Re: need help with honeypot

2024-01-23 Thread kasak
Thu, 2 Nov 2023 at 09:51, kasak :
>
> Mon, 23 Oct 2023 at 09:11, kasak :
> >
> > Fri, 20 Oct 2023 at 19:52, Юрий Иванов :
> > >
> > > Sorry for off top...
> > > ...but thanks for your OpenBSD PF book Peter :-)
> > > 
> > > From: kasak 
> > > Sent: 20 October 2023 8:48
> > > To: Peter N. M. Hansteen 
> > > Cc: misc@opensmtpd.org 
> > > Subject: Re: need help with honeypot
> > >
> > > Thu, 19 Oct 2023 at 19:52, Peter N. M. Hansteen :
> > > >
> > > > On Thu, Oct 19, 2023 at 09:05:56AM +0300, kasak wrote:
> > > > > In traps file I have list of spoiled addresses for example 
> > > > > aa...@tvema.ru
> > > > > But mail is not accepted :(
> > > >
> > > > This sounds like you are more or less trying to imitate the greytrapping
> > > > feature of OpenBSD spamd.
> > >
> > > Yes, it is something similar, but not quite. I have no need of
> > > greytrapping, I want to teach rspamd.
> > > Hope I can do this without spamd.
> > >
> > > > You might want to read this article of mine (gosh, it's been 11 years)
> > > > and links therein for inspiration: 
> > > > https://bsdly.blogspot.com/2012/05/in-name-of-sane-email-setting-up-spamd.html
> > > > (also newly available trackerless but with even uglier formatting as 
> > > > https://nxdomain.no/~peter/in_the_name_of_sane_email.html),
> > > > assuming, as usual, that your system runs OpenBSD (also applicable with
> > > > minor adjustments on FreeBSD or NetBSD)
> > > >
> > > > - Peter
> > > >
> > > > --
> > > > Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> > > > https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
> > > > "Remember to set the evil bit on all malicious network traffic"
> > > > delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
> > >
> >
> > I did some experiments here, and it looks like this is not a "match"
> > problem, this is an "action" problem.
> > If I change action "trap" to some real delivery method, it works.
> > So, I need to fix it with rspamc somehow.
>
> If anyone is interested, I have figured out how to do what I wanted to do.
>
> Here is a howto:
> First, collect spoiled email addresses into some list, for example
> /etc/mail/traps.
> Second, we must map these addresses to some local user, because
> otherwise, smtpd will not know where to put them.
> To do this, we must make another table, mapping all addresses to the
> _rspamd user.
> You can do this with a simple sed pattern:
> cat /etc/mail/traps | sed 's/$/ _rspamd/' > /etc/mail/virtualtraps
> Now we have two tables, traps for matching and virtualtraps for action.
>
> Add something like this to smtpd.conf:
> 
> table traps file:/etc/mail/traps
> table virtualtraps file:/etc/mail/virtualtraps
>
> action "trap" mda "/usr/local/bin/rspamc -f 1 -w 10 fuzzy_add" virtual
> 
>
> match from any for rcpt-to  action "trap"
> 
>
> The match directive should be placed above the main domain match.
> And voila!
> You can monitor teaching with grep:
> grep -F -f /etc/mail/traps /var/log/maillog

Folks, I just suddenly discovered that rspamd has a module to achieve
exactly this functionality.
https://rspamd.com/doc/modules/spamtrap.html
I already tested it and it works like a charm!
How did I not notice it before?



Re: Need help with mail server configuration

2023-11-11 Thread Thomas Bohl



I received it (even in Thunderbird)! May I ask how you did that? I 
tried so many ways today but none worked...


I clicked "New Message" in Thunderbird, entered your email and hit send. 
:-) Have you tried sending from your nogafam.eu address?




telnet mail.ivanroth.fr 25 times out, same for nc -4 mail.ivanroth.fr 25

mail command sends no error but no message is received.


Too little information to help. I don't know what you entered, nor what the 
corresponding service logs were. What I would do at this stage is run 
smtpd in the foreground with verbose output, to see it live reacting to 
inputs.

"smtpd -dvvv"



I changed the smtpd.conf to listen to 465:

-listen on 0.0.0.0 tls pki mail.ivanroth.fr filter { check_dyndns, 
check_rdns, check_fcrdns, senderscore, rspamd }
-listen on 0.0.0.0 port submission tls-require pki mail.ivanroth.fr auth 
filter rspamd


+listen on 0.0.0.0 port 25 tls pki mail.ivanroth.fr filter { 
check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
+listen on 0.0.0.0 port 465 smtps pki mail.ivanroth.fr auth filter { 
check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
+listen on 0.0.0.0 port submission tls-require pki mail.ivanroth.fr auth 
filter rspamd
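Review bot: the two added submission listeners apply different filter sets to the same class of traffic: the port 465 line gets `filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }` while the `port submission` line keeps `filter rspamd`; both are `auth` listeners for the server's own users, and the dynamic-IP, rDNS and senderscore checks belong to the public port 25 listener, so the 465 line should use the same `auth filter rspamd` as the 587 one. Also, none of the `+listen` lines sets `hostname mail.ivanroth.fr`, so the 220 greeting stays `ivanroth.fr`, the mismatch pointed out earlier in this thread.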


does this look good to you?


You have two different filter sets for 465 and 587. Both ports are for 
you/your users to send mail. (Aka with Thunderbird) So I wouldn't use 
check_dyndns/etc. for 465. All public mail will be over 25.


Also, you aren't forcing the right hostname. Did you change the 
computers hostname instead?




When restarting the opensmtpd service, I noticed the following warnings:

warn: invalid envelope e84235315f00364e: unknown dispatcher

warn: invalid envelope b6797a98aad69976: unknown dispatcher

what do they mean?


You have two mails in the queue that can't be sent/delivered. Happens 
when you have unfinished config and testing around.

"smtpctl show queue"
"smtpctl remove e84235315f00364e"
"smtpctl remove b6797a98aad69976"





Re: Need help with mail server configuration

2023-11-10 Thread Thomas Bohl

> Hi,
>
> Thank you for your reply. I spent a couple of hours on this today with 
> not much luck. Please find my replies below.




> > Then check what is blocking port 25. Is it your Debian firewall or 
> > your VPS provider.


> There is no VPS provider firewall. The one I can use is disabled. I 
> asked support if there were any firewall beyond mine and their answer is 
> no. I should get full access to any port I may need.
>
> On the VPS, iptables is set to ACCEPT in every way, INPUT, OUTPUT and 
> FORWARD. I added explicit ACCEPT rules for testing but did not get 
> better results.


But everything looks good now, all ports are publicly reachable. I did 
send you a test mail and your server accepted it. (In plaintext but still.)


I also gave http://www.antispam-ufrj.pads.ufrj.br/test-relay.html a 
shot. It reached your server. It couldn't do it the last time.




> Still, I can reach port 587 in addition to 143 but no 25 nor 465 and 993.


I can reach all, except for 465. But that is ok because according to 
your smtpd.conf the server isn't listening on it.




> Here is my smtpd.conf:
>
> pki mail.ivanroth.fr cert "/etc/letsencrypt/live/mail.ivanroth.fr/fullchain.pem"
> pki mail.ivanroth.fr key "/etc/letsencrypt/live/mail.ivanroth.fr/privkey.pem"
>
> filter check_dyndns phase connect match rdns regex { '.*\.dyn\..*', '.*\.dsl\..*' } junk
>
> filter check_rdns phase connect match !rdns junk
> filter check_fcrdns phase connect match !fcrdns junk
> filter senderscore proc-exec "filter-senderscore -junkBelow 70 -slowFactor 5000"
>
> filter rspamd proc-exec "filter-rspamd"
>
> table aliases file:/etc/aliases
>
> listen on 0.0.0.0 tls pki mail.ivanroth.fr \
>      filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
>
> listen on 0.0.0.0 port submission tls-require pki mail.ivanroth.fr auth filter rspamd


Your server greets the world with

220 ivanroth.fr ESMTP OpenSMTPD

which is the wrong hostname, which leads to "opportunistic TLS failed, 
downgrading to plain". Try forcing the right hostname:


listen on 0.0.0.0 hostname mail.ivanroth.fr tls pki mail.ivanroth.fr \
 filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }

listen on 0.0.0.0 port submission tls-require \
 hostname mail.ivanroth.fr pki mail.ivanroth.fr auth \
 filter rspamd



> #listen on ens3 tls pki mail.ivanroth.fr filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
> #listen on ens3 port submission tls-require pki mail.ivanroth.fr auth filter rspamd
>
> action "local_mail" maildir junk alias 
> action "outbound" relay helo mail.ivanroth.fr
>
> match from any for domain "ivanroth.fr" action "local_mail"
> match for local action "local_mail"
>
> match from any auth for any action "outbound"
> match for any action "outbound"


If I'm not mistaken, the last line is redundant. (Without a "from", 
"from local" is implied, which in turn implies "auth". Which is covered 
by the line "from any auth" before it.)




> $ nmap localhost
> Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-10 21:58 CET
> Nmap scan report for localhost (127.0.0.1)
> Host is up (0.00028s latency).
> Other addresses for localhost (not scanned): ::1
> Not shown: 993 closed tcp ports (conn-refused)
> PORT    STATE SERVICE
> 22/tcp  open  ssh
> 25/tcp  open  smtp
> 80/tcp  open  http
> 143/tcp open  imap
> 443/tcp open  https
> 587/tcp open  submission
> 993/tcp open  imaps


Every port is reachable from the public now. (For me at least.) Only you 
can tell if you went overboard with opening up everything.





Re: Need help with mail server configuration

2023-11-08 Thread Thomas Bohl

> Hello,
>
> I am running a Debian 12 server hosted at OVH. It's a fresh VPS, and the 
> domain I'm using for that test is ivanroth.fr, with the subdomain 
> mail.ivanroth.fr as advised in the article.
>
> DNS and rDNS seem fine, host and dig reply what they are supposed to.
>
> On the server, I created an account with my first name (ivan) and I am 
> using i...@ivanroth.fr as the test mail address.
>
>   * I cannot send a mail to myself (i...@ivanroth.fr) using mutt from
> the server
>   * I cannot send from the outside to that address
>   * I cannot send from that address using Thunderbird
>
> When looking at systemctl status opensmtpd, I see some errors I don't 
> understand like:
>
> debian opensmtpd smtp-out: No valid route for 
> [connector:[]->[relay:ivanroth.fr,smtp],0x0]


Your smtp server can't be reached by others.

$ nc -4 mail.ivanroth.fr 25

Closes immediately: Server isn't running or firewall answers with 
REJECT. It could be an iptables firewall on your VPS as well as one from 
OVH. (I don't know OVH but I do know that some VPS providers have an 
extra firewall you need to configure separately.)



$ nc -6 mail.ivanroth.fr 25
Eventually times out: IPv6 not working or a firewall is configured to 
just DROP incoming packets. (I can't even ping your IPv6 address, while 
IPv4 works.)



From all the ports (25, 465, 587, 143, 993) I have tested, only IPv4 
IMAP (143) is reachable. (Which is consistent with you saying Thunderbird 
reading works.)

$ nc -4 mail.ivanroth.fr 143
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE 
LITERAL+ STARTTLS LOGINDISABLED] Dovecot (Debian) ready.

^C




> I don't really know where to start digging. If someone could point me to 
> some direction, it would be nice.


I would first suggest getting IPv4 working and therefore temporarily 
removing the  record from mail.ivanroth.fr.
Then check what is blocking port 25. Is it your Debian firewall or your 
VPS provider.
You then most likely want to unblock port 465 or 587 for mail submission 
with Thunderbird.


If after that you still have problems, post your entire smtpd.conf please.

Last step. Fix IPv6.



Need help with mail server configuration

2023-11-08 Thread ivan

Hi,

This is my first mail server installation attempt and I need help 
locating and fixing one or several issues.


I followed Gilles's post here: 
https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/


I am running a Debian 12 server hosted at OVH. It's a fresh VPS, and the 
domain I'm using for that test is ivanroth.fr, with the subdomain 
mail.ivanroth.fr as advised in the article.


DNS and rDNS seem fine, host and dig reply what they are supposed to.

On the server, I created an account with my first name (ivan) and I am 
using i...@ivanroth.fr as the test mail address.


Now comes the issue.

 * I can send mail from local server to the outside using mutt (and
   having it configured to use the Maildir folder).
 * I can access my server from Thunderbird, reading folders (the Sent
   folder gets populated correctly)
 * I can receive local mail sent from system (I was not in the sudoers
   file and got the mail addressed to root because root is aliased to
   ivan in the aliases file)

but

 * I cannot send a mail to myself (i...@ivanroth.fr) using mutt from
   the server
 * I cannot send from the outside to that address
 * I cannot send from that address using Thunderbird

When looking at systemctl status opensmtpd, I see some errors I don't 
understand like:


debian opensmtpd smtp-out: No valid route for 
[connector:[]->[relay:ivanroth.fr,smtp],0x0]


I don't really know where to start digging. If someone could point me to 
some direction, it would be nice.


Let me just say that I'm not a server administration noob (not a pro at 
all but I'm pretty used to web server administration) but, for some 
reason, the mail issue remains completely obscure to me. Please show me 
the light :)


Ivan


Re: need help with honeypot

2023-11-02 Thread kasak
Mon, 23 Oct 2023 at 09:11, kasak :
>
> Fri, 20 Oct 2023 at 19:52, Юрий Иванов :
> >
> > Sorry for off top...
> > ...but thanks for your OpenBSD PF book Peter :-)
> > 
> > From: kasak 
> > Sent: 20 October 2023 8:48
> > To: Peter N. M. Hansteen 
> > Cc: misc@opensmtpd.org 
> > Subject: Re: need help with honeypot
> >
> > Thu, 19 Oct 2023 at 19:52, Peter N. M. Hansteen :
> > >
> > > On Thu, Oct 19, 2023 at 09:05:56AM +0300, kasak wrote:
> > > > In traps file I have list of spoiled addresses for example 
> > > > aa...@tvema.ru
> > > > But mail is not accepted :(
> > >
> > > This sounds like you are more or less trying to imitate the greytrapping
> > > feature of OpenBSD spamd.
> >
> > Yes, it is something similar, but not quite. I have no need of
> > greytrapping, I want to teach rspamd.
> > Hope I can do this without spamd.
> >
> > > You might want to read this article of mine (gosh, it's been 11 years)
> > > and links therein for inspiration: 
> > > https://bsdly.blogspot.com/2012/05/in-name-of-sane-email-setting-up-spamd.html
> > > (also newly available trackerless but with even uglier formatting as 
> > > https://nxdomain.no/~peter/in_the_name_of_sane_email.html),
> > > assuming, as usual, that your system runs OpenBSD (also applicable with
> > > minor adjustments on FreeBSD or NetBSD)
> > >
> > > - Peter
> > >
> > > --
> > > Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> > > https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
> > > "Remember to set the evil bit on all malicious network traffic"
> > > delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
> >
>
> I did some experiments here, and it looks like this is not a "match"
> problem, this is an "action" problem.
> If I change action "trap" to some real delivery method, it works.
> So, I need to fix it with rspamc somehow.

If anyone is interested, I have figured out how to do what I wanted to do.

Here is a howto:
First, collect spoiled email addresses into some list, for example
/etc/mail/traps.
Second, we must map these addresses to some local user, because
otherwise, smtpd will not know where to put them.
To do this, we must make another table, mapping all addresses to the
_rspamd user.
You can do this with a simple sed pattern:
cat /etc/mail/traps | sed 's/$/ _rspamd/' > /etc/mail/virtualtraps
Now we have two tables, traps for matching and virtualtraps for action.

Add something like this to smtpd.conf:

table traps file:/etc/mail/traps
table virtualtraps file:/etc/mail/virtualtraps

action "trap" mda "/usr/local/bin/rspamc -f 1 -w 10 fuzzy_add" virtual


match from any for rcpt-to  action "trap"


The match directive should be placed above the main domain match.
And voila!
You can monitor teaching with grep:
grep -F -f /etc/mail/traps /var/log/maillog
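A worked version of the howto above, added here as an example and not part of kasak's message: it builds the virtualtraps mapping (what the sed one-liner does, plus skipping comments and rejecting malformed lines), writes out the smtpd.conf fragment with the table references the list archive stripped (assumed to be `<traps>` and `<virtualtraps>`), and replaces the grep monitoring with a parser of OpenSMTPD "smtp envelope" log lines so only envelope recipients count as hits. The traps file and log lines are constructed samples; the _rspamd user follows the howto.

```python
import re

# Assumptions (not from the thread): the mda action runs as this user, and the
# traps file and maillog excerpt below are constructed, not from kasak's server.
LOCAL_USER = "_rspamd"
ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# OpenSMTPD "smtp envelope" lines carry the envelope sender and recipient.
ENVELOPE_RE = re.compile(
    r"smtp envelope evpid=(?P<evpid>[0-9a-f]+) from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)>"
)


def load_traps(text):
    """Parse the traps file: one address per line; blank lines and '#' comments
    are skipped, addresses are lower-cased and de-duplicated, and anything that
    is not an address is reported instead of silently landing in the table
    (a malformed entry would simply never match an RCPT TO lookup)."""
    traps, bad, seen = [], [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not ADDR_RE.match(line):
            bad.append(line)
            continue
        addr = line.lower()
        if addr not in seen:
            seen.add(addr)
            traps.append(addr)
    return traps, bad


def virtual_table(traps, user=LOCAL_USER):
    """Same output as kasak's `sed 's/$/ _rspamd/'`: every trap address is
    mapped to one local user so smtpd accepts the recipient and runs the mda."""
    return "".join(f"{addr} {user}\n" for addr in traps)


def smtpd_fragment(traps_path, vtraps_path):
    """The smtpd.conf lines from the howto, with the table references written
    out (assumed: <traps> for matching, <virtualtraps> for the virtual mapping)."""
    return (
        f"table traps file:{traps_path}\n"
        f"table virtualtraps file:{vtraps_path}\n"
        'action "trap" mda "/usr/local/bin/rspamc -f 1 -w 10 fuzzy_add" '
        "virtual <virtualtraps>\n"
        'match from any for rcpt-to <traps> action "trap"\n'
    )


def trap_hits(traps, log_lines):
    """The monitoring step (grep -F -f traps maillog) done on parsed fields:
    only the envelope recipient is compared, so a trap address that merely
    appears elsewhere in a log line is not counted. Returns {trap: [sender, ...]}."""
    trapset = set(traps)
    hits = {}
    for line in log_lines:
        m = ENVELOPE_RE.search(line)
        if m and m.group("to").lower() in trapset:
            hits.setdefault(m.group("to").lower(), []).append(m.group("from"))
    return hits


# Constructed sample input (addresses and log lines are made up).
TRAPS_FILE = """\
# harvested addresses (constructed sample)
aaron@tvema.test
Old-Sales@tvema.test
aaron@tvema.test
this is not an address
"""

MAILLOG = """\
Oct 16 14:28:38 gater smtpd[11899]: 55daaef921ae98d5 smtp envelope evpid=b9e2ff2c5a1938f6 from=<bulk@spammer.test> to=<aaron@tvema.test>
Oct 16 14:28:40 gater smtpd[11899]: 55daaef921ae98d6 smtp envelope evpid=b9e2ff2c5a1938f7 from=<boss@tvema.test> to=<ceo@tvema.test>
Oct 16 14:29:02 gater smtpd[11899]: 55daaef921ae98d7 smtp envelope evpid=b9e2ff2c5a1938f8 from=<promo@other.test> to=<Old-Sales@tvema.test>
Oct 16 14:29:03 gater smtpd[11899]: 55daaef921ae98d7 smtp message msgid=b9e2ff2c size=1040 nrcpt=1 proto=ESMTP
"""

if __name__ == "__main__":
    traps, bad = load_traps(TRAPS_FILE)
    print(virtual_table(traps), end="")
    print(smtpd_fragment("/etc/mail/traps", "/etc/mail/virtualtraps"), end="")
    for trap, senders in trap_hits(traps, MAILLOG.splitlines()).items():
        print(f"{trap}: {len(senders)} hit(s) from {', '.join(senders)}")
    if bad:
        print("rejected lines:", bad)
```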



Re: need help with rcpt-to (was: need help with honeypot)

2023-10-31 Thread kasak
Mon, 23 Oct 2023 at 22:30, kasak :
>
> I'm sorry to bother you again, but it seems that I made a trap for myself.
>
> I spent a couple of hours changing configs and comparing smtpd behavior.
> It looks like the rcpt-to condition works and does not work simultaneously.
>
> For now I have simplified my config to contain these strings:
>
> action "trap" maildir "/home/kasak/spam"
> match from any for rcpt-to "aa...@tvema.ru" action "trap"
>
> and again I'm stuck on: smtp failed-command command="RCPT
> TO: ORCPT=rfc822;aa...@tvema.ru" result="550 Invalid
> recipient: "
>
> So, it actually knows about aa...@tvema.ru, because otherwise, the
> next line "for domain tvema.ru" should work (and it works on other
> recipients)
>
> simultaneously, it counts aa...@tvema.ru as an invalid recipient.
>
> please help me, how should it be used?

I found the solution! This has not worked because I have no local user
for "aa...@tvema.ru"
So, I added a virtual table with mapping aa...@tvema.ru to the local
user and now everything is fine!



need help with rcpt-to (was: need help with honeypot)

2023-10-23 Thread kasak
I'm sorry to bother you again, but it seems that I made a trap for myself.

I spent a couple of hours changing configs and comparing smtpd behavior.
It looks like the rcpt-to condition works and does not work simultaneously.

For now I have simplified my config to contain these strings:

action "trap" maildir "/home/kasak/spam"
match from any for rcpt-to "aa...@tvema.ru" action "trap"

and again I'm stuck on: smtp failed-command command="RCPT
TO: ORCPT=rfc822;aa...@tvema.ru" result="550 Invalid
recipient: "

So, it actually knows about aa...@tvema.ru, because otherwise, the
next line "for domain tvema.ru" should work (and it works on other
recipients)

simultaneously, it counts aa...@tvema.ru as an invalid recipient.

please help me, how should it be used?



Re: need help with honeypot

2023-10-23 Thread kasak
Fri, 20 Oct 2023 at 19:52, Юрий Иванов :
>
> Sorry for off top...
> ...but thanks for your OpenBSD PF book Peter :-)
> 
> From: kasak 
> Sent: 20 October 2023 8:48
> To: Peter N. M. Hansteen 
> Cc: misc@opensmtpd.org 
> Subject: Re: need help with honeypot
>
> Thu, 19 Oct 2023 at 19:52, Peter N. M. Hansteen :
> >
> > On Thu, Oct 19, 2023 at 09:05:56AM +0300, kasak wrote:
> > > In traps file I have list of spoiled addresses for example aa...@tvema.ru
> > > But mail is not accepted :(
> >
> > This sounds like you are more or less trying to imitate the greytrapping
> > feature of OpenBSD spamd.
>
> Yes, it is something similar, but not quite. I have no need of
> greytrapping, I want to teach rspamd.
> Hope I can do this without spamd.
>
> > You might want to read this article of mine (gosh, it's been 11 years)
> > and links therein for inspiration: 
> > https://bsdly.blogspot.com/2012/05/in-name-of-sane-email-setting-up-spamd.html
> > (also newly available trackerless but with even uglier formatting as 
> > https://nxdomain.no/~peter/in_the_name_of_sane_email.html),
> > assuming, as usual, that your system runs OpenBSD (also applicable with
> > minor adjustments on FreeBSD or NetBSD)
> >
> > - Peter
> >
> > --
> > Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> > https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
> > "Remember to set the evil bit on all malicious network traffic"
> > delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>

I did some experiments here, and it looks like this is not a "match"
problem, this is an "action" problem.
If I change action "trap" to some real delivery method, it works.
So, I need to fix it with rspamc somehow.



RE: need help with honeypot

2023-10-20 Thread Юрий Иванов
Sorry for off top...
...but thanks for your OpenBSD PF book Peter :-)

From: kasak 
Sent: 20 October 2023 8:48
To: Peter N. M. Hansteen 
Cc: misc@opensmtpd.org 
Subject: Re: need help with honeypot

Thu, 19 Oct 2023 at 19:52, Peter N. M. Hansteen :
>
> On Thu, Oct 19, 2023 at 09:05:56AM +0300, kasak wrote:
> > In traps file I have list of spoiled addresses for example aa...@tvema.ru
> > But mail is not accepted :(
>
> This sounds like you are more or less trying to imitate the greytrapping
> feature of OpenBSD spamd.

Yes, it is something similar, but not quite. I have no need of
greytrapping, I want to teach rspamd.
Hope I can do this without spamd.

> You might want to read this article of mine (gosh, it's been 11 years)
> and links therein for inspiration: 
> https://bsdly.blogspot.com/2012/05/in-name-of-sane-email-setting-up-spamd.html
> (also newly available trackerless but with even uglier formatting as 
> https://nxdomain.no/~peter/in_the_name_of_sane_email.html),
> assuming, as usual, that your system runs OpenBSD (also applicable with
> minor adjustments on FreeBSD or NetBSD)
>
> - Peter
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: need help with honeypot

2023-10-19 Thread kasak
Thu, 19 Oct 2023 at 19:52, Peter N. M. Hansteen :
>
> On Thu, Oct 19, 2023 at 09:05:56AM +0300, kasak wrote:
> > In traps file I have list of spoiled addresses for example aa...@tvema.ru
> > But mail is not accepted :(
>
> This sounds like you are more or less trying to imitate the greytrapping
> feature of OpenBSD spamd.

Yes, it is something similar, but not quite. I have no need of
greytrapping, I want to teach rspamd.
Hope I can do this without spamd.

> You might want to read this article of mine (gosh, it's been 11 years)
> and links therein for inspiration: 
> https://bsdly.blogspot.com/2012/05/in-name-of-sane-email-setting-up-spamd.html
> (also newly available trackerless but with even uglier formatting as 
> https://nxdomain.no/~peter/in_the_name_of_sane_email.html),
> assuming, as usual, that your system runs OpenBSD (also applicable with
> minor adjustments on FreeBSD or NetBSD)
>
> - Peter
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: need help with honeypot

2023-10-19 Thread Peter N. M. Hansteen
On Thu, Oct 19, 2023 at 09:05:56AM +0300, kasak wrote:
> In traps file I have list of spoiled addresses for example aa...@tvema.ru
> But mail is not accepted :(

This sounds like you are more or less trying to imitate the greytrapping
feature of OpenBSD spamd.

You might want to read this article of mine (gosh, it's been 11 years)
and links therein for inspiration: 
https://bsdly.blogspot.com/2012/05/in-name-of-sane-email-setting-up-spamd.html
(also newly available trackerless but with even uglier formatting as 
https://nxdomain.no/~peter/in_the_name_of_sane_email.html),
assuming, as usual, that your system runs OpenBSD (also applicable with
minor adjustments on FreeBSD or NetBSD)

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



need help with honeypot

2023-10-19 Thread kasak
hello misc! I'm not able to fix my problem myself and I need some help!

I want to create a honeypot on my relay, and here is my conf (I have
cropped the pki lines):

filter "rspamd" proc-exec "filter-rspamd"
table mailer { 172.16.0.25 }

table aliases file:/etc/mail/aliases

table honeypot file:/etc/mail/traps

listen on socket
listen on lo0
listen on egress tls pki tvema.ru hostname tvema.ru filter rspamd ciphers compat
listen on 172.16.0.1 tls pki gater filter rspamd

action "local_mail" mbox alias 
action "outbound" relay helo tvema.ru

action "tomailer" relay host 172.16.0.25 tls no-verify
action "trap" mda "/usr/local/bin/rspamc -f 1 -w 10 fuzzy_add"

match from local for local action "local_mail"

match ! from src  for rcpt-to  action "trap"
match from any for domain "tvema.ru" action "tomailer"

match from src  for any action "outbound"
match from local for any action "outbound"

In traps file I have list of spoiled addresses for example aa...@tvema.ru
But mail is not accepted :(

Oct 16 14:28:38 gater smtpd[11899]: 55daaef921ae98d5 smtp
failed-command command="RCPT TO:" result="550 Invalid
recipient: "

This mail did not originate from "src mailer" and it looks like the match
rule actually works, because otherwise it would be delivered to
"tomailer".
Now, what am I missing?



Re: need help to solve route loop

2021-08-10 Thread Илья Коскин
Great! Thanks for clarifying! Now I see!
Thank you very much!

Tue, 10 Aug 2021 at 18:53, Thomas Bohl :
>
> Hello,
>
> > action "outbound" relay
> >
> > action "tomailer" relay host 172.16.2.5
> >
> > match from local for local action "local_mail"
> > match from local for any action "outbound"
> >
> > match from any for domain "mydomain.here" action "tomailer"
> > match from src  for any action "outbound"
>
> The line "match from local for any action "outbound"" comes before
> "match from any for domain "mydomain.here" action "tomailer"".
>
> Therefore, locally sent mails to "mydomain.here" go straight to relay,
> instead of 172.16.2.5. Relay uses the public MX record and lands on itself.
>
>
> > looks like this is a message from mailer-daemon with subject: Message
> > accepted for delivery
>
> "Message accepted" is not a mail subject. It just says that the
> receiving server accepted the mail.
>



Re: need help to solve route loop

2021-08-10 Thread Thomas Bohl

Hello,

> action "outbound" relay
>
> action "tomailer" relay host 172.16.2.5
>
> match from local for local action "local_mail"
> match from local for any action "outbound"
>
> match from any for domain "mydomain.here" action "tomailer"
> match from src  for any action "outbound"


The line "match from local for any action "outbound"" comes before 
"match from any for domain "mydomain.here" action "tomailer"".


Therefore, locally sent mails to "mydomain.here" go straight to relay, 
instead of 172.16.2.5. Relay uses the public MX record and lands on itself.




> looks like this is a message from mailer-daemon with subject: Message
> accepted for delivery


"Message accepted" is not a mail subject. It just says that the 
receiving server accepted the mail.
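To see the ordering problem Thomas describes in code, here is an added example (not from the thread) that models OpenSMTPD's first-match walk over the posted match block. It is a simplification: LOCAL_DOMAINS is an assumption about what "for local" covers on this host, the FIXED list is the reordering the explanation implies rather than something quoted from the thread, and an omitted "from" is treated as "from local", which is also the point made in the ivanroth.fr thread above.

```python
from dataclasses import dataclass

LOCAL_DOMAINS = {"gater", "localhost"}   # assumption: what "for local" resolves to here
MAILER = frozenset({"172.16.2.5"})        # table mailer { 172.16.2.5 } from the thread


@dataclass
class Envelope:
    source: str        # "local" for the local enqueuer/loopback, otherwise the peer IP
    rcpt_domain: str   # domain part of the RCPT TO address


@dataclass
class Rule:
    action: str
    src: object = "local"   # an omitted "from" means "from local" (smtpd.conf(5))
    dst: object = "any"     # "local", "any" or ("domain", name)
    negate_src: bool = False


def from_matches(rule, env):
    if rule.src == "any":
        ok = True
    elif rule.src == "local":
        ok = env.source == "local"
    else:                         # a table of source addresses, e.g. <mailer>
        ok = env.source in rule.src
    return not ok if rule.negate_src else ok


def for_matches(rule, env):
    if rule.dst == "any":
        return True
    if rule.dst == "local":
        return env.rcpt_domain in LOCAL_DOMAINS
    return env.rcpt_domain == rule.dst[1]


def route(rules, env):
    """Walk the rules top to bottom; the first one whose from/for both match
    wins. None means no rule accepted the recipient (smtpd answers 550)."""
    for index, rule in enumerate(rules):
        if from_matches(rule, env) and for_matches(rule, env):
            return index, rule.action
    return None


def trace(rules, env):
    """Per-rule verdicts (action, from matched, for matched), for reading a
    ruleset the way smtpd evaluates it."""
    return [(r.action, from_matches(r, env), for_matches(r, env)) for r in rules]


# The match block exactly as posted in the thread, in the posted order.
POSTED = [
    Rule("local_mail", src="local", dst="local"),
    Rule("outbound", src="local", dst="any"),
    Rule("tomailer", src="any", dst=("domain", "mydomain.here")),
    Rule("outbound", src=MAILER, dst="any"),
]
# The reordering Thomas's explanation implies: the domain rule must come
# before the catch-all "from local for any" (assumed fix, not quoted from the thread).
FIXED = [POSTED[0], POSTED[2], POSTED[1], POSTED[3]]

if __name__ == "__main__":
    local_to_mydomain = Envelope("local", "mydomain.here")
    print("posted order:", route(POSTED, local_to_mydomain))   # (1, 'outbound')
    print("fixed order: ", route(FIXED, local_to_mydomain))    # (1, 'tomailer')
    for verdict in trace(POSTED, local_to_mydomain):
        print("  ", verdict)
```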




need help to solve route loop

2021-08-10 Thread Илья Коскин
hello misc!
I need to configure opensmtpd to be a relay between the local mail server and the world.
Here is my conf:

pki gater cert "/etc/ssl/local.crt"
pki gater key "/etc/ssl/private/local.key"

filter "rspamd" proc-exec "filter-rspamd"
table mailer { 172.16.2.5 }

table aliases file:/etc/mail/aliases

listen on lo0
listen on egress tls pki tvema.ru hostname tvema.ru filter rspamd
listen on 172.16.0.1 tls pki gater filter rspamd

action "local_mail" mbox alias 
action "outbound" relay

action "tomailer" relay host 172.16.2.5

match from local for local action "local_mail"
match from local for any action "outbound"

match from any for domain "mydomain.here" action "tomailer"
match from src  for any action "outbound"

It mostly works, but sometimes the server itself wants to send mail to
users, and we have a loop:


Aug 10 16:33:12 gater smtpd[40569]: 33eeb7f6e2a67883 smtp message
msgid=b9e2ff2c size=1068255 nrcpt=1 proto=ESMTP
Aug 10 16:33:12 gater smtpd[40569]: 33eeb7f6e2a67883 smtp envelope
evpid=b9e2ff2c5a1938f6 from=<> to=
Aug 10 16:33:12 gater smtpd[40569]: 33eeb7f51e906746 mta delivery
evpid=cbb10abbe054c669 from=<> to= rcpt=<->
source="my.ip.he.re" relay="my.ip.he.re (mydomain.here)" delay=4s
result="Ok" stat="250 2.0.0 b9e2ff2c Message accepted for delivery"
Aug 10 16:33:14 gater smtpd[40569]: 33eeb7f6e2a67883 smtp message
msgid=70bc8e71 size=1069024 nrcpt=1 proto=ESMTP
Aug 10 16:33:14 gater smtpd[40569]: 33eeb7f6e2a67883 smtp envelope
evpid=70bc8e71318648d7 from=<> to=
Aug 10 16:33:14 gater smtpd[40569]: 33eeb7f51e906746 mta delivery
evpid=b9e2ff2c5a1938f6 from=<> to= rcpt=<->
source="my.ip.he.re" relay="my.ip.he.re (mydomain.here)" delay=3s
result="Ok" stat="250 2.0.0 70bc8e71 Message accepted for delivery"
Aug 10 16:33:16 gater smtpd[40569]: 33eeb7f6e2a67883 smtp message
msgid=16202305 size=1069793 nrcpt=1 proto=ESMTP
Aug 10 16:33:16 gater smtpd[40569]: 33eeb7f6e2a67883 smtp envelope
evpid=162023051dae4938 from=<> to=
Aug 10 16:33:16 gater smtpd[40569]: 33eeb7f51e906746 mta delivery
evpid=70bc8e71318648d7 from=<> to= rcpt=<->
source="my.ip.he.re" relay="my.ip.he.re (mydomain.here)" delay=3s
result="Ok" stat="250 2.0.0 16202305 Message accepted for delivery"
Aug 10 16:33:18 gater smtpd[40569]: warn: loop detected
Aug 10 16:33:18 gater smtpd[40569]: 33eeb7f6e2a67883 smtp
failed-command command="DATA" result="500 5.4.6 Routing loop detected:
Loop detected"
Aug 10 16:33:18 gater smtpd[40569]: 33eeb7f51e906746 mta delivery
evpid=162023051dae4938 from=<> to= rcpt=<->
source="my.ip.he.re" relay="my.ip.he.re (mydomain.here)" delay=3s
result="PermFail" stat="500 5.4.6 Routing loop detected: Loop
detected"
Aug 10 16:33:18 gater smtpd[50493]: warn: queue: no return path!
Aug 10 16:33:28 gater smtpd[40569]: 33eeb7f6e2a67883 smtp disconnected
reason=quit
Aug 10 16:33:28 gater smtpd[40569]: 33eeb7f51e906746 mta disconnected
reason=quit messages=98

looks like this is a message from mailer-daemon with subject: Message
accepted for delivery
How can I solve such type of loops?
Thanks in advance



Re: need help

2019-10-05 Thread Andrew Swartz

I've been lurking on this list for a long time but I've never posted.

I've attached a perl program I threw together a couple of years ago which 
does recursive SPF resolution.  This might help your debugging.


For this type of testing, pass it a domain on STDIN:
echo 'gmail.com' | spf2ip.pl

I use it to create a daily whitelist of frequent domain IPs.  I use it 
by calling it with a filename argument. It reads the file which has a 
domain on each line, iterates through all the domains, recursively 
resolving each, and creating a long list of all the SPF IPs of all the 
domains in the file.


In default mode, it adds enough comments to explain how it generates the 
results.  For example, here is the output of the above command:


# echo 'gmail.com' | spf2ip.pl

#
# gmail.com
#
#  [REDIRECT=] _spf.google.com (depth=1)
#  [INCLUDE:] _netblocks.google.com (depth=2)
35.190.247.0/24
64.233.160.0/19
66.102.0.0/20
66.249.80.0/20
72.14.192.0/18
74.125.0.0/16
108.177.8.0/21
173.194.0.0/16
209.85.128.0/17
216.58.192.0/19
216.239.32.0/19
#  [INCLUDE:] _netblocks2.google.com (depth=2)
#  [INCLUDE:] _netblocks3.google.com (depth=2)
172.217.0.0/19
172.217.32.0/20
172.217.128.0/19
172.217.160.0/20
172.217.192.0/19
108.177.96.0/19
35.191.0.0/16
130.211.0.0/22




SPF resolution of "microsoft.com" returns 76 IPs.

Adding a "-d" argument will output a lot more debug info, whereas "-q" 
suppresses any debug info and only outputs IPs.  The header of the perl 
file does some explanation, but it was only intended for me to read, so 
it is not a super thorough explanation.


And yes, it looks like a stereotypical perl program (ugly, quick, and 
functional).


Hope this helps,
-Andy







On 9/30/2019 7:21 AM, gil...@poolp.org wrote:
> September 30, 2019 4:25 PM, "Denis Fondras"  wrote:
>
> > On Mon, Sep 30, 2019 at 01:55:28PM +, gil...@poolp.org wrote:
> >
> > > Hello,
> > >
> > > I'd like to bring native support for SPF in OpenSMTPD in a future release,
> > > but for this I need a bit of help to make sure my SPF resolver works fine.
> > >
> > > I have created a repository with a standalone executable that performs the
> > > SPF lookup and checks if an IP address is allowed to send on behalf of the
> > > sending domain:
> > >
> > > https://github.com/poolpOrg/spf
> > > https://github.com/poolpOrg/spf/blob/master/README.md
> > >
> > > If you could test and report issues, it would be nice,
> >
> > It seems the IPv6 check is broken:
> >
> > $ dig ledeuns.net TXT +short
> > "v=spf1 ip4:185.22.129.11 ip6:2a00:6060:1::1 ip6:2a00:6060:::1005:ff02 -all"
> >
> > $ ./spf ledeuns.net 185.22.129.1
> > checking if 185.22.129.1 can send for ledeuns.net: fail
> > $ ./spf ledeuns.net 185.22.129.11
> > checking if 185.22.129.11 can send for ledeuns.net: pass
> > $ ./spf ledeuns.net 2a00:6060:1::1
> > checking if 2a00:6060:1::1 can send for ledeuns.net: fail
>
> will fix that, thanks



#!/usr/bin/perl

# PURPOSE/FUNCTION
# This program performs recursive DNS lookups of spf records (which are in TXT records)
# and keeps recursing until numeric addresses are reached.  Tested with IP4,
# but the regex's ~should~ function with IP6 addresses.

# INPUT
# filename: text file, one domain per line, # and blank lines ignored.
# STDIN: list of one or more domains to lookup

# OUTPUT
# single numeric address per line
# recursive comments will be included if ($DomainNameComments == 1)

# DEPENDENCIES:
# 1. PERL installed at the above target.
# 2. 'dig' command.

# ASSUMPTIONS:
# 1. This program DOES do recursive spf resolution (i.e. a reverse lookup of
#    ALL spf-authorized sending IP's.)
# 2. This program does NOT do forward MX resolutions (i.e. lookup of where to
#    send mail).

use strict;
use warnings;
use Switch;

# Global variable which is the final product.
my @IPlist;
my $DomainNameComments = 1;
my @DomainNames;

my $ARGERROR = 0;
# The HASH for the command line settings (i.e. arguments).
my %settings = (
    '-q' => 0,   # "quiet" which suppresses comments in output.
    '-d' => 0,   # "debug" which adds debug info to the output.
);
# Iterate through the args, confirming accuracy and making settings.
foreach my $arg (@ARGV) {
    if (exists $settings{$arg}) {
        $settings{$arg} = 1;
    }
    else {
        print "\'$arg\' is invalid argument!\n";
        $ARGERROR++;
    }
}
# Exit (non-zero) if any invalid arguments.
if ($ARGERROR) { exit 1; }


# Read domain names from STDIN (one or more whitespace-separated domains per line).
foreach my $line (<STDIN>) {
    chomp( $line );
    foreach my $arg (split(' ', $line)) {
        push(@DomainNames, $arg);
    }
}

# (The remainder of the script, the recursive resolver itself, is not reproduced
#  in this archive page.)

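The two tools discussed in this thread do related but different jobs: spf2ip.pl flattens a domain's SPF to the list of networks it authorizes, and gilles's spf executable decides whether one IP may send for a domain. The following Python module is an added example, not Andy's script nor the poolpOrg/spf code, that does both on top of one parser. The resolver is injected (lookup(name, rtype) returns a list of record strings) and ZONE is constructed test data under .test names, not live DNS, so the block runs offline; its records copy the shapes from the thread: plain ip4/ip6 terms, "mx", an include whose record ends in ~all (the outlook.com and gmail.com cases, where a miss inside the include falls through to the outer record), redirect=, and a self-including loop. It also enforces the RFC 7208 limit of ten DNS-causing terms, which is what stops a loop from recursing forever. ptr and exists are deliberately reported as permerror rather than implemented.

```python
# Minimal SPF (RFC 7208) checker and flattener.  lookup(name, rtype) -> list[str] is injected;
# ZONE is constructed test data (not live DNS) whose shapes copy the cases in this thread.
import ipaddress

MAX_DNS_LOOKUPS = 10  # RFC 7208 4.6.4: include/a/mx/ptr/exists/redirect terms per evaluation
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
ZONE = {
    "ledeuns.test": {"TXT": ["v=spf1 ip4:185.22.129.11 ip6:2a00:6060:1::1 -all"]},
    "carnat.test": {"TXT": ["v=spf1 mx -all"], "MX": ["carnat.test"], "A": ["108.61.176.54"]},
    "webmail.test": {"TXT": ["v=spf1 include:spf-a.webmail.test ip4:157.55.9.128/25 ~all"]},
    "spf-a.webmail.test": {"TXT": ["v=spf1 ip4:65.54.190.0/24 ~all"]},
    "gmail.test": {"TXT": ["v=spf1 redirect=_spf.gmail.test"]},
    "_spf.gmail.test": {"TXT": ["v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ~all"]},
    "loop.test": {"TXT": ["v=spf1 include:loop.test -all"]},  # only the lookup limit ends this
}

def zone_lookup(name, rtype):
    return list(ZONE.get(name.lower().rstrip("."), {}).get(rtype, []))

class SPFError(Exception):
    """Conditions RFC 7208 classifies as permerror."""

def get_spf_record(domain, lookup, required=False):
    recs = [r for r in lookup(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    if len(recs) > 1 or (required and not recs):  # include/redirect targets must have one
        raise SPFError(f"{domain}: {len(recs)} SPF records")
    return recs[0] if recs else None

def parse_record(record):
    """'v=spf1 ...' -> ([(qualifier, mechanism, argument, cidr)], {modifier: value})."""
    mechs, mods = [], {}
    for tok in record.split()[1:]:
        if "=" in tok:  # modifiers: redirect=, exp=, ...
            name, val = tok.split("=", 1)
            mods[name.lower()] = val
            continue
        qual, tok = (tok[0], tok[1:]) if tok[0] in QUALIFIER else ("+", tok)
        mech, _, arg = tok.partition(":")
        mech, _, cidr = mech.partition("/")  # "a/24", "mx/24"
        if mech.lower() in ("a", "mx") and "/" in arg:  # "a:host.example/24"
            arg, _, cidr = arg.partition("/")
        mechs.append((qual, mech.lower(), arg, cidr))
    if "redirect" in mods:  # acts like a trailing include whose result is taken verbatim
        mechs.append(("+", "redirect", mods["redirect"], ""))
    return mechs, mods

def _spend(budget):
    budget[0] -= 1
    if budget[0] < 0:
        raise SPFError("DNS lookup limit exceeded")  # this is also what stops include loops

def _host_networks(mech, arg, cidr, domain, lookup, budget):
    """Networks behind an a/mx term, widened by its CIDR (dual form "24//64" = v4//v6)."""
    _spend(budget)
    target = arg or domain
    hosts = lookup(target, "MX") if mech == "mx" else [target]
    cidr4, _, cidr6 = cidr.partition("//")
    addrs = [ipaddress.ip_address(x) for h in hosts for x in lookup(h, "A") + lookup(h, "AAAA")]
    plen = lambda a: (cidr4 if a.version == 4 else cidr6) or a.max_prefixlen
    return [ipaddress.ip_network(f"{a}/{plen(a)}", strict=False) for a in addrs]

def _check(ip, domain, lookup, budget, nested=False):
    record = get_spf_record(domain, lookup, required=nested)
    if record is None:
        return "none"
    for qual, mech, arg, cidr in parse_record(record)[0]:
        if mech in ("all", "ip4", "ip6"):  # an IPv4 address is never inside an IPv6 network
            matched = mech == "all" or ip in ipaddress.ip_network(arg, strict=False)
        elif mech in ("include", "redirect"):
            _spend(budget)
            inner = _check(ip, arg, lookup, budget, nested=True)
            if mech == "redirect":
                return inner
            matched = inner == "pass"  # include matches only on an inner "pass"
        elif mech in ("a", "mx"):
            matched = any(ip in n for n in _host_networks(mech, arg, cidr, domain, lookup, budget))
        else:  # ptr (deprecated) and exists (needs macro expansion) are not implemented
            raise SPFError(f"unsupported mechanism {mech}")
        if matched:
            return QUALIFIER[qual]
    return "neutral"  # record ended without an "all" term

def evaluate(ip, domain, lookup=zone_lookup):  # -> pass/fail/softfail/neutral/none/permerror
    try:
        return _check(ipaddress.ip_address(ip), domain, lookup, [MAX_DNS_LOOKUPS])
    except (SPFError, ValueError):
        return "permerror"

def walk(domain, lookup=zone_lookup, budget=None):  # '+' networks the SPF authorizes
    budget, nets = budget or [MAX_DNS_LOOKUPS], []
    mechs = parse_record(get_spf_record(domain, lookup) or "v=spf1")[0]
    for _, mech, arg, cidr in (t for t in mechs if t[0] == "+"):
        if mech in ("ip4", "ip6"):
            nets.append(str(ipaddress.ip_network(arg, strict=False)))
        elif mech in ("include", "redirect"):
            _spend(budget)
            nets.extend(walk(arg, lookup, budget))
        elif mech in ("a", "mx"):
            nets.extend(str(n) for n in _host_networks(mech, arg, cidr, domain, lookup, budget))
    return list(dict.fromkeys(nets))  # dedupe, keep first-seen order
```

evaluate("2a00:6060:1::1", "ledeuns.test") returns "pass" because an IPv6 address is compared only against ip6 networks (the ip4 term before it simply does not match), and evaluate("65.54.190.5", "webmail.test") returns "pass" because the include matches on the inner record's pass even though both records end in ~all. Replace zone_lookup with a function that queries real DNS to use this against live records; walk raises SPFError, rather than looping, when a domain's tree needs more than ten lookups.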
Re: need help

2019-09-30 Thread gilles
September 30, 2019 4:25 PM, "Denis Fondras"  wrote:

> On Mon, Sep 30, 2019 at 01:55:28PM +, gil...@poolp.org wrote:
> 
>> Hello,
>> 
>> I'd like to bring native support for SPF in OpenSMTPD in a future release,
>> but for this I need a bit of help to make sure my SPF resolver works fine.
>> 
>> I have created a repository with a standalone executable that performs the
>> SPF lookup and checks if an IP address is allowed to send on behalf of the
>> sending domain:
>> 
>> https://github.com/poolpOrg/spf
>> 
>> https://github.com/poolpOrg/spf/blob/master/README.md
>> 
>> If you could test and report issues, it would be nice,
> 
> It seems IPv6 check is broken :
> 
> $ dig ledeuns.net TXT +short
> "v=spf1 ip4:185.22.129.11 ip6:2a00:6060:1::1 ip6:2a00:6060:::1005:ff02 
> -all"
> 
> $ ./spf ledeuns.net 185.22.129.1
> checking if 185.22.129.1 can send for ledeuns.net: fail
> $ ./spf ledeuns.net 185.22.129.11
> checking if 185.22.129.11 can send for ledeuns.net: pass
> $ ./spf ledeuns.net 2a00:6060:1::1
> checking if 2a00:6060:1::1 can send for ledeuns.net: fail


will fix that, thanks



Re: need help

2019-09-30 Thread gilles
September 30, 2019 4:51 PM, "Joel Carnat"  wrote:

> Le 30/09/2019 15:55, gil...@poolp.org a écrit :
> 
>> Hello,
>> I'd like to bring native support for SPF in OpenSMTPD in a future > release,
>> but for this I need a bit of help to make sure my SPF resolver works > fine.
>> I have created a repository with a standalone executable that performs > the
>> SPF lookup and checks if an IP address is allowed to send on behalf of > the
>> sending domain:
>> https://github.com/poolpOrg/spf
>> https://github.com/poolpOrg/spf/blob/master/README.md
>>> If you could test and report issues, it would be nice,
> 
> As much as I can understand it, recursion seems not to work.
> 
> Working example:
> # dig -t TXT carnat.net
> carnat.net. 14314 IN TXT "v=spf1 mx -all"
> # ./spf carnat.net 108.61.176.54
> checking if 108.61.176.54 can send for carnat.net: pass
> # ./spf carnat.net 157.55.9.128
> checking if 157.55.9.128 can send for carnat.net: fail
> 
> Not fully working example:
> # dig -t TXT outlook.com
> outlook.com. 600 IN TXT "v=spf1 include:spf-a.outlook.com 
> include:spf-b.outlook.com
> ip4:157.55.9.128/25 include:spf.protection.outlook.com 
> include:spf-a.hotmail.com
> include:_spf-ssg-b.microsoft.com include:_spf-ssg-c.microsoft.com ~all"
> # ./spf outlook.com 157.55.9.128
> checking if 157.55.9.128 can send for outlook.com: EXISTS: 0
> EXISTS: 0
> pass
> 
> # dig -t TXT spf-a.hotmail.com
> spf-a.hotmail.com. 3600 IN TXT "v=spf1 ip4:157.55.0.192/26 
> ip4:157.55.1.128/26 ip4:157.55.2.0/25
> ip4:65.54.190.0/24 ip4:65.54.51.64/26 ip4:65.54.61.64/26 ip4:65.55.111.0/24 
> ip4:65.55.116.0/25
> ip4:65.55.34.0/24 ip4:65.55.90.0/24 ip4:65.54.241.0/24 ip4:207.46.117.0/24 
> ~all"
> # ./spf outlook.com 65.54.190.5
> checking if 65.54.190.5 can send for outlook.com: EXISTS: 0
> EXISTS: 0
> EXISTS: 0
> EXISTS: 0
> EXISTS: 0
> EXISTS: 0
> soft-fail

I'll look into that, I thought I had handled this case already but I may have 
missed something



Re: need help

2019-09-30 Thread gilles
I'll investigate that, but spfwalk isn't a real SPF resolver and may
yield incorrect results; it just helps a bit.


September 30, 2019 4:27 PM, "Nick Ryan"  wrote:

> Seems to work fine for some hosts but not gmail.com or outlook.com
> 
> mail3$ smtpctl spf walk < 1 (this is gmail.com)
> 35.190.247.0/24
> 64.233.160.0/19
> 
> mail3$ ./spf gmail.com 35.190.247.3 <- in the output of spfwalk
> checking if 35.190.247.3 can send for gmail.com: EXISTS: 0
> EXISTS: 0
> EXISTS: 0
> soft-fail
> 
> mail3$ ./spf gmail.com 185.185.185.185 <- made up address
> checking if 185.185.185.185 can send for gmail.com: EXISTS: 0
> EXISTS: 0
> EXISTS: 0
> soft-fail
> 
> mail3$ ./spf poolp.org 45.76.46.201
> checking if 45.76.46.201 can send for poolp.org: pass
> mail3$ ./spf poolp.org 45.76.46.202
> checking if 45.76.46.202 can send for poolp.org: fail
> 
> Regards - Nick
> 
> On 30/09/2019 14:55, gil...@poolp.org wrote:
> 
>> Hello,
>> I'd like to bring native support for SPF in OpenSMTPD in a future > release,
>> but for this I need a bit of help to make sure my SPF resolver works > fine.
>> I have created a repository with a standalone executable that performs > the
>> SPF lookup and checks if an IP address is allowed to send on behalf of > the
>> sending domain:
>> https://github.com/poolpOrg/spf
>> https://github.com/poolpOrg/spf/blob/master/README.md
>>> If you could test and report issues, it would be nice,



Re: need help

2019-09-30 Thread gilles
yup

September 30, 2019 4:23 PM, "Chris Bennett"  
wrote:

> ./spf no-seas-necio.ninja 162.255.139.10: pass
> ./spf no-seas-necio.ninja 162.255.139.11: soft-fail
> 
> Which matches my spf entry. v=spf1 mx ~all.
> Is that the correct response?
> 
> Chris Bennett



Re: need help

2019-09-30 Thread gilles
Yes, this is debug code which I don't want to spend time making portable ;-)


September 30, 2019 4:10 PM, "Reio Remma"  wrote:

> On 30/09/2019 16:55, gil...@poolp.org wrote:
> 
>> Hello,
>> 
>> I'd like to bring native support for SPF in OpenSMTPD in a future release,
>> but for this I need a bit of help to make sure my SPF resolver works fine.
>> 
>> I have created a repository with a standalone executable that performs the
>> SPF lookup and checks if an IP address is allowed to send on behalf of the
>> sending domain:
>> 
>> https://github.com/poolpOrg/spf
>> 
>> https://github.com/poolpOrg/spf/blob/master/README.md
>> 
>> If you could test and report issues, it would be nice,
> 
> Is it OpenBSD only atm?
> 
> On CentOS 7:
> 
> $ make
> Makefile:26: *** missing separator.  Stop.
> 
> Reio



Re: need help

2019-09-30 Thread Denis Fondras
On Mon, Sep 30, 2019 at 01:55:28PM +, gil...@poolp.org wrote:
> Hello,
> 
> I'd like to bring native support for SPF in OpenSMTPD in a future release,
> but for this I need a bit of help to make sure my SPF resolver works fine.
> 
> I have created a repository with a standalone executable that performs the
> SPF lookup and checks if an IP address is allowed to send on behalf of the
> sending domain:
> 
> https://github.com/poolpOrg/spf
> 
> https://github.com/poolpOrg/spf/blob/master/README.md
> 
> 
> If you could test and report issues, it would be nice,
> 

It seems IPv6 check is broken :

$ dig  ledeuns.net TXT +short
"v=spf1 ip4:185.22.129.11 ip6:2a00:6060:1::1 ip6:2a00:6060:::1005:ff02 -all"

$ ./spf ledeuns.net 185.22.129.1
checking if 185.22.129.1 can send for ledeuns.net: fail
$ ./spf ledeuns.net 185.22.129.11
checking if 185.22.129.11 can send for ledeuns.net: pass
$ ./spf ledeuns.net 2a00:6060:1::1
checking if 2a00:6060:1::1 can send for ledeuns.net: fail



Re: need help

2019-09-30 Thread Joel Carnat

Le 30/09/2019 15:55, gil...@poolp.org a écrit :

Hello,

I'd like to bring native support for SPF in OpenSMTPD in a future 
release,
but for this I need a bit of help to make sure my SPF resolver works 
fine.


I have created a repository with a standalone executable that performs 
the
SPF lookup and checks if an IP address is allowed to send on behalf of 
the

sending domain:

https://github.com/poolpOrg/spf

https://github.com/poolpOrg/spf/blob/master/README.md


If you could test and report issues, it would be nice,


As much as I can understand it, recursion seems not to work.

Working example:
# dig -t TXT carnat.net
carnat.net. 14314   IN  TXT "v=spf1 mx -all"
# ./spf carnat.net 108.61.176.54
checking if 108.61.176.54 can send for carnat.net: pass
# ./spf carnat.net 157.55.9.128
checking if 157.55.9.128 can send for carnat.net: fail

Not fully working example:
# dig -t TXT outlook.com
outlook.com.600 IN  TXT "v=spf1 
include:spf-a.outlook.com include:spf-b.outlook.com ip4:157.55.9.128/25 
include:spf.protection.outlook.com include:spf-a.hotmail.com 
include:_spf-ssg-b.microsoft.com include:_spf-ssg-c.microsoft.com ~all"

# ./spf outlook.com 157.55.9.128
checking if 157.55.9.128 can send for outlook.com: EXISTS: 0
EXISTS: 0
pass

# dig -t TXT spf-a.hotmail.com
spf-a.hotmail.com.  3600IN  TXT "v=spf1 
ip4:157.55.0.192/26 ip4:157.55.1.128/26 ip4:157.55.2.0/25 
ip4:65.54.190.0/24 ip4:65.54.51.64/26 ip4:65.54.61.64/26 
ip4:65.55.111.0/24 ip4:65.55.116.0/25 ip4:65.55.34.0/24 
ip4:65.55.90.0/24 ip4:65.54.241.0/24 ip4:207.46.117.0/24 ~all"

# ./spf outlook.com 65.54.190.5
checking if 65.54.190.5 can send for outlook.com: EXISTS: 0
EXISTS: 0
EXISTS: 0
EXISTS: 0
EXISTS: 0
EXISTS: 0
soft-fail



Re: need help

2019-09-30 Thread Nick Ryan

Seems to work fine for some hosts but not gmail.com or outlook.com

mail3$ smtpctl spf walk < 1   (this is gmail.com)
35.190.247.0/24
64.233.160.0/19

mail3$ ./spf gmail.com 35.190.247.3   <- in the output of spfwalk
checking if 35.190.247.3 can send for gmail.com: EXISTS: 0
EXISTS: 0
EXISTS: 0
soft-fail

mail3$ ./spf gmail.com 185.185.185.185 <- made up address
checking if 185.185.185.185 can send for gmail.com: EXISTS: 0
EXISTS: 0
EXISTS: 0
soft-fail

mail3$ ./spf poolp.org 45.76.46.201
checking if 45.76.46.201 can send for poolp.org: pass
mail3$ ./spf poolp.org 45.76.46.202
checking if 45.76.46.202 can send for poolp.org: fail

Regards - Nick

On 30/09/2019 14:55, gil...@poolp.org wrote:

Hello,

I'd like to bring native support for SPF in OpenSMTPD in a future 
release,
but for this I need a bit of help to make sure my SPF resolver works 
fine.


I have created a repository with a standalone executable that performs 
the
SPF lookup and checks if an IP address is allowed to send on behalf of 
the

sending domain:

https://github.com/poolpOrg/spf

https://github.com/poolpOrg/spf/blob/master/README.md


If you could test and report issues, it would be nice,




Re: need help

2019-09-30 Thread Chris Bennett
./spf no-seas-necio.ninja 162.255.139.10: pass
./spf no-seas-necio.ninja 162.255.139.11: soft-fail

Which matches my spf entry. v=spf1 mx ~all.
Is that the correct response?

Chris Bennett





Re: need help

2019-09-30 Thread Edgar Pettijohn

On Sep 30, 2019 9:10 AM, Reio Remma  wrote:
>
> On 30/09/2019 16:55, gil...@poolp.org wrote:
> > Hello,
> >
> > I'd like to bring native support for SPF in OpenSMTPD in a future release,
> > but for this I need a bit of help to make sure my SPF resolver works fine.
> >
> > I have created a repository with a standalone executable that performs the
> > SPF lookup and checks if an IP address is allowed to send on behalf of the
> > sending domain:
> >
> > https://github.com/poolpOrg/spf
> >
> > https://github.com/poolpOrg/spf/blob/master/README.md
> >
> >
> > If you could test and report issues, it would be nice,
> >
>
> Is it OpenBSD only atm?
>
> On CentOS 7:
>
> $ make
> Makefile:26: *** missing separator.  Stop.
>
> Reio
>
>

Looking at the makefile. My guess is yes, but you could try bmake and see if it 
gets further.

Edgar

Re: need help

2019-09-30 Thread Reio Remma

On 30/09/2019 16:55, gil...@poolp.org wrote:

Hello,

I'd like to bring native support for SPF in OpenSMTPD in a future release,
but for this I need a bit of help to make sure my SPF resolver works fine.

I have created a repository with a standalone executable that performs the
SPF lookup and checks if an IP address is allowed to send on behalf of the
sending domain:

https://github.com/poolpOrg/spf

https://github.com/poolpOrg/spf/blob/master/README.md


If you could test and report issues, it would be nice,



Is it OpenBSD only atm?

On CentOS 7:

$ make
Makefile:26: *** missing separator.  Stop.

Reio




need help

2019-09-30 Thread gilles
Hello,

I'd like to bring native support for SPF in OpenSMTPD in a future release,
but for this I need a bit of help to make sure my SPF resolver works fine.

I have created a repository with a standalone executable that performs the
SPF lookup and checks if an IP address is allowed to send on behalf of the
sending domain:

https://github.com/poolpOrg/spf

https://github.com/poolpOrg/spf/blob/master/README.md


If you could test and report issues, it would be nice,



Re: need help to understand the logic of new grammar

2018-10-31 Thread Илья Коскин
I'll try to answer myself.
As I see it, the options "from local" and "for local" are the defaults, and can
be omitted?
So, the first match can be cut to
match action "mbox" ??
My first question I have understood: if "from local" is the default,
then it will not work without "from any".
The second question was about "from any" in the 4th match. I see, if I try
to send email, I connect to egress, so this is not local, and will not
work. Also I can't use "from "
And in the third match, mails from the DKIM proxy come to lo0, so they are
processed as local and the rule can be extended to:
match from local tag DKIM for any action "relay" Am I right?

So the last question: can I limit mta to inet4 only?

Wed, 31 Oct 2018 at 15:04, Илья Коскин :

> Hello list! Please look at my match-action definitions:
>
> action "mbox" mbox alias 
> action "mda" mda "/usr/local/bin/procmail" alias 
> action "relay" relay
> action "relay_dkim" relay host smtp://127.0.0.1:10027
>
> match for local action "mbox"
> match from any for domain  action "mda"#2nd match
> match tag DKIM for any action "relay"   #3rd match
> match auth from any for any action "relay_dkim"  #4th match
>
> I have some questions about matches.
> 1) If I remove "from any" in the second match, smtpd will not accept any
> mail from internet. Why?
> 2) In the 4th match, again, without "from any" I can't send mail to
> anywhere. How can I know where I need to use "from any" and where I don't?
> For example, the 3rd match works without "from any".
> 3) Is this config composed securely and correctly?
> Maybe it is an option to use
> match auth from  for any action "relay_dkim" ?
> If this works, it can partially help to prevent spamming from compromised
> users.
>
> Also, is there any way to limit mta sending only from ipv4?
>
> Thanks!
>
>


need help to understand the logic of new grammar

2018-10-31 Thread Илья Коскин
Hello list! Please look at my match-action definitions:

action "mbox" mbox alias 
action "mda" mda "/usr/local/bin/procmail" alias 
action "relay" relay
action "relay_dkim" relay host smtp://127.0.0.1:10027

match for local action "mbox"
match from any for domain  action "mda"#2nd match
match tag DKIM for any action "relay"   #3rd match
match auth from any for any action "relay_dkim"  #4th match

I have some questions about matches.
1) If I remove "from any" in the second match, smtpd will not accept any
mail from internet. Why?
2) In the 4th match, again, without "from any" I can't send mail to
anywhere. How can I know where I need to use "from any" and where I don't?
For example, the 3rd match works without "from any".
3) Is this config composed securely and correctly?
Maybe it is an option to use
match auth from  for any action "relay_dkim" ?
If this works, it can partially help to prevent spamming from compromised
users.

Also, is there any way to limit mta sending only from ipv4?

Thanks!


Need help for LDAP + smtpd

2018-02-24 Thread Thuban
Hello,
I would like to build a server with smtpd+dovecot with LDAP auth.

Does anyone have any advice or up-to-date docs on how to do this?
I only found [1], which is for 5.7, so I guess things have changed.

Regards.

[1] : 
https://www.tumfatig.net/20150718/opensmtpd-dovecot-and-ldapd-on-openbsd-5-7/#How_OpenSMTPD_works_with_LDAP_data
-- 
thuban




Re: Need help with configuration using DNS aliases

2016-02-12 Thread Edgar Pettijohn
Yes it can. However, 

By default, when connecting to a remote server, smtpd(8) advertises its default 
server name. A hostname parameter may be specified to advertise the alternate 
hostname name. If the source parameter is used, the hostnames parameter may be 
specified to advertise a hostname based on the source address. Table names 
contains a mapping of IP addresses to hostnames and smtpd(8) will automatically 
select the name that matches its source address when connected to the remote 
server. The hostname and hostnames parameters are mutually exclusive.

You need separate IPs for hostname selection in relay context.

Sent from my iPhone

> On Feb 12, 2016, at 5:08 PM, Michael Burk  wrote:
> 
> After some experimentation I think I can compress this problem down to one 
> question:
> 
> Is it possible for an OpenSMTPD host to process email addressed to two 
> different host names, both of which resolve to the same address?
> 
> When I set "mailname," any mail sent to that name works fine. Mail addressed 
> to the alternate host name loops.
> 
> I thought the "virtual" keyword would be for this purpose, but I've had no 
> luck with it.
> 
> Thanks,
> 
>> On Tue, Feb 9, 2016 at 10:44 AM, Michael Burk  wrote:
>> Thanks Craig for the reply.
>> 
>> I changed the CNAME to an A record as you suggested. Sadly, it still loops 
>> when I send the email to the "alternate" name. It seems that OpenSMTPD 
>> doesn't realize that the two names are the same server.
>> 
>> I should mention that the whole reason we have an alias is that I have two 
>> servers setup as mail servers, and the alias gives us an easy way to switch 
>> hosts if one goes down (all mail is addressed to the alias). Also, I have no 
>> MX records. I don't know if I should, but Sendmail has always worked without 
>> it.
>> 
>>> On Tue, Feb 9, 2016 at 4:42 AM, Craig Skinner  
>>> wrote:
>>> Hi Michael,
>>> 
>>> On 2016-02-08 Mon 16:49 PM |, Michael Burk wrote:
>>> >
>>> > If I send a message to the server's CNAME, it goes into a loop which is
>>> > eventually detected and shut down:
>>> >
>>> 
>>> Try switching from DNS CNAMES to DNS A records:
>>> 
>>> RFC2181 has:
>>> 
>>> "10.3. MX and NS records
>>> 
>>> The domain name used as the value of a NS resource record, or part of
>>> the value of a MX resource record must not be an alias.  Not only is the
>>> specification clear on this point, but using an alias in either of these
>>> positions neither works as well as might be hoped, nor well fulfills the
>>> ambition that may have led to this approach.  This domain name must have
>>> as its value one or more address records.  Currently those will be A
>>> records, however in the future other record types giving addressing
>>> information may be acceptable.  It can also have other RRs,
>>> but never a CNAME RR. "
>>> 
>>> http://tools.ietf.org/html/rfc2181#section-10.3
>>> 
>>> --
>>> You received this mail because you are subscribed to misc@opensmtpd.org
>>> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
> 


Re: Need help with configuration using DNS aliases

2016-02-12 Thread Michael Burk
After some experimentation I think I can compress this problem down to one
question:

Is it possible for an OpenSMTPD host to process email addressed to two
different host names, both of which resolve to the same address?

When I set "mailname," any mail sent to that name works fine. Mail
addressed to the alternate host name loops.

I thought the "virtual" keyword would be for this purpose, but I've had no
luck with it.

Thanks,

On Tue, Feb 9, 2016 at 10:44 AM, Michael Burk  wrote:

> Thanks Craig for the reply.
>
> I changed the CNAME to an A record as you suggested. Sadly, it still loops
> when I send the email to the "alternate" name. It seems that OpenSMTPD
> doesn't realize that the two names are the same server.
>
> I should mention that the whole reason we have an alias is that I have two
> servers setup as mail servers, and the alias gives us an easy way to switch
> hosts if one goes down (all mail is addressed to the alias). Also, I have
> no MX records. I don't know if I should, but Sendmail has always worked
> without it.
>
> On Tue, Feb 9, 2016 at 4:42 AM, Craig Skinner 
> wrote:
>
>> Hi Michael,
>>
>> On 2016-02-08 Mon 16:49 PM |, Michael Burk wrote:
>> >
>> > If I send a message to the server's CNAME, it goes into a loop which is
>> > eventually detected and shut down:
>> >
>>
>> Try switching from DNS CNAMES to DNS A records:
>>
>> RFC2181 has:
>>
>> "10.3. MX and NS records
>>
>> The domain name used as the value of a NS resource record, or part of
>> the value of a MX resource record must not be an alias.  Not only is the
>> specification clear on this point, but using an alias in either of these
>> positions neither works as well as might be hoped, nor well fulfills the
>> ambition that may have led to this approach.  This domain name must have
>> as its value one or more address records.  Currently those will be A
>> records, however in the future other record types giving addressing
>> information may be acceptable.  It can also have other RRs,
>> but never a CNAME RR. "
>>
>> http://tools.ietf.org/html/rfc2181#section-10.3
>>
>>
>>
>


Need help with configuration using DNS aliases

2016-02-08 Thread Michael Burk
Hello,


We have a departmental server that serves as a simple mail hub mostly to
keep track of internal mailing lists. The /etc/mail/aliases file expands
names to our corporate emails or things like mail-SMS gateways. We've used
sendmail for years, but I want to switch to OpenSMTPD.

The following configuration works fine as long as I use the server's actual
name in the destination:


listen on lo0
listen on em0

table aliases db:/etc/mail/aliases.db

pki selenium.abc.example.com certificate "/etc/ssl/selenium.pem"
pki selenium.abc.example.com key "/etc/ssl/private/selenium.key"
pki selenium.abc.example.com ca "/etc/ssl/abcchain2.pem"

accept for local alias  deliver to mbox
accept from any for any relay


Example successful session (translates my first name to my corporate email
address):

Feb  8 16:12:17 selenium smtpd[30548]: smtp-in: New session
4b0dece7604e2ab4 from host ytterbium.abc.example.com[10.1.217.70]
Feb  8 16:12:17 selenium smtpd[30548]: smtp-in: Accepted message a4d2ba61
on session 4b0dece7604e2ab4: from=, to=<
mich...@selenium.abc.example.com>, size=488, ndest=1, proto=ESMTP
Feb  8 16:12:17 selenium smtpd[30548]: smtp-in: Closing session
4b0dece7604e2ab4
Feb  8 16:12:17 selenium smtpd[30548]: smtp-out: Connecting to smtp+tls://
10.1.217.34:25 (selenium.abc.example.com) on session 4b0decea9465f088...
Feb  8 16:12:17 selenium smtpd[30548]: smtp-out: Connected on session
4b0decea9465f088
Feb  8 16:12:17 selenium smtpd[30548]: smtp-in: New session
4b0deceb7185e55e from host selenium.abc.example.com[10.1.217.34]
Feb  8 16:12:17 selenium smtpd[30548]: smtp-in: Accepted message 63dd05ac
on session 4b0deceb7185e55e: from=, to=<
mich...@selenium.abc.example.com>, size=719, ndest=1, proto=ESMTP
Feb  8 16:12:17 selenium smtpd[30548]: relay: Ok for a4d2ba611f5d69f3:
session=4b0decea9465f088, from=, to=<
mich...@selenium.abc.example.com>, rcpt=<->, source=10.1.217.34,
relay=10.1.217.34 (selenium.abc.example.com), delay=0s, stat=250 2.0.0:
63dd05ac Message accepted for delivery
Feb  8 16:12:17 selenium smtpd[30548]: smtp-out: Connecting to smtp+tls://
10.2.33.34:25 (mailhost.example.com) on session 4b0deceed4ae1a78...
Feb  8 16:12:17 selenium smtpd[30548]: smtp-out: Connected on session
4b0deceed4ae1a78
Feb  8 16:12:17 selenium smtpd[30548]: smtp-out: Started TLS on session
4b0deceed4ae1a78: version=TLSv1/SSLv3, cipher=DHE-RSA-AES256-SHA, bits=256
Feb  8 16:12:17 selenium smtpd[30548]: smtp-out: Server certificate
verification succeeded on session 4b0deceed4ae1a78
Feb  8 16:12:17 selenium smtpd[30548]: relay: Ok for 63dd05ac3126ba1f:
session=4b0deceed4ae1a78, from=, to=<
michael.b...@example.com>, rcpt=,
source=10.1.217.34, relay=10.2.33.34 (mailhost.example.com), delay=0s,
stat=250 2.0.0 Ok: queued as AC2FBCA1FE
Feb  8 16:12:27 selenium smtpd[30548]: smtp-in: Closing session
4b0deceb7185e55e
Feb  8 16:12:27 selenium smtpd[30548]: smtp-out: Closing session
4b0decea9465f088: 1 message sent.
Feb  8 16:12:27 selenium smtpd[30548]: smtp-out: Closing session
4b0deceed4ae1a78: 1 message sent.


If I send a message to the server's CNAME, it goes into a loop which is
eventually detected and shut down:

...
Feb  8 16:14:17 selenium smtpd[30548]: warn: loop detected
Feb  8 16:14:17 selenium smtpd[30548]: smtp-in: Failed command on session
4b0decf39bd54111: "DATA" => 500 5.4.6 Routing loop detected: Loop detected
Feb  8 16:14:17 selenium smtpd[30548]: relay: PermFail for
63bffc06b4c44cec: session=4b0decf2a712e432, from=<
bu...@ytterbium.abc.example.com>, to=,
rcpt=<->, source=10.1.217.34, relay=10.1.217.34 (selenium.abc.example.com),
delay=1s, stat=500 5.4.6 Routing loop detected: Loop detected
Feb  8 16:14:18 selenium smtpd[30548]: smtp-in: New session
4b0decf71e1730a5 from host selenium.abc.example.com [local]
Feb  8 16:14:18 selenium smtpd[30548]: smtp-in: Accepted message 293cbf9d
on session 4b0decf71e1730a5: from=<>, to=,
size=23050, ndest=1, proto=ESMTP
Feb  8 16:14:18 selenium smtpd[30548]: smtp-in: Closing session
4b0decf71e1730a5
Feb  8 16:14:27 selenium smtpd[30548]: smtp-in: Closing session
4b0decf39bd54111
Feb  8 16:14:27 selenium smtpd[30548]: smtp-out: Closing session
4b0decf2a712e432: 98 messages sent.
Feb  8 16:14:45 selenium smtpd[30548]: smtp-out: Error on session
4b0decf6733a5e76: IO Error: No route to host
Feb  8 16:14:45 selenium smtpd[30548]: smtp-out: Disabling route [] <->
10.1.217.70 (ytterbium.abc.example.com) for 800s
Feb  8 16:14:45 selenium smtpd[30548]: smtp-out: No valid route for
[connector:[]->[relay:ytterbium.abc.example.com],0x0]
Feb  8 16:14:51 selenium smtpd[30548]: relay: TempFail for
195cd84d2faa71d4: session=, from=<>, to=<
bu...@ytterbium.abc.example.com>, rcpt=<->, source=-, relay=
ytterbium.abc.example.com, delay=8m1s, stat=Network 

Re: relay from notebook not working (need help with configuration)

2015-09-10 Thread Jiri Navratil
On Wed, Sep 09, 2015 at 07:37:13PM +0200, Marcus MERIGHI wrote:
> j...@navratil.cz (Jiri Navratil), 2015.09.08 (Tue) 08:24 (CEST):
> > I wish to use on my notebook to deliver emails via relay to my server
> > regardless of location and Internet connection.
> > 
> > on notebook I have
> > 
> > accept from local for any relay via tls+auth://user@myserver auth
> > 
> 
> table relayauth { username= "passphrase" }
> accept for any relay via tls+auth://usern...@msa.domain.tld:587 auth \
>   <relayauth>
> 
> > on server I have
> > 
> > listen on egress tls pki myserver auth-optional
> > listen on egress port submission tls-require pki myserver auth
> 
> pki host.domain.tld certificate "/etc/ssl/tld.domain.host.crt"
> pki host.domain.tld key "/etc/ssl/private/tld.domain.host.key"
> listen on egress port submission tls pki host.domain.tld auth tag msa
> 
> Bye, Max
> 
> > !DSPAM:55ee7f4a22061658913436!
> 


Thank you Max for your help.

It's working now. I had to add the 587 port and change the format of relayauth.

I propose adjusting smtpd.conf(5) for these changes:

- add 587 port to example of accept for ...
- adjust secrets table format, as this one has been reported by smtpd -v as
  wrong (the created secrets.db)
   # echo "label username:password" > /etc/mail/secrets

next to it 
- /etc/rc.d/smtpd start  reported OK, but smtpd -v reported problem with
  secrets.db

next to it
- $ doas smtpctl resume mta 
is still reporting
command failed

Please let me know, if I can help debug it more.

Best regards,
Jiri

-- 
Jiri Navratil, http://kouc.navratil.cz, +420 222 767 131





Re: relay from notebook not working (need help with configuration)

2015-09-09 Thread Marcus MERIGHI
j...@navratil.cz (Jiri Navratil), 2015.09.08 (Tue) 08:24 (CEST):
> I wish to use on my notebook to deliver emails via relay to my server
> regardless of location and Internet connection.
> 
> on notebook I have
> 
> accept from local for any relay via tls+auth://user@myserver auth
> 

table relayauth { username= "passphrase" }
accept for any relay via tls+auth://usern...@msa.domain.tld:587 auth \
  <relayauth>

> on server I have
> 
> listen on egress tls pki myserver auth-optional
> listen on egress port submission tls-require pki myserver auth

pki host.domain.tld certificate "/etc/ssl/tld.domain.host.crt"
pki host.domain.tld key "/etc/ssl/private/tld.domain.host.key"
listen on egress port submission tls pki host.domain.tld auth tag msa

Bye, Max

> !DSPAM:55ee7f4a22061658913436!




relay from notebook not working (need help with configuration)

2015-09-08 Thread Jiri Navratil
Hello,

I wish to use on my notebook to deliver emails via relay to my server
regardless of location and Internet connection.

on notebook I have

:
accept from local for any relay via tls+auth://user@myserver auth 
:

on server I have

:
listen on egress tls pki myserver auth-optional
listen on egress port submission tls-require pki myserver auth


I tested it from my LAN and it worked.

Today I wrote a few emails while commuting. After connecting to the network, I'm not
able to deliver.

doas smtpctl show queue
reported firstly something about not resolved MX address

after
doas smtpctl schedule all 
5 envelopes scheduled

I'm getting
Network error on destination MXs

doas smtpctl resume mta 
command failed

In log I see
Sep  8 07:56:45 mynotebook smtpd[19575]: smtp-out: Error on session 
97f00336911384e4: TLS required but not supported by remote host

I'm using OpenBSD -current on notebook
OpenSMTPD 5.4.4

and OpenBSD 5.8 GENERIC.MP#1137 amd64 from snapshot on server
OpenSMTPD 5.4.4

Please
- is my configuration correct?
- shall I somehow debug the "command failed" output from smtpctl resume mta?
- is this approach (idea) of delivering emails this way correct?

Thank you,
Jiri

-- 
Jiri Navratil, http://kouc.navratil.cz, +420 222 767 131

