Re: tls-require not working as expected
On Mon, Feb 13, 2017 at 01:11:53PM +0100, Gilles Chehade wrote:
> On Mon, Feb 06, 2017 at 06:31:28PM +0100, Gilles Chehade wrote:
> > I'm currently swamped until this Saturday
> >
> > Can you open an issue on our github account so I can work on a fix
> > hopefully this week-end ?
> >
>
> So I looked at the issue and reproduced it, turns out that during a
> cleanup to factor parse.y, eric@ accidentally forgot to carry this
> flag so it would never propagate down to the listener.
>
> I have a diff ready which is pending review / ok and which should be
> committed later today. I'll push to github so you can give it a try
> and we'll have this part of the next release, minor or major.
>

Committed to github, will be part of the next snapshot, very likely
tomorrow or the day after tomorrow. Thanks for reporting.

--
Gilles Chehade
https://www.poolp.org @poolpOrg

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: tls-require not working as expected
On Mon, Feb 06, 2017 at 06:31:28PM +0100, Gilles Chehade wrote:
> I'm currently swamped until this Saturday
>
> Can you open an issue on our github account so I can work on a fix
> hopefully this week-end ?
>

So I looked at the issue and reproduced it, turns out that during a
cleanup to factor parse.y, eric@ accidentally forgot to carry this
flag so it would never propagate down to the listener.

I have a diff ready which is pending review / ok and which should be
committed later today. I'll push to github so you can give it a try
and we'll have this part of the next release, minor or major.

--
Gilles Chehade
https://www.poolp.org @poolpOrg
Re: tls-require not working as expected
Here it is:

--- smtpd.conf ---
ca mail.mydomain.net certificate "/usr/local/etc/letsencrypt/archive/mydomain.net/chain1.pem"
pki mail.mydomain.net certificate "/usr/local/etc/letsencrypt/archive/mydomain.net/cert1.pem"
pki mail.mydomain.net key "/usr/local/etc/letsencrypt/archive/mydomain.net/privkey1.pem"
pki mail.mydomain.net dhparams "/etc/ssl/dh2048.pem"

listen on lo0 hostname localhost
listen on egress tls-require hostname mail.mydomain.net

table aliases db:/usr/local/etc/mail/aliases.db
table vdomains file:/usr/local/etc/mail/virtualdomains
table vusers file:/usr/local/etc/mail/virtualusers

accept from any for domain virtual deliver to maildir
accept for local alias deliver to maildir
accept for any relay
--- end smtpd.conf ---

virtualdomains just lists three domains I own, while virtualusers maps
jason@ those domains to my local user.

Thanks.

Jason

On 30 January 2017 at 10:24, Gilles Chehade wrote:
> On Fri, Jan 27, 2017 at 02:41:47PM +, Jason Mann wrote:
> > Hello list.
> >
> > I'm trying to configure OpenSMTPD 5.9.2 on a FreeBSD server but I'm seeing
> > anomalous behaviour with one of my listen directives.
> >
> > The directive in question is:
> >
> > listen on egress tls-require hostname mail.mydomain.net
> >
> > My only other listen directive is usual localhost one.
> >
>
> can you show your full config please ?
>
> > The smtpd.conf man page states: "tls-require may be used to force clients
> > to establish a secure connection before being allowed to start an SMTP
> > transaction".
> >
> > I ran a telnet test against the server to see how the forcing of TLS takes
> > place, but it didn't happen. I was able to manually submit a message to
> > OpenSMTPD without TLS as follows:
> >
> > $ telnet a.mx.mydomain.net 25
> > Trying :xxx:xx:xxx::x:...
> > Connected to a.mx.mydomain.net.
> > Escape character is '^]'.
> > 220 mail.mydomain.net ESMTP OpenSMTPD
> > HELO jmann-mbp
> > 250 mail.mydomain.net Hello jmann-mbp [IPv6::::::::], pleased to meet you
> > MAIL FROM:
> > 250 2.0.0: Ok
> > RCPT TO:
> > 250 2.1.5 Destination address valid: Recipient ok
> > DATA
> > 354 Enter mail, end with "." on a line by itself
> > From: Jason Mann
> > To: Jason Mann
> > Subject: Test 4
> >
> > This is a test.
> > .
> > 250 2.0.0: f20f3998 Message accepted for delivery
> > QUIT
> > 221 2.0.0: Bye
> >
> > What may be wrong here?
> >
> > Kind regards,
> >
> > Jason
>
> --
> Gilles Chehade
> https://www.poolp.org @poolpOrg
>
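The telnet session quoted above, turned into a repeatable check for a listener you administer. This is an added example, not code from the thread or from OpenSMTPD: it sends EHLO and then MAIL FROM without STARTTLS and reports whether the server refuses the transaction. It assumes the refusal is the 530 reply that RFC 3207 specifies, and the two transcripts it ships with are constructed from the thread's session (the accepting server as reported, and what an enforcing listener should answer), not captured output.

```python
import io
import socket

def smtp_reply(rfile):
    """Read one SMTP reply (single or multi-line); return (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":  # "250-" continues, "250 " ends
            return int(line[:3]), lines

def cleartext_transaction_refused(rfile, wfile, helo=b"tls-check.example"):
    """EHLO, then MAIL FROM without STARTTLS: True only if the server answers
    530 (RFC 3207) instead of letting the transaction start in cleartext."""
    if smtp_reply(rfile)[0] != 220:
        raise RuntimeError("no 220 greeting")
    for cmd in (b"EHLO " + helo, b"MAIL FROM:<>"):
        wfile.write(cmd + b"\r\n")
        wfile.flush()
        code, _ = smtp_reply(rfile)   # after the loop: the MAIL FROM reply
    wfile.write(b"QUIT\r\n")
    wfile.flush()
    try:
        smtp_reply(rfile)             # server may simply close; that's fine
    except ConnectionError:
        pass
    return code == 530

def check_transcript(transcript):
    """Offline self-test: run the probe against a canned server transcript."""
    return cleartext_transaction_refused(io.BytesIO(transcript), io.BytesIO())

def check_host(host, port=25, timeout=10):
    """Run the probe against a live listener you administer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return cleartext_transaction_refused(s.makefile("rb"), s.makefile("wb"))

# Constructed transcripts: the thread's accepting server (BUGGY) vs. a listener that honours tls-require (FIXED).
BUGGY_TRANSCRIPT = (b"220 mail.mydomain.net ESMTP OpenSMTPD\r\n"
                    b"250 mail.mydomain.net Hello tls-check.example\r\n"
                    b"250 2.0.0: Ok\r\n221 2.0.0: Bye\r\n")
FIXED_TRANSCRIPT = (b"220 mail.mydomain.net ESMTP OpenSMTPD\r\n"
                    b"250-mail.mydomain.net Hello tls-check.example\r\n250 STARTTLS\r\n"
                    b"530 5.7.0 Must issue a STARTTLS command first\r\n"
                    b"221 2.0.0: Bye\r\n")
```

check_transcript(BUGGY_TRANSCRIPT) reproduces the thread's finding (False), check_transcript(FIXED_TRANSCRIPT) returns True, and check_host("mail.mydomain.net") runs the same probe against a real port 25.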
Re: tls-require not working as expected
On Fri, Jan 27, 2017 at 02:41:47PM +, Jason Mann wrote:
> Hello list.
>
> I'm trying to configure OpenSMTPD 5.9.2 on a FreeBSD server but I'm seeing
> anomalous behaviour with one of my listen directives.
>
> The directive in question is:
>
> listen on egress tls-require hostname mail.mydomain.net
>
> My only other listen directive is usual localhost one.
>

can you show your full config please ?

> The smtpd.conf man page states: "tls-require may be used to force clients
> to establish a secure connection before being allowed to start an SMTP
> transaction".
>
> I ran a telnet test against the server to see how the forcing of TLS takes
> place, but it didn't happen. I was able to manually submit a message to
> OpenSMTPD without TLS as follows:
>
> $ telnet a.mx.mydomain.net 25
> Trying :xxx:xx:xxx::x:...
> Connected to a.mx.mydomain.net.
> Escape character is '^]'.
> 220 mail.mydomain.net ESMTP OpenSMTPD
> HELO jmann-mbp
> 250 mail.mydomain.net Hello jmann-mbp [IPv6::::::::], pleased to meet you
> MAIL FROM:
> 250 2.0.0: Ok
> RCPT TO:
> 250 2.1.5 Destination address valid: Recipient ok
> DATA
> 354 Enter mail, end with "." on a line by itself
> From: Jason Mann
> To: Jason Mann
> Subject: Test 4
>
> This is a test.
> .
> 250 2.0.0: f20f3998 Message accepted for delivery
> QUIT
> 221 2.0.0: Bye
>
> What may be wrong here?
>
> Kind regards,
>
> Jason

--
Gilles Chehade
https://www.poolp.org @poolpOrg
Re: tls-require not working as expected
jason.mann+opensm...@gmail.com (Jason Mann), 2017.01.27 (Fri) 15:41 (CET):
> Hello list.
>
> I'm trying to configure OpenSMTPD 5.9.2 on a FreeBSD server but I'm seeing
> anomalous behaviour with one of my listen directives.
>
> The directive in question is:
>
> listen on egress tls-require hostname mail.mydomain.net
>
> My only other listen directive is usual localhost one.
>
> The smtpd.conf man page states: "tls-require may be used to force clients
> to establish a secure connection before being allowed to start an SMTP
> transaction".
>
> I ran a telnet test against the server to see how the forcing of TLS takes
> place, but it didn't happen. I was able to manually submit a message to
> OpenSMTPD without TLS as follows:

$ for i in smtp mta expand lookup rules; do smtpctl trace $i; done

(do your test and watch your logfiles to see what goes why where.)

$ for i in smtp mta expand lookup rules; do smtpctl untrace $i; done

Be quick, lots of output to your log file.

Marcus

> $ telnet a.mx.mydomain.net 25
> Trying :xxx:xx:xxx::x:...
> Connected to a.mx.mydomain.net.
> Escape character is '^]'.
> 220 mail.mydomain.net ESMTP OpenSMTPD
> HELO jmann-mbp
> 250 mail.mydomain.net Hello jmann-mbp [IPv6::::::::], pleased to meet you
> MAIL FROM:
> 250 2.0.0: Ok
> RCPT TO:
> 250 2.1.5 Destination address valid: Recipient ok
> DATA
> 354 Enter mail, end with "." on a line by itself
> From: Jason Mann
> To: Jason Mann
> Subject: Test 4
>
> This is a test.
> .
> 250 2.0.0: f20f3998 Message accepted for delivery
> QUIT
> 221 2.0.0: Bye
>
> What may be wrong here?
>
> Kind regards,
>
> Jason