Re: Mail delivery from Postfix to remote IMAP

[Greg A. Woods]

At Tue, 23 Apr 2024 01:41:11 +0200, Steffen Nurpmeso  wrote:
Subject: Re: Mail delivery from Postfix to remote IMAP
>
> SPF should never have been introduced

I agree _VERY_ much!  It still does absolutely nothing to reduce SMTP
abuse or increase trust in any way whatsoever.

--
Greg A. Woods 

Kelowna, BC +1 250 762-7675   RoboHack 
Planix, Inc.  Avoncote Farms 


pgpXhX5pfLz6i.pgp
Description: OpenPGP Digital Signature

cryptic pkgin SSL cert error

[beaker]

Hello,

I have a 9.3/i386 VM on which I recently ran
  $ sudo pkgin update ; sudo pkgin upgrade ;sudo pkgin autoremove

which worked but subsequent attempts to use pkgin report the following error:

--
$ sudo pkgin update 
cleaning database from 
http://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/9.3/All entries...
reading local summary...
processing local summary...
processing remote summary 
(https://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/9.3/All)...
3061459968:error:1416F086:SSL 
routines:tls_process_server_certificate:certificate verify 
failed:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c:1921:
3061459968:error:1416F086:SSL 
routines:tls_process_server_certificate:certificate verify 
failed:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c:1921:
3061459968:error:1416F086:SSL 
routines:tls_process_server_certificate:certificate verify 
failed:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c:1921:
pkgin: Could not fetch 
https://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/9.3/All/pkg_summary.xz: 
Authentication error
--

A work-around is to edit /usr/pkg/etc/pkgin/repositories.conf so
it only uses http not https but I'd really rather not do that going
forward so I'm looking for some guidance on how to fix wahatever
is causing this SSL certificate verification error.

System info:
$ pkgin -v
pkgin 23.8.1 (using SQLite 3.26.0)
$ uname -a |cut -d' ' -f4-12
NetBSD 9.3_STABLE (GENERIC) #0: Mon Mar 25 15:54:20 UTC
$ uname -m
i386

Re: Mail delivery from Postfix to remote IMAP

[Greg Troxel]

Rhialto  writes:

> The trouble with plain forwarding is that my mail server's domain name
> doesn't match the domain name in the From: header, and doesn't match the
> envelope FROM domain, and it doesn't match the SPF policy of the sender
> domain etc etc. Those are things that are checked by DKIM/DMARC/SPF.

DKIM checks the signature.
SPF checks the sending server.
DMARC doesn't check anything, but specifies that a message should be
disfavored unless either DKIM or SPF passes.

Not modifying the message is exactly the right thing to do.

> And you can't change the From: header because that is changing the mail
> (and invalidates the DKIM signature), and neither can you change the
> envelope FROM address because bounces (as far as they happen) won't work.

It's bad to change either, regardless.

> Unfortunately DKIM is designed to break forwarding... I can't think of a
> way to change an email message to make it DKIM-compliant.

You can't; that's the point.

> Mailing lists can get away with changing the From: header to something
> like "l...@example.org (Rhialto via Example-List)" (and that's already
> an ugly thing to do) but that's not an option for individual mails.

I don't think they get away with it.  They do it anyway and people that
understand standards tell them they are doing it wrong.  But their
internet license is not revoked and they aren't jailed, if that's what
you mean by get away.


There's something else, which is that spam filtering is a local call, so
you can't reason "if I do X it will be ok".  It might or might not be,
and it can change  in the future.

Because of this, I think delivering to IMAP via some kind of IMAP client
delivery agent is reasonable.

The other thing to do is to tell them that they have an account on your
domain, and they can IMAP to you to get mail, and use submission to your
server to send mail, and that's that.

Re: Mail delivery from Postfix to remote IMAP

[Steffen Nurpmeso]

Greg A. Woods wrote in
 :
 |First off let me second what Steffen says!

SPF should never have been introduced as it breaks any mail
forwarder; just spring last year i contacted postmaster@ of
FreeBSD because i got bounces when i replied to some @freebsd.org
that forwarded to @gmail.
I mean, that is practically any university or project which
offers permanent addresses to their (former) members as they live
on.  And it is so funny given how SMTP started hopping.

