Re: Maildir Delivery Issue/Question

2024-09-19 Thread Aly Dharshi
Hey Phillipp,

Sorry about my late reply. AD has been frustrating to use and deal with. I
set up OpenDJ and that directory and opensmtpd work beautifully now. The
delivery was correctly received from my external mx (opensmtpd) and relayed to
my internal mx (opensmtpd) properly. Thanks.

Cheers,

ASD.

---
Aly Dharshi B.Sc., RHCE
Communications Design Specialist
ETS Technical Services
CITY OPERATIONS | TRANSIT

Meeting Booking Link https://calendar.app.google/eTj5cU9rJFYUTqNM6


780-619-1585 MOBILE

City of Edmonton
DL MacDonald Transit Yards
ROW Building
13304 50A Street
Edmonton AB T5A 4P6

All information contained in this email post is proprietary to the City of 
Edmonton, confidential and intended only for the addressed recipient. If you 
have received this post in error, please disregard the contents, inform the 
sender of the misdirection, and remove it from your system. The copying, 
dissemination or distribution of this email, if misdirected, is strictly 
prohibited.



On Sep 17, 2024 at 1:58 AM -0600, Philipp wrote:
> Hi
>
> [2024-09-12 19:33] Aly Dharshi 
> > Hello OpenSMTPD Gurus,
> >
> > It’s been a very long time since I’ve had to do mail server work. However,
> > I have been working on implementing opensmtpd and I am running into a weird
> > issue.
> >
> > I am using:
> >
> > 1. Oracle Linux 9.4
> > 2. OpenSMTPD 7.5.0p0 from Oracle’s EPEL repo
> > 3. Default user and group of smtpd:smtpd
> > 4. Using sssd+AD and getent passwd username returns a valid entry.
> >
> > When I ask opensmtpd to perform a deliver to a Maildir lifted from the
> > default configs I get an error message where the system can’t find my home
> > directory and says it can’t stat it. I can get you a proper error in the AM.
>
> The exact error would help.
>
> > But if I run smtpd in the foreground as root the deliver takes place
> > flawlessly. If I ask smtpd as the user in (3) above to deliver to a mbox it
> > works fine.
>
> I don't get what you mean with "as the user in (3)". OpenSMTPD must run
> as root and has some helper user for special purposes. By default the
> delivery (mda) is run as the recipient user. Also to better understand
> what you do: can you share your config?
>
> > I see the systemd file has a set of read and write directories and am not
> > sure if that has something to do with it or not.
>
> The maildir delivery method writes to $HOME/Maildir by default. If your
> systemd service file disallows this it obviously fails. Specifying a
> different directory might help.
>
> A bit more general, considering your other mail asking about ldap:
> I would assume this gives a bit bigger setup where in the end the users
> access their mails only via IMAP/Webmail. In this case I would recommend
> to deliver via lmtp to something like dovecot. This gives you a bit more
> flexibility about where you store the users mail and allows some
> features (like sieve).
>
> Philipp
>
> > I have more questions that I will fire off in a different set of
> > emails/threads. Thanks so so much.
> >
> > Cheers,
> >
> > ASD.

-- 
*The contents of this message and any attachment(s) are confidential, 
proprietary to the City of Edmonton, and are intended only for the 
addressed recipient. If you have received this in error, please disregard 
the contents, inform the sender of the misdirection, and remove it from 
your system. The copying, dissemination, or distribution of this message, 
if misdirected, is strictly prohibited.*


Re: Maildir Delivery Issue/Question

2024-09-17 Thread Philipp
Hi

[2024-09-12 19:33] Aly Dharshi 
> Hello OpenSMTPD Gurus,
>
> It’s been a very long time since I’ve had to do mail server work. However,
> I have been working on implementing opensmtpd and I am running into a weird
> issue.
>
> I am using:
>
> 1. Oracle Linux 9.4
> 2. OpenSMTPD 7.5.0p0 from Oracle’s EPEL repo
> 3. Default user and group of smtpd:smtpd
> 4. Using sssd+AD and getent passwd username returns a valid entry.
>
> When I ask opensmtpd to perform a deliver to a Maildir lifted from the
> default configs I get an error message where the system can’t find my home
> directory and says it can’t stat it. I can get you a proper error in the AM.

The exact error would help.

> But if I run smtpd in the foreground as root the deliver takes place
> flawlessly. If I ask smtpd as the user in (3) above to deliver to a mbox it
> works fine.

I don't get what you mean with "as the user in (3)". OpenSMTPD must run
as root and has some helper user for special purposes. By default the
delivery (mda) is run as the recipient user. Also to better understand
what you do: can you share your config?

> I see the systemd file has a set of read and write directories and am not
> sure if that has something to do with it or not.

The maildir delivery method writes to $HOME/Maildir by default. If your
systemd service file disallows this it obviously fails. Specifying a
different directory might help.

A bit more general, considering your other mail asking about ldap:
I would assume this gives a bit bigger setup where in the end the users
access their mails only via IMAP/Webmail. In this case I would recommend
to deliver via lmtp to something like dovecot. This gives you a bit more
flexibility about where you store the users mail and allows some
features (like sieve).

Philipp

> I have more questions that I will fire off in a different set of
> emails/threads. Thanks so so much.
>
> Cheers,
>
> ASD.



Maildir Delivery Issue/Question

2024-09-12 Thread Aly Dharshi
Hello OpenSMTPD Gurus,

It’s been a very long time since I’ve had to do mail server work. However,
I have been working on implementing opensmtpd and I am running into a weird
issue.

I am using:

1. Oracle Linux 9.4
2. OpenSMTPD 7.5.0p0 from Oracle’s EPEL repo
3. Default user and group of smtpd:smtpd
4. Using sssd+AD and getent passwd username returns a valid entry.

When I ask opensmtpd to perform a deliver to a Maildir lifted from the
default configs I get an error message where the system can’t find my home
directory and says it can’t stat it. I can get you a proper error in the AM.

But if I run smtpd in the foreground as root the deliver takes place
flawlessly. If I ask smtpd as the user in (3) above to deliver to a mbox it
works fine.

I see the systemd file has a set of read and write directories and am not
sure if that has something to do with it or not.

I have more questions that I will fire off in a different set of
emails/threads. Thanks so so much.

Cheers,

ASD.







Re: /etc/mail/aliases question

2023-06-14 Thread J Doe

On 2023-06-14 18:32, Thomas Bohl wrote:

> The default is
> -rw-r--r--  1 root  wheel  2045 Oct 28  2022 aliases
>
> > My question is - why does smtpd output what it does - particularly the
> > "failed to update table" portion ?
>
> Because _smtpd does not have read access to /etc/mail/aliases.


Hi Thomas,

Ah, you are correct!  When I reset the permissions on: alias, alias.db 
to the defaults you mentioned and then edited aliases and re-ran: 
newaliases, all is good:


Jun 14 20:07:45 server smtpd[87551]: info: Table "aliases" successfully updated


Silly mistake on my part ... I must have changed the permissions at some 
point.  Thanks for your help!


- J
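
The owner/group/other decision behind Thomas's answer, as an added example that is not part of the original thread: it works out from a mode string, owner and group whether a given uid and gid set may read a file. The uid/gid 95 for the daemon user and the mode `-rw-r-----` are constructed sample values.

```sh
#!/bin/sh
# Added example, not from the thread. POSIX picks exactly one permission
# class per access check: owner, else group, else other. The first class
# that matches decides, even if a later class would have granted access.

# class_allows_read MODE OWNER_UID GROUP_GID UID "GID ..."
# MODE is an ls-style string such as -rw-r--r--. Prints the class that
# decided and returns 0 if that class has the read bit, 1 otherwise.
class_allows_read() {
    car_mode=$1 car_owner=$2 car_group=$3 car_uid=$4 car_gids=$5

    if [ "$car_uid" -eq 0 ]; then
        echo "root"                 # uid 0 is not subject to the mode bits
        return 0
    fi

    if [ "$car_uid" -eq "$car_owner" ]; then
        car_class=owner car_pos=2
    else
        car_class=other car_pos=8
        for car_g in $car_gids; do
            if [ "$car_g" -eq "$car_group" ]; then
                car_class=group car_pos=5
                break
            fi
        done
    fi

    echo "$car_class"
    [ "$(printf '%s' "$car_mode" | cut -c"$car_pos")" = "r" ]
}

# file_allows_read FILE UID "GID ..."
# Same decision for a file on disk; ls -ln gives mode, numeric owner and group.
file_allows_read() {
    far_line=$(ls -lnd -- "$1") || return 2
    # After set: $1=uid $2=gids $3=mode $4=links $5=owner $6=group
    set -- "$2" "$3" $far_line
    class_allows_read "$3" "$5" "$6" "$1" "$2"
}

# user_can_read FILE USER: resolve USER with id(1), then apply the check.
user_can_read() {
    ucr_uid=$(id -u "$2") || return 2
    ucr_gids=$(id -G "$2") || return 2
    file_allows_read "$1" "$ucr_uid" "$ucr_gids"
}

# Constructed sample: a file owned by 0:0, read by a daemon with uid/gid 95.
for m in -rw-r--r-- -rw-r-----; do
    if c=$(class_allows_read "$m" 0 0 95 95); then r=readable; else r=denied; fi
    echo "$m uid=95 -> $r (decided by $c)"
done
```

On a live system, `user_can_read /etc/mail/aliases _smtpd` applies the same check to the file and user named in the thread.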




Re: /etc/mail/aliases question

2023-06-14 Thread Thomas Bohl

Hello,


> However, the output from: newaliases shows:
>
>      $ doas newaliases
>      /etc/mail/aliases: 69 aliases
>
> Test messages also show that the changes to the aliases file are being
> picked up.

That should not be the case. But hard to tell without the full config.

> The current permissions I have on: /etc/mail/aliases are:
>
> -rw-r-   1 root   wheel   2.1K Jun 14 17:31 aliases
> -rw-r-   1 root   wheel  64.0K Jun 14 17:31 aliases.db
>
> ... and I don't believe I've changed the file permissions (please
> correct me if this isn't the default set of permissions).

The default is
-rw-r--r--  1 root  wheel  2045 Oct 28  2022 aliases

> My question is - why does smtpd output what it does - particularly the
> "failed to update table" portion ?

Because _smtpd does not have read access to /etc/mail/aliases.



/etc/mail/aliases question

2023-06-14 Thread J Doe

Hi,

I have a question regarding some output to: /var/log/maillog when I 
update the: /etc/mail/aliases file.


If I make a change to: /etc/mail/aliases:

   $ doas vim /etc/mail/aliases
   $ doas newaliases

I see the following in: /var/log/maillog:

... server smtpd[50072]: /etc/mail/aliases: fopen: Permission denied
... server smtpd[50072]: info: Failed to update table "aliases"

However, the output from: newaliases shows:

$ doas newaliases
/etc/mail/aliases: 69 aliases

Test messages also show that the changes to the aliases file are being 
picked up.


The current permissions I have on: /etc/mail/aliases are:

-rw-r-   1 root   wheel   2.1K Jun 14 17:31 aliases
-rw-r-   1 root   wheel  64.0K Jun 14 17:31 aliases.db

... and I don't believe I've changed the file permissions (please 
correct me if this isn't the default set of permissions).


My question is - why does smtpd output what it does - particularly the 
"failed to update table" portion ?


Thanks,

- J



Re: Question Regarding The 'poolp' Guide On How To Deploy A Mail Server's Last Portion Regarding Dovecot With 'sieve' Scripts

2021-06-17 Thread Samuel Banya
Thanks for this idea, yeah I posted about this on that mailing list too, thanks 
for the suggestion!

Happy to have tried OpenBSD for a mailing server though, it's been fun so far :)

On Fri, Jun 18, 2021, at 3:36 AM, Ryan Kavanagh wrote:
> On Fri, Jun 18, 2021 at 03:23:35AM +, Samuel Banya wrote:
> > This is what was present AFTER my changes in
> > '/etc/dovecot/conf.d/90-plugin.conf' (aka I followed this post's
> > workaround
> > http://dovecot.2317879.n4.nabble.com/sieve-compile-error-td70414.html):
> 
> Visually comparing this with my own working configuration, I can't see
> any meaningful differences. FWIW, I have:
> 
>   sieve_plugins = sieve_imapsieve sieve_extprograms
>   sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
> 
> Seeing that this is a dovecot issue and not an opensmtpd issue, you'll
> probably have better luck asking on the dovecot mailing lists
> https://www.dovecot.org/mailing-lists or in #dovecot on OFTC.
> 
> Best,
> Ryan
> 
> -- 
> |)|/  Ryan Kavanagh  | GPG: 4E46 9519 ED67 7734 268F
> |\|\  https://rak.ac |  BD95 8F7B F8FC 4A11 C97A
> 
> 


Re: Question Regarding The 'poolp' Guide On How To Deploy A Mail Server's Last Portion Regarding Dovecot With 'sieve' Scripts

2021-06-17 Thread Ryan Kavanagh
On Fri, Jun 18, 2021 at 03:23:35AM +, Samuel Banya wrote:
> This is what was present AFTER my changes in
> '/etc/dovecot/conf.d/90-plugin.conf' (aka I followed this post's
> workaround
> http://dovecot.2317879.n4.nabble.com/sieve-compile-error-td70414.html):

Visually comparing this with my own working configuration, I can't see
any meaningful differences. FWIW, I have:

  sieve_plugins = sieve_imapsieve sieve_extprograms
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment

Seeing that this is a dovecot issue and not an opensmtpd issue, you'll
probably have better luck asking on the dovecot mailing lists
https://www.dovecot.org/mailing-lists or in #dovecot on OFTC.

Best,
Ryan

-- 
|)|/  Ryan Kavanagh  | GPG: 4E46 9519 ED67 7734 268F
|\|\  https://rak.ac |  BD95 8F7B F8FC 4A11 C97A



Question Regarding The 'poolp' Guide On How To Deploy A Mail Server's Last Portion Regarding Dovecot With 'sieve' Scripts

2021-06-17 Thread Samuel Banya
Hello everyone,

I've been following the "poolp" guide on how to deploy an email server on 
OpenBSD:
- https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/

I'm currently at the very end of the guide in which he is using sieve with 
Dovecot to do some final filtering.

The unfortunate thing is that when I run these two commands in the 
'/usr/local/lib/dovecot/sieve' directory:
sievec report-ham.sieve
sievec report-spam.sieve

I'm getting the following error:
# sievec report-ham.sieve
report-ham: line 1: error: require command: unknown Sieve capability `vnd.dovecot.pipe'.
report-ham: line 1: error: require command: unknown Sieve capability `imapsieve'.
report-ham: line 15: error: unknown command 'pipe' (only reported once at first occurrence).
report-ham: error: validation failed.
sievec(root): Fatal: failed to compile sieve script 'report-ham.sieve'
# sievec report-spam.sieve
report-spam: line 1: error: require command: unknown Sieve capability `vnd.dovecot.pipe'.
report-spam: line 1: error: require command: unknown Sieve capability `imapsieve'.
report-spam: line 7: error: unknown command 'pipe' (only reported once at first occurrence).
report-spam: error: validation failed.
sievec(root): Fatal: failed to compile sieve script 'report-spam.sieve'

What's interesting is that this same post has the same exact error, and I tried 
his workaround which did NOT work unfortunately:
- http://dovecot.2317879.n4.nabble.com/sieve-compile-error-td70414.html

This is what was present BEFORE my changes in '
plugin {
  sieve_plugins = sieve_imapsieve sieve_extprograms

  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment

  imapsieve_mailbox1_name = Junk
  imapsieve_mailbox1_causes = COPY APPEND
  imapsieve_mailbox1_before = file:/usr/local/lib/dovecot/sieve/report-spam.sieve

  imapsieve_mailbox2_name = *
  imapsieve_mailbox2_from = Junk
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve

  imapsieve_mailbox3_name = Inbox
  imapsieve_mailbox3_causes = APPEND
  imapsieve_mailbox3_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve

  sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve
}

This is what was present AFTER my changes in 
'/etc/dovecot/conf.d/90-plugin.conf' (aka I followed this post's workaround
http://dovecot.2317879.n4.nabble.com/sieve-compile-error-td70414.html):
plugin {
  sieve_plugins = sieve_imapsieve sieve_extprograms

  sieve_global_extensions = +vnd.dovecot.environment +vnd.dovecot.debug +vnd.dovecot.pipe

  imapsieve_mailbox1_name = Junk
  imapsieve_mailbox1_causes = COPY APPEND
  imapsieve_mailbox1_before = file:/usr/local/lib/dovecot/sieve/report-spam.sieve

  imapsieve_mailbox2_name = *
  imapsieve_mailbox2_from = Junk
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve

  imapsieve_mailbox3_name = Inbox
  imapsieve_mailbox3_causes = APPEND
  imapsieve_mailbox3_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve

  sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve
}

Any ideas on what I can do?

Thanks,

~ Sam

Hello and mixed dex/dns operation question

2020-10-12 Thread Stuart D. Gathman
I have been using opensmtpd for fully dex operation, as described in 
https://fedoramagazine.org/decentralize-common-fedora-apps-cjdns/
(Yes the smtpd.conf has changed a bit since that article was written.)

Now, I wanted to also relay outgoing mail that is *not* a raw IP
through a server.  Using relay host is straightforward, but then I lose
the fully dex operation.  Is there any way to have my cake and eat it
too?






Can't get opensmtpd to match rules and deliver to dovecot (possibly another newbie question)

2020-08-26 Thread Fabian Müller
Hi again!

 

About two weeks ago I had my first newbie-question where this list helped me –
thank you again!

Back then Marcus Merighi recommended that I already make opensmtpd validate if
the recipient exists and refuse if he doesn’t. I am having a hard time
accomplishing this. I am feeling like I don’t understand some fundamental
concepts of opensmtpd but I can’t figure out how to learn them.

# Goals

1. I want to get my opensmtpd to get all user and alias information via mysql.
(working at least regarding goal 2)

2. I want it to deliver emails from authenticated users via smtp to anywhere.
(already working)

3. I want it to take emails for existing users and deliver them via lmtp to
dovecot.

4. I want it to take emails for aliases and forward them to the destination
both internally and externally.

(complete config below)

# 3. Deliver to existing users via lmtp

I am failing to get a rule to match.

Originally I had this rule which should accept all emails for the domains in
the table (the wanted user-check was not included):

match from any for domain  action "inbound"

But that always results in 550 Invalid recipient. Then I rcpt-to and to
hardcode one email-address

match from any rcpt-to *EMAILADDRESSHERE* action "inbound"

but I still get 550 Invalid recipient.

Furthermore I am totally confused by the virtual users concept. I don’t really
get the difference between user, userbase and virtual and I don’t understand
how, if I specify mysql as a table, opensmtpd knows which query from the mysql
config-file it should use to get the needed table-items.

Logically the syntax should be something like

Match from any rcpt-to  action "inbound"

and then I should have table domains mysql:/etc/mail/mysql.conf Where I can
specify a query that is run with what ever is the real rcpt-to. But that seems
to be a big misconception, so how is it right?

# 4. Forward for aliases

Haven’t even tried yet. I fail to understand how that would work.

 

# smtpd.conf

# Set variables
ipv4addr = *removed*
hostn = mx01.*domainremoved*

# compresses the queue, encrypts it and expires after 4 hours (optional)
#queue compression
#queue encryption key "***"
#expire 4h

# Add certificates
pki mx01.mx.itsmind.dev cert "/etc/ssl/mx01.*domainremoved*.crt"
pki mx01.mx.itsmind.dev key "/etc/ssl/private/mx01.*domainremoved*.key"

# Load the relevant tables
table domains mysql:/etc/mail/mysql.conf
table credentials mysql:/etc/mail/mysql.conf
table virtuals mysql:/etc/mail/mysql.conf

# Listen
listen on $ipv4addr port smtp tls
listen on $ipv4addr smtps pki mx01.*domainremoved* auth
listen on $ipv4addr port submission tls-require pki mx01.*domainremoved* auth

# define actions
action "inbound" lmtp "mda1:24"
action "outbound" relay

# define triggers
match from any for domain  action inbound
#match from any rcpt-to "EMAIL-ADDRESS-HERE" action "inbound"
#match for any action "outbound"
match auth from any for any action "outbound"

# /etc/mail/mysql.conf

host XXX
username XXX
password XXX
database XXX

query_credentials SELECT email, password FROM virtual_users WHERE email=?;
query_domain SELECT name FROM virtual_domains WHERE name=?;
#query_userinfo SELECT uid,gid,maildir FROM virtual_users WHERE email=?;
query_alias SELECT destination FROM virtual_aliases WHERE source=?;

 

 

Conclusion

Getting started with opensmtpd is actually extremely hard… but I am happy that
there is this mailing list!

 

Thank you in advance!

 

Kind regards

Fabian  



Re: warn: table-proc: pipe closed (Probably mySQL-hassle and a newbie-question)

2020-08-16 Thread Marcus MERIGHI
Hello Fabian, 

not answering your question and not solving your problem, but after your
introduction I feel compelled to say:

f...@1lb.eu (Fabian Müller), 2020.08.16 (Sun) 02:15 (CEST):
> 1. take e-mails on port 25, check via mysql if it's for a domain it is
> responsible for and then forward via lmtp to dovecot which then takes
> care of everything else (including rejecting unknown users).

I'd recommend to deny delivery right at the front door, i.e. let
OpenSMTPd do the rejection. That way the sender gets the
Non-Delivery-Notification from her/his own mail server. 

Otherwise the sending server sees the 
"250 2.0.0 XXYYZZ Message accepted for delivery"
and thinks all is well.

Later, when dovecot rejects, your server has to send the NDN,
possibly to a spammer, which might bounce and all of that.

Marcus



Re: warn: table-proc: pipe closed (Probably mySQL-hassle and a newbie-question)

2020-08-16 Thread Fabian Müller
Hi Edgar, hi Reio,

smtpd -dv did the job:

It turned out, that opensmtpd could not connect to the db because there was a
Space after the db-name. So „host db.example.com “ instead of „host
db.example.com“.

Now it connects fine but I get illegal table-api version which prevents
opensmtpd from starting up. I guess that's from a version mismatch between the
debian buster packages of opensmtpd and opensmtpd-extras. According to the
Debian bugtracker this is fixed in the latest backport packages. I'll give it a
try.

Thanks a lot for your help!

Greetings
Fabian


On 16.08.2020 at 11:00, Reio Remma wrote:


On 16.08.2020 03:15, Fabian Müller wrote:
> So what we know: It has something to do with the mysql-tables. What I don’t 
> understand is, what opensmtpd is trying to do which leads to that error. To 
> my understanding opensmtpd should only try to connect to the database if it 
> needs to read from the tables, which – if just starting up – obviously is not 
> the case.

IIRC OpenSMTPD opens the connection to MySQL server at startup. Just like it 
opens all other tables at startup.

Anything in MySQL logs? I'm fairly certain it is a connection issue.

Like Edgar recommended, try running smtpd -dv possibly with trace enabled as 
well.

Good luck,
Reio
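
A pre-start check for the problem Fabian found, a blank after the value on the `host` line, as an added example that is not part of the original thread. The file contents written by `write_sample_conf` are constructed; the key names follow the `/etc/mail/mysql.conf` quoted in the thread.

```sh
#!/bin/sh
# Added example, not from the thread. In Fabian's case a blank after the
# value on the "host" line was enough to break the database connection,
# and such a blank does not show up in an editor or in a pasted config.

# lint_table_conf FILE
# Prints "LINE:KEY:N trailing blank(s)" for every setting that ends in
# spaces, tabs or a carriage return. Only the key is printed, never the
# value, so the password stays out of the output. Returns 1 on a finding.
lint_table_conf() {
    awk '
        /^[ \t\r]*(#|$)/ { next }           # skip comments and blank lines
        /[ \t\r]$/ {
            clean = $0
            sub(/[ \t\r]+$/, "", clean)
            printf "%d:%s:%d trailing blank(s)\n", NR, $1, length($0) - length(clean)
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# strip_trailing_ws FILE: write a cleaned copy of FILE to stdout.
strip_trailing_ws() {
    sed 's/[[:space:]]*$//' "$1"
}

# Constructed sample in the shape of the mysql.conf from the thread:
# line 2 ends in a space, line 5 ends in a tab.
write_sample_conf() {
    {
        printf '# constructed sample\n'
        printf 'host db.example.com \n'
        printf 'username mailuser\n'
        printf 'password not-a-real-secret\n'
        printf 'database mail\t\n'
        printf 'query_domain SELECT name FROM virtual_domains WHERE name=?;\n'
    } > "$1"
}

demo_conf=$(mktemp)
write_sample_conf "$demo_conf"
lint_table_conf "$demo_conf" || echo "fix the lines above before starting smtpd"
rm -f "$demo_conf"
```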



Re: warn: table-proc: pipe closed (Probably mySQL-hassle and a newbie-question)

2020-08-16 Thread Reio Remma

On 16.08.2020 03:15, Fabian Müller wrote:


> So what we know: It has something to do with the mysql-tables. What I
> don’t understand is, what opensmtpd is trying to do which leads to
> that error. To my understanding opensmtpd should only try to connect
> to the database if it needs to read from the tables, which – if just
> starting up – obviously is not the case.




IIRC OpenSMTPD opens the connection to MySQL server at startup. Just 
like it opens all other tables at startup.


Anything in MySQL logs? I'm fairly certain it is a connection issue.

Like Edgar recommended, try running smtpd -dv possibly with trace 
enabled as well.


Good luck,
Reio



Re: warn: table-proc: pipe closed (Probably mySQL-hassle and a newbie-question)

2020-08-15 Thread Edgar Pettijohn
On Sun, Aug 16, 2020 at 02:15:52AM +0200, Fabian Müller wrote:
> 
> is your user allowed to connect to the host above?
> 
> ** Which host do you mean? mx01 is allowed to connect to db (ha-proxy) and 
> even db1, db2, db3 directly (which I also tried, but did not change 
> anything). And the internet is allowed to connect to mx1. Or did you mean the 
> mda1? mda1 is not yet set up.
>

The user from mysql.conf needs to be able to connect to the mysql server
found at host db.[removed for privacy].

>  
> 
> > username [removed for privacy]
> > password [removed for privacy]
> > database [removed for privacy]
> >
> > query_credentials SELECT email, password FROM virtual_users WHERE email=?;
> > query_domain SELECT name FROM virtual_domains WHERE name=?;
> > query_userinfo SELECT uid,gid,maildir FROM virtual_users WHERE email=?;
> > query_alias SELECT destination FROM virtual_aliases WHERE source=?;
>
> # Further explanations: What I've tried
>
> First I guess the error has something to do with the mysql-stuff.
>
> But I am really really confused about the whole mysql-tables thing and can't
> find a place where actually somebody explained (or documented) how it works.
>
> Have you tried:
>
> man table-mysql
>
> Perhaps it's missing if so you can find it on github.
>
> ** I found the source for a man that sheds light on what those config options
> are for.
>
> But that actually doesn’t help me with the error which occurs or if they
> are needed.
>
> By taking a look at table_proc.c from the opensmtpd source on github I guess
>
> > warn: table-proc: pipe closed
>
> means that opensmtpd got an empty response when trying to do something (?)
> with a table. I am unsure what opensmtpd is trying to do with the table.
> Strangely it isn’t even trying to connect to the db-server (tcpdump
> unrevals that).
> 
>  
>

table-proc is a separate process if I'm not mistaken that needs to talk
to the table-mysql which is a separate process. If the pipe is closed
they can't talk to each other.

> So what we know: It has something to do with the mysql-tables. What I don’t
> understand is, what opensmtpd is trying to do which leads to that error. To
> my understanding opensmtpd should only try to connect to the database if it
> needs to read from the tables, which – if just starting up – obviously is
> not the case.
> 
>

If you try something like:

# smtpd -dv

You should get some useful messages from table-mysql if it's not
connecting or what have you.

Edgar



Re: warn: table-proc: pipe closed (Probably mySQL-hassle and a newbie-question)

2020-08-15 Thread Fabian Müller
Hi Edgar

 

thanks for your reply!

 

From: Edgar Pettijohn
Date: Sunday, 16 August 2020 at 01:00
To: Fabian Müller
Cc:
Subject: Re: warn: table-proc: pipe closed (Probably mySQL-hassle and a newbie-question)

On Sun, Aug 16, 2020 at 12:13:41AM +0200, Fabian Müller wrote:

Hi!

 

I am hopefully a new opensmtpd user and before I’ll start off with my first
newbie question I’d be happy to briefly introduce myself: I’m Fabian from
Germany. Actually I am studying german law, but as – in opposite to legal
work – anyone who wants to can “do” IT-stuff I’ve also been in IT since
I left school. Together with some friends I own a small IT-company which makes
me here and there a few bucks but is actually there more for the fun rather
than the profit. During school-time I’ve already run a mailserver (postfix +
dovecot, but that actually doesn’t mean I’ve known anything about mail ;))
but after we started offering services to businesses we somehow switched over
to an all in one solution (plesk).

As those AiO-solutions sucks because they are a blackbox and debugging is a
nightmare we've decided to do hosting ourself again. And as I am the only one
of us who is motivated to dive into mail, it became my part. So after some days
googling around and spending a serious amount of time on youtube watching
mail-server-congress-talks I decided to go with a setup including opensmtpd
rather than postfix. As the best way to start with something is to start trying
I span up a few cloud-servers and started trying. As expected I ran into
problems but – not expected – reading the man and googling around couldn't
solve them.

 

So that's how I ended up here, hoping for your help!

 

# General Setup

1. OpenSMTPD (tables via mysql, delivering via lmtp)

2. Dovecot (not yet set up)

3. MariaDB Galera Cluster as Backend-Database

 

# The Problem

I'm getting the following error and can't connect to port 25 from outside world 
(telnet port 25).

 

Are you sure your ISP isn't blocking you? Can you connect to a non

standard port or the submission port from outside?

 

listen on egress port 5000

 

telnet yourhost.com 5000

 

** It turned out that opensmtpd is exiting with status=1/FAILURE after
generating the already mentioned error (I only looked at the mail-log and not
at the syslog as I thought opensmtpd might be at least starting up successfully
as the start command did not return an error (as it would if eg I had a syntax
error in my config). So no ISP-Block.

 

 

 

> Aug 15 23:17:25 mx01 smtpd[32458]: info: OpenSMTPD 6.0.3-portable starting

> Aug 15 23:17:25 mx01 smtpd[32462]: warn: table-proc: pipe closed

> Aug 15 23:17:25 mx01 smtpd[32462]: lookup: table-proc: exiting

> Aug 15 23:17:25 mx01 smtpd[32459]: smtpd: process lka socket closed 

 

 

Is mysqld up and running? Have you verified from the command line that

your username and password are correct?

 

mysql --user=username --password=password dbase

 

** Yes! I even tried the command used in the mysql.conf (SELECT name FROM 
virtual_domains WHERE name=[mailhost];) which returned the expected hostname.

 

# Host-System

OS: Debian 10

OpenSMTPd: 6.0.3p1-5+deb10u4

Opensmtpd-extras: 5.7.1-4+b2

 

# /etc/smtpd.conf

> # Set variables
> ipv4addr = [removed for privacy]
> hostn = mx01.[removed for privacy]
>
> # compresses the queue, encrypts it and expires after 4 hours (optional)
> #queue compression
> #queue encryption key "[removed for privacy]"
> #expire 4h
>
> # Add certificates
> pki mx01.[removed for privacy] certificate "/etc/ssl/mx01.[removed for privacy].crt"
> pki mx01.[removed for privacy] key "/etc/ssl/private/mx01.[removed for privacy].key"
>
> # Load the relevant tables
> table domains mysql:/etc/mail/mysql.conf
> table credentials mysql:/etc/mail/mysql.conf
>
> # Listen
> listen on $ipv4addr port smtp tls
> listen on $ipv4addr smtps pki mx01.mx.itsmind.dev auth
> listen on $ipv4addr port submission tls-require pki mx01.mx.itsmind.dev auth
>
> # Accept e-mails and pass them on
> accept from any for domain  deliver to lmtp "mda1:24"
> accept for any relay

 

# /etc/mail/mysql.conf

> host db.[removed for privacy]

 

is your user allowed to connect to the host above?

** Which host do you mean? mx01 is allowed to connect to db (ha-proxy) and even 
db1, db2, db3 directly (which I also tried, but did not change anything). And 
the internet is allowed to connect to mx1. Or did you mean the mda1? mda1 is 
not yet set up.

 

> username [removed for privacy]

> password [removed for privacy]

> database [removed for privacy]

> 

> query_credentials SELECT email, password FROM virtual_users WHERE email=?;

> query_domain

Re: warn: table-proc: pipe closed (Probably mySQL-hassle and a newbie-question)

2020-08-15 Thread Edgar Pettijohn
On Sun, Aug 16, 2020 at 12:13:41AM +0200, Fabian Müller wrote:
> Hi!
> 
> I am hopefully a new opensmtpd user and before I’ll start off with my first 
> newbie question I’d be happy to briefly introduce myself: I’m Fabian from 
> Germany. Actually I am studying German law, but as – in opposite to legal 
> work – anyone who wants to can “do” IT-stuff I’ve also been in IT 
> since I left school. Together with some friends I own a small IT-company 
> which makes me here and there a few bucks but is actually there more for the 
> fun rather than the profit. During school-time I’ve already run a mailserver 
> (postfix + dovecot, but that actually doesn’t mean I’ve known anything 
> about mail ;)) but after we started offering services to businesses we 
> somehow switched over to an all in one solution (plesk).
> 
> As those AiO-solutions suck because they are a blackbox and debugging is a 
> nightmare we've decided to do hosting ourselves again. And as I am the only one 
> of us who is motivated to dive into mail, it became my part. So after some 
> days googling around and spending a serious amount of time on youtube 
> watching mail-server-congress-talks I decided to go with a setup including 
> opensmtpd rather than postfix. As the best way to start with something is to 
> start trying I spun up a few cloud-servers and started trying. As expected I 
> ran into problems but – not expected – reading the man and googling 
> around couldn't solve them.
> 
> So that's how I ended up here, hoping for your help!
> 
> # General Setup
> 1. OpenSMTPD (tables via mysql, delivering via lmtp)
> 2. Dovecot (not yet set up)
> 3. MariaDB Galera Cluster as Backend-Database
> 
> # The Problem
> I'm getting the following error and can't connect to port 25 from outside 
> world (telnet port 25).

Are you sure your ISP isn't blocking you? Can you connect to a non
standard port or the submission port from outside?

listen on egress port 5000

telnet yourhost.com 5000

> 
> > Aug 15 23:17:25 mx01 smtpd[32458]: info: OpenSMTPD 6.0.3-portable starting
> > Aug 15 23:17:25 mx01 smtpd[32462]: warn: table-proc: pipe closed
> > Aug 15 23:17:25 mx01 smtpd[32462]: lookup: table-proc: exiting
> > Aug 15 23:17:25 mx01 smtpd[32459]: smtpd: process lka socket closed 
> 

Is mysqld up and running? Have you verified from the command line that
your username and password are correct?

mysql --user=username --password=password dbase

> # Host-System
> OS: Debian 10
> OpenSMTPd: 6.0.3p1-5+deb10u4
> OpenSMTPd-extras: 5.7.1-4+b2
> 
> # /etc/smtpd.conf
> > # Set variables
> > ipv4addr = [removed for privacy]
> > hostn = mx01.[removed for privacy]
> >
> > # compresses the queue, encrypts it and deletes after 4 hours (optional)
> > #queue compression
> > #queue encryption key "[removed for privacy]"
> > #expire 4h
> >
> > # Add certificates
> > pki mx01.[removed for privacy] certificate "/etc/ssl/mx01.[removed for privacy].crt"
> > pki mx01.[removed for privacy] key "/etc/ssl/private/mx01.[removed for privacy].key"
> > 
> > # Load relevant tables
> > table domains mysql:/etc/mail/mysql.conf
> > table credentials mysql:/etc/mail/mysql.conf
> > 
> > # Listen
> > listen on $ipv4addr port smtp tls
> > listen on $ipv4addr smtps pki mx01.mx.itsmind.dev auth
> > listen on $ipv4addr port submission tls-require pki mx01.mx.itsmind.dev auth
> > 
> > # Accept and forward e-mails
> > accept from any for domain <domains> deliver to lmtp "mda1:24"
> > accept for any relay
> 
> # /etc/mail/mysql.conf
> > host db.[removed for privacy]

is your user allowed to connect to the host above?

> > username [removed for privacy]
> > password [removed for privacy]
> > database [removed for privacy]
> > 
> > query_credentials SELECT email, password FROM virtual_users WHERE email=?;
> > query_domain SELECT name FROM virtual_domains WHERE name=?;
> > query_userinfo SELECT uid,gid,maildir FROM virtual_users WHERE email=?;
> > query_alias SELECT destination FROM virtual_aliases WHERE source=?;
> 
> # Further explanations: What I've tried
> First I guess the error has something to do with the mysql-stuff.
> 
> But I am really really confused about the whole mysql-tables thing and can't 
> find a place where actually somebody explained (or documented) how it works.

Have you tried:

man table-mysql

Perhaps it's missing; if so, you can find it on GitHub.

> 
> In the beginning I thought it works like if I write 
> 

warn: table-proc: pipe closed (Probably mySQL-hassle and a newbie-question)

2020-08-15 Thread Fabian Müller
Hi!

I am hopefully a new opensmtpd user and before I’ll start off with my first 
newbie question I’d be happy to briefly introduce myself: I’m Fabian from 
Germany. Actually I am studying German law, but as – in opposite to legal work 
– anyone who wants to can “do” IT-stuff I’ve also been in IT since I left 
school. Together with some friends I own a small IT-company which makes me here 
and there a few bucks but is actually there more for the fun rather than the 
profit. During school-time I’ve already run a mailserver (postfix + dovecot, but 
that actually doesn’t mean I’ve known anything about mail ;)) but after we 
started offering services to businesses we somehow switched over to an all in 
one solution (plesk).

As those AiO-solutions suck because they are a blackbox and debugging is a 
nightmare we've decided to do hosting ourselves again. And as I am the only one 
of us who is motivated to dive into mail, it became my part. So after some days 
googling around and spending a serious amount of time on youtube watching 
mail-server-congress-talks I decided to go with a setup including opensmtpd 
rather than postfix. As the best way to start with something is to start trying 
I spun up a few cloud-servers and started trying. As expected I ran into 
problems but – not expected – reading the man and googling around couldn't 
solve them.

So that's how I ended up here, hoping for your help!

# General Setup
1. OpenSMTPD (tables via mysql, delivering via lmtp)
2. Dovecot (not yet set up)
3. MariaDB Galera Cluster as Backend-Database

# The Problem
I'm getting the following error and can't connect to port 25 from outside world 
(telnet port 25).

> Aug 15 23:17:25 mx01 smtpd[32458]: info: OpenSMTPD 6.0.3-portable starting
> Aug 15 23:17:25 mx01 smtpd[32462]: warn: table-proc: pipe closed
> Aug 15 23:17:25 mx01 smtpd[32462]: lookup: table-proc: exiting
> Aug 15 23:17:25 mx01 smtpd[32459]: smtpd: process lka socket closed 

# Host-System
OS: Debian 10
OpenSMTPd: 6.0.3p1-5+deb10u4
OpenSMTPd-extras: 5.7.1-4+b2

# /etc/smtpd.conf
> # Set variables
> ipv4addr = [removed for privacy]
> hostn = mx01.[removed for privacy]
>
> # compresses the queue, encrypts it and deletes after 4 hours (optional)
> #queue compression
> #queue encryption key "[removed for privacy]"
> #expire 4h
>
> # Add certificates
> pki mx01.[removed for privacy] certificate "/etc/ssl/mx01.[removed for privacy].crt"
> pki mx01.[removed for privacy] key "/etc/ssl/private/mx01.[removed for privacy].key"
> 
> # Load relevant tables
> table domains mysql:/etc/mail/mysql.conf
> table credentials mysql:/etc/mail/mysql.conf
> 
> # Listen
> listen on $ipv4addr port smtp tls
> listen on $ipv4addr smtps pki mx01.mx.itsmind.dev auth
> listen on $ipv4addr port submission tls-require pki mx01.mx.itsmind.dev auth
> 
> # Accept and forward e-mails
> accept from any for domain <domains> deliver to lmtp "mda1:24"
> accept for any relay

# /etc/mail/mysql.conf
> host db.[removed for privacy]
> username [removed for privacy]
> password [removed for privacy]
> database [removed for privacy]
> 
> query_credentials SELECT email, password FROM virtual_users WHERE email=?;
> query_domain SELECT name FROM virtual_domains WHERE name=?;
> query_userinfo SELECT uid,gid,maildir FROM virtual_users WHERE email=?;
> query_alias SELECT destination FROM virtual_aliases WHERE source=?;

# Further explanations: What I've tried
First I guess the error has something to do with the mysql-stuff.

But I am really really confused about the whole mysql-tables thing and can't 
find a place where actually somebody explained (or documented) how it works.

In the beginning I thought it works like if I write 

> table domains mysql:/etc/mail/mysql.conf

to the smtpd.conf the value domains is retrieved from what's stated after

query_domains  (query_domains because the name of the table is domains. So from 
my guess table example would translate to query_example).

Therefore I only had one line 

query_domain SELECT name FROM virtual_domains WHERE name=?;

in my mysql.conf. I've also tried using $1 instead of ?. After every conf I 
found in the internet (about 3) had query_credentials, query_domain, 
query_userinfo and query_alias I thought those are fixed terms, so I included 
them all in the mysql-config. 


In conclusion I think what I am trying to achieve is not too complex: opensmtpd 
should

1. take e-mails on port 25, check via mysql if it's for a domain it is 
responsible for and then forward via lmtp to dovecot which then takes care of 
everything else (including rejecting unknown users).
2. Authenticate users on port 465 and 587 against mysql and forward their mails 
if successful. 

Later on I'd like to add rspamd and DKIM… but one step at a time.

I would be glad if anyone could shed some light on the whole mysql-hassle and 
knows what prevents my opensmtpd from doing what I want it to do.

Thank you in advance!

Fabian 





Re: Newbie config question

2020-06-13 Thread Thomas Bohl

> I've been wrestling with this for days with no progress.


Next time, post what config you have, please.


> Can someone drop me a v6.6.4 config to do something similar to the 
> following.


Untested:

v4adr = 999.2.3.4
hostn = mx.davidfavor.com

table aliases file:/etc/mail/aliases
table ma2help { supp...@davidfavor.com }
table ma2user { da...@davidfavor.com = david, i...@davidfavor.com = 
david, da...@radicalhealth.com = david
supp...@radicalhealth.com = support, 
i...@radicalhealth.com = support }


pki $hostn cert "/etc//mx.davidfavor.com_Fullchain.pem"
pki $hostn key "/etc/ssl/mx.davidfavor.com_Key.pem"

listen on lo0
listen on $v4adr port 25 tls \
hostname $hostn pki $hostn
listen on $v4adr smtps \
hostname $hostn pki $hostn \
auth
listen on $v4adr port 587 tls-require \
hostname $hostn pki $hostn \
auth

action "receivedLocally" maildir alias <aliases>
action "receivedRemotely" maildir virtual <ma2user>
action "relay2Helpdesk" relay \
    host smtps://f...@mail.helpdesk.com \
    auth { foo = password } \
    helo $hostn \
    src $v4adr
action "relay2Internet" relay \
    helo $hostn \
    src $v4adr

match for local action "receivedLocally"
match from any for rcpt-to <ma2help> action "relay2Helpdesk"
match from any for domain { davidfavor.com, radicalhealth.com } action "receivedRemotely"

match auth from any for any action "relay2Internet"



Re: Newbie config question

2020-06-13 Thread David Favor

David Favor wrote:

I've been wrestling with this for days with no progress.

Can someone drop me a v6.6.4 config to do something similar to the 
following.


   da...@davidfavor.com   - maildir
   i...@davidfavor.com    - forward to da...@davidfavor.com
   supp...@davidfavor.com - forward to f...@helpdesk.com using MailGun Relay Service

   supp...@radicalhealth.com - maildir
   i...@radicalhealth.com    - forward to supp...@radicalhealth.com
   da...@radicalhealth.com   - send natively to da...@davidfavor.com (no Smarthost or Relay Service)


Just a raw config file will be fine, I can remove
whatever I don't require right now, like DKIM signing,
which I'll add later.

I'm just trying to get basic OpenSMTPD delivery working.

Thanks.


Still be great to have a working config.

No requirement for long explanation, just a copy of
a working config, that handles all the above.

Thanks.



Re: Newbie config question

2020-06-05 Thread Edgar Pettijohn
On Fri, Jun 05, 2020 at 11:28:12AM -0500, David Favor wrote:
> I've been wrestling with this for days with no progress.
> 
> Can someone drop me a v6.6.4 config to do something similar to the following.
> 
>    da...@davidfavor.com   - maildir
>    i...@davidfavor.com    - forward to da...@davidfavor.com
>    supp...@davidfavor.com - forward to f...@helpdesk.com using MailGun Relay Service
> 
>    supp...@radicalhealth.com - maildir
>    i...@radicalhealth.com    - forward to supp...@radicalhealth.com
>    da...@radicalhealth.com   - send natively to da...@davidfavor.com (no Smarthost or Relay Service)
> 
> Just a raw config file will be fine, I can remove
> whatever I don't require right now, like DKIM signing,
> which I'll add later.
>

It would likely be easier if you just posted your current smtpd.conf and
associated tables. 

Edgar

> I'm just trying to get basic OpenSMTPD delivery working.
> 
> Thanks.



Re: Newbie config question

2020-06-05 Thread gilles
On my phone but I'll show you tomorrow if no one answers before, this is trivial

Gilles

On Jun 5, 2020 18:28, David Favor wrote:

I've been wrestling with this for days with no progress.

Can someone drop me a v6.6.4 config to do something similar to the following.

    da...@davidfavor.com   - maildir
    i...@davidfavor.com    - forward to da...@davidfavor.com
    supp...@davidfavor.com - forward to f...@helpdesk.com using MailGun Relay Service

    supp...@radicalhealth.com - maildir
    i...@radicalhealth.com    - forward to supp...@radicalhealth.com
    da...@radicalhealth.com   - send natively to da...@davidfavor.com (no Smarthost or Relay Service)

Just a raw config file will be fine, I can remove
whatever I don't require right now, like DKIM signing,
which I'll add later.

I'm just trying to get basic OpenSMTPD delivery working.

Thanks.




Newbie config question

2020-06-05 Thread David Favor

I've been wrestling with this for days with no progress.

Can someone drop me a v6.6.4 config to do something similar to the following.

   da...@davidfavor.com   - maildir
   i...@davidfavor.com    - forward to da...@davidfavor.com
   supp...@davidfavor.com - forward to f...@helpdesk.com using MailGun Relay Service

   supp...@radicalhealth.com - maildir
   i...@radicalhealth.com    - forward to supp...@radicalhealth.com
   da...@radicalhealth.com   - send natively to da...@davidfavor.com (no Smarthost or Relay Service)

Just a raw config file will be fine, I can remove
whatever I don't require right now, like DKIM signing,
which I'll add later.

I'm just trying to get basic OpenSMTPD delivery working.

Thanks.



Re: bgp-spamd question

2020-04-12 Thread Bryan Harris

Thanks Pierre-Edouard,

Well that's okay. Perhaps they ended the project.

V/r,
Bryan



On 4/11/2020 10:48 AM, Pierre-Edouard wrote:

Hi,
I was also using bgpd-spamd, and it stopped working recently as well.

It's not your config, issue is seen on my side too. (was working fine 
for many months before)


Cheers,
Pywy

On 11/04/2020 at 16:09, Bryan Harris wrote:

Hi folks,

I was able to setup my OpenSMTPd on my server maybe 1-2 years ago, 
and everything has been working fine. However, recently the bgp-spamd 
list that comes down into my bgp settings has not been populating. As 
far as email everything is still working I just don't get those bgp 
lists anymore, so they don't go into spamd.


I tried looking at the website but it appears it's not working.

Would anybody want to charge me some money in exchange for helping me 
figure out my bgp spamd problem?


I will post my config details at the end. I'm using OpenBSD 6.6 and 
the OpenSMTPd that comes with that version.


Thanks for any advice.

V/r,
Bryan

[root@sally:/root]
$ smtpd -h
version: OpenSMTPD 6.6.0
usage: smtpd [-dFhnv] [-D macro=value] [-f file] [-P system] [-T trace]

[root@sally:/root]
$ uname -r
6.6

[root@sally:/root]
$ bgpctl show rib community 65066:666
flags: * = Valid, > = Selected, I = via IBGP, A = Announced,
   S = Stale, E = Error
origin validation state: N = not-found, V = valid, ! = invalid
origin: i = IGP, e = EGP, ? = Incomplete

flags ovs destination  gateway  lpref   med aspath origin


[root@sally:/root]
$ cat /etc/bgpd.conf
# http://bgp-spamd.net/client/bgpd.html

spamdAS="65066"  # AS id of bgp-spamd server - don't edit this


AS 65000 # editable but 65001 is a sane default
fib-update no  # Mandatory, to not update the local routing table
nexthop qualify via default

group "spamd-bgp" {
    remote-as $spamdAS
    multihop 64
  export none  # Do not send Route Server any information


  # uncomment one
  #
    # us.bgp-spamd.net
    neighbor 64.142.121.62

    # eu.bgp-spamd.net
    neighbor 217.31.80.170

  # IPv6 eu.bgp-spamd.net
  neighbor 2a00:15a8:0:100:0:d91f:50aa:1

  # RS
  neighbor 64.142.121.62
}

# deny to any
# deny from any

# allow from group "spamd-bgp"

# 'match' is required, to remove entries when routes are withdrawn
match from group "spamd-bgp" community $spamdAS:42  set pftable "bgp-spamd-bypass"
match from group "spamd-bgp" community $spamdAS:666 set pftable "bgp-spamd"




--
"If thou examinest a man for illness in his cardia and he has pains in his arms 
and in his
breast and in one side of his cardia ... it is death threatening him."
—Ebers Papyrus (description of a heart attack, 1550BC)

"The beauty of doing nothing is that you can do it perfectly. Only when you do 
something is it almost impossible to do it without mistakes."
—Thomas Sowell




Re: bgp-spamd question

2020-04-11 Thread Pierre-Edouard

Hi,
I was also using bgpd-spamd, and it stopped working recently as well.

It's not your config, issue is seen on my side too. (was working fine for 
many months before)


Cheers,
Pywy

On 11/04/2020 at 16:09, Bryan Harris wrote:

Hi folks,

I was able to setup my OpenSMTPd on my server maybe 1-2 years ago, and 
everything has been working fine. However, recently the bgp-spamd list 
that comes down into my bgp settings has not been populating. As far 
as email everything is still working I just don't get those bgp lists 
anymore, so they don't go into spamd.


I tried looking at the website but it appears it's not working.

Would anybody want to charge me some money in exchange for helping me 
figure out my bgp spamd problem?


I will post my config details at the end. I'm using OpenBSD 6.6 and 
the OpenSMTPd that comes with that version.


Thanks for any advice.

V/r,
Bryan

[root@sally:/root]
$ smtpd -h
version: OpenSMTPD 6.6.0
usage: smtpd [-dFhnv] [-D macro=value] [-f file] [-P system] [-T trace]

[root@sally:/root]
$ uname -r
6.6

[root@sally:/root]
$ bgpctl show rib community 65066:666
flags: * = Valid, > = Selected, I = via IBGP, A = Announced,
   S = Stale, E = Error
origin validation state: N = not-found, V = valid, ! = invalid
origin: i = IGP, e = EGP, ? = Incomplete

flags ovs destination  gateway  lpref   med aspath origin

[root@sally:/root]
$ cat /etc/bgpd.conf
# http://bgp-spamd.net/client/bgpd.html

spamdAS="65066"  # AS id of bgp-spamd server - don't edit this


AS 65000 # editable but 65001 is a sane default
fib-update no  # Mandatory, to not update the local routing table
nexthop qualify via default

group "spamd-bgp" {
    remote-as $spamdAS
    multihop 64
  export none  # Do not send Route Server any information


  # uncomment one
  #
    # us.bgp-spamd.net
    neighbor 64.142.121.62

    # eu.bgp-spamd.net
    neighbor 217.31.80.170

  # IPv6 eu.bgp-spamd.net
  neighbor 2a00:15a8:0:100:0:d91f:50aa:1

  # RS
  neighbor 64.142.121.62
}

# deny to any
# deny from any

# allow from group "spamd-bgp"

# 'match' is required, to remove entries when routes are withdrawn
match from group "spamd-bgp" community $spamdAS:42  set pftable "bgp-spamd-bypass"
match from group "spamd-bgp" community $spamdAS:666 set pftable "bgp-spamd"






bgp-spamd question

2020-04-11 Thread Bryan Harris

Hi folks,

I was able to setup my OpenSMTPd on my server maybe 1-2 years ago, and 
everything has been working fine. However, recently the bgp-spamd list 
that comes down into my bgp settings has not been populating. As far as 
email everything is still working I just don't get those bgp lists 
anymore, so they don't go into spamd.


I tried looking at the website but it appears it's not working.

Would anybody want to charge me some money in exchange for helping me 
figure out my bgp spamd problem?


I will post my config details at the end. I'm using OpenBSD 6.6 and the 
OpenSMTPd that comes with that version.


Thanks for any advice.

V/r,
Bryan

[root@sally:/root]
$ smtpd -h
version: OpenSMTPD 6.6.0
usage: smtpd [-dFhnv] [-D macro=value] [-f file] [-P system] [-T trace]

[root@sally:/root]
$ uname -r
6.6

[root@sally:/root]
$ bgpctl show rib community 65066:666
flags: * = Valid, > = Selected, I = via IBGP, A = Announced,
   S = Stale, E = Error
origin validation state: N = not-found, V = valid, ! = invalid
origin: i = IGP, e = EGP, ? = Incomplete

flags ovs destination  gateway  lpref   med aspath origin

[root@sally:/root]
$ cat /etc/bgpd.conf
# http://bgp-spamd.net/client/bgpd.html

spamdAS="65066"  # AS id of bgp-spamd server - don't edit this


AS 65000 # editable but 65001 is a sane default
fib-update no  # Mandatory, to not update the local routing table
nexthop qualify via default

group "spamd-bgp" {
    remote-as $spamdAS
    multihop 64
  export none  # Do not send Route Server any information


  # uncomment one
  #
    # us.bgp-spamd.net
    neighbor 64.142.121.62

    # eu.bgp-spamd.net
    neighbor 217.31.80.170

  # IPv6 eu.bgp-spamd.net
  neighbor 2a00:15a8:0:100:0:d91f:50aa:1

  # RS
  neighbor 64.142.121.62
}

# deny to any
# deny from any

# allow from group "spamd-bgp"

# 'match' is required, to remove entries when routes are withdrawn
match from group "spamd-bgp" community $spamdAS:42  set pftable "bgp-spamd-bypass"

match from group "spamd-bgp" community $spamdAS:666 set pftable "bgp-spamd"





Re: filter question

2020-03-09 Thread Edgar Pettijohn

On Mar 9, 2020 1:34 AM, Martijn van Duren  wrote:
>
> On 3/6/20 5:00 PM, epektasis wrote:
> > Greetings.  I have my own blacklist file of email addresses
> > (some in the format microcen...@microcenter.com and some in 
> > the format *@squaredeals.com), one per line.  I would like to
> > filter each incoming email so that a mail-from address
> > that matches any line in the blacklist file will go to a
> > junk file.  In the smtpd.conf I have tried
> > 
> > table blksender file:/etc/blksender
> > filter mail-from  junk
> > match filter mail-from  junk
> > 
> > but get syntax errors on both of the last two lines when
> > checking the configuration.  There's something I'm not
> > understanding and am asking for advice.
> > epektasis
> > 
> Have another look at the manpage:
>  filter filter-name phase phase-name match conditions decision
>  Register a filter filter-name.  A decision about what to do
>  with the mail is taken at phase phase-name when matching
>  conditions.  Phases, matching conditions, and decisions are
>  described in MAIL FILTERING, below.
>
> So without testing (you should do that yourself anyway) I think what you
> want would be:
>
> table blksender file:/etc/blksender
> filter blksender phase mail-from match mail-from  junk
> listen on   filter blksender
>

Also look at table(5): '*' is only allowed on the domain side of the '@'.

Edgar

Re: filter question

2020-03-08 Thread Martijn van Duren
On 3/6/20 5:00 PM, epektasis wrote:
> Greetings.  I have my own blacklist file of email addresses
> (some in the format microcen...@microcenter.com and some in 
> the format *@squaredeals.com), one per line.  I would like to
> filter each incoming email so that a mail-from address
> that matches any line in the blacklist file will go to a
> junk file.  In the smtpd.conf I have tried
> 
> table blksender file:/etc/blksender
> filter mail-from  junk
> match filter mail-from  junk
> 
> but get syntax errors on both of the last two lines when
> checking the configuration.  There's something I'm not
> understanding and am asking for advice.
>   epektasis
> 
Have another look at the manpage:
 filter filter-name phase phase-name match conditions decision
 Register a filter filter-name.  A decision about what to do
 with the mail is taken at phase phase-name when matching
 conditions.  Phases, matching conditions, and decisions are
 described in MAIL FILTERING, below.

So without testing (you should do that yourself anyway) I think what you
want would be:

table blksender file:/etc/blksender
filter blksender phase mail-from match mail-from  junk
listen on   filter blksender



filter question

2020-03-06 Thread epektasis
Greetings.  I have my own blacklist file of email addresses
(some in the format microcen...@microcenter.com and some in 
the format *@squaredeals.com), one per line.  I would like to
filter each incoming email so that a mail-from address
that matches any line in the blacklist file will go to a
junk file.  In the smtpd.conf I have tried

table blksender file:/etc/blksender
filter mail-from  junk
match filter mail-from  junk

but get syntax errors on both of the last two lines when
checking the configuration.  There's something I'm not
understanding and am asking for advice.
epektasis

-- 




Re: Question about OpenSMTPD and Debian package and filters/spam filtering

2019-11-28 Thread Demetri A. Mkobaranov



On 8/21/19 12:50 PM, Michiel van Es wrote:

I am running a small VPS with 1 GB memory with Debian 10 amd64 with OpenSMTPD 
(6.0.3)



Hello, can you really use Buster's official opensmtpd package? I tried 
it about 3 weeks ago and it was broken out of the box for me (can't 
really remember what was the issue at the moment). I had to use pinning 
and install stretch package.





Re: builtin filter regex question

2019-11-20 Thread Joerg Jung
On Mon, Nov 04, 2019 at 10:18:07PM +0100, Joerg Jung wrote:
> On Thu, Oct 31, 2019 at 08:28:23AM +, gil...@poolp.org wrote:
> > October 24, 2019 8:35 PM, "Joerg Jung"  wrote:
> > 
> > > I used some regex filters in the past which I'm trying to convert to the
> > > latest builtin filters. In particular, I stumbled over a HELO filter,
> > > which rejects non-FQDN HELO forcing SMTP protocol, aka: 
> > > Sendmail FEATURE(block_bad_helo) or Postfix reject_non_fqdn_helo_hostname
> > > 
> > > I had significant success rate with this kind of blocking, since a good
> > > portions of spammers seem to be too lazy to configure HELO correctly.
> > > 
> > > Here is what I came up with:
> > > 
> > > # reject HELO/EHLO with leading or trailing dot, and without dots 
> > > (non-FQDN)
> > > filter helo phase helo connect match helo regex { "^\.", "\.$", 
> > > "^[^\.]*$" } disconnect "554 5.7.1
> > > HELO rejected" 
> > > filter ehlo phase ehlo connect match helo regex { "^\.", "\.$", 
> > > "^[^\.]*$" } disconnect "554 5.7.1
> > > EHLO rejected
> > > 
> > > Now, I just need a way to skip/allow IPv6 address literals, e.g. there
> > > are no dots in EHLO [::1], but still a valid/allowed value.
> > > With old filter-regex I just did a negotiation: ! regex "^\[" to
> > > not apply filter to v6 literals
> > > 
> > > Any ideas/hints how to add/implement this with the new builtin regex
> > > filter syntax?
> > > 
> > 
> > Sadly there would have been a very easy way if I had that use-case in mind 
> > pre-release,
> > which would be to make the "proceed" action explicit, you could have had a 
> > filter
> > match the inet6 address and proceed to shortcut the matching of non fqdn.
> 
> :)
> 
> > As of today, there will be no option but to craft your regex to contain 
> > both the pattern
> > you want to match AND exclude [ as far as I see it.
> 
> But that AND EXCLUDE (aka AND NOT) is not possible with re_format(7), 
> because no zero-width negative lookahead or similar tricks are 
> available, right?
> 
> I wonder if abusing "match" instead of filtering is an option here, with
> match I have the negotiation operator available, so something like this
> would probably work, right?
> 
> match ! helo regex "^\[" myaction
> match helo regex { "^\.", "\.$", "^[^\.]*$" } reject
> # further standard match rules following...
> 
> The question is, what to put into: myaction, there is no 
> pass/accept/skip/jump to other match rules... and "relay" 
> will probably result in a loop, no?
> 
> Seems like this is just not possible with the built-in syntax for now
> and I need to write a tiny proc-exec filter instead?

I took a quick shot and wrote a tiny and portable ~20 lines sed based 
filter, which can be found below and is released here:
https://www.umaxx.net/dl/filter-fqdn-0.1.tar.gz

I'm not an sed expert and I'm pretty sure the script can be shortened
and further simplified e.g. with some hold buffer exchange, yalla, yalla
Any suggestions or comments are welcome, but for now it does what I want
and works fine for me. 

Thanks,
Regards,
Joerg


#!/usr/bin/sed -Enuf
# $Id: filter-fqdn.sed 53 2019-11-20 19:27:59Z umaxx $
# Copyright (c) 2019 Joerg Jung 
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

# filter-fqdn - opensmtpd filter for HELO/EHLO FQDN filtering
#
# version: 0.1
#
# uncomment for debug
#s/(.*)/\1/w /dev/stderr

/^config|ready$/ { a\
register|filter|smtp-in|helo\
register|filter|smtp-in|ehlo\
register|ready
}

/^filter\|0.4\|.*\|smtp-in\|.*/ {
# skip address literals
/^.*smtp-in\|(.*)\|(.*)\|\[.*$/ {
bproceed
}
# reject leading dot
/^.*smtp-in\|(.*)\|(.*)\|(.*)\|\..*$/ {
s//filter-result\|\3|\2\|reject\|554 5.7.1 \1 failed/p
}
# reject trailing dot
/^.*smtp-in\|(.*)\|(.*)\|(.*)\|.*\.$/ {
s//filter-result\|\3|\2\|reject\|554 5.7.1 \1 failed/p
}
# reject without dots (non-FQDN)
/^.*smtp-in\|(.*)\|(.*)\|(.*)\|[^\.]*$/ {
s//filter-result\|\3|\2\|reject\|554 5.7.1 \1 failed/p
}
:proceed
/^.*smtp-in\|.*\|(.*)\|(.*)\|.*$/ {
s//filter-result\|\2|\1\|proceed/p
}
}



Re: builtin filter regex question

2019-11-04 Thread Joerg Jung
On Thu, Oct 31, 2019 at 08:28:23AM +, gil...@poolp.org wrote:
> October 24, 2019 8:35 PM, "Joerg Jung"  wrote:
> 
> > Hi,
> > 
> > I used some regex filters in the past which I'm trying to convert to the
> > latest builtin filters. In particular, I stumbled over a HELO filter,
> > which rejects non-FQDN HELO forcing SMTP protocol, aka: 
> > Sendmail FEATURE(block_bad_helo) or Postfix reject_non_fqdn_helo_hostname
> > 
> > I had significant success rate with this kind of blocking, since a good
> > portion of spammers seem to be too lazy to configure HELO correctly.
> > 
> > Here is what I came up with:
> > 
> > # reject HELO/EHLO with leading or trailing dot, and without dots (non-FQDN)
> > filter helo phase helo connect match helo regex { "^\.", "\.$", "^[^\.]*$" } disconnect "554 5.7.1 HELO rejected"
> > filter ehlo phase ehlo connect match helo regex { "^\.", "\.$", "^[^\.]*$" } disconnect "554 5.7.1 EHLO rejected"
> > 
> > Now, I just need a way to skip/allow IPv6 address literals, e.g. there
> > are no dots in EHLO [::1], but still a valid/allowed value.
> > With old filter-regex I just did a negotiation: ! regex "^\[" to
> > not apply filter to v6 literals
> > 
> > Any ideas/hints how to add/implement this with the new builtin regex
> > filter syntax?
> > 
> 
> Sadly there would have been a very easy way if I had that use-case in mind 
> pre-release,
> which would be to make the "proceed" action explicit, you could have had a 
> filter
> match the inet6 address and proceed to shortcut the matching of non fqdn.

:)

> As of today, there will be no option but to craft your regex to contain both 
> the pattern
> you want to match AND exclude [ as far as I see it.

But that AND EXCLUDE (aka AND NOT) is not possible with re_format(7), 
because no zero-width negative lookahead or similar tricks are 
available, right?

I wonder if abusing "match" instead of filtering is an option here, with
match I have the negotiation operator available, so something like this
would probably work, right?

match ! helo regex "^\[" myaction
match helo regex { "^\.", "\.$", "^[^\.]*$" } reject
# further standard match rules following...

The question is, what to put into: myaction, there is no 
pass/accept/skip/jump to other match rules... and "relay" 
will probably result in a loop, no?

Seems like this is just not possible with the built-in syntax for now
and I need to write a tiny proc-exec filter instead?



Re: builtin filter regex question

2019-10-31 Thread gilles
October 24, 2019 8:35 PM, "Joerg Jung"  wrote:

> Hi,
> 
> I used some regex filters in the past which I'm trying to convert to the
> latest builtin filters. In particular, I stumbled over a HELO filter,
> which rejects non-FQDN HELO forcing SMTP protocol, aka: 
> Sendmail FEATURE(block_bad_helo) or Postfix reject_non_fqdn_helo_hostname
> 
> I had significant success rate with this kind of blocking, since a good
> portion of spammers seem to be too lazy to configure HELO correctly.
> 
> Here is what I came up with:
> 
> # reject HELO/EHLO with leading or trailing dot, and without dots (non-FQDN)
> filter helo phase helo connect match helo regex { "^\.", "\.$", "^[^\.]*$" } disconnect "554 5.7.1 HELO rejected"
> filter ehlo phase ehlo connect match helo regex { "^\.", "\.$", "^[^\.]*$" } disconnect "554 5.7.1 EHLO rejected"
> 
> Now, I just need a way to skip/allow IPv6 address literals, e.g. there
> are no dots in EHLO [::1], but still a valid/allowed value.
> With old filter-regex I just did a negotiation: ! regex "^\[" to
> not apply filter to v6 literals
> 
> Any ideas/hints how to add/implement this with the new builtin regex
> filter syntax?
> 

Sadly there would have been a very easy way if I had that use-case in mind 
pre-release,
which would be to make the "proceed" action explicit, you could have had a 
filter
match the inet6 address and proceed to shortcut the matching of non fqdn.

As of today, there will be no option but to craft your regex to contain both 
the pattern
you want to match AND exclude [ as far as I see it.
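
For the three patterns in this thread, the exclusion of a leading `[` can be folded into the patterns themselves with bracket expressions, so no lookahead is needed. The script below is an added example, not code from the thread or from OpenSMTPD: the function names and sample HELO values are constructed, and `grep -E` is assumed as a stand-in for the POSIX extended regex matcher described in re_format(7).

```shell
#!/bin/sh
# Added example (not from the thread). Function names and sample HELO values
# are constructed; grep -E is used as a stand-in POSIX ERE matcher.

# Reference behaviour: the three patterns from the thread, applied only when
# the value does not start with "[" (the old filter-regex "! regex" approach).
helo_rejected_reference() {
    if printf '%s\n' "$1" | grep -Eq -e '^\['; then
        return 1                      # address literal: never rejected
    fi
    printf '%s\n' "$1" | grep -Eq -e '^\.' -e '\.$' -e '^[^.]*$'
}

# Same decision with the exclusion folded into the patterns:
#   ^\.            leading dot (cannot start with "[" anyway)
#   ^[^[].*\.$     trailing dot, first character is not "["
#   ^[^.[][^.]*$   no dot at all, first character is not "["
#   ^$             empty value (also has no dot)
# "[^.[]" lists "." before "[" because "[." would open a collating symbol.
helo_rejected() {
    printf '%s\n' "$1" |
        grep -Eq -e '^\.' -e '^[^[].*\.$' -e '^[^.[][^.]*$' -e '^$'
}

helo_verdict() {
    if helo_rejected "$1"; then echo reject; else echo proceed; fi
}

# Count constructed samples on which the two functions disagree.
count_mismatches() {
    n=0
    for h in 'mail.example.org' 'localhost' '.example.org' 'example.org.' \
             '.' '' 'a.' '[::1]' '[IPv6:2001:db8::1]' '[192.0.2.1]' '[' '[x.'
    do
        if helo_rejected "$h"; then a=reject; else a=proceed; fi
        if helo_rejected_reference "$h"; then b=reject; else b=proceed; fi
        [ "$a" = "$b" ] || n=$((n + 1))
    done
    echo "$n"
}

for h in 'mail.example.org' 'localhost' 'example.org.' '[::1]' '[192.0.2.1]'
do
    printf '%-20s %s\n' "$h" "$(helo_verdict "$h")"
done
printf 'mismatches vs reference: %s\n' "$(count_mismatches)"
```

In the filter rules quoted in this thread, these four patterns would take the place of the original three inside `regex { ... }`.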



builtin filter regex question

2019-10-24 Thread Joerg Jung
Hi,

I used some regex filters in the past which I'm trying to convert to the
latest builtin filters.  In particular, I stumbled over a HELO filter,
which rejects non-FQDN HELO forcing SMTP protocol, aka: 
Sendmail FEATURE(block_bad_helo) or Postfix reject_non_fqdn_helo_hostname

I had significant success rate with this kind of blocking, since a good
portion of spammers seem to be too lazy to configure HELO correctly.

Here is what I came up with:

# reject HELO/EHLO with leading or trailing dot, and without dots (non-FQDN)
filter helo phase helo connect match helo regex { "^\.", "\.$", "^[^\.]*$" } disconnect "554 5.7.1 HELO rejected"
filter ehlo phase ehlo connect match helo regex { "^\.", "\.$", "^[^\.]*$" } disconnect "554 5.7.1 EHLO rejected"

Now, I just need a way to skip/allow IPv6 address literals, e.g. there
are no dots in EHLO [::1], but still a valid/allowed value.
With old filter-regex I just did a negotiation: ! regex "^\[" to
not apply filter to v6 literals

Any ideas/hints how to add/implement this with the new builtin regex
filter syntax?

Thanks,
Regards,
Joerg



Re: Question about match auth with the new syntax.

2019-08-28 Thread Edgar Pettijohn

On Aug 28, 2019 1:52 PM, Reio Remma  wrote:
>
> Hello!
>
> I've pretty much converted my setup to the new syntax now and I'm 
> wondering if I get this right.
>
> I understand that from local was changed to not include authenticated 
> users, but my question is does "match auth" match both authenticated and 
> local users?
>
> I currently have - "match auth from any for any action dkim" - and I see 
> that I can send mail from command line using that rule, so I'm guessing 
> yes. :)
>
> Maybe the man page could reflect these bits for match auth and match 
> from local.
>

Match from local for local is a default rule. You have to specifically negate 
it if you don't want it. 

Edgar

> Thanks!
> Reio
>


Question about match auth with the new syntax.

2019-08-28 Thread Reio Remma

Hello!

I've pretty much converted my setup to the new syntax now and I'm 
wondering if I get this right.


I understand that from local was changed to not include authenticated 
users, but my question is does "match auth" match both authenticated and 
local users?


I currently have - "match auth from any for any action dkim" - and I see 
that I can send mail from command line using that rule, so I'm guessing 
yes. :)


Maybe the man page could reflect these bits for match auth and match 
from local.


Thanks!
Reio



Re: table api question

2019-08-24 Thread Edgar Pettijohn
On Sat, Aug 24, 2019 at 08:19:00AM +, gil...@poolp.org wrote:
> August 24, 2019 02:59, "Edgar Pettijohn"  wrote:
> 
> > I am writing a table-lua, however the table_lua_update function doesn't 
> > appear to be called.
> > Here are relevant pieces of the code.
> > 
> > The lookup function works. However, it would be more ideal to have the 
> > update() called early
> > to fill in the tables for the other functions. As is the lookup() has to do 
> > the work of both.
> > 
> > Any help is appreciated.
> > 
> 
> update is called when you issue an `smtpctl table update ` command.

Makes sense. However, the smtpctl manual says it's for tables using the "file" 
backend.

> 
> On a side note, I had this discussion with someone a few days ago but can't 
> remember
> who, so if it was you and you already know, disregard:
>
> I have a plan for the next two releases to switch the implementation of 
> tables to an
> API similar to that of filters, so we can have tables become scripts that 
> read lines
> from stdin, write answers to stdout, be written in any language, etc..
> 

Not me but sounds interesting.
 
> Not discouraging you from writing something using the current API, it is not 
> so much
> work anyways, but just letting you know that in a relatively short term your 
> code is
> going to need a rewrite.

I was using table-passwd as a bit of a go by. Armed with this new knowledge, I 
see that table_passwd_update is called from main.  I think that is what I need to do.

Thanks,

Edgar



Re: table api question

2019-08-24 Thread gilles
August 24, 2019 02:59, "Edgar Pettijohn"  wrote:

> I am writing a table-lua, however the table_lua_update function doesn't 
> appear to be called.
> Here are relevant pieces of the code.
> 
> The lookup function works. However, it would be more ideal to have the 
> update() called early
> to fill in the tables for the other functions. As is the lookup() has to do 
> the work of both.
> 
> Any help is appreciated.
> 

update is called when you issue an `smtpctl table update ` command.

On a side note, I had this discussion with someone a few days ago but can't 
remember
who, so if it was you and you already know, disregard:

I have a plan for the next two releases to switch the implementation of tables 
to an
API similar to that of filters, so we can have tables become scripts that read 
lines
from stdin, write answers to stdout, be written in any language, etc..

Not discouraging you from writing something using the current API, it is not so 
much
work anyways, but just letting you know that in a relatively short term your 
code is
going to need a rewrite.



table api question

2019-08-23 Thread Edgar Pettijohn
I am writing a table-lua, however the table_lua_update function doesn't appear 
to be called.
Here are relevant pieces of the code.

The lookup function works. However, it would be more ideal to have the update() 
called early
to fill in the tables for the other functions. As is the lookup() has to do the 
work of both.

Any help is appreciated.

Thanks,

Edgar

table_lua.c

static int
table_lua_update(void)
{
    int ret;

    /* call the script's global update() with a single nil argument */
    lua_getglobal(L, "update");

    lua_pushnil(L);
    if (lua_pcall(L, 1, 1, 0)) {
        log_warnx("warn: update: %s", lua_tostring(L, -1));
        lua_pop(L, 1);  /* drop the error message */
        return -1;
    }

    ret = lua_toboolean(L, -1);
    lua_pop(L, 1);      /* drop the result so the Lua stack stays balanced */

    log_warnx("\t\tlua-update: %d\n", ret);
    return ret;
}

int
main(int argc, char **argv)
{
    int ch;
    char *path;

    log_init(1);

    while ((ch = getopt(argc, argv, "")) != -1) {
        switch (ch) {
        default:
            fatalx("bad option");
            /* NOTREACHED */
        }
    }
    argc -= optind;
    argv += optind;

    if (argc == 0)
        fatalx("missing path");
    path = argv[0];

    L = luaL_newstate();

    make_global_table(L, "service", services);
    make_global_table(L, "Lookup", NULL);
    make_global_table(L, "Fetch", NULL);
    make_global_table(L, "Check", NULL);
    make_global_table(L, "Update", NULL);

    /* load and run the Lua script given on the command line */
    luaL_openlibs(L);
    if (luaL_loadfile(L, path) || lua_pcall(L, 0, 0, 0))
        fatalx("%s", lua_tostring(L, -1));

    log_debug("debug: starting...");

    /* register the table API callbacks, then serve requests */
    table_api_on_update(table_lua_update);
    table_api_on_check(table_lua_check);
    table_api_on_lookup(table_lua_lookup);
    table_api_on_fetch(table_lua_fetch);

    table_api_dispatch();

    log_debug("debug: exiting");

    lua_close(L);

    return 1;
}

table.lua

function update ()
    io.stderr:write("\n\t\ttable-lua is updating\n")

    return true
end




Re: Question about OpenSMTPD and Debian package and filters/spam filtering

2019-08-21 Thread Michiel van Es



> On 21 Aug 2019, at 13:58, Gilles Chehade  wrote:
> 
> On Wed, Aug 21, 2019 at 12:50:10PM +0200, Michiel van Es wrote:
>> Hi!
>> 
> 
> Hi,
> 
> 
>> I am running a small VPS with 1 GB memory with Debian 10 amd64 with 
>> OpenSMTPD (6.0.3) for private email and am looking what my best options are 
>> to limit spam.
>> I know there are some filters from Joerg 
>> (https://www.mail-archive.com/misc@opensmtpd.org/msg04402.html) but am not 
>> sure if these will work with my version of OpenSMTPD (I get a syntax error 
>> when trying the old filter syntax).
>> 
>> I can also relay everything to Amavisd/SpamAssassin but then email won’t 
>> get blocked at the SMTP level, also ASSP or Rspamd is an option but they are 
>> pretty resource intensive and will eat all my VPS memory ;) 
>> 
>> What would be my best option?
>> 
> 
> 6.0.3 is a fairly old version and there aren't many options available.
> 
> if you're forced to stick with that version, which suffers from at least
> one denial of service as far as I know, your best option is to relay via
> something like SpamPD so it can interface with SpamAssassin, but this is
> not going to operate at SMTP level, it will happen at delivery time.

That’s interesting since Debian has a good track record of back porting 
security fixes in their stable packages.
I will ask the maintainer if he applied the patch or upgraded the package to 
latest version.
For now I use spampd which works fine for bayesian spam detection.

> 
> there will be no way of blocking at SMTP level before next release 6.6.0
> that is going to happen in a few weeks, during October, so any option is
> going to be post delivery: either as a custom MDA, or as a relay via for
> some smtp proxy that will reinject in smtpd like the dkimproxy stuff.

I will wait for 6.6.0 ;)

> 
> your best option would really be to build from source 6.4.2: it will not
> block at SMTP level but will provide mechanisms to ease interfacing with
> spamassassin or rspamd for post-SMTP handling.
> 
> if you're not too easily scared, running the development version is good
> too because it's very close to release now, very stable and will not get
> much changes until October as I'm busy busy these days ;-)

Might give that a try, thanks :) 
> 
> 
>> I like to do some DNSBL and SpamAssassin checks if possible.
>> 
>> My config if that is to any use to give some insights:
>> 
>> pki server.pragmasec.nl certificate 
>> "/etc/letsencrypt/live/pragmasec.nl/fullchain.pem"
>> pki server.pragmasec.nl key "/etc/letsencrypt/live/pragmasec.nl/privkey.pem"
>> listen on localhost
>> listen on eth0 port 25 tls pki server.pragmasec.nl hostname 
>> server.pragmasec.nl auth-optional
>> listen on eth0 port 587 tls-require pki server.pragmasec.nl hostname 
>> server.pragmasec.nl auth
>> table vdomains file:/etc/mail/domains
>> table vusers file:/etc/mail/vusers
>> expire 7d
>> limit mta inet4
>> accept from any for domain  virtual  deliver to mda 
>> "/usr/lib/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"
>> accept from local for any relay
>> 
>> Cheers,
>> 
>> Michiel
>> 
>> 
>> 
> 
> -- 
> Gilles Chehade   @poolpOrg
> 
> https://www.poolp.org    patreon: https://www.patreon.com/gilles




Re: Question about OpenSMTPD and Debian package and filters/spam filtering

2019-08-21 Thread Gilles Chehade
On Wed, Aug 21, 2019 at 12:50:10PM +0200, Michiel van Es wrote:
> Hi!
> 

Hi,


> I am running a small VPS with 1 GB memory with Debian 10 amd64 with OpenSMTPD 
> (6.0.3) for private email and am looking what my best options are to limit 
> spam.
> I know there are some filters from Joerg 
> (https://www.mail-archive.com/misc@opensmtpd.org/msg04402.html) but am not 
> sure if these will work with my version of OpenSMTPD (I get a syntax error 
> when trying the old filter syntax).
> 
> I can also relay everything to Amavisd/SpamAssassin but then email won’t 
> get blocked at the SMTP level, also ASSP or Rspamd is an option but they are 
> pretty resource intensive and will eat all my VPS memory ;) 
> 
> What would be my best option?
> 

6.0.3 is a fairly old version and there aren't many options available.

if you're forced to stick with that version, which suffers from at least
one denial of service as far as I know, your best option is to relay via
something like SpamPD so it can interface with SpamAssassin, but this is
not going to operate at SMTP level, it will happen at delivery time.

there will be no way of blocking at SMTP level before next release 6.6.0
that is going to happen in a few weeks, during October, so any option is
going to be post delivery: either as a custom MDA, or as a relay via for
some smtp proxy that will reinject in smtpd like the dkimproxy stuff.

your best option would really be to build from source 6.4.2: it will not
block at SMTP level but will provide mechanisms to ease interfacing with
spamassassin or rspamd for post-SMTP handling.

if you're not too easily scared, running the development version is good
too because it's very close to release now, very stable and will not get
much changes until October as I'm busy busy these days ;-)


> I like to do some DNSBL and SpamAssassin checks if possible.
> 
> My config if that is to any use to give some insights:
> 
> pki server.pragmasec.nl certificate 
> "/etc/letsencrypt/live/pragmasec.nl/fullchain.pem"
> pki server.pragmasec.nl key "/etc/letsencrypt/live/pragmasec.nl/privkey.pem"
> listen on localhost
> listen on eth0 port 25 tls pki server.pragmasec.nl hostname 
> server.pragmasec.nl auth-optional
> listen on eth0 port 587 tls-require pki server.pragmasec.nl hostname 
> server.pragmasec.nl auth
> table vdomains file:/etc/mail/domains
> table vusers file:/etc/mail/vusers
> expire 7d
> limit mta inet4
> accept from any for domain  virtual  deliver to mda 
> "/usr/lib/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"
> accept from local for any relay
> 
> Cheers,
> 
> Michiel
> 
> 
> 

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org    patreon: https://www.patreon.com/gilles



Question about OpenSMTPD and Debian package and filters/spam filtering

2019-08-21 Thread Michiel van Es
Hi!

I am running a small VPS with 1 GB memory with Debian 10 amd64 with OpenSMTPD 
(6.0.3) for private email and am looking what my best options are to limit spam.
I know there are some filters from Joerg 
(https://www.mail-archive.com/misc@opensmtpd.org/msg04402.html) but am not sure 
if these will work with my version of OpenSMTPD (I get a syntax error when 
trying the old filter syntax).

I can also relay everything to Amavisd/SpamAssassin but then email won’t get 
blocked at the SMTP level, also ASSP or Rspamd is an option but they are pretty 
resource intensive and will eat all my VPS memory ;) 

What would be my best option?

I like to do some DNSBL and SpamAssassin checks if possible.

My config if that is to any use to give some insights:

pki server.pragmasec.nl certificate 
"/etc/letsencrypt/live/pragmasec.nl/fullchain.pem"
pki server.pragmasec.nl key "/etc/letsencrypt/live/pragmasec.nl/privkey.pem"
listen on localhost
listen on eth0 port 25 tls pki server.pragmasec.nl hostname server.pragmasec.nl 
auth-optional
listen on eth0 port 587 tls-require pki server.pragmasec.nl hostname 
server.pragmasec.nl auth
table vdomains file:/etc/mail/domains
table vusers file:/etc/mail/vusers
expire 7d
limit mta inet4
accept from any for domain  virtual  deliver to mda 
"/usr/lib/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"
accept from local for any relay

Cheers,

Michiel





Re: Question about backup mx

2018-10-31 Thread Matt Schwartz
Ok, thanks for the clarification. I guess one way to avoid the wait is to
just manually schedule all.

On Wed, Oct 31, 2018, 8:48 AM Gilles Chehade  wrote:

> On Mon, Oct 22, 2018 at 01:36:07PM -0400, Matt Schwartz wrote:
> > If I have two mail exchange servers and the primary one goes down, do
> > I then have to manually issue an smtpctl schedule all to resume
> > delivery from the backup to the primary?
> >
>
> no, you just have to wait for the backup one to realize the primary is up
> which may take some time depending how long the primary was down.
>
>
>
> --
> Gilles Chehade
>
> https://www.poolp.org  @poolpOrg
>


Re: Question about backup mx

2018-10-31 Thread Gilles Chehade
On Mon, Oct 22, 2018 at 01:36:07PM -0400, Matt Schwartz wrote:
> If I have two mail exchange servers and the primary one goes down, do
> I then have to manually issue an smtpctl schedule all to resume
> delivery from the backup to the primary?
> 

no, you just have to wait for the backup one to realize the primary is up
which may take some time depending how long the primary was down.



-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Question about backup mx

2018-10-22 Thread Matt Schwartz
If I have two mail exchange servers and the primary one goes down, do
I then have to manually issue an smtpctl schedule all to resume
delivery from the backup to the primary?




Re: userbase question

2018-09-01 Thread Matt Schwartz
Hi Gilles,

Thank you for your advice about using wrappers. I decided to implement
an mda wrapper as per your suggestion. It is interesting that I still
needed to specify either an mbox or maildir in the syntax when I
specify a wrapper. In this case, it doesn't seem to matter if I use
mbox or maildir because dovecot's LDA is doing the final delivery.
This works but I might be doing it wrong.

action "local" mbox wrapper "deliver" alias 
action "domain" mbox wrapper "deliver" virtual 
match for local action "local"
match from any for domain  action "domain"

I have to agree that using the mda wrapper feature is a heck of a lot
cleaner. I am even going to do some testing using OpenSMTPD for final
delivery now that there is explicit support for junk mail delivery. I
think the reason that the userbase didn't work is that I am using
dovecot for final delivery of the email. Below is a patch for the
smtpd.conf(8) man page to reflect where to use the wrapper specified
by mda wrapper.

--- smtpd.conf.5Sat Sep  1 08:52:32 2018
+++ smtpd.conf.5 Sat Sep  1 08:55:23 2018
@@ -156,6 +156,9 @@
 .Pq see Sx FORMAT SPECIFIERS .
 .It Cm relay
 Relay the message to another SMTP server.
+.It Cm wrapper Ar name
+Use a wrapper specified by
+.Cm mda wrapper .It command.
 .El
 .Pp
 The local delivery methods support additional options:
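Review bot: The third added line, `.Cm mda wrapper .It command.`, has a stray `.It` in the middle of a macro line; mdoc only treats `.It` as a macro at the start of a line, so here it will be rendered as literal text inside the `.Cm` argument. Suggest ending the entry with `.Cm mda wrapper` followed by `command.` on its own line. Placement also needs a second look: the new `.It Cm wrapper Ar name` entry sits in the list of delivery methods right after `relay`, while the example in this message uses it as an option to a delivery method (`action "local" mbox wrapper "deliver"`), so it may belong in the list introduced by "The local delivery methods support additional options:" instead.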
On Sat, Sep 1, 2018 at 8:01 AM Gilles Chehade  wrote:
>
> On Mon, Aug 27, 2018 at 09:54:05AM -0400, Matt Schwartz wrote:
> > I am hoping not to have to use sqlite tables. I like the simplicity of
> > file-based configuration.
>
> just for the record:
>
> besides table-specific features, all smtpd features are usable from file
> configurations since I write the features for the file backend _then_ we
> adapt the other backends.
>
>
>
> > On Mon, Aug 27, 2018 at 9:47 AM Reio Remma  wrote:
> > >
> > > Iirc I got the .forward file working with sqlite tables, where the user 
> > > query also returned the virtual user’s maildir as an extra parameter.
> > >
> > > Good luck,
> > > Reio
> > >
> > > > On 27 Aug 2018, at 16:11, Matt Schwartz  
> > > > wrote:
> > > >
> > > > Hello misc@,
> > > >
> > > > Below is my configuration file. I am trying to use the userbase
> > > > parameter and when I try to send an email to myself, I get the 550
> > > > Invalid Recipient error. I am trying to get the usrbase parameter
> > > > working so that I can add a .forward file for virtual users as per the
> > > > table(5) man page. If I don't use the userbase parameter, mail
> > > > delivery works just fine. I am not certain what I am doing wrong here.
> > > >
> > > > #smtpd.conf
> > > > pki mail cert "/etc/ssl/smtpd.crt"
> > > > pki mail key "/etc/ssl/private/smtpd.key"
> > > >
> > > > table aliases file:/etc/mail/aliases
> > > > table addrnames file:/etc/mail/addrnames
> > > > table credentials file:/etc/mail/credentials
> > > > table domains file:/etc/mail/domains
> > > > table virtuals file:/etc/mail/virtuals
> > > > table usrbase file:/etc/mail/usrbase
> > > > table rejects file:/etc/mail/rejects
> > > >
> > > > # Listeners
> > > > #
> > > > listen on lo0
> > > > listen on lo0 port 10028 tag DKIM
> > > > listen on vio0 tls pki mail hostnames 
> > > > listen on vio0 port 587 tls-require pki mail auth  \
> > > >hostnames 
> > > >
> > > > # Actions
> > > > #
> > > > action "local" mda "/usr/local/bin/rspamc -d %{dest} --mime --exec
> > > > '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest} -a
> > > > %{rcpt}'" alias 
> > > > action "domain" mda "/usr/local/bin/rspamc -d %{dest} --mime --exec
> > > > '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest} -a
> > > > %{rcpt}'" userbase  virtual 
> > > > action "dkim" relay host smtp://127.0.0.1:10027
> > > > action "relay" relay
> > > >
> > > > # Incoming
> > > > #
> > > > match from any mail-from  for any reject
> > > > match from local for local action "local"
> > > > match from any for domain  action "domain"
> > > >
> > > > # Outgoing
> > > > #
> > > > match tag DKIM for any action "relay"
> > > > match from local for any action "dkim"
> > > > match auth from any for any action "dkim"
> > > >
> > > > #usrbase
> > > > m...@example.org 2000:2000:/var/vmail/example.org/matt
> > > >
> > > > #virtuals
> > > > m...@example.org vmail
> > > >
> > > > Thanks in advance,
> > > > Matt
> > > >
> > > > --
> > > > You received this mail because you are subscribed to misc@opensmtpd.org
> > > > To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
> > > >
> > >
> > >
> > > --
> > > You received this mail because you are subscribed to misc@opensmtpd.org
> > > To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
> > >
> >
> > --
> > You received this mail because you are subscribed to misc@opensmtpd.org
> > To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
> >
>
> --
> Gilles Chehade
>
> https://www.poolp.org  @poolpOrg


Re: userbase question

2018-09-01 Thread Gilles Chehade
On Mon, Aug 27, 2018 at 09:54:05AM -0400, Matt Schwartz wrote:
> I am hoping not to have to use sqlite tables. I like the simplicity of
> file-based configuration.

just for the record:

besides table-specific features, all smtpd features are usable from file
configurations since I write the features for the file backend _then_ we
adapt the other backends.



> On Mon, Aug 27, 2018 at 9:47 AM Reio Remma  wrote:
> >
> > Iirc I got the .forward file working with sqlite tables, where the user 
> > query also returned the virtual user’s maildir as an extra parameter.
> >
> > Good luck,
> > Reio
> >
> > > On 27 Aug 2018, at 16:11, Matt Schwartz  wrote:
> > >
> > > Hello misc@,
> > >
> > > Below is my configuration file. I am trying to use the userbase
> > > parameter and when I try to send an email to myself, I get the 550
> > > Invalid Recipient error. I am trying to get the usrbase parameter
> > > working so that I can add a .forward file for virtual users as per the
> > > table(5) man page. If I don't use the userbase parameter, mail
> > > delivery works just fine. I am not certain what I am doing wrong here.
> > >
> > > #smtpd.conf
> > > pki mail cert "/etc/ssl/smtpd.crt"
> > > pki mail key "/etc/ssl/private/smtpd.key"
> > >
> > > table aliases file:/etc/mail/aliases
> > > table addrnames file:/etc/mail/addrnames
> > > table credentials file:/etc/mail/credentials
> > > table domains file:/etc/mail/domains
> > > table virtuals file:/etc/mail/virtuals
> > > table usrbase file:/etc/mail/usrbase
> > > table rejects file:/etc/mail/rejects
> > >
> > > # Listeners
> > > #
> > > listen on lo0
> > > listen on lo0 port 10028 tag DKIM
> > > listen on vio0 tls pki mail hostnames 
> > > listen on vio0 port 587 tls-require pki mail auth  \
> > >hostnames 
> > >
> > > # Actions
> > > #
> > > action "local" mda "/usr/local/bin/rspamc -d %{dest} --mime --exec
> > > '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest} -a
> > > %{rcpt}'" alias 
> > > action "domain" mda "/usr/local/bin/rspamc -d %{dest} --mime --exec
> > > '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest} -a
> > > %{rcpt}'" userbase  virtual 
> > > action "dkim" relay host smtp://127.0.0.1:10027
> > > action "relay" relay
> > >
> > > # Incoming
> > > #
> > > match from any mail-from  for any reject
> > > match from local for local action "local"
> > > match from any for domain  action "domain"
> > >
> > > # Outgoing
> > > #
> > > match tag DKIM for any action "relay"
> > > match from local for any action "dkim"
> > > match auth from any for any action "dkim"
> > >
> > > #usrbase
> > > m...@example.org 2000:2000:/var/vmail/example.org/matt
> > >
> > > #virtuals
> > > m...@example.org vmail
> > >
> > > Thanks in advance,
> > > Matt
> > >
> > > --
> > > You received this mail because you are subscribed to misc@opensmtpd.org
> > > To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
> > >
> >
> >
> > --
> > You received this mail because you are subscribed to misc@opensmtpd.org
> > To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
> >
> 
> --
> You received this mail because you are subscribed to misc@opensmtpd.org
> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
> 

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg




Re: userbase question

2018-09-01 Thread Gilles Chehade
On Mon, Aug 27, 2018 at 09:11:02AM -0400, Matt Schwartz wrote:
> Hello misc@,
> 
> Below is my configuration file. I am trying to use the userbase
> parameter and when I try to send an email to myself, I get the 550
> Invalid Recipient error. I am trying to get the usrbase parameter
> working so that I can add a .forward file for virtual users as per the
> table(5) man page. If I don't use the userbase parameter, mail
> delivery works just fine. I am not certain what I am doing wrong here.
> 
> #smtpd.conf
> pki mail cert "/etc/ssl/smtpd.crt"
> pki mail key "/etc/ssl/private/smtpd.key"
> 
> table aliases file:/etc/mail/aliases
> table addrnames file:/etc/mail/addrnames
> table credentials file:/etc/mail/credentials
> table domains file:/etc/mail/domains
> table virtuals file:/etc/mail/virtuals
> table usrbase file:/etc/mail/usrbase
> table rejects file:/etc/mail/rejects
> 
> # Listeners
> #
> listen on lo0
> listen on lo0 port 10028 tag DKIM
> listen on vio0 tls pki mail hostnames 
> listen on vio0 port 587 tls-require pki mail auth  \
> hostnames 
> 
> # Actions
> #
> action "local" mda "/usr/local/bin/rspamc -d %{dest} --mime --exec
> '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest} -a
> %{rcpt}'" alias 
> action "domain" mda "/usr/local/bin/rspamc -d %{dest} --mime --exec
> '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest} -a
> %{rcpt}'" userbase  virtual 
> action "dkim" relay host smtp://127.0.0.1:10027
> action "relay" relay
> 

you might want to have a look at mda wrappers, it will simplify your
actions considerably ;-)


> # Incoming
> #
> match from any mail-from  for any reject
> match from local for local action "local"
> match from any for domain  action "domain"
> 
> # Outgoing
> #
> match tag DKIM for any action "relay"
> match from local for any action "dkim"
> match auth from any for any action "dkim"
> 
> #usrbase
> m...@example.org 2000:2000:/var/vmail/example.org/matt
> 

userbase maps a user to an account, so you shouldn't use an email address
here, it should be 'vmail' since that's what you use as the delivery user
in your virtuals table below:

> #virtuals
> m...@example.org vmail
> 


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg




Re: userbase question

2018-08-27 Thread Edgar Pettijohn
Sent from my Verizon Smartphone

On Aug 27, 2018 8:54 AM, Matt Schwartz  wrote:
>
> I am hoping not to have to use sqlite tables. I like the simplicity of
> file-based configuration.
> On Mon, Aug 27, 2018 at 9:47 AM Reio Remma  wrote:
> >
> > Iirc I got the .forward file working with sqlite tables, where the user query
> > also returned the virtual user’s maildir as an extra parameter.
> >
> > Good luck,
> > Reio
> >
> > > On 27 Aug 2018, at 16:11, Matt Schwartz  wrote:
> > >
> > > Hello misc@,
> > >
> > > Below is my configuration file. I am trying to use the userbase
> > > parameter and when I try to send an email to myself, I get the 550
> > > Invalid Recipient error. I am trying to get the usrbase parameter
> > > working so that I can add a .forward file for virtual users as per the
> > > table(5) man page. If I don't use the userbase parameter, mail
> > > delivery works just fine. I am not certain what I am doing wrong here.
> > >
> > > #smtpd.conf
> > > pki mail cert "/etc/ssl/smtpd.crt"
> > > pki mail key "/etc/ssl/private/smtpd.key"
> > >
> > > table aliases file:/etc/mail/aliases
> > > table addrnames file:/etc/mail/addrnames
> > > table credentials file:/etc/mail/credentials
> > > table domains file:/etc/mail/domains
> > > table virtuals file:/etc/mail/virtuals
> > > table usrbase file:/etc/mail/usrbase
> > > table rejects file:/etc/mail/rejects
> > >
> > > # Listeners
> > > #
> > > listen on lo0
> > > listen on lo0 port 10028 tag DKIM
> > > listen on vio0 tls pki mail hostnames 
> > > listen on vio0 port 587 tls-require pki mail auth  \
> > >    hostnames 
> > >
> > > # Actions
> > > #
> > > action "local" mda "/usr/local/bin/rspamc -d %{dest} --mime --exec
> > > '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest} -a
> > > %{rcpt}'" alias 
> > > action "domain" mda "/usr/local/bin/rspamc -d %{dest} --mime --exec
> > > '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest} -a
> > > %{rcpt}'" userbase  virtual 
> > > action "dkim" relay host smtp://127.0.0.1:10027
> > > action "relay" relay
> > >
> > > # Incoming
> > > #
> > > match from any mail-from  for any reject
> > > match from local for local action "local"
> > > match from any for domain  action "domain"
> > >
> > > # Outgoing
> > > #
> > > match tag DKIM for any action "relay"
> > > match from local for any action "dkim"
> > > match auth from any for any action "dkim"
> > >
> > > #usrbase
> > > m...@example.org 2000:2000:/var/vmail/example.org/matt
> > >
> > > #virtuals
> > > m...@example.org vmail
> > >
> > > Thanks in advance,
> > > Matt
> > >
> > > --
> > > You received this mail because you are subscribed to misc@opensmtpd.org
> > > To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
> > >
> >
> >
> > --
> > You received this mail because you are subscribed to misc@opensmtpd.org
> > To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
> >
>
> --
> You received this mail because you are subscribed to misc@opensmtpd.org
> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
>

It seems to be a bug. Look at the thread about forwarding a single email. He has the same issue. I switched to MySQL tables about a year ago and it is so much easier.

Re: userbase question

2018-08-27 Thread Matt Schwartz
I am hoping not to have to use sqlite tables. I like the simplicity of
file-based configuration.
On Mon, Aug 27, 2018 at 9:47 AM Reio Remma  wrote:
>
> Iirc I got the .forward file working with sqlite tables, where the user query 
> also returned the virtual user’s maildir as an extra parameter.
>
> Good luck,
> Reio
>
> > On 27 Aug 2018, at 16:11, Matt Schwartz  wrote:
> >
> > Hello misc@,
> >
> > Below is my configuration file. I am trying to use the userbase
> > parameter and when I try to send an email to myself, I get the 550
> > Invalid Recipient error. I am trying to get the usrbase parameter
> > working so that I can add a .forward file for virtual users as per the
> > table(5) man page. If I don't use the userbase parameter, mail
> > delivery works just fine. I am not certain what I am doing wrong here.
> >
> > #smtpd.conf
> > pki mail cert "/etc/ssl/smtpd.crt"
> > pki mail key "/etc/ssl/private/smtpd.key"
> >
> > table aliases file:/etc/mail/aliases
> > table addrnames file:/etc/mail/addrnames
> > table credentials file:/etc/mail/credentials
> > table domains file:/etc/mail/domains
> > table virtuals file:/etc/mail/virtuals
> > table usrbase file:/etc/mail/usrbase
> > table rejects file:/etc/mail/rejects
> >
> > # Listeners
> > #
> > listen on lo0
> > listen on lo0 port 10028 tag DKIM
> > listen on vio0 tls pki mail hostnames 
> > listen on vio0 port 587 tls-require pki mail auth  \
> >hostnames 
> >
> > # Actions
> > #
> > action "local" mda "/usr/local/bin/rspamc -d %{dest} --mime --exec
> > '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest} -a
> > %{rcpt}'" alias 
> > action "domain" mda "/usr/local/bin/rspamc -d %{dest} --mime --exec
> > '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest} -a
> > %{rcpt}'" userbase  virtual 
> > action "dkim" relay host smtp://127.0.0.1:10027
> > action "relay" relay
> >
> > # Incoming
> > #
> > match from any mail-from  for any reject
> > match from local for local action "local"
> > match from any for domain  action "domain"
> >
> > # Outgoing
> > #
> > match tag DKIM for any action "relay"
> > match from local for any action "dkim"
> > match auth from any for any action "dkim"
> >
> > #usrbase
> > m...@example.org 2000:2000:/var/vmail/example.org/matt
> >
> > #virtuals
> > m...@example.org vmail
> >
> > Thanks in advance,
> > Matt
> >
> > --
> > You received this mail because you are subscribed to misc@opensmtpd.org
> > To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
> >
>
>
> --
> You received this mail because you are subscribed to misc@opensmtpd.org
> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
>




Re: userbase question

2018-08-27 Thread Reio Remma
Iirc I got the .forward file working with sqlite tables, where the user query 
also returned the virtual user’s maildir as an extra parameter.

Good luck,
Reio

> On 27 Aug 2018, at 16:11, Matt Schwartz  wrote:
> 
> Hello misc@,
> 
> Below is my configuration file. I am trying to use the userbase
> parameter and when I try to send an email to myself, I get the 550
> Invalid Recipient error. I am trying to get the usrbase parameter
> working so that I can add a .forward file for virtual users as per the
> table(5) man page. If I don't use the userbase parameter, mail
> delivery works just fine. I am not certain what I am doing wrong here.
> 
> #smtpd.conf
> pki mail cert "/etc/ssl/smtpd.crt"
> pki mail key "/etc/ssl/private/smtpd.key"
> 
> table aliases file:/etc/mail/aliases
> table addrnames file:/etc/mail/addrnames
> table credentials file:/etc/mail/credentials
> table domains file:/etc/mail/domains
> table virtuals file:/etc/mail/virtuals
> table usrbase file:/etc/mail/usrbase
> table rejects file:/etc/mail/rejects
> 
> # Listeners
> #
> listen on lo0
> listen on lo0 port 10028 tag DKIM
> listen on vio0 tls pki mail hostnames 
> listen on vio0 port 587 tls-require pki mail auth  \
>hostnames 
> 
> # Actions
> #
> action "local" mda "/usr/local/bin/rspamc -d %{dest} --mime --exec
> '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest} -a
> %{rcpt}'" alias 
> action "domain" mda "/usr/local/bin/rspamc -d %{dest} --mime --exec
> '/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest} -a
> %{rcpt}'" userbase  virtual 
> action "dkim" relay host smtp://127.0.0.1:10027
> action "relay" relay
> 
> # Incoming
> #
> match from any mail-from  for any reject
> match from local for local action "local"
> match from any for domain  action "domain"
> 
> # Outgoing
> #
> match tag DKIM for any action "relay"
> match from local for any action "dkim"
> match auth from any for any action "dkim"
> 
> #usrbase
> m...@example.org 2000:2000:/var/vmail/example.org/matt
> 
> #virtuals
> m...@example.org vmail
> 
> Thanks in advance,
> Matt
> 
> -- 
> You received this mail because you are subscribed to misc@opensmtpd.org
> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
> 





userbase question

2018-08-27 Thread Matt Schwartz
Hello misc@,

Below is my configuration file. I am trying to use the userbase
parameter and when I try to send an email to myself, I get the 550
Invalid Recipient error. I am trying to get the usrbase parameter
working so that I can add a .forward file for virtual users as per the
table(5) man page. If I don't use the userbase parameter, mail
delivery works just fine. I am not certain what I am doing wrong here.

#smtpd.conf
pki mail cert "/etc/ssl/smtpd.crt"
pki mail key "/etc/ssl/private/smtpd.key"

table aliases file:/etc/mail/aliases
table addrnames file:/etc/mail/addrnames
table credentials file:/etc/mail/credentials
table domains file:/etc/mail/domains
table virtuals file:/etc/mail/virtuals
table usrbase file:/etc/mail/usrbase
table rejects file:/etc/mail/rejects

# Listeners
#
listen on lo0
listen on lo0 port 10028 tag DKIM
listen on vio0 tls pki mail hostnames 
listen on vio0 port 587 tls-require pki mail auth  \
hostnames 

# Actions
#
action "local" mda "/usr/local/bin/rspamc -d %{dest} --mime --exec
'/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest} -a
%{rcpt}'" alias 
action "domain" mda "/usr/local/bin/rspamc -d %{dest} --mime --exec
'/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest} -a
%{rcpt}'" userbase  virtual 
action "dkim" relay host smtp://127.0.0.1:10027
action "relay" relay

# Incoming
#
match from any mail-from  for any reject
match from local for local action "local"
match from any for domain  action "domain"

# Outgoing
#
match tag DKIM for any action "relay"
match from local for any action "dkim"
match auth from any for any action "dkim"

#usrbase
m...@example.org 2000:2000:/var/vmail/example.org/matt

#virtuals
m...@example.org vmail

Thanks in advance,
Matt




Re: AW: hello! ... and first question

2018-05-30 Thread Damiano Venturin
On 22/05/18 21:52, Damiano Venturin wrote:
> On 22/05/18 06:48, Michael Taubert wrote:
>>
>> Hi Dam!
>>
>>  
>>
> Hello!
>>
>> Did you try to add „example—com“ to your virtual Domains table? E.g.
>> https://www.opensmtpd.org/faq/example1.html

Let me change the angle a little.

What's the best practice to follow for naming the users when a server
uses multiple domains?

I tried again with u...@example.com which matches the local user
u...@example.com but I get this error which disappears if I remove the
"@" from the local username.

smtpd event=failed-command command="RCPT TO:
NOTIFY=FAILURE,DELAY" result="550 Invalid recipient"

I'm insisting on this because I would like my users to be able to use
"u...@example.com" to login both against IMAP and SMTP avoiding
situations like "user-example--com"

What can I do?






Re: AW: hello! ... and first question

2018-05-22 Thread Damiano Venturin
On 22/05/18 06:48, Michael Taubert wrote:
>
> Hi Dam!
>
>  
>
Hello!
>
> Did you try to add „example—com“ to your virtual Domains table? E.g.
> https://www.opensmtpd.org/faq/example1.html
>
>  
>

ehm I'm not sure what to answer ... yes I've added example.com but I
did not add example--com

The thought of adding example--com never crossed my mind. I'll try and
report.

Dam


AW: hello! ... and first question

2018-05-21 Thread Michael Taubert
Hi Dam!

Did you try to add „example—com“ to your virtual Domains table? E.g. 
https://www.opensmtpd.org/faq/example1.html

Best regards,
Michael

From: Damiano Venturin
Sent: Tuesday, 22 May 2018 01:16
To: misc@opensmtpd.org
Subject: hello! ... and first question

Hello, this is Dam

I'm in the process of freeing myself from Gmail and I'm trying to
configure my debian vm as a mailserver using OpenSMTPD.

Back in the day I used to run my own mailserver with Postfix (then
I don't know what happened to me and I moved to 3rd party services) but
this is my first time with OpenSMTPD so I'm really trying to learn how
to configure it properly.

So far so good I've to say. Chess Griffin's guide has been of great help.

There is one thing that I've noticed: if the local user contains @ in
the name, OpenSMTPD can't route an incoming email properly. I'm not sure
if this is something expected or a bug or if I'm missing something.

So this is the scenario:

d...@venturin.net sends an email to u...@example.com (123.123.123.123)
which is mapped on the server as user@example--com.

So this is what you see in my /etc/opensmtd/vuser:

u...@example.com:             user@example--com


As you can see from the log below, the incoming email is accepted, goes
through clamsmtp filtering process (listening on 127.0.0.1:10025)

smtpd[2794]: b22a8aceadaec265 smtp event=connected
address=209.35.192.171 host=mail-pf1-f171.google.com
smtpd[2794]: b22a8aceadaec265 smtp event=message msgid=9c2da050
from= to= size=2847 ndest=1 proto=ESMTP
smtpd[2794]: b22a8aceadaec265 smtp event=closed reason=quit
smtpd[2794]: b22a8ad7d4f8e7b8 mta event=connecting
address=smtp://127.0.0.1:10025 host=localhost
smtpd[2794]: b22a8ad7d4f8e7b8 mta event=connected
smtpd[2794]: b22a8ad89531da2b smtp event=connected address=127.0.0.1
host=localhost
smtpd[2794]: b22a8ad89531da2b smtp event=message msgid=9a2845eb
from= to= size=3043 ndest=1 proto=ESMTP

I think that now OpenSMTPD tries to send back a receipt to the email
server which has sent the email. Am I right?

According to the configuration, the message is sent again to clamsmtp
which is listening on 127.0.0.1:10027

smtpd[2794]: b22a8ae0d78126ae mta event=connecting
address=smtp://127.0.0.1:10027 host=localhost
smtpd[2794]: b22a8ad7d4f8e7b8 mta event=delivery evpid=9c2da05070285532
from= to= rcpt=<-> source=127.0.0.1
relay=
127.0.0.1 (localhost) delay=11s result=Ok stat=250 2.0.0: 9a2845eb
Message accepted for delivery
smtpd[2794]: b22a8ae0d78126ae mta event=connected

But then something happens: all of a sudden the recipient is no longer
u...@example.com but user@example--com (which is the name of the real
local user)

smtpd[2794]: b22a8ae11170b5b4 smtp event=connected address=127.0.0.1
host=localhost
smtpd[2794]: b22a8ae11170b5b4 smtp event=message msgid=f33aeeec
from= to= size=3243 ndest=1 proto=ESMTP
smtpd[2794]: b22a8ae0d78126ae mta event=delivery evpid=9a2845eb454ddf26
from= to=rcpt=
source=127.0.0.1 relay=127.0.0.1 (localhost) delay=5s result=Ok stat=250
2.0.0: f33aeeec Message accepted for delivery
smtpd[2794]: b22a8ad89531da2b smtp event=closed reason=quit
smtpd[2794]: b22a8ad7d4f8e7b8 mta event=closed reason=quit messages=1
smtpd[2794]: smtp-out: Failed to resolve MX for [relay:example--com]:
Domain does not exist

Of course the domain example--com is not found

smtpd[2794]:  mta event=delivery evpid=f33aeeecc889f968
from= to= rcpt=<-> source=-
relay=example--
info delay=5s result=PermFail stat=Domain does not exist
smtpd[2794]: b22a8aeac0c27769 smtp event=connected address=local
host=localhost
smtpd[2794]: b22a8aeac0c27769 smtp event=message msgid=57f4cae9 from=<>
to= size=4459 ndest=1 proto=ESMTP
smtpd[2794]: b22a8aeac0c27769 smtp event=closed reason=quit
smtpd[2794]: b22a8ae11170b5b4 smtp event=message msgid=e121e32c from=<>
to= size=4660 ndest=1 proto=ESMTP
smtpd[2794]: b22a8ae0d78126ae mta event=delivery evpid=57f4cae9a970f282
from=<> to= rcpt=<-> source=127.0.0.1 relay=127.0.0.1 (loc
alhost) delay=1s result=Ok stat=250 2.0.0: e121e32c Message accepted for
delivery
smtpd[2794]: b22a8ae11170b5b4 smtp event=closed reason=quit
smtpd[2794]: b22a8ae0d78126ae mta event=closed reason=quit messages=2
smtpd[2794]: b22a8af88282d316 mta event=connecting
address=smtp+tls://66.102.1.27:25 host=wb-in-f27.1e100.net
smtpd[2794]: b22a8af88282d316 mta event=connected
smtpd[2794]: b22a8af88282d316 mta event=starttls
ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128
smtpd[2794]: smtp-out: Server certificate verification succeeded on
session b22a8af88282d316
smtpd[2794]: b22a8af88282d316 mta event=delivery evpid=e121e32cb085713e
from=<> to= rcpt=<-> source=123.123.123.123
relay=66.102.1.
27 (wb-in-f27.1e100.net) delay=20s result=Ok stat=250 2.0.0 OK
1526942107 a7-v6si5619866wrq.344 - gsmtp

Now, if I change the local username to, say, user-example--com or
user-example.c

hello! ... and first question

2018-05-21 Thread Damiano Venturin
Hello, this is Dam

I'm in the process of freeing myself from Gmail and I'm trying to
configure my debian vm as a mailserver using OpenSMTPD.

Back in the day I used to run my own mailserver with Postfix (then
I don't know what happened to me and I moved to 3rd party services) but
this is my first time with OpenSMTPD so I'm really trying to learn how
to configure it properly.

So far so good I've to say. Chess Griffin's guide has been of great help.

There is one thing that I've noticed: if the local user contains @ in
the name, OpenSMTPD can't route an incoming email properly. I'm not sure
if this is something expected or a bug or if I'm missing something.

So this is the scenario:

d...@venturin.net sends an email to u...@example.com (123.123.123.123)
which is mapped on the server as user@example--com.

So this is what you see in my /etc/opensmtd/vuser:

u...@example.com:             user@example--com


As you can see from the log below, the incoming email is accepted, goes
through clamsmtp filtering process (listening on 127.0.0.1:10025)

smtpd[2794]: b22a8aceadaec265 smtp event=connected
address=209.35.192.171 host=mail-pf1-f171.google.com
smtpd[2794]: b22a8aceadaec265 smtp event=message msgid=9c2da050
from= to= size=2847 ndest=1 proto=ESMTP
smtpd[2794]: b22a8aceadaec265 smtp event=closed reason=quit
smtpd[2794]: b22a8ad7d4f8e7b8 mta event=connecting
address=smtp://127.0.0.1:10025 host=localhost
smtpd[2794]: b22a8ad7d4f8e7b8 mta event=connected
smtpd[2794]: b22a8ad89531da2b smtp event=connected address=127.0.0.1
host=localhost
smtpd[2794]: b22a8ad89531da2b smtp event=message msgid=9a2845eb
from= to= size=3043 ndest=1 proto=ESMTP

I think that now OpenSMTPD tries to send back a receipt to the email
server which has sent the email. Am I right?

According to the configuration, the message is sent again to clamsmtp
which is listening on 127.0.0.1:10027

smtpd[2794]: b22a8ae0d78126ae mta event=connecting
address=smtp://127.0.0.1:10027 host=localhost
smtpd[2794]: b22a8ad7d4f8e7b8 mta event=delivery evpid=9c2da05070285532
from= to= rcpt=<-> source=127.0.0.1
relay=
127.0.0.1 (localhost) delay=11s result=Ok stat=250 2.0.0: 9a2845eb
Message accepted for delivery
smtpd[2794]: b22a8ae0d78126ae mta event=connected

But then something happens: all of a sudden the recipient is no longer
u...@example.com but user@example--com (which is the name of the real
local user)

smtpd[2794]: b22a8ae11170b5b4 smtp event=connected address=127.0.0.1
host=localhost
smtpd[2794]: b22a8ae11170b5b4 smtp event=message msgid=f33aeeec
from= to= size=3243 ndest=1 proto=ESMTP
smtpd[2794]: b22a8ae0d78126ae mta event=delivery evpid=9a2845eb454ddf26
from= to=rcpt=
source=127.0.0.1 relay=127.0.0.1 (localhost) delay=5s result=Ok stat=250
2.0.0: f33aeeec Message accepted for delivery
smtpd[2794]: b22a8ad89531da2b smtp event=closed reason=quit
smtpd[2794]: b22a8ad7d4f8e7b8 mta event=closed reason=quit messages=1
smtpd[2794]: smtp-out: Failed to resolve MX for [relay:example--com]:
Domain does not exist

Of course the domain example--com is not found

smtpd[2794]:  mta event=delivery evpid=f33aeeecc889f968
from= to= rcpt=<-> source=-
relay=example--
info delay=5s result=PermFail stat=Domain does not exist
smtpd[2794]: b22a8aeac0c27769 smtp event=connected address=local
host=localhost
smtpd[2794]: b22a8aeac0c27769 smtp event=message msgid=57f4cae9 from=<>
to= size=4459 ndest=1 proto=ESMTP
smtpd[2794]: b22a8aeac0c27769 smtp event=closed reason=quit
smtpd[2794]: b22a8ae11170b5b4 smtp event=message msgid=e121e32c from=<>
to= size=4660 ndest=1 proto=ESMTP
smtpd[2794]: b22a8ae0d78126ae mta event=delivery evpid=57f4cae9a970f282
from=<> to= rcpt=<-> source=127.0.0.1 relay=127.0.0.1 (loc
alhost) delay=1s result=Ok stat=250 2.0.0: e121e32c Message accepted for
delivery
smtpd[2794]: b22a8ae11170b5b4 smtp event=closed reason=quit
smtpd[2794]: b22a8ae0d78126ae mta event=closed reason=quit messages=2
smtpd[2794]: b22a8af88282d316 mta event=connecting
address=smtp+tls://66.102.1.27:25 host=wb-in-f27.1e100.net
smtpd[2794]: b22a8af88282d316 mta event=connected
smtpd[2794]: b22a8af88282d316 mta event=starttls
ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128
smtpd[2794]: smtp-out: Server certificate verification succeeded on
session b22a8af88282d316
smtpd[2794]: b22a8af88282d316 mta event=delivery evpid=e121e32cb085713e
from=<> to= rcpt=<-> source=123.123.123.123
relay=66.102.1.
27 (wb-in-f27.1e100.net) delay=20s result=Ok stat=250 2.0.0 OK
1526942107 a7-v6si5619866wrq.344 - gsmtp

Now, if I change the local username to, say, user-example--com or
user-example.com, rebuild the vuser.db everything works fine but the
presence of the "@" seems to mess up things. Is this an expected behavior?

P.S. 1
* I've tested the same thing but removing clamsmtp for the (outgoing)
relayed traffic and the result is absolutely the same
* I've tried removing clamsmtp entirely and the result is the same but
the log changes in this way

smtpd[543
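
Why the recipient turns into `user@example--com` in the log above, as an added example that is not part of the original post or of OpenSMTPD: per aliases(5), a table value containing `@` is expanded as an e-mail address rather than a local user name, so it is matched against the ruleset again and, when its domain is not a local one, ends up at the relay. The lint below flags such values; the table contents, `LOCAL_DOMAINS`, `LOCAL_USERS` and all function names are constructed for illustration.

```python
# Constructed table contents in the style of the vuser file from the post.
SAMPLE_TABLE = """\
# virtual users (constructed sample)
user@example.com:        user@example--com
sales@example.com        vmail
info@example.com:        alice, ops@example.org
root@example.com         postmaster@example.com
"""
LOCAL_DOMAINS = {"example.com"}                        # assumption: domains accepted locally
LOCAL_USERS = {"vmail", "alice", "user-example--com"}  # assumption: existing accounts


def classify(value):
    """Classify one expansion value the way aliases(5) lists the forms."""
    if value.startswith("/"):
        return "file"
    if value.startswith("|"):
        return "command"
    if value.startswith(":include:"):
        return "include"
    if value.startswith("error:"):
        return "error"
    if "@" in value:
        return "address"   # routed again as a recipient address
    return "user"          # delivered to a local account


def parse_table(text):
    """Yield (line_number, key, [values]) for every mapping line."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            continue  # key without a value: nothing to expand
        key = fields[0].rstrip(":")
        values = [v.strip() for v in fields[1].split(",") if v.strip()]
        yield lineno, key, values


def lint_table(text, local_domains, local_users):
    """Return (line, key, value, finding) for values that will not deliver locally."""
    findings = []
    for lineno, key, values in parse_table(text):
        for value in values:
            kind = classify(value)
            if kind == "address":
                domain = value.rpartition("@")[2].lower()
                if domain not in local_domains:
                    # The address leaves the local rules: MX lookup for `domain`.
                    findings.append((lineno, key, value, "relayed-to:" + domain))
            elif kind == "user" and value not in local_users:
                findings.append((lineno, key, value, "unknown-user"))
    return findings


if __name__ == "__main__":
    for finding in lint_table(SAMPLE_TABLE, LOCAL_DOMAINS, LOCAL_USERS):
        print("line %d: %s -> %s (%s)" % finding)
```

A `relayed-to:` finding on an intended external forward is fine; one on a name that was meant to be a local account is the situation in the post.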

RE: Userbase question.

2018-02-05 Thread Olivier
Hi,

In fact Dovecot handles the delivery via LMTP.

→ The relation  &   in the extract below permit the delivery via the SQL query (depending on the case, for local / vdomains).

Extract from /etc/mail/smtpd.conf
---
(…)
###
#
## Allow to deliver
#
accept for local alias  deliver to mbox

###
#
## Relay
#
# Tagged mail returned from DKIM
accept tagged DKIM_OUT for any relay

# tagged mail returned from spampd deliver to maildir
accept tagged SPAM_IN for domain  virtual  deliver to lmtp "/var/dovecot/lmtp" rcpt-to # deliver via lmtp

# tagged mail returned from clamsmtpd either send to spampd or dkimproxy_out
accept tagged CLAM_IN   for any relay via smtp://127.0.0.1:10035 # send to spampd
accept tagged CLAM_OUT  for any relay via smtp://127.0.0.1:10030 # send to dkimproxy_out

#
# Start here (inbound)
accept from any for domain  relay via smtp://127.0.0.1:10025  # to clamd via clamsmtpd_in
accept from local for any relay via smtp://127.0.0.1:10027  # to clamd via clamsmtpd_out

In parallel dovecot has to be configured:

# Authentication for SQL users. Included from 10-auth.conf.
#
#

passdb {
  driver = sql

  # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
  args = /etc/dovecot/dovecot-sql.conf.ext
}

userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/vmail/%d/%n
}

/etc/mail/dovecot-sql.conf.ext

+---> doas cat /etc/dovecot/dovecot-sql.conf.ext
# This file is commonly accessed via passdb {} or userdb {} section in
# conf.d/auth-sql.conf.ext

# Database driver: mysql, pgsql, sqlite
driver = pgsql

connect = host=127.0.0.1 dbname=vmail user=vmail password=myPassword

default_pass_scheme = BLF-CRYPT # BSD authentication

password_query = \
  SELECT email, password \
  FROM credentials WHERE email = '%u' AND active = 'Y' # the active field makes it possible to temporarily deactivate a user

You also have to configure another part of the dovecot side: http://wiki2.dovecot.org/

Postgresql instructions for OpenBSD:

doas pkg_add postgresql-server
doas su - _postgresql
mkdir /var/postgresql/data
initdb -D /var/postgresql/data -U postgres -A md5 -E UTF8 -W
exit
rcctl enable postgresql
→ modify /var/postgresql/data/postgresql.conf following your own recommendations
→ modify /var/postgresql/data/pg_hba.conf following your own recommendations
doas rcctl start postgresql
psql -U postgres

CREATE USER myUser;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE USAGE ON SCHEMA public FROM PUBLIC;
GRANT CREATE ON SCHEMA public TO postgres;
GRANT USAGE ON SCHEMA public TO postgres;
CREATE DATABASE myDatabase WITH OWNER myUser;
ALTER ROLE myUser WITH PASSWORD 'myPassword';
\q

psql -U myUser

CREATE SEQUENCE seq_myDatabase_vDomains_id START 1;
CREATE SEQUENCE seq_myDatabase_vUsers_id START 1;
CREATE SEQUENCE seq_myDatabase_credentials_id START 1;

CREATE TABLE vDomains (
id INT NOT NULL DEFAULT nextval('seq_myDatabase_vdomains_id'),
domain varchar(40) NOT NULL UNIQUE,
PRIMARY KEY (id)
);

CREATE TABLE vUsers (
id INT NOT NULL DEFAULT nextval('seq_myDatabase_vusers_id'),
email VARCHAR(60) NOT NULL UNIQUE,
domain VARCHAR(40) NOT NULL,
destination VARCHAR(60) NOT NULL DEFAULT 'myUser',
PRIMARY KEY (id),
FOREIGN KEY (domain) REFERENCES vDomains(domain) ON DELETE CASCADE
);

CREATE TABLE credentials (
id INT NOT NULL DEFAULT nextval('seq_myDatabase_credentials_id'),
email VARCHAR(60) NOT NULL,
password VARCHAR(60),
active BOOLEAN DEFAULT 'TRUE' NOT NULL,
PRIMARY KEY (id),
FOREIGN KEY (email) REFERENCES vusers(email) ON DELETE CASCADE
);

-- every domain used in vusers has to exist in vdomains first (foreign key)
INSERT INTO vdomains (domain) VALUES ('first.domain'), ('my.domain');

-- vusers rows go in before credentials, which references vusers(email)
INSERT INTO vusers (email, domain, destination)
VALUES
('one.user', 'first.domain', 'vmail'),
('postmaster@my.domain', 'my.domain', 'my.aliass');

INSERT INTO credentials (email, password) VALUES ('one.user', 'myEncryptedPassword');  -- using smtpctl encrypt

Olivier.

From: Reio Remma [mailto:r...@mrstuudio.ee]
Sent: Sunday, February 4, 2018 9:22 PM
To: misc@opensmtpd.org
Subject: Re: Userbase question.

 

The only reference I've found that tackles a similar problem:

https://hugo.barrera.io/journal/2015/02/15/opensmtpd-dovecot-shared-sql-db/

Rather convoluted for a simple thing though. :)

Reio


On 04.02.2018 22:01, Reio Remma wrote:

On 04.02.2018 21:56, Reio Remma wrote:

Hello!

query_userinfo select 1001,1001,'/var/vmail/' from vusers where email=$1;


I now realize your version doesn't return the actual user's virtu

Re: Userbase question.

2018-02-04 Thread Reio Remma

On 05.02.18 2:18, Reio Remma wrote:

On 04.02.2018 22:21, Reio Remma wrote:

On 04.02.2018 22:01, Reio Remma wrote:

On 04.02.2018 21:56, Reio Remma wrote:


*From:* Reio Remma [mailto:r...@mrstuudio.ee]
*Sent:* Sunday, February 4, 2018 3:02 PM
*To:* misc@opensmtpd.org
*Subject:* Userbase question.

Hello!

I'm trying to figure out how I can have virtual domains/users 
working completely decoupled from system users.


Every virtual/alias path seem to want to end up at a system 
account so I'm trying to use userbase, but userbase seems to take 
username without the domain part as key.


query_userinfo  SELECT 5000, 5000, CONCAT('/home/dovecot/domains/', domain, '/', username ) AS homedir FROM users WHERE username = ?;


domain-one.com
- bob
- emily

domain-two.com
- john
- albert
- bob (not the same bob as b...@domain-one.com 
<mailto:b...@domain-one.com>)


Mail sent to b...@domain-two.com <mailto:b...@domain-two.com> will 
end up at b...@domain-one.com <mailto:b...@domain-one.com> mailbox.


Am I missing something about using virtuals in general? I'm 
starting to feel a little stupid here. :)


Thanks,
Reio



I think I may have solved it (with a similar approach to Hugo Barrera's).

OpenSMTPD now sees all virtual maildirs' .forward files etc.

query_alias     SELECT CONCAT( username, '_', domain ) FROM users WHERE email = ?;

query_domain    SELECT domain FROM users WHERE domain = ? LIMIT 1;
query_userinfo  SELECT 5000, 5000, CONCAT('/home/dovecot/domains/', domain, '/', username ) as maildir FROM users WHERE
                domain = SUBSTRING_INDEX( @u := ?, "_", -1 ) AND
                username = TRIM( TRAILING CONCAT('_', SUBSTRING_INDEX( @u, "_", -1 ) ) FROM @u );


I do hope query_userinfo will one day accept a second parameter (domain).

Good night!
Reio


A little refinement to query_userinfo:

query_userinfo  SELECT 5000, 5000, CONCAT('/home/dovecot/domains/', domain, '/', username ) AS homedir FROM users WHERE
                domain = ( @dom := SUBSTRING_INDEX( @u := ?, "_", -1 ) ) AND
                username = TRIM( TRAILING CONCAT('_', @dom ) FROM @u );

--
Tervitades,

Reio Remma
spetsialist
MR Stuudio O†Ü
Tondi 17BŠ, 11316, Tallinn
Tel: (+372) 6 504 808
Mob: (+372) 56 22 00 33
E-Mail: r...@mrstuudio.ee
www.mrstuudio.ee
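
The mailbox collision described in this thread and the `username_domain` key that works around it, as an added example that is not code from the thread or from OpenSMTPD: an in-memory SQLite table stands in for the MySQL `users` table, and the split that the posted `query_userinfo` does with `SUBSTRING_INDEX`/`TRIM` is done in Python. The sample rows (including `mary_ann`) and all function names are constructed for illustration, and domains are assumed to contain no underscore.

```python
import sqlite3

# Constructed sample data mirroring the thread: two domains that each have a "bob".
USERS = [
    ("bob", "domain-one.com"),
    ("emily", "domain-one.com"),
    ("john", "domain-two.com"),
    ("albert", "domain-two.com"),
    ("bob", "domain-two.com"),
    ("mary_ann", "domain-two.com"),  # underscore inside the local part
]
HOME_ROOT = "/home/dovecot/domains"


def make_db():
    """Build the stand-in users table (username, domain, email)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (username TEXT NOT NULL, domain TEXT NOT NULL,"
        " email TEXT NOT NULL UNIQUE, UNIQUE (username, domain))"
    )
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(u, d, f"{u}@{d}") for u, d in USERS],
    )
    return db


def alias_key(db, email):
    """Alias step: map the full address to the single-string key 'username_domain'."""
    row = db.execute(
        "SELECT username || '_' || domain FROM users WHERE email = ?", (email,)
    ).fetchone()
    return row[0] if row else None


def userinfo_by_username(db, key):
    """First attempt from the thread: the userbase key is the bare username."""
    rows = db.execute(
        "SELECT domain, username FROM users WHERE username = ? ORDER BY rowid", (key,)
    ).fetchall()
    return [f"{HOME_ROOT}/{d}/{u}" for d, u in rows]


def split_key(key):
    """Split at the LAST underscore: domains contain none, local parts may."""
    username, sep, domain = key.rpartition("_")
    if not sep or not username or not domain:
        return None
    return username, domain


def userinfo_by_composite(db, key):
    """Composite-key lookup: recover (username, domain) and match on both columns."""
    parts = split_key(key)
    if parts is None:
        return None
    row = db.execute(
        "SELECT domain, username FROM users WHERE username = ? AND domain = ?", parts
    ).fetchone()
    return f"{HOME_ROOT}/{row[0]}/{row[1]}" if row else None


def resolve(db, email):
    """Full path for one recipient: alias step, then the userinfo step."""
    key = alias_key(db, email)
    return userinfo_by_composite(db, key) if key else None


if __name__ == "__main__":
    db = make_db()
    # Two rows come back for one key: whichever is used, one bob gets the other's mail.
    print("bare username 'bob' ->", userinfo_by_username(db, "bob"))
    for rcpt in ("bob@domain-one.com", "bob@domain-two.com", "mary_ann@domain-two.com"):
        print(rcpt, "->", resolve(db, rcpt))
```

The bare-username lookup returning two home directories for `bob` is the cross-domain misdelivery from the first post; the composite key gives each recipient exactly one.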



Re: Userbase question.

2018-02-04 Thread Reio Remma

On 04.02.2018 22:21, Reio Remma wrote:

The only reference I've found that tackles a similar problem:

https://hugo.barrera.io/journal/2015/02/15/opensmtpd-dovecot-shared-sql-db/

Rather convoluted for a simple thing though. :)

Reio


On 04.02.2018 22:01, Reio Remma wrote:

On 04.02.2018 21:56, Reio Remma wrote:

Hello!

query_userinfo select 1001,1001,'/var/vmail/' from vusers where email=$1;


I now realize your version doesn't return the actual user's virtual 
mail directory. But maybe it doesn't need to. I suspect Dovecot can 
handle .forward files as well, though it would be nice if they were 
checked without turning to Dovecot.


In my setup currently OpenSMTPD can use .forward files by itself, 
which is nice.




Does it match against an actual (whole) e-mail address or username 
for you?


What does your "accept for domain ..." line in smtpd.conf look like?

All the best,
Reio

On 04.02.2018 21:11, Olivier wrote:


Hello

I am using my own server with a postgresql database to store 
domains, users & password:


vmail=> \d
                 List of relations
 Schema |           Name           |   Type   | Owner
--------+--------------------------+----------+-------
 public | credentials              | table    | vmail
 public | seq_vmail_credentials_id | sequence | vmail
 public | seq_vmail_vdomains_id    | sequence | vmail
 public | seq_vmail_vusers_id      | sequence | vmail
 public | vdomains                 | table    | vmail
 public | vusers                   | table    | vmail

This database is used by dovecot & opensmtpd for authentication 
(for encoding: use smtpctl encrypt).


All email is stored in the Maildir format, and stored on the disk:

/var/vmail/some.domain.tld/SomeUsers/Maildir

For this, following packages have to be installed

_opensmtpd-extras-201703132115p1 extras

_opensmtpd-extras-pgsql-201703132115p1

Extract from smtpd.conf:

(…)

###

#

## Define Table

#

table aliases   db:/etc/mail/aliases.db

table vdomains postgres:/etc/mail/pgsql.conf

table passwd postgres:/etc/mail/pgsql.conf

table valiases postgres:/etc/mail/pgsql.conf

(…)

Below, the database interface  (/etc/mail/pgsql.conf)

# smtpd.conf: table users pgsql:/etc/mail/pgsql.conf

conninfo host='myHost' user='myUser' password='myPassword' dbname='myDBName'


# Alias lookup query

#

query_alias select destination from myRelation where email=$1;

#

# Domain lookup query

#

query_domain select domain from myRelation where domain=$1;

#

# User lookup query

#

#query_userinfo select 1001,1001,'/var/vmail/' from vusers where email=$1;


#

# Credentials lookup query

#

query_credentials select email, password from credentials where email=$1 and active = 'Y';  # <-- here your SQL request


Sorry for my bad english. I hope that it will be helping.

Olivier.

*From:* Reio Remma [mailto:r...@mrstuudio.ee]
*Sent:* Sunday, February 4, 2018 3:02 PM
*To:* misc@opensmtpd.org
*Subject:* Userbase question.

Hello!

I'm trying to figure out how I can have virtual domains/users 
working completely decoupled from system users.


Every virtual/alias path seem to want to end up at a system account 
so I'm trying to use userbase, but userbase seems to take username 
without the domain part as key.


query_userinfo  SELECT 5000, 5000, CONCAT('/home/dovecot/domains/', domain, '/', username ) AS homedir FROM users WHERE username = ?;


domain-one.com
- bob
- emily

domain-two.com
- john
- albert
- bob (not the same bob as b...@domain-one.com 
<mailto:b...@domain-one.com>)


Mail sent to b...@domain-two.com <mailto:b...@domain-two.com> will 
end up at b...@domain-one.com <mailto:b...@domain-one.com> mailbox.


Am I missing something about using virtuals in general? I'm 
starting to feel a little stupid here. :)


Thanks,
Reio



I think I may have solved it (with a similar approach to Hugo Barrera's).

OpenSMTPD now sees all virtual maildirs' .forward files etc.

query_alias     SELECT CONCAT( username, '_', domain ) FROM users WHERE email = ?;

query_domain    SELECT domain FROM users WHERE domain = ? LIMIT 1;
query_userinfo  SELECT 5000, 5000, CONCAT('/home/dovecot/domains/', domain, '/', username ) as maildir FROM users WHERE
                domain = SUBSTRING_INDEX( @u := ?, "_", -1 ) AND
                username = TRIM( TRAILING CONCAT('_', SUBSTRING_INDEX( @u, "_", -1 ) ) FROM @u );


I do hope query_userinfo will one day accept a second parameter (domain).

Good night!
Reio


Re: Userbase question.

2018-02-04 Thread Reio Remma

The only reference I've found that tackles a similar problem:

https://hugo.barrera.io/journal/2015/02/15/opensmtpd-dovecot-shared-sql-db/

Rather convoluted for a simple thing though. :)

Reio


On 04.02.2018 22:01, Reio Remma wrote:

On 04.02.2018 21:56, Reio Remma wrote:

Hello!

query_userinfo select 1001,1001,'/var/vmail/' from vusers where email=$1;


I now realize your version doesn't return the actual user's virtual 
mail directory. But maybe it doesn't need to. I suspect Dovecot can 
handle .forward files as well, though it would be nice if they were 
checked without turning to Dovecot.


In my setup currently OpenSMTPD can use .forward files by itself, 
which is nice.




Does it match against an actual (whole) e-mail address or username for 
you?


What does your "accept for domain ..." line in smtpd.conf look like?

All the best,
Reio

On 04.02.2018 21:11, Olivier wrote:


Hello

I am using my own server with a postgresql database to store 
domains, users & password:


vmail=> \d
                 List of relations
 Schema |           Name           |   Type   | Owner
--------+--------------------------+----------+-------
 public | credentials              | table    | vmail
 public | seq_vmail_credentials_id | sequence | vmail
 public | seq_vmail_vdomains_id    | sequence | vmail
 public | seq_vmail_vusers_id      | sequence | vmail
 public | vdomains                 | table    | vmail
 public | vusers                   | table    | vmail

This database is used by dovecot & opensmtpd for authentication (for 
encoding: use smtpctl encrypt).


All email are stored in the Maildir format, and store in the disk:

/var/vmail/some.domain.tld/SomeUsers/Maildir

For this, following packages have to be installed

_opensmtpd-extras-201703132115p1 extras

_opensmtpd-extras-pgsql-201703132115p1

Extract from smtpd.conf:

(…)

###

#

## Define Table

#

table aliases   db:/etc/mail/aliases.db

table vdomains  postgres:/etc/mail/pgsql.conf

table passwd    postgres:/etc/mail/pgsql.conf

table valiases  postgres:/etc/mail/pgsql.conf

(…)

Below, the database interface  (/etc/mail/pgsql.conf)

# smtpd.conf: table users pgsql:/etc/mail/pgsql.conf

conninfo host='myHost' user='myUser' password='myPassword' 
dbname='myDBName'


# Alias lookup query

#

query_alias select destination from myRelation where email=$1;

#

# Domain lookup query

#

query_domain select domain from myRelation where domain=$1;

#

# User lookup query

#

#query_userinfo select 1001,1001,'/var/vmail/' from vusers where 
email=$1;


#

# Credentials lookup query

#

query_credentials select email, password from credentials where 
email=$1 and active = 'Y';  # <-- here your SQL request


Sorry for my bad english. I hope that it will be helping.

Olivier.

*From:* Reio Remma [mailto:r...@mrstuudio.ee]
*Sent:* Sunday, February 4, 2018 3:02 PM
*To:* misc@opensmtpd.org
*Subject:* Userbase question.

Hello!

I'm trying to figure out how I can have virtual domains/users 
working completely decoupled from system users.


Every virtual/alias path seem to want to end up at a system account 
so I'm trying to use userbase, but userbase seems to take username 
without the domain part as key.


query_userinfo  SELECT 5000, 5000, 
CONCAT('/home/dovecot/domains/', domain, '/', username ) AS homedir 
FROM users WHERE username = ?;


domain-one.com
- bob
- emily

domain-two.com
- john
- albert
- bob (not the same bob as b...@domain-one.com 
<mailto:b...@domain-one.com>)


Mail sent to b...@domain-two.com <mailto:b...@domain-two.com> will end 
up at b...@domain-one.com <mailto:b...@domain-one.com> mailbox.


Am I missing something about using virtuals in general? I'm starting 
to feel a little stupid here. :)


Thanks,
Reio









Re: Userbase question.

2018-02-04 Thread Reio Remma

On 04.02.2018 21:56, Reio Remma wrote:

Hello!

query_userinfo select 1001,1001,'/var/vmail/' from vusers where email=$1;


I now realize your version doesn't return the actual user's virtual mail 
directory. But maybe it doesn't need to. I suspect Dovecot can handle 
.forward files as well, though it would be nice if they were checked 
without turning to Dovecot.


In my setup currently OpenSMTPD can use .forward files by itself, which 
is nice.




Does it match against an actual (whole) e-mail address or username for you?

What does your "accept for domain ..." line in smtpd.conf look like?

All the best,
Reio

On 04.02.2018 21:11, Olivier wrote:


Hello

I am using my own server with a postgresql database to store domains, 
users & password:


vmail=> \d
                 List of relations
 Schema |           Name           |   Type   | Owner
--------+--------------------------+----------+-------
 public | credentials              | table    | vmail
 public | seq_vmail_credentials_id | sequence | vmail
 public | seq_vmail_vdomains_id    | sequence | vmail
 public | seq_vmail_vusers_id      | sequence | vmail
 public | vdomains                 | table    | vmail
 public | vusers                   | table    | vmail

This database is used by dovecot & opensmtpd for authentication (for 
encoding: use smtpctl encrypt).


All email are stored in the Maildir format, and store in the disk:

/var/vmail/some.domain.tld/SomeUsers/Maildir

For this, following packages have to be installed

_opensmtpd-extras-201703132115p1 extras

_opensmtpd-extras-pgsql-201703132115p1

Extract from smtpd.conf:

(…)

###

#

## Define Table

#

table aliases   db:/etc/mail/aliases.db

table vdomains  postgres:/etc/mail/pgsql.conf

table passwd    postgres:/etc/mail/pgsql.conf

table valiases  postgres:/etc/mail/pgsql.conf

(…)

Below, the database interface  (/etc/mail/pgsql.conf)

# smtpd.conf: table users pgsql:/etc/mail/pgsql.conf

conninfo host='myHost' user='myUser' password='myPassword' 
dbname='myDBName'


# Alias lookup query

#

query_alias select destination from myRelation where email=$1;

#

# Domain lookup query

#

query_domain select domain from myRelation where domain=$1;

#

# User lookup query

#

#query_userinfo select 1001,1001,'/var/vmail/' from vusers where 
email=$1;


#

# Credentials lookup query

#

query_credentials select email, password from credentials where 
email=$1 and active = 'Y';  # <-- here your SQL request


Sorry for my bad english. I hope that it will be helping.

Olivier.

*From:* Reio Remma [mailto:r...@mrstuudio.ee]
*Sent:* Sunday, February 4, 2018 3:02 PM
*To:* misc@opensmtpd.org
*Subject:* Userbase question.

Hello!

I'm trying to figure out how I can have virtual domains/users working 
completely decoupled from system users.


Every virtual/alias path seem to want to end up at a system account 
so I'm trying to use userbase, but userbase seems to take username 
without the domain part as key.


query_userinfo  SELECT 5000, 5000, 
CONCAT('/home/dovecot/domains/', domain, '/', username ) AS homedir 
FROM users WHERE username = ?;


domain-one.com
- bob
- emily

domain-two.com
- john
- albert
- bob (not the same bob as b...@domain-one.com 
<mailto:b...@domain-one.com>)


Mail sent to b...@domain-two.com <mailto:b...@domain-two.com> will end 
up at b...@domain-one.com <mailto:b...@domain-one.com> mailbox.


Am I missing something about using virtuals in general? I'm starting 
to feel a little stupid here. :)


Thanks,
Reio







Re: Userbase question.

2018-02-04 Thread Reio Remma

Hello!

query_userinfo select 1001,1001,'/var/vmail/' from vusers where email=$1;

Does it match against an actual (whole) e-mail address or username for you?

What does your "accept for domain ..." line in smtpd.conf look like?

All the best,
Reio

On 04.02.2018 21:11, Olivier wrote:


Hello

I am using my own server with a postgresql database to store domains, 
users & password:


vmail=> \d
                 List of relations
 Schema |           Name           |   Type   | Owner
--------+--------------------------+----------+-------
 public | credentials              | table    | vmail
 public | seq_vmail_credentials_id | sequence | vmail
 public | seq_vmail_vdomains_id    | sequence | vmail
 public | seq_vmail_vusers_id      | sequence | vmail
 public | vdomains                 | table    | vmail
 public | vusers                   | table    | vmail

This database is used by dovecot & opensmtpd for authentication (for 
encoding: use smtpctl encrypt).


All email are stored in the Maildir format, and store in the disk:

/var/vmail/some.domain.tld/SomeUsers/Maildir

For this, following packages have to be installed

_opensmtpd-extras-201703132115p1 extras

_opensmtpd-extras-pgsql-201703132115p1

Extract from smtpd.conf:

(…)

###

#

## Define Table

#

table aliases   db:/etc/mail/aliases.db

table vdomains  postgres:/etc/mail/pgsql.conf

table passwd    postgres:/etc/mail/pgsql.conf

table valiases  postgres:/etc/mail/pgsql.conf

(…)

Below, the database interface  (/etc/mail/pgsql.conf)

# smtpd.conf: table users pgsql:/etc/mail/pgsql.conf

conninfo host='myHost' user='myUser' password='myPassword' 
dbname='myDBName'


# Alias lookup query

#

query_alias select destination from myRelation where email=$1;

#

# Domain lookup query

#

query_domain select domain from myRelation where domain=$1;

#

# User lookup query

#

#query_userinfo select 1001,1001,'/var/vmail/' from vusers where email=$1;

#

# Credentials lookup query

#

query_credentials select email, password from credentials where 
email=$1 and active = 'Y';  # <-- here your SQL request


Sorry for my bad english. I hope that it will be helping.

Olivier.

*From:* Reio Remma [mailto:r...@mrstuudio.ee]
*Sent:* Sunday, February 4, 2018 3:02 PM
*To:* misc@opensmtpd.org
*Subject:* Userbase question.

Hello!

I'm trying to figure out how I can have virtual domains/users working 
completely decoupled from system users.


Every virtual/alias path seem to want to end up at a system account so 
I'm trying to use userbase, but userbase seems to take username 
without the domain part as key.


query_userinfo  SELECT 5000, 5000, 
CONCAT('/home/dovecot/domains/', domain, '/', username ) AS homedir 
FROM users WHERE username = ?;


domain-one.com
- bob
- emily

domain-two.com
- john
- albert
- bob (not the same bob as b...@domain-one.com <mailto:b...@domain-one.com>)

Mail sent to b...@domain-two.com <mailto:b...@domain-two.com> will end 
up at b...@domain-one.com <mailto:b...@domain-one.com> mailbox.


Am I missing something about using virtuals in general? I'm starting 
to feel a little stupid here. :)


Thanks,
Reio





RE: Userbase question.

2018-02-04 Thread Olivier
Hello

 

I am using my own server with a postgresql database to store domains, users & 
passwords:

vmail=> \d
                 List of relations
 Schema |           Name           |   Type   | Owner
--------+--------------------------+----------+-------
 public | credentials              | table    | vmail
 public | seq_vmail_credentials_id | sequence | vmail
 public | seq_vmail_vdomains_id    | sequence | vmail
 public | seq_vmail_vusers_id      | sequence | vmail
 public | vdomains                 | table    | vmail
 public | vusers                   | table    | vmail

This database is used by dovecot & opensmtpd for authentication (for encoding: 
use smtpctl encrypt).

All email is stored in the Maildir format on disk:

/var/vmail/some.domain.tld/SomeUsers/Maildir

For this, the following packages have to be installed:

_opensmtpd-extras-201703132115p1 extras
_opensmtpd-extras-pgsql-201703132115p1

Extract from smtpd.conf:

(…)
###
#
## Define Table
#
table aliases   db:/etc/mail/aliases.db
table vdomains  postgres:/etc/mail/pgsql.conf
table passwd    postgres:/etc/mail/pgsql.conf
table valiases  postgres:/etc/mail/pgsql.conf
(…)

Below, the database interface (/etc/mail/pgsql.conf):

# smtpd.conf: table users pgsql:/etc/mail/pgsql.conf
conninfo host='myHost' user='myUser' password='myPassword' dbname='myDBName'

# Alias lookup query
#
query_alias select destination from myRelation where email=$1;
#
# Domain lookup query
#
query_domain select domain from myRelation where domain=$1;
#
# User lookup query
#
#query_userinfo select 1001,1001,'/var/vmail/' from vusers where email=$1;
#
# Credentials lookup query
#
query_credentials select email, password from credentials where email=$1 and 
active = 'Y';  # <-- here your SQL request

Sorry for my bad English. I hope this helps.

Olivier.

 

 

From: Reio Remma [mailto:r...@mrstuudio.ee] 
Sent: Sunday, February 4, 2018 3:02 PM
To: misc@opensmtpd.org
Subject: Userbase question.

 

Hello!

I'm trying to figure out how I can have virtual domains/users working 
completely decoupled from system users.

Every virtual/alias path seem to want to end up at a system account so I'm 
trying to use userbase, but userbase seems to take username without the domain 
part as key.

query_userinfo  SELECT 5000, 5000, CONCAT('/home/dovecot/domains/', 
domain, '/', username ) AS homedir FROM users WHERE username = ?;

domain-one.com
- bob
- emily

domain-two.com
- john
- albert
- bob (not the same bob as b...@domain-one.com)

Mail sent to b...@domain-two.com will end up at b...@domain-one.com mailbox.

Am I missing something about using virtuals in general? I'm starting to feel a 
little stupid here. :)

Thanks,
Reio



Re: Userbase question.

2018-02-04 Thread Reio Remma

Hey!

uid/gid are for vmail (/home/dovecot directory). I've looked at the 
smtpd lookup trace and query_userinfo queries the database purely by 
user name (without domain part). That is essentially where all 
virtuality fails. :/ If the database was queried by the full e-mail 
address (not unlike the virtual alias query), I could extract the domain 
part easily and proceed from there.


In Dovecot I've specified the username + domain separately in MySQL 
lookups where clauses.


Thanks!
Reio


On 04.02.2018 19:18, Edgar Pettijohn wrote:


does the system have a uid and gid 5000? I'm using mysql myself, but i 
don't have a userinfo section.  I'm guessing it should still work the 
same as the userinfo table described in table(5) though. Unfortunately 
I am no sql expert, so I would just recommend verifying that your 
query does what you expect it to do perhaps run it from the command 
line and see what you get.



On 02/04/18 10:32, Reio Remma wrote:

Current smtpd.conf below.

As I understand userbase is the only way to let OpenSMTPD know where 
to look for


table aliases  mysql:/etc/opensmtpd/mysql.conf
table domains mysql:/etc/opensmtpd/mysql.conf
table userinfo mysql:/etc/opensmtpd/mysql.conf
table credentials mysql:/etc/opensmtpd/mysql.conf

listen on 0.0.0.0 port 25 tls pki bwo.mrstuudio.ee
listen on 0.0.0.0 port 587 tls-require pki bwo.mrstuudio.ee auth 



listen on lo port 10025 tag Filtered
listen on lo port 10027 tag Signed

accept tagged Filtered for domain  virtual  
userbase  deliver to lmtp "/var/run/dovecot/lmtp" rcpt-to


accept from any for domain  relay via lmtp://127.0.0.1:10024

accept tagged Signed for any relay via tls://orc.mrstuudio.ee

accept from local for any relay via lmtp://127.0.0.1:10026

---

mysql.conf

query_alias SELECT username FROM users WHERE email = ?;
query_domain    SELECT domain FROM users WHERE domain = ? 
LIMIT 1;
query_userinfo  SELECT 5000, 5000, 
CONCAT('/home/dovecot/domains/', domain, '/', username ) AS homedir 
FROM users WHERE username = ?;
query_credentials   SELECT username, password FROM users WHERE 
email = ?;


Thanks,
Reio

On 04.02.2018 18:09, Edgar Pettijohn wrote:


what does your smtpd.conf look like?


On 02/04/18 08:01, Reio Remma wrote:

Hello!

I'm trying to figure out how I can have virtual domains/users 
working completely decoupled from system users.


Every virtual/alias path seem to want to end up at a system account 
so I'm trying to use userbase, but userbase seems to take username 
without the domain part as key.


query_userinfo  SELECT 5000, 5000, 
CONCAT('/home/dovecot/domains/', domain, '/', username ) AS homedir 
FROM users WHERE username = ?;


domain-one.com
- bob
- emily

domain-two.com
- john
- albert
- bob (not the same bob as b...@domain-one.com)

Mail sent to b...@domain-two.com will end up at b...@domain-one.com 
mailbox.


Am I missing something about using virtuals in general? I'm 
starting to feel a little stupid here. :)


Thanks,
Reio










Re: Userbase question.

2018-02-04 Thread Edgar Pettijohn

what does your smtpd.conf look like?


On 02/04/18 08:01, Reio Remma wrote:

Hello!

I'm trying to figure out how I can have virtual domains/users working 
completely decoupled from system users.


Every virtual/alias path seem to want to end up at a system account so 
I'm trying to use userbase, but userbase seems to take username 
without the domain part as key.


query_userinfo  SELECT 5000, 5000, 
CONCAT('/home/dovecot/domains/', domain, '/', username ) AS homedir 
FROM users WHERE username = ?;


domain-one.com
- bob
- emily

domain-two.com
- john
- albert
- bob (not the same bob as b...@domain-one.com)

Mail sent to b...@domain-two.com will end up at b...@domain-one.com mailbox.

Am I missing something about using virtuals in general? I'm starting 
to feel a little stupid here. :)


Thanks,
Reio




Userbase question.

2018-02-04 Thread Reio Remma

Hello!

I'm trying to figure out how I can have virtual domains/users working 
completely decoupled from system users.


Every virtual/alias path seem to want to end up at a system account so 
I'm trying to use userbase, but userbase seems to take username without 
the domain part as key.


query_userinfo  SELECT 5000, 5000, 
CONCAT('/home/dovecot/domains/', domain, '/', username ) AS homedir FROM 
users WHERE username = ?;


domain-one.com
- bob
- emily

domain-two.com
- john
- albert
- bob (not the same bob as b...@domain-one.com)

Mail sent to b...@domain-two.com will end up at b...@domain-one.com mailbox.

Am I missing something about using virtuals in general? I'm starting to 
feel a little stupid here. :)


Thanks,
Reio


Re: FAQ question

2017-10-30 Thread Chris Eidem
Mea culpa, mea maxima culpa…

Thank you for the swat with the clue stick.

> On Oct 30, 2017, at 9:54 AM, Bruno Pagani  wrote:
> Both. A passwd table is a passwd table, an auth table is an auth table. The 
> latter is the standard format for OpenSMTPd, the former is a classical format 
> that OpenSMTPd support through the file driver of the same name.
> 
> 

It was the error that Joris pointed out with the {BLF-CRYPT} in the passwd file.

> You’ve missed one line: “A standard OpenBSD installation as well as a recent 
> installation of OpenSMTPD-extras including: table-passwd […] is assumed”.
> 
> Regards,
> Bruno

I did indeed and that was carelessness on my part.  Again, thanks all for the 
correction.



Re: FAQ question

2017-10-30 Thread Bruno Pagani
Hi,

On 30/10/2017 at 15:23, Chris Eidem wrote:

> I’m attempting to create a multi-domain opensmtpd+dovecot set up.  I have a 
> question about the FAQ example.  In it you have the following line in the 
> config:
>
> listen on egress port 587 tls-require pki mail.example.com auth 
>
> and you have the passwd table in the dovecot as follows:
>
> j...@example.com:$2b$...encrypted...password...::
> u...@example.net:$2b$...encrypted...password...::userdb_quota_rule=*:storage=1G
>
> But in tables.5 it is stated that auth tables are in this format:
>
> Credentials tables are mappings of credentials. They can be used in two 
> contexts:
> listen on tls [...] auth  
>
> In a listener context, the credentials are a mapping of username and 
> encrypted passwords:
> user1 $2b$10$hIJ4QfMcp.90nJwKqGbKM.MybArjHOTpEtoTV.DgLYAiThuoYmTSe 
> user2 $2b$10$bwSmUOBGcZGamIfRuXGTvuTo3VLbPG9k5yeKNMBtULBhksV5KdGsK
>
> I am getting failures attempting to connect to my submission port.  The part 
> of my config relevant is:
> listen on lo0
> listen on egress port 25 tls pki mail.ceidem.com
> listen on egress port 465 tls-require pki mail.ceidem.com
> listen on egress port 587 tls-require pki mail.ceidem.com auth 
>
> with the passwd file:
>
> cei...@ceidem.com:{BLF-CRYPT}$2a$05$...encrypted...password...::
>
> Which is correct?  What have I missed?

Both. A passwd table is a passwd table, an auth table is an auth table.
The latter is the standard format for OpenSMTPd, the former is a
classical format that OpenSMTPd support through the file driver of the
same name.

To understand your issue, we would need to know the table you have defined.
You should have something like `table passwd passwd:/etc/mail/passwd`
pointing toward your passwd file.

Also, are you trying to connect to 587 or 465? If the latter, note that
you’re missing the auth part on this line, so this might only be used to
deliver mail to local recipients.

In any case, please give more details about “failures attempting to
connect”, what kind of failures ?

> Also, in the FAQ, you have the following config section:
>
> # tables setup
> table aliases file:/etc/mail/aliases
> table domains file:/etc/mail/domains
> table passwd passwd:/etc/mail/passwd
> table virtuals file:/etc/mail/virtuals
>
> But is it never mentioned that the passwd file driver is included in 
> opensmtpd-extras.  Took me a bit to figure that out.

You’ve missed one line: “A standard OpenBSD installation as well as a
recent installation of OpenSMTPD-extras including: table-passwd […] is
assumed”.

Regards,
Bruno




Re: FAQ question

2017-10-30 Thread Joris Vanhecke
I suggest reading the FAQ again.

On Mon, 30 Oct 2017, at 03:23 PM, Chris Eidem wrote:
> I’m attempting to create a multi-domain opensmtpd+dovecot set up.  I have
> a question about the FAQ example.  In it you have the following line in
> the config:
> 
> listen on egress port 587 tls-require pki mail.example.com auth 
> 
> and you have the passwd table in the dovecot as follows:
> 
> j...@example.com:$2b$...encrypted...password...::
> u...@example.net:$2b$...encrypted...password...::userdb_quota_rule=*:storage=1G
> 
> But in tables.5 it is stated that auth tables are in this format:
> 
> Credentials tables are mappings of credentials. They can be used in two
> contexts:
> listen on tls [...] auth  

Yes but this is table-passwd.5
It's OpenSMTPD-extras feature.

> 
> In a listener context, the credentials are a mapping of username and
> encrypted passwords:
> user1   $2b$10$hIJ4QfMcp.90nJwKqGbKM.MybArjHOTpEtoTV.DgLYAiThuoYmTSe 
> user2   $2b$10$bwSmUOBGcZGamIfRuXGTvuTo3VLbPG9k5yeKNMBtULBhksV5KdGsK
> 
> I am getting failures attempting to connect to my submission port.  The
> part of my config relevant is:
> listen on lo0
> listen on egress port 25 tls pki mail.ceidem.com
> listen on egress port 465 tls-require pki mail.ceidem.com
> listen on egress port 587 tls-require pki mail.ceidem.com auth 
> 
> with the passwd file:
> 
> cei...@ceidem.com:{BLF-CRYPT}$2a$05$...encrypted...password...::

Did you try what is exactly in the FAQ? 
Without the {BLF-CRYPT} part?

> 
> Which is correct?  What have I missed?
> 
> Also, in the FAQ, you have the following config section:
> 
> # tables setup
> table aliases file:/etc/mail/aliases
> table domains file:/etc/mail/domains
> table passwd passwd:/etc/mail/passwd
> table virtuals file:/etc/mail/virtuals
> 
> But is it never mentioned that the passwd file driver is included in
> opensmtpd-extras.  Took me a bit to figure that out.  

Yes it is.

> 
> Thank you for your time,
> Chris
> Email had 1 attachment:
> + smime.p7s
>   3k (application/pkcs7-signature)

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
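A check for the mismatch this thread tracks down, as an added Python example that is not from the FAQ or from the posters: it scans a passwd-style table for password fields that carry a Dovecot scheme tag such as {BLF-CRYPT} and can rewrite them without it. The sample lines and hash strings are constructed placeholders, and only the first two colon-separated fields are interpreted; everything after them is passed through untouched.

```python
import re

# A Dovecot-style scheme tag in front of the hash, e.g. {BLF-CRYPT}.
SCHEME_TAG = re.compile(r"^\{[A-Za-z0-9._-]+\}")

# Constructed sample table; the hashes are placeholders, not real bcrypt output.
SAMPLE = """\
alice@example.com:$2b$10$CONSTRUCTEDplaceholderHASH::
carol@example.net:{BLF-CRYPT}$2a$05$CONSTRUCTEDplaceholderHASH::
dave@example.net:::
not-a-table-line
"""


def _split(line):
    """Return [user, password, rest] (rest optional), or None if no ':'."""
    parts = line.split(":", 2)
    return parts if len(parts) >= 2 else None


def lint(text):
    """Return (line number, user, finding) for every suspicious entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = _split(line)
        if parts is None:
            findings.append((lineno, None, "malformed"))
        elif not parts[1]:
            findings.append((lineno, parts[0], "empty-password"))
        elif SCHEME_TAG.match(parts[1]):
            # The tag in front of the hash is what the thread found to
            # break authentication on the submission port.
            findings.append((lineno, parts[0], "scheme-tag"))
    return findings


def strip_scheme_tags(text):
    """Return the table with a leading scheme tag removed from field two."""
    out = []
    for line in text.splitlines():
        parts = _split(line)
        if parts is not None:
            parts[1] = SCHEME_TAG.sub("", parts[1], count=1)
            line = ":".join(parts)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
    print(strip_scheme_tags(SAMPLE), end="")
```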



FAQ question

2017-10-30 Thread Chris Eidem
I’m attempting to create a multi-domain opensmtpd+dovecot set up.  I have a 
question about the FAQ example.  In it you have the following line in the 
config:

listen on egress port 587 tls-require pki mail.example.com auth 

and you have the passwd table in the dovecot as follows:

j...@example.com:$2b$...encrypted...password...::
u...@example.net:$2b$...encrypted...password...::userdb_quota_rule=*:storage=1G

But in tables.5 it is stated that auth tables are in this format:

Credentials tables are mappings of credentials. They can be used in two 
contexts:
listen on tls [...] auth  

In a listener context, the credentials are a mapping of username and encrypted 
passwords:
user1   $2b$10$hIJ4QfMcp.90nJwKqGbKM.MybArjHOTpEtoTV.DgLYAiThuoYmTSe 
user2   $2b$10$bwSmUOBGcZGamIfRuXGTvuTo3VLbPG9k5yeKNMBtULBhksV5KdGsK

I am getting failures attempting to connect to my submission port.  The part of 
my config relevant is:
listen on lo0
listen on egress port 25 tls pki mail.ceidem.com
listen on egress port 465 tls-require pki mail.ceidem.com
listen on egress port 587 tls-require pki mail.ceidem.com auth 

with the passwd file:

cei...@ceidem.com:{BLF-CRYPT}$2a$05$...encrypted...password...::

Which is correct?  What have I missed?

Also, in the FAQ, you have the following config section:

# tables setup
table aliases file:/etc/mail/aliases
table domains file:/etc/mail/domains
table passwd passwd:/etc/mail/passwd
table virtuals file:/etc/mail/virtuals

But is it never mentioned that the passwd file driver is included in 
opensmtpd-extras.  Took me a bit to figure that out.  

Thank you for your time,
Chris



question about procmail and delimiter

2017-08-28 Thread Michiel van Es
Hi,

I am using OpenSMTPD (6.0.2) on Debian Stretch and want to pass the delimiter 
values via procmail to dovecot sieve.

My smtpd.conf:

pki server.pragmasec.nl certificate 
"/etc/letsencrypt/live/pragmasec.nl/fullchain.pem"
pki server.pragmasec.nl key "/etc/letsencrypt/live/pragmasec.nl/privkey.pem"
listen on localhost
listen on ens3 port 25 tls pki server.pragmasec.nl hostname server.pragmasec.nl 
auth-optional
listen on ens3 port 587 tls-require pki server.pragmasec.nl hostname 
server.pragmasec.nl auth-optional
table vdomains file:/usr/local/etc/vdomains
table vusers file:/usr/local/etc/vusers
expire 7d
limit mta inet4
accept from any for domain  virtual  deliver to mda 
"/usr/bin/procmail -f -"
accept from local for any relay

My .procmailrc:

SHELL=/usr/local/bin/bash
VERBOSE=yes
DELIVER=/usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
#DELIVER=/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -a %{rcpt}
LOGFILE=/var/log/procmail.log
DEFAULT=$HOME/Maildir/
ORGMAIL=$HOME/Maildir/
#DROPPRIVS=yes
DEBUG=YES
#
### virus scanning
#
:0fw
| /usr/local/procmail2virustotal/checkvirus.py
:0
* ^X-Virus-Flag: YES
$DEFAULT/.Virus/new
:0 w
| $DELIVER
:0
$DEFAULT


The thing is, when I am using postfix and use '/usr/bin/procmail -p' it proxies 
the username+det...@domain.com nicely to procmail which then delivers it to 
dovecot sieve and it finally filters the delimiter nicely.
If I change to OpenSMTPD and use the same procmail command the detail is cut off 
by OpenSMTPD:

procmail: Assigning "DEFAULT=/home/mve/Maildir/"
procmail: Assigning "ORGMAIL=/home/mve/Maildir/"
procmail: Assigning "DEBUG=YES"
procmail: Executing "/usr/local/procmail2virustotal/checkvirus.py"
procmail: [12334] Mon Aug 28 11:47:43 2017
procmail: No match on "^X-Virus-Flag: YES"
procmail: Executing "/usr/lib/dovecot/dovecot-lda"
procmail: Assigning "LASTFOLDER=/usr/lib/dovecot/dovecot-lda"
procmail: Notified comsat: "mve@:/usr/lib/dovecot/dovecot-lda"
 Subject: sd
  Folder: /usr/lib/dovecot/dovecot-lda

Notice the comsat line where mve@ is passed and not mve+detail@ to dovecot 
sieve.

My question: what kind of command do I have to use in smtpd.conf to pass these 
values to procmail?
I've got it working with dovecot-lda directly by using: deliver to mda 
"/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -a %{rcpt}" but when 
changing this to deliver to mda "/usr/bin/procmail -f %{sender} -a %{rcpt}" it 
does not work.
Also tried the -p option and -f - but all options seem not to pass the 
user+detail@ to procmail when using OpenSMTPD.

Not saying this is because of OpenSMTPD and mostly my own config error but I am 
just trying to figure out if someone got it working with procmail preserving 
the user+detail@ with procmail.

Thanks for any help.

regards,

Michiel








Spamd question with Spamtrap

2017-03-11 Thread Mik J
Hello,
Spamd has been really efficient in blocking spam. A few of them passed through 
once in a while but there's no discomfort.

But, I'm not able to use spamtrap.
# spamdb -T -a ""
# spamdb | grep SPAMTRAP
SPAMTRAP|

But when I telnet port 25 and try to send a mail, a GREY entry is created, and 
after the holdtime mail are passing through

1) During the GREY phase, my PF redirects connections to spamd

match in on $ext_if proto tcp to $ext_if port 25 rdr-to $mailserver port 25
pass in quick on $ext_if proto tcp from any to $mailserver port 25 divert-to 127.0.0.1 port 8025

2) But after the holdtime flows bypass spamd and go directly to the mail 
server

pass in log (to pflog1) quick on $ext_if proto tcp from  to $mailserver port 25 flags S/SA modulate state

And I placed PF rules in this order

match in on $ext_if proto tcp to $ext_if port 25 rdr-to $mailserver port 25
pass in log (to pflog1) quick on $ext_if proto tcp from  to $mailserver port 25 flags S/SA modulate state
pass in quick on $ext_if proto tcp from any to $mailserver port 25 divert-to 127.0.0.1 port 8025

Do you see anything abnormal or have advice ?
Regards
 


Re: Memiks a new user of opensmtpd and question about rspamd

2017-02-08 Thread Mémîks
Hi Gilles,

I currently use emailrelay to interact with rspamd and opensmtpd.

Forward all incoming mails to emailrelay scan them with rspamd
and forward them again to opensmtpd with SPAN_IN tag.

That works great but I would like to simplify this architecture.

So, thanks for the answer, I will wait for your explanation.

BR,
Frédéric.

On 8 February 2017 at 08:58, "Gilles Chehade"  wrote:

> On Tue, Feb 07, 2017 at 12:38:54PM +, Mémîks wrote:
> 
>> Hello,
> 
> Hello,
> 
>> I am a new user of opensmtpd and I really like it.
> 
> Cool
> 
>> I would like to create a filter to interact with rspamd or a plugin...
> 
> Filters are not a thing yet, I'll post a lengthy explanation about plans
> for it next week and why it's taking the time it's taking as well as how
> we intend to move forward with them.
> 
> For now, your only option is either to integrate the spam filter through
> the spampd proxy or a custom mda. There is a tutorial currently floating
> in Russian that explains how to use it with a custom mda, I do not speak
> Russian but Google translate made it understandable to me.
> 
>> Do you know where I can find some documentation about development of 
>> opensmtpd?
> 
> use the source, Luke.
> 
> --
> Gilles Chehade
> 
> https://www.poolp.org @poolpOrg
> 
> --
> You received this mail because you are subscribed to misc@opensmtpd.org
> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org




Re: Memiks a new user of opensmtpd and question about rspamd

2017-02-07 Thread Gilles Chehade
On Tue, Feb 07, 2017 at 12:38:54PM +, Mémîks wrote:
> Hello,
> 

Hello,


> I am a new user of opensmtpd and I really like it.
> 

Cool


> I would like to create a filter to interact with rspamd or a plugin...
>

Filters are not a thing yet, I'll post a lengthy explanation about plans
for it next week and why it's taking the time it's taking as well as how
we intend to move forward with them.

For now, your only option is either to integrate the spam filter through
the spampd proxy or a custom mda. There is a tutorial currently floating
in Russian that explains how to use it with a custom mda, I do not speak
Russian but Google translate made it understandable to me.


> Do you know where I can find some documentation about development of 
> opensmtpd?
> 

use the source, Luke.

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg




Memiks a new user of opensmtpd and question about rspamd

2017-02-07 Thread Mémîks
Hello,

I am a new user of opensmtpd and I really like it.

I would like to create a filter to interact with rspamd or a plugin...
Do you know where I can find some documentation about development of opensmtpd?

Thanks a lot,
BR,
Frédéric LESUR.


question about mapping one domain to another

2016-10-09 Thread Michiel van Es
Hi,

I have the following vuser file to map email addresses to a local user but also 
map my other alias domains to the same config for the defined first domain:

m...@domain1.nl mve
t...@domain1.nl test
@domain2.nl @domain1.nl
@domain2.nl  @domain1.nl


This gives an error: d9fd3bd7c65dbc3d smtp event=failed-command command="RCPT 
TO:" result="451 Temporary failure"

My config on OpenBSD 6.0:

#   $OpenBSD: smtpd.conf,v 1.9 2016/05/03 18:43:45 jung Exp $

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

# pki/ssl/certs
pki server.pragmasec.nl key "/etc/letsencrypt/live/server.pragmasec.nl/privkey.pem"
pki server.pragmasec.nl certificate "/etc/letsencrypt/live/server.pragmasec.nl/fullchain.pem"
# listen
listen on lo
listen on em0 port 25 hostname server.pragmasec.nl tls pki server.pragmasec.nl
listen on em0 port 587 hostname server.pragmasec.nl tls-require pki server.pragmasec.nl auth mask-source
# queue expiry
expire 7d
# virtual domains and users
table vdomains "/etc/mail/vdomains"
table vusers "/etc/mail/vusers"
# our accepted relays
accept from any for domain  virtual  deliver to mda "/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -a %{rcpt}"
accept from local for any relay

How can I map m...@domain2.nl to m...@domain1.nl but also *@domain2.nl -> 
*@domain1.nl ?
Basically forward the email to the domain1.nl configuration and see if the 
email address exists.

Cheers,

Michiel



Re: question about CentOS 7 and OpenSMTPD-Extras

2016-07-28 Thread Markus Julen
Hi!

There's a very good step by step "recipe" at http://technoquarter.blogspot.ch, 
including ClamAV and spamassassin (and more). It's very easy to set up - even 
without filters.

Another very good guide can be found at 
https://frozen-geek.net/openbsd-email-server-1/

Virtual users, mysql? No problem. 
https://www.mail-archive.com/misc@opensmtpd.org/msg01426.html

regards,
--markus

> On 28.07.2016, at 10:21, Michiel van Es  wrote:
> 
> Hello,
> 
> I am trying to replace my Postfix + Amavisd-new setup with OpenSMTPD with the 
> OpenSMTPD-Extras setup.
> 
> I have 2 questions:
> 
> - I don’t see the clamav, spam assassin, etc filters anymore, are they 
> now default installed? If not how do I install them?
> 
> ...
> 
> How can I fix this?
> 
> Thanks for the help.
> 
> Cheers,
> 
> Michiel







Re: question about CentOS 7 and OpenSMTPD-Extras

2016-07-28 Thread Gilles Chehade
On Thu, Jul 28, 2016 at 11:42:27AM +0200, Michiel van Es wrote:
> 
> > On 28 Jul 2016, at 11:01, Gilles Chehade  wrote:
> > 
> > On Thu, Jul 28, 2016 at 10:21:04AM +0200, Michiel van Es wrote:
> >> Hello,
> >> 
> >> I am trying to replace my Postfix + Amavisd-new setup with OpenSMTPD with 
> >> the OpenSMTPD-Extras setup.
> >> 
> >> I have 2 questions:
> >> 
> >> - I don't see the clamav, spam assassin, etc filters anymore, are 
> >> they now default installed? If not how do I install them?
> >> 
> > 
> > Yes, there's been an abuse of this.
> > 
> > We enabled filters to help us developers find the proper API, stabilize
> > it and get it ready now that the server-side part is done. The goal was
> > to write filters that stress particular bits of the API, and figure out
> > if we missed stuff in the API for a filter to be able to do things. The
> > filters were marked experimental in the release not precisely for that.
> > 
> > It turns out that very quickly this ran out of control.
> > 
> > Filters were written FOR users, many working around API limitations and
> > not trying to plug them, people advocated use of many filters without a
> > clear warning that they were experimental and soon we started getting a
> > tons of bug reports about specific filters that resulted in crashes.
> > 
> > I decided to cut the crap and remove them from -extras into their own
> > specific branches so people don't get tricked into installing
> > experimental / buggy stuff assuming its stable.
> > 
> > You have to be a developer to use them, figure out if they are doing
> > something that should better be in the API and fix your own bugs. If
> > you are not a developer, you can still install them by fetching the
> > appropriate branch on git, but you're on your own then.
> > 
> 
> I am no developer but am willing to try the different branches :)
> How would i install them? one by one? so first the opensmtpd-extras, then the 
> filters that I like?
> 

If you're asking, then you're the wrong audience ;-)


> > 
> > This needs a fix, please fill a bug report on github and I'll deal with it 
> > shortly ;-)
> 
> I can not create an issue at the OpenSMTPD-Extras repo, I can create an issue 
> for OpenSMTPD but not the extras repo.
> Shall I create it on the OpenSMTPD repo?
> 

Yes, we only have one bug tracker to make it easier to process.


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg




Re: question about CentOS 7 and OpenSMTPD-Extras

2016-07-28 Thread Michiel van Es

> On 28 Jul 2016, at 11:01, Gilles Chehade  wrote:
> 
> On Thu, Jul 28, 2016 at 10:21:04AM +0200, Michiel van Es wrote:
>> Hello,
>> 
>> I am trying to replace my Postfix + Amavisd-new setup with OpenSMTPD with 
>> the OpenSMTPD-Extras setup.
>> 
>> I have 2 questions:
>> 
>> - I don't see the clamav, spam assassin, etc filters anymore, are they 
>> now default installed? If not how do I install them?
>> 
> 
> Yes, there's been an abuse of this.
> 
> We enabled filters to help us developers find the proper API, stabilize
> it and get it ready now that the server-side part is done. The goal was
> to write filters that stress particular bits of the API, and figure out
> if we missed stuff in the API for a filter to be able to do things. The
> filters were marked experimental in the release not precisely for that.
> 
> It turns out that very quickly this ran out of control.
> 
> Filters were written FOR users, many working around API limitations and
> not trying to plug them, people advocated use of many filters without a
> clear warning that they were experimental and soon we started getting a
> tons of bug reports about specific filters that resulted in crashes.
> 
> I decided to cut the crap and remove them from -extras into their own
> specific branches so people don't get tricked into installing
> experimental / buggy stuff assuming its stable.
> 
> You have to be a developer to use them, figure out if they are doing
> something that should better be in the API and fix your own bugs. If
> you are not a developer, you can still install them by fetching the
> appropriate branch on git, but you're on your own then.
> 

I am no developer but am willing to try the different branches :)
How would i install them? one by one? so first the opensmtpd-extras, then the 
filters that I like?

> 
>> - When trying to compile the OpenSMTPD-Extras git repo on my CentOS 7 64 bit 
>> machine I get:
>> 
>> ../../../api/rfc2822.c: In function ‘rfc2822_header_callback’:
>> ../../../api/rfc2822.c:221:45: warning: comparison between signed and 
>> unsigned integer expressions [-Wsign-compare]
>>  if (strlcpy(buffer, header, sizeof buffer) >= sizeof buffer)
>> ^
>> ../../../api/rfc2822.c: In function ‘rfc2822_missing_header_callback’:
>> ../../../api/rfc2822.c:249:45: warning: comparison between signed and 
>> unsigned integer expressions [-Wsign-compare]
>>  if (strlcpy(buffer, header, sizeof buffer) >= sizeof buffer)
>> ^
>> make[4]: *** [../../../api/rfc2822.o] Error 1
>> make[4]: Leaving directory 
>> `/usr/local/OpenSMTPD-extras/extras/filters/filter-stub'
>> make[3]: *** [all-recursive] Error 1
>> make[3]: Leaving directory `/usr/local/OpenSMTPD-extras/extras/filters'
>> make[2]: *** [all-recursive] Error 1
>> make[2]: Leaving directory `/usr/local/OpenSMTPD-extras/extras'
>> make[1]: *** [all-recursive] Error 1
>> make[1]: Leaving directory `/usr/local/OpenSMTPD-extras'
>> make: *** [all] Error 2
>> 
>> How can I fix this?
>> 
> 
> This needs a fix, please fill a bug report on github and I'll deal with it 
> shortly ;-)

I can not create an issue at the OpenSMTPD-Extras repo, I can create an issue 
for OpenSMTPD but not the extras repo.
Shall I create it on the OpenSMTPD repo?

> 
>> 
>> Thanks for the help.
>> 
> 
> No problem.
> 
> 
> -- 
> Gilles Chehade
> 
> https://www.poolp.org  @poolpOrg


Michiel




Re: question about CentOS 7 and OpenSMTPD-Extras

2016-07-28 Thread Gilles Chehade
On Thu, Jul 28, 2016 at 10:21:04AM +0200, Michiel van Es wrote:
> Hello,
> 
> I am trying to replace my Postfix + Amavisd-new setup with OpenSMTPD with the 
> OpenSMTPD-Extras setup.
> 
> I have 2 questions:
> 
> - I don't see the clamav, spam assassin, etc filters anymore, are they 
> now default installed? If not how do I install them?
> 

Yes, there's been an abuse of this.

We enabled filters to help us developers find the proper API, stabilize
it and get it ready now that the server-side part is done. The goal was
to write filters that stress particular bits of the API, and figure out
if we missed stuff in the API for a filter to be able to do things. The
filters were marked experimental in the release not precisely for that.

It turns out that very quickly this ran out of control.

Filters were written FOR users, many working around API limitations and
not trying to plug them, people advocated use of many filters without a
clear warning that they were experimental and soon we started getting a
tons of bug reports about specific filters that resulted in crashes.

I decided to cut the crap and remove them from -extras into their own
specific branches so people don't get tricked into installing
experimental / buggy stuff assuming its stable.

You have to be a developer to use them, figure out if they are doing
something that should better be in the API and fix your own bugs. If
you are not a developer, you can still install them by fetching the
appropriate branch on git, but you're on your own then.


> - When trying to compile the OpenSMTPD-Extras git repo on my CentOS 7 64 bit 
> machine I get:
> 
> ../../../api/rfc2822.c: In function ‘rfc2822_header_callback’:
> ../../../api/rfc2822.c:221:45: warning: comparison between signed and 
> unsigned integer expressions [-Wsign-compare]
>   if (strlcpy(buffer, header, sizeof buffer) >= sizeof buffer)
>  ^
> ../../../api/rfc2822.c: In function ‘rfc2822_missing_header_callback’:
> ../../../api/rfc2822.c:249:45: warning: comparison between signed and 
> unsigned integer expressions [-Wsign-compare]
>   if (strlcpy(buffer, header, sizeof buffer) >= sizeof buffer)
>  ^
> make[4]: *** [../../../api/rfc2822.o] Error 1
> make[4]: Leaving directory 
> `/usr/local/OpenSMTPD-extras/extras/filters/filter-stub'
> make[3]: *** [all-recursive] Error 1
> make[3]: Leaving directory `/usr/local/OpenSMTPD-extras/extras/filters'
> make[2]: *** [all-recursive] Error 1
> make[2]: Leaving directory `/usr/local/OpenSMTPD-extras/extras'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/usr/local/OpenSMTPD-extras'
> make: *** [all] Error 2
> 
> How can I fix this?
>

This needs a fix, please fill a bug report on github and I'll deal with it 
shortly ;-)

> 
> Thanks for the help.
> 

No problem.


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg




question about CentOS 7 and OpenSMTPD-Extras

2016-07-28 Thread Michiel van Es
Hello,

I am trying to replace my Postfix + Amavisd-new setup with OpenSMTPD with the 
OpenSMTPD-Extras setup.

I have 2 questions:

- I don’t see the clamav, spam assassin, etc filters anymore, are they now 
default installed? If not how do I install them?

- When trying to compile the OpenSMTPD-Extras git repo on my CentOS 7 64 bit 
machine I get:

../../../api/rfc2822.c: In function ‘rfc2822_header_callback’:
../../../api/rfc2822.c:221:45: warning: comparison between signed and unsigned 
integer expressions [-Wsign-compare]
  if (strlcpy(buffer, header, sizeof buffer) >= sizeof buffer)
 ^
../../../api/rfc2822.c: In function ‘rfc2822_missing_header_callback’:
../../../api/rfc2822.c:249:45: warning: comparison between signed and unsigned 
integer expressions [-Wsign-compare]
  if (strlcpy(buffer, header, sizeof buffer) >= sizeof buffer)
 ^
make[4]: *** [../../../api/rfc2822.o] Error 1
make[4]: Leaving directory 
`/usr/local/OpenSMTPD-extras/extras/filters/filter-stub'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/usr/local/OpenSMTPD-extras/extras/filters'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/usr/local/OpenSMTPD-extras/extras'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/local/OpenSMTPD-extras'
make: *** [all] Error 2

How can I fix this?

Thanks for the help.

Cheers,

Michiel
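
Both -Wsign-compare warnings in the build log above point at `strlcpy(...) >= sizeof buffer`. strlcpy returns size_t when its prototype is in scope, so a signed operand there means the compiler saw no prototype and assumed an int return (glibc on CentOS 7 does not provide strlcpy). The following is an added example, not code from OpenSMTPD-extras or from this post: a fallback with an explicit prototype and the same truncation check. The names compat_strlcpy, copy_header and int_return_compare are hypothetical, and the header strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Fallback with an explicit size_t prototype. Named compat_strlcpy
 * (hypothetical) so it cannot clash with a libc that ships strlcpy.
 * Semantics follow OpenBSD strlcpy(3): copy at most dstsize - 1 bytes,
 * NUL-terminate whenever dstsize > 0, and return strlen(src) so the
 * caller can detect truncation.
 */
size_t
compat_strlcpy(char *dst, const char *src, size_t dstsize)
{
	size_t srclen = strlen(src);

	if (dstsize != 0) {
		size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;

		memcpy(dst, src, n);
		dst[n] = '\0';
	}
	return srclen;
}

/*
 * Same shape as the check quoted in the build log:
 *     if (strlcpy(buffer, header, sizeof buffer) >= sizeof buffer)
 * Returns 0 when the header fits, -1 when it was truncated, in which
 * case the caller must not treat buffer as the complete header.
 */
int
copy_header(char *buffer, size_t buffersize, const char *header)
{
	if (compat_strlcpy(buffer, header, buffersize) >= buffersize)
		return -1;
	return 0;
}

/*
 * What the comparison turns into when the return value is an int:
 * the int is converted to size_t before comparing, so a negative
 * value becomes a huge unsigned one. This is the conversion that
 * -Wsign-compare reports; the cast here only makes it explicit.
 */
int
int_return_compare(int ret, size_t buffersize)
{
	return (size_t)ret >= buffersize;
}

int
main(void)
{
	char buffer[16];
	/* Constructed sample headers, not taken from any real message. */
	const char *samples[] = {
		"Subject: hi",
		"X-Test: 1234567",
		"X-Test: 12345678",
	};
	size_t i;

	for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
		int rc = copy_header(buffer, sizeof buffer, samples[i]);

		printf("%-20s -> %s (buffer=\"%s\")\n", samples[i],
		    rc == 0 ? "fits" : "truncated", buffer);
	}
	printf("int -1 compared against 16: %d\n", int_return_compare(-1, 16));
	return 0;
}
```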



Re: recipient question

2016-03-30 Thread Freddy DISSAUX
Hello,

Hope this help:

listen on bce1
listen on lo2

table example.com  "/etc/mail/example.com"
table a...@example.com "/etc/mail/a...@example.com"
table spammers  "/etc/mail/spammers"
table restrict  { a...@example.com }
table to_restrict   { presid...@example.com, tresor...@example.com, 
secreta...@example.com }

max-message-size 1M

reject from any   sender 
accept from any   sender  for domain "example.com" recipient 
 alias 
accept from local senderfor domain "example.com" recipient 
 alias 
reject from any  for domain "example.com" recipient 

accept from any  for domain "example.com" alias 

accept for any relay


Regards,




Re: recipient question

2016-03-24 Thread Ian Darwin
Thanks for these two answers!

On Thu, Mar 24, 2016, Edgar Pettijohn wrote:
> I've used it in the past.  The following should work.

> accept from any for domain  recipient  deliver to mbox

On Thu, Mar 24, 2016, Gilles Chehade wrote:
> You can't name a table after a keyword:
> 
> recipient 

Actually that was a typo, the table is named . Serves me right for
re-typing an example, which I usually know better than to try.

The syntax errors were caused by the order of things in the grammar.

As Edgar pointed out, the syntax he gave does work once you get past #1, BUT
it does not work if you put the aliases back in, unless you put it just the 
right place:

WORKS:
accept from any for domain  recipient  deliver to lmtp 
localhost:
accept from any for domain  alias  deliver to mbox

FAILS:
accept from any for domain  alias  recipient  
deliver to lmtp localhost:
accept from any for domain  alias  deliver to mbox

WORKING SMTPD ACCEPT RECIPIENT SYNTAX:
accept from any for domain  recipient  alias  
deliver to lmtp localhost:
accept from any for domain  alias  deliver to mbox

I hope that, despite requiring the mildly counter-intuitive order, that it will 
expand
the aliases before selecting the recipients?
Guess I'll find out later today when/if I get the alternate experimental MDA up 
and running,
now that I know what I was trying here is at least plausible.

Thanks




Re: recipient question

2016-03-23 Thread Gilles Chehade
You can't name a table after a keyword:

recipient 

On 23 March 2016 at 11:32 PM, "Ian Darwin"  wrote:

> > At this time, the list is very low volume, feel free to introduce
> yourself
> > ;-)
>
> Hola! This is Ian Darwin, sometime OpenBSD committer (ports, mostly, but I
> also wrote
> the old file(1) command "a while ago"), Java geek, tech instructor/author,
> and photographer.
>
> I've been running smtpd on my OpenBSD laptop for I think a couple of years
> and in production on a low-volume server for maybe a year (it's been up for
> 220 days so maybe 3/4 of a year, I dunno).
>
> I'm asking if anybody has a working example with "recipient"?
>
> What I planned to do was divert one person's (myself, #1 guinea pig)
> incoming
> mail to a different MDA for testing a new MDA. I tried taking this
> existing line:
>
> accept from any for domain  alias  deliver to mbox
>
> and cloning it, the first version to add "recipient { "per...@dom.ain" }"
> and the second as above. I tried putting the recipient after the domain,
> e.g.,
>
> accept from any for domain  recipient  alias 
> deliver to mbox
>
> Why after?  Because the man page says "Further filtering may be achieved on
> specific recipients if desired" and "further" implies after - the man page
> has no example of this (whether you write the table as a table rule or
> inline should not matter, but I did try both before sending this post).
>
> Also tried putting it in a variety of other places, replacing some
> phrases, etc.
>
> I could not come up with anything that didn't give the dreaded :-)
> "smtpd.conf:24: syntax error"
>
> Is this the right tool for this job, and, if so, how does it actually work?
>
> Thanks if anyone can steer me right on this.
>
> Ian
>


Re: recipient question

2016-03-23 Thread Edgar Pettijohn

I've used it in the past.  The following should work.

table tablename file:/etc/mail/something

accept from any for domain  recipient  deliver to mbox

/etc/mail/something
u...@something.com

On 03/23/16 17:31, Ian Darwin wrote:

At this time, the list is very low volume, feel free to introduce yourself
;-)

Hola! This is Ian Darwin, sometime OpenBSD committer (ports, mostly, but I also 
wrote
the old file(1) command "a while ago"), Java geek, tech instructor/author, and 
photographer.

I've been running smtpd on my OpenBSD laptop for I think a couple of years
and in production on a low-volume server for maybe a year (it's been up for
220 days so maybe 3/4 of a year, I dunno).

I'm asking if anybody has a working example with "recipient"?

What I planned to do was divert one person's (myself, #1 guinea pig) incoming
mail to a different MDA for testing a new MDA. I tried taking this existing 
line:

accept from any for domain  alias  deliver to mbox

and cloning it, the first version to add "recipient { "per...@dom.ain" }"
and the second as above. I tried putting the recipient after the domain, e.g.,

accept from any for domain  recipient  alias  
deliver to mbox

Why after?  Because the man page says "Further filtering may be achieved on
specific recipients if desired" and "further" implies after - the man page
has no example of this (whether you write the table as a table rule or
inline should not matter, but I did try both before sending this post).

Also tried putting it in a variety of other places, replacing some phrases, etc.

I could not come up with anything that didn't give the dreaded :-) "smtpd.conf:24: 
syntax error"

Is this the right tool for this job, and, if so, how does it actually work?

Thanks if anyone can steer me right on this.

Ian







recipient question

2016-03-23 Thread Ian Darwin
> At this time, the list is very low volume, feel free to introduce yourself
> ;-)

Hola! This is Ian Darwin, sometime OpenBSD committer (ports, mostly, but I also 
wrote
the old file(1) command "a while ago"), Java geek, tech instructor/author, and 
photographer.

I've been running smtpd on my OpenBSD laptop for I think a couple of years
and in production on a low-volume server for maybe a year (it's been up for
220 days so maybe 3/4 of a year, I dunno).

I'm asking if anybody has a working example with "recipient"?

What I planned to do was divert one person's (myself, #1 guinea pig) incoming
mail to a different MDA for testing a new MDA. I tried taking this existing 
line:

accept from any for domain  alias  deliver to mbox

and cloning it, the first version to add "recipient { "per...@dom.ain" }"
and the second as above. I tried putting the recipient after the domain, e.g.,

accept from any for domain  recipient  alias  
deliver to mbox

Why after?  Because the man page says "Further filtering may be achieved on
specific recipients if desired" and "further" implies after - the man page
has no example of this (whether you write the table as a table rule or
inline should not matter, but I did try both before sending this post).

Also tried putting it in a variety of other places, replacing some phrases, etc.

I could not come up with anything that didn't give the dreaded :-) 
"smtpd.conf:24: syntax error"

Is this the right tool for this job, and, if so, how does it actually work?

Thanks if anyone can steer me right on this.

Ian




Re: question to package maintainers

2015-12-24 Thread Ryan Kavanagh
On Thu, Dec 24, 2015 at 09:42:56AM +0100, Gilles Chehade wrote:
> > Out of curiosity, does anyone know how many people run OpenSMTP on
> > the offending systems compared to OpenBSD?

According to Debian popcon (an opt-in "popularity contest" for
packages), there are >= 19 people with opensmtpd installed on Debian.
https://qa.debian.org/popcon.php?package=opensmtpd

On Thu, Dec 24, 2015 at 07:17:12PM +0600, Denis Fateyev wrote:
> As an analogue, I can remember a mailing list thread in Debian where
> people were discussing Libressl packaging into Debian. They produced
> tens of messages but came to nothing at that point.

Indeed, Debian doesn't have libressl packaged yet, and as far as I know,
there's nobody actively working on packaging it either. Here's the
referenced discussion regarding getting it into Debian. There's been no
activity on it in a year and a half.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754513

Unfortunately, I don't have the time to take on packaging libressl
myself, nor do I want to take on the responsibility of maintaining it
long-term and dealing with any potential security vulnerabilities that
may arise in it, so it boils down to needing someone else to volunteer
to take care of it.

Happy holidays,
Ryan

-- 
|_)|_/  Ryan Kavanagh   | Debian Developer
| \| \  http://ryanak.ca/   | GPG Key 4A11C97A




Re: question to package maintainers

2015-12-24 Thread Denis Fateyev
On Dec 24, 2015 7:31 PM, "Gilles Chehade"  wrote:
> On Thu, Dec 24, 2015 at 07:17:12PM +0600, Denis Fateyev wrote:
> >
> > Well, you asked what distributions packagers thought, and I presented it
> > from point of the specific distribution. There are always some issues, not
> > only pure technical ones.
> >
>
> I know and the reason I'm stating clearly my thoughts on this is so that
> you and others understand our position. I get it that you don't have all
> solutions at hands and that it might take time to solve them.

We currently have neither libressl requested nor specific policy for this
very case. Due to possible name collision and such we need to settle and
regulate lots of things, since something will definitely come out even
though the changes might look trivial.

> > I'll re-open libressl packaging discussion in Fedora right after Christmas,
> > and in case of positive decision me or anybody else would support libressl
> > pro bono. There is no schedule here.
> >
>
> Understood but that would already be a great step for us,
> Thanks

I'm personally not against of libressl as any other library, too.
But it always brings a lot of flame talks and concerns which packagers
naturally try to avoid. Let's see how it will go this time :-)

---
wbr, Denis.


Re: question to package maintainers

2015-12-24 Thread Gilles Chehade
On Thu, Dec 24, 2015 at 07:17:12PM +0600, Denis Fateyev wrote:
> 
> Well, you asked what distributions packagers thought, and I presented it
> from point of the specific distribution. There are always some issues, not
> only pure technical ones.
> 

I know and the reason I'm stating clearly my thoughts on this is so that
you and others understand our position. I get it that you don't have all
solutions at hands and that it might take time to solve them.

We're not killing OpenSSL support tomorrow, just preparing for this, and
trying to assess what technical issues will fall on us while maintainers
can assess what technical & non-technical issues will fall on them.


> > There's no straight way, so how do we plan for a curvy way ? :-)
> 
> Well, if you feel that way that openssl slows the development progress
> down, but we have no idea when libressl will be available there, what can I
> say? I would just propose to keep openssl support as long as possible.
> 

Yes, however OpenSSL won't provide a libtls API, and this means that the
current situation will go on forever which we don't want.

We will keep openssl support for a while still, we're not killing it the
day after tomorrow.


> I'll re-open libressl packaging discussion in Fedora right after Christmas,
> and in case of positive decision me or anybody else would support libressl
> pro bono. There is no schedule here.
> 

Understood but that would already be a great step for us,
Thanks

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg




Re: question to package maintainers

2015-12-24 Thread Denis Fateyev
On Dec 24, 2015 3:45 PM, "Gilles Chehade"  wrote:
> On Thu, Dec 24, 2015 at 04:34:34AM +0600, Denis Fateyev wrote:
> > On Wed, Dec 23, 2015 at 9:16 PM, Gilles Chehade  wrote:
> >
> > >
> > > What I'm wondering is if there's any reason that would prevent RHEL, for
> > > example, to package LibreSSL in the same way that libasr was packaged so
> > > that OpenSMTPD could specifically depend on it.
> > >
> > > The system would keep its default SSL library.
> > >
> >
> > Well, it's only my opinion so I can miss some points here. Briefly, why
> > libressl doesn't come here:
> >
> > 1) The first problem is that unlike third-party "libasr" library these
> > chaps "libressl" and "openssl" are way too close, and it creates
> > temptations and mistakes. Due to human nature, new options provide more
> > possibility to slip up. Being provided with two similar options, some
> > developers won't be considering open-(libre-)ssl corner cases you've
> > mentioned for example, some will mix these two solutions up, etc. All
> > users, in general, hate the idea that due to these changes something
can be
> > randomly broken.
> >
>
> This loses me, or I'm missing a keypoint:
>
> To me, the fact that two libraries are close is not really a technical issue
> that can't be overcome. Two different versions of OpenSSL could be installed
> in different places, and this holds true for LibreSSL no ?

I'm pretty sure it can be solved as pointed below, the question is only
the amount of efforts and time. Pointing that open and clear, the bigger
distribution is, the more details should be clarified and resolved not to
cross others interests. No offense meant, but if I spoke about Archlinux or
Slackware whatsoever, I wouldn't even consider this an issue. When I
realize how much committees I (or anybody else) would need to pass through
just to introduce libressl parallel to openssl, it drives me nuts.

As an analogue, I can remember a mailing list thread in Debian where people
were discussing Libressl packaging into Debian. They produced tens of
messages but came to nothing at that point.

> > It can be solved, but I don't know anybody from the Fedora community who'd
> > be willing to:
> >
> >   - reconcile issues on similar soname provides, naming, versioning etc.
> > with Fedora and RedHat technical board in order to avoid all possible
> > intersections with this critical system component;
> >   - support "libressl" globally similar to "openssl" case, fixing security
> > CVEs always getting in touch (being such package maintainer is not a
> > one-time task);
> >   - consult RH/Fedora developers promptly fixing their libressl-specific
> > issues - and all this responsibility on a voluntary basis.
> >
>
> I can understand this but then it's a distribution specific issue and it isn't
> limited by a technical problem. This can be taken into account when making the
> move so that the package maintainer can sort things out but I don't think that
> it should be a justification to prevent move and limit our progress.

Well, you asked what distributions packagers thought, and I presented it
from point of the specific distribution. There are always some issues, not
only pure technical ones.

> > 2) From the enterprise point of view, there is no sense to support it as an
> > openssl replacement now.
> > It's not FIPS-certified so they cannot use it in enterprise solutions where
> > openssl currently in charge. For simplicity, better not to have an unusable
> > alternative (in context of this situation, of course). They won't sponsor
> > its maintenance so it's up to the community. Surely this can change if
> > business sees a use case for this specific library's clone but there is no
> > any so far.
> >
>
> Unlike the above, this is irrelevant to me, I don't think any opensource
> project should be driven by what makes sense to a particular company.
>
> We were sponsored full-time for over a year by my employer, and then the
> direction we were taking no longer made sense for them.
>
> We could have adapted our direction to keep the sponsoring, but it would
> have been a bad thing for the project, so we part ways (on sponsorship).

I just described it all in details, the most clear as possible, to point
out that there would be no any sponsorship from enterprise in this case.

> There's no straight way, so how do we plan for a curvy way ? :-)

Well, if you feel that way that openssl slows the development progress
down, but we have no idea when libressl will be available there, what can I
say? I would just propose to keep openssl support as long as possible.

I'll re-open libressl packaging discussion in Fedora right after Christmas,
and in case of positive decision me or anybody else would support libressl
pro bono. There is no schedule here.

---
wbr, Denis.


Re: question to package maintainers

2015-12-24 Thread Tim Hume
Sorry. Inadvertently sent an empty reply. 

> On 24 Dec 2015, at 23:36, Tim Hume  wrote:
> 
> 
> 
>>> On 24 Dec 2015, at 02:16, Gilles Chehade  wrote:
>>> 
>>>> On Wed, Dec 23, 2015 at 07:56:25PM +0600, Denis Fateyev wrote:
>>>> On Wed, Dec 23, 2015 at 6:23 PM, Gilles Chehade  wrote:
>>>> 
>>>> 
>>>> Would your distribution be affected if LibreSSL became a requirement ?
>>>> 
>>>> OpenSMTPD is starting to rely on LibreSSL-specific functions that will
>>>> force us to go through painful hacks to maintain that dual SSL support
>>>> and I'd like to know if switching to a LibreSSL-only mode is an option
>>>> at this point or still too early.
>>> 
>>> 
>>> It would be a problem in RHEL (and its derivatives like CentOS, Scientific,
>>> Oracle, et al), and Fedora.
>>> There were no plans of implementing Libressl support before, and there are
>>> no plans to do it now.
>> 
>> I don't really get this, maybe there's a misunderstanding:
>> 
>> I understand that RHEL and others don't intend to switch to LibreSSL for
>> their default SSL library and I'm not suggesting they should, this isn't
>> our call, it's unreasonable to assume every system will switch and there
>> is no debate about this.
>> 
>> What I'm wondering is if there's any reason that would prevent RHEL, for
>> example, to package LibreSSL in the same way that libasr was packaged so
>> that OpenSMTPD could specifically depend on it.
>> 
>> The system would keep its default SSL library.
>> 
>> 
>>> As you might realize, linking Libressl statically is also not an option.
>> 
>> Yes, obviously I'm not advocating this ;-)
>> 
>> 
>>> In my opinion, there is no point to forcibly depend on Libressl unless big
>>> commercial players are interested in it.
>> 
>> Actually there are very strong rationales for this, I'll if you want but
>> the bottom line:
>> 
>> - we're currently trying to support OpenSSL and LibreSSL as being the
>> same library and we're hitting corner cases that require us to hack
>> around detection, hack around compat and backport parts of LibreSSL
>> code in standalone files just so OpenSSL keeps working.
>> 
>> - we're facing cases of OpenSSL-induced #ifdefs because depending who
>> built it, it lacks AES_GCM, it lacks SNI, it lacks this and that. I
>> have broken SNI support at least once because of this.
>> 
>> - ultimately, we want to get rid of the OpenSSL historical interface
>> and rely on LibreSSL's libtls which will make TLS code readable. I
>> think we can all agree that it's scary that the most dangerous bit
>> of code in OpenSMTPD is also the less readable and the most error-
>> prone, we should take some steps towards changing this...
>> 
>> 
>> 
>> 
>> -- 
>> Gilles Chehade
>> 
>> https://www.poolp.org  @poolpOrg
>> 
>> -- 
>> You received this mail because you are subscribed to misc@opensmtpd.org
>> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
> 



Re: question to package maintainers

2015-12-24 Thread Tim Hume


> On 24 Dec 2015, at 02:16, Gilles Chehade  wrote:
> 
>> On Wed, Dec 23, 2015 at 07:56:25PM +0600, Denis Fateyev wrote:
>>> On Wed, Dec 23, 2015 at 6:23 PM, Gilles Chehade  wrote:
>>> 
>>> 
>>> Would your distribution be affected if LibreSSL became a requirement ?
>>> 
>>> OpenSMTPD is starting to rely on LibreSSL-specific functions that will
>>> force us to go through painful hacks to maintain that dual SSL support
>>> and I'd like to know if switching to a LibreSSL-only mode is an option
>>> at this point or still too early.
>> 
>> 
>> It would be a problem in RHEL (and its derivatives like CentOS, Scientific,
>> Oracle, et al), and Fedora.
>> There were no plans of implementing Libressl support before, and there are
>> no plans to do it now.
> 
> I don't really get this, maybe there's a misunderstanding:
> 
> I understand that RHEL and others don't intend to switch to LibreSSL for
> their default SSL library and I'm not suggesting they should, this isn't
> our call, it's unreasonable to assume every system will switch and there
> is no debate about this.
> 
> What I'm wondering is if there's any reason that would prevent RHEL, for
> example, to package LibreSSL in the same way that libasr was packaged so
> that OpenSMTPD could specifically depend on it.
> 
> The system would keep its default SSL library.
> 
> 
>> As you might realize, linking Libressl statically is also not an option.
> 
> Yes, obviously I'm not advocating this ;-)
> 
> 
>> In my opinion, there is no point to forcibly depend on Libressl unless big
>> commercial players are interested in it.
> 
> Actually there are very strong rationales for this, I'll if you want but
> the bottom line:
> 
> - we're currently trying to support OpenSSL and LibreSSL as being the
>  same library and we're hitting corner cases that require us to hack
>  around detection, hack around compat and backport parts of LibreSSL
>  code in standalone files just so OpenSSL keeps working.
> 
> - we're facing cases of OpenSSL-induced #ifdefs because depending who
>  built it, it lacks AES_GCM, it lacks SNI, it lacks this and that. I
>  have broken SNI support at least once because of this.
> 
> - ultimately, we want to get rid of the OpenSSL historical interface
>  and rely on LibreSSL's libtls which will make TLS code readable. I
>  think we can all agree that it's scary that the most dangerous bit
>  of code in OpenSMTPD is also the less readable and the most error-
>  prone, we should take some steps towards changing this...
> 
> 
> 
> 
> -- 
> Gilles Chehade
> 
> https://www.poolp.org  @poolpOrg
> 



Re: question to package maintainers

2015-12-24 Thread Gilles Chehade
Just before we dive further into this thread, I'd like to clarify that the
reason for this debate is really to help establish a strategy forward, not
a way to push for a change next week disregarding packagers.

I want to be sure I understand the limiting factors here and there, so the
change CAN happen (it is going to sooner or later), but in a way that does
not hurt users and that packagers can cope with.



On Thu, Dec 24, 2015 at 04:34:34AM +0600, Denis Fateyev wrote:
> On Wed, Dec 23, 2015 at 9:16 PM, Gilles Chehade  wrote:
> 
> >
> > What I'm wondering is if there's any reason that would prevent RHEL, for
> > example, to package LibreSSL in the same way that libasr was packaged so
> > that OpenSMTPD could specifically depend on it.
> >
> > The system would keep its default SSL library.
> >
> 
> Well, it's only my opinion so I can miss some points here. Briefly, why
> libressl doesn't come here:
>
> 1) The first problem is that unlike third-party "libasr" library these
> chaps "libressl" and "openssl" are way too close, and it creates
> temptations and mistakes. Due to human nature, new options provide more
> possibility to slip up. Being provided with two similar options, some
> developers won't be considering open-(libre-)ssl corner cases you've
> mentioned for example, some will mix these two solutions up, etc. All
> users, in general, hate the idea that due to these changes something can be
> randomly broken.
> 

This loses me, or I'm missing a key point:

To me, the fact that two libraries are close is not really a technical issue
that can't be overcome. Two different versions of OpenSSL could be installed
in different places, and this holds true for LibreSSL no ?

This seems more like a packaging issue because LibreSSL could very well stay
in /usr/lib/libressl, or whatever is the convention on the target distro, so
it lives side by side and doesn't affect other applications.

Say tomorrow I started OpenWhateverD, it relied solely on LibreSSL's libtls,
and you REALLY had an interest in it, how would you work that out ?


> It can be solved, but I don't know anybody from the Fedora community who'd
> be willing to:
> 
>   - reconcile issues on similar soname provides, naming, versioning etc.
> with Fedora and RedHat technical board in order to avoid all possible
> intersections with this critical system component;
>   - support "libressl" globally similar to "openssl" case, fixing security
> CVEs always getting in touch (being such package maintainer is not a
> one-time task);
>   - consult RH/Fedora developers promptly fixing their libressl-specific
> issues - and all this responsibility on a voluntary basis.
>

I can understand this but then it's a distribution specific issue and it isn't
limited by a technical problem. This can be taken into account when making the
move so that the package maintainer can sort things out but I don't think that
it should be a justification to prevent the move and limit our progress.

If no one in the Fedora community would be willing to work out a solution then
it would be an indicator that we're holding back for a community that does not
really care so much about having the project or not. If that was the case then
it would question why we're holding back really :-)

If there is a technical problem, then it is different because we're willing to
help work things out.


> 2) From the enterprise point of view, there is no sense to support it as an
> openssl replacement now.
> It's not FIPS-certified so they cannot use it in enterprise solutions where
> openssl currently in charge. For simplicity, better not to have an unusable
> alternative (in context of this situation, of course). They won't sponsor
> its maintenance so it's up to the community. Surely this can change if
> business sees a use case for this specific library's clone but there is no
> any so far.
> 

Unlike the above, this is irrelevant to me, I don't think any opensource
project should be driven by what makes sense to a particular company.

We were sponsored full-time for over a year by my employer, and then the
direction we were taking no longer made sense for them.

We could have adapted our direction to keep the sponsoring, but it would
have been a bad thing for the project, so we part ways (on sponsorship).

Clearly, I can take anything into account but not this :-)


> The arguments on switching to libressl are quite logical, but I don't see a
> straight way how to do it in RHEL and Fedora considering all above.
> 

Ok, so then the question is:

There's no straight way, so how do we plan for a curvy way ? :-)


> By the way, how about GnuTLS support?
> 

Re: question to package maintainers

2015-12-24 Thread Gilles Chehade
On Thu, Dec 24, 2015 at 07:25:36PM +1100, Tim Hume wrote:
> Having OpenSSL and LibreSSL living together on the same system seems 
> reasonable. Surely name conflicts can be worked around somehow?
> 

That's my point ;-)


> Out of curiosity, does anyone know how many people run OpenSMTPD on the 
> offending systems compared to OpenBSD?
> 

Nope, I'd say half the users are OpenBSD, half are Linux/FreeBSD if my mails
are anything close to reality.

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg




Re: question to package maintainers

2015-12-24 Thread Tim Hume
Having OpenSSL and LibreSSL living together on the same system seems 
reasonable. Surely name conflicts can be worked around somehow?

Out of curiosity, does anyone know how many people run OpenSMTPD on the 
offending systems compared to OpenBSD?

Cheers,

Tim Hume. 

> On 24 Dec 2015, at 03:06, Gilles Chehade  wrote:
> 
>> On Wed, Dec 23, 2015 at 07:56:02AM -0800, Richard wrote:
>>> On Wed, 23 Dec 2015, Gilles Chehade wrote:
>>> 
>>> What I'm wondering is if there's any reason that would prevent RHEL, for
>>> example, to package LibreSSL in the same way that libasr was packaged so
>>> that OpenSMTPD could specifically depend on it.
>>> 
>>> The system would keep its default SSL library.
>> 
>> Library name collision
>> --
>> Libasr is a unique library name on Linux as far as I know and there is no
>> problem installing it.
>> 
>> LibreSSL contains library names libcrypto and libssl which collide with
>> the identical names in OpenSSL on most Linux systems.
>> 
>> Can the libcrypto and libssl library names in LibreSSL be changed?
>> 
>> Maybe they can change to liblibrecrypto and liblibressl?
>> 
>> LibreSSL also uses library libtls.
>> Is libtls unique in Linux?
>> 
>> If not maybe it can change to liblibretls?
>> 
>> Changing the library names allows LibreSSL and OpenSSL to exist
>> side by side on any Linux system.
> 
> I'm well aware of that, but that's precisely what I'm suggesting:
> 
> If the ONLY reason keeping from depending on LibreSSL is that there is a
> problem currently with the library name, then we can take a step back to
> think of a solution that would solve this and help us move forward.
> 
> 
> -- 
> Gilles Chehade
> 
> https://www.poolp.org  @poolpOrg
> 



Re: question to package maintainers

2015-12-23 Thread Denis Fateyev
On Wed, Dec 23, 2015 at 9:16 PM, Gilles Chehade  wrote:

>
> What I'm wondering is if there's any reason that would prevent RHEL, for
> example, to package LibreSSL in the same way that libasr was packaged so
> that OpenSMTPD could specifically depend on it.
>
> The system would keep its default SSL library.
>

Well, it's only my opinion so I can miss some points here. Briefly, why
libressl doesn't come here:

1) The first problem is that unlike third-party "libasr" library these
chaps "libressl" and "openssl" are way too close, and it creates
temptations and mistakes. Due to human nature, new options provide more
possibility to slip up. Being provided with two similar options, some
developers won't be considering open-(libre-)ssl corner cases you've
mentioned for example, some will mix these two solutions up, etc. All
users, in general, hate the idea that due to these changes something can be
randomly broken.

It can be solved, but I don't know anybody from the Fedora community who'd
be willing to:

  - reconcile issues on similar soname provides, naming, versioning etc.
with Fedora and RedHat technical board in order to avoid all possible
intersections with this critical system component;
  - support "libressl" globally similar to "openssl" case, fixing security
CVEs always getting in touch (being such package maintainer is not a
one-time task);
  - consult RH/Fedora developers promptly fixing their libressl-specific
issues - and all this responsibility on a voluntary basis.

2) From the enterprise point of view, there is no sense to support it as an
openssl replacement now.
It's not FIPS-certified so they cannot use it in enterprise solutions where
openssl is currently in charge. For simplicity, better not to have an unusable
alternative (in context of this situation, of course). They won't sponsor
its maintenance so it's up to the community. Surely this can change if
business sees a use case for this specific library's clone but there is
not any so far.

The arguments on switching to libressl are quite logical, but I don't see a
straight way how to do it in RHEL and Fedora considering all above.

By the way, how about GnuTLS support?

-- 
wbr, Denis.


Re: question to package maintainers

2015-12-23 Thread Richard
On Wed, 23 Dec 2015, Gilles Chehade wrote:

> What I'm wondering is if there's any reason that would prevent RHEL, for
> example, to package LibreSSL in the same way that libasr was packaged so
> that OpenSMTPD could specifically depend on it.
>
> The system would keep its default SSL library.
>

Library name collision
--
Libasr is a unique library name on Linux as far as I know and there is no
problem installing it.

LibreSSL contains library names libcrypto and libssl which collide with
the identical names in OpenSSL on most Linux systems.

Can the libcrypto and libssl library names in LibreSSL be changed?

Maybe they can change to liblibrecrypto and liblibressl?

LibreSSL also uses library libtls.
Is libtls unique in Linux?

If not maybe it can change to liblibretls?

Changing the library names allows LibreSSL and OpenSSL to exist
side by side on any Linux system.

Richard Narron




Re: question to package maintainers

2015-12-23 Thread Gilles Chehade
On Wed, Dec 23, 2015 at 07:56:02AM -0800, Richard wrote:
> On Wed, 23 Dec 2015, Gilles Chehade wrote:
> 
> > What I'm wondering is if there's any reason that would prevent RHEL, for
> > example, to package LibreSSL in the same way that libasr was packaged so
> > that OpenSMTPD could specifically depend on it.
> >
> > The system would keep its default SSL library.
> >
> 
> Library name collision
> --
> Libasr is a unique library name on Linux as far as I know and there is no
> problem installing it.
> 
> LibreSSL contains library names libcrypto and libssl which collide with
> the identical names in OpenSSL on most Linux systems.
>
> Can the libcrypto and libssl library names in LibreSSL be changed?
> 
> Maybe they can change to liblibrecrypto and liblibressl?
>
> LibreSSL also uses library libtls.
> Is libtls unique in Linux?
> 
> If not maybe it can change to liblibretls?
> 
> Changing the library names allows LibreSSL and OpenSSL to exist
> side by side on any Linux system.
> 

I'm well aware of that, but that's precisely what I'm suggesting:

If the ONLY reason keeping us from depending on LibreSSL is that there is a
problem currently with the library name, then we can take a step back to
think of a solution that would solve this and help us move forward.


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg




Re: question to package maintainers

2015-12-23 Thread Gilles Chehade
On Wed, Dec 23, 2015 at 07:56:25PM +0600, Denis Fateyev wrote:
> On Wed, Dec 23, 2015 at 6:23 PM, Gilles Chehade  wrote:
> 
> >
> > Would your distribution be affected if LibreSSL became a requirement ?
> >
> > OpenSMTPD is starting to rely on LibreSSL-specific functions that will
> > force us to go through painful hacks to maintain that dual SSL support
> > and I'd like to know if switching to a LibreSSL-only mode is an option
> > at this point or still too early.
> 
> 
> It would be a problem in RHEL (and its derivatives like CentOS, Scientific,
> Oracle, et al), and Fedora.
> There were no plans of implementing Libressl support before, and there are
> no plans to do it now.
>

I don't really get this, maybe there's a misunderstanding:

I understand that RHEL and others don't intend to switch to LibreSSL for
their default SSL library and I'm not suggesting they should, this isn't
our call, it's unreasonable to assume every system will switch and there
is no debate about this.

What I'm wondering is if there's any reason that would prevent RHEL, for
example, to package LibreSSL in the same way that libasr was packaged so
that OpenSMTPD could specifically depend on it.

The system would keep its default SSL library.


> As you might realize, linking Libressl statically is also not an option.
>

Yes, obviously I'm not advocating this ;-)


> In my opinion, there is no point to forcibly depend on Libressl unless big
> commercial players are interested in it.
> 

Actually there are very strong rationales for this, I'll if you want but
the bottom line:

- we're currently trying to support OpenSSL and LibreSSL as being the
  same library and we're hitting corner cases that require us to hack
  around detection, hack around compat and backport parts of LibreSSL
  code in standalone files just so OpenSSL keeps working.

- we're facing cases of OpenSSL-induced #ifdefs because depending who
  built it, it lacks AES_GCM, it lacks SNI, it lacks this and that. I
  have broken SNI support at least once because of this.

- ultimately, we want to get rid of the OpenSSL historical interface
  and rely on LibreSSL's libtls which will make TLS code readable. I
  think we can all agree that it's scary that the most dangerous bit
  of code in OpenSMTPD is also the least readable and the most
  error-prone, we should take some steps towards changing this...




-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg
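
The detection and #ifdef problems listed in the message above, as an added example that is not OpenSMTPD's code: a compile-time probe that tests for LibreSSL before OpenSSL and reports which required TLS features the headers lack, so a missing feature stops startup instead of being silently compiled out. The function names and CAP_* constants are hypothetical; the probed macros are the ones the OpenSSL and LibreSSL headers define.

```c
/* Added example, not OpenSMTPD code. tls_library, tls_caps, tls_missing,
 * caps_to_str and CAP_* are hypothetical names; the probed macros come
 * from the OpenSSL/LibreSSL headers. Builds with or without them. */
#include <stdio.h>
#include <string.h>

#if defined(__has_include)
# if __has_include(<openssl/ssl.h>)
#  include <openssl/opensslv.h>
#  include <openssl/ssl.h>
#  include <openssl/evp.h>
#  define HAVE_SSL_HEADERS 1
# endif
#endif

enum tls_flavor { TLS_NONE, TLS_OPENSSL, TLS_LIBRESSL };
#define CAP_SNI     0x1u
#define CAP_AES_GCM 0x2u

/* LibreSSL also defines OPENSSL_VERSION_NUMBER, so it must be tested first. */
enum tls_flavor tls_library(void)
{
#if !defined(HAVE_SSL_HEADERS)
    return TLS_NONE;
#elif defined(LIBRESSL_VERSION_NUMBER)
    return TLS_LIBRESSL;
#else
    return TLS_OPENSSL;
#endif
}

/* Header-level view of the features this particular build can use. */
unsigned tls_caps(void)
{
    unsigned caps = 0;
#if defined(HAVE_SSL_HEADERS)
# if defined(SSL_CTRL_SET_TLSEXT_HOSTNAME) && !defined(OPENSSL_NO_TLSEXT)
    caps |= CAP_SNI;
# endif
# if defined(EVP_CTRL_GCM_SET_IVLEN)
    caps |= CAP_AES_GCM;
# endif
#endif
    return caps;
}

/* Required features the build lacks; nonzero means refuse to start. */
unsigned tls_missing(unsigned required)
{
    return required & ~tls_caps();
}

const char *caps_to_str(unsigned caps, char *buf, size_t len)
{
    snprintf(buf, len, "%s%s%s",
        (caps & CAP_SNI) ? "SNI" : "",
        ((caps & CAP_SNI) && (caps & CAP_AES_GCM)) ? " " : "",
        (caps & CAP_AES_GCM) ? "AES-GCM" : "");
    if (buf[0] == '\0')
        snprintf(buf, len, "none");
    return buf;
}

int main(void)
{
    static const char *names[] = { "no TLS headers", "OpenSSL", "LibreSSL" };
    char have[32], miss[32];
    unsigned missing = tls_missing(CAP_SNI | CAP_AES_GCM);

    printf("built against: %s\n", names[tls_library()]);
    printf("available: %s\nmissing: %s\n",
        caps_to_str(tls_caps(), have, sizeof have),
        caps_to_str(missing, miss, sizeof miss));
    return missing ? 1 : 0;
}
```

The nonzero exit status when a required feature is missing lets a packaging build or startup script fail visibly on a library built without SNI or AES-GCM.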




Re: question to package maintainers

2015-12-23 Thread Denis Fateyev
On Wed, Dec 23, 2015 at 6:23 PM, Gilles Chehade  wrote:

>
> Would your distribution be affected if LibreSSL became a requirement ?
>
> OpenSMTPD is starting to rely on LibreSSL-specific functions that will
> force us to go through painful hacks to maintain that dual SSL support
> and I'd like to know if switching to a LibreSSL-only mode is an option
> at this point or still too early.


It would be a problem in RHEL (and its derivatives like CentOS, Scientific,
Oracle, et al), and Fedora.
There were no plans of implementing Libressl support before, and there are
no plans to do it now.

As you might realize, linking Libressl statically is also not an option.

In my opinion, there is no point to forcibly depend on Libressl unless big
commercial players are interested in it.

-- 
wbr, Denis.

