  SMTP client implementations MUST NOT transmit
these characters except when they are intended as line terminators
and then MUST, as indicated above, transmit them only as a <CRLF>
sequence.


I'm not sure Facebook will listen to me! :)

Reio



filter-rspamd DKIM checks failing intermittently.

2019-10-13 Thread Reio Remma

Hello!

I finally moved to Rspamd (2.0) on my production server and I'm seeing 
lots of failed DKIM checks, specifically dkim=fail (body hash did not 
verify).



Authentication-Results: host.domain.com;
    dkim=fail (body hash did not verify) header.d=facebookmail.com 
header.s=s1024-2013-q3 header.b=pNWbKJUd;

    dmarc=pass (policy=reject) header.from=facebookmail.com;
    spf=pass (host.domain.com: domain of notificat...@facebookmail.com 
designates 66.220.144.215 as permitted sender) 
smtp.mailfrom=notificat...@facebookmail.com


My current stab-in-the-dark theory is that there might be something 
going on with line endings when mails are fed to Rspamd.


Any better theories? :)

Thanks,
Reio




Re: Repeated 421 try again later erros

2019-10-09 Thread Reio Remma

On 09.10.2019 23:13, Matt Schwartz wrote:

Hello List,

I am getting a lot of repeated 421 try again later errors from various 
lists that I am a member of. There is one in particular that is coming 
from outbound.foodtecsolutions.com. Here is an excerpt from my 
/var/log/maillog. I am running OpenBSD 6.6-current #344.


Oct  9 16:07:53 meow smtpd[19379]: a52386b4311e607e smtp connected 
address=52.201.148.113 host=outbound.foodtecsolutions.com
Oct  9 16:07:53 meow smtpd[19379]: a52386b4311e607e smtp 
failed-command command="DATA" result="421 try again later"
Oct  9 16:07:53 meow smtpd[19379]: a52386b4311e607e smtp disconnected 
reason=quit


Below is my smtpd.conf file:
pki "mail" cert "/etc/ssl/mail.crt"
pki "mail" key "/etc/ssl/private/mail.key"

table aliases file:/etc/mail/aliases
table credentials passwd:/etc/mail/credentials
table extras file:/etc/mail/extras
table relays file:/etc/mail/relays
table rejects file:/etc/mail/rejects
table virtuals file:/etc/mail/virtuals

filter check_rejects phase connect match rdns regex  \
        disconnect "554 Forbidden"
filter check_rdns phase connect match !rdns \
        disconnect "554 No Reverse DNS Configured"
filter rspamd proc-exec "filter-rspamd"

listen on lo filter rspamd
listen on egress tls pki "mail" hostname "mail.goblackcat.com" \
        filter {check_rejects, check_rdns, rspamd}
listen on egress port submission tls-require pki "mail" hostname "mail.goblackcat.com" \
        auth  filter {check_rejects, check_rdns, rspamd}

action "local_mail" mbox alias 
action "virtual_mail" maildir "/var/vmail/%{dest.domain}/%{dest.user}" junk \
        virtual 
action "outbound" relay

match for local action "local_mail"
match !from src  mail-from "@goblackcat.com" reject
match from any for domain "goblackcat.com" action "virtual_mail"

match auth from any for any action "outbound"
match for any action "outbound"

I am out of ideas with which to troubleshoot. I am already running 
smtpd with -v switch for more verbosity.


Thanks,
Matt


Greylisting at work?

Good luck,
Reio


OpenSMTPD sendmail and Message-Id.

2019-10-09 Thread Reio Remma

Hello!

I'm curious as to what the norm is with Message-Id when sending mail 
from command line or scripts.


I notice mails sent by cron (CentOS 7) are all without Message-Id when 
they're passed to OpenSMTPD.


As I see cron should use sendmail.opensmtpd to send mail.

Is it a problem with cron not supplying a Message-Id header?

Thanks,
Reio



Re: unable to send mail from desktop mail client to remote email addresses

2019-10-03 Thread Reio Remma

On 03.10.2019 18:34, Kevin wrote:
If I can send the domain email, if I can retrieve email via Dovecot, 
if I can send mail to myself from the server's CLI (and even retrieve 
it remotely via my mail client), it seems like there's some knob 
missing that says, "All auth'd users to relay," yet, I've 
copied-and-pasted Gilles' rules (and edited them for my own domain) , 
and it am no workie.


Is there perhaps something else akin to the forwarding knob that lets 
PF forward packets between interfaces that either I've forgotten or 
was skipped in the HOWTO?


Thanks,
Kevin


What connection do you have? If it's a home connection, then most ISP-s 
block sending mail directly to port 25 (on the destination server). You 
want a static IP for a mail server, with rDNS etc. set up.


Good luck,
Reio


Re: need help

2019-09-30 Thread Reio Remma

On 30/09/2019 16:55, gil...@poolp.org wrote:

Hello,

I'd like to bring native support for SPF in OpenSMTPD in a future release,
but for this I need a bit of help to make sure my SPF resolver works fine.

I have created a repository with a standalone executable that performs the
SPF lookup and checks if an IP address is allowed to send on behalf of the
sending domain:

https://github.com/poolpOrg/spf

https://github.com/poolpOrg/spf/blob/master/README.md


If you could test and report issues, it would be nice,



Is it OpenBSD only atm?

On CentOS 7:

$ make
Makefile:26: *** missing separator.  Stop.

Reio




FCrDNS.

2019-09-28 Thread Reio Remma

Hello!

I just had to share this. :)

I made a makeshift reporter to see how many incoming SMTP connections 
would fail on our server:


fcrdns-reporter: fcrdns-failure address=89.248.160.66 
host=no-reverse-dns-configured.com result="Hostname resolved to a 
different IP"


Someone out there has a good sense of humour! :D

Good luck,
Reio



Re: smtpd / mail.lmtp rewrites from address, breaking lmtp

2019-09-16 Thread Reio Remma

On 17.09.2019 1:08, Michal Krzysztofowicz wrote:

Thanks for looking after this. Unfortunately, no dice:
Sep 16 21:57:13 atlantic smtpd[83146]: 70aec8652b2efbe8 mda delivery evpid=0f662ffc0f395dbe 
from= to= rcpt= 
user=me delay=0s result=PermFail stat=Error ("/bin/sh: no closing quote”)



’ is not in MAILADDR_ALLOWED, ' and `  are though.

I'll test the slash issue tomorrow once I figure out how to apply the 
patch. Nearly 20 years have passed since I last applied one. :D


Good luck,
Reio



Failed logins hammer/filter.

2019-09-16 Thread Reio Remma

Hello!

Until upgrading to OpenSMTPD 6.6 I used fail2ban to ban excessive login 
failures from IPs, but that doesn't work any more with the log format 
changed from:


smtp event=failed-command address=185.13.39.7 host=vps-33288.fhnet.fr 
command="AUTH LOGIN (password)" result="535 Authentication failed"

|
smtp failed-command command="AUTH LOGIN (password)" result="535 
Authentication failed"


Surprisingly SMTP isn't brute forced that much, but as I registered 472 
failed authentications from a single IP yesterday, I'm going to have a 
Go at a filter too. :)


All the best,
Reio
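
One way to restore per-IP counting with the 6.6 log format, as an added Go example that is not part of the original post: because the failed-command line no longer carries the address, the session id is used to join it with the earlier `smtp connected address=...` line of the same session. The sample log is constructed (documentation addresses), the function names are hypothetical, and the threshold of 3 is an assumption.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// sampleLog is constructed for this example. Two sessions are interleaved,
// one address reconnects, and the last line uses the pre-6.6 format.
const sampleLog = `Sep 16 10:00:01 mx smtpd[4711]: a1a1a1a1a1a1a1a1 smtp connected address=192.0.2.10 host=a.example.net
Sep 16 10:00:01 mx smtpd[4711]: b2b2b2b2b2b2b2b2 smtp connected address=198.51.100.7 host=b.example.net
Sep 16 10:00:02 mx smtpd[4711]: a1a1a1a1a1a1a1a1 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
Sep 16 10:00:02 mx smtpd[4711]: b2b2b2b2b2b2b2b2 smtp failed-command command="DATA" result="421 try again later"
Sep 16 10:00:03 mx smtpd[4711]: a1a1a1a1a1a1a1a1 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
Sep 16 10:00:03 mx smtpd[4711]: b2b2b2b2b2b2b2b2 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
Sep 16 10:00:04 mx smtpd[4711]: a1a1a1a1a1a1a1a1 smtp disconnected reason=quit
Sep 16 10:00:05 mx smtpd[4711]: c3c3c3c3c3c3c3c3 smtp connected address=192.0.2.10 host=a.example.net
Sep 16 10:00:06 mx smtpd[4711]: c3c3c3c3c3c3c3c3 smtp failed-command command="AUTH LOGIN (password)" result="535 Authentication failed"
Sep 16 10:00:07 mx smtpd[4711]: d4d4d4d4d4d4d4d4 smtp event=failed-command address=203.0.113.5 host=c.example.net command="AUTH LOGIN (password)" result="535 Authentication failed"
`

var (
	// New format: the address appears only on the "connected" line.
	reConnected = regexp.MustCompile(`\b([0-9a-f]{16}) smtp connected address=(\S+)`)
	reAuthFail  = regexp.MustCompile(`\b([0-9a-f]{16}) smtp failed-command command="AUTH [^"]*" result="535 `)
	reClosed    = regexp.MustCompile(`\b([0-9a-f]{16}) smtp disconnected\b`)
	// Old format: the address is on the failed-command line itself.
	reOldFail = regexp.MustCompile(`smtp event=failed-command address=(\S+) .*command="AUTH [^"]*" result="535 `)
)

// countAuthFailures returns failed AUTH attempts per client address.
func countAuthFailures(log string) map[string]int {
	sessions := map[string]string{} // session id -> client address
	failures := map[string]int{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := sc.Text()
		if m := reConnected.FindStringSubmatch(line); m != nil {
			sessions[m[1]] = m[2]
		} else if m := reAuthFail.FindStringSubmatch(line); m != nil {
			// Sessions whose "connected" line was not seen are skipped.
			if addr, ok := sessions[m[1]]; ok {
				failures[addr]++
			}
		} else if m := reOldFail.FindStringSubmatch(line); m != nil {
			failures[m[1]]++
		} else if m := reClosed.FindStringSubmatch(line); m != nil {
			delete(sessions, m[1]) // keep the session table bounded
		}
	}
	return failures
}

// offenders lists, sorted, the addresses with at least threshold failures.
func offenders(failures map[string]int, threshold int) []string {
	var out []string
	for addr, n := range failures {
		if n >= threshold {
			out = append(out, addr)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	failures := countAuthFailures(sampleLog)
	for _, addr := range offenders(failures, 3) {
		fmt.Printf("%s: %d failed AUTH attempts\n", addr, failures[addr])
	}
}
```
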



Re: smarthost + aliases

2019-09-14 Thread Reio Remma

On 14.09.2019 3:05, Edgar Pettijohn wrote:

On Sat, Sep 14, 2019 at 12:32:22AM +0200, Thomas Schweikle wrote:

Hi!

Trying to set up opensmtpd as a simple single mta relaying all mail to a
smarthost. But ...

Config:
listen on localhost
table aliases db:/etc/aliases.db
table secrets db:/etc/smtpd.secrets.db
expire 4h


Add:

accept for local alias  deliver to mbox
accept from local for any relay via smtps+auth://gm...@smtp.gmail.com:465 auth



Hello! You may also look into forward-only if you want them to be 
forwarded to external addresses:


accept from local for local alias  forward-only

Good luck,
Reio



Re: Filters and rctp-to rewrite.

2019-09-09 Thread Reio Remma

On 09.09.2019 20:03, Giovanni Bechis wrote:

I'm currently using amavisd-new with the quarantine feature, but I'm itching to 
switch to Rspamd (greylisting here I come!).


amavisd-new 2.12 has rspamd support, have you tried it ?


Curious! I see the project has again switched hands, if you mean this one?

https://gitlab.com/amavis/amavis

I'll have a look at it. Then again with Rspamd and filter-rspamd we 
could cut down a lot of complexity.


Reio



Re: Filters and rctp-to rewrite.

2019-09-09 Thread Reio Remma

On 09.09.2019 18:13, Martijn van Duren wrote:

On 9/9/19 3:37 PM, Reio Remma wrote:

Hello!

Slowly digging into filters.

Now I'm curious if it's possible to modify the recipient after say spam
check in data-line? I get the impression that rewriting rcpt-to at that
stage is impossible, but my goal would be to redirect/quarantine high
scoring spam to a special e-mail address.

Would it be doable somehow?

Thanks!
Reio


It is not.

What you might be able to do is add an additional header and somehow let
an lmtp server make the decision based on the header.

I haven't used lmtp myself, no clue if this actually works, but it's
worth investigating :-)

Please reply to the thread if you managed to make it work.


Thanks Martijn and Gilles for the confirmation!

I'm currently using amavisd-new with the quarantine feature, but I'm 
itching to switch to Rspamd (greylisting here I come!).


I'm using the quarantine to keep an eye on mails with a medium spam 
score so we won't lose the occasional legit mail with a higher than 
normal spam score. Additionally I can train these borderline mails 
correctly as ham/spam.


I now see Rspamd has a metadata exporter feature I could probably use to 
copy spammy mails to the quarantine mail address.


There are also Dovecot's sieve scripts. I'll have to see which work better.

Thanks,
Reio



Filters and rctp-to rewrite.

2019-09-09 Thread Reio Remma

Hello!

Slowly digging into filters.

Now I'm curious if it's possible to modify the recipient after say spam 
check in data-line? I get the impression that rewriting rcpt-to at that 
stage is impossible, but my goal would be to redirect/quarantine high 
scoring spam to a special e-mail address.


Would it be doable somehow?

Thanks!
Reio



Re: Virtual User handling

2019-09-08 Thread Reio Remma
> On 07.09.2019 12:53, Ede Wolf wrote:
> Excellent idea, however, the error stays the same. No change, despite copying 
> the whole opensmtpd folder to /usr/local/libexec
> 
> result=TempFail stat=Error (temporary failure: "mail.lmtp: No such file or 
> directoryconnect")

I purposefully mistyped the Dovecot LMTP socket in my config and got the same 
message.

Sep  7 13:26:28 host smtpd[26873]: 7cde0d1cf207f8f3 mda delivery 
evpid=b96774ed55a5492e from=<> to=<> rcpt=<> user=3 delay=0s result=TempFail 
stat=Error (temporary failure: "mail.lmtp: No such file or directoryconnect")

I suspect your problem is that there is no Cyrus LMTP listening in 
/run/cyrus/socket/lmtp:

action "deliver" lmtp "/run/cyrus/socket/lmtp" rcpt-to user lmtpd

Do you actually use Cyrus IMAP?

Good luck,
Reio




Re: OpenSMTPD-Logwatch script.

2019-09-05 Thread Reio Remma

On 05/09/2019 11:33, gil...@poolp.org wrote:

Yes, see the smtpd.conf(5) man page:

filter myreporter proc-exec "/tmp/reporting.sh"

listen on [...] filter myreporter


Ahh, that's what it is now. I looked at the man page looking for 
"report". :)


Thanks!
Reio





September 5, 2019 10:30 AM, "Reio Remma"  wrote:


On 03/09/2019 21:32, gil...@poolp.org wrote:


September 3, 2019 8:29 PM, "Reio Remma"  wrote:


On 27.04.2018 12:26, Reio Remma wrote:

Hello all,

I've whipped together a Logwatch script for OpenSMTPD. If anyone is 
interested in giving it a try, it's now at:

https://github.com/whataboutpereira/OpenSMTPD-Logwatch

Hello! I've now updated the Logwatch script to work with OpenSMTPD 6.6.0 
(current portable).

Good luck,
Reio

Nice

I wonder why you didn't parse the reporting output though, it would have been 
much much simpler :-)

About that:

proc reporting "/tmp/reporting.sh"
report smtp on reporting

The 2nd line gives smtpd -n a syntax error. Has the syntax changed between your 
post and now? :)

Reio





Re: New syntax and virtual aliases to remote addresses.

2019-09-05 Thread Reio Remma

On 05/09/2019 11:32, gil...@poolp.org wrote:

could be interesting to implement a tls builtin filter, so you could:

 filter check-tls phase mail-from match !tls junk

and flag non tls options as spam, without discarding them completely


You know, I was hoping you'd say that! :D

I would so very much like to run with TLS only, but alas I have people 
here that need all these plain text private mails from their banks etc. :P


I've already started to send out mails to point it out to them (bank, 
government institutions, etc). Even our old QMail (RIP) had TLSv1 in it. 
There's just no excuse.


And the most absurd fact. Postfix needs a setting to turn on 
opportunistic TLS on outgoing mail. They default to none.


Oh I'm angry today. In a positive way! :)

Reio


September 5, 2019 8:38 AM, "Reio Remma"  wrote:


On 02/09/2019 18:37, Reio Remma wrote:


On 02/09/2019 18:36, Reio Remma wrote:


Now I ended up switching to tls-require on port 25. I wonder how much spam 
that will take down! :)

Well, that's depressing.

On the spam front - requiring TLS apparently cuts off about 99% of spam 
(SpamAssassin is
practically out of work), but we do get the occasional legit non-TLS connection 
and I'm having to
switch back to optional TLS. :/

So TLS is 20 years old but they're (banks etc) still sending somewhat private 
info in plain text.

'twas fun while it lasted. :)

I'm going to start schooling them one by one.

Reio





Re: New syntax and virtual aliases to remote addresses.

2019-09-05 Thread Reio Remma

On 05/09/2019 09:38, Reio Remma wrote:

On 02/09/2019 18:37, Reio Remma wrote:

On 02/09/2019 18:36, Reio Remma wrote:

Now I ended up switching to tls-require on port 25. I wonder how much 
spam that will take down! :)


On the spam front - requiring TLS apparently cuts off about 99% of 
spam (SpamAssassin is practically out of work), but we do get the 
occasional legit non-TLS connection and I'm having to switch back to 
optional TLS. :/ 


Now I'm thinking I should look into getting SpamAssassin score mails by 
lacking TLS.


Reio



Re: OpenSMTPD-Logwatch script.

2019-09-05 Thread Reio Remma

On 03/09/2019 21:32, gil...@poolp.org wrote:

September 3, 2019 8:29 PM, "Reio Remma"  wrote:


On 27.04.2018 12:26, Reio Remma wrote:


Hello all,

I've whipped together a Logwatch script for OpenSMTPD. If anyone is 
interested in giving it a try, it's now at:

https://github.com/whataboutpereira/OpenSMTPD-Logwatch

Hello! I've now updated the Logwatch script to work with OpenSMTPD 6.6.0 
(current portable).

Good luck,
Reio

Nice

I wonder why you didn't parse the reporting output though, it would have been 
much much simpler :-)



About that:

proc reporting "/tmp/reporting.sh"
report smtp on reporting

The 2nd line gives smtpd -n a syntax error. Has the syntax changed 
between your post and now? :)


Reio



Re: New syntax and virtual aliases to remote addresses.

2019-09-05 Thread Reio Remma

On 02/09/2019 18:37, Reio Remma wrote:

On 02/09/2019 18:36, Reio Remma wrote:

Now I ended up switching to tls-require on port 25. I wonder how much 
spam that will take down! :)


Well, that's depressing.

On the spam front - requiring TLS apparently cuts off about 99% of spam 
(SpamAssassin is practically out of work), but we do get the occasional 
legit non-TLS connection and I'm having to switch back to optional TLS. :/


So TLS is 20 years old but they're (banks etc) still sending somewhat 
private info in plain text.


'twas fun while it lasted. :)

I'm going to start schooling them one by one.

Reio




Re: OpenSMTPD-Logwatch script.

2019-09-04 Thread Reio Remma

On 04/09/2019 01:43, Edgar Pettijohn wrote:

On Tue, Sep 03, 2019 at 09:29:14PM +0300, Reio Remma wrote:

On 27.04.2018 12:26, Reio Remma wrote:

Hello all,

I've whipped together a Logwatch script for OpenSMTPD. If anyone is
interested in giving it a try, it's now at:

https://github.com/whataboutpereira/OpenSMTPD-Logwatch

Hello! I've now updated the Logwatch script to work with OpenSMTPD 6.6.0
(current portable).

Good luck,
Reio


deathstar$ ./opensmtpd.pl
Experimental keys on scalar is now forbidden at ./opensmtpd.pl line 523.
Type of arg 1 to keys must be hash or array (not hash element) at ./opensmtpd.pl line 
523, near "} ) "


Perl, I don't like you anymore.

Want to give it another try to see if I'm still using 
experimental/removed features? :)


Good luck,
Reio




Re: OpenSMTPD-Logwatch script.

2019-09-03 Thread Reio Remma

On 04.09.2019 1:43, Edgar Pettijohn wrote:

On Tue, Sep 03, 2019 at 09:29:14PM +0300, Reio Remma wrote:

On 27.04.2018 12:26, Reio Remma wrote:

Hello all,

I've whipped together a Logwatch script for OpenSMTPD. If anyone is
interested in giving it a try, it's now at:

https://github.com/whataboutpereira/OpenSMTPD-Logwatch

Hello! I've now updated the Logwatch script to work with OpenSMTPD 6.6.0
(current portable).

Good luck,
Reio


Lots of errors with newer perls. :(

deathstar$ perl -v

This is perl 5, version 28, subversion 2 (v5.28.2) built for amd64-openbsd

deathstar$ ./opensmtpd.pl
Experimental keys on scalar is now forbidden at ./opensmtpd.pl line 523.
Type of arg 1 to keys must be hash or array (not hash element) at ./opensmtpd.pl line 
523, near "} ) "
Experimental keys on scalar is now forbidden at ./opensmtpd.pl line 527.
Type of arg 1 to keys must be hash or array (not hash element) at ./opensmtpd.pl line 
527, near "};"
Experimental keys on scalar is now forbidden at ./opensmtpd.pl line 541.
Type of arg 1 to keys must be hash or array (not hash element) at ./opensmtpd.pl line 
541, near "} )"
Experimental keys on scalar is now forbidden at ./opensmtpd.pl line 553.
Type of arg 1 to keys must be hash or array (not hash element) at ./opensmtpd.pl line 
553, near "} ) "
Experimental keys on scalar is now forbidden at ./opensmtpd.pl line 557.
Type of arg 1 to keys must be hash or array (not hash element) at ./opensmtpd.pl line 
557, near "};"
./opensmtpd.pl has too many errors


Meh. CentOS 7 indeed has an older version for me to test with:

$ perl -v

This is perl 5, version 16, subversion 3 (v5.16.3) built for 
x86_64-linux-thread-multi

(with 39 registered patches, see perl -V for more detail)



Re: New syntax and virtual aliases to remote addresses.

2019-09-02 Thread Reio Remma

On 02/09/2019 18:36, Reio Remma wrote:

On 02/09/2019 17:05, gil...@poolp.org wrote:

September 2, 2019 3:35 PM, "Reio Remma"  wrote:

Hello!

I was able to have virtual aliases pointing to external addresses 
with the old syntax, but it doesn't seem to work like that with new rules:

Not awake enough to process what follows but the new syntax certainly 
allows this as my whole infrastructure depends on it ;-)

I suspect that there's a problem with the ruleset that prevents 
external addresses from matching a rule themselves.


Looking at your config at 
https://poolp.org/posts/2018-05-21/switching-to-opensmtpd-new-config/


Now I ended up switching to tls-require on port 25. I wonder how much 
spam that will take down! :)


I also notice you're not using match auth anywhere, I think this might 
make the difference for mails from remote addresses to virtuals 
aliased to another remote address. I didn't have auth in the old config.


Reio




action filter_incoming relay host smtp://127.0.0.1:10024
action sign_outgoing   relay host smtp://127.0.0.1:10026
action relay_outgoing  relay
action deliver_lmtp    lmtp "/var/run/dovecot/lmtp" rcpt-to virtual 
 userbase 


match tag FILTERED for domain  action deliver_lmtp
match tag SIGNED   for any action relay_outgoing
match auth from any    for domain  action deliver_lmtp
match from any for domain  rcpt-to  
action filter_incoming

match auth from any    for any action sign_outgoing

Old rules were:

accept tagged Filtered for domain  virtual  
userbase  deliver to lmtp

"/var/run/dovecot/lmtp" rcpt-to
accept from local  for domain  virtual  
userbase  deliver to lmtp

"/var/run/dovecot/lmtp" rcpt-to
accept from !local for domain  recipient  
relay via smtp://127.0.0.1:10024

accept tagged Signed   for any relay
accept from local  for any relay via smtp://127.0.0.1:10026

recipi...@mydomain.com used to be nicely redirected to a remote 
recipi...@someotherdomain.com, but with the new syntax it doesn't hit any rules.

I found that adding "match tag FILTERED for any action 
relay_outgoing" after "match tag FILTERED for domain  action deliver_lmtp" 
solves the issue.

I suspect that the old "accept tagged Filtered" went straight to MTA 
after expanding the virtual alias?

Does it sound right to "match tag FILTERED for any" after dealing 
with FILTERED for our domains?


Can I do anything about DKIM breaking for forwarded mails?

Thanks,
Reio





--
Regards
Reio Remma


MR Stuudio 25 years

*MR Stuudio OÜ*
Tondi 17b, 11316, Tallinn
Tel +372 650 4808
Mob +372 56 22 00 33
r...@mrstuudio.ee
www.mrstuudio.ee





New syntax and virtual aliases to remote addresses.

2019-09-02 Thread Reio Remma

Hello!

I was able to have virtual aliases pointing to external addresses with 
the old syntax, but it doesn't seem to work like that with new rules:


action filter_incoming relay host smtp://127.0.0.1:10024
action sign_outgoing   relay host smtp://127.0.0.1:10026
action relay_outgoing  relay
action deliver_lmtp    lmtp "/var/run/dovecot/lmtp" rcpt-to virtual 
 userbase 


match tag FILTERED for domain  action deliver_lmtp
match tag SIGNED   for any action relay_outgoing
match auth from any    for domain  action deliver_lmtp
match from any for domain  rcpt-to  action 
filter_incoming

match auth from any    for any action sign_outgoing

Old rules were:

accept tagged Filtered for domain  virtual  userbase 
 deliver to lmtp "/var/run/dovecot/lmtp" rcpt-to
accept from local  for domain  virtual  userbase 
 deliver to lmtp "/var/run/dovecot/lmtp" rcpt-to
accept from !local for domain  recipient  relay 
via smtp://127.0.0.1:10024

accept tagged Signed   for any relay
accept from local  for any relay via smtp://127.0.0.1:10026

recipi...@mydomain.com used to be nicely redirected to a remote 
recipi...@someotherdomain.com, but with the new syntax it doesn't hit 
any rules.


I found that adding "match tag FILTERED for any action relay_outgoing" 
after "match tag FILTERED for domain  action deliver_lmtp" 
solves the issue.


I suspect that the old "accept tagged Filtered" went straight to MTA 
after expanding the virtual alias?


Does it sound right to "match tag FILTERED for any" after dealing with 
FILTERED for our domains?


Can I do anything about DKIM breaking for forwarded mails?

Thanks,
Reio



Re: Virtual User handling

2019-09-02 Thread Reio Remma

On 30/08/2019 18:00, Ede Wolf wrote:

Hello,

While trying to learn opensmtpd, amongst other things I am struggling 
with the virtual user handling - for a non virtual domain setup.


From what I have been able to understand so far it seems, as if there 
is no way to deliver mails to a lmtp socket, if there is not at least 
some reference/mapping to a system user?


accept from any for domain "example.com" recipient  alias 
 deliver to lmtp "/run/cyrus/lmtp" rcpt-to as nobody


where vusers contains:
b...@example.com

However, despite being listed in vusers, when trying to send a mail to 
bob, it gets rejected with "550 Invalid recipient". Creating a 
systemuser "bob" makes it work. But then I do not need the vusers 
table, so I am wondering, is it possible to get along without the need 
for a system user?
Now the man page mentions a userbase parameter, and I assume, the 
according table has to be in the format of the userinfo table 
mentioned in tables(5)?
What then effectively again refers to a system user - just with a 
mapping in between.


For virtual aliases you need to have a mapping of a virtual address to a 
user:


table vusers { b...@example.com = bob }

You might try this:

accept from any for domain "example.com" virtual  deliver to 
lmtp "/run/cyrus/lmtp" rcpt-to


The userbase parameter is handy if you deliver to mailboxes straight 
from OpenSMTPD or you want OpenSMTPD to read the users .forward files:


table userinfo { bob = 5000:5000:/var/mail/example.com/bob }

accept from any for domain "example.com" virtual  userbase 
 deliver to lmtp "/run/cyrus/lmtp" rcpt-to


Good luck,
Reio




Re: Virtual User handling

2019-09-02 Thread Reio Remma

On 02/09/2019 10:35, Ede Wolf wrote:

Hello Edgar,

thanks very much for your in depth reply and the effort you've put 
into it.


As for the "user" keyword, the way I understand this is that it 
equals the "as" statement in the old version.


... lmtp "/run/cyrus/lmtp" rcpt-to ->as nobody<-


I'm using multiple virtual domains myself and delivering to Dovecot via 
LMTP with no user parameter. I _suspect_ it's more useful when you let 
OpenSMTPD to deliver straight to mailboxes.


Back to your reply: That catchall from your example in "@ catchall" is 
not a keyword, is it? But a local user account?


@example.com need to be aliased to a real mail account to receive all these.


> but some real user has to own the mailbox...

Care to explain, why is that? From my unknowledgeable point of view, 
the mailbox handling should be done on the other side of the lmtpd 
socket. This misconception is at the very heart of my question.


Maybe run 'smtpd -dv -T expand -T lookup -T rules' and see how OpenSMTPD 
is translating the aliases and which rules it's matching etc.


Good luck,
Reio




Re: Building 6.4.2p1 without ssl?

2019-09-02 Thread Reio Remma
  if (rsa_default->flags & RSA_FLAG_SIGN_VER)
   ^
   RSA_FLAG_EXT_PKEY
../../smtpd/ca.c:511:27: note: each undeclared identifier is reported 
only once for each function it appears in
../../smtpd/ca.c:515:14: error: invalid use of incomplete typedef 
'RSA_METHOD' {aka 'struct rsa_meth_st'}

   rsae_method.rsa_mod_exp = NULL;
  ^
../../smtpd/ca.c:517:14: error: invalid use of incomplete typedef 
'RSA_METHOD' {aka 'struct rsa_meth_st'}

   rsae_method.bn_mod_exp = NULL;
  ^
../../smtpd/ca.c:519:14: error: invalid use of incomplete typedef 
'RSA_METHOD' {aka 'struct rsa_meth_st'}

   rsae_method.rsa_keygen = NULL;
  ^
../../smtpd/ca.c:520:13: error: invalid use of incomplete typedef 
'RSA_METHOD' {aka 'struct rsa_meth_st'}

  rsae_method.flags = rsa_default->flags |
 ^
../../smtpd/ca.c:522:13: error: invalid use of incomplete typedef 
'RSA_METHOD' {aka 'struct rsa_meth_st'}

  rsae_method.app_data = rsa_default->app_data;
 ^
../../smtpd/ca.c: At top level:
../../smtpd/ca.c:307:19: error: storage size of 'rsae_method' isn't known
 static RSA_METHOD rsae_method = {
   ^~~
make[3]: *** [Makefile:742: ../../smtpd/smtpd-ca.o] Error 1
make[3]: Leaving directory '/root/build/opensmtpd-6.4.2p1/mk/smtpd'
make[2]: *** [Makefile:371: all-recursive] Error 1
make[2]: Leaving directory '/root/build/opensmtpd-6.4.2p1/mk'
make[1]: *** [Makefile:418: all-recursive] Error 1
make[1]: Leaving directory '/root/build/opensmtpd-6.4.2p1'
make: *** [Makefile:350: all] Error 2




--
Regards
Reio Remma


MR Stuudio 25 years

*MR Stuudio OÜ*
Tondi 17b, 11316, Tallinn
Tel +372 650 4808
Mob +372 56 22 00 33
r...@mrstuudio.ee
www.mrstuudio.ee





Question about match auth with the new syntax.

2019-08-28 Thread Reio Remma

Hello!

I've pretty much converted my setup to the new syntax now and I'm 
wondering if I get this right.


I understand that from local was changed to not include authenticated 
users, but my question is does "match auth" match both authenticated and 
local users?


I currently have - "match auth from any for any action dkim" - and I see 
that I can send mail from command line using that rule, so I'm guessing 
yes. :)


Maybe the man page could reflect these bits for match auth and match 
from local.


Thanks!
Reio



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-28 Thread Reio Remma

On 28/08/2019 11:30, Gilles Chehade wrote:

OpenSSL 1.0.x is going to be supported until 2019-12-31 so this will get
solved by itself soon ;-)


Unfortunately not for CentOS 7. :D

They have a policy of not making major version upgrades during the 
lifecycle of an OS version. :(


Suspect I'll have to look at migrating everything to CentOS 8 when that 
comes out.


Reio



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-28 Thread Reio Remma

On 28/08/2019 10:44, gil...@poolp.org wrote:

28 August 2019 00:00 "Reio Remma"  wrote:


On 27.08.2019 21:25, Richard Narron wrote:


The OpenSMTPD portable version from https://github.com/OpenSMTPD/OpenSMTPD
works fine on Slackware64 current with OpenSSL 1.1.1c and gcc 9.2
It took me a while to get it to work though.
I first downloaded the "current" portable version from
https://opensmtpd.org/archives/opensmtpd-6.4.2p1.tar.gz
And I got errors very similar to those of Denis Fateyev on Fedora 30.
Next I downloaded the portable version from github.com
and found that autoconf had not been run and this was no good.
Finally I discovered the post on the mailing list which mentioned the
"bootstrap" script and then I was able to download and build the portable
version from git.
The code shows version "6.6.0-portable".
It runs fine on Slackware64 current and I'm happy that it now works with
OpenSSL 1.1
Regards,
Richard Narron

Your success pushed me to try 6.6.0 on CentOS 7 with OpenSSL 1.1.1c.

Can anyone tell me if changing -lcrypto -lssl to -l:libssl.a -l:libcrypto.a 
is the correct way to get OpenSSL 1.1.1c statically compiled into OpenSMTPD? 
I ended up using these (and -pthreads -ldl) and managed to build an RPM 
based on 6.0.3 RPM from CentOS 7.


I don't know about the -l:lib notation sorry

Out of curiosity, why would you want ssl statically compiled into OpenSMTPD ?
This means that when an issue hits OpenSSL, updating OpenSSL and restarting the 
daemon will not be
enough to be back on track.

In addition, I'm not sure why you need -pthreads because OpenSMTPD is not 
multi-threaded.


Hello!

CentOS 7 has OpenSSL 1.0.2k as the max version and with OpenSSL 1.1.1c 
compiled into OpenSMTPD I can run the new OpenSMTPD version on a machine 
with CentOS 7's old OpenSSL version.


I had to add -pthreads and -ldl to pass 'make' with the static OpenSSL 
libraries. Without these I ran into errors hinting at threads and dl.


I'm a little wary of just forcibly replacing the whole OpenSSL 1.0.2k on 
a production machine. :)


Thanks!
Reio



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-28 Thread Reio Remma

On 28/08/2019 01:00, Reio Remma wrote:
The fresh RPM installed nicely on a clean CentOS 7 with their OpenSSH 
1.0.2k and OpenSMTPD started too:

Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta delivery evpid=953ab16d13e43b2f 
from=  to=  rcpt=<-> source="192.168.1.142" 
relay="108.177.14.27 (lt-in-f27.1e100.net)" delay=3m12
s result="Ok" stat="250 2.0.0 OK  1566942607 w6si428635lfk.121 - gsmtp"


Funnily this sole test e-mail managed to get us Spamhaus banned due to 
using localhost.localdomain. :D


Good luck,
Reio


Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-27 Thread Reio Remma

On 27.08.2019 21:25, Richard Narron wrote:

The OpenSMTPD portable version from https://github.com/OpenSMTPD/OpenSMTPD
works fine on Slackware64 current with OpenSSL 1.1.1c and gcc 9.2

It took me a while to get it to work though.

I first downloaded the "current" portable version from
https://opensmtpd.org/archives/opensmtpd-6.4.2p1.tar.gz

And I got errors very similar to those of Denis Fateyev on Fedora 30.

Next I downloaded the portable version from github.com
and found that autoconf had not been run and this was no good.

Finally I discovered the post on the mailing list which mentioned the
"bootstrap" script and then I was able to download and build the portable
version from git.

The code shows version "6.6.0-portable".

It runs fine on Slackware64 current and I'm happy that it now works with
OpenSSL 1.1

Regards,
Richard Narron


Your success pushed me to try 6.6.0 on CentOS 7 with OpenSSL 1.1.1c.

Can anyone tell me if changing -lcrypto -lssl to -l:libssl.a 
-l:libcrypto.a is the correct way to get OpenSSL 1.1.1c statically 
compiled into OpenSMTPD? I ended up using these (and -pthreads -ldl) and 
managed to build an RPM based on 6.0.3 RPM from CentOS 7.


The fresh RPM installed nicely on a clean CentOS 7 with their OpenSSH 
1.0.2k and OpenSMTPD started too:


Aug 28 00:54:54 localhost smtpd[25943]: info: OpenSMTPD 6.6.0-portable starting
Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta connecting 
address=smtp://108.177.14.27:25 host=lt-in-f27.1e100.net
Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta connected
Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta tls 
ciphers=TLSv1.3:TLS_AES_256_GCM_SHA384:256
Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta server-cert-check 
result="success"
Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta delivery evpid=953ab16d13e43b2f 
from= to= rcpt=<-> source="192.168.1.142" 
relay="108.177.14.27 (lt-in-f27.1e100.net)" delay=3m12
s result="Ok" stat="250 2.0.0 OK  1566942607 w6si428635lfk.121 - gsmtp"

More testing will have to wait until tomorrow. :)

Good luck,
Reio


Re: Multiple query_mailaddr when using table_postgresql not possible

2019-08-12 Thread Reio Remma

On 12/08/2019 12:32, mabi wrote:

Hello,

I would like to add an extra table in a PostgreSQL database to define domain 
names which I will reject mails from (mostly spam domains) on my OpenBSD 6.5 MX 
server.

For that I would need to add the following query_mailaddr to my 
/etc/mail/postgresql.conf file as documented here 
(https://github.com/OpenSMTPD/OpenSMTPD-extras/pull/54):

query_mailaddr SELECT address FROM rejects WHERE address=?

The problem is that I already have a query_mailaddr entry in that file which is 
the following:

query_mailaddr SELECT destination FROM vusers WHERE email = 
REGEXP_REPLACE($1,'(.*)\+[\w-]+@(.*)','\1@\2');

and which I need in order to define my valid recipients using the following 
table/match rule:

table recipients postgres:/etc/mail/postgresql.conf
match from any for domain  rcpt-to  action "relay_amavis"

so, when I start smtpd I get the following error:

domains[19067]: warn: duplicate key query_mailaddr
domains[19067]: fatal: error parsing config file

Does anyone know how I can still achieve that? Maybe with another type of 
"query_" but which one?

Best regards,
Mabi


Whilst I have no experience with the new OpenSMTPD, I have my 6.0.3 
working with MySQL and 2 separate query_mailaddr (recipients and 
blacklist). I solved it by simply putting the blacklist query_mailaddr 
in a separate config file.


table recipients  mysql:/etc/opensmtpd/mysql.conf
table blacklist   mysql:/etc/opensmtpd/mysql-blacklist.conf

Good luck,
Reio




Re: 550 invalid recipient issue

2019-03-19 Thread Reio Remma

On 19/03/2019 04:53, Gabriele Tofano wrote:

I discovered the below after running a smtpd -dv -Tlookup:

lookup: check "17.58.63.178" as NETADDR in table static: -> 0
lookup: check "17.58.63.178" as NETADDR in table static: -> found
lookup: check “domain.com" as DOMAIN in table static: -> found
lookup: lookup “user1" as USERINFO in table getpwnam: -> 0

Why osmtpd is looking for user1 in table getpwnam? What table is that?


Maybe share your whole lookup debug log.

I see it's looking up user1 instead of us...@domain.com, which means 
it's matching the action with alias rule, not the action with virtuals rule.


Good luck,
Reio

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Re: Mail to root not working anymore with 6.4

2019-01-12 Thread Reio Remma
User doesn't exist: fa...@nuc.example.com 
\^M <-- What about looking at this?


Reio

On 12.01.2019 13:32, Farid Joubbi wrote:

It doesn't seem to give more information.

This is with "action lmtp-local lmtp "/var/dovecot/lmtp" rcpt-to":
Jan 12 12:12:29 nuc smtpd[91698]: f4addfe2dfdc0dee smtp connected 
address=local host=nuc.example.com 
Jan 12 12:12:29 nuc smtpd[91698]: f4addfe2dfdc0dee smtp message 
address=local host=nuc.example.com  
msgid=7701f750 from=> to=> size=2268 ndest=1 proto=ESMTP
Jan 12 12:12:29 nuc smtpd[91698]: f4addfe2dfdc0dee smtp disconnected 
address=local host=nuc.example.com  reason=quit

Jan 12 12:12:29 nuc dovecot: lmtp(9123): Connect from local
Jan 12 12:12:29 nuc dovecot: lmtp(9123): Disconnect from local: 
Connection closed (in RCPT TO)
Jan 12 12:12:29 nuc smtpd[91698]:  mda delivery 
evpid=7701f7508063f43e from=> to=> rcpt=> user=farid delay=0s result=PermFail 
stat=Error ("mail.lmtp: LMTP server error: 550 5.1.1 
mailto:r...@nuc.example.com>> User doesn't 
exist: r...@nuc.joubbi.se \^M")
Jan 12 12:12:30 nuc smtpd[91698]: f4addfe6604e447f smtp connected 
address=local host=nuc.example.com 
Jan 12 12:12:30 nuc smtpd[91698]: f4addfe6604e447f smtp message 
address=local host=nuc.example.com  
msgid=9efcaf84 from=<> to=> size=3621 ndest=1 proto=ESMTP
Jan 12 12:12:30 nuc smtpd[91698]: f4addfe6604e447f smtp disconnected 
address=local host=nuc.example.com  reason=quit

Jan 12 12:12:30 nuc dovecot: lmtp(9123): Connect from local
Jan 12 12:12:30 nuc dovecot: lmtp(9123): Disconnect from local: 
Connection closed (in RCPT TO)
Jan 12 12:12:30 nuc smtpd[91698]:  mda delivery 
evpid=9efcaf8480e8b1a5 from=<> to=> rcpt=> user=farid delay=0s result=PermFail 
stat=Error ("mail.lmtp: LMTP server error: 550 5.1.1 
mailto:fa...@nuc.example.com>> User doesn't 
exist: fa...@nuc.example.com \^M")

Jan 12 12:12:30 nuc smtpd[28280]: warn: queue: no return path!

This is with "action lmtp-local lmtp "/var/dovecot/lmtp" alias ":
Jan 12 12:23:43 nuc smtpd[58396]: info: OpenSMTPD 6.4.0 starting
Jan 12 12:24:05 nuc smtpd[59733]: af9c713d7d262539 smtp connected 
address=local host=nuc.example.com 
Jan 12 12:24:05 nuc smtpd[59733]: af9c713d7d262539 smtp message 
address=local host=nuc.example.com  
msgid=f80c9238 from=mailto:fa...@nuc.joubbi.se>> 
to=mailto:r...@nuc.joubbi.se>> size=2268 ndest=1 
proto=ESMTP
Jan 12 12:24:05 nuc smtpd[59733]: af9c713d7d262539 smtp disconnected 
address=local host=nuc.example.com  reason=quit
Jan 12 12:24:05 nuc smtpd[59733]: af9c7141cd28962a mta connecting 
address=smtp://127.0.0.1:10025  host=localhost

Jan 12 12:24:05 nuc smtpd[59733]: af9c7141cd28962a mta connected
Jan 12 12:24:05 nuc smtpd[59733]: af9c7142ff99ae87 smtp connected 
address=127.0.0.1 host=localhost
Jan 12 12:24:05 nuc smtpd[59733]: af9c7142ff99ae87 smtp failed-command 
address=127.0.0.1 host=localhost command="RCPT TO:>" result="524 5.2.4 Mailing list expansion 
problem"
Jan 12 12:24:05 nuc smtpd[59733]: af9c7141cd28962a mta delivery 
evpid=f80c92380ac5a4ea from=> to=> rcpt=> source="127.0.0.1" relay="127.0.0.1 
(localhost)" delay=0s result="PermFail" stat="524 5.2.4 Mailing list 
expansion problem"
Jan 12 12:24:06 nuc smtpd[59733]: af9c714308ca58b6 smtp connected 
address=local host=nuc.example.com 
Jan 12 12:24:06 nuc smtpd[59733]: af9c714308ca58b6 smtp message 
address=local host=nuc.example.com  
msgid=43ded801 from=<> to=> size=3553 ndest=1 proto=ESMTP
Jan 12 12:24:06 nuc smtpd[59733]: af9c714308ca58b6 smtp disconnected 
address=local host=nuc.example.com  reason=quit
Jan 12 12:24:07 nuc smtpd[59733]: af9c7142ff99ae87 smtp failed-command 
address=127.0.0.1 host=localhost command="RCPT TO:>" result="524 5.2.4 Mailing list expansion 
problem"
Jan 12 12:24:07 nuc smtpd[59733]: af9c7141cd28962a mta delivery 
evpid=43ded8014be1c057 from=<> to=> rcpt=> source="127.0.0.1" relay="127.0.0.1 
(localhost)" delay=1s result="PermFail" stat="524 5.2.4 Mailing list 
expansion problem"

Jan 12 12:24:07 nuc smtpd[21379]: warn: queue: no return path!
Jan 12 12:24:17 nuc smtpd[59733]: af9c7142ff99ae87 smtp disconnected 
address=127.0.0.1 host=localhost 

Re: smtpctl: need root privileges

2018-09-25 Thread Reio Remma
I've allowed a passwordless sudo in sudoers on CentOS 7 for a certain 
user to be able to execute specific smtpd commands.


Albeit, I have no idea if the same is possible on OpenBSD.

Good luck!
Reio

On 25/09/2018 12:23, Joel Carnat wrote:

Hi,

(Running OpenBSD 6.3/amd64 with OpenSMTPD 6.0.4)

I want `telegraf` to be allowed to run `/usr/sbin/smtpctl show stats`.
I configured "_smtpq:*:103:_telegraf" in groups and thought it would run.
But I still get:
  # doas -u _telegraf /usr/sbin/smtpctl show stats
  smtpctl: need root privileges

Is the thread (https://github.com/OpenSMTPD/OpenSMTPD/issues/678) 
still relevant ?

Is the only way to get stats to use doas to execute as root?

Thanks. 



--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Re: OpenSMTPD password encryption scheme.

2018-09-18 Thread Reio Remma
I'm already using a shared SQL user database between Dovecot and 
OpenSMTPD, so all is fine in that sense. :)


I now actually recall running into the same issue when I was setting the 
system up - I ended up using smtpctl encrypt to generate the shared 
passwords. Alas, no way to provide rounds to smtpctl encrypt. :)


On 18.09.2018 20:49, Andreas Broecking wrote:

Hey,

I struggled with this issue as well on FreeBSD.

This worked for me after a lot of tracing.

1. Create your PW hash with doveadm:
echo `doveadm pw -s BLF-CRYPT` | cut -d'}' -f2

This will cut the {BLF-CRYPT}… header created by doveadm.
Opensmtpd uses crypt() to figure out the hash type and should roll with it.

2. Tell dovecot that your password hashes are BLF-CRYPT so it recognises them 
without the {BLF-CRYPT} header

passdb {
 driver = passwd-file
 args = scheme=blf-crypt /usr/local/etc/mail/passwd
}

This way you can use the same passwd table both for opensmtpd and dovecot.

HTH
Andreas




On 18. Sep 2018, at 09:06, Reio Remma  wrote:

Hello!

I'm curious as to what determines the password scheme used by OpenSMTPD on a 
Linux system (CentOS 7 in my case). When setting up the system I ended up with 
using SHA512, because it seems to be what works both in OpenSMTPD and Dovecot, 
but would really like to use Blowfish instead. Dovecot seems to work with it, 
but is there any way I can make OpenSMTPD also agree with it?

Thanks,
Reio








Re: OpenSMTPD password encryption scheme.

2018-09-18 Thread Reio Remma

On 18.09.2018 19:33, Gilles Chehade wrote:

that's an easy one:

OpenSMTPD uses the crypt() function provided by your system and does not
care about the password scheme used as this is a system-specific detail.

On modern systems the crypt() function encodes the algorithm, rounds and
salt as a prefix to the encrypted password, as shown below:

  $2b$09$fEv/zNZ/5hELpDH3Vq93AuygRLnySIcNXH78rq9WxPPbZJxmcdk5m
  |  |  ||
  |  |  ||__ encrypted password
  |  |  |__ beginning of salt
  |  |__ beginning of rounds
  |__ beginning of cipher


But this encoding is only valid for my operating system, yours will have
a different one and the only thing you need to care about is if password
was generated using the same crypt() function that will be used to validate
it.

I suggest you read the crypt(3) and passwd(1) man pages of your system.


Progress! I got it working with rounds=50.

There was one issue initially - Dovecot generates passwords with 
{SHA512-CRYPT} prepended to the string and OpenSMTPD closes the whole 
smtpd process when it encounters such a password. Removing the 
{SHA512-CRYPT} string from the hash helped make it all work.
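
The two points made in this thread (the crypt() string itself carries algorithm, rounds and salt; a Dovecot-style {SCHEME} label in front of it has to be removed before OpenSMTPD reads the entry) can be checked mechanically before a shared password table is deployed. The Python below is an added example, not code from the posters or from OpenSMTPD; the function names, the "user hash" line layout, the SHA-512 sample entries and the 5000-round default used when no rounds= field is present are assumptions or constructed values.

```python
import re

# Hash quoted in Gilles Chehade's message above.
PAGE_HASH = "$2b$09$fEv/zNZ/5hELpDH3Vq93AuygRLnySIcNXH78rq9WxPPbZJxmcdk5m"

# Constructed entries in an assumed "user<whitespace>hash" table layout.
# The SHA-512 digests are placeholders of the right length, not real hashes.
SAMPLE_TABLE = [
    "alice {BLF-CRYPT}" + PAGE_HASH,
    "bob {SHA512-CRYPT}$6$rounds=100000$constructedsalt$" + "A" * 86,
    "carol $6$constructedsalt$" + "A" * 86,
]

ALGORITHMS = {"2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
              "5": "sha256-crypt", "6": "sha512-crypt"}
SHA_DIGEST_LEN = {"5": 43, "6": 86}
SCHEME_LABEL = re.compile(r"^\{([A-Za-z0-9_.-]+)\}")


def parse_crypt(value):
    """Split a modular crypt string into algorithm, cost, salt and digest."""
    if not value.startswith("$"):
        raise ValueError("not a modular crypt string: %r" % value[:16])
    fields = value.split("$")[1:]
    ident = fields[0]
    if ident not in ALGORITHMS:
        raise ValueError("unknown crypt id: %r" % ident)

    if ALGORITHMS[ident] == "bcrypt":
        # Layout: $2b$<two-digit cost>$<22-char salt><31-char digest>
        if len(fields) != 3 or not re.fullmatch(r"\d\d", fields[1]):
            raise ValueError("malformed bcrypt string")
        body = fields[2]
        if not re.fullmatch(r"[./0-9A-Za-z]{53}", body):
            raise ValueError("malformed bcrypt salt/digest")
        return {"algorithm": "bcrypt", "cost": int(fields[1]),
                "salt": body[:22], "digest": body[22:]}

    # Layout: $5$ or $6$, optional "rounds=N", then salt and digest.
    rest = fields[1:]
    rounds = 5000  # assumed default when no rounds= field is present
    if rest and rest[0].startswith("rounds="):
        rounds = int(rest[0][len("rounds="):])
        rest = rest[1:]
    if len(rest) != 2 or len(rest[1]) != SHA_DIGEST_LEN[ident]:
        raise ValueError("malformed %s string" % ALGORITHMS[ident])
    return {"algorithm": ALGORITHMS[ident], "cost": rounds,
            "salt": rest[0], "digest": rest[1]}


def lint_entry(line):
    """Report what one table line contains and the value smtpd should get."""
    user, value = line.split(None, 1)
    value = value.strip()
    label = SCHEME_LABEL.match(value)
    bare = value[label.end():] if label else value
    report = parse_crypt(bare)
    report.update(user=user,
                  dovecot_label=label.group(1) if label else None,
                  smtpd_value=bare)
    return report


if __name__ == "__main__":
    for entry in SAMPLE_TABLE:
        r = lint_entry(entry)
        note = "strip {%s} for smtpd" % r["dovecot_label"] if r["dovecot_label"] else "ok as is"
        print("%-6s %-13s cost=%-7d %s" % (r["user"], r["algorithm"], r["cost"], note))
```
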





Re: OpenSMTPD password encryption scheme.

2018-09-18 Thread Reio Remma

On 18.09.2018 19:33, Gilles Chehade wrote:

On Tue, Sep 18, 2018 at 10:06:49AM +0300, Reio Remma wrote:

Hello!

I'm curious as to what determines the password scheme used by OpenSMTPD on a
Linux system (CentOS 7 in my case).



that's an easy one:

OpenSMTPD uses the crypt() function provided by your system and does not
care about the password scheme used as this is a system-specific detail.

On modern systems the crypt() function encodes the algorithm, rounds and
salt as a prefix to the encrypted password, as shown below:

  $2b$09$fEv/zNZ/5hELpDH3Vq93AuygRLnySIcNXH78rq9WxPPbZJxmcdk5m
  |  |  ||
  |  |  ||__ encrypted password
  |  |  |__ beginning of salt
  |  |__ beginning of rounds
  |__ beginning of cipher


But this encoding is only valid for my operating system, yours will have
a different one and the only thing you need to care about is if password
was generated using the same crypt() function that will be used to validate
it.

I suggest you read the crypt(3) and passwd(1) man pages of your system.


Thanks for your reply. :)

I was just reading up whilst my son was in his football practice and I'm 
about to see if I can add a few hundred thousand more rounds to the 
SHA512 that CentOS is using.


Thanks,
Reio




OpenSMTPD password encryption scheme.

2018-09-18 Thread Reio Remma

Hello!

I'm curious as to what determines the password scheme used by OpenSMTPD 
on a Linux system (CentOS 7 in my case). When setting up the system I 
ended up with using SHA512, because it seems to be what works both in 
OpenSMTPD and Dovecot, but would really like to use Blowfish instead. 
Dovecot seems to work with it, but is there any way I can make OpenSMTPD 
also agree with it?


Thanks,
Reio




Re: Testing SMTP Authentication CLI

2018-09-09 Thread Reio Remma

On 09.09.2018 7:16, Antonino Sidoti wrote:

I would like to test the configuration from CLI on my MacBook and using;

openssl s_client -connect mail.example.com:25 -starttls smtp.

The connection is successful and I can see TLS handshake, etc.
I now enter ‘helo’ and 'auth login’, each are successful.

Now going further, how can I test the user credentials using an ‘openssl’ 
connection? I am confident that ‘smtpctl encrypt’ it is using BLF-CRYPT, though 
what do I do to input the username and password to test the credentials?


I just tested it out of curiosity:

AUTH login 
334 VXNlcm5hbWU6

334 UGFzc3dvcmQ6

235 2.0.0: Authentication succeeded

Good luck,
Reio




Re: Sending mail from PowerShell via OpenSMTPD fails.

2018-09-05 Thread Reio Remma
Thanks for pointing it out! Quick search and I now know they're 
plaintext transmitted in base64. :P


Time for a password change. :D

I can also tell you why it decodes as Usernamu. :P

Reio

PS: Damnation

On 05/09/2018 10:24, Marcus MERIGHI wrote:

Hello,

r...@mrstuudio.ee (Reio Remma), 2018.09.04 (Tue) 21:51 (CEST):

I've a backup script in Windows that sends an e-mail upon completion.
The mail goes out successfully if I use port 25 on the mail server but fails
unspectacularly with no specific error message on OpenSMTPD side when I try
to submit it authenticated on port 587.

I had to remove the rest, it contained info you should not have posted
and should change now ;-)

client: AUTH login 
server: 334 Usernamu: [I have no idea why the *u is there!]
client: (answers with a string that does not look like a username)
server: [thinks it's got a username] 334 Password:
client: disconnects

IIRC, there's two ways of doing auth in SMTP, your client is trying A
and smtpd expecting B.

Marcus






Sending mail from PowerShell via OpenSMTPD fails.

2018-09-04 Thread Reio Remma

Hello!

I've a backup script in Windows that sends an e-mail upon completion.

The mail goes out successfully if I use port 25 on the mail server but 
fails unspectacularly with no specific error message on OpenSMTPD side 
when I try to submit it authenticated on port 587.


I suspect it's a PowerShell issue, but just in case, here are OpenSMTPD 
logs from the attempt.


IIRC authenticated submission used to work with our old QMail server.

PowerShell merely states:

Send-MailMessage : Authentication failed.
+ Send-MailMessage @param
+ ~~~
    + CategoryInfo  : InvalidOperation: 
(System.Net.Mail.SmtpClient:SmtpClient) [Send-MailMessage], SmtpException
    + FullyQualifiedErrorId : 
SmtpException,Microsoft.PowerShell.Commands.SendMailMessage

Regular OpenSMTPD logs state:

Sep  4 22:21:33 host smtpd[1011]: 676cdf15bd475b2d smtp event=connected 
address=10.0.8.2 host=10.0.8.2
Sep  4 22:21:34 host smtpd[1011]: 676cdf15bd475b2d smtp event=starttls address=10.0.8.2 
host=10.0.8.2 ciphers="version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, 
bits=256"
Sep  4 22:21:34 host smtpd[1011]: 676cdf15bd475b2d smtp event=closed 
address=10.0.8.2 host=10.0.8.2 reason=disconnect


OpenSMTPD with trace states:

Sep  4 22:28:12 host smtpd[28824]: 1358b9537a51618f smtp event=starttls address=10.0.8.2 
host=10.0.8.2 ciphers="version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, 
bits=256"
Sep  4 22:28:12 host smtpd[28824]: mproc: pony -> control : 41 
IMSG_STAT_INCREMENT
Sep  4 22:28:12 host smtpd[28824]: smtp: 0x239f1a0: STATE_TLS -> STATE_HELO
Sep  4 22:28:12 host smtpd[28822]: imsg: control <- pony: IMSG_STAT_INCREMENT 
(len=41)
Sep  4 22:28:12 host smtpd[28822]: ramstat: increment: smtp.tls
Sep  4 22:28:12 host smtpd[28822]: ramstat: smtp.tls (0x2193800): 0 -> 1
Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: IO_DATAIN 
Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: <<< EHLO Silencio
Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: STATE_HELO -> STATE_HELO
Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: >>> 250-host.domain.ee 
Hello Silencio [10.0.8.2], pleased to meet you
Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: >>> 250-8BITMIME
Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: >>> 250-ENHANCEDSTATUSCODES
Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: >>> 250-SIZE 104857600
Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: >>> 250-DSN
Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: >>> 250-AUTH PLAIN LOGIN
Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: >>> 250 HELP
Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: IO_LOWAT 
Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: IO_DATAIN 
Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: <<< AUTH login 
cmVpb0BtcnN0dXVkaW8uZWX=
Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: STATE_HELO -> 
STATE_AUTH_USERNAME
Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: >>> 334 VXNlcm5hbXU6
Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: IO_LOWAT 
Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: IO_DATAIN 
Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: <<< OGlyNW1GTnp6eg==
Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: STATE_AUTH_USERNAME -> 
STATE_AUTH_PASSWORD
Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: >>> 334 UGFzc3dvcmQ6
Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: IO_LOWAT 
Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: IO_DISCONNECTED 
Sep  4 22:28:13 host smtpd[28824]: 1358b9537a51618f smtp event=closed 
address=10.0.8.2 host=10.0.8.2 reason=disconnect
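
The 334 lines in this trace, and in the "Testing SMTP Authentication CLI" reply above, are base64-encoded prompts, and whatever the client sends around them is the credential material in equally reversible base64. The Python below is an added example, not code from the thread or from OpenSMTPD: it decodes the server prompts and redacts the client's AUTH data from a trace before the log is shared. The function names, the [REDACTED] marker and the sample trace (built from constructed credentials in the log format shown above, including the mail-client line wrapping) are assumptions.

```python
import base64
import re

# Constructed credentials; the trace below copies only the line format above.
USER_B64 = base64.b64encode(b"alice@example.org").decode()
PASS_B64 = base64.b64encode(b"constructed-password").decode()
HEAD = "Sep  4 22:28:13 host smtpd[28824]: smtp: 0x239f1a0: "
SAMPLE_TRACE = "\n".join([
    HEAD + "<<< EHLO client.example",
    HEAD + ">>> 250-AUTH PLAIN LOGIN",
    HEAD + "<<< AUTH login ",       # wrapped by the mail client ...
    USER_B64,                        # ... so the secret sits on its own line
    HEAD + ">>> 334 VXNlcm5hbWU6",
    HEAD + "<<< " + PASS_B64,        # client's reply to the 334 prompt
    HEAD + ">>> 334 UGFzc3dvcmQ6",
    HEAD + "IO_DISCONNECTED",
])

SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
TRACE_LINE = re.compile(
    r"^(?P<head>.* smtp: (?P<sid>0x[0-9a-f]+): )(?P<dir><<<|>>>) ?(?P<data>.*)$")
AUTH_WITH_ARG = re.compile(r"^(AUTH\s+\S+)\s+\S", re.IGNORECASE)


def decode_challenge(reply):
    """Decode the prompt carried by a '334 <base64>' server reply."""
    code, _, payload = reply.partition(" ")
    if code != "334":
        raise ValueError("not a 334 reply: %r" % reply)
    return base64.b64decode(payload, validate=True).decode("ascii")


def unwrap(text):
    """Re-join continuation lines that do not start with a syslog timestamp."""
    lines = []
    for raw in text.splitlines():
        if lines and raw.strip() and not SYSLOG_START.match(raw):
            lines[-1] = lines[-1].rstrip() + " " + raw.strip()
        else:
            lines.append(raw)
    return lines


def scrub_trace(text):
    """Return the trace with client AUTH data replaced by [REDACTED]."""
    awaiting = set()  # sessions whose last server reply was a 334 prompt
    out = []
    for line in unwrap(text):
        m = TRACE_LINE.match(line)
        if not m:
            out.append(line)
            continue
        sid, data = m["sid"], m["data"]
        if m["dir"] == ">>>":
            # A 334 means the next client line of this session is a secret.
            if data.startswith("334"):
                awaiting.add(sid)
            else:
                awaiting.discard(sid)
            out.append(line)
            continue
        auth = AUTH_WITH_ARG.match(data)
        if auth:                       # AUTH <mechanism> <initial response>
            data = auth.group(1) + " [REDACTED]"
        elif sid in awaiting:          # bare base64 answer to a 334 prompt
            data = "[REDACTED]"
        awaiting.discard(sid)
        out.append(m["head"] + "<<< " + data)
    return "\n".join(out)


if __name__ == "__main__":
    for prompt in ("334 VXNlcm5hbWU6", "334 VXNlcm5hbXU6", "334 UGFzc3dvcmQ6"):
        print(prompt, "->", decode_challenge(prompt))
    print(scrub_trace(SAMPLE_TRACE))
```
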





Re: very confused on userbase parameter

2018-09-01 Thread Reio Remma

Hello!

Are you using multiple domains? I just tested it in its simplest form 
(in 6.0.3) with one domain and it worked without virtuals.


table userinfo { reio = 5000:5000:/home/vmail/turin.mrstuudio.ee/reio }

accept tagged Filtered for domain  userbase  deliver 
to lmtp "/var/run/dovecot/lmtp" rcpt-to


OpenSMTPD successfully read the .forward file from 
5000:5000:/home/vmail/turin.mrstuudio.ee/reio/.forward


If you're using multiple domains, then you need a somewhat convoluted 
system with virtuals and userbase.


The trouble is that OpenSMTPD is checking only the user name without the 
domain part from userbase.


Good luck,
Reio

On 01.09.2018 18:59, Matt Schwartz wrote:

I am afraid that I am hopelessly confused on the userbase parameter.
If I were to have the following:

# credentials
user1  

# userinfo
# vmail user is 2000
user1  2000:2000:/var/vmail/user1

# virtuals
us...@domain1.com  vmail

# smtpd.conf
table credentials file:/etc/mail/credentials
table virtuals file:/etc/mail/virtuals
table userinfo file:/etc/mail/userinfo

action "action01" maildir userbase  virtuals 
match from any for domain "domain1.com" action "action01"

In theory, shouldn't this deliver email addressed to us...@domain1.com
to /var/vmail/user1/Maildir/new?

Thanks in advance,
Matt







Re: userbase question

2018-08-27 Thread Reio Remma
Iirc I got the .forward file working with sqlite tables, where the user query 
also returned the virtual user’s maildir as an extra parameter.

Good luck,
Reio

> On 27 Aug 2018, at 16:11, Matt Schwartz  wrote:
> 
> Hello misc@,
> 
> Below is my configuration file. I am trying to use the userbase
> parameter and when I try to send an email to myself, I get the 550
> Invalid Recipient error. I am trying to get the usrbase parameter
> working so that I can add a .forward file for virtual users as per the
> table(5) man page. If I don't use the userbase parameter, mail
> delivery works just fine. I am not certain what I am doing wrong here.
> 
> #smtpd.conf
> pki mail cert "/etc/ssl/smtpd.crt"
> pki mail key "/etc/ssl/private/smtpd.key"
> 
> table aliases file:/etc/mail/aliases
> table addrnames file:/etc/mail/addrnames
> table credentials file:/etc/mail/credentials
> table domains file:/etc/mail/domains
> table virtuals file:/etc/mail/virtuals
> table usrbase file:/etc/mail/usrbase
> table rejects file:/etc/mail/rejects
> 
> # Listeners
> #
> listen on lo0
> listen on lo0 port 10028 tag DKIM
> listen on vio0 tls pki mail hostnames 
> listen on vio0 port 587 tls-require pki mail auth  \
>hostnames 
> 
> # Actions
> #
> action "local" mda "/usr/local/bin/rspamc -d %{dest} --mime --exec
> '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest} -a
> %{rcpt}'" alias 
> action "domain" mda "/usr/local/bin/rspamc -d %{dest} --mime --exec
> '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest} -a
> %{rcpt}'" userbase  virtual 
> action "dkim" relay host smtp://127.0.0.1:10027
> action "relay" relay
> 
> # Incoming
> #
> match from any mail-from  for any reject
> match from local for local action "local"
> match from any for domain  action "domain"
> 
> # Outgoing
> #
> match tag DKIM for any action "relay"
> match from local for any action "dkim"
> match auth from any for any action "dkim"
> 
> #usrbase
> m...@example.org 2000:2000:/var/vmail/example.org/matt
> 
> #virtuals
> m...@example.org vmail
> 
> Thanks in advance,
> Matt
> 
> 





Re: Forward of single email address

2018-08-24 Thread Reio Remma

On 24.08.18 16:04, opensm...@stachelkaktus.net wrote:

Hello Matt,

On 24.08.2018 13:49, Matt Schwartz wrote:

Try adding it to the aliases file and see what happens but I think the
aliases file may only work to map a system user to another email address.

I've added another e-mail to an alias:

# cat aliases
...
test2mydomain.net: i...@otherdomain.com

This line seems to be completely ignored by opensmtp. Therefore it
seems your assumption that this works only to map a system user to
another email address seems to be right.


You need to configure your OpenSMTPD to actually use the alias file.




Re: Forward of single email address

2018-08-24 Thread Reio Remma

What do opensmtpd log entries look like?

You might want to try running with "smtpctl trace lookup" and see what 
it's actually resolving to etc.


Good luck,
Reio

On 24.08.18 11:19, opensm...@stachelkaktus.net wrote:

Hello Matt,

thank you for your answer.

On 24.08.2018 02:48, Matt Schwartz wrote:

Try adding something similar to this to your vusers:
u...@example.org   u...@example.com

I've tried this additionally before.


# cat virtusertable
...
te...@mydomain.net   external
te...@mydomain.net   i...@otherdomain.com


and get the same error:
i...@otherdomain.com:
SMTP error from remote server for RCPT TO command, host: mout.mydomain.net 
reason: 550 Invalid recipient





additionally I had a typo in the first message, the correct writing is:

# cat /var/maildir/external/.forward
i...@otherdomain.com




--
Best regards
Reio Remma


MR Stuudio 25 years

*MR Stuudio OÜ*
Tondi 17b, 11316, Tallinn
Tel +372 650 4808
Mob +372 56 22 00 33
r...@mrstuudio.ee
www.mrstuudio.ee





Re: 6.0.3p1-2 - messages sent from imap (dovecot) are not passed through dkimproxy

2018-08-01 Thread Reio Remma

On 01.08.18 15:17, ѽ҉ᶬḳ℠ wrote:

The matching rule for you should now be:

accept (from local) for any relay via smtp://127.0.0.1:10027

This rule matching would again bypass DKIM and is redundant:

accept from source 172.25.120.2 for any relay


The way is set and working now:

accept for any relay via smtp://127.0.0.1:10027


The following 2 lines are redundant. The above will match first for 
authenticated submissions.



accept from local for any relay
accept from source 172.25.120.2 for any relay






Re: 6.0.3p1-2 - messages sent from imap (dovecot) are not passed through dkimproxy

2018-08-01 Thread Reio Remma

On 01.08.18 14:48, ѽ҉ᶬḳ℠ wrote:

Having sorted PAM SMTPAUTH the user/client 172.25.120.2 is now treated
as  server's local user and filter rules using from local are matched.
Thence, amended

[ accept from source 172.25.120.2 for any relay via
smtp://127.0.0.1:10027 ] to [ accept from source 172.25.120.2 for any
relay ] and DKIM is working now for that client as well.

Appreciate the feedback/assistance provided here.


The matching rule for you should now be:

accept (from local) for any relay via smtp://127.0.0.1:10027

This rule matching would again bypass DKIM and is redundant:

accept from source 172.25.120.2 for any relay

Good luck,
Reio






Re: 6.0.3p1-2 - messages sent from imap (dovecot) are not passed through dkimproxy

2018-07-31 Thread Reio Remma

On 31.07.18 10:11, ѽ҉ᶬḳ℠ wrote:

  From cli it is a different ip. Just add a relay via dkim to the
line in question then and see if that works.


So it is but why makes that difference considering the directives -
particularly the [ any ] part should cover any (as in 172.25.120.2 for
instance), or should it not?

accept tagged DKIM for any relay
accept for any relay via smtp://127.0.0.1:10027

The default "from" for accept is "from local", which means only
local/authenticated messages were relayed to DKIM.

I suspect 172.25.120.2 was sending without authentication?

   from  [ !]
  local
 The rule matches only locally originating
connections.
 This is the default,
 and may be omitted.

172.25.120.2 gets authenticated by encrypted password over (START)TLS. I
would not permit any client for sending messages without authentication
first.


listen on eth0 inet4 port 587 smtps hostname mail mask-source tag lan


Either you trimmed this config line or you're missing "auth". Otherwise I 
suspect you're running without authentication.



Re: 6.0.3p1-2 - messages sent from imap (dovecot) are not passed through dkimproxy

2018-07-31 Thread Reio Remma

On 31.07.18 6:43, ѽ҉ᶬḳ℠ wrote:

 From cli it is a different ip. Just add a relay via dkim to the line in 
question then and see if that works.


So it is but why makes that difference considering the directives -
particularly the [ any ] part should cover any (as in 172.25.120.2 for
instance), or should it not?

accept tagged DKIM for any relay
accept for any relay via smtp://127.0.0.1:10027


The default "from" for accept is "from local", which means only 
local/authenticated messages were relayed to DKIM.


I suspect 172.25.120.2 was sending without authentication?

  from  [ !]
 local
The rule matches only locally originating connections.
This is the default,
and may be omitted.

Good luck!
Reio




Re: SMTP server does not support authentication

2018-07-12 Thread Reio Remma

Hello!

Did you try using the submission port (587) in Roundcube?

You probably won't want to enforce auth on port 25 because that's used 
mostly for incoming mail.


Good luck,
Reio

On 12.07.2018 10:52, Teno Deuter wrote:

Dear all,

I have following configuration:

openbsd 6.3
opensmtpd
dovecot 2.2.34
roundcubemail 1.3.5
httpd web server

here is my roundcube config file:

$config['default_host'] = '127.0.0.1';
$config['smtp_server'] = '127.0.0.1';
$config['smtp_port'] = 25;
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';

my opensmtpd.conf file has following settings:

listen on $egress_int pki server.pki tls-require auth hostname [domain]
listen on $egress_int pki server.pki port 587 tls-require auth hostname [domain]
listen on $egress_int pki server.pki smtps auth hostname [domain]

when trying to send an email from roundcube I get:

ERROR: SMTP server does not support authentication ()

How can I enable AUTH?

Thank you







Re: Fwd: smtpd.conf configuration error (accept)

2018-07-04 Thread Reio Remma

It seems empty equals broken. You need actual content in the file.

Reio


On 04.07.2018 12:25, Teno Deuter wrote:

unfortunately, in my case, the blacklist file is empty! :(

could have something to do with the permissions? Here is my current status:

-rw-r--r--  1 root  wheel

On Wed, Jul 4, 2018 at 11:00 AM, Reio Remma  wrote:

On 04.07.2018 11:35, Teno Deuter wrote:

here is what I have changed:

accept from any \
  for domain  recipient ! \
  virtual  \
  deliver to maildir "/var/mail/%{user.username}/Inbox"

and I still get the error:

invalid use of table "blacklistRecipients" as RECIPIENT parameter


The only way I can duplicate that error is by intentionally breaking the
blacklist file.

Recipients file/table should have one e-mail address per line I suspect.

Good luck!
Reio








Re: Fwd: smtpd.conf configuration error (accept)

2018-07-04 Thread Reio Remma

On 04.07.2018 11:35, Teno Deuter wrote:

here is what I have changed:

accept from any \
 for domain  recipient ! \
 virtual  \
 deliver to maildir "/var/mail/%{user.username}/Inbox"

and I still get the error:

invalid use of table "blacklistRecipients" as RECIPIENT parameter


The only way I can duplicate that error is by intentionally breaking the 
blacklist file.


Recipients file/table should have one e-mail address per line I suspect.

Good luck!
Reio




Re: Fwd: smtpd.conf configuration error (accept)

2018-07-03 Thread Reio Remma

On 04.07.2018 2:18, Teno Deuter wrote:

here is the full 'accept' part I was trying to define in order to
receive email from the outside:

accept from any \
 recipient !  \
 for domain 
 virtual  \
 deliver to maildir "/var/mail/%{user.username}/Inbox"

so now I have 2 issues:

1.
the 'blacklistRecipients' which throws a syntax error and


Your accept order is still wrong. Should be:

accept from any for domain  recipient !

Good night. :)
Reio




Re: Fwd: smtpd.conf configuration error (accept)

2018-07-03 Thread Reio Remma

You need the domain match as well.

accept from any for domain example.org recipient ! 
alias  deliver to mbox


That works on my test system.

Reio

On 04.07.2018 1:20, Teno Deuter wrote:

just tried and gives a syntax error :(

On Tue, Jul 3, 2018 at 11:59 PM, Reio Remma  wrote:

Did you try it with:

accept from any for recipient ! 

Reio

On 03.07.2018 21:04, Teno Deuter wrote:

Thank you for your prompt reply but unfortunately this wasn't the problem :(

I renamed to 'blacklistRecipients' and still get the same error message!

On Tue, Jul 3, 2018 at 7:57 PM, Reio Remma  wrote:

Hello!

I'm not sure you can have a dash (-) in a table name. Apart from that, if
I'm correct that you're trying to reject mail to blacklisted recipients on
your own server, then:

reject from any for recipient 

Good luck,
Reio

On 03.07.2018 20:39, Teno Deuter wrote:

Dear support team,

I'm running an OpenBSD 6.3 amd64 installed box and try to set up
opensmtpd. In the smtpd.conf file, following entries can be found:

table blacklist-recipients file:/etc/mail/blacklist-recipients

accept from any \
  recipient !  \

accept from any \
  recipient !  \

but I get the error:

invalid use of table "blacklist-recipients" as RECIPIENT parameter

also, I was looking for the 'accept' syntax documentation!

Thank you for your kind help on this





--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Re: Fwd: smtpd.conf configuration error (accept)

2018-07-03 Thread Reio Remma

Did you try it with:

accept from any*for*  recipient ! 

Reio

On 03.07.2018 21:04, Teno Deuter wrote:

Thank you for your prompt reply but unfortunately this wasn't the problem :(

I renamed to 'blacklistRecipients' and still get the same error message!

On Tue, Jul 3, 2018 at 7:57 PM, Reio Remma  wrote:

Hello!

I'm not sure you can have a dash (-) in a table name. Apart from that, if
I'm correct that you're trying to reject mail to blacklisted recipients on
your own server, then:

reject from any for recipient 

Good luck,
Reio

On 03.07.2018 20:39, Teno Deuter wrote:

Dear support team,

I'm running an OpenBSD 6.3 amd64 installed box and try to set up
opensmtpd. In the smtpd.conf file, following entries can be found:

table blacklist-recipients file:/etc/mail/blacklist-recipients

accept from any \
  recipient !  \

accept from any \
  recipient !  \

but I get the error:

invalid use of table "blacklist-recipients" as RECIPIENT parameter

also, I was looking for the 'accept' syntax documentation!

Thank you for your kind help on this





Re: Dkim problems

2018-06-08 Thread Reio Remma

On 09.06.2018 2:39, flipchan wrote:


Hello ,
I'm having troubles configuring dkim to sign msgs with
opensmtpd, i can send emails with dkim it just loops it
and breaks

log:
Jun 8 20:36:21 mail smtpd[63656]: 1488dfc121f5364b smtp 
event=connected address=myip host=myhost
Jun 8 20:36:22 mail smtpd[63656]: 1488dfc121f5364b smtp event=starttls 
address=myip host=myhost ciphers="version=TLSv1.2, 
cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256"
Jun 8 20:36:22 mail smtpd[63656]: 1488dfc121f5364b smtp 
event=authentication user=testuser address=myip host=myhost result=ok
Jun 8 20:36:23 mail smtpd[63656]: 1488dfc121f5364b smtp event=message 
address=myip host=myhost msgid=3f9e from= 
to= size=556 n

dest=1 proto=ESMTP
Jun 8 20:36:23 mail smtpd[63656]: 1488dfc4e9e0ccb5 mta 
event=connecting address=smtp://127.0.0.1:10027 host=localhost

Jun 8 20:36:23 mail smtpd[63656]: 1488dfc4e9e0ccb5 mta event=connected
Jun 8 20:36:23 mail smtpd[63656]: 1488dfc54676e1ec smtp 
event=connected address=127.0.0.1 host=localhost
Jun 8 20:36:23 mail dkimproxy.out[76617]: DKIM signing - signed; 
message-id=, 
signer=, from=
Jun 8 20:36:23 mail smtpd[63656]: 1488dfc121f5364b smtp event=closed 
address=myip host=myhost reason=quit
Jun 8 20:36:23 mail smtpd[63656]: 1488dfc54676e1ec smtp event=message 
address=127.0.0.1 host=localhost msgid=3737cdb6 
from= to= size=2536 
ndest=1 proto=ESMTP
Jun 8 20:36:23 mail smtpd[63656]: 1488dfc4e9e0ccb5 mta event=delivery 
evpid=3f9efd1e5cb1 from= 
to= rcpt=<-> source="127.0.0.1" 
relay="127.0.0.1 (localhost)"
delay=1s result="Ok" stat="250 2.0.0: 3737cdb6 Message accepted for 
delivery"
Jun 8 20:36:24 mail dkimproxy.out[76617]: DKIM signing - signed; 
message-id=, 
signer=, from=
Jun 8 20:36:24 mail smtpd[63656]: 1488dfc54676e1ec smtp event=message 
address=127.0.0.1 host=localhost msgid=47f3b370 
from= to= size=4516 
ndest=1 proto=ESMTP
Jun 8 20:36:24 mail smtpd[63656]: 1488dfc4e9e0ccb5 mta event=delivery 
evpid=3737cdb6c6f4cceb from= 
to= rcpt=<-> source="127.0.0.1" 
relay="127.0.0.1 (localhost)"
delay=1s result="Ok" stat="250 2.0.0: 47f3b370 Message accepted for 
delivery"




this must be a smtpd.conf error, here is my configuration:
# $OpenBSD: smtpd.conf,v 1.9 2016/05/03 18:43:45 jung Exp $

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

pki mail.mydomain.com certificate "/etc/ssl/mail.mydomain.com.crt"
pki mail.mydomain.com key "/etc/ssl/private/mail.mydomain.com.key"

queue compression
queue encryption key a2410ef405aa1d6e7592091f21092abe


table aliases file:/etc/mail/aliases


#listen on lo0
##listen on vio0 port 25 tls pki mail.mydomain.com
#listen on 0.0.0.0 port 25 tls pki mail.mydomain.com

listen on lo0

listen on lo0 port 10028 tag DKIM_OUT

#listen on lo0 port 10028 tag DKIM hostname mydomain.com
listen on vio0 port 25 hostname mydomain.com tls pki mail.mydomain.com
listen on vio0 port 587 hostname mydomain.com tls-require pki 
mail.mydomain.com auth mask-source


max-message-size 50M

#

#DKIM
#listen on lo0 port 10028 tag DKIM
#accept tagged DKIM for any relay
#accept from local for any relay via smtp://127.0.0.1:10027

#accept tagged DKIM for any relay source externalip hostname mydomain.com
# Uncomment the following to accept external mail for domain "example.org"
#

accept from any for domain "mydomain.com" alias  deliver to mbox
accept for local alias  deliver to mbox
accept tagged DKIM for any relay
accept from local for any relay via smtp://127.0.0.1:10027


#accept tagged DKIM_OUT from any for any relay
#accept for any relay via smtp://127.0.0.1:10027

#listen on lo0 port 10028 tag DKIM
#accept tagged DKIM for any relay
#accept from local for any relay via smtp://127.0.0.1:10027


Can anyone see something I don't? What am I doing wrong?


You're tagging as DKIM_OUT, but matching as DKIM.

Possibly.

Good luck,
Reio
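
The mismatch pointed out in this reply (the listener on port 10028 sets the tag DKIM_OUT while the relay rule matches DKIM) is the kind of error a small consistency check finds before smtpd is restarted. The Python below is an added example, not part of the thread or of OpenSMTPD; check_tags and its result keys are hypothetical names, and the config text is an excerpt of the smtpd.conf quoted above with the lines that reference tables left out.

```python
import re

# Excerpt of the smtpd.conf quoted above (table-referencing lines left out).
PAGE_CONF = """\
listen on lo0
listen on lo0 port 10028 tag DKIM_OUT
#listen on lo0 port 10028 tag DKIM
accept tagged DKIM for any relay
accept from local for any relay via smtp://127.0.0.1:10027
"""

# Same excerpt with the listener tag changed to the one the rule matches.
FIXED_CONF = PAGE_CONF.replace("tag DKIM_OUT", "tag DKIM")

LISTEN_TAG = re.compile(r"\btag\s+(\S+)")
# Old grammar: "accept tagged [!] TAG"; new grammar: "match tag TAG".
OLD_RULE_TAG = re.compile(r"\btagged\s+(?:!\s*)?(\S+)")
NEW_RULE_TAG = re.compile(r"\btag\s+(\S+)")


def logical_lines(conf):
    """Yield config lines with comments dropped and '\\' continuations joined."""
    buf = ""
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf.strip()


def check_tags(conf):
    """Compare tags set by listeners with tags referenced by rules."""
    set_by_listener = set()
    used_by_rule = set()
    for line in logical_lines(conf):
        keyword = line.split()[0]
        if keyword == "listen":
            found = LISTEN_TAG.search(line)
            if found:
                set_by_listener.add(found.group(1).strip('"'))
        elif keyword in ("accept", "reject"):
            found = OLD_RULE_TAG.search(line)
            if found:
                used_by_rule.add(found.group(1).strip('"'))
        elif keyword == "match":
            found = NEW_RULE_TAG.search(line)
            if found:
                used_by_rule.add(found.group(1).strip('"'))
    return {
        # Mail arriving on these listeners is never selected by a tag rule,
        # so it falls through to whatever untagged rule matches next.
        "unmatched_listener_tags": sorted(set_by_listener - used_by_rule),
        # These rules can never match: no listener sets the tag.
        "unset_rule_tags": sorted(used_by_rule - set_by_listener),
    }


if __name__ == "__main__":
    print("as posted:", check_tags(PAGE_CONF))
    print("corrected:", check_tags(FIXED_CONF))
```

With the posted excerpt, mail re-injected on port 10028 carries DKIM_OUT, so the only relay rule left to match it is the one that sends it to 127.0.0.1:10027 again, which is consistent with the repeated "DKIM signing - signed" lines in the log.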




Re: OpenSMTPD new config

2018-05-24 Thread Reio Remma

On 24.05.18 16:14, Reio Remma wrote:

On 24.05.18 16:07, Gilles Chehade wrote:

On Thu, May 24, 2018 at 04:01:32PM +0300, Reio Remma wrote:

On 24.05.18 15:55, Gilles Chehade wrote:

On Thu, May 24, 2018 at 03:53:14PM +0300, Reio Remma wrote:

That's exactly the problem. Alias resolution wasn't possible before with
relay and I'm wondering if it will be in the future. :)


aliases resolution with relay will not be possible because it makes no
sense, however a mechanism that's somehow similar and that makes sense
for relaying might be possible if we know what your use-case is.

I'm using the common setup where OpenSMTPD relays incoming mail to
amavisd-new and amavisd is scanning all messages, even those that are sent
to non-existent users.

listen on 0.0.0.0 port 25 tls pki orc.mrstuudio.ee

# Incoming mail from Amavisd (SpamAssassin/ClamAV)
listen on 127.0.0.1 port 10025 tag Filtered

# Accept "Filtered" from Amavisd for delivery.
accept tagged Filtered for domain  virtual  userbase  deliver to lmtp "/var/run/dovecot/lmtp" rcpt-to

# Relay incoming mail to Amavisd for spam check and virus scan.
accept from !local for domain  relay via smtp://127.0.0.1:10024



you can filter recipients in a rule so that it doesn't get matched if the
recipient address is not part of a table.

this is doable in both old grammar and new grammar


Oh, thanks! Now I'm left a little red faced for missing the obvious! :)

I'll have a look at that and how it'll work with SQLite - not entirely 
sure which query_ it uses for recipients, but I can glean that from 
smtpd debug log.


Reio


It works like a charm.

accept from !local for domain  recipient  relay via smtp://127.0.0.1:10024

For posterity - since the *recipient* table uses the same 
*query_mailaddr* query as my sender blacklist table, I had to split the 
sqlite queries to separate files:


table recipients  sqlite:/etc/opensmtpd/sqlite.conf
table blacklist   sqlite:/etc/opensmtpd/sqlite-blacklist.conf


Thanks again,
Reio


Re: OpenSMTPD new config

2018-05-24 Thread Reio Remma

On 24.05.18 16:07, Gilles Chehade wrote:

On Thu, May 24, 2018 at 04:01:32PM +0300, Reio Remma wrote:

On 24.05.18 15:55, Gilles Chehade wrote:

On Thu, May 24, 2018 at 03:53:14PM +0300, Reio Remma wrote:

That's exactly the problem. Alias resolution wasn't possible before with
relay and I'm wondering if it will be in the future. :)


aliases resolution with relay will not be possible because it makes no
sense, however a mechanism that's somehow similar and that makes sense
for relaying might be possible if we know what your use-case is.

I'm using the common setup where OpenSMTPD relays incoming mail to
amavisd-new and amavisd is scanning all messages, even those that are sent
to non-existent users.

listen on 0.0.0.0 port 25 tls pki orc.mrstuudio.ee

# Incoming mail from Amavisd (SpamAssassin/ClamAV)
listen on 127.0.0.1 port 10025 tag Filtered

# Accept "Filtered" from Amavisd for delivery.
accept tagged Filtered for domain  virtual  userbase  deliver to lmtp "/var/run/dovecot/lmtp" rcpt-to

# Relay incoming mail to Amavisd for spam check and virus scan.
accept from !local for domain  relay via smtp://127.0.0.1:10024


you can filter recipients in a rule so that it doesn't get matched if the
recipient address is not part of a table.

this is doable in both old grammar and new grammar


Oh, thanks! Now I'm left a little red faced for missing the obvious! :)

I'll have a look at that and how it'll work with SQLite - not entirely 
sure which query_ it uses for recipients, but I can glean that from 
smtpd debug log.


Reio




Re: OpenSMTPD new config

2018-05-24 Thread Reio Remma

On 24.05.18 15:55, Gilles Chehade wrote:

On Thu, May 24, 2018 at 03:53:14PM +0300, Reio Remma wrote:

That's exactly the problem. Alias resolution wasn't possible before with
relay and I'm wondering if it will be in the future. :)


aliases resolution with relay will not be possible because it makes no
sense, however a mechanism that's somehow similar and that makes sense
for relaying might be possible if we know what your use-case is.


I'm using the common setup where OpenSMTPD relays incoming mail to 
amavisd-new and amavisd is scanning all messages, even those that are 
sent to non-existent users.


listen on 0.0.0.0 port 25 tls pki orc.mrstuudio.ee

# Incoming mail from Amavisd (SpamAssassin/ClamAV)
listen on 127.0.0.1 port 10025 tag Filtered

# Accept "Filtered" from Amavisd for delivery.
accept tagged Filtered for domain  virtual  userbase  deliver to lmtp "/var/run/dovecot/lmtp" rcpt-to

# Relay incoming mail to Amavisd for spam check and virus scan.
accept from !local for domain  relay via smtp://127.0.0.1:10024





Re: OpenSMTPD new config

2018-05-24 Thread Reio Remma
That's exactly the problem. Alias resolution wasn't possible before with 
relay and I'm wondering if it will be in the future. :)


Reio

On 24.05.18 15:50, Gilles Chehade wrote:

Anything the previous configuration allowed is still working.


On Thu, May 24, 2018 at 03:48:02PM +0300, Reio Remma wrote:

Wonderful! It's making me want to dabble with OpenBSD: :)

I looked at the new man page, but it's not entirely clear to me if we'll be
able to reject mail to non-existent users outright before relaying to spam
checking etc. with the new syntax.

Thanks!
Reio






Re: OpenSMTPD new config

2018-05-24 Thread Reio Remma

Wonderful! It's making me want to dabble with OpenBSD: :)

I looked at the new man page, but it's not entirely clear to me if we'll 
be able to reject mail to non-existent users outright before relaying to 
spam checking etc. with the new syntax.


Thanks!
Reio

On 21.05.18 19:52, Gilles Chehade wrote:

Hello,

It's been a while since my last post but we've been working on two major
projects within OpenSMTPD since EuroBSDCon 2017.

One of these projects was to refactor entirely the configuration file as
it came with various shortcomings that impacted many parts of the daemon
and which forced us to constantly work-around and/or deal with much more
complex code than should be.

The project, which we dubbed "new config" goes way beyond just the conf,
it alters a lot of the internal structures, it alters the format and the
way envelopes are reloaded and used during delivery, how the lookups are
done at runtime, it improves security, allows fixing configuration issues
after envelopes are on-disk and many other positive side effects.

The configuration change goes as follows:

We now split rules into a matching pattern AND a named action, so that a
rule that used to be described as:

  accept from any for any deliver to mbox

is now written as:

  action foobar mbox
  match from any for any action foobar


a change of the action foobar:

  action foobar maildir
  match from any for any action foobar

will cause all envelopes to catch up with the change on daemon restart, something
that was simply not doable before.


I have written an article on my blog describing how I changed my config,
you can read it here:

 https://poolp.org/posts/2018-05-21/switching-to-opensmtpd-new-config/


The code is not committed yet, I'm waiting for okays from the OpenBSD
hackers, but you can give it a try by cloning the 'dispatcher' branch
on github ... but only for OpenBSD users yet.

WE DO NEED TESTING FROM OPENBSD USERS PLIZE.

Feel free to ask questions here or on IRC.






Re: How to text that TxRep is working?

2018-05-22 Thread Reio Remma

On 23.05.2018 6:01, Philip wrote:
I've added TxRep to spamassassin and set in my local.cf. Following the 
instructions:


http://truxoft.com/resources/txrep.htm

# TXTREP
use_txrep 1

Is there a way to test that it's actually working?

Phil




You should start getting TXREP=0.248 etc. in X-Spam-Status after a bit 
of training. Other than that I would suggest running a mail through in 
debug mode to see if TxRep shows up (the same for learning).


Good luck,
Reio




Re: Rejecting mail from non-existent domains and otherwise.

2018-04-30 Thread Reio Remma

On 30.04.2018 20:55, Reio Remma wrote:
Does OpenSMTPD have any kind of checking for incoming mail from 
non-existent domains? I recall our QMail setup rejecting such mails at 
the doorstep.


I'm also curious if it will be possible (with the new dispatcher/rule 
system) to reject mails to non-existent users before any further 
actions (relaying mails to spam checking etc)? Right now our 
amavisd-new gets all the spam to non-existent users, scans them and 
then gets a non-existent user reject from OpenSMTPD when passing the 
mail back to it (which it then passes back to OpenSMTPD on the other 
end :) ).


What actually prompted me to ask is a mail we received from a 
non-existent domain to a non-existent user on our side. :)





Rejecting mail from non-existent domains and otherwise.

2018-04-30 Thread Reio Remma

Hello!

Does OpenSMTPD have any kind of checking for incoming mail from 
non-existent domains? I recall our QMail setup rejecting such mails at 
the doorstep.


I'm also curious if it will be possible (with the new dispatcher/rule 
system) to reject mails to non-existent users before any further actions 
(relaying mails to spam checking etc)? Right now our amavisd-new gets 
all the spam to non-existent users, scans them and then gets a 
non-existent user reject from OpenSMTPD when passing the mail back to it 
(which it then passes back to OpenSMTPD on the other end :) ).


Thanks and good luck,
Reio




OpenSMTPD-Logwatch script.

2018-04-27 Thread Reio Remma

Hello all,

I've whipped together a Logwatch script for OpenSMTPD. If anyone is 
interested in giving it a try, it's now at:


https://github.com/whataboutpereira/OpenSMTPD-Logwatch

For now it's rather spammy, because I haven't implemented any limits for 
the lists and I've yet to decide if/what lists I should eliminate.


Good luck,
Reio





Re: Problem sending mail with Apple Mail

2018-04-10 Thread Reio Remma
Curious indeed, if Apple autoconfiguration would work properly on the 
submission port.


Reio

On 10.04.18 12:49, Nick Gyurov wrote:

Hey Craig,

Solved by additionally specifying port, TLS/SSL and password auth (check my 
previous mail).

Worked on port 465 as well.

Sent from my iPhone


On 10 Apr 2018, at 5:43 PM, Craig Skinner  wrote:

Hi Nick,

Port 587 is the proper MUA submission port, not 465.

https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol

https://tools.ietf.org/html/rfc6409

http://blog.mailgun.com/25-465-587-what-port-should-i-use/


Port 465 is not RFC compliant.

Perhaps Apple Mail expects the RFC port 587 to be operative?


Cheers,
--
Craig Skinner | http://linkd.in/yGqkv7





