Re: need help

2019-10-05 Thread Andrew Swartz

I've been lurking on this list for a long time but I've never posted.

I've attached a perl program I threw together a couple years ago which 
does recursive SPF resolution.  This might help your debugging.


For this type of testing, pass it a domain on STDIN:
echo 'gmail.com' | spf2ip.pl

I use it to create a daily whitelist of frequent domain IPs.  I use it 
by calling it with a filename argument. It reads the file which has a 
domain on each line, iterates through all the domains, recursively 
resolving each, and creating a long list of all the SPF IPs of all the 
domains in the file.


In default mode, it adds enough comments to explain how it generates the 
results.  For example, here is the output of the above command:


# echo 'gmail.com' | spf2ip.pl

#
# gmail.com
#
#  [REDIRECT=] _spf.google.com (depth=1)
#  [INCLUDE:] _netblocks.google.com (depth=2)
35.190.247.0/24
64.233.160.0/19
66.102.0.0/20
66.249.80.0/20
72.14.192.0/18
74.125.0.0/16
108.177.8.0/21
173.194.0.0/16
209.85.128.0/17
216.58.192.0/19
216.239.32.0/19
#  [INCLUDE:] _netblocks2.google.com (depth=2)
#  [INCLUDE:] _netblocks3.google.com (depth=2)
172.217.0.0/19
172.217.32.0/20
172.217.128.0/19
172.217.160.0/20
172.217.192.0/19
108.177.96.0/19
35.191.0.0/16
130.211.0.0/22




SPF resolution of "microsoft.com" returns 76 IPs.

Adding a "-d" argument will output a lot more debug info, whereas "-q" 
suppresses any debug info and only outputs IPs.  The header of the perl 
file does some explanation, but it was only intended for me to read, so 
it is not a super thorough explanation.


And yes, it looks like a stereotypical perl program (ugly, quick, and 
functional).


Hope this helps,
-Andy







On 9/30/2019 7:21 AM, gil...@poolp.org wrote:

> September 30, 2019 4:25 PM, "Denis Fondras"  wrote:
> 
>> On Mon, Sep 30, 2019 at 01:55:28PM +, gil...@poolp.org wrote:
>> 
>>> Hello,
>>> 
>>> I'd like to bring native support for SPF in OpenSMTPD in a future release,
>>> but for this I need a bit of help to make sure my SPF resolver works fine.
>>> 
>>> I have created a repository with a standalone executable that performs the
>>> SPF lookup and checks if an IP address is allowed to send on behalf of the
>>> sending domain:
>>> 
>>> https://github.com/poolpOrg/spf
>>> 
>>> https://github.com/poolpOrg/spf/blob/master/README.md
>>> 
>>> If you could test and report issues, it would be nice,
>> 
>> It seems the IPv6 check is broken:
>> 
>> $ dig ledeuns.net TXT +short
>> "v=spf1 ip4:185.22.129.11 ip6:2a00:6060:1::1 ip6:2a00:6060:::1005:ff02 -all"
>> 
>> $ ./spf ledeuns.net 185.22.129.1
>> checking if 185.22.129.1 can send for ledeuns.net: fail
>> $ ./spf ledeuns.net 185.22.129.11
>> checking if 185.22.129.11 can send for ledeuns.net: pass
>> $ ./spf ledeuns.net 2a00:6060:1::1
>> checking if 2a00:6060:1::1 can send for ledeuns.net: fail
> 
> will fix that, thanks



#!/usr/bin/perl

# PURPOSE/FUNCTION
# This program performs recursive DNS lookups of spf records (which are in TXT records)
# and keeps recursing until numeric addresses are reached.  Tested with IP4, but the regex's
# ~should~ function with IP6 addresses.

# INPUT
# filename: text file, one domain per line, # and blank lines ignored.
# STDIN: list of one or more domains to lookup

# OUTPUT
# single numeric address per line
# recursive comments will be included if ($DomainNameComments == 1)

# DEPENDENCIES:
# 1. PERL installed at the above target.
# 2. 'dig' command.

# ASSUMPTIONS:
# 1. This program DOES do recursive spf resolution (i.e. a reverse lookup of ALL spf-authorized sending IP's.)
# 2. This program does NOT do forward MX resolutions (i.e. lookup of where to send mail).

use Switch;

# Global variable which is the final product.
my @IPlist;
my $DomainNameComments = 1;
my @DomainNames;

my $ARGERROR=0;
# The HASH for the command line settings (i.e. arguments).
my %settings = (
    -q => 0,    # "quiet" which suppresses comments in output.
    -d => 0     # "debug" which adds debug info to the output.
);
# Iterate through the args, confirming accuracy and making settings.
foreach my $arg (@ARGV) {
    if (exists $settings{$arg}) {
        $settings{$arg} = 1;
    }
    else {
        print "\'$arg\' is invalid argument!\n";
        $ARGERROR++;
    }
}
# Exit if any invalid arguments.
if ($ARGERROR) { exit; }


# Read domain names from STDIN.
foreach my $line ( <STDIN> ) {
    chomp( $line );
    foreach my $arg (split(' ',$line)) {
        push(@DomainNames,$arg);
    }
}

Re: need help

2019-09-30 Thread gilles
September 30, 2019 4:25 PM, "Denis Fondras"  wrote:

> On Mon, Sep 30, 2019 at 01:55:28PM +, gil...@poolp.org wrote:
> 
>> Hello,
>> 
>> I'd like to bring native support for SPF in OpenSMTPD in a future release,
>> but for this I need a bit of help to make sure my SPF resolver works fine.
>> 
>> I have created a repository with a standalone executable that performs the
>> SPF lookup and checks if an IP address is allowed to send on behalf of the
>> sending domain:
>> 
>> https://github.com/poolpOrg/spf
>> 
>> https://github.com/poolpOrg/spf/blob/master/README.md
>> 
>> If you could test and report issues, it would be nice,
> 
> It seems the IPv6 check is broken:
> 
> $ dig ledeuns.net TXT +short
> "v=spf1 ip4:185.22.129.11 ip6:2a00:6060:1::1 ip6:2a00:6060:::1005:ff02 
> -all"
> 
> $ ./spf ledeuns.net 185.22.129.1
> checking if 185.22.129.1 can send for ledeuns.net: fail
> $ ./spf ledeuns.net 185.22.129.11
> checking if 185.22.129.11 can send for ledeuns.net: pass
> $ ./spf ledeuns.net 2a00:6060:1::1
> checking if 2a00:6060:1::1 can send for ledeuns.net: fail


will fix that, thanks



Re: need help

2019-09-30 Thread gilles
September 30, 2019 4:51 PM, "Joel Carnat"  wrote:

> On 30/09/2019 15:55, gil...@poolp.org wrote:
> 
>> Hello,
>> I'd like to bring native support for SPF in OpenSMTPD in a future > release,
>> but for this I need a bit of help to make sure my SPF resolver works > fine.
>> I have created a repository with a standalone executable that performs > the
>> SPF lookup and checks if an IP address is allowed to send on behalf of > the
>> sending domain:
>> https://github.com/poolpOrg/spf
>> https://github.com/poolpOrg/spf/blob/master/README.md
>>> If you could test and report issues, it would be nice,
> 
> As much as I can understand it, recursion seems not to work.
> 
> Working example:
> # dig -t TXT carnat.net
> carnat.net. 14314 IN TXT "v=spf1 mx -all"
> # ./spf carnat.net 108.61.176.54
> checking if 108.61.176.54 can send for carnat.net: pass
> # ./spf carnat.net 157.55.9.128
> checking if 157.55.9.128 can send for carnat.net: fail
> 
> Not fully working example:
> # dig -t TXT outlook.com
> outlook.com. 600 IN TXT "v=spf1 include:spf-a.outlook.com 
> include:spf-b.outlook.com
> ip4:157.55.9.128/25 include:spf.protection.outlook.com 
> include:spf-a.hotmail.com
> include:_spf-ssg-b.microsoft.com include:_spf-ssg-c.microsoft.com ~all"
> # ./spf outlook.com 157.55.9.128
> checking if 157.55.9.128 can send for outlook.com: EXISTS: 0
> EXISTS: 0
> pass
> 
> # dig -t TXT spf-a.hotmail.com
> spf-a.hotmail.com. 3600 IN TXT "v=spf1 ip4:157.55.0.192/26 
> ip4:157.55.1.128/26 ip4:157.55.2.0/25
> ip4:65.54.190.0/24 ip4:65.54.51.64/26 ip4:65.54.61.64/26 ip4:65.55.111.0/24 
> ip4:65.55.116.0/25
> ip4:65.55.34.0/24 ip4:65.55.90.0/24 ip4:65.54.241.0/24 ip4:207.46.117.0/24 
> ~all"
> # ./spf outlook.com 65.54.190.5
> checking if 65.54.190.5 can send for outlook.com: EXISTS: 0
> EXISTS: 0
> EXISTS: 0
> EXISTS: 0
> EXISTS: 0
> EXISTS: 0
> soft-fail

I'll look into that, I thought I had handled this case already but I may have 
missed something



Re: need help

2019-09-30 Thread gilles
I'll investigate that, but spfwalk isn't a real SPF resolver and may
yield incorrect results, it just helps a bit.


September 30, 2019 4:27 PM, "Nick Ryan"  wrote:

> Seems to work fine for some hosts but not gmail.com or outlook.com
> 
> mail3$ smtpctl spf walk < 1 (this is gmail.com)
> 35.190.247.0/24
> 64.233.160.0/19
> 
> mail3$ ./spf gmail.com 35.190.247.3 <- in the output of spfwalk
> checking if 35.190.247.3 can send for gmail.com: EXISTS: 0
> EXISTS: 0
> EXISTS: 0
> soft-fail
> 
> mail3$ ./spf gmail.com 185.185.185.185 <- made up address
> checking if 185.185.185.185 can send for gmail.com: EXISTS: 0
> EXISTS: 0
> EXISTS: 0
> soft-fail
> 
> mail3$ ./spf poolp.org 45.76.46.201
> checking if 45.76.46.201 can send for poolp.org: pass
> mail3$ ./spf poolp.org 45.76.46.202
> checking if 45.76.46.202 can send for poolp.org: fail
> 
> Regards - Nick
> 
> On 30/09/2019 14:55, gil...@poolp.org wrote:
> 
>> Hello,
>> I'd like to bring native support for SPF in OpenSMTPD in a future > release,
>> but for this I need a bit of help to make sure my SPF resolver works > fine.
>> I have created a repository with a standalone executable that performs > the
>> SPF lookup and checks if an IP address is allowed to send on behalf of > the
>> sending domain:
>> https://github.com/poolpOrg/spf
>> https://github.com/poolpOrg/spf/blob/master/README.md
>>> If you could test and report issues, it would be nice,



Re: need help

2019-09-30 Thread gilles
yup

September 30, 2019 4:23 PM, "Chris Bennett"  
wrote:

> ./spf no-seas-necio.ninja 162.255.139.10: pass
> ./spf no-seas-necio.ninja 162.255.139.11: soft-fail
> 
> Which matches my spf entry. v=spf1 mx ~all.
> Is that the correct response?
> 
> Chris Bennett



Re: need help

2019-09-30 Thread gilles
yes, this is debug code which i don't  want to spend time making portable ;-)


September 30, 2019 4:10 PM, "Reio Remma"  wrote:

> On 30/09/2019 16:55, gil...@poolp.org wrote:
> 
>> Hello,
>> 
>> I'd like to bring native support for SPF in OpenSMTPD in a future release,
>> but for this I need a bit of help to make sure my SPF resolver works fine.
>> 
>> I have created a repository with a standalone executable that performs the
>> SPF lookup and checks if an IP address is allowed to send on behalf of the
>> sending domain:
>> 
>> https://github.com/poolpOrg/spf
>> 
>> https://github.com/poolpOrg/spf/blob/master/README.md
>> 
>> If you could test and report issues, it would be nice,
> 
> Is it OpenBSD only atm?
> 
> On CentOS 7:
> 
> $ make
> Makefile:26: *** missing separator.  Stop.
> 
> Reio



Re: need help

2019-09-30 Thread Denis Fondras
On Mon, Sep 30, 2019 at 01:55:28PM +, gil...@poolp.org wrote:
> Hello,
> 
> I'd like to bring native support for SPF in OpenSMTPD in a future release,
> but for this I need a bit of help to make sure my SPF resolver works fine.
> 
> I have created a repository with a standalone executable that performs the
> SPF lookup and checks if an IP address is allowed to send on behalf of the
> sending domain:
> 
> https://github.com/poolpOrg/spf
> 
> https://github.com/poolpOrg/spf/blob/master/README.md
> 
> 
> If you could test and report issues, it would be nice,
> 

It seems the IPv6 check is broken:

$ dig  ledeuns.net TXT +short
"v=spf1 ip4:185.22.129.11 ip6:2a00:6060:1::1 ip6:2a00:6060:::1005:ff02 -all"

$ ./spf ledeuns.net 185.22.129.1
checking if 185.22.129.1 can send for ledeuns.net: fail
$ ./spf ledeuns.net 185.22.129.11
checking if 185.22.129.11 can send for ledeuns.net: pass
$ ./spf ledeuns.net 2a00:6060:1::1
checking if 2a00:6060:1::1 can send for ledeuns.net: fail



Re: need help

2019-09-30 Thread Joel Carnat

On 30/09/2019 15:55, gil...@poolp.org wrote:

> Hello,
> 
> I'd like to bring native support for SPF in OpenSMTPD in a future release,
> but for this I need a bit of help to make sure my SPF resolver works fine.
> 
> I have created a repository with a standalone executable that performs the
> SPF lookup and checks if an IP address is allowed to send on behalf of the
> sending domain:
> 
> https://github.com/poolpOrg/spf
> 
> https://github.com/poolpOrg/spf/blob/master/README.md
> 
> If you could test and report issues, it would be nice,


As much as I can understand it, recursion seems not to work.

Working example:
# dig -t TXT carnat.net
carnat.net. 14314   IN  TXT "v=spf1 mx -all"
# ./spf carnat.net 108.61.176.54
checking if 108.61.176.54 can send for carnat.net: pass
# ./spf carnat.net 157.55.9.128
checking if 157.55.9.128 can send for carnat.net: fail

Not fully working example:
# dig -t TXT outlook.com
outlook.com.600 IN  TXT "v=spf1 
include:spf-a.outlook.com include:spf-b.outlook.com ip4:157.55.9.128/25 
include:spf.protection.outlook.com include:spf-a.hotmail.com 
include:_spf-ssg-b.microsoft.com include:_spf-ssg-c.microsoft.com ~all"

# ./spf outlook.com 157.55.9.128
checking if 157.55.9.128 can send for outlook.com: EXISTS: 0
EXISTS: 0
pass

# dig -t TXT spf-a.hotmail.com
spf-a.hotmail.com.  3600IN  TXT "v=spf1 
ip4:157.55.0.192/26 ip4:157.55.1.128/26 ip4:157.55.2.0/25 
ip4:65.54.190.0/24 ip4:65.54.51.64/26 ip4:65.54.61.64/26 
ip4:65.55.111.0/24 ip4:65.55.116.0/25 ip4:65.55.34.0/24 
ip4:65.55.90.0/24 ip4:65.54.241.0/24 ip4:207.46.117.0/24 ~all"

# ./spf outlook.com 65.54.190.5
checking if 65.54.190.5 can send for outlook.com: EXISTS: 0
EXISTS: 0
EXISTS: 0
EXISTS: 0
EXISTS: 0
EXISTS: 0
soft-fail



Re: need help

2019-09-30 Thread Nick Ryan

Seems to work fine for some hosts but not gmail.com or outlook.com

mail3$ smtpctl spf walk < 1   (this is gmail.com)
35.190.247.0/24
64.233.160.0/19

mail3$ ./spf gmail.com 35.190.247.3   <- in the output of spfwalk
checking if 35.190.247.3 can send for gmail.com: EXISTS: 0
EXISTS: 0
EXISTS: 0
soft-fail

mail3$ ./spf gmail.com 185.185.185.185 <- made up address
checking if 185.185.185.185 can send for gmail.com: EXISTS: 0
EXISTS: 0
EXISTS: 0
soft-fail

mail3$ ./spf poolp.org 45.76.46.201
checking if 45.76.46.201 can send for poolp.org: pass
mail3$ ./spf poolp.org 45.76.46.202
checking if 45.76.46.202 can send for poolp.org: fail

Regards - Nick

On 30/09/2019 14:55, gil...@poolp.org wrote:

> Hello,
> 
> I'd like to bring native support for SPF in OpenSMTPD in a future release,
> but for this I need a bit of help to make sure my SPF resolver works fine.
> 
> I have created a repository with a standalone executable that performs the
> SPF lookup and checks if an IP address is allowed to send on behalf of the
> sending domain:
> 
> https://github.com/poolpOrg/spf
> 
> https://github.com/poolpOrg/spf/blob/master/README.md
> 
> If you could test and report issues, it would be nice,
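The reports in this thread (Denis's ip6: term, the include: chains behind outlook.com and gmail.com, the bare mx record, and Andrew's recursive "walk") all come down to how an SPF check_host() walks a record. The sketch below is an added example, not the poolp spf tool and not Andrew's perl script: it evaluates ip4/ip6 with CIDR, include:, redirect= and mx against a constructed, injected DNS table (every *.example.test name and address is made up), returns permerror for a malformed term or an include loop, and has a walk() that collects literal networks the way an SPF walk does.

```python
import ipaddress

# Constructed DNS data (no live lookups); shapes mirror the records quoted in the thread.
DNS = {
    "TXT": {
        "ip6.example.test": "v=spf1 ip4:185.22.129.11 ip6:2a00:6060:1::1 -all",
        "inc.example.test": "v=spf1 include:spf-a.inc.example.test ip4:157.55.9.128/25 ~all",
        "spf-a.inc.example.test": "v=spf1 ip4:65.54.190.0/24 ~all",
        "redir.example.test": "v=spf1 redirect=_spf.redir.example.test",
        "_spf.redir.example.test": "v=spf1 include:_netblocks.redir.example.test ~all",
        "_netblocks.redir.example.test": "v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ~all",
        "mx.example.test": "v=spf1 mx -all",
    },
    "MX": {"mx.example.test": ["mail.mx.example.test"]},
    "A": {"mail.mx.example.test": ["108.61.176.54"]},
    "AAAA": {"mail.mx.example.test": ["2001:db8::25"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 s4.6.4 cap on DNS-querying terms; also ends include loops


def _host_matches(ip, host, cidr, dns):
    """True if ip is in host's A (v4) or AAAA (v6) records, widened by /cidr if given."""
    rrtype = "A" if ip.version == 4 else "AAAA"
    prefix = int(cidr) if cidr else ip.max_prefixlen
    return any(ip in ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
               for addr in dns[rrtype].get(host, []))


def check_host(ip_text, domain, dns=DNS, budget=None):
    """SPF check_host(): returns pass, fail, softfail, neutral, none or permerror."""
    budget = [MAX_LOOKUPS] if budget is None else budget  # shared down the recursion
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "permerror"
    terms = dns["TXT"].get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    redirect = None
    for term in terms[1:]:
        if "=" in term:  # modifier: only redirect= affects the result, others are ignored
            if term.lower().startswith("redirect="):
                redirect = term[9:]
            continue
        qual, term = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = term.lower().partition(":")
        try:
            if name == "all":
                hit = True
            elif name in ("ip4", "ip6"):
                net = ipaddress.ip_network(arg, strict=False)
                if net.version != (4 if name == "ip4" else 6):
                    raise ValueError("address family does not match the mechanism")
                hit = ip in net  # a v6 sender never matches an ip4: term, and vice versa
            elif name in ("a", "mx", "include"):
                budget[0] -= 1
                if budget[0] < 0:
                    return "permerror"  # too many DNS-querying terms
                target, _, cidr = arg.partition("/")
                target = target or domain
                if name == "include":
                    sub = check_host(ip_text, target, dns, budget)
                    if sub in ("none", "permerror"):
                        return "permerror"
                    hit = sub == "pass"  # only a pass inside the include matches
                else:
                    hosts = dns["MX"].get(target, []) if name == "mx" else [target]
                    hit = any(_host_matches(ip, h, cidr, dns) for h in hosts)
            else:
                return "permerror"  # unknown mechanism
        except ValueError:
            return "permerror"  # unparsable address or prefix, e.g. a bad ip6: term
        if hit:
            return QUALIFIERS[qual]
    if redirect is not None:
        budget[0] -= 1
        return check_host(ip_text, redirect, dns, budget) if budget[0] >= 0 else "permerror"
    return "neutral"


def walk(domain, dns=DNS, seen=None):
    """Literal ip4:/ip6: networks reachable via include:/redirect=, like an 'spf walk'.
    a/mx terms are not expanded, so the result can be incomplete for such records."""
    seen = set() if seen is None else seen
    if domain in seen:
        return []
    seen.add(domain)
    nets = []
    for term in dns["TXT"].get(domain, "").split()[1:]:
        term = term.lstrip("+-~?")
        kind, _, arg = term.partition(":")
        if kind.lower() in ("ip4", "ip6"):
            nets.append(arg)
        elif kind.lower() == "include":
            nets.extend(walk(arg, dns, seen))
        elif term.lower().startswith("redirect="):
            nets.extend(walk(term[9:], dns, seen))
    return nets
```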




Re: need help

2019-09-30 Thread Chris Bennett
./spf no-seas-necio.ninja 162.255.139.10: pass
./spf no-seas-necio.ninja 162.255.139.11: soft-fail

Which matches my spf entry. v=spf1 mx ~all.
Is that the correct response?

Chris Bennett





Re: need help

2019-09-30 Thread Edgar Pettijohn

On Sep 30, 2019 9:10 AM, Reio Remma  wrote:
>
> On 30/09/2019 16:55, gil...@poolp.org wrote:
> > Hello,
> >
> > I'd like to bring native support for SPF in OpenSMTPD in a future release,
> > but for this I need a bit of help to make sure my SPF resolver works fine.
> >
> > I have created a repository with a standalone executable that performs the
> > SPF lookup and checks if an IP address is allowed to send on behalf of the
> > sending domain:
> >
> > https://github.com/poolpOrg/spf
> >
> > https://github.com/poolpOrg/spf/blob/master/README.md
> >
> >
> > If you could test and report issues, it would be nice,
> >
>
> Is it OpenBSD only atm?
>
> On CentOS 7:
>
> $ make
> Makefile:26: *** missing separator.  Stop.
>
> Reio
>
>

Looking at the makefile. My guess is yes, but you could try bmake and see if it 
gets further.

Edgar

Re: need help

2019-09-30 Thread Reio Remma

On 30/09/2019 16:55, gil...@poolp.org wrote:

> Hello,
> 
> I'd like to bring native support for SPF in OpenSMTPD in a future release,
> but for this I need a bit of help to make sure my SPF resolver works fine.
> 
> I have created a repository with a standalone executable that performs the
> SPF lookup and checks if an IP address is allowed to send on behalf of the
> sending domain:
> 
> https://github.com/poolpOrg/spf
> 
> https://github.com/poolpOrg/spf/blob/master/README.md
> 
> If you could test and report issues, it would be nice,



Is it OpenBSD only atm?

On CentOS 7:

$ make
Makefile:26: *** missing separator.  Stop.

Reio




need help

2019-09-30 Thread gilles
Hello,

I'd like to bring native support for SPF in OpenSMTPD in a future release,
but for this I need a bit of help to make sure my SPF resolver works fine.

I have created a repository with a standalone executable that performs the
SPF lookup and checks if an IP address is allowed to send on behalf of the
sending domain:

https://github.com/poolpOrg/spf

https://github.com/poolpOrg/spf/blob/master/README.md


If you could test and report issues, it would be nice,



Re: need help to understand the logic of new grammar

2018-10-31 Thread Илья Коскин
I'll try to answer myself.
As I see, the options "from local" and "for local" are the defaults, and can
be omitted?
So, the first match can be cut to
match action "mbox" ??
My first question I have understood: if "from local" is the default,
then it will not work without "from any".
The second question was about "from any" in the 4th match. I see, if I try
to send email, I connect to egress, so this is not local, and will not
work. Also I can't use "from ".
And in the third match, mails from the dkim proxy come to lo0, so they are
processed as local and the rule can be extended to:
match from local tag DKIM for any action "relay". Am I right?

So the last question: can I limit mta to inet4 only?

Wed, 31 Oct 2018 at 15:04, Илья Коскин :

> Hello list! Please look at my match-action definitions:
>
> action "mbox" mbox alias 
> action "mda" mda "/usr/local/bin/procmail" alias 
> action "relay" relay
> action "relay_dkim" relay host smtp://127.0.0.1:10027
>
> match for local action "mbox"
> match from any for domain  action "mda"#2nd match
> match tag DKIM for any action "relay"   #3rd match
> match auth from any for any action "relay_dkim"  #4th match
>
> I have some questions about matches.
> 1) If I remove "from any" in the second match, smtpd will not accept any
> mail from the internet. Why?
> 2) In the 4th match, again, without "from any" I can't send mail
> anywhere. How can I know where I need to use "from any" and where I don't?
> For example, the 3rd match works without "from any".
> 3) Is this config composed securely and correctly?
> Maybe it is an option to use
> match auth from  for any action "relay_dkim" ?
> If this works, it can partially help to prevent spamming from compromised
> users.
>
> Also, is there any way to limit mta to sending only from ipv4?
>
> Thanks!
>
>


need help to understand the logic of new grammar

2018-10-31 Thread Илья Коскин
Hello list! Please look at my match-action definitions:

action "mbox" mbox alias 
action "mda" mda "/usr/local/bin/procmail" alias 
action "relay" relay
action "relay_dkim" relay host smtp://127.0.0.1:10027

match for local action "mbox"
match from any for domain  action "mda"#2nd match
match tag DKIM for any action "relay"   #3rd match
match auth from any for any action "relay_dkim"  #4th match

I have some questions about matches.
1) If I remove "from any" in the second match, smtpd will not accept any
mail from the internet. Why?
2) In the 4th match, again, without "from any" I can't send mail
anywhere. How can I know where I need to use "from any" and where I don't?
For example, the 3rd match works without "from any".
3) Is this config composed securely and correctly?
Maybe it is an option to use
match auth from  for any action "relay_dkim" ?
If this works, it can partially help to prevent spamming from compromised
users.

Also, is there any way to limit mta to sending only from ipv4?

Thanks!


Need help for LDAP + smtpd

2018-02-24 Thread Thuban
Hello,
I would like to build a server with smtpd+dovecot with LDAP auth.

Does anyone have any advice or an up-to-date doc on how to do this?
I only found [1], for 5.7, so I guess things have changed.

Regards.

[1] : 
https://www.tumfatig.net/20150718/opensmtpd-dovecot-and-ldapd-on-openbsd-5-7/#How_OpenSMTPD_works_with_LDAP_data
-- 
thuban




Re: Need help with configuration using DNS aliases

2016-02-12 Thread Edgar Pettijohn
Yes it can. However, 

By default, when connecting to a remote server, smtpd(8) advertises its default 
server name. A hostname parameter may be specified to advertise the alternate 
hostname name. If the source parameter is used, the hostnames parameter may be 
specified to advertise a hostname based on the source address. Table names 
contains a mapping of IP addresses to hostnames and smtpd(8) will automatically 
select the name that matches its source address when connected to the remote 
server. The hostname and hostnames parameters are mutually exclusive.

You need separate IPs for hostname selection in relay context.

Sent from my iPhone

> On Feb 12, 2016, at 5:08 PM, Michael Burk  wrote:
> 
> After some experimentation I think I can compress this problem down to one 
> question:
> 
> Is it possible for an OpenSMTPD host to process email addressed to two 
> different host names, both of which resolve to the same address?
> 
> When I set "mailname," any mail sent to that name works fine. Mail addressed 
> to the alternate host name loops.
> 
> I thought the "virtual" keyword would be for this purpose, but I've had no 
> luck with it.
> 
> Thanks,
> 
>> On Tue, Feb 9, 2016 at 10:44 AM, Michael Burk  wrote:
>> Thanks Craig for the reply.
>> 
>> I changed the CNAME to an A record as you suggested. Sadly, it still loops 
>> when I send the email to the "alternate" name. It seems that OpenSMTPD 
>> doesn't realize that the two names are the same server.
>> 
>> I should mention that the whole reason we have an alias is that I have two 
>> servers setup as mail servers, and the alias gives us an easy way to switch 
>> hosts if one goes down (all mail is addressed to the alias). Also, I have no 
>> MX records. I don't know if I should, but Sendmail has always worked without 
>> it.
>> 
>>> On Tue, Feb 9, 2016 at 4:42 AM, Craig Skinner  
>>> wrote:
>>> Hi Michael,
>>> 
>>> On 2016-02-08 Mon 16:49 PM |, Michael Burk wrote:
>>> >
>>> > If I send a message to the server's CNAME, it goes into a loop which is
>>> > eventually detected and shut down:
>>> >
>>> 
>>> Try switching from DNS CNAMES to DNS A records:
>>> 
>>> RFC2181 has:
>>> 
>>> "10.3. MX and NS records
>>> 
>>> The domain name used as the value of a NS resource record, or part of
>>> the value of a MX resource record must not be an alias.  Not only is the
>>> specification clear on this point, but using an alias in either of these
>>> positions neither works as well as might be hoped, nor well fulfills the
>>> ambition that may have led to this approach.  This domain name must have
>>> as its value one or more address records.  Currently those will be A
>>> records, however in the future other record types giving addressing
>>> information may be acceptable.  It can also have other RRs,
>>> but never a CNAME RR. "
>>> 
>>> http://tools.ietf.org/html/rfc2181#section-10.3
>>> 
>>> --
>>> You received this mail because you are subscribed to misc@opensmtpd.org
>>> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
> 


Re: Need help with configuration using DNS aliases

2016-02-12 Thread Michael Burk
After some experimentation I think I can compress this problem down to one
question:

Is it possible for an OpenSMTPD host to process email addressed to two
different host names, both of which resolve to the same address?

When I set "mailname," any mail sent to that name works fine. Mail
addressed to the alternate host name loops.

I thought the "virtual" keyword would be for this purpose, but I've had no
luck with it.

Thanks,

On Tue, Feb 9, 2016 at 10:44 AM, Michael Burk  wrote:

> Thanks Craig for the reply.
>
> I changed the CNAME to an A record as you suggested. Sadly, it still loops
> when I send the email to the "alternate" name. It seems that OpenSMTPD
> doesn't realize that the two names are the same server.
>
> I should mention that the whole reason we have an alias is that I have two
> servers setup as mail servers, and the alias gives us an easy way to switch
> hosts if one goes down (all mail is addressed to the alias). Also, I have
> no MX records. I don't know if I should, but Sendmail has always worked
> without it.
>
> On Tue, Feb 9, 2016 at 4:42 AM, Craig Skinner 
> wrote:
>
>> Hi Michael,
>>
>> On 2016-02-08 Mon 16:49 PM |, Michael Burk wrote:
>> >
>> > If I send a message to the server's CNAME, it goes into a loop which is
>> > eventually detected and shut down:
>> >
>>
>> Try switching from DNS CNAMES to DNS A records:
>>
>> RFC2181 has:
>>
>> "10.3. MX and NS records
>>
>> The domain name used as the value of a NS resource record, or part of
>> the value of a MX resource record must not be an alias.  Not only is the
>> specification clear on this point, but using an alias in either of these
>> positions neither works as well as might be hoped, nor well fulfills the
>> ambition that may have led to this approach.  This domain name must have
>> as its value one or more address records.  Currently those will be A
>> records, however in the future other record types giving addressing
>> information may be acceptable.  It can also have other RRs,
>> but never a CNAME RR. "
>>
>> http://tools.ietf.org/html/rfc2181#section-10.3
>>
>> --
>> You received this mail because you are subscribed to misc@opensmtpd.org
>> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
>>
>>
>


Need help with configuration using DNS aliases

2016-02-08 Thread Michael Burk
Hello,


We have a departmental server that serves as a simple mail hub mostly to
keep track of internal mailing lists. The /etc/mail/aliases file expands
names to our corporate emails or things like mail-SMS gateways. We've used
sendmail for years, but I want to switch to OpenSMTPD.

The following configuration works fine as long as I use the server's actual
name in the destination:


listen on lo0
listen on em0

table aliases db:/etc/mail/aliases.db

pki selenium.abc.example.com certificate "/etc/ssl/selenium.pem"
pki selenium.abc.example.com key "/etc/ssl/private/selenium.key"
pki selenium.abc.example.com ca "/etc/ssl/abcchain2.pem"

accept for local alias  deliver to mbox
accept from any for any relay


Example successful session (translates my first name to my corporate email
address):

Feb  8 16:12:17 selenium smtpd[30548]: smtp-in: New session
4b0dece7604e2ab4 from host ytterbium.abc.example.com[10.1.217.70]
Feb  8 16:12:17 selenium smtpd[30548]: smtp-in: Accepted message a4d2ba61
on session 4b0dece7604e2ab4: from=, to=<
mich...@selenium.abc.example.com>, size=488, ndest=1, proto=ESMTP
Feb  8 16:12:17 selenium smtpd[30548]: smtp-in: Closing session
4b0dece7604e2ab4
Feb  8 16:12:17 selenium smtpd[30548]: smtp-out: Connecting to smtp+tls://
10.1.217.34:25 (selenium.abc.example.com) on session 4b0decea9465f088...
Feb  8 16:12:17 selenium smtpd[30548]: smtp-out: Connected on session
4b0decea9465f088
Feb  8 16:12:17 selenium smtpd[30548]: smtp-in: New session
4b0deceb7185e55e from host selenium.abc.example.com[10.1.217.34]
Feb  8 16:12:17 selenium smtpd[30548]: smtp-in: Accepted message 63dd05ac
on session 4b0deceb7185e55e: from=, to=<
mich...@selenium.abc.example.com>, size=719, ndest=1, proto=ESMTP
Feb  8 16:12:17 selenium smtpd[30548]: relay: Ok for a4d2ba611f5d69f3:
session=4b0decea9465f088, from=, to=<
mich...@selenium.abc.example.com>, rcpt=<->, source=10.1.217.34,
relay=10.1.217.34 (selenium.abc.example.com), delay=0s, stat=250 2.0.0:
63dd05ac Message accepted for delivery
Feb  8 16:12:17 selenium smtpd[30548]: smtp-out: Connecting to smtp+tls://
10.2.33.34:25 (mailhost.example.com) on session 4b0deceed4ae1a78...
Feb  8 16:12:17 selenium smtpd[30548]: smtp-out: Connected on session
4b0deceed4ae1a78
Feb  8 16:12:17 selenium smtpd[30548]: smtp-out: Started TLS on session
4b0deceed4ae1a78: version=TLSv1/SSLv3, cipher=DHE-RSA-AES256-SHA, bits=256
Feb  8 16:12:17 selenium smtpd[30548]: smtp-out: Server certificate
verification succeeded on session 4b0deceed4ae1a78
Feb  8 16:12:17 selenium smtpd[30548]: relay: Ok for 63dd05ac3126ba1f:
session=4b0deceed4ae1a78, from=, to=<
michael.b...@example.com>, rcpt=,
source=10.1.217.34, relay=10.2.33.34 (mailhost.example.com), delay=0s,
stat=250 2.0.0 Ok: queued as AC2FBCA1FE
Feb  8 16:12:27 selenium smtpd[30548]: smtp-in: Closing session
4b0deceb7185e55e
Feb  8 16:12:27 selenium smtpd[30548]: smtp-out: Closing session
4b0decea9465f088: 1 message sent.
Feb  8 16:12:27 selenium smtpd[30548]: smtp-out: Closing session
4b0deceed4ae1a78: 1 message sent.


If I send a message to the server's CNAME, it goes into a loop which is
eventually detected and shut down:

...
Feb  8 16:14:17 selenium smtpd[30548]: warn: loop detected
Feb  8 16:14:17 selenium smtpd[30548]: smtp-in: Failed command on session
4b0decf39bd54111: "DATA" => 500 5.4.6 Routing loop detected: Loop detected
Feb  8 16:14:17 selenium smtpd[30548]: relay: PermFail for
63bffc06b4c44cec: session=4b0decf2a712e432, from=<
bu...@ytterbium.abc.example.com>, to=,
rcpt=<->, source=10.1.217.34, relay=10.1.217.34 (selenium.abc.example.com),
delay=1s, stat=500 5.4.6 Routing loop detected: Loop detected
Feb  8 16:14:18 selenium smtpd[30548]: smtp-in: New session
4b0decf71e1730a5 from host selenium.abc.example.com [local]
Feb  8 16:14:18 selenium smtpd[30548]: smtp-in: Accepted message 293cbf9d
on session 4b0decf71e1730a5: from=<>, to=,
size=23050, ndest=1, proto=ESMTP
Feb  8 16:14:18 selenium smtpd[30548]: smtp-in: Closing session
4b0decf71e1730a5
Feb  8 16:14:27 selenium smtpd[30548]: smtp-in: Closing session
4b0decf39bd54111
Feb  8 16:14:27 selenium smtpd[30548]: smtp-out: Closing session
4b0decf2a712e432: 98 messages sent.
Feb  8 16:14:45 selenium smtpd[30548]: smtp-out: Error on session
4b0decf6733a5e76: IO Error: No route to host
Feb  8 16:14:45 selenium smtpd[30548]: smtp-out: Disabling route [] <->
10.1.217.70 (ytterbium.abc.example.com) for 800s
Feb  8 16:14:45 selenium smtpd[30548]: smtp-out: No valid route for
[connector:[]->[relay:ytterbium.abc.example.com],0x0]
Feb  8 16:14:51 selenium smtpd[30548]: relay: TempFail for
195cd84d2faa71d4: session=, from=<>, to=<
bu...@ytterbium.abc.example.com>, rcpt=<->, source=-, relay=
ytterbium.abc.example.com, delay=8m1s, stat=Network 

Re: relay from notebook not working (need help with configuration)

2015-09-10 Thread Jiri Navratil
On Wed, Sep 09, 2015 at 07:37:13PM +0200, Marcus MERIGHI wrote:
> j...@navratil.cz (Jiri Navratil), 2015.09.08 (Tue) 08:24 (CEST):
> > I wish to use my notebook to deliver emails via relay to my server
> > regardless of location and Internet connection.
> > 
> > on notebook I have
> > 
> > accept from local for any relay via tls+auth://user@myserver auth
> > 
> 
> table relayauth { username= "passphrase" }
> accept for any relay via tls+auth://usern...@msa.domain.tld:587 auth \
>   
> 
> > on server I have
> > 
> > listen on egress tls pki myserver auth-optional
> > listen on egress port submission tls-require pki myserver auth
> 
> pki host.domain.tld certificate "/etc/ssl/tld.domain.host.crt"
> pki host.domain.tld key "/etc/ssl/private/tld.domain.host.key"
> listen on egress port submission tls pki host.domain.tld auth tag msa
> 
> Bye, Max
> 
> > !DSPAM:55ee7f4a22061658913436!
> 


Thank you Max for your help.

It's working now. I had to add the 587 port and change the format of relayauth.

I propose adjusting smtpd.conf(5) for these changes:

- add 587 port to example of accept for ...
- adjust secrets table format, as this one has been reported by smtpd -v as
  wrong (the created secrets.db)
   # echo "label username:password" > /etc/mail/secrets

next to it 
- /etc/rc.d/smtpd start  reported OK, but smtpd -v reported problem with
  secrets.db

next to it
- $ doas smtpctl resume mta 
is still reporting
command failed

Please let me know, if I can help debug it more.

Best regards,
Jiri

-- 
Jiri Navratil, http://kouc.navratil.cz, +420 222 767 131





Re: relay from notebook not working (need help with configuration)

2015-09-09 Thread Marcus MERIGHI
j...@navratil.cz (Jiri Navratil), 2015.09.08 (Tue) 08:24 (CEST):
> I wish to use my notebook to deliver emails via relay to my server
> regardless of location and Internet connection.
> 
> on notebook I have
> 
> accept from local for any relay via tls+auth://user@myserver auth
> 

table relayauth { username= "passphrase" }
accept for any relay via tls+auth://usern...@msa.domain.tld:587 auth \
  

> on server I have
> 
> listen on egress tls pki myserver auth-optional
> listen on egress port submission tls-require pki myserver auth

pki host.domain.tld certificate "/etc/ssl/tld.domain.host.crt"
pki host.domain.tld key "/etc/ssl/private/tld.domain.host.key"
listen on egress port submission tls pki host.domain.tld auth tag msa

Bye, Max

> !DSPAM:55ee7f4a22061658913436!




relay from notebook not working (need help with configuration)

2015-09-08 Thread Jiri Navratil
Hello,

I wish to use my notebook to deliver emails via relay to my server
regardless of location and Internet connection.

on notebook I have

:
accept from local for any relay via tls+auth://user@myserver auth 
:

on server I have

:
listen on egress tls pki myserver auth-optional
listen on egress port submission tls-require pki myserver auth


I tested it from my LAN and it worked.

Today I wrote a few emails while commuting. After connecting to the network, I'm not
able to deliver them.

doas smtpctl show queue
reported firstly something about not resolved MX address

after
doas smtpctl schedule all 
5 envelopes scheduled

I'm getting
Network error on destination MXs

doas smtpctl resume mta 
command failed

In log I see
Sep  8 07:56:45 mynotebook smtpd[19575]: smtp-out: Error on session 
97f00336911384e4: TLS required but not supported by remote host

I'm using OpenBSD -current on notebook
OpenSMTPD 5.4.4

and OpenBSD 5.8 GENERIC.MP#1137 amd64 from snapshot on server
OpenSMTPD 5.4.4

Please
- is my configuration correct?
- shall I somehow debug the "command failed" output from smtpctl resume mta?
- is this approach (idea) of delivering emails this way correct?

Thank you,
Jiri

-- 
Jiri Navratil, http://kouc.navratil.cz, +420 222 767 131