Ditto DMARC that breaks any mailing-list.
Well in fact the DKIM key breaks, of course, if a ML footer or
subject tag is added.  (If it would be me DMARC would be dropped
and a minimally updated DKIM would take its part and signal the
necessity of the presence of a DKIM signature through the
existence of a "new" DNS entry.  Ie, that *always* fails then.)

(There is a possibility that is used for eg IETF lists: if you
lookup the DMARC policy, and it announces that a modified email
would cause failure, you can setup a permanent alias, here one of
a well-known person who does 5322:

  From: Pete Re...ck 

ie real-address@dmarc. etc, so From: checks go for other DMARC
entries etc.  Well.

 |At Mon, 22 Apr 2024 21:15:08 +0200, Rhialto  wrote:
 |Subject: Re: Mail delivery from Postfix to remote IMAP
 |>
 |> and neither can you change the
 |> envelope FROM address because bounces (as far as they happen) won't work.
 |
 |I haven't verified this works right with Postfix, but if you're doing
 |forwarding with ~/.forward files then this should happen automatically.
 |
 |It does of course mean bounces do end up going to the account on the
 |forwarding host, not the original sender, but this is (in theory) what
 |people using ~/.forward files want -- the forwarding itself caused the
 |bounce, not the initial delivery to the forwarded account, so sending
 |the message back to the original sender is arguably wrong.
 |
 |Maybe you can increase your storage capacity and simply run local IMAP
 |service for all your domains and users?  Every modern IMAP client (MUA)
 |I've encountered has been able to easily handle multiple IMAP accounts,
 |and many of them have simple ways to aggregate all INBOXes, for example,
 |into one meta INBOX.

If there really is not other way, the MUA i maintain speaks IMAP
a bit; even though the new version is still not ready (and will
change configuration), and v14.9.24 is very old (and has quite
some bugs, and i have forgotten anything about it), it *could* be
that scripting it to move all mails forward to another box on
another server could be the solution.
With v14.10 (that is still not what i long for) as of hopefully
summer one could place your desire in a pipe even:

  

Re: Mail delivery from Postfix to remote IMAP

[Greg A. Woods]

First off let me second what Steffen says!

At Mon, 22 Apr 2024 21:15:08 +0200, Rhialto  wrote:
Subject: Re: Mail delivery from Postfix to remote IMAP
>
> and neither can you change the
> envelope FROM address because bounces (as far as they happen) won't work.

I haven't verified this works right with Postfix, but if you're doing
forwarding with ~/.forward files then this should happen automatically.

It does of course mean bounces do end up going to the account on the
forwarding host, not the original sender, but this is (in theory) what
people using ~/.forward files want -- the forwarding itself caused the
bounce, not the initial delivery to the forwarded account, so sending
the message back to the original sender is arguably wrong.

Maybe you can increase your storage capacity and simply run local IMAP
service for all your domains and users?  Every modern IMAP client (MUA)
I've encountered has been able to easily handle multiple IMAP accounts,
and many of them have simple ways to aggregate all INBOXes, for example,
into one meta INBOX.

--
Greg A. Woods 

Kelowna, BC +1 250 762-7675   RoboHack 
Planix, Inc.  Avoncote Farms 


pgplmxEfEXlMt.pgp
Description: OpenPGP Digital Signature

Re: Mail delivery from Postfix to remote IMAP

[Steffen Nurpmeso]

Rhialto wrote in
 :
 |On Mon 22 Apr 2024 at 11:20:59 -0700, Greg A. Woods wrote:
 |> Just keep doing what you're doing.  Anything else _is_ more roundabout.
 |> Why complicate things?  SMTP forwarding is the way to keep it working!
 |
 |I agree with you in spirit. Plain forwarding is a basic feature of SMTP.
 |
 |BUT.
 |
 |The trouble with plain forwarding is that my mail server's domain name
 |doesn't match the domain name in the From: header, and doesn't match the
 |envelope FROM domain, and it doesn't match the SPF policy of the sender
 |domain etc etc. Those are things that are checked by DKIM/DMARC/SPF.
 |
 |And you can't change the From: header because that is changing the mail
 |(and invalidates the DKIM signature), and neither can you change the
 |envelope FROM address because bounces (as far as they happen) won't work.
 |
 |> Of course fixing your mail server to do proper DKIM, or even just
 |> futzing with SPF (and PTR) records enough to get normal SMTP port#25
 |> through, i.e. without heavier AUTH and use of the submission service,
 |> would be even simpler.  I've done the latter, and hope to do more with
 |> DKIM soon (but _NOT_ with the milter mess!).
 |
 |Unfortunately DKIM is designed to break forwarding... I can't think of a

