Re: tls-require not working as expected

2017-02-13 Thread Gilles Chehade
On Mon, Feb 13, 2017 at 01:11:53PM +0100, Gilles Chehade wrote:
> On Mon, Feb 06, 2017 at 06:31:28PM +0100, Gilles Chehade wrote:
> > I'm currently swamped until this Saturday
> > 
> > Can you open an issue on our github account so I can work on a fix
> > hopefully this week-end ?
> > 
> 
> So I looked at the issue and reproduced it; it turns out that during a
> cleanup to factor parse.y, eric@ accidentally forgot to carry this
> flag so it would never propagate down to the listener.
> 
> I have a diff ready which is pending review / ok and which should be
> committed later today. I'll push to github so you can give it a try
> and we'll have this part of the next release, minor or major.
> 

committed to github, will be part of next snapshot very likely tomorrow
or the day after tomorrow.

thanks for reporting


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Re: tls-require not working as expected

2017-02-13 Thread Gilles Chehade
On Mon, Feb 06, 2017 at 06:31:28PM +0100, Gilles Chehade wrote:
> I'm currently swamped until this Saturday
> 
> Can you open an issue on our github account so I can work on a fix
> hopefully this week-end ?
> 

So I looked at the issue and reproduced it; it turns out that during a
cleanup to factor parse.y, eric@ accidentally forgot to carry this
flag so it would never propagate down to the listener.

I have a diff ready which is pending review / ok and which should be
committed later today. I'll push to github so you can give it a try
and we'll have this part of the next release, minor or major.


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg




Re: tls-require not working as expected

2017-01-30 Thread Jason Mann
Here it is:

--- smtpd.conf ---
ca mail.mydomain.net certificate "/usr/local/etc/letsencrypt/archive/mydomain.net/chain1.pem"
pki mail.mydomain.net certificate "/usr/local/etc/letsencrypt/archive/mydomain.net/cert1.pem"
pki mail.mydomain.net key "/usr/local/etc/letsencrypt/archive/mydomain.net/privkey1.pem"
pki mail.mydomain.net dhparams "/etc/ssl/dh2048.pem"

listen on lo0 hostname localhost

listen on egress tls-require hostname mail.mydomain.net

table aliases db:/usr/local/etc/mail/aliases.db
table vdomains file:/usr/local/etc/mail/virtualdomains
table vusers file:/usr/local/etc/mail/virtualusers

accept from any for domain <vdomains> virtual <vusers> deliver to maildir
accept for local alias <aliases> deliver to maildir
accept for any relay
--- end smtpd.conf ---

virtualdomains just lists three domains I own, while virtualusers maps
jason@ those domains to my local user.

Thanks.

Jason

On 30 January 2017 at 10:24, Gilles Chehade  wrote:

> On Fri, Jan 27, 2017 at 02:41:47PM +, Jason Mann wrote:
> > Hello list.
> >
> > I'm trying to configure OpenSMTPD 5.9.2 on a FreeBSD server but I'm
> seeing
> > anomalous behaviour with one of my listen directives.
> >
> > The directive in question is:
> >
> >   listen on egress tls-require hostname mail.mydomain.net
> >
> > My only other listen directive is the usual localhost one.
> >
>
> can you show your full config please?
>
>
> > The smtpd.conf man page states: "tls-require may be used to force clients
> > to establish a secure connection before being allowed to start an SMTP
> > transaction".
> >
> > I ran a telnet test against the server to see how the forcing of TLS
> takes
> > place, but it didn't happen.  I was able to manually submit a message to
> > OpenSMTPD without TLS as follows:
> >
> > $ telnet a.mx.mydomain.net 25
> > Trying :xxx:xx:xxx::x:...
> > Connected to a.mx.mydomain.net.
> > Escape character is '^]'.
> > 220 mail.mydomain.net ESMTP OpenSMTPD
> > HELO jmann-mbp
> > 250 mail.mydomain.net Hello jmann-mbp
> > [IPv6::::::::],
> > pleased to meet you
> > MAIL FROM:
> > 250 2.0.0: Ok
> > RCPT TO:
> > 250 2.1.5 Destination address valid: Recipient ok
> > DATA
> > 354 Enter mail, end with "." on a line by itself
> > From: Jason Mann 
> > To: Jason Mann 
> > Subject: Test 4
> >
> > This is a test.
> > .
> > 250 2.0.0: f20f3998 Message accepted for delivery
> > QUIT
> > 221 2.0.0: Bye
> >
> > What may be wrong here?
> >
> > Kind regards,
> >
> > Jason
>
> --
> Gilles Chehade
>
> https://www.poolp.org  @poolpOrg
>
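A plaintext probe of the listener behaviour Jason tests above, added here as an example; it is not code from the thread or from OpenSMTPD. It speaks SMTP up to MAIL FROM without STARTTLS and reports whether the server refuses to start the transaction, which is what tls-require is documented to do. The 530 reply wording follows RFC 3207 and is an assumption about the exact text; the check itself only relies on the 5xx class. The in-process fake listener, the HELO name and the sender address are constructed so that the example runs offline.

```python
import socket
import threading

def _read_reply(rfile):
    """Read one SMTP reply (multi-line aware) and return its 3-digit code."""
    while True:
        line = rfile.readline().decode("ascii", "replace")
        if not line:
            raise ConnectionError("server closed the connection")
        if len(line) < 4 or line[3] != "-":  # "250-" continues, "250 " ends
            return int(line[:3])

def _send(wfile, text):
    wfile.write(text.encode("ascii") + b"\r\n")
    wfile.flush()

def tls_required_before_mail(conn, helo="probe.example"):
    """Plaintext probe: greeting, EHLO, then MAIL FROM with no STARTTLS. True if
    MAIL FROM gets a 5xx reply (tls-require enforced), False if it is accepted."""
    rfile, wfile = conn.makefile("rb"), conn.makefile("wb")
    if _read_reply(rfile) != 220:
        raise RuntimeError("unexpected greeting")
    _send(wfile, "EHLO " + helo)  # constructed HELO name
    _read_reply(rfile)  # capability list; not needed for this check
    _send(wfile, "MAIL FROM:<probe@probe.example>")  # constructed sender
    code = _read_reply(rfile)
    _send(wfile, "QUIT")
    _read_reply(rfile)  # consume 221 so the peer never writes to a closed socket
    return 500 <= code < 600

def _fake_listener(conn, enforce):
    """Constructed stand-in for the listener so the probe runs offline."""
    rfile, wfile = conn.makefile("rb"), conn.makefile("wb")
    _send(wfile, "220 mail.mydomain.net ESMTP")
    for raw in rfile:
        cmd = raw.decode("ascii", "replace").upper()
        if cmd.startswith("EHLO"):
            _send(wfile, "250-mail.mydomain.net Hello\r\n250-STARTTLS\r\n250 8BITMIME")
        elif cmd.startswith("MAIL FROM"):  # buggy listener accepts, fixed one refuses
            _send(wfile, "530 5.7.0 Must issue a STARTTLS command first" if enforce
                  else "250 2.0.0: Ok")
        elif cmd.startswith("QUIT"):
            _send(wfile, "221 2.0.0: Bye")
            break

def probe_fake_listener(enforce):
    """Run the probe against an in-process fake listener; True means enforced."""
    client, server = socket.socketpair()
    threading.Thread(target=_fake_listener, args=(server, enforce), daemon=True).start()
    result = tls_required_before_mail(client)
    client.close()
    return result
```

Against a real server, pass `socket.create_connection((host, 25))` to `tls_required_before_mail` instead of the fake end; a `False` result is the symptom reported in this thread.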


Re: tls-require not working as expected

2017-01-30 Thread Gilles Chehade
On Fri, Jan 27, 2017 at 02:41:47PM +, Jason Mann wrote:
> Hello list.
> 
> I'm trying to configure OpenSMTPD 5.9.2 on a FreeBSD server but I'm seeing
> anomalous behaviour with one of my listen directives.
> 
> The directive in question is:
> 
>   listen on egress tls-require hostname mail.mydomain.net
> 
> My only other listen directive is the usual localhost one.
> 

can you show your full config please?


> The smtpd.conf man page states: "tls-require may be used to force clients
> to establish a secure connection before being allowed to start an SMTP
> transaction".
> 
> I ran a telnet test against the server to see how the forcing of TLS takes
> place, but it didn't happen.  I was able to manually submit a message to
> OpenSMTPD without TLS as follows:
> 
> $ telnet a.mx.mydomain.net 25
> Trying :xxx:xx:xxx::x:...
> Connected to a.mx.mydomain.net.
> Escape character is '^]'.
> 220 mail.mydomain.net ESMTP OpenSMTPD
> HELO jmann-mbp
> 250 mail.mydomain.net Hello jmann-mbp
> [IPv6::::::::],
> pleased to meet you
> MAIL FROM:
> 250 2.0.0: Ok
> RCPT TO:
> 250 2.1.5 Destination address valid: Recipient ok
> DATA
> 354 Enter mail, end with "." on a line by itself
> From: Jason Mann 
> To: Jason Mann 
> Subject: Test 4
> 
> This is a test.
> .
> 250 2.0.0: f20f3998 Message accepted for delivery
> QUIT
> 221 2.0.0: Bye
> 
> What may be wrong here?
> 
> Kind regards,
> 
> Jason

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg




Re: tls-require not working as expected

2017-01-28 Thread Marcus MERIGHI
jason.mann+opensm...@gmail.com (Jason Mann), 2017.01.27 (Fri) 15:41 (CET):
> Hello list.
> 
> I'm trying to configure OpenSMTPD 5.9.2 on a FreeBSD server but I'm seeing
> anomalous behaviour with one of my listen directives.
> 
> The directive in question is:
> 
>   listen on egress tls-require hostname mail.mydomain.net
> 
> My only other listen directive is the usual localhost one.
> 
> The smtpd.conf man page states: "tls-require may be used to force clients
> to establish a secure connection before being allowed to start an SMTP
> transaction".
> 
> I ran a telnet test against the server to see how the forcing of TLS takes
> place, but it didn't happen.  I was able to manually submit a message to
> OpenSMTPD without TLS as follows:

$ for i in smtp mta expand lookup rules; do smtpctl trace $i; done
(do your test and watch your logfiles to see what goes why where.) 
$ for i in smtp mta expand lookup rules; do smtpctl untrace $i; done 

Be quick, lots of output to your log file.

Marcus

> $ telnet a.mx.mydomain.net 25
> Trying :xxx:xx:xxx::x:...
> Connected to a.mx.mydomain.net.
> Escape character is '^]'.
> 220 mail.mydomain.net ESMTP OpenSMTPD
> HELO jmann-mbp
> 250 mail.mydomain.net Hello jmann-mbp
> [IPv6::::::::],
> pleased to meet you
> MAIL FROM:
> 250 2.0.0: Ok
> RCPT TO:
> 250 2.1.5 Destination address valid: Recipient ok
> DATA
> 354 Enter mail, end with "." on a line by itself
> From: Jason Mann 
> To: Jason Mann 
> Subject: Test 4
> 
> This is a test.
> .
> 250 2.0.0: f20f3998 Message accepted for delivery
> QUIT
> 221 2.0.0: Bye
> 
> What may be wrong here?
> 
> Kind regards,
> 
> Jason
> 
> 
