Re: need help with honeypot
Thu, 2 Nov 2023 at 09:51, kasak:
>
> Mon, 23 Oct 2023 at 09:11, kasak:
> > [...]
> > I did some experiment here, and it looks like this is not a "match"
> > problem, this is an "action" problem.
> > If I change action "trap" to some real delivery method, it works.
> > So, I need to fix it with rspamc somehow.
>
> If someone is interested, I have figured out how to do what I wanted to do.
>
> Here is the howto:
> At first, collect spoiled email addresses into some list, for example
> /etc/mail/traps.
> Second, we must map these addresses to some local user, because
> otherwise smtpd will not know where to put them.
> To do this, we must make another table, mapping all addresses to the
> _rspamd user.
> You can do this with a simple sed pattern:
>
> cat /etc/mail/traps | sed 's/$/ _rspamd/' > /etc/mail/virtualtraps
>
> Now we have two tables, traps for matching and virtualtraps for action.
>
> Add something like this to smtpd.conf:
>
> table traps file:/etc/mail/traps
> table virtualtraps file:/etc/mail/virtualtraps
>
> action "trap" mda "/usr/local/bin/rspamc -f 1 -w 10 fuzzy_add" virtual <virtualtraps>
>
> match from any for rcpt-to <traps> action "trap"
>
> The match directive should be placed above the main domain match.
> And voila!
> You can monitor teaching with grep:
>
> grep -F -f /etc/mail/traps /var/log/maillog

Folks, I just suddenly discovered that rspamd has a module to achieve
exactly this functionality:

https://rspamd.com/doc/modules/spamtrap.html

I already tested it and it works like a charm! How did I not notice it
before?
Re: Need help with mail server configuration
> I received it (even in Thunderbird)! May I ask how did you do that? I
> tried so many ways today but none worked...

I clicked "New Message" in Thunderbird, entered your email and hit send. :-)

> Have you tried sending from your nogafam.eu address?
>
> telnet mail.ivanroth.fr 25 times out, same for nc -4 mail.ivanroth.fr 25
> mail command sends no error but no message is received.

Too little information to help. I don't know what you entered, nor what the
corresponding service logs were.

What I would do at this stage is run smtpd in the foreground with verbose
output, to see it live reacting to inputs: "smtpd -dvvv"

> I changed the smtpd.conf to listen to 465:
>
> -listen on 0.0.0.0 tls pki mail.ivanroth.fr filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
> -listen on 0.0.0.0 port submission tls-require pki mail.ivanroth.fr auth filter rspamd
> +listen on 0.0.0.0 port 25 tls pki mail.ivanroth.fr filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
> +listen on 0.0.0.0 port 465 smtps pki mail.ivanroth.fr auth filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
> +listen on 0.0.0.0 port submission tls-require pki mail.ivanroth.fr auth filter rspamd
>
> does this look good to you?

You have two different filter sets for 465 and 587. Both ports are for
you/your users to send mail (aka with Thunderbird), so I wouldn't use
check_dyndns/etc. for 465. All public mail will be over 25.

Also, you aren't forcing the right hostname. Did you change the computer's
hostname instead?

> When restarting the opensmtpd service, I noticed the following warnings:
>
> warn: invalid envelope e84235315f00364e: unknown dispatcher
> warn: invalid envelope b6797a98aad69976: unknown dispatcher
>
> what do they mean?

You have two mails in the queue that can't be sent/delivered. Happens when
you have an unfinished config and are testing around.

"smtpctl show queue"
"smtpctl remove e84235315f00364e"
"smtpctl remove b6797a98aad69976"
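Review bot: the new port 465 listener applies the connect-phase filters (check_dyndns, check_rdns, check_fcrdns, senderscore) to a port that only your own authenticated clients will use, while the port 587 line right below uses only `filter rspamd`; a user submitting from a DSL or dynamic IP, or from a host without forward-confirmed rDNS, would have their outgoing mail tagged with an X-Spam: yes header before it even leaves. Make the two submission listeners identical: `listen on 0.0.0.0 port 465 smtps pki mail.ivanroth.fr auth filter rspamd`. Neither new line carries `hostname mail.ivanroth.fr` either, so the 220 banner keeps announcing ivanroth.fr instead of mail.ivanroth.fr, the point raised elsewhere in this thread.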
Re: Need help with mail server configuration
> Hi,
>
> Thank you for your reply. I spent a couple of hours on this today with
> not much luck. Please find my replies below.
>
> > Then check what is blocking port 25. Is it your Debian firewall or
> > your VPS provider.
>
> There is no VPS provider firewall. The one I can use is disabled. I
> asked support if there were any firewall beyond mine and their answer is
> no. I should get full access to any port I may need.
> On the VPS, iptables is set to ACCEPT in every way, INPUT, OUTPUT and
> FORWARD. I added explicit ACCEPT rules for testing but did not get
> better results.

But everything looks good now, all ports are publicly reachable.
I did send you a test mail and your server accepted it. (In plaintext but
still.)
I also gave http://www.antispam-ufrj.pads.ufrj.br/test-relay.html a shot.
It reached your server. It couldn't do it the last time.

> Still, I can reach port 587 in addition to 143 but not 25 nor 465 and
> 993.

I can reach all, except for 465. But that is ok because according to your
smtpd.conf the server isn't listening on it.

> Here is my smtpd.conf:
>
> pki mail.ivanroth.fr cert "/etc/letsencrypt/live/mail.ivanroth.fr/fullchain.pem"
> pki mail.ivanroth.fr key "/etc/letsencrypt/live/mail.ivanroth.fr/privkey.pem"
>
> filter check_dyndns phase connect match rdns regex { '.*\.dyn\..*', '.*\.dsl\..*' } junk
> filter check_rdns phase connect match !rdns junk
> filter check_fcrdns phase connect match !fcrdns junk
> filter senderscore proc-exec "filter-senderscore -junkBelow 70 -slowFactor 5000"
> filter rspamd proc-exec "filter-rspamd"
>
> table aliases file:/etc/aliases
>
> listen on 0.0.0.0 tls pki mail.ivanroth.fr \
>     filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
> listen on 0.0.0.0 port submission tls-require pki mail.ivanroth.fr auth filter rspamd

Your server greets the world with

220 ivanroth.fr ESMTP OpenSMTPD

which is the wrong hostname, which leads to "opportunistic TLS failed,
downgrading to plain".

Try forcing the right hostname:

listen on 0.0.0.0 hostname mail.ivanroth.fr tls pki mail.ivanroth.fr \
    filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
listen on 0.0.0.0 port submission tls-require \
    hostname mail.ivanroth.fr pki mail.ivanroth.fr auth \
    filter rspamd

> #listen on ens3 tls pki mail.ivanroth.fr filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
> #listen on ens3 port submission tls-require pki mail.ivanroth.fr auth filter rspamd
>
> action "local_mail" maildir junk alias <aliases>
> action "outbound" relay helo mail.ivanroth.fr
>
> match from any for domain "ivanroth.fr" action "local_mail"
> match for local action "local_mail"
>
> match from any auth for any action "outbound"
> match for any action "outbound"

If I'm not mistaken, the last line is redundant. (Without a "from", "from
local" is implied, which in turn implies "auth". Which is covered by the
line "from any auth" before it.)

> $ nmap localhost
> Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-10 21:58 CET
> Nmap scan report for localhost (127.0.0.1)
> Host is up (0.00028s latency).
> Other addresses for localhost (not scanned): ::1
> Not shown: 993 closed tcp ports (conn-refused)
> PORT    STATE SERVICE
> 22/tcp  open  ssh
> 25/tcp  open  smtp
> 80/tcp  open  http
> 143/tcp open  imap
> 443/tcp open  https
> 587/tcp open  submission
> 993/tcp open  imaps

Every port is reachable from the public now. (For me at least.) Only you
can tell if you went overboard with opening up everything.
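The two diagnostics used in this thread, reading nc's behaviour (a connection that closes at once versus one that times out) and checking the name the 220 banner announces, as an added Python example; this is not code from the thread or from OpenSMTPD. It probes the usual SMTP and IMAP ports over IPv4 and IPv6, maps a connect() failure to the likely cause the way the replies above read it, and compares the SMTP greeting against the hostname that the MX record, rDNS and certificate are supposed to agree on. The default host mail.example.org is a placeholder, and the banners in the comments are constructed.

```python
"""Probe a mail server's public ports and check what it announces.
Added example; not code from this thread or from OpenSMTPD."""
import re
import socket
from typing import Dict, List, Optional, Tuple

SMTP_PORTS = (25, 465, 587)          # smtp, smtps, submission
IMAP_PORTS = (143, 993)              # imap, imaps
IMPLICIT_TLS = {465, 993}            # TLS from the first byte: no clear-text banner
GREETING = re.compile(r"^(\d{3})[ -](\S+)(?:\s.*)?$")


def parse_greeting(line: str) -> Optional[Tuple[int, str]]:
    """(reply code, announced hostname) from an SMTP banner such as
    '220 ivanroth.fr ESMTP OpenSMTPD'; None for anything else (IMAP, garbage)."""
    m = GREETING.match(line.strip())
    return (int(m.group(1)), m.group(2)) if m else None


def greeting_problems(line: str, expected_host: str) -> List[str]:
    """What is wrong with a banner, given the name MX, rDNS and certificate use."""
    parsed = parse_greeting(line)
    if parsed is None:
        return ["not an SMTP greeting: %r" % line]
    code, host = parsed
    problems = []
    if code != 220:
        problems.append("server refused the session with %d" % code)
    if host.lower() != expected_host.lower():
        problems.append("banner announces %s, expected %s" % (host, expected_host))
    return problems


def interpret_connect_error(exc: BaseException) -> str:
    """Same reading as nc in the replies above: an immediate close means no
    listener or a firewall REJECT; a timeout means packets are DROPped or,
    for IPv6, not routed at all."""
    if isinstance(exc, ConnectionRefusedError):
        return "refused: no listener, or firewall REJECT"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout: firewall DROP, or no route (IPv6 not working?)"
    if isinstance(exc, socket.gaierror):
        return "dns: no address of this family for the host"
    return "error: %s" % exc


def probe(host: str, port: int, family: int = socket.AF_INET,
          timeout: float = 5.0) -> Dict[str, str]:
    """Connect over one address family, read the first line, and classify."""
    result = {"port": str(port),
              "family": "inet6" if family == socket.AF_INET6 else "inet"}
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        if port in IMPLICIT_TLS:
            result["state"] = "open (implicit TLS; use openssl s_client for the banner)"
        else:
            first = sock.recv(512).decode("ascii", "replace").splitlines()
            result["state"] = "open"
            result["banner"] = first[0] if first else ""
    except OSError as exc:
        result["state"] = interpret_connect_error(exc)
    finally:
        sock.close()
    return result


if __name__ == "__main__":
    import sys
    # Hypothetical default host; pass the real one as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.org"
    for family in (socket.AF_INET, socket.AF_INET6):
        for port in SMTP_PORTS + IMAP_PORTS:
            r = probe(host, port, family)
            line = "%s/%s %s" % (r["family"], r["port"], r["state"])
            if port in SMTP_PORTS and "banner" in r:
                line += "  " + "; ".join(greeting_problems(r["banner"], host) or ["banner ok"])
            print(line)
```

Run it as `python3 probe.py mail.ivanroth.fr` from a host outside the VPS; a port that shows "refused" on IPv4 but "timeout" on IPv6 is exactly the split described in this thread, and a banner line reported as "announces ivanroth.fr, expected mail.ivanroth.fr" is what the `hostname` keyword on the listen line fixes.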
Re: Need help with mail server configuration
> Hello,
>
> I am running a Debian 12 server hosted at OVH. It's a fresh VPS, and the
> domain I'm using for that test is ivanroth.fr, with the subdomain
> mail.ivanroth.fr as advised in the article. DNS and rDNS seem fine, host
> and dig reply what they are supposed to.
> On the server, I created an account with my first name (ivan) and I am
> using i...@ivanroth.fr as the test mail address.
>
> * I cannot send a mail to myself (i...@ivanroth.fr) using mutt from the server
> * I cannot send from the outside to that address
> * I cannot send from that address using Thunderbird
>
> When looking at systemctl status opensmtpd, I see some errors I don't
> understand like:
>
> debian opensmtpd smtp-out: No valid route for [connector:[]->[relay:ivanroth.fr,smtp],0x0]

Your smtp server can't be reached by others.

$ nc -4 mail.ivanroth.fr 25

Closes immediately: the server isn't running or the firewall answers with
REJECT. It could be an iptables firewall on your VPS as well as one from
OVH. (I don't know OVH but I do know that some VPS providers have an extra
firewall you need to configure separately.)

$ nc -6 mail.ivanroth.fr 25

Eventually times out: IPv6 not working or a firewall is configured to just
DROP incoming packets. (I can't even ping your IPv6 address, while IPv4
works.)

From all the ports (25, 465, 587, 143, 993) I have tested, only IPv4
IMAP (143) is reachable. (Which is consistent with you saying Thunderbird
reading works.)

$ nc -4 mail.ivanroth.fr 143
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS LOGINDISABLED] Dovecot (Debian) ready.
^C

> I don't really know where to start digging. If someone could point me to
> some direction, it would be nice.

I would first suggest to get IPv4 working and therefore temporarily
removing the AAAA record from mail.ivanroth.fr. Then check what is
blocking port 25. Is it your Debian firewall or your VPS provider.

You then most likely want to unblock port 465 or 587 for mail submission
with Thunderbird.

If after that you still have problems post your entire smtpd.conf please.

Last step. Fix IPv6.
Need help with mail server configuration
Hi,

This is my first mail server installation attempt and I need help locating
and fixing one or several issues.

I followed Gilles's post here:
https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/

I am running a Debian 12 server hosted at OVH. It's a fresh VPS, and the
domain I'm using for that test is ivanroth.fr, with the subdomain
mail.ivanroth.fr as advised in the article. DNS and rDNS seem fine, host
and dig reply what they are supposed to.
On the server, I created an account with my first name (ivan) and I am
using i...@ivanroth.fr as the test mail address.

Now comes the issue.

* I can send mail from the local server to the outside using mutt (and
  having it configured to use the Maildir folder).
* I can access my server from Thunderbird, reading folders (the Sent
  folder gets populated correctly)
* I can receive local mail sent from the system (I was not in the sudoers
  file and got the mail addressed to root because root is aliased to ivan
  in the aliases file)

but

* I cannot send a mail to myself (i...@ivanroth.fr) using mutt from the server
* I cannot send from the outside to that address
* I cannot send from that address using Thunderbird

When looking at systemctl status opensmtpd, I see some errors I don't
understand like:

debian opensmtpd smtp-out: No valid route for [connector:[]->[relay:ivanroth.fr,smtp],0x0]

I don't really know where to start digging. If someone could point me to
some direction, it would be nice.

Let me just say that I'm not a server administration noob (not a pro at
all but I'm pretty used to web server administration) but, for some
reason, the mail issue remains completely obscure to me.

Please show me the light :)

Ivan
Re: need help with honeypot
Mon, 23 Oct 2023 at 09:11, kasak:
>
> Fri, 20 Oct 2023 at 19:52, Юрий Иванов:
> > [...]
>
> I did some experiment here, and it looks like this is not a "match"
> problem, this is an "action" problem.
> If I change action "trap" to some real delivery method, it works.
> So, I need to fix it with rspamc somehow.

If someone is interested, I have figured out how to do what I wanted to do.

Here is the howto:

At first, collect spoiled email addresses into some list, for example
/etc/mail/traps.

Second, we must map these addresses to some local user, because otherwise
smtpd will not know where to put them.
To do this, we must make another table, mapping all addresses to the
_rspamd user.
You can do this with a simple sed pattern:

cat /etc/mail/traps | sed 's/$/ _rspamd/' > /etc/mail/virtualtraps

Now we have two tables, traps for matching and virtualtraps for action.

Add something like this to smtpd.conf:

table traps file:/etc/mail/traps
table virtualtraps file:/etc/mail/virtualtraps

action "trap" mda "/usr/local/bin/rspamc -f 1 -w 10 fuzzy_add" virtual <virtualtraps>

match from any for rcpt-to <traps> action "trap"

The match directive should be placed above the main domain match.
And voila!

You can monitor teaching with grep:

grep -F -f /etc/mail/traps /var/log/maillog
Re: need help with rcpt-to (was: need help with honeypot)
Mon, 23 Oct 2023 at 22:30, kasak:
>
> I'm sorry to bother you again, but it seems that I made a trap for myself.
>
> I spent a couple of hours changing configs and comparing smtpd behavior.
> It looks like the rcpt-to condition works and does not work
> simultaneously.
>
> For now I have simplified my config to contain these strings:
>
> action "trap" maildir "/home/kasak/spam"
> match from any for rcpt-to "aa...@tvema.ru" action "trap"
>
> and again I'm stuck on:
>
> smtp failed-command command="RCPT TO: ORCPT=rfc822;aa...@tvema.ru" result="550 Invalid recipient: "
>
> So, it actually knows about aa...@tvema.ru, because otherwise, the next
> line "for domain tvema.ru" should work (and it works on other recipients)
>
> simultaneously, it counts aa...@tvema.ru as an invalid recipient.
>
> please help me, how should it be used?

I found the solution! This has not worked because I have no local user for
"aa...@tvema.ru".
So, I added a virtual table mapping aa...@tvema.ru to the local user and
now everything is fine!
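The howto posted in this thread (collect trap addresses, map each one to the _rspamd user through a virtual table, hand matching mail to rspamc fuzzy_add, watch maillog) and the rcpt-to fix above, as an added Python example; it is not code from the thread, from OpenSMTPD or from rspamd. It generates the virtual table from the trap list, refuses a trap address that is also a real mailbox or alias (such a collision would teach rspamd that legitimate mail is spam), counts trap hits in log lines the way the `grep -F -f` check does, writes the table atomically and asks smtpd to reload it with the documented `smtpctl update table`. Paths, the sample addresses and the log lines are constructed.

```python
"""Maintain OpenSMTPD spamtrap tables. Added example; not code from the
thread, from OpenSMTPD or from rspamd."""
import os
import re
import shutil
import subprocess
import tempfile
from typing import Iterable, List, Set

# Loose "local@domain.tld" check: enough to reject junk lines in a hand-kept list.
ADDRESS = re.compile(r"^[^\s@]+@[^\s@]+\.[^\s@]+$")


def normalise_traps(lines: Iterable[str]) -> List[str]:
    """Drop comments, blanks and malformed lines; lowercase, dedupe, sort."""
    seen: Set[str] = set()
    for raw in lines:
        addr = raw.split("#", 1)[0].strip().lower()
        if addr and ADDRESS.match(addr):
            seen.add(addr)
    return sorted(seen)


def build_virtualtraps(traps: Iterable[str], local_user: str = "_rspamd") -> List[str]:
    """Lines for the virtual table: 'address user'.

    This mapping is what makes 'match ... for rcpt-to <traps>' accept the
    recipient: with no local user to resolve to, smtpd answers RCPT TO with
    550 Invalid recipient, as seen in this thread.
    """
    return ["%s %s" % (addr, local_user) for addr in normalise_traps(traps)]


def conflicts(traps: Iterable[str], real_addresses: Iterable[str]) -> List[str]:
    """Trap addresses that are also real mailboxes or aliases.

    'rspamc -f 1 -w 10 fuzzy_add' learns everything delivered to a trap as
    spam, so a collision here would poison the fuzzy storage with real mail.
    """
    real = {a.strip().lower() for a in real_addresses}
    return [a for a in normalise_traps(traps) if a in real]


def count_trap_hits(traps: Iterable[str], log_lines: Iterable[str]) -> int:
    """Same check as 'grep -F -f /etc/mail/traps /var/log/maillog', case-insensitive."""
    needles = normalise_traps(traps)
    return sum(1 for line in log_lines if any(n in line.lower() for n in needles))


def deploy(traps_path: str, table_path: str, real_addresses: Iterable[str] = ()) -> int:
    """Rewrite the virtual table atomically and ask smtpd to reload it.

    Returns the number of trap addresses written; raises ValueError instead
    of deploying when a trap collides with a real address.
    """
    with open(traps_path) as f:
        traps = f.read().splitlines()
    bad = conflicts(traps, real_addresses)
    if bad:
        raise ValueError("trap addresses collide with real mailboxes: " + ", ".join(bad))
    lines = build_virtualtraps(traps)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(table_path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write("".join(line + "\n" for line in lines))
    os.chmod(tmp, 0o644)          # mkstemp creates 0600; tables are world-readable
    os.replace(tmp, table_path)   # readers never see a half-written file
    # File tables are read at startup; smtpd sees the new content only after
    # 'smtpctl update table <name>' or a restart. Skipped where smtpctl is
    # not installed, e.g. when trying this example on a workstation.
    if shutil.which("smtpctl"):
        subprocess.run(["smtpctl", "update", "table", "virtualtraps"], check=False)
    return len(lines)


if __name__ == "__main__":
    # Constructed sample data, not taken from the thread.
    sample_traps = ["# old addresses harvested by spammers", "Aaa@tvema.ru",
                    "bbb@tvema.ru  ", "not-an-address", "bbb@tvema.ru"]
    sample_log = [
        "Oct 16 14:28:38 gater smtpd[11899]: 55daaef921ae98d5 smtp envelope to=<aaa@tvema.ru>",
        "Oct 16 14:29:01 gater smtpd[11899]: 55daaef921ae98d6 smtp envelope to=<carol@tvema.ru>",
    ]
    print("\n".join(build_virtualtraps(sample_traps)))
    print("conflicts:", conflicts(sample_traps, ["postmaster@tvema.ru", "bbb@tvema.ru"]))
    print("trap hits in sample log:", count_trap_hits(sample_traps, sample_log))
```

In production you would call `deploy("/etc/mail/traps", "/etc/mail/virtualtraps", real_addresses)` from the same cron job that refreshes the trap list, passing the addresses from your aliases and virtual-user tables as `real_addresses` so a trap can never shadow a mailbox that still receives legitimate mail.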
need help with rcpt-to (was: need help with honeypot)
I'm sorry to bother you again, but it seems that I made a trap for myself.

I spent a couple of hours changing configs and comparing smtpd behavior.
It looks like the rcpt-to condition works and does not work simultaneously.

For now I have simplified my config to contain these strings:

action "trap" maildir "/home/kasak/spam"
match from any for rcpt-to "aa...@tvema.ru" action "trap"

and again I'm stuck on:

smtp failed-command command="RCPT TO: ORCPT=rfc822;aa...@tvema.ru" result="550 Invalid recipient: "

So, it actually knows about aa...@tvema.ru, because otherwise, the next
line "for domain tvema.ru" should work (and it works on other recipients)

simultaneously, it counts aa...@tvema.ru as an invalid recipient.

please help me, how should it be used?
Re: need help with honeypot
Fri, 20 Oct 2023 at 19:52, Юрий Иванов:
>
> Sorry for going off topic...
> ...but thanks for your OpenBSD PF book Peter :-)
>
> From: kasak
> Sent: 20 October 2023 8:48
> To: Peter N. M. Hansteen
> Cc: misc@opensmtpd.org
> Subject: Re: need help with honeypot
>
> Thu, 19 Oct 2023 at 19:52, Peter N. M. Hansteen:
> > [...]
> > This sounds like you are more or less trying to imitate the greytrapping
> > feature of OpenBSD spamd.
>
> Yes, it is something similar, but not quite. I have no need of
> greytrapping, I want to teach rspamd.
> Hope I can do this without spamd.
>
> > [...]

I did some experiment here, and it looks like this is not a "match"
problem, this is an "action" problem.
If I change action "trap" to some real delivery method, it works.
So, I need to fix it with rspamc somehow.
RE: need help with honeypot
Sorry for going off topic...
...but thanks for your OpenBSD PF book Peter :-)

From: kasak
Sent: 20 October 2023 8:48
To: Peter N. M. Hansteen
Cc: misc@opensmtpd.org
Subject: Re: need help with honeypot

Thu, 19 Oct 2023 at 19:52, Peter N. M. Hansteen:
>
> On Thu, Oct 19, 2023 at 09:05:56AM +0300, kasak wrote:
> > In the traps file I have a list of spoiled addresses, for example aa...@tvema.ru
> > But mail is not accepted :(
>
> This sounds like you are more or less trying to imitate the greytrapping
> feature of OpenBSD spamd.

Yes, it is something similar, but not quite. I have no need of
greytrapping, I want to teach rspamd.
Hope I can do this without spamd.

> You might want to read this article of mine (gosh, it's been 11 years)
> and links therein for inspiration:
> https://bsdly.blogspot.com/2012/05/in-name-of-sane-email-setting-up-spamd.html
> (also newly available trackerless but with even uglier formatting as
> https://nxdomain.no/~peter/in_the_name_of_sane_email.html),
> assuming, as usual, that your system runs OpenBSD (also applicable with
> minor adjustments on FreeBSD or NetBSD)
>
> - Peter
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: need help with honeypot
Thu, 19 Oct 2023 at 19:52, Peter N. M. Hansteen:
>
> On Thu, Oct 19, 2023 at 09:05:56AM +0300, kasak wrote:
> > In the traps file I have a list of spoiled addresses, for example aa...@tvema.ru
> > But mail is not accepted :(
>
> This sounds like you are more or less trying to imitate the greytrapping
> feature of OpenBSD spamd.

Yes, it is something similar, but not quite. I have no need of
greytrapping, I want to teach rspamd.
Hope I can do this without spamd.

> You might want to read this article of mine (gosh, it's been 11 years)
> and links therein for inspiration:
> https://bsdly.blogspot.com/2012/05/in-name-of-sane-email-setting-up-spamd.html
> (also newly available trackerless but with even uglier formatting as
> https://nxdomain.no/~peter/in_the_name_of_sane_email.html),
> assuming, as usual, that your system runs OpenBSD (also applicable with
> minor adjustments on FreeBSD or NetBSD)
>
> - Peter
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: need help with honeypot
On Thu, Oct 19, 2023 at 09:05:56AM +0300, kasak wrote:
> In the traps file I have a list of spoiled addresses, for example aa...@tvema.ru
> But mail is not accepted :(

This sounds like you are more or less trying to imitate the greytrapping
feature of OpenBSD spamd.

You might want to read this article of mine (gosh, it's been 11 years)
and links therein for inspiration:
https://bsdly.blogspot.com/2012/05/in-name-of-sane-email-setting-up-spamd.html
(also newly available trackerless but with even uglier formatting as
https://nxdomain.no/~peter/in_the_name_of_sane_email.html),
assuming, as usual, that your system runs OpenBSD (also applicable with
minor adjustments on FreeBSD or NetBSD)

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
need help with honeypot
hello misc!

I'm not able to fix my problem myself and I need some help!
I want to create a honeypot on my relay, and here is my conf (I have
cropped the pki lines):

filter "rspamd" proc-exec "filter-rspamd"

table mailer { 172.16.0.25 }
table aliases file:/etc/mail/aliases
table honeypot file:/etc/mail/traps

listen on socket
listen on lo0
listen on egress tls pki tvema.ru hostname tvema.ru filter rspamd ciphers compat
listen on 172.16.0.1 tls pki gater filter rspamd

action "local_mail" mbox alias <aliases>
action "outbound" relay helo tvema.ru
action "tomailer" relay host 172.16.0.25 tls no-verify
action "trap" mda "/usr/local/bin/rspamc -f 1 -w 10 fuzzy_add"

match from local for local action "local_mail"
match ! from src <mailer> for rcpt-to <honeypot> action "trap"
match from any for domain "tvema.ru" action "tomailer"
match from src <mailer> for any action "outbound"
match from local for any action "outbound"

In the traps file I have a list of spoiled addresses, for example aa...@tvema.ru
But mail is not accepted :(

Oct 16 14:28:38 gater smtpd[11899]: 55daaef921ae98d5 smtp failed-command command="RCPT TO:" result="550 Invalid recipient: "

This mail was not originated from "src mailer" and it looks like the match
rule actually works, because otherwise it would be delivered to "tomailer".
Now, what am I missing?
Re: need help to solve route loop
Great! Thanks for clarifying! Now I see! Thank you very much!

Tue, 10 Aug 2021 at 18:53, Thomas Bohl:
>
> Hello,
>
> > action "outbound" relay
> >
> > action "tomailer" relay host 172.16.2.5
> >
> > match from local for local action "local_mail"
> > match from local for any action "outbound"
> >
> > match from any for domain "mydomain.here" action "tomailer"
> > match from src <mailer> for any action "outbound"
>
> The line "match from local for any action "outbound"" comes before
> "match from any for domain "mydomain.here" action "tomailer"".
>
> Therefore, locally sent mails to "mydomain.here" go straight to relay,
> instead of 172.16.2.5. Relay uses the public MX record and lands on itself.
>
> > looks like this is a message from mailer-daemon with subject: Message
> > accepted for delivery
>
> "Message accepted" is not a mail subject. It just says that the
> receiving server accepted the mail.
Re: need help to solve route loop
Hello,

> action "outbound" relay
>
> action "tomailer" relay host 172.16.2.5
>
> match from local for local action "local_mail"
> match from local for any action "outbound"
>
> match from any for domain "mydomain.here" action "tomailer"
> match from src <mailer> for any action "outbound"

The line "match from local for any action "outbound"" comes before
"match from any for domain "mydomain.here" action "tomailer"".

Therefore, locally sent mails to "mydomain.here" go straight to relay,
instead of 172.16.2.5. Relay uses the public MX record and lands on itself.

> looks like this is a message from mailer-daemon with subject: Message
> accepted for delivery

"Message accepted" is not a mail subject. It just says that the receiving
server accepted the mail.
need help to solve route loop
hello misc!

I need to configure opensmtpd to be a relay between the local mail server
and the world. Here is my conf:

pki gater cert "/etc/ssl/local.crt"
pki gater key "/etc/ssl/private/local.key"

filter "rspamd" proc-exec "filter-rspamd"

table mailer { 172.16.2.5 }
table aliases file:/etc/mail/aliases

listen on lo0
listen on egress tls pki tvema.ru hostname tvema.ru filter rspamd
listen on 172.16.0.1 tls pki gater filter rspamd

action "local_mail" mbox alias <aliases>
action "outbound" relay
action "tomailer" relay host 172.16.2.5

match from local for local action "local_mail"
match from local for any action "outbound"
match from any for domain "mydomain.here" action "tomailer"
match from src <mailer> for any action "outbound"

It mostly works, but sometimes the server itself wants to send mail to
users, and we have a loop:

Aug 10 16:33:12 gater smtpd[40569]: 33eeb7f6e2a67883 smtp message msgid=b9e2ff2c size=1068255 nrcpt=1 proto=ESMTP
Aug 10 16:33:12 gater smtpd[40569]: 33eeb7f6e2a67883 smtp envelope evpid=b9e2ff2c5a1938f6 from=<> to=
Aug 10 16:33:12 gater smtpd[40569]: 33eeb7f51e906746 mta delivery evpid=cbb10abbe054c669 from=<> to= rcpt=<-> source="my.ip.he.re" relay="my.ip.he.re (mydomain.here)" delay=4s result="Ok" stat="250 2.0.0 b9e2ff2c Message accepted for delivery"
Aug 10 16:33:14 gater smtpd[40569]: 33eeb7f6e2a67883 smtp message msgid=70bc8e71 size=1069024 nrcpt=1 proto=ESMTP
Aug 10 16:33:14 gater smtpd[40569]: 33eeb7f6e2a67883 smtp envelope evpid=70bc8e71318648d7 from=<> to=
Aug 10 16:33:14 gater smtpd[40569]: 33eeb7f51e906746 mta delivery evpid=b9e2ff2c5a1938f6 from=<> to= rcpt=<-> source="my.ip.he.re" relay="my.ip.he.re (mydomain.here)" delay=3s result="Ok" stat="250 2.0.0 70bc8e71 Message accepted for delivery"
Aug 10 16:33:16 gater smtpd[40569]: 33eeb7f6e2a67883 smtp message msgid=16202305 size=1069793 nrcpt=1 proto=ESMTP
Aug 10 16:33:16 gater smtpd[40569]: 33eeb7f6e2a67883 smtp envelope evpid=162023051dae4938 from=<> to=
Aug 10 16:33:16 gater smtpd[40569]: 33eeb7f51e906746 mta delivery evpid=70bc8e71318648d7 from=<> to= rcpt=<-> source="my.ip.he.re" relay="my.ip.he.re (mydomain.here)" delay=3s result="Ok" stat="250 2.0.0 16202305 Message accepted for delivery"
Aug 10 16:33:18 gater smtpd[40569]: warn: loop detected
Aug 10 16:33:18 gater smtpd[40569]: 33eeb7f6e2a67883 smtp failed-command command="DATA" result="500 5.4.6 Routing loop detected: Loop detected"
Aug 10 16:33:18 gater smtpd[40569]: 33eeb7f51e906746 mta delivery evpid=162023051dae4938 from=<> to= rcpt=<-> source="my.ip.he.re" relay="my.ip.he.re (mydomain.here)" delay=3s result="PermFail" stat="500 5.4.6 Routing loop detected: Loop detected"
Aug 10 16:33:18 gater smtpd[50493]: warn: queue: no return path!
Aug 10 16:33:28 gater smtpd[40569]: 33eeb7f6e2a67883 smtp disconnected reason=quit
Aug 10 16:33:28 gater smtpd[40569]: 33eeb7f51e906746 mta disconnected reason=quit messages=98

looks like this is a message from mailer-daemon with subject: Message
accepted for delivery

How can I solve such type of loops?
Thanks in advance
Re: need help
I've been lurking on this list for a long time but I've never posted.

I've attached a perl program I threw together a couple years ago which does
recursive SPF resolution. This might help your debugging.

For this type of testing, pass it a domain on STDIN:

echo 'gmail.com' | spf2ip.pl

I use it to create a daily whitelist of frequent domain IP's. I use it by
calling it with a filename argument. It reads the file which has a domain
on each line, iterates through all the domains, recursively resolving each,
and creating a long list of all the SPF IP's of all the domains in the
file.

In default mode, it adds enough comments to explain how it generates the
results. For example, here is the output of the above command:

# echo 'gmail.com' | spf2ip.pl
#
# gmail.com
#
# [REDIRECT=] _spf.google.com (depth=1)
# [INCLUDE:] _netblocks.google.com (depth=2)
35.190.247.0/24
64.233.160.0/19
66.102.0.0/20
66.249.80.0/20
72.14.192.0/18
74.125.0.0/16
108.177.8.0/21
173.194.0.0/16
209.85.128.0/17
216.58.192.0/19
216.239.32.0/19
# [INCLUDE:] _netblocks2.google.com (depth=2)
# [INCLUDE:] _netblocks3.google.com (depth=2)
172.217.0.0/19
172.217.32.0/20
172.217.128.0/19
172.217.160.0/20
172.217.192.0/19
108.177.96.0/19
35.191.0.0/16
130.211.0.0/22

SPF resolution of "microsoft.com" returns 76 IP's.

Adding a "-d" argument will output a lot more debug info, whereas "-q"
suppresses any debug info and only outputs IP's.

The header of the perl file does some explanation, but it was only intended
for me to read, so it is not a super thorough explanation. And yes, it
looks like a stereotypical perl program (ugly, quick, and functional).

Hope this helps,
-Andy

On 9/30/2019 7:21 AM, gil...@poolp.org wrote:
> September 30, 2019 4:25 PM, "Denis Fondras" wrote:
> > On Mon, Sep 30, 2019 at 01:55:28PM +, gil...@poolp.org wrote:
> > > Hello,
> > >
> > > I'd like to bring native support for SPF in OpenSMTPD in a future
> > > release, but for this I need a bit of help to make sure my SPF
> > > resolver works fine.
> > >
> > > I have created a repository with a standalone executable that
> > > performs the SPF lookup and checks if an IP address is allowed to
> > > send on behalf of the sending domain:
> > >
> > > https://github.com/poolpOrg/spf
> > > https://github.com/poolpOrg/spf/blob/master/README.md
> > >
> > > If you could test and report issues, it would be nice,
> >
> > It seems IPv6 check is broken :
> >
> > $ dig ledeuns.net TXT +short
> > "v=spf1 ip4:185.22.129.11 ip6:2a00:6060:1::1 ip6:2a00:6060:::1005:ff02 -all"
> >
> > $ ./spf ledeuns.net 185.22.129.1
> > checking if 185.22.129.1 can send for ledeuns.net: fail
> > $ ./spf ledeuns.net 185.22.129.11
> > checking if 185.22.129.11 can send for ledeuns.net: pass
> > $ ./spf ledeuns.net 2a00:6060:1::1
> > checking if 2a00:6060:1::1 can send for ledeuns.net: fail
>
> will fix that, thanks

#!/usr/bin/perl
# PURPOSE/FUNCTION
#   This program performs recursive DNS lookups of spf records (which are in TXT records)
#   and keeps recursing until numeric addresses are reached. Tested with IP4, but the regex's
#   ~should~ function with IP6 addresses.
# INPUT
#   filename: text file, one domain per line, and blank lines ignored.
#   STDIN: list of one or more domains to lookup
# OUTPUT
#   single numeric address per line
#   recursive comments will be included if ($DomainNameComments == 1)
# DEPENDENCIES:
#   1. PERL installed at the above target.
#   2. 'dig' command.
# ASSUMPTIONS:
#   1. This program DOES do recursive spf resolution (i.e. a reverse lookup of ALL spf-authorized sending IP's.)
#   2. This program does NOT do forward MX resolutions (i.e. lookup of where to send mail).

use Switch;

# Global variable which is the final product.
my @IPlist;
my $DomainNameComments = 1;
my @DomainNames;
my $ARGERROR = 0;

# The HASH for the command line settings (i.e. arguments).
my %settings = (
    -q => 0,    # "quiet" which suppresses comments in output.
    -d => 0     # "debug" which adds debug info to the output.
);

# Iterate through the args, confirming accuracy and making settings.
foreach my $arg (@ARGV) {
    if (exists $settings{$arg}) {
        $settings{$arg} = 1;
    } else {
        print "\'$arg\' is invalid argument!\n";
        $ARGERROR++;
    }
}

# Exit if any invalid arguments.
if ($ARGERROR) { exit; }

# Read domain names from STDIN.
foreach my $line ( <STDIN> ) {
    chomp( $line );
    foreach my $arg (split(' ', $line)) {
        push(@DomainNames, $arg);
    }
Re: need help
September 30, 2019 4:25 PM, "Denis Fondras" wrote:
> On Mon, Sep 30, 2019 at 01:55:28PM +, gil...@poolp.org wrote:
>
>> Hello,
>>
>> I'd like to bring native support for SPF in OpenSMTPD in a future release,
>> but for this I need a bit of help to make sure my SPF resolver works fine.
>>
>> I have created a repository with a standalone executable that performs the
>> SPF lookup and checks if an IP address is allowed to send on behalf of the
>> sending domain:
>>
>> https://github.com/poolpOrg/spf
>>
>> https://github.com/poolpOrg/spf/blob/master/README.md
>>
>> If you could test and report issues, it would be nice,
>
> It seems IPv6 check is broken :
>
> $ dig ledeuns.net TXT +short
> "v=spf1 ip4:185.22.129.11 ip6:2a00:6060:1::1 ip6:2a00:6060:::1005:ff02 -all"
>
> $ ./spf ledeuns.net 185.22.129.1
> checking if 185.22.129.1 can send for ledeuns.net: fail
> $ ./spf ledeuns.net 185.22.129.11
> checking if 185.22.129.11 can send for ledeuns.net: pass
> $ ./spf ledeuns.net 2a00:6060:1::1
> checking if 2a00:6060:1::1 can send for ledeuns.net: fail

will fix that, thanks
Re: need help
September 30, 2019 4:51 PM, "Joel Carnat" wrote:
> On 30/09/2019 15:55, gil...@poolp.org wrote:
>
>> Hello,
>> I'd like to bring native support for SPF in OpenSMTPD in a future release,
>> but for this I need a bit of help to make sure my SPF resolver works fine.
>> I have created a repository with a standalone executable that performs the
>> SPF lookup and checks if an IP address is allowed to send on behalf of the
>> sending domain:
>> https://github.com/poolpOrg/spf
>> https://github.com/poolpOrg/spf/blob/master/README.md
>> If you could test and report issues, it would be nice,
>
> As much as I can understand it, recursion seems to not work.
>
> Working example:
> # dig -t TXT carnat.net
> carnat.net. 14314 IN TXT "v=spf1 mx -all"
> # ./spf carnat.net 108.61.176.54
> checking if 108.61.176.54 can send for carnat.net: pass
> # ./spf carnat.net 157.55.9.128
> checking if 157.55.9.128 can send for carnat.net: fail
>
> Not fully working example:
> # dig -t TXT outlook.com
> outlook.com. 600 IN TXT "v=spf1 include:spf-a.outlook.com include:spf-b.outlook.com ip4:157.55.9.128/25 include:spf.protection.outlook.com include:spf-a.hotmail.com include:_spf-ssg-b.microsoft.com include:_spf-ssg-c.microsoft.com ~all"
> # ./spf outlook.com 157.55.9.128
> checking if 157.55.9.128 can send for outlook.com: EXISTS: 0
> EXISTS: 0
> pass
>
> # dig -t TXT spf-a.hotmail.com
> spf-a.hotmail.com. 3600 IN TXT "v=spf1 ip4:157.55.0.192/26 ip4:157.55.1.128/26 ip4:157.55.2.0/25 ip4:65.54.190.0/24 ip4:65.54.51.64/26 ip4:65.54.61.64/26 ip4:65.55.111.0/24 ip4:65.55.116.0/25 ip4:65.55.34.0/24 ip4:65.55.90.0/24 ip4:65.54.241.0/24 ip4:207.46.117.0/24 ~all"
> # ./spf outlook.com 65.54.190.5
> checking if 65.54.190.5 can send for outlook.com: EXISTS: 0
> EXISTS: 0
> EXISTS: 0
> EXISTS: 0
> EXISTS: 0
> EXISTS: 0
> soft-fail

I'll look into that, I thought I had handled this case already but I may have missed something
Re: need help
I'll investigate that, but spfwalk isn't a real SPF resolver and may yield incorrect results, it just helps a bit.

September 30, 2019 4:27 PM, "Nick Ryan" wrote:
> Seems to work fine for some hosts but not gmail.com or outlook.com
>
> mail3$ smtpctl spf walk < 1 (this is gmail.com)
> 35.190.247.0/24
> 64.233.160.0/19
>
> mail3$ ./spf gmail.com 35.190.247.3 <- in the output of spfwalk
> checking if 35.190.247.3 can send for gmail.com: EXISTS: 0
> EXISTS: 0
> EXISTS: 0
> soft-fail
>
> mail3$ ./spf gmail.com 185.185.185.185 <- made up address
> checking if 185.185.185.185 can send for gmail.com: EXISTS: 0
> EXISTS: 0
> EXISTS: 0
> soft-fail
>
> mail3$ ./spf poolp.org 45.76.46.201
> checking if 45.76.46.201 can send for poolp.org: pass
> mail3$ ./spf poolp.org 45.76.46.202
> checking if 45.76.46.202 can send for poolp.org: fail
>
> Regards - Nick
>
> On 30/09/2019 14:55, gil...@poolp.org wrote:
>
>> Hello,
>> I'd like to bring native support for SPF in OpenSMTPD in a future release,
>> but for this I need a bit of help to make sure my SPF resolver works fine.
>> I have created a repository with a standalone executable that performs the
>> SPF lookup and checks if an IP address is allowed to send on behalf of the
>> sending domain:
>> https://github.com/poolpOrg/spf
>> https://github.com/poolpOrg/spf/blob/master/README.md
>> If you could test and report issues, it would be nice,
Re: need help
yup

September 30, 2019 4:23 PM, "Chris Bennett" wrote:
> ./spf no-seas-necio.ninja 162.255.139.10: pass
> ./spf no-seas-necio.ninja 162.255.139.11: soft-fail
>
> Which matches my spf entry. v=spf1 mx ~all.
> Is that the correct response?
>
> Chris Bennett
Re: need help
yes, this is debug code which i don't want to spend time making portable ;-)

September 30, 2019 4:10 PM, "Reio Remma" wrote:
> On 30/09/2019 16:55, gil...@poolp.org wrote:
>
>> Hello,
>>
>> I'd like to bring native support for SPF in OpenSMTPD in a future release,
>> but for this I need a bit of help to make sure my SPF resolver works fine.
>>
>> I have created a repository with a standalone executable that performs the
>> SPF lookup and checks if an IP address is allowed to send on behalf of the
>> sending domain:
>>
>> https://github.com/poolpOrg/spf
>>
>> https://github.com/poolpOrg/spf/blob/master/README.md
>>
>> If you could test and report issues, it would be nice,
>
> Is it OpenBSD only atm?
>
> On CentOS 7:
>
> $ make
> Makefile:26: *** missing separator. Stop.
>
> Reio
Re: need help
On Mon, Sep 30, 2019 at 01:55:28PM +, gil...@poolp.org wrote:
> Hello,
>
> I'd like to bring native support for SPF in OpenSMTPD in a future release,
> but for this I need a bit of help to make sure my SPF resolver works fine.
>
> I have created a repository with a standalone executable that performs the
> SPF lookup and checks if an IP address is allowed to send on behalf of the
> sending domain:
>
> https://github.com/poolpOrg/spf
>
> https://github.com/poolpOrg/spf/blob/master/README.md
>
> If you could test and report issues, it would be nice,
>

It seems IPv6 check is broken :

$ dig ledeuns.net TXT +short
"v=spf1 ip4:185.22.129.11 ip6:2a00:6060:1::1 ip6:2a00:6060:::1005:ff02 -all"

$ ./spf ledeuns.net 185.22.129.1
checking if 185.22.129.1 can send for ledeuns.net: fail
$ ./spf ledeuns.net 185.22.129.11
checking if 185.22.129.11 can send for ledeuns.net: pass
$ ./spf ledeuns.net 2a00:6060:1::1
checking if 2a00:6060:1::1 can send for ledeuns.net: fail
Re: need help
On 30/09/2019 15:55, gil...@poolp.org wrote:
> Hello,
> I'd like to bring native support for SPF in OpenSMTPD in a future release,
> but for this I need a bit of help to make sure my SPF resolver works fine.
> I have created a repository with a standalone executable that performs the
> SPF lookup and checks if an IP address is allowed to send on behalf of the
> sending domain:
> https://github.com/poolpOrg/spf
> https://github.com/poolpOrg/spf/blob/master/README.md
> If you could test and report issues, it would be nice,

As much as I can understand it, recursion seems to not work.

Working example:
# dig -t TXT carnat.net
carnat.net. 14314 IN TXT "v=spf1 mx -all"
# ./spf carnat.net 108.61.176.54
checking if 108.61.176.54 can send for carnat.net: pass
# ./spf carnat.net 157.55.9.128
checking if 157.55.9.128 can send for carnat.net: fail

Not fully working example:
# dig -t TXT outlook.com
outlook.com. 600 IN TXT "v=spf1 include:spf-a.outlook.com include:spf-b.outlook.com ip4:157.55.9.128/25 include:spf.protection.outlook.com include:spf-a.hotmail.com include:_spf-ssg-b.microsoft.com include:_spf-ssg-c.microsoft.com ~all"
# ./spf outlook.com 157.55.9.128
checking if 157.55.9.128 can send for outlook.com: EXISTS: 0
EXISTS: 0
pass

# dig -t TXT spf-a.hotmail.com
spf-a.hotmail.com. 3600 IN TXT "v=spf1 ip4:157.55.0.192/26 ip4:157.55.1.128/26 ip4:157.55.2.0/25 ip4:65.54.190.0/24 ip4:65.54.51.64/26 ip4:65.54.61.64/26 ip4:65.55.111.0/24 ip4:65.55.116.0/25 ip4:65.55.34.0/24 ip4:65.55.90.0/24 ip4:65.54.241.0/24 ip4:207.46.117.0/24 ~all"
# ./spf outlook.com 65.54.190.5
checking if 65.54.190.5 can send for outlook.com: EXISTS: 0
EXISTS: 0
EXISTS: 0
EXISTS: 0
EXISTS: 0
EXISTS: 0
soft-fail
Re: need help
Seems to work fine for some hosts but not gmail.com or outlook.com

mail3$ smtpctl spf walk < 1 (this is gmail.com)
35.190.247.0/24
64.233.160.0/19

mail3$ ./spf gmail.com 35.190.247.3 <- in the output of spfwalk
checking if 35.190.247.3 can send for gmail.com: EXISTS: 0
EXISTS: 0
EXISTS: 0
soft-fail

mail3$ ./spf gmail.com 185.185.185.185 <- made up address
checking if 185.185.185.185 can send for gmail.com: EXISTS: 0
EXISTS: 0
EXISTS: 0
soft-fail

mail3$ ./spf poolp.org 45.76.46.201
checking if 45.76.46.201 can send for poolp.org: pass
mail3$ ./spf poolp.org 45.76.46.202
checking if 45.76.46.202 can send for poolp.org: fail

Regards - Nick

On 30/09/2019 14:55, gil...@poolp.org wrote:
> Hello,
> I'd like to bring native support for SPF in OpenSMTPD in a future release,
> but for this I need a bit of help to make sure my SPF resolver works fine.
> I have created a repository with a standalone executable that performs the
> SPF lookup and checks if an IP address is allowed to send on behalf of the
> sending domain:
> https://github.com/poolpOrg/spf
> https://github.com/poolpOrg/spf/blob/master/README.md
> If you could test and report issues, it would be nice,
Re: need help
./spf no-seas-necio.ninja 162.255.139.10: pass
./spf no-seas-necio.ninja 162.255.139.11: soft-fail

Which matches my spf entry. v=spf1 mx ~all.
Is that the correct response?

Chris Bennett
Re: need help
On Sep 30, 2019 9:10 AM, Reio Remma wrote:
>
> On 30/09/2019 16:55, gil...@poolp.org wrote:
> > Hello,
> >
> > I'd like to bring native support for SPF in OpenSMTPD in a future release,
> > but for this I need a bit of help to make sure my SPF resolver works fine.
> >
> > I have created a repository with a standalone executable that performs the
> > SPF lookup and checks if an IP address is allowed to send on behalf of the
> > sending domain:
> >
> > https://github.com/poolpOrg/spf
> >
> > https://github.com/poolpOrg/spf/blob/master/README.md
> >
> > If you could test and report issues, it would be nice,
> >
>
> Is it OpenBSD only atm?
>
> On CentOS 7:
>
> $ make
> Makefile:26: *** missing separator. Stop.
>
> Reio
>

Looking at the makefile. My guess is yes, but you could try bmake and see if it gets further.

Edgar
Re: need help
On 30/09/2019 16:55, gil...@poolp.org wrote:
> Hello,
>
> I'd like to bring native support for SPF in OpenSMTPD in a future release,
> but for this I need a bit of help to make sure my SPF resolver works fine.
>
> I have created a repository with a standalone executable that performs the
> SPF lookup and checks if an IP address is allowed to send on behalf of the
> sending domain:
>
> https://github.com/poolpOrg/spf
>
> https://github.com/poolpOrg/spf/blob/master/README.md
>
> If you could test and report issues, it would be nice,

Is it OpenBSD only atm?

On CentOS 7:

$ make
Makefile:26: *** missing separator. Stop.

Reio
need help
Hello,

I'd like to bring native support for SPF in OpenSMTPD in a future release, but for this I need a bit of help to make sure my SPF resolver works fine.

I have created a repository with a standalone executable that performs the SPF lookup and checks if an IP address is allowed to send on behalf of the sending domain:

https://github.com/poolpOrg/spf

https://github.com/poolpOrg/spf/blob/master/README.md

If you could test and report issues, it would be nice,
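The behaviour this thread keeps running into (include:/redirect= recursion, ip6: terms alongside an IPv4 sender, and what a record that loops or is malformed should produce), as an added example written for this page. It is not the poolpOrg/spf resolver and not the perl spf2ip.pl posted in the thread: a minimal RFC 7208 check_host() plus an spf2ip-style netblock walker, both driven by a constructed in-memory TXT table (FAKE_TXT and every .test name in it are assumptions standing in for live DNS).

```python
# Offline SPF check_host() and netblock walker: an example added for this thread,
# not the poolpOrg/spf resolver or the spf2ip.pl script. DNS is replaced by the
# constructed FAKE_TXT table so the code runs offline.
import ipaddress

# Constructed TXT records standing in for DNS answers (assumed, not real zones).
FAKE_TXT = {
    "example.test": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::1 include:_spf.example.test -all",
    "_spf.example.test": "v=spf1 redirect=_netblocks.example.test",
    "_netblocks.example.test": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8:1::/48 ~all",
    "loop.test": "v=spf1 include:loop.test -all",  # include loop
    "badv6.test": "v=spf1 ip6:2001:db8:::1 -all",  # ':::' is not a valid address
    "neutral.test": "v=spf1 ?all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_DNS_TERMS = 10  # RFC 7208 section 4.6.4


def lookup_spf(domain, txt=FAKE_TXT):
    """Stand-in for the TXT query: the v=spf1 record for domain, or None."""
    rec = txt.get(domain.lower())
    return rec if rec and rec.lower().startswith("v=spf1") else None


def parse_term(term):
    """(qualifier, name, value, is_modifier); mechanisms split at the first ':',
    modifiers at '=', and 'a/24' keeps the CIDR out of the name."""
    qualifier = "+"
    if term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    name, _, value = term.partition(":")
    if "=" in name:
        name, value = term.split("=", 1)
        return qualifier, name.lower(), value, True
    return qualifier, name.split("/")[0].lower(), value, False


def over_budget(state):
    """Charge one DNS-querying term; True once the RFC 7208 limit is exceeded."""
    state["dns"] += 1
    return state["dns"] > MAX_DNS_TERMS


def check_host(ip, domain, txt=FAKE_TXT, _state=None):
    """RFC 7208 check_host(): pass, fail, softfail, neutral, none or permerror."""
    state = {"dns": 0} if _state is None else _state
    ip = ipaddress.ip_address(ip)
    record = lookup_spf(domain, txt)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:
        qual, name, value, is_modifier = parse_term(term)
        if name in DNS_TERMS and over_budget(state):
            return "permerror"  # too many lookups; this is also what stops loops
        if is_modifier:
            if name == "redirect":
                redirect = value  # consulted only if no mechanism matches
            continue  # exp= and unknown modifiers are ignored
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed term, e.g. 'ip6:2001:db8:::1'
            if net.version != (4 if name == "ip4" else 6):
                return "permerror"  # ip4: term carrying an IPv6 network, or vice versa
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]  # an IPv4 sender never matches an ip6: term
        elif name == "include":
            sub = check_host(ip, value, txt, state)
            if sub == "pass":
                return QUALIFIERS[qual]
            if sub in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral inside the include: not a match, keep going
        elif name not in ("a", "mx", "ptr", "exists"):
            return "permerror"  # unknown mechanism; a/mx/ptr/exists need live DNS
    if redirect is not None:
        sub = check_host(ip, redirect, txt, state)
        return "permerror" if sub == "none" else sub
    return "neutral"


def walk_netblocks(domain, txt=FAKE_TXT, depth=0, _state=None):
    """(depth, network) pairs the policy positively authorizes, spf2ip.pl style,
    following include: and redirect= within the same ten-lookup budget."""
    state = {"dns": 0} if _state is None else _state
    found = []
    for term in (lookup_spf(domain, txt) or "").split()[1:]:
        qual, name, value, _ = parse_term(term)
        if name in DNS_TERMS and over_budget(state):
            break
        if name in ("ip4", "ip6") and qual == "+":
            try:
                found.append((depth, ipaddress.ip_network(value, strict=False)))
            except ValueError:
                pass  # malformed term: skip it when enumerating
        elif name in ("include", "redirect"):
            found.extend(walk_netblocks(value, txt, depth + 1, state))
    return found
```

Two details matter for the bug reports above. First, an ip4: term is never compared against an IPv6 sender (and vice versa), so the only way a v6 sender passes is through an ip6: term or an include/redirect that carries one. Second, a record containing a term that does not parse as an address (the quoted ledeuns.net record has an ip6: term with a triple colon) yields permerror for every sender under RFC 7208, rather than being silently skipped; a checker that ignores such a term and a checker that rejects the whole record will disagree on that domain.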
Re: need help to understand the logic of new grammar
I'll try to answer myself.

As I see, the options "from local" and "for local" are the defaults, and can be omitted?
So, the first match can be cut to
match action "mbox" ??

My first question I have understood: if "from local" is the default, then it will not work without "from any".

The second question was about "from any" in the 4th match. I see, if I try to send email, I connect to egress, so this is not local, and will not work. Also I can't use "from " and in the third match, mails from dkim proxy come to lo0, so they are processed as local and the rule can be extended to:
match from local tag DKIM for any action "relay"
Am I right?

So the last question, can I limit mta to inet4 only?

Wed, 31 Oct 2018 at 15:04, Илья Коскин :
> Hello list! Please look at my match-action definitions:
>
> action "mbox" mbox alias
> action "mda" mda "/usr/local/bin/procmail" alias
> action "relay" relay
> action "relay_dkim" relay host smtp://127.0.0.1:10027
>
> match for local action "mbox"
> match from any for domain action "mda" #2nd match
> match tag DKIM for any action "relay" #3rd match
> match auth from any for any action "relay_dkim" #4th match
>
> I have some questions about matches.
> 1) If I remove "from any" in the second match, smtpd will not accept any
> mail from internet. Why?
> 2) In the 4th match, again, without "from any" I can't send mail to
> anywhere. How can I know where I need to use "from any" and where I don't?
> For example the 3rd match works without "from any"
> 3) Is this config composed securely and correctly?
> Maybe it is an option to use
> match auth from for any action "relay_dkim" ?
> If this works, it can partially help to prevent spamming from compromised
> users.
>
> Also, is there any way to limit mta sending only from ipv4?
>
> Thanks!
>
need help to understand the logic of new grammar
Hello list! Please look at my match-action definitions:

action "mbox" mbox alias
action "mda" mda "/usr/local/bin/procmail" alias
action "relay" relay
action "relay_dkim" relay host smtp://127.0.0.1:10027

match for local action "mbox"
match from any for domain action "mda" #2nd match
match tag DKIM for any action "relay" #3rd match
match auth from any for any action "relay_dkim" #4th match

I have some questions about matches.
1) If I remove "from any" in the second match, smtpd will not accept any mail from internet. Why?
2) In the 4th match, again, without "from any" I can't send mail to anywhere. How can I know where I need to use "from any" and where I don't? For example the 3rd match works without "from any".
3) Is this config composed securely and correctly?
Maybe it is an option to use
match auth from for any action "relay_dkim" ?
If this works, it can partially help to prevent spamming from compromised users.

Also, is there any way to limit mta sending only from ipv4?

Thanks!
Need help for LDAP + smtpd
Hello,

I would like to build a server with smtpd+dovecot with LDAP auth.
Does anyone have any advice or doc up to date to do this?
I only found [1], for 5.7 so I guess things have changed

Regards.

[1] : https://www.tumfatig.net/20150718/opensmtpd-dovecot-and-ldapd-on-openbsd-5-7/#How_OpenSMTPD_works_with_LDAP_data

--
thuban
Re: Need help with configuration using DNS aliases
Yes it can. However,

By default, when connecting to a remote server, smtpd(8) advertises its default server name. A hostname parameter may be specified to advertise the alternate hostname name. If the source parameter is used, the hostnames parameter may be specified to advertise a hostname based on the source address. Table names contains a mapping of IP addresses to hostnames and smtpd(8) will automatically select the name that matches its source address when connected to the remote server. The hostname and hostnames parameters are mutually exclusive.

You need separate ip's for hostname selection in relay context.

Sent from my iPhone

> On Feb 12, 2016, at 5:08 PM, Michael Burk wrote:
>
> After some experimentation I think I can compress this problem down to one
> question:
>
> Is it possible for an OpenSMTPD host to process email addressed to two
> different host names, both of which resolve to the same address?
>
> When I set "mailname," any mail sent to that name works fine. Mail addressed
> to the alternate host name loops.
>
> I thought the "virtual" keyword would be for this purpose, but I've had no
> luck with it.
>
> Thanks,
>
>> On Tue, Feb 9, 2016 at 10:44 AM, Michael Burk wrote:
>> Thanks Craig for the reply.
>>
>> I changed the CNAME to an A record as you suggested. Sadly, it still loops
>> when I send the email to the "alternate" name. It seems that OpenSMTPD
>> doesn't realize that the two names are the same server.
>>
>> I should mention that the whole reason we have an alias is that I have two
>> servers setup as mail servers, and the alias gives us an easy way to switch
>> hosts if one goes down (all mail is addressed to the alias). Also, I have no
>> MX records. I don't know if I should, but Sendmail has always worked without
>> it.
>>
>>> On Tue, Feb 9, 2016 at 4:42 AM, Craig Skinner wrote:
>>> Hi Michael,
>>>
>>> On 2016-02-08 Mon 16:49 PM |, Michael Burk wrote:
>>> >
>>> > If I send a message to the server's CNAME, it goes into a loop which is
>>> > eventually detected and shut down:
>>> >
>>>
>>> Try switching from DNS CNAMES to DNS A records:
>>>
>>> RFC2181 has:
>>>
>>> "10.3. MX and NS records
>>>
>>> The domain name used as the value of a NS resource record, or part of
>>> the value of a MX resource record must not be an alias. Not only is the
>>> specification clear on this point, but using an alias in either of these
>>> positions neither works as well as might be hoped, nor well fulfills the
>>> ambition that may have led to this approach. This domain name must have
>>> as its value one or more address records. Currently those will be A
>>> records, however in the future other record types giving addressing
>>> information may be acceptable. It can also have other RRs,
>>> but never a CNAME RR. "
>>>
>>> http://tools.ietf.org/html/rfc2181#section-10.3
>>>
>>> --
>>> You received this mail because you are subscribed to misc@opensmtpd.org
>>> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
>
Re: Need help with configuration using DNS aliases
After some experimentation I think I can compress this problem down to one question:

Is it possible for an OpenSMTPD host to process email addressed to two different host names, both of which resolve to the same address?

When I set "mailname," any mail sent to that name works fine. Mail addressed to the alternate host name loops.

I thought the "virtual" keyword would be for this purpose, but I've had no luck with it.

Thanks,

On Tue, Feb 9, 2016 at 10:44 AM, Michael Burk wrote:
> Thanks Craig for the reply.
>
> I changed the CNAME to an A record as you suggested. Sadly, it still loops
> when I send the email to the "alternate" name. It seems that OpenSMTPD
> doesn't realize that the two names are the same server.
>
> I should mention that the whole reason we have an alias is that I have two
> servers setup as mail servers, and the alias gives us an easy way to switch
> hosts if one goes down (all mail is addressed to the alias). Also, I have
> no MX records. I don't know if I should, but Sendmail has always worked
> without it.
>
> On Tue, Feb 9, 2016 at 4:42 AM, Craig Skinner wrote:
>
>> Hi Michael,
>>
>> On 2016-02-08 Mon 16:49 PM |, Michael Burk wrote:
>> >
>> > If I send a message to the server's CNAME, it goes into a loop which is
>> > eventually detected and shut down:
>> >
>>
>> Try switching from DNS CNAMES to DNS A records:
>>
>> RFC2181 has:
>>
>> "10.3. MX and NS records
>>
>> The domain name used as the value of a NS resource record, or part of
>> the value of a MX resource record must not be an alias. Not only is the
>> specification clear on this point, but using an alias in either of these
>> positions neither works as well as might be hoped, nor well fulfills the
>> ambition that may have led to this approach. This domain name must have
>> as its value one or more address records. Currently those will be A
>> records, however in the future other record types giving addressing
>> information may be acceptable. It can also have other RRs,
>> but never a CNAME RR. "
>>
>> http://tools.ietf.org/html/rfc2181#section-10.3
>>
>
Need help with configuration using DNS aliases
Hello,

We have a departmental server that serves as a simple mail hub mostly to keep track of internal mailing lists. The /etc/mail/aliases file expands names to our corporate emails or things like mail-SMS gateways. We've used sendmail for years, but I want to switch to OpenSMTPD.

The following configuration works fine as long as I use the server's actual name in the destination:

listen on lo0
listen on em0
table aliases db:/etc/mail/aliases.db
pki selenium.abc.example.com certificate "/etc/ssl/selenium.pem"
pki selenium.abc.example.com key "/etc/ssl/private/selenium.key"
pki selenium.abc.example.com ca "/etc/ssl/abcchain2.pem"
accept for local alias deliver to mbox
accept from any for any relay

Example successful session (translates my first name to my corporate email address):

Feb 8 16:12:17 selenium smtpd[30548]: smtp-in: New session 4b0dece7604e2ab4 from host ytterbium.abc.example.com[10.1.217.70]
Feb 8 16:12:17 selenium smtpd[30548]: smtp-in: Accepted message a4d2ba61 on session 4b0dece7604e2ab4: from=, to=<mich...@selenium.abc.example.com>, size=488, ndest=1, proto=ESMTP
Feb 8 16:12:17 selenium smtpd[30548]: smtp-in: Closing session 4b0dece7604e2ab4
Feb 8 16:12:17 selenium smtpd[30548]: smtp-out: Connecting to smtp+tls://10.1.217.34:25 (selenium.abc.example.com) on session 4b0decea9465f088...
Feb 8 16:12:17 selenium smtpd[30548]: smtp-out: Connected on session 4b0decea9465f088
Feb 8 16:12:17 selenium smtpd[30548]: smtp-in: New session 4b0deceb7185e55e from host selenium.abc.example.com[10.1.217.34]
Feb 8 16:12:17 selenium smtpd[30548]: smtp-in: Accepted message 63dd05ac on session 4b0deceb7185e55e: from= , to=<mich...@selenium.abc.example.com>, size=719, ndest=1, proto=ESMTP
Feb 8 16:12:17 selenium smtpd[30548]: relay: Ok for a4d2ba611f5d69f3: session=4b0decea9465f088, from= , to=<mich...@selenium.abc.example.com>, rcpt=<->, source=10.1.217.34, relay=10.1.217.34 (selenium.abc.example.com), delay=0s, stat=250 2.0.0: 63dd05ac Message accepted for delivery
Feb 8 16:12:17 selenium smtpd[30548]: smtp-out: Connecting to smtp+tls://10.2.33.34:25 (mailhost.example.com) on session 4b0deceed4ae1a78...
Feb 8 16:12:17 selenium smtpd[30548]: smtp-out: Connected on session 4b0deceed4ae1a78
Feb 8 16:12:17 selenium smtpd[30548]: smtp-out: Started TLS on session 4b0deceed4ae1a78: version=TLSv1/SSLv3, cipher=DHE-RSA-AES256-SHA, bits=256
Feb 8 16:12:17 selenium smtpd[30548]: smtp-out: Server certificate verification succeeded on session 4b0deceed4ae1a78
Feb 8 16:12:17 selenium smtpd[30548]: relay: Ok for 63dd05ac3126ba1f: session=4b0deceed4ae1a78, from= , to=<michael.b...@example.com>, rcpt= , source=10.1.217.34, relay=10.2.33.34 (mailhost.example.com), delay=0s, stat=250 2.0.0 Ok: queued as AC2FBCA1FE
Feb 8 16:12:27 selenium smtpd[30548]: smtp-in: Closing session 4b0deceb7185e55e
Feb 8 16:12:27 selenium smtpd[30548]: smtp-out: Closing session 4b0decea9465f088: 1 message sent.
Feb 8 16:12:27 selenium smtpd[30548]: smtp-out: Closing session 4b0deceed4ae1a78: 1 message sent.

If I send a message to the server's CNAME, it goes into a loop which is eventually detected and shut down:

...
Feb 8 16:14:17 selenium smtpd[30548]: warn: loop detected
Feb 8 16:14:17 selenium smtpd[30548]: smtp-in: Failed command on session 4b0decf39bd54111: "DATA" => 500 5.4.6 Routing loop detected: Loop detected
Feb 8 16:14:17 selenium smtpd[30548]: relay: PermFail for 63bffc06b4c44cec: session=4b0decf2a712e432, from=<bu...@ytterbium.abc.example.com>, to= , rcpt=<->, source=10.1.217.34, relay=10.1.217.34 (selenium.abc.example.com), delay=1s, stat=500 5.4.6 Routing loop detected: Loop detected
Feb 8 16:14:18 selenium smtpd[30548]: smtp-in: New session 4b0decf71e1730a5 from host selenium.abc.example.com [local]
Feb 8 16:14:18 selenium smtpd[30548]: smtp-in: Accepted message 293cbf9d on session 4b0decf71e1730a5: from=<>, to= , size=23050, ndest=1, proto=ESMTP
Feb 8 16:14:18 selenium smtpd[30548]: smtp-in: Closing session 4b0decf71e1730a5
Feb 8 16:14:27 selenium smtpd[30548]: smtp-in: Closing session 4b0decf39bd54111
Feb 8 16:14:27 selenium smtpd[30548]: smtp-out: Closing session 4b0decf2a712e432: 98 messages sent.
Feb 8 16:14:45 selenium smtpd[30548]: smtp-out: Error on session 4b0decf6733a5e76: IO Error: No route to host
Feb 8 16:14:45 selenium smtpd[30548]: smtp-out: Disabling route [] <-> 10.1.217.70 (ytterbium.abc.example.com) for 800s
Feb 8 16:14:45 selenium smtpd[30548]: smtp-out: No valid route for [connector:[]->[relay:ytterbium.abc.example.com],0x0]
Feb 8 16:14:51 selenium smtpd[30548]: relay: TempFail for 195cd84d2faa71d4: session=, from=<>, to=<bu...@ytterbium.abc.example.com>, rcpt=<->, source=-, relay=ytterbium.abc.example.com, delay=8m1s, stat=Network
Re: relay from notebook not working (need help with configuration)
On Wed, Sep 09, 2015 at 07:37:13PM +0200, Marcus MERIGHI wrote:
> j...@navratil.cz (Jiri Navratil), 2015.09.08 (Tue) 08:24 (CEST):
> > I wish to use on my notebook to deliver emails via relay to my server
> > regardless of location and Internet connection.
> >
> > on notebook I have
> >
> > accept from local for any relay via tls+auth://user@myserver auth
> >
>
> table relayauth { username= "passphrase" }
> accept for any relay via tls+auth://usern...@msa.domain.tld:587 auth \
>
> > on server I have
> >
> > listen on egress tls pki myserver auth-optional
> > listen on egress port submission tls-require pki myserver auth
>
> pki host.domain.tld certificate "/etc/ssl/tld.domain.host.crt"
> pki host.domain.tld key "/etc/ssl/private/tld.domain.host.key"
> listen on egress port submission tls pki host.domain.tld auth tag msa
>
> Bye, Max
>

Thank you Max for your help. It's working now. I had to add 587 port and change format of relayauth

I propose to adjust smtpd.conf(5) of these changes:
- add 587 port to example of accept for ...
- adjust secrets table format, as this one has been reported by smtpd -v as wrong (the created secrets.db)
# echo "label username:password" > /etc/mail/secrets

Next to it - /etc/rc.d/smtpd start reported OK, but smtpd -v reported problem with secrets.db

Next to it - $ doas smtpctl resume mta is still reporting command failed

Please let me know, if I can help debug it more.

Best regards, Jiri
--
Jiri Navratil, http://kouc.navratil.cz, +420 222 767 131
Re: relay from notebook not working (need help with configuration)
j...@navratil.cz (Jiri Navratil), 2015.09.08 (Tue) 08:24 (CEST):
> I wish to use on my notebook to deliver emails via relay to my server
> regardless of location and Internet connection.
>
> on notebook I have
>
> accept from local for any relay via tls+auth://user@myserver auth
>

table relayauth { username= "passphrase" }
accept for any relay via tls+auth://usern...@msa.domain.tld:587 auth \

> on server I have
>
> listen on egress tls pki myserver auth-optional
> listen on egress port submission tls-require pki myserver auth

pki host.domain.tld certificate "/etc/ssl/tld.domain.host.crt"
pki host.domain.tld key "/etc/ssl/private/tld.domain.host.key"
listen on egress port submission tls pki host.domain.tld auth tag msa

Bye, Max
relay from notebook not working (need help with configuration)
Hello,

I wish to use on my notebook to deliver emails via relay to my server regardless of location and Internet connection.

on notebook I have
:
accept from local for any relay via tls+auth://user@myserver auth
:

on server I have
:
listen on egress tls pki myserver auth-optional
listen on egress port submission tls-require pki myserver auth

I tested it from my LAN and it worked. Today I wrote a few emails during commuting. After connection to network, I'm not able to deliver.

doas smtpctl show queue
reported firstly something about not resolved MX address

after
doas smtpctl schedule all
5 envelopes scheduled
I'm getting Network error on destination MXs

doas smtpctl resume mta
command failed

In log I see
Sep 8 07:56:45 mynotebook smtpd[19575]: smtp-out: Error on session 97f00336911384e4: TLS required but not supported by remote host

I'm using OpenBSD -current on notebook OpenSMTPD 5.4.4 and OpenBSD 5.8 GENERIC.MP#1137 amd64 from snapshot on server OpenSMTPD 5.4.4

Please
- is my configuration correct?
- shall I somehow debug the command failed output from smtpctl resume mta?
- is this approach (idea) of delivering emails this way correct?

Thank you, Jiri
--
Jiri Navratil, http://kouc.navratil.cz, +420 222 767 131