That is SPF, which does not survive more than one hop.

 |way to change an email message to make it DKIM-compliant. Mailing lists

That is DMARC.  (DKIM default is to ignore failures.)

 |can get away with changing the From: header to something like
 |"l...@example.org (Rhialto via Example-List)" (and that's already an
 |ugly thing to do) but that's not an option for individual mails.

For forwarding what you (UNFORTUNATELY) need is SRS aka
https://github.com/roehling/postsrsd.

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

Re: need your advice before new Raspberry Pi purchase

[Ramiro Aceves]

El 22/4/24 a las 20:09, John Klos escribió:

Hi,

Cause lighttpd was familar to me, I  have used it under raspbian and 
Debian.

 Lighttpd Web server, home minidlna film server.


If your usage is simple, then bozohttpd's setup will be very simple. For 
instance, my setup is just four lines in /etc/inetd.conf (two each for 
IPv4 and IPv6 http, and two for https).


I'm interested in minidlna. Currently I can send web links to mp4 files 
and people know how to Airplay them to their TVs, but I'd love to be 
able to set up a simple media server that'd let people browse their 
media straight from their TVs.


BTW - here's my Raspberry Pi 4 server:

https://www.reddit.com/r/raspberry_pi/comments/w3yaes/my_updated_1u_raspberry_pi_4_server/


Oh, beautiful 1U server, well done!

Minidlna seems simple to configure. I have only used it to serve films 
for my wife and daughter at home, nothing exotic.


About bozohttpd. I use lighttpd for very simple experimental WEB pages 
using https, PHP and digest auth sha256 authentication. I think that 
bozohttpd server only support basic authentication:


   HTTP BASIC AUTHORIZATION
 bozohttpd has support for HTTP Basic Authorization.  If a file 
named .htpasswd exists in the directory of the current request, 
bozohttpd will restrict access to documents in that directory using the 
RFC 2617 HTTP "Basic" authentication scheme.


 Note: This does not recursively protect any sub-directories.

I have to experiment.

Thanks so much.
Ramiro.







John

Re: Mail delivery from Postfix to remote IMAP

[Rhialto]

On Mon 22 Apr 2024 at 11:20:59 -0700, Greg A. Woods wrote:
> Just keep doing what you're doing.  Anything else _is_ more roundabout.
> Why complicate things?  SMTP forwarding is the way to keep it working!

I agree with you in spirit. Plain forwarding is a basic feature of SMTP.

BUT.

The trouble with plain forwarding is that my mail server's domain name
doesn't match the domain name in the From: header, and doesn't match the
envelope FROM domain, and it doesn't match the SPF policy of the sender
domain etc etc. Those are things that are checked by DKIM/DMARC/SPF.

And you can't change the From: header because that is changing the mail
(and invalidates the DKIM signature), and neither can you change the
envelope FROM address because bounces (as far as they happen) won't work.

> Of course fixing your mail server to do proper DKIM, or even just
> futzing with SPF (and PTR) records enough to get normal SMTP port#25
> through, i.e. without heavier AUTH and use of the submission service,
> would be even simpler.  I've done the latter, and hope to do more with
> DKIM soon (but _NOT_ with the milter mess!).

Unfortunately DKIM is designed to break forwarding... I can't think of a
way to change an email message to make it DKIM-compliant. Mailing lists
can get away with changing the From: header to something like
"l...@example.org (Rhialto via Example-List)" (and that's already an
ugly thing to do) but that's not an option for individual mails.

-Olaf.
-- 
___ Olaf 'Rhialto' Seibert
\X/ There is no AI. There is just someone else's work.   --I. Rose


signature.asc
Description: PGP signature

Re: Mail delivery from Postfix to remote IMAP

[Greg A. Woods]

At Mon, 22 Apr 2024 19:39:05 +0200, Rhialto  wrote:
Subject: Re: Mail delivery from Postfix to remote IMAP
>
> On Mon 22 Apr 2024 at 19:29:13 +0200, Hauke Fath (SPG) wrote:
> > You would have to have a local delivery
> > agent that (working with stored user credentials) also acts as an IMAP
> > _client_. Interesting concept...
>
> I'd expect some little program already exists that, say, takes a mail
> message on stdin and puts it in some configured imap mailbox... but I
> haven't found one yet. Then I could just use an alias:
>
> u...@isp.tld: "|imap-delivery user:passw...@imap.isp.tld"

That's what a local delivery agent does, effectively, but without
needing the each user's credentials.

Local delivery agents work on a different premise.  The LDA uses its own
master key, so to speak, to authenticate and authorize the MTA to do
delivery to _any_ _local_ mailbox.

I don't know the specifics of Dovecot, but in the Cyrus IMAP server it's
called "lmtpd", and it uses the LMTP protocol, and it uses (or can use)
LMTP AUTH to authenticate the MTA, and it can be configured to listen
either locally on a UNIX (filesystem) socket, or on an internet socket
(IP:port).

However no mailbox provider in their right mind would ever allow any
third party to have LMTP access to their IMAP server!

The whole point of allowing a network connection to LMTP is so that you
can have a farm of SMTP servers all accepting incoming mail and
delivering to one IMAP server.  I once maintained a system with a half
dozen incoming SMTP servers all feeding one big IMAP server.

SMTP goes between unaffiliated systems.  LMTP is "local" to one .

There are programs that can mirror IMAP mailboxes between IMAP servers,
(e.g. mail/isync) but I think that's a different use case than yours.


--
Greg A. Woods 

Kelowna, BC +1 250 762-7675   RoboHack 
Planix, Inc.  Avoncote Farms 


pgpcIV51Rytvl.pgp
Description: OpenPGP Digital Signature

Re: Mail delivery from Postfix to remote IMAP

[Greg A. Woods]

At Mon, 22 Apr 2024 18:27:05 +0200, Rhialto  wrote:
Subject: Mail delivery from Postfix to remote IMAP
>
> I have a local IMAP server running as well, so I could deliver to that
> and then do an IMAP-move, but that seems rather roundabout and requires
> creating some service which gets somehow triggered to do this. I don't
> have much space available though. A direct delivery would seem better to
> me.

Just keep doing what you're doing.  Anything else _is_ more roundabout.
Why complicate things?  SMTP forwarding is the way to keep it working!

Of course fixing your mail server to do proper DKIM, or even just
futzing with SPF (and PTR) records enough to get normal SMTP port#25
through, i.e. without heavier AUTH and use of the submission service,
would be even simpler.  I've done the latter, and hope to do more with
DKIM soon (but _NOT_ with the milter mess!).

--
Greg A. Woods 

Kelowna, BC +1 250 762-7675   RoboHack 
Planix, Inc.  Avoncote Farms 


pgpmA9lRU9qc9.pgp
Description: OpenPGP Digital Signature

Re: need your advice before new Raspberry Pi purchase

[John Klos]

Hi,


Cause lighttpd was familar to me, I  have used it under raspbian and Debian.

 Lighttpd Web server, home minidlna film server.


If your usage is simple, then bozohttpd's setup will be very simple. For 
instance, my setup is just four lines in /etc/inetd.conf (two each for 
IPv4 and IPv6 http, and two for https).


I'm interested in minidlna. Currently I can send web links to mp4 files 
and people know how to Airplay them to their TVs, but I'd love to be able 
to set up a simple media server that'd let people browse their media 
straight from their TVs.


BTW - here's my Raspberry Pi 4 server:

https://www.reddit.com/r/raspberry_pi/comments/w3yaes/my_updated_1u_raspberry_pi_4_server/

John

Re: Mail delivery from Postfix to remote IMAP

[Rhialto]

On Mon 22 Apr 2024 at 19:29:13 +0200, Hauke Fath (SPG) wrote:
> On 2024-04-22 18:27, Rhialto wrote:
> > Since mails can be transferred from one IMAP server to another,
> 
> ... by an IMAP client, or server?

Client. Even dovecot (which I already use) has something like that
already: dsync(1) or doveadm-sync(1) (the name seems somewhat
inconsistent).

> Postfix doesn't speak IMAP, does it?

No, even to (a local) Dovecot it delivers to the mbox file, or via lmtp,
or other similar options.

> You would have to have a local delivery
> agent that (working with stored user credentials) also acts as an IMAP
> _client_. Interesting concept...

I'd expect some little program already exists that, say, takes a mail
message on stdin and puts it in some configured imap mailbox... but I
haven't found one yet. Then I could just use an alias:

u...@isp.tld:   "|imap-delivery user:passw...@imap.isp.tld"

> Hauke
-Olaf.
-- 
___ Olaf 'Rhialto' Seibert
\X/ There is no AI. There is just someone else's work.   --I. Rose


signature.asc
Description: PGP signature

Re: Mail delivery from Postfix to remote IMAP

[Hauke Fath (SPG)]

On 2024-04-22 18:27, Rhialto wrote:

Since mails can be transferred from one IMAP server to another,


... by an IMAP client, or server?


I know
it is possible to inject emails into IMAP mailboxes.


Yes, with a local delivery agent, on behalf of the local MTA. Or from 
within an IMAP client - works nicely. But that doesn't solve your problem.



But is there some convenient way already to do this from Postfix?


Postfix doesn't speak IMAP, does it? You would have to have a local 
delivery agent that (working with stored user credentials) also acts as 
an IMAP _client_. Interesting concept...


Cheerio,
Hauke

--
 The ASCII Ribbon CampaignHauke Fath
() No HTML/RTF in email Institut für Nachrichtentechnik
/\ No Word docs in email TU Darmstadt
 Respect for open standards  Ruf +49-6151-16-21344

Re: need your advice before new Raspberry Pi purchase

[Ramiro Aceves]

Cause lighttpd was familar to me, I  have used it under raspbian and Debian.

El 22/4/24 a las 16:03, Justin Parrott escribió:

why do you choose lighttpd over the one distributed with n?

On Sun, Apr 21, 2024 at 4:08 PM Ramiro Aceves > wrote:




El 21/4/24 a las 20:33, Justin Parrott escribió:
 > what do you use it for?

Lighttpd Web server, home minidlna film server.

 >
 > On Sat, Apr 20, 2024 at 2:24 PM Ramiro Aceves mailto:ea1...@gmail.com>
 > >> wrote:
 >
 >     Hello,
 >
 >     I am thinking about buying a more powerful Raspberry Pi than
my actual
 >     Raspberry Pi ZeroW. I like very much how NetBSD operating
system is
 >     working although I was a bit dissapointed with WIFI driver
for the
 >     builtin WIFI device, I feel that I can control the OS and it
is the
 >     OS I
 >     was looking for, simple and straightforward without bells and
whistles.
 >
 >     In general NetBSD works fine in the Pi once you get used to it,
 >     everything makes sense soon, you fell confortable and why not
to say, I
 >     am in a new world after many years using Linux and needed new
 >     sensations. On the Zero W WIFI bwfm driver did not work well and
 >     overcome that buying a USB WIFI dongle with RTL 8188EU chip
that works
 >     almost ok (with no channel switching  in the router). Now I
am going to
 >     use only ethernet network connection so WIFI will not be a
problem.
 >
 >
 >     I have been reading
 > https://wiki.netbsd.org/ports/evbarm/raspberry_pi/

 >     >
 >     but information is a bit confusing.
 >
 >     "As of early 2024, NetBSD does not support the Raspberry Pi 5."
 >
 >     Reading that I inmediatly discarded the Raspberry Pi 5
choice. Being
 >     realistic I think It does not work in NetBSD 10 now and I
estimate it
 >     will not work well for perhaps some years. Life is short, I
cannot wait
 >     and so I think RaspberryPi 4 should be my buying target.
 >
 >
 >     "NetBSD 10"
 >
 >           "RPI4 general support (but there are issues)"
 >
 >     Seems explained below.
 >
 >
 >           "RPI4 ethernet (Broadcom GENETv5) (but the man page for
 >     genet(4) is
 >     missing)"
 >
 >     Can I be sure that ethernet will work fine and reliable?
Network speed?
 >
 >
 >           "builtin bluetooth on RPI3 (RPI0W? RPI4?)"
 >
 >     Does bluetooth work on the Pi4?
 >
 >
 >           "builtin WiFi on RPI0W, RPI3 and RPI4 - bwfm(4)"
 >
 >     Does WIFI bwfm  driver work as badly as in the ZeroW? Not
relevant for
 >     my future use of the Pi 4 cause I will use it through
ethernet but that
 >     will be a bonus, just curious.
 >
 >
 >           "RPI4 xhci does not work with a straight netbsd-10 install"
 >
 >     I seems that below is the explanation.
 >
 >           "RPI4 hardware rng does not work with a straight netbsd-10
 >     install"
 >
 >     I seems that below is the explanation.
 >
 >
 >     The following chapter is very confusing for me:
 >
 >
 >     "Issues and Workarounds"
 >     "RPI4 xhci"
 >
 >     "With the netbsd-10 arm64.img on a RPI4 (most of them), the
pci driver
 >     is missing and therefore xhci will not attach, so the USB
ports will
 >     not
 >     work. One workaround is to switch to UEFI, but that leads to
a 3GB
 >     memory limit and needing a monitor. Another is to add kernel
config.
 >     One
 >     can also add the hardware rng. Adding the following to
GENERIC64.local
 >     results in both working; you likely also need a dtb that
includes the
 >     RNG. \todo Explain why this isn't in GENERIC64 or link to a PR.
 >
 >     GENERIC64
 >
 >     bcm2838pcie* at fdt?                    # STB PCIe host
controller
 >     bcm2838rng* at fdt?                     # RPI4 RNG
 >
 >     There is some need to load firmware for the xhci driver, but
apparently
 >     that works, once the above is added"
 >
 >
 >     Does it mean that using  "traditional booting" you end with
non working
 >     USB ports? Will you even end without keyboard? I mainly will
use the Pi
 >     headless via ssh but need the keyboard in the first
configuring steps.
 >
 >     After switching to UEFI you will make USB ports work but 8 GB
 >     RapberryPi
 >     will be reduced to 3 GB only with no workaround? What do
"needing 

Mail delivery from Postfix to remote IMAP

[Rhialto]

I am providing family with an email address on my server. So far I deliver
their mail by forwarding it to their ISP, by using a time-honoured standard
forward.

However, thanks to the fantastic invention of DKIM and SPF and that sort
of things, that is breaking more and more.

For now I work around it by getting Postfix to deliver to the ISP's
submission port and authenticate as the recipient. I hope that this
works around DKIM, DMARC and SPF checks. See below for how this works.

But since I am impersonating them already anyway, I might as well
deliver mail directly via IMAP to their mailbox. That would presumably
be much more certain to actually arrive.

Since mails can be transferred from one IMAP server to another, I know
it is possible to inject emails into IMAP mailboxes.

But is there some convenient way already to do this from Postfix?
Everything I found so far is copying or moving from one mailbox to
another, or out of IMAP entirely.

I have a local IMAP server running as well, so I could deliver to that
and then do an IMAP-move, but that seems rather roundabout and requires
creating some service which gets somehow triggered to do this. I don't
have much space available though. A direct delivery would seem better to
me.

===

Appendix: how to deliver mail, authenticated as the recipient, using
Postfix.

Create an entry in the /etc/postfix/transport map:

# /etc/postfix/transport
# Run postmap /etc/postfix/transport   to update
# man 5 transport
# See master.cf for smtp-isp: transports.
u...@isp.tld  smtp-isp:[mail.isp.tld]:587

In main.cf, arrange to use this file:

transport_maps = hash:/etc/postfix/transport

In master.cf, set up the transport:

# Delivery method for u...@isp.tld
# Triggered from transport.db
smtp-isp  unix  -   -   y   -   2   smtp
-o syslog_name=to-isp
-o smtp_sasl_auth_enable=yes
-o smtp_sasl_password_maps=hash:/etc/postfix/to-isp-password
-o smtp_sasl_security_options=

In to-isp-password:

# lhs: destination spelled the same as in transport file.
[mail.isp.tld]:587   username-as-used-at-isp:password

Update with postmap /etc/postfix/to-isp-password

You can even have different users at the same ISP, by using different
transports for them, each with their own password file.

-Olaf.
-- 
___ Olaf 'Rhialto' Seibert
\X/ There is no AI. There is just someone else's work.   --I. Rose


signature.asc
Description: PGP signature

Re: need your advice before new Raspberry Pi purchase

[Ramiro Aceves]

Hi John

El dom, 21 abr 2024 a las 23:44, John Klos () escribió:
>
> Hi,
>
> > "As of early 2024, NetBSD does not support the Raspberry Pi 5."
>
> I've lost interest in any new Raspberry Pi models since the
> corporatization of the Raspberry Pi Foundation. For higher performance ARM
> machines than the Raspberry Pi 4 hardware I already have, I'd go for a
> Rock Pro 5 or Orange Pi 5.

Interesting...

>
> >"RPI4 ethernet (Broadcom GENETv5) (but the man page for genet(4) is
> > missing)"
> >
> > Can I be sure that ethernet will work fine and reliable? Network speed?
>
> There were some issues last year with npf which I observed on one of my
> RPi 4 systems, but that's been addressed(-ish - not fixed, but mitigated).
>

Fine

> I've been running a RPi 4 with an uptime of 225 days as an NFS server for
> a fleet of machines that're running pkgsrc bulk builds.

Good!
>
> > "Issues and Workarounds"
> > "RPI4 xhci"
>
> I've never run any RPi 4 hardware without UEFI, although I tried a few
> times and don't remember any successes.

I will do it with UEFI as everybody says it is the way to go. Perhaps
the Install document should document this better in
https://cdn.netbsd.org/pub/NetBSD/NetBSD-10.0/evbarm-aarch64/INSTALL.html,
showing the different booting options.

>
> One of the things that UEFI does provide is that it makes having a serial
> console very easy. My colocated RPi 4 was connected to an RPi 3 so that I
> could boot the 4 with a serial console, get access to UEFI menus, boot
> single user, et cetera. This, together with a GPIO on the RPi3 wired to be
> able to reset the RPi 4, makes the RPi very useful as a remote server.

That is a good tip, one Rpi can resurrect the other in case of hang.

>
> > What is your final opinion about NetBSD in that board? Are there better
> > supported boards perhaps?
>
> I think different hardware has different uses. For almost instant booting,
> low power and small size, I use NanoPi Neo. For hardware-based VPN,
> for NAT / IPv6 / DNS / DHCP, et cetera, I use NanoPi R2S. For systems that
> need PCIe, I use RockPro64.
>
> I picked the Raspberry Pi 4 with a Flirc case for my 1U server because at
> the time it was not easy to find boards with 8 gigs of memory and with two
> USB 3 ports. I'm using the USB 3 ports to connect two large (8 TB)
> spinning rust disks in a raidframe mirror. For this configuration, it was
> ideal.
>
> What do you plan to use your Pi for?

Well, lighhttpd little personal web server, minidlna film server for
home. I am also thinking to use the RPi 4 to record audio from amateur
radio receivers with external USB cards (amateur radio and electronics
is my other hobby) or data from SDR network receivers. Also GPIO for
some automated tasks.

>
> > Many thanks and sorry for so many questions, just I want to be sure that I 
> > am
> > going to make a good and useful purchase. If I purchase a Rpi 4 instead of
> > Rpi 5 to have NetBSD support and It does not work ok, it will be a absolute
> > nonsense.
>
> Indeed. It's no fun to get something we can't use. The RPi 4 is very
> usable with NetBSD, although all of my experiences with things working
> very well is based on using UEFI.

Having received several positive reviews from you and others, I  have
just ordered my new RPi4,  is coming home on thursday. I think I am
going to have fun with it!.

We'll keep in touch, I will share the experience.
Regards.
Ramiro.


>
> > I appreciate your work very much and your comments and advice will be 
> > welcome
> > and very valuable for me.
>
> :)
>
> John Klos