Re: Import of DragonFly Mail Agent
from Mark Felder:
> Yes, however the Sendmail in base on FreeBSD 8 and 9 is compiled against
> OpenSSL < 1.0 which means it's missing support for TLS 1.2, SNI, and
> other modern best practice features.

That suggests putting sendmail into ports rather than the base system, so that updates would not depend on FreeBSD system release timing.

Such an argument was the big reason why pkg (pkgng) is a port rather than part of the base system.

Tom
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: Import of DragonFly Mail Agent
Bryan Drewery wrote this message on Mon, Feb 24, 2014 at 09:40 -0600:
> The RC script also leads to much confusion in this configuration:
>
> > # service sendmail stop
> > Stopping sendmail.
> > Waiting for PIDS: 80956.
> > sendmail_submit not running? (check /var/run/sendmail.pid).
> > Stopping sendmail_clientmqueue.
> > Waiting for PIDS: 81322.
>
> It wasn't running? Was it broken? Is that why I couldn't send mail?
>
> > # service sendmail start
> > Cannot 'start' sendmail. Set sendmail_enable to YES in /etc/rc.conf or use
> > 'onestart' instead of 'start'.
>
> Oh, it didn't start?
>
> > # ps uaxw|grep sendmail
> > root 64518 0.0 0.1 6020 2980 ?? Ss 10:19AM 0:00.00
> > sendmail: accepting connections (sendmail)
> > smmsp 64726 0.0 0.1 6020 2924 ?? Ss 10:19AM 0:00.00
> > sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
>
> Oh.
>
> Can I restart?
>
> > # service sendmail restart
> > Cannot 'restart' sendmail. Set sendmail_enable to YES in /etc/rc.conf or
> > use 'onerestart' instead of 'restart'.
> > Stopping sendmail_submit.
>
> Oh it looks dead again.
>
> > # ps uaxw|grep sendmail
> > smmsp 64726 0.0 0.0 6020 0 ?? IWs - 0:00.00
> > sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
> > root 88210 0.0 0.1 6020 3008 ?? Ss 10:20AM 0:00.00
> > sendmail: accepting connections (sendmail)
> > root 93369 0.0 0.1 3464 1296 18 S+ 10:20AM 0:00.00 grep
> > sendmail
>
> Nope.
>
> RC script bugs aside, how about modifying the actual configuration?

The problem with the above is that the people who did the work did enough for it to work in their configuration and dropped it in.. Having recently fixed some of this, it's clear that they didn't bother to test starting/stopping parts of sendmail and more complicated configurations... This is standard stuff that needs to be maintained... and I don't believe dma will magically fix stuff like the above... It just means someone will rewrite it with a new set of bugs...
--
John-Mark Gurney
Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
Re: Import of DragonFly Mail Agent
On 2014-02-25 16:31, RW wrote:
> On Mon, 24 Feb 2014 19:24:02 -0500 (EST)
> Benjamin Kaduk wrote:
>
>> On Mon, 24 Feb 2014, Lyndon Nerenberg wrote:
>>
>>>
>>> What would really help is if the ports fetch-recursive-list target
>>> could extend to reliably include the distfiles for the runtime
>>> dependencies as well. But I'm not even sure that's possible. We
>>> tried a few different things, but in the end we had to brute force
>>> it by running 'make fetch' in every one of the ports directories in
>>> order to get all the distfiles onto an external system, which we
>>> then rsynced to a USB drive, marched inside, and rsynced to the
>>> fileserver. Not pretty ... but with all the distfiles at hand we
>>> knew the inside ports builds wouldn't fail due to missing
>>> dependencies.
>>
>> I'm rather confused by why it isn't working for you.
>> http://svnweb.freebsd.org/ports/head/Mk/bsd.port.mk?revision=345884&view=markup#l5187
>>
>> is quite clearly looking in ALL-DEPENDS-LIST, which includes runtime
>> dependencies. The only thing I can think of is that non-default
>> configurations are in play, so that 'make config && make
>> config-recursive' should be (re-)run until it does not prompt, and
>> only then fetch-recursive-list be used.
>
>
> One oddity is that fetch-recursive-list generates a script that
> downloads all the files into the current directory. It doesn't take
> account of the fact that some ports look for their files in a
> sub-directory.

Some snippets from a script that is used to manage updates, tinderbox builds, poudriere builds ...

I collected all ports that are required to build my environments from tinderbox (./tc listPorts) and others in a plain txt file, in the format $cat/$port.

...
databases/php5-pdo
databases/php5-pdo_mysql
databases/php5-pdo_pgsql
databases/php5-pdo_sqlite
databases/php5-pgsql
databases/postgresql92-client
databases/postgresql92-server
databases/postgresql93-client
databases/postgresql93-server
databases/py-gdbm
databases/rrdtool
databases/rrdtool12
databases/sqlite3
...

Reading this file in a loop with a command like the following will fetch all required distfiles.

  while read port; do
      env -i WRKDIRPREFIX=/tmp/rbtrash PKG_DBDIR=/var/empty \
          LOCALBASE=/var/empty make fetch -DBATCH -C /usr/ports/${port} \
          -DCLEAN_FETCH_ENV -DDISABLE_CONFLICTS
  done < $path/to/interesting/port/list

A list of all required dependencies can be generated with this command (for a single port, or in the sample loop with s/fetch/all-depends-list/):

  $> make -C /usr/ports/$cat/${port} all-depends-list

Ports tree updates (portsnap or svn up) are written to a log which is used to generate a list of ports where the distfile is maybe missing; the loop then reads only this new list.

The directory with all distfiles is distributed via httpd to all build systems (make.conf: MASTER_SITE_OVERRIDE=$central/fetch/server/url).

Hope this gives some ideas ;)

--
olli
Re: Import of DragonFly Mail Agent
On Tue, Feb 25, 2014, at 10:07, Michel Talon wrote:
> Thomas Mueller wrote
>
> > There needs to be better documentation of sendmail if it is to be kept, and
> > the option to compile sendmail for fuller function including
> > SSL and TLS
>
> Apparently sendmail is compiled with ssl/tls support in FreeBSD,
> standard. This is what i get by sending mail from my
> freshly installed FreeBSD-10 machine niobe to the lab's mailhub (running
> postfix)
>

Yes, however the Sendmail in base on FreeBSD 8 and 9 is compiled against OpenSSL < 1.0 which means it's missing support for TLS 1.2, SNI, and other modern best practice features.
Re: Import of DragonFly Mail Agent
On 2/24/2014 6:56 AM, Daniel Kalchev wrote:
> On 24.02.14 13:47, Thomas Mueller wrote:
>> I don't believe BSD users use base system of itself to send and receive email. They use ports (FreeBSD) or equivalent in other BSDs.
>
> One of the beauties of the BSD 'base system' is that upon installation you have a usable workstation/server environment that can be immediately used for most Internet-related tasks -- and this most certainly includes SMTP. Or NTP. Or... used to include DNS.

Your beautiful base system ready for most Internet-related tasks does not have a:
- GUI
- browser
- media player
- email client
- IRC client
- office suite

I'm wondering what you consider "most" internet tasks. If I want a basic internet desktop, I need to install a couple hundred ports to achieve that. If I want a server that follows best practices, I have to install openssl from ports, which means I *can't* use the in-base sendmail even if I wanted to.
Re: Import of DragonFly Mail Agent
On Tue, Feb 25, 2014 at 11:30:56AM +0100, Baptiste Daroussin wrote:
> On Mon, Feb 24, 2014 at 11:50:10PM +0100, Jilles Tjoelker wrote:
> > On Mon, Feb 24, 2014 at 07:01:54PM +0400, Slawa Olhovchenkov wrote:
> > > On Mon, Feb 24, 2014 at 03:30:14PM +0100, Baptiste Daroussin wrote:
> > > > On Mon, Feb 24, 2014 at 06:17:37PM +0400, Slawa Olhovchenkov wrote:
> > > > > On Sun, Feb 23, 2014 at 10:11:56PM +0100, Baptiste Daroussin wrote:
> > > > > > As some of you may have noticed, I have imported a couple of days
> > > > > > ago dma (DragonFly Mail Agent) in base. I have been asked to
> > > > > > explain my motivation so here they are.
> > > > > What about suid, security separation, etc.?
> > > > What do you mean? dma is changing user as soon as possible, dma will
> > > > be capsicumized, what else do you want as information?
> > > sendmail (in the past) had the same behaviour (run as root and change
> > > user).
> > > This is some security risk.
> > > For many scenarios changing user is not simple (for example -- send a file
> > > from local user A to local user B, file with permission 0400).
> > > sendmail will be forced to change behaviour -- mailnull suid program
> > > to place mail into the queue and a root daemon to deliver to user.
> > > This is more complex.
> > > Can dma avoid this?
> > I'm a bit disappointed that dma uses setuid/setgid binaries, although it
> > is not a regression because sendmail also uses this Unix misfeature.
> > To avoid the large attack surface of set*id binaries (the untrusted user
> > can set many process parameters, pass strange file descriptors, send
> > signals, etc), I think it is better to implement trusted submission
> > differently. A privileged daemon (not necessarily running as root) can
> > listen on a Unix domain socket and use getpeereid(3) to verify the
> > credentials of the client.
> As long as $anyone locally can send emails, what is the point of
> checking getpeereid(3)?

Checking getpeereid(3) is useful to provide a more reliable indication of which user account originated the message, for example on web hosting servers. For this, it is best if the smarthost authenticates dma so a user cannot bypass dma.

--
Jilles Tjoelker
Re: Import of DragonFly Mail Agent
On 2/24/2014 6:56 AM, Daniel Kalchev wrote:
> One of the many problems with removing functionality is very well illustrated by what happens now, when you upgrade a pre-10 system running nameserver: you end up without it and eventually without your nameserver database as well. Imagine, one day a user updates their 10-stable to 11-stable only to find out mail is no more.

I understand your point, but that would mean they didn't read the release notes or UPGRADING prior to doing so. That is not a problem we can fix in software.
Re: Import of DragonFly Mail Agent
Thomas Mueller wrote
> There needs to be better documentation of sendmail if it is to be kept, and
> the option to compile sendmail for fuller function including
> SSL and TLS

Apparently sendmail is compiled with ssl/tls support in FreeBSD, standard. This is what I get by sending mail from my freshly installed FreeBSD-10 machine niobe to the lab's mailhub (running postfix)

Received: from niobe.lpthe.jussieu.fr (niobe.lpthe.jussieu.fr [134.157.10.41])
	(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "niobe.lpthe.jussieu.fr", Issuer "niobe.lpthe.jussieu.fr" (not verified))
	by parthe.lpthe.jussieu.fr (Postfix) with ESMTPS id 18143E4DE9

and indeed I see

niobe% telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 niobe.lpthe.jussieu.fr ESMTP Sendmail 8.14.7/8.14.7; Tue, 25 Feb 2014 16:41:11 +0100 (CET)
ehlo lpthe.jussieu.fr
250-niobe.lpthe.jussieu.fr Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP

There is a directory /etc/mail/certs with various certs, presumably self signed, which has been created at installation.

--
Michel Talon
ta...@lpthe.jussieu.fr
Re: Import of DragonFly Mail Agent
On Mon, 24 Feb 2014 19:24:02 -0500 (EST)
Benjamin Kaduk wrote:

> On Mon, 24 Feb 2014, Lyndon Nerenberg wrote:
>
> >
> > What would really help is if the ports fetch-recursive-list target
> > could extend to reliably include the distfiles for the runtime
> > dependencies as well. But I'm not even sure that's possible. We
> > tried a few different things, but in the end we had to brute force
> > it by running 'make fetch' in every one of the ports directories in
> > order to get all the distfiles onto an external system, which we
> > then rsynced to a USB drive, marched inside, and rsynced to the
> > fileserver. Not pretty ... but with all the distfiles at hand we
> > knew the inside ports builds wouldn't fail due to missing
> > dependencies.
>
> I'm rather confused by why it isn't working for you.
> http://svnweb.freebsd.org/ports/head/Mk/bsd.port.mk?revision=345884&view=markup#l5187
>
> is quite clearly looking in ALL-DEPENDS-LIST, which includes runtime
> dependencies. The only thing I can think of is that non-default
> configurations are in play, so that 'make config && make
> config-recursive' should be (re-)run until it does not prompt, and
> only then fetch-recursive-list be used.

One oddity is that fetch-recursive-list generates a script that downloads all the files into the current directory. It doesn't take account of the fact that some ports look for their files in a sub-directory.
Re: Re: Import of DragonFly Mail Agent
On 24.02.2014 15:56, Daniel Kalchev wrote:
> On 24.02.14 13:47, Thomas Mueller wrote:
>> I don't believe BSD users use base system of itself to send and receive email. They use ports (FreeBSD) or equivalent in other BSDs.
>
> One of the beauties of the BSD 'base system' is that upon installation you have a usable workstation/server environment that can be immediately used for most Internet-related tasks -- and this most certainly includes SMTP. Or NTP. Or... used to include DNS.
>
> We can strip pieces of FreeBSD off and end up with a kernel. Or we could keep the system very much usable out of the box.

+1!

and I want nsupdate back in base.

Matthias

--
Matthias Meyser | XeNET GmbH
Tel.: +49-5323-9489050 | 38678 Clausthal-Zellerfeld, Marktstrasse 40
Fax: +49-5323-94014 | Registration court: Amtsgericht Braunschweig HRB 110823
Email: mey...@xenet.de | Managing director: Matthias Meyser
Re: Import of DragonFly Mail Agent
from Julio Merino:
> On Mon, Feb 24, 2014 at 6:47 AM, Thomas Mueller
> wrote:
> > To Julio Merino: How long did NetBSD include both sendmail and postfix in
> > base? What NetBSD releases? What was the first release that included both
> > sendmail and postfix, and the first release where sendmail was dropped?

> As far as I can tell, postfix was added in NetBSD 1.5 (Dec 6, 2000), made
> the default in NetBSD 2.0 (Dec 9, 2004) and sendmail was removed in NetBSD
> 4.0 (Dec 19, 2007). That's a 7-year long transitional period.

> I haven't been able to find the discussion for the removal of sendmail
> unfortunately.

Oldest NetBSD I still have installed is 4.0.1 i386. I had no 64-bit computer at that time. I don't know if NetBSD 4.0.1 i386 would connect on my current Ethernet Realtek 8111E.

Postfix seems somewhat more user-friendly than sendmail, though I still got error sending mail, apparently because user name didn't match computer hostname.

There needs to be better documentation of sendmail if it is to be kept, and the option to compile sendmail for fuller function including SSL and TLS.

I hope dma will be well documented as to setup if it is imported into FreeBSD.

Tom
Re: Import of DragonFly Mail Agent
On Mon, Feb 24, 2014 at 11:50:10PM +0100, Jilles Tjoelker wrote:
> On Mon, Feb 24, 2014 at 07:01:54PM +0400, Slawa Olhovchenkov wrote:
> > On Mon, Feb 24, 2014 at 03:30:14PM +0100, Baptiste Daroussin wrote:
> > > On Mon, Feb 24, 2014 at 06:17:37PM +0400, Slawa Olhovchenkov wrote:
> > > > On Sun, Feb 23, 2014 at 10:11:56PM +0100, Baptiste Daroussin wrote:
> > > > > As some of you may have noticed, I have imported a couple of days
> > > > > ago dma (DragonFly Mail Agent) in base. I have been asked to
> > > > > explain my motivation so here they are.
> > > > What about suid, security separation, etc.?
> > > What do you mean? dma is changing user as soon as possible, dma will
> > > be capsicumized, what else do you want as information?
> > sendmail (in the past) had the same behaviour (run as root and change
> > user).
> > This is some security risk.
> > For many scenarios changing user is not simple (for example -- send a file
> > from local user A to local user B, file with permission 0400).
> > sendmail will be forced to change behaviour -- mailnull suid program
> > to place mail into the queue and a root daemon to deliver to user.
> > This is more complex.
> > Can dma avoid this?
>
> I'm a bit disappointed that dma uses setuid/setgid binaries, although it
> is not a regression because sendmail also uses this Unix misfeature.
>
> To avoid the large attack surface of set*id binaries (the untrusted user
> can set many process parameters, pass strange file descriptors, send
> signals, etc), I think it is better to implement trusted submission
> differently. A privileged daemon (not necessarily running as root) can
> listen on a Unix domain socket and use getpeereid(3) to verify the
> credentials of the client.
>

As long as $anyone locally can send emails, what is the point of checking getpeereid(3)?

regards,
Bapt
Re: Import of DragonFly Mail Agent
On 25 Feb 2014, at 08:09, Daniel Kalchev wrote:
> What we risk with "everything is a port" concept is that we live in a world
> that there is a lot of software to choose from, but from time to time, the
> software happens to be incompatible with FreeBSD in one way, or another.
> Another risk is the confusion of too much choice.

I think that, over the next few years, the hard line between base system and ports is going to become a little bit more of a gradient. I would like us to end up with multiple tiers:

1) These packages are required for absolutely everything, don't even think about not installing them even in a minimal service jail.

2) These packages are required for a usable system. They're in the default install, but if you're creating a jail you might not want them (e.g. nvi, some of the management tools) because you'll be doing all of your configuration with the version in the base system.

3) These packages are maintained by the FreeBSD project and are expected to integrate well with the base system. Some of them are part of various recommended installs for different configurations (e.g. graphical workstation, web server, whatever), but you can have a working minimal install without any of them. They will be supported for the duration of the release, including prompt security updates.

4) These packages are third-party programs that have been tested with FreeBSD and packaged by members of the FreeBSD project, but are developed independently. They will be supported on a best-effort basis for the release, but you may find that upgrading to a new version requires a newer release at some point.

5) These packages are provided by third parties, on third-party repositories, with no involvement from anyone in the FreeBSD project.

Currently, the base system overlaps tiers 1-3, and ports overlaps tiers 3-4.
Tier 3 is the source of most bikesheds, because there are lots of things that would benefit from some FreeBSD-specific integration work, are essential to a large section of the FreeBSD userbase, but are completely irrelevant to another large section.

David
Re: Import of DragonFly Mail Agent
On 24.02.14 19:49, Mark Felder wrote:
>> We can strip pieces of FreeBSD off and end up with a kernel. Or we could keep the system very much usable out of the box.
>
> Imagine a world where everything in FreeBSD is a package and we have a working "PROVIDES" framework. Upon installation you can choose the software that "provides" the MTA role. Same for DNS, NTP, database, webserver... That would be a great accomplishment along with a framework to create a master install image utilizing the options/packages you desire. I think this type of thing is definitely plausible if we keep moving forward.
>
> My personal opinion remains that complex software is better served/secured/maintained when it is handled in ports not in base.

While I agree with all you say, it is worth noting that bind/sendmail/ntp have been very compatible with FreeBSD precisely because of their integration with the base system.

What we risk with "everything is a port" concept is that we live in a world that there is a lot of software to choose from, but from time to time, the software happens to be incompatible with FreeBSD in one way, or another. Another risk is the confusion of too much choice.

There is a fine balance to be found here.

Daniel
Re: Import of DragonFly Mail Agent
On 25 Feb, Peter Jeremy wrote:
> On 2014-Feb-24 10:44:30 -0600, Bryan Drewery wrote:
>>
>>I have the Oreilly sendmail book here and it's thicker than The Design
>>and Implementation of the FreeBSD Operating System. That's quite an
>>application!
>
> More impressively, ISTR it's thicker than "The Magic Garden Explained"
> - which is the SVR4 internals.

Not counting the covers, they are about the same thickness. It's thinner than "TCP/IP Illustrated Volume 2", and *way* thinner than "Advanced Programming in the UNIX Environment".
Re: Import of DragonFly Mail Agent
On 2014-Feb-24 10:44:30 -0600, Bryan Drewery wrote:
>
>I have the Oreilly sendmail book here and it's thicker than The Design
>and Implementation of the FreeBSD Operating System. That's quite an
>application!

More impressively, ISTR it's thicker than "The Magic Garden Explained" - which is the SVR4 internals.

--
Peter Jeremy
Re: Import of DragonFly Mail Agent
On Mon, Feb 24, 2014 at 09:40:26AM -0600, Bryan Drewery wrote:
> IMHO base should be the very minimalistic needs to get a server online,
> and should be secure and simple by default.
...
> Anything not meeting the bare-bones criteria can be installed with 'pkg
> install' or ports.

+1 (OTOH I am not volunteering to do the work :-) )

mcl
Re: Import of DragonFly Mail Agent
On Mon, Feb 24, 2014 at 6:47 AM, Thomas Mueller wrote:
> To Julio Merino: How long did NetBSD include both sendmail and postfix in
> base? What NetBSD releases? What was the first release that included both
> sendmail and postfix, and the first release where sendmail was dropped?
>

As far as I can tell, postfix was added in NetBSD 1.5 (Dec 6, 2000), made the default in NetBSD 2.0 (Dec 9, 2004) and sendmail was removed in NetBSD 4.0 (Dec 19, 2007). That's a 7-year long transitional period.

I haven't been able to find the discussion for the removal of sendmail unfortunately.
Re: Import of DragonFly Mail Agent
On 2/24/14, 7:47 PM, Thomas Mueller wrote:
> I never got far enough with DragonFlyBSD or OpenBSD on live USB to see osmpd or opensmtpd (OpenBSD) or dma (DragonFly). I couldn't read hard drive from either OpenBSD or DragonFly, could read OpenBSD but not DragonFly live USB stick from FreeBSD and NetBSD, meaning poor interoperability on my system.
>
> But I find sendmail practically impossible to set up, and rather useless for my purposes. I use msmtp and mpop from ports for SMTP and POP3 mail, including SSL capability. These clients even allow multiple email accounts and multiple users; user name need not necessarily be the same as computer hostname.
>
> I've wondered if I'd lose anything by building FreeBSD WITHOUT_SENDMAIL.
>
> I looked and found mail/dma in FreeBSD ports tree. Could it be easily set up to use as SMTP client?
>
> I don't believe BSD users use base system of itself to send and receive email. They use ports (FreeBSD) or equivalent in other BSDs.

I do (though recompiling with SASL and TLS was a pain in the neck).

> Can't really say for Linux; "base system" is ill-defined given the anarchy of many different distributions.
>
> To Julio Merino: How long did NetBSD include both sendmail and postfix in base? What NetBSD releases? What was the first release that included both sendmail and postfix, and the first release where sendmail was dropped?
>
> But I think sendmail is still available in pkgsrc for users who'd rather have sendmail.
>
> Tom
Re: Import of DragonFly Mail Agent
On 2/24/14, 10:45 PM, Mark Felder wrote:
> On Mon, Feb 24, 2014, at 3:41, Joe Holden wrote:
>> On 24/02/2014 04:26, Julio Merino wrote:
>>> On Sun, Feb 23, 2014 at 4:11 PM, Baptiste Daroussin wrote:
>>>> Hi,
>>>>
>>>> As some of you may have noticed, I have imported a couple of days ago dma (DragonFly Mail Agent) in base. I have been asked to explain my motivation so here they are.
>>>>
>>>> DragonFly Mail Agent is a minimalistic mailer that is able to relay mails to some smtp servers (with TLS, authentication and so on) It supports MASQUERADE and NULLCLIENT, and is able to deliver mails locally (respecting aliases).
>>>>
>>>> I imported it because dma is lightweight, BSD license and easy to use. The code base is rather small and easy to capsicumize (which I plan to do)
>>>>
>>>> My initial goal is not to replace sendmail.
>>>
>>> But is it an eventual goal? *I* don't see why not, but if it is: what's the plan? How is the decision to drop sendmail going to be made when the time comes? (I.e. who _can_ and will make the call?)
>>>
>>>> All I want is a small mailer simple to configure, and not listening to port 25, suitable for small environment (embedded and/or resource bounded) as well as for server deployment.
>>>
>>> Playing devil's advocate: what specific problems is this trying to solve? I'd argue, for example, that postfix can be also easily configured and can be made to not listen on port 25 for local mail delivery, while at the same time it is a fully-functional MTA that could replace sendmail altogether. (Which, by the way, is the configuration with which postfix ships within the NetBSD base system.)
>>>
>>> The reason I'm asking these questions is because I have seen NetBSD maintain two MTAs (sendmail + postfix) in the base system for _years_ and it was not a pretty situation. The eventual removal of sendmail was appreciated, but of course it came with the associated bikeshedding.
>>>
>>> *dons flame-proof suit*
>>
>> The trend towards having sensible lightweight things in the base is a good thing IMO.
>> There is no need for things like bind (replaced by unbound), or a full featured mta like sendmail in the base, base install should contain enough to get going but for specific functions like performing MTA tasks, the user can install the appropriate software, such as postfix.
>>
>> Just my 2p :)
>
> I fully agree here. Lightweight services in base, fully featured in ports. It makes it easier for users to follow the latest and greatest MTA, DNS, etc this way as well.

Once again I repeat my suggestion that we should at some stage be splitting up our distribution into a smaller "required" core, a slightly larger "usual" and a larger "extended" software sets, where the last one would be maintained in ports but with a distinction that failure in those ports is a reason to hold up a release etc. i.e. "some ports are more important than others" and we should take that into account officially. I'd also like to see the PCBSD PBI formats more integrated into our release..

> Another nice feature of dma is that it's a perfect complement to your lightweight jails -- emails can get out, but no worrying about conflicts on port 25.
Re: Import of DragonFly Mail Agent
On Mon, 24 Feb 2014, Lyndon Nerenberg wrote:
> What would really help is if the ports fetch-recursive-list target could extend to reliably include the distfiles for the runtime dependencies as well. But I'm not even sure that's possible. We tried a few different things, but in the end we had to brute force it by running 'make fetch' in every one of the ports directories in order to get all the distfiles onto an external system, which we then rsynced to a USB drive, marched inside, and rsynced to the fileserver. Not pretty ... but with all the distfiles at hand we knew the inside ports builds wouldn't fail due to missing dependencies.

I'm rather confused by why it isn't working for you.
http://svnweb.freebsd.org/ports/head/Mk/bsd.port.mk?revision=345884&view=markup#l5187
is quite clearly looking in ALL-DEPENDS-LIST, which includes runtime dependencies. The only thing I can think of is that non-default configurations are in play, so that 'make config && make config-recursive' should be (re-)run until it does not prompt, and only then fetch-recursive-list be used. I suppose there could be broken ports that always prompt (ISTR kde used to do this), but I thought we had moved away from that.

-Ben
Re: Import of DragonFly Mail Agent
On Mon, Feb 24, 2014 at 07:01:54PM +0400, Slawa Olhovchenkov wrote:
> On Mon, Feb 24, 2014 at 03:30:14PM +0100, Baptiste Daroussin wrote:
> > On Mon, Feb 24, 2014 at 06:17:37PM +0400, Slawa Olhovchenkov wrote:
> > > On Sun, Feb 23, 2014 at 10:11:56PM +0100, Baptiste Daroussin wrote:
> > > > As some of you may have noticed, I have imported a couple of days
> > > > ago dma (DragonFly Mail Agent) in base. I have been asked to
> > > > explain my motivation so here they are.
> > > What about suid, security separation, etc.?
> > What do you mean? dma is changing user as soon as possible, dma will
> > be capsicumized, what else do you want as information?
> sendmail (in the past) had the same behaviour (run as root and change
> user).
> This is some security risk.
> For many scenarios changing user is not simple (for example -- send a file
> from local user A to local user B, file with permission 0400).
> sendmail will be forced to change behaviour -- mailnull suid program
> to place mail into the queue and a root daemon to deliver to user.
> This is more complex.
> Can dma avoid this?

I'm a bit disappointed that dma uses setuid/setgid binaries, although it is not a regression because sendmail also uses this Unix misfeature.

To avoid the large attack surface of set*id binaries (the untrusted user can set many process parameters, pass strange file descriptors, send signals, etc), I think it is better to implement trusted submission differently. A privileged daemon (not necessarily running as root) can listen on a Unix domain socket and use getpeereid(3) to verify the credentials of the client.

Note that the largest gain with set*id binaries is obtained when the last set*id binary is removed; we are pretty far from that.

--
Jilles Tjoelker
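The submission daemon Jilles sketches above, and his later point that the peer credentials give a reliable indication of which account originated a message, as an added C example (not dma's or sendmail's code; the policy, the trusted-uid list and all function names are assumptions). On Linux the kernel query is SO_PEERCRED rather than the getpeereid(3) the BSDs provide; the check itself is identical.

```c
#define _GNU_SOURCE                 /* struct ucred / SO_PEERCRED on Linux */
#include <sys/types.h>
#include <sys/socket.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>

/* Ask the kernel who is on the other end of a connected AF_UNIX socket.
 * FreeBSD, the other BSDs and macOS expose this as getpeereid(3), the call
 * named in the thread; Linux lacks getpeereid but SO_PEERCRED returns the
 * same uid/gid. Returns 0 on success, -1 if fd is not such a socket. */
static int peer_creds(int fd, uid_t *uid, gid_t *gid)
{
#ifdef __linux__
    struct ucred uc;
    socklen_t len = sizeof uc;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &uc, &len) == -1)
        return -1;
    *uid = uc.uid;
    *gid = uc.gid;
    return 0;
#else
    return getpeereid(fd, uid, gid);
#endif
}

/* What the submission daemon decides to do with a client's message. */
enum submit_verdict {
    SUBMIT_OK,       /* accept: claimed sender matches the real user */
    SUBMIT_REWRITE,  /* accept, but stamp the kernel-reported uid as sender */
    SUBMIT_REJECT    /* no kernel-backed identity available: refuse */
};

/* Policy check (hypothetical, not dma's): peer_uid is what the kernel
 * reported, claimed_uid is the local account the client says the mail is
 * from. Trusted uids may claim any sender (e.g. a daemon relaying for
 * others); everyone else is pinned to their real account, which is what
 * makes the sender trustworthy on a multi-user host such as a web server. */
static enum submit_verdict
check_submission(uid_t peer_uid, uid_t claimed_uid,
                 const uid_t *trusted, size_t ntrusted, uid_t *sender_uid)
{
    int is_trusted = 0;
    for (size_t i = 0; i < ntrusted; i++)
        if (trusted[i] == peer_uid)
            is_trusted = 1;
    if (is_trusted || claimed_uid == peer_uid) {
        *sender_uid = claimed_uid;
        return SUBMIT_OK;
    }
    *sender_uid = peer_uid;          /* a real daemon would log the mismatch */
    return SUBMIT_REWRITE;
}

/* Full flow on an accepted connection: credentials first, then policy. */
static enum submit_verdict
handle_submission(int fd, uid_t claimed_uid,
                  const uid_t *trusted, size_t ntrusted, uid_t *sender_uid)
{
    uid_t uid;
    gid_t gid;
    if (peer_creds(fd, &uid, &gid) == -1)
        return SUBMIT_REJECT;
    return check_submission(uid, claimed_uid, trusted, ntrusted, sender_uid);
}

/* Stand-alone scenario: a socketpair plays the daemon's accepted socket
 * (sv[0]) and the client (sv[1]), so the peer is this very process. */
static enum submit_verdict
run_scenario(uid_t claimed_uid, const uid_t *trusted, size_t ntrusted,
             uid_t *sender_uid)
{
    int sv[2];
    enum submit_verdict v;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return SUBMIT_REJECT;
    v = handle_submission(sv[0], claimed_uid, trusted, ntrusted, sender_uid);
    close(sv[0]);
    close(sv[1]);
    return v;
}

int main(void)
{
    const uid_t trusted[] = { 0 };   /* assumption: only root may set any sender */
    uid_t sender;
    enum submit_verdict v = run_scenario(getuid(), trusted, 1, &sender);
    printf("honest claim: verdict %d, sender uid %u\n", v, (unsigned)sender);
    v = run_scenario(getuid() + 1, NULL, 0, &sender);
    printf("forged claim: verdict %d, sender uid %u\n", v, (unsigned)sender);
    return 0;
}
```

The same check applied to a descriptor that is not a Unix domain socket yields SUBMIT_REJECT, since the kernel has no credentials to report.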
Re: Import of DragonFly Mail Agent
On Mon, Feb 24, 2014, at 12:46, Bryan Drewery wrote:
> On 2/23/2014 3:11 PM, Baptiste Daroussin wrote:
> > Hi,
> >
> > As some of you may have noticed, I have imported a couple of days ago dma (DragonFly Mail Agent) in base. I have been asked to explain my motivation so here they are.
>
> Does this support a /usr/sbin/sendmail wrapper for sending mail through CLI?

Yes. mailer.conf:

sendmail	/usr/local/libexec/dma
send-mail	/usr/local/libexec/dma
mailq		/usr/local/libexec/dma
Re: Import of DragonFly Mail Agent
On 02/24/14 17:16, Lucius Rizzo wrote:
> * Bryan Drewery [2014-02-24 09:40]:
>
>> Remembering the time I spent trying to configure sendmail to not accept inbound mail, and trying to get it to behave how I want, I fully support this. Of all the years I've messed with sendmail, I still have little understanding of how to configure it or if I've done it right.
>
> Hush! No sendmail hating :P. I remember it being a rite of passage to graduate to a ^real^ UNIX admin when you had lost half of your hair while working on sendmail.cf. In an era now long gone, I remember carrying the sendmail bible (thick with detailed instructions on cf vars) as protection vs. say a baseball bat.
>
> The Sendmail manual was thick, heavy and while I never did use it as a weapon; I had imagined many times throwing it at a server and see if that maybe fixed the problem with sendmail.cf.
>
> I've worked with MTA's a lot. I have hated and loved Sendmail. ATM, I am back in my I <3 Sendmail mode and have it running quite well -- with a lot of cool milters on some of my servers. But sendmail is not for the faint of heart, or ones who are at risk of hair loss. In fact, I would highly discourage sendmail use in the latter case.
>
>> My exaggerated view of sendmail as a user:
>
> [...]
>
> Poof..that's easy :P
>
>>> # Uncomment if you want STARTTLS support (only used in combination with
>>> # SECURETRANSFER)
>>> #STARTTLS
>>
>> Yes please. Simple.
>>
>> I'm not sure where to even start with sendmail to enable those options.
>
> See! That wasn't hard at all!! I don't get why people get so worried. What you posted was mostly mc stuff anyways. I would be far more impressed if you would have debugged that in the cf or via sendmail flags. :)))
>
> I often use ssmtp on servers that run Wordpress etc and collect most mail to a mailhub which routes it internally and externally.
>
> I <3 Sendmail.

I have been using Sendmail for about 25 years now and I must say that I still find it quite satisfactory, though a bit overkill for the current needs of me and my customers. And I certainly lost a lot of hair, but not just due to using Sendmail 8-). So you understand that I grew quite attached to Sendmail.

Nevertheless, I would like to see Sendmail moved to ports and replaced by DMA in base, as proposed by Baptiste. Sendmail can receive much better care as a port and it also should become much easier to configure it for special needs (authentication, etc). This would also open possibilities to experiment more with newer and lighter MTA's like Postfix and OpenSMTPD without having parts of sendmail still lying around and sendmail being rebuilt on every buildworld.

Go for it, and don't wait too long!

Kind regards,
Hans
Re: Import of DragonFly Mail Agent
On 2/23/2014 3:11 PM, Baptiste Daroussin wrote:
> Hi,
>
> As some of you may have noticed, I have imported a couple of days ago dma (DragonFly Mail Agent) in base. I have been asked to explain my motivation so here they are.
>

Does this support a /usr/sbin/sendmail wrapper for sending mail through CLI?

-- 
Regards,
Bryan Drewery
Re: Import of DragonFly Mail Agent
On Mon, Feb 24, 2014 at 1:07 PM, Joe Nosay wrote:
>
> On Mon, Feb 24, 2014 at 12:53 PM, Mark Felder wrote:
>
>> On Mon, Feb 24, 2014, at 9:50, Lyndon Nerenberg wrote:
>> >
>> > On Feb 24, 2014, at 7:40 AM, Bryan Drewery wrote:
>> >
>> > > Anything not meeting the bare-bones criteria can be installed with 'pkg install' or ports.
>> >
>> > Try this in a shop where all your machines are completely air-gapped from the internet.
>>
>> You might want to consult with Devin Teske. He deals with mass installations of airgapped FreeBSD and may be able to lend some tips on how he has tackled such challenges provided he doesn't have a massive NDA preventing him from talking about these high level details.
>
> Since Nathan did the basic setup of bsdinstall, why not ask him if it can be configured with an options screen?
> On the screen, let the user have his/her choice for mail agent, time server, et al; but, the user is able to only choose one. Just an isea.
>

I meant "idea". Sorry
Re: Import of DragonFly Mail Agent
On Mon, Feb 24, 2014 at 12:53 PM, Mark Felder wrote:
>
> On Mon, Feb 24, 2014, at 9:50, Lyndon Nerenberg wrote:
> >
> > On Feb 24, 2014, at 7:40 AM, Bryan Drewery wrote:
> >
> > > Anything not meeting the bare-bones criteria can be installed with 'pkg install' or ports.
> >
> > Try this in a shop where all your machines are completely air-gapped from the internet.
>
> You might want to consult with Devin Teske. He deals with mass installations of airgapped FreeBSD and may be able to lend some tips on how he has tackled such challenges provided he doesn't have a massive NDA preventing him from talking about these high level details.
>

Since Nathan did the basic setup of bsdinstall, why not ask him if it can be configured with an options screen? On the screen, let the user have his/her choice for mail agent, time server, et al; but, the user is able to only choose one. Just an isea.
Re: Import of DragonFly Mail Agent
On Mon, Feb 24, 2014, at 9:50, Lyndon Nerenberg wrote:
>
> On Feb 24, 2014, at 7:40 AM, Bryan Drewery wrote:
>
> > Anything not meeting the bare-bones criteria can be installed with 'pkg install' or ports.
>
> Try this in a shop where all your machines are completely air-gapped from the internet.

You might want to consult with Devin Teske. He deals with mass installations of airgapped FreeBSD and may be able to lend some tips on how he has tackled such challenges provided he doesn't have a massive NDA preventing him from talking about these high level details.
Re: Import of DragonFly Mail Agent
On Mon, Feb 24, 2014, at 8:56, Daniel Kalchev wrote:
>
> On 24.02.14 13:47, Thomas Mueller wrote:
> > I don't believe BSD users use base system of itself to send and receive email. They use ports (FreeBSD) or equivalent in other BSDs.
>
> One of the beauties of the BSD 'base system' is that upon installation you have a usable workstation/server environment that can be immediately used for most Internet-related tasks -- and this most certainly includes SMTP. Or NTP. Or... used to include DNS.
>

And one of the warts is our dedication to long support on FreeBSD releases; FreeBSD 8 is still supported with 8.3 and 8.4 releases. RELENG_8 was branched in August of 2009. FreeBSD 8.4 has an estimated EoL of June 30 2015. This is nearly 6 years since the original release -- an incredible amount of time to be maintaining such complex software. (Though I'm aware that Sendmail's release process is rather slow)

> We can strip pieces of FreeBSD off and end up with a kernel. Or we could keep the system very much usable out of the box.
>

Imagine a world where everything in FreeBSD is a package and we have a working "PROVIDES" framework. Upon installation you can choose the software that "provides" the MTA role. Same for DNS, NTP, database, webserver... That would be a great accomplishment along with a framework to create a master install image utilizing the options/packages you desire. I think this type of thing is definitely plausible if we keep moving forward.

My personal opinion remains that complex software is better served/secured/maintained when it is handled in ports not in base.
Re: Import of DragonFly Mail Agent
On Feb 24, 2014, at 8:50 AM, David Chisnall wrote:

> Or, purely hypothetically, if your goal was to make it work, you could just use Poudriere which will take a list of packages that you need and build a package set for you, which you can stick on a DVD / USB stick / whatever and take into your production environment.

For all the air-gapped shops I dealt with, any package builds had to be done inside the air-gap. (Those were the rules - I didn't make them.) The bottom line was: the fewer external dependencies to build a basically useful system, the better.

> If Poudriere doesn't do what you want, then constructive feature requests are always welcome (bapt likes having us add things to his to-do list - he has way too much free time).

What would really help is if the ports fetch-recursive-list target could extend to reliably include the distfiles for the runtime dependencies as well. But I'm not even sure that's possible.

We tried a few different things, but in the end we had to brute force it by running 'make fetch' in every one of the ports directories in order to get all the distfiles onto an external system, which we then rsynced to a USB drive, marched inside, and rsynced to the fileserver. Not pretty ... but with all the distfiles at hand we knew the inside ports builds wouldn't fail due to missing dependencies.

--lyndon
Re: Import of DragonFly Mail Agent
In message , Lyndon Nerenberg writes:
>On Feb 24, 2014, at 7:56 AM, Poul-Henning Kamp wrote:
>
>> Bullshit.
>
>Sounds like your week didn't get off to a good start.

No, I'm simply calling your argument bullshit, because it is.

>> You got FreeBSD in there in the first place, there clearly is some kind of aperture through which software can migrate.
>
>Yes, we walk in a DVD-ROM with a FreeBSD installation image on it.

So put your packages on there as well, if they're not already there (did you even check ?)

Or do a "cd /usr/ports && make fetch" and write a (number of ?) DVD's with the resulting distfiles, and carry those behind the firewall, knowing that you have 20k pieces of software including NetHack and an INTERCAL compiler, so you will never be bored, no matter how long the airgap remains open.

I've been doing exactly that since 1998 and I know it is both trivially easy and wonderfully assuring to the customer when you can tell them: "*All* the source code is here, and you are running a system verifiably compiled from it."

Just recently one of those old but still running FreeBSD systems was plucked out for a random audit. They found the CD's in storage, installed the FreeBSD 2.2.5 on a machine, also from storage, recompiled everything from sources, built the embedded image, installed the image and passed all the test-cases. And yes, now we're talking about a much overdue upgrade.

QED: Bullshit.

And no, we obviously should not move /bin/sh to ports, but software maintained by compet^H^H^H^H^H^capable projects outside of FreeBSD should not be imported into FreeBSD absent compelling reasons, and already imported software should be constantly scrutinized to see if there are better solutions.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
p...@freebsd.org         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Re: Import of DragonFly Mail Agent
On 24 Feb 2014, at 16:39, Lyndon Nerenberg wrote:

> If the above doesn't work, you have to fall back to ports. And this is where things get really hairy. Just generating the list of required distfiles is problematic. 'make fetch-recursive-list' will give you a script to run to pull down the direct build dependencies, but this misses run-time dependencies. Generating that list takes a lot of manual work, and is *very* time consuming.

Or, purely hypothetically, if your goal was to make it work, you could just use Poudriere which will take a list of packages that you need and build a package set for you, which you can stick on a DVD / USB stick / whatever and take into your production environment. It will also let you trivially update the package set to the latest version and build the packages with your specific configuration. If you need an environment this customised, but don't want to use the tools specifically designed for building such a setup, then you don't really get to complain.

If Poudriere doesn't do what you want, then constructive feature requests are always welcome (bapt likes having us add things to his to-do list - he has way too much free time).

David
Re: Import of DragonFly Mail Agent
On 2/24/2014 10:16 AM, Lucius Rizzo wrote:
> * Bryan Drewery [2014-02-24 09:40]:
>
>> Remembering the time I spent trying to configure sendmail to not accept inbound mail, and trying to get it to behave how I want, I fully support this. Of all the years I've messed with sendmail, I still have little understanding of how to configure it or if I've done it right.
>
> Hush! No sendmail hating :P. I remember it being a rite of passage to graduate to a ^real^ UNIX admin when you had lost half of your hair while working on sendmail.cf. In an era now long gone, I remember carrying the sendmail bible (thick with detailed instructions on cf vars) as protection vs. say a baseball bat.
>

I have the O'Reilly sendmail book here and it's thicker than The Design and Implementation of the FreeBSD Operating System. That's quite an application!

-- 
Regards,
Bryan Drewery
Re: Import of DragonFly Mail Agent
On Feb 24, 2014, at 7:56 AM, Poul-Henning Kamp wrote:

> Bullshit.

Sounds like your week didn't get off to a good start.

> You got FreeBSD in there in the first place, there clearly is some kind of aperture through which software can migrate.

Yes, we walk in a DVD-ROM with a FreeBSD installation image on it. This works because there is a self-contained installer that contains a very complete system. Certainly enough to build things like file servers and network infrastructure machines (dhcp, ntp, other general network services).

Installing ports/pkgs, on the other hand, is a real pain. For pre-built packages, you can build a list of dependencies, download the packages to an external machine, copy them to a portable drive, and walk them over to a shared filesystem. This works, provided there are pre-built images of the package and its recursive dependency tree (and that they are configured in a way that works for your environment).

If the above doesn't work, you have to fall back to ports. And this is where things get really hairy. Just generating the list of required distfiles is problematic. 'make fetch-recursive-list' will give you a script to run to pull down the direct build dependencies, but this misses run-time dependencies. Generating that list takes a lot of manual work, and is *very* time consuming.

The increasing focus on securing systems from network attacks is only increasing the number of air-gapped environments (and I know this from first hand experience). The sort of massive unbundling that a few people are tossing around here has the potential to exponentially increase the workload of people operating in the environments I have witnessed (and worked in). I want them to realize that there are ramifications to those sort of changes that need to be taken into consideration.

These days UNIX tends to be a single-user environment, for the most part. Because of that it is very easy for people to get into the mindset that "if I don't use it, nobody else uses it," and thus losing sight of the whole being so much greater than the sum of its parts.

That said, I can understand wanting to unbundle some of the very complex but lesser used components (e.g. bind). But there's always a balancing act to be performed here. Making every command in /usr/bin its own package serves nobody. (Yes, I exaggerate to make a point.)

--lyndon
Re: Import of DragonFly Mail Agent
On 2/24/2014 9:56 AM, Poul-Henning Kamp wrote:
> In message , Lyndon Nerenberg writes:
>
>> Try this in a shop where all your machines are completely air-gapped from the internet.
>
> Bullshit.
>
> You got FreeBSD in there in the first place, there clearly is some kind of aperture through which software can migrate.
>

This. You pulled in something from somewhere. Build your own packages from that somewhere and send them along in your image to 'pkg add' on first boot, or install them into the image directly so they are already there. I can't imagine an air-gapped default FreeBSD being of much use without *any* packages/ports installed.

-- 
Regards,
Bryan Drewery
Re: Import of DragonFly Mail Agent
On Feb 24, 2014 7:50 AM, "Lyndon Nerenberg" wrote:
>
> On Feb 24, 2014, at 7:40 AM, Bryan Drewery wrote:
>
> > Anything not meeting the bare-bones criteria can be installed with 'pkg install' or ports.
>
> Try this in a shop where all your machines are completely air-gapped from the internet.

Install from DVD which includes the vast majority of packages built from the ports tree. If you have a way to install FreeBSD, you have a way to get software onto it.
Re: Import of DragonFly Mail Agent
* Bryan Drewery [2014-02-24 09:40]:
> Remembering the time I spent trying to configure sendmail to not accept inbound mail, and trying to get it to behave how I want, I fully support this. Of all the years I've messed with sendmail, I still have little understanding of how to configure it or if I've done it right.

Hush! No sendmail hating :P. I remember it being a rite of passage to graduate to a ^real^ UNIX admin when you had lost half of your hair while working on sendmail.cf. In an era now long gone, I remember carrying the sendmail bible (thick with detailed instructions on cf vars) as protection vs. say a baseball bat.

The Sendmail manual was thick, heavy and while I never did use it as a weapon; I had imagined many times throwing it at a server and see if that maybe fixed the problem with sendmail.cf.

I've worked with MTA's a lot. I have hated and loved Sendmail. ATM, I am back in my I <3 Sendmail mode and have it running quite well -- with a lot of cool milters on some of my servers. But sendmail is not for the faint of heart, or ones who are at risk of hair loss. In fact, I would highly discourage sendmail use in the latter case.

> My exaggerated view of sendmail as a user:

[...]

Poof..that's easy :P

> > # Uncomment if you want STARTTLS support (only used in combination with
> > # SECURETRANSFER)
> > #STARTTLS
>
> Yes please. Simple.
>
> I'm not sure where to even start with sendmail to enable those options.

See! That wasn't hard at all!! I don't get why people get so worried. What you posted was mostly mc stuff anyways. I would be far more impressed if you would have debugged that in the cf or via sendmail flags. :)))

I often use ssmtp on servers that run Wordpress etc and collect most mail to a mailhub which routes it internally and externally.

I <3 Sendmail.

-- 
Lucius.Tel
The greatest griefs are those we cause ourselves. -- Sophocles
Re: ntpd replacement (Was: Re: Import of DragonFly Mail Agent)
On 24/02/2014 15:40, Poul-Henning Kamp wrote:
> In message <530b666a.1000...@rewt.org.uk>, Joe Holden writes:
>>> Please check how NTP is authenticated before giving bad advice, it's all in the RFC.
>>>
>> v3 or v4? It is an optional part of the spec in both cases and again isn't required for 99% of people using ntpd as a client, which was the entire point of this exercise in the first place.
>
> Authentication of NTP is rapidly gaining focus these days, for obvious reasons, so I think adopting software now which doesn't support it would be needlessly shortsighted.
>
> 3 years ago I would have agreed with you, but not now.

Fair enough, that isn't the real problem we are facing but rather than derail this thread even further I think it would be best to discuss that another day :)
Re: Import of DragonFly Mail Agent
In message , Lyndon Nerenberg writes:
>Try this in a shop where all your machines are completely air-gapped from the internet.

Bullshit.

You got FreeBSD in there in the first place, there clearly is some kind of aperture through which software can migrate.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
p...@freebsd.org         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Re: Import of DragonFly Mail Agent
On Feb 24, 2014, at 7:40 AM, Bryan Drewery wrote:

> Anything not meeting the bare-bones criteria can be installed with 'pkg install' or ports.

Try this in a shop where all your machines are completely air-gapped from the internet.
Re: ntpd replacement (Was: Re: Import of DragonFly Mail Agent)
In message <530b666a.1000...@rewt.org.uk>, Joe Holden writes:
>> Please check how NTP is authenticated before giving bad advice, it's all in the RFC.
>>
>v3 or v4? It is an optional part of the spec in both cases and again isn't required for 99% of people using ntpd as a client, which was the entire point of this exercise in the first place.

Authentication of NTP is rapidly gaining focus these days, for obvious reasons, so I think adopting software now which doesn't support it would be needlessly shortsighted.

3 years ago I would have agreed with you, but not now.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
p...@freebsd.org         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Re: Import of DragonFly Mail Agent
On 2/23/2014 3:11 PM, Baptiste Daroussin wrote:
> Hi,
>
> As some of you may have noticed, I have imported a couple of days ago dma (DragonFly Mail Agent) in base. I have been asked to explain my motivation so here they are.
>
> DragonFly Mail Agent is a minimalistic mailer that is able to relay mails to some smtp servers (with TLS, authentication and so on)
>
> It supports MASQUERADE and NULLCLIENT, and is able to deliver mails locally (respecting aliases).
>
> I imported it because dma is lightweight, BSD license and easy to use.
>

IMHO base should be the very minimalistic needs to get a server online, and should be secure and simple by default. Being able to connect to the server sending *out* messages to the world is quite important. Receiving and processing messages is not. I.e., there is no httpd, it is not critical for operation of system. There is no desktop environment or scripting language as they are not critical. Anything not meeting the bare-bones criteria can be installed with 'pkg install' or ports.

Having a full smtpd in base scares me as I never know if it is configured to prevent relaying or not. I go to extremes and block port 25/587 to be sure.

Remembering the time I spent trying to configure sendmail to not accept inbound mail, and trying to get it to behave how I want, I fully support this. Of all the years I've messed with sendmail, I still have little understanding of how to configure it or if I've done it right.

My exaggerated view of sendmail as a user:

> # grep sendmail /etc/defaults/rc.conf
> mta_start_script="/etc/rc.sendmail"
> # Settings for /etc/rc.sendmail and /etc/rc.d/sendmail:
> sendmail_enable="NO"                    # Run the sendmail inbound daemon (YES/NO).
> sendmail_pidfile="/var/run/sendmail.pid"    # sendmail pid file
> sendmail_procname="/usr/sbin/sendmail"  # sendmail process name
> sendmail_flags="-L sm-mta -bd -q30m"    # Flags to sendmail (as a server)
> sendmail_submit_enable="YES"            # Start a localhost-only MTA for mail submission
> sendmail_submit_flags="-L sm-mta -bd -q30m -ODaemonPortOptions=Addr=localhost"
> sendmail_outbound_enable="YES"          # Dequeue stuck mail (YES/NO).
> sendmail_outbound_flags="-L sm-queue -q30m"     # Flags to sendmail (outbound only)
> sendmail_msp_queue_enable="YES"         # Dequeue stuck clientmqueue mail (YES/NO).
> sendmail_msp_queue_flags="-L sm-msp-queue -Ac -q30m"
>                                         # Flags for sendmail_msp_queue daemon.
> sendmail_rebuild_aliases="NO"           # Run newaliases if necessary (YES/NO).
> # grep sendmail /etc/rc.conf
> sendmail_enable="NO"
> sendmail_submit_enable="YES"
> sendmail_outbound_enable="NO"
> sendmail_msp_queue_enable="YES"

This is quite obscure. Sendmail is not enabled? Outbound is not enabled? Sure they are. Submit is enabled? Is that port 587? 0.0.0.0:25? I don't want that.

The RC script also leads to much confusion in this configuration:

> # service sendmail stop
> Stopping sendmail.
> Waiting for PIDS: 80956.
> sendmail_submit not running? (check /var/run/sendmail.pid).
> Stopping sendmail_clientmqueue.
> Waiting for PIDS: 81322.

It wasn't running? Was it broken? Is that why I couldn't send mail?

> # service sendmail start
> Cannot 'start' sendmail. Set sendmail_enable to YES in /etc/rc.conf or use 'onestart' instead of 'start'.

Oh, it didn't start?

> # ps uaxw|grep sendmail
> root   64518  0.0  0.1  6020  2980  ??  Ss   10:19AM  0:00.00 sendmail: accepting connections (sendmail)
> smmsp  64726  0.0  0.1  6020  2924  ??  Ss   10:19AM  0:00.00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)

Oh. Can I restart?

> # service sendmail restart
> Cannot 'restart' sendmail. Set sendmail_enable to YES in /etc/rc.conf or use 'onerestart' instead of 'restart'.
> Stopping sendmail_submit.

Oh it looks dead again.

> # ps uaxw|grep sendmail
> smmsp  64726  0.0  0.0  6020     0  ??  IWs  -        0:00.00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
> root   88210  0.0  0.1  6020  3008  ??  Ss   10:20AM  0:00.00 sendmail: accepting connections (sendmail)
> root   93369  0.0  0.1  3464  1296  18  S+   10:20AM  0:00.00 grep sendmail

Nope.

RC script bugs aside, how about modifying the actual configuration?

> [/etc/mail] # ls
> ./                  README              aliases.db          freebsd.submit.cf   mailer.conf         submit.cf
> ../                 access.sample       freebsd.cf          freebsd.submit.mc   mailertable.sample  virtusertable.sample
> Makefile            aliases             freebsd.mc          helpfile            sendmail.cf

*lost* I just want to relay elsewhere.

> # grep -i relay *|wc -l
> 232

Having done this before I know it is SMART_HOST:

> # grep SMART *
> freebsd.mc:dnl define(`SMART_HOST', `your.isp.mail.server')

So do I edit this mc file? Then what? run make? Do I need it in the freebsd.submit.mc too?

sendmail
Re: ntpd replacement (Was: Re: Import of DragonFly Mail Agent)
On 24/02/2014 13:52, Poul-Henning Kamp wrote:
> In message <530b2dee.3030...@rewt.org.uk>, Joe Holden writes:
>> The other point I should make here is that if you care that much about time security you shouldn't be contacting ntp servers over 3rd party networks anyway, at least not without some IP-level encryption/authentication, or use a source that can't easily be used as an attack surface, such as GPS/MSF etc.
>
> Please check how NTP is authenticated before giving bad advice, it's all in the RFC.

v3 or v4? It is an optional part of the spec in both cases and again isn't required for 99% of people using ntpd as a client, which was the entire point of this exercise in the first place. If the argument is that X feature is missing then we may as well replace sendmail with exim as it has even more features, for example.

But most importantly, explain how it was bad advice? There are provisions for integrity checking (not authentication) and autokey. My point was that if you need to authenticate ntp to avoid mitm-style attacks then perhaps the setup you have is wrong. If there is something huge I have missed then feel free to correct me!
Re: Import of DragonFly Mail Agent
On 24.02.14 13:47, Thomas Mueller wrote:
> I don't believe BSD users use base system of itself to send and receive email. They use ports (FreeBSD) or equivalent in other BSDs.

One of the beauties of the BSD 'base system' is that upon installation you have a usable workstation/server environment that can be immediately used for most Internet-related tasks -- and this most certainly includes SMTP. Or NTP. Or... used to include DNS.

We can strip pieces of FreeBSD off and end up with a kernel. Or we could keep the system very much usable out of the box.

Indeed, the current integration of sendmail is far from optimal. In fact, BIND was better integrated but is now gone. NTP is also pretty well integrated -- it is nice to have ready access to such tools on *any* FreeBSD system. If one needs to strip down FreeBSD, there are already plenty of tools to do it, including WITHOUT_SENDMAIL.

One of the many problems with removing functionality is very well illustrated by what happens now, when you upgrade a pre-10 system running a nameserver: you end up without it and eventually without your nameserver database as well. Imagine, one day a user updates their 10-stable to 11-stable only to find out mail is no more.

Currently, without any user configuration, sendmail is run in send-only mode. You need to explicitly request for it to not run at all. If there is a suitable replacement that performs the tasks the send-only sendmail does, I see no problem to remove it. Or at least make it non-default for a release or two.

The only remaining issue to solve is "I just upgraded FreeBSD and now mail is not working". Perhaps by installing sendmail with pkg if it is requested in rc.conf?

Daniel
Re: Import of DragonFly Mail Agent
On Mon, Feb 24, 2014 at 03:30:14PM +0100, Baptiste Daroussin wrote:
> On Mon, Feb 24, 2014 at 06:17:37PM +0400, Slawa Olhovchenkov wrote:
> > On Sun, Feb 23, 2014 at 10:11:56PM +0100, Baptiste Daroussin wrote:
> > >
> > > As some of you may have noticed, I have imported a couple of days ago dma (DragonFly Mail Agent) in base. I have been asked to explain my motivation so here they are.
> >
> > What about suid, security separation, etc.?
>
> What do you mean? dma is changing user as soon as possible, dma will be capsicumized, what else do you want as information?

sendmail (in the past) had the same behaviour (run as root and change user). This is some security risk. For many scenarios changing user is not simple (for example -- sending a file from local user A to local user B, a file with permission 0400). sendmail was forced to change behaviour -- a mailnull suid program to place mail into the queue and a root daemon to deliver to the user. This is more complex. Can dma avoid this?
Re: Import of DragonFly Mail Agent
On Mon, Feb 24, 2014, at 3:41, Joe Holden wrote:
> On 24/02/2014 04:26, Julio Merino wrote:
> > On Sun, Feb 23, 2014 at 4:11 PM, Baptiste Daroussin wrote:
> >
> >> Hi,
> >>
> >> As some of you may have noticed, I have imported a couple of days ago dma (DragonFly Mail Agent) in base. I have been asked to explain my motivation so here they are.
> >>
> >> DragonFly Mail Agent is a minimalistic mailer that is able to relay mails to some smtp servers (with TLS, authentication and so on)
> >>
> >> It supports MASQUERADE and NULLCLIENT, and is able to deliver mails locally (respecting aliases).
> >>
> >> I imported it because dma is lightweight, BSD license and easy to use.
> >>
> >> The code base is rather small and easy to capsicumize (which I plan to do)
> >>
> >> My initial goal is not to replace sendmail.
> >
> > But is it an eventual goal? *I* don't see why not, but if it is: what's the plan? How is the decision to drop sendmail going to be made when the time comes? (I.e. who _can_ and will make the call?)
> >
> >> All I want is a small mailer simple to configure, and not listening to port 25, suitable for small environment (embedded and/or resource bounded) as well as for server deployment.
> >
> > Playing devil's advocate: what specific problems is this trying to solve? I'd argue, for example, that postfix can be also easily configured and can be made to not listen on port 25 for local mail delivery, while at the same time it is a fully-functional MTA that could replace sendmail altogether. (Which, by the way, is the configuration with which postfix ships within the NetBSD base system.)
> >
> > The reason I'm asking these questions is because I have seen NetBSD maintain two MTAs (sendmail + postfix) in the base system for _years_ and it was not a pretty situation. The eventual removal of sendmail was appreciated, but of course it came with the associated bikeshedding.
>
> *dons flame-proof suit*
>
> The trend towards having sensible lightweight things in the base is a good thing IMO. There is no need for things like bind (replaced by unbound), or a full featured mta like sendmail in the base, base install should contain enough to get going but for specific functions like performing MTA tasks, the user can install the appropriate software, such as postfix.
>
> Just my 2p :)

I fully agree here. Lightweight services in base, fully featured in ports. It makes it easier for users to follow the latest and greatest MTA, DNS, etc. this way as well.

Another nice feature of dma is that it's a perfect complement to your lightweight jails -- emails can get out, but no worrying about conflicts on port 25.
Re: Import of DragonFly Mail Agent
On Mon, Feb 24, 2014 at 06:17:37PM +0400, Slawa Olhovchenkov wrote:
> On Sun, Feb 23, 2014 at 10:11:56PM +0100, Baptiste Daroussin wrote:
> >
> > As some of you may have noticed, I have imported a couple of days ago dma (DragonFly Mail Agent) in base. I have been asked to explain my motivation so here they are.
>
> What about suid, security separation, etc.?

What do you mean? dma is changing user as soon as possible, dma will be capsicumized, what else do you want as information?

regards,
Bapt
Re: Import of DragonFly Mail Agent
On Sun, Feb 23, 2014 at 10:11:56PM +0100, Baptiste Daroussin wrote:
> As some of you may have noticed, I have imported a couple of days ago dma (DragonFly Mail Agent) in base. I have been asked to explain my motivation so here they are.

What about suid, security separation, etc.?
Re: ntpd replacement (Was: Re: Import of DragonFly Mail Agent)
In message <530b2dee.3030...@rewt.org.uk>, Joe Holden writes:
>The other point I should make here is that if you care that much about time security you shouldn't be contacting ntp servers over 3rd party networks anyway, at least not without some IP-level encryption/authentication, or use a source that can't easily be used as an attack surface, such as GPS/MSF etc.

Please check how NTP is authenticated before giving bad advice, it's all in the RFC.

-- 
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
p...@freebsd.org | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
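The mechanism the two posters are arguing about (Poul-Henning pointing at the RFC, Joe's reply above distinguishing integrity checking from authentication) is the symmetric-key MAC of RFC 5905, Appendix A: a key identifier followed by MD5 over the shared key and the packet, appended to the 48-byte header, which the receiver recomputes against its key table. The following is an added illustration, not code from either poster or from ntpd; it assumes packets without extension fields and uses constructed keys and timestamps.

```python
"""RFC 5905 symmetric-key authentication for NTP (Appendix A): the MAC is a
4-byte key identifier followed by MD5(key || NTP header). Added illustration,
not code from ntpd or from any poster; the packets and keys are constructed.
Assumption: packets carry no extension fields, so the MAC is the last 20 bytes."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
KEY_ID_LEN = 4
MD5_LEN = 16
MAC_LEN = KEY_ID_LEN + MD5_LEN


def build_client_request(transmit_ts: int) -> bytes:
    """Minimal 48-byte NTPv4 client header (LI=0, VN=4, Mode=3)."""
    first = (0 << 6) | (4 << 3) | 3  # leap indicator, version, mode -> 0x23
    # stratum, poll, precision, then root delay/dispersion, reference id and
    # the reference/origin/receive timestamps stay zero in a client request;
    # only the 64-bit transmit timestamp (bytes 40..47) is filled in.
    return (struct.pack("!BBbb", first, 0, 0, 0)
            + bytes(36)
            + struct.pack("!Q", transmit_ts & 0xFFFFFFFFFFFFFFFF))


def ntp_mac(key_id: int, key: bytes, packet: bytes) -> bytes:
    """Key ID plus MD5 over the key followed by the packet, as the RFC
    specifies (a keyed-prefix digest, not HMAC)."""
    digest = hashlib.md5(key + packet).digest()
    return struct.pack("!I", key_id) + digest


def authenticate(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Append the MAC to an NTP packet, as an authenticating sender would."""
    return packet + ntp_mac(key_id, key, packet)


def verify(message: bytes, trusted_keys: dict) -> str:
    """Classify an incoming packet the way a receiver with a key table would:
    'authenticated', 'unauthenticated' (no MAC present), 'unknown-key' or
    'bad-mac'. Only 'authenticated' replies should discipline the clock."""
    if len(message) == NTP_HEADER_LEN:
        return "unauthenticated"
    if len(message) < NTP_HEADER_LEN + MAC_LEN:
        return "bad-mac"
    body, mac = message[:-MAC_LEN], message[-MAC_LEN:]
    key_id = struct.unpack("!I", mac[:KEY_ID_LEN])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return "unknown-key"
    expected = hashlib.md5(key + body).digest()
    # constant-time comparison so the check itself leaks nothing about the digest
    if hmac.compare_digest(expected, mac[KEY_ID_LEN:]):
        return "authenticated"
    return "bad-mac"


# Constructed key table and request, shared by both ends for the demo.
DEMO_KEYS = {1: b"constructed-shared-secret"}
DEMO_REQUEST = build_client_request(0xE3D9C4A100000000)


def demo() -> dict:
    """Run the four cases a receiver has to tell apart."""
    signed = authenticate(DEMO_REQUEST, 1, DEMO_KEYS[1])
    tampered = bytearray(signed)
    tampered[40] ^= 0x01  # flip one bit of the transmit timestamp in transit
    wrong_key_id = authenticate(DEMO_REQUEST, 7, DEMO_KEYS[1])  # key 7 unknown
    return {
        "plain": verify(DEMO_REQUEST, DEMO_KEYS),
        "signed": verify(signed, DEMO_KEYS),
        "tampered": verify(bytes(tampered), DEMO_KEYS),
        "unknown_key": verify(wrong_key_id, DEMO_KEYS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} {result}")
```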
Re: Import of DragonFly Mail Agent
I never got far enough with DragonFlyBSD or OpenBSD on live USB to see osmpd or opensmtpd (OpenBSD) or dma (DragonFly). I couldn't read the hard drive from either OpenBSD or DragonFly, could read the OpenBSD but not the DragonFly live USB stick from FreeBSD and NetBSD, meaning poor interoperability on my system.

But I find sendmail practically impossible to set up, and rather useless for my purposes. I use msmtp and mpop from ports for SMTP and POP3 mail, including SSL capability. These clients even allow multiple email accounts and multiple users; the user name need not necessarily be the same as the computer hostname.

I've wondered if I'd lose anything by building FreeBSD WITHOUT_SENDMAIL. I looked and found mail/dma in the FreeBSD ports tree. Could it be easily set up to use as an SMTP client?

I don't believe BSD users use the base system of itself to send and receive email. They use ports (FreeBSD) or the equivalent in other BSDs. Can't really say for Linux; "base system" is ill-defined given the anarchy of many different distributions.

To Julio Merino: How long did NetBSD include both sendmail and postfix in base? What NetBSD releases? What was the first release that included both sendmail and postfix, and the first release where sendmail was dropped? But I think sendmail is still available in pkgsrc for users who'd rather have sendmail.

Tom
Re: ntpd replacement (Was: Re: Import of DragonFly Mail Agent)
On 24/02/2014 11:26, Joe Holden wrote:
> On 24/02/2014 11:18, Ollivier Robert wrote:
>> According to Joe Holden on Mon, Feb 24, 2014 at 11:13:23AM +0000:
>>> hm, I can't say I have noticed this as being a problem where I've used it, are there any scenarios where this is a showstopper?
>>
>> Non-support for auth is a concern, lack of NTPv4 protocol support is another. Base ntpd also includes SNTP which is a lightweight NTPv3 client.
>
> I suspect if you can't be reasonably sure about the integrity of your network traffic you have other problems anyway... one can run ntpd -s to get a similar function to ntpdate/sntp.
>
> But again, for 99% of installs as a client, auth and/or ntpv4 doesn't matter and much like sendmail/dma, one can always install ntp.org from ports if they require authentication (I've never seen it used).

The other point I should make here is that if you care that much about time security you shouldn't be contacting ntp servers over 3rd party networks anyway, at least not without some IP-level encryption/authentication, or use a source that can't easily be used as an attack surface, such as GPS/MSF etc.
Re: ntpd replacement (Was: Re: Import of DragonFly Mail Agent)
On 24/02/2014 11:18, Ollivier Robert wrote:
> According to Joe Holden on Mon, Feb 24, 2014 at 11:13:23AM +0000:
>> hm, I can't say I have noticed this as being a problem where I've used it, are there any scenarios where this is a showstopper?
>
> Non-support for auth is a concern, lack of NTPv4 protocol support is another. Base ntpd also includes SNTP which is a lightweight NTPv3 client.

I suspect if you can't be reasonably sure about the integrity of your network traffic you have other problems anyway... one can run ntpd -s to get a similar function to ntpdate/sntp.

But again, for 99% of installs as a client, auth and/or ntpv4 doesn't matter and much like sendmail/dma, one can always install ntp.org from ports if they require authentication (I've never seen it used).
ntpd replacement (Was: Re: Import of DragonFly Mail Agent)
According to Joe Holden on Mon, Feb 24, 2014 at 11:13:23AM +0000:
> hm, I can't say I have noticed this as being a problem where I've
> used it, are there any scenarios where this is a showstopper?

Non-support for auth is a concern, lack of NTPv4 protocol support is another. Base ntpd also includes SNTP which is a lightweight NTPv3 client.

-- 
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- robe...@keltia.net
In memoriam to Ondine, our 2nd child: http://ondine.keltia.net/
Re: Import of DragonFly Mail Agent
In message <530b2953.3030...@rewt.org.uk>, Joe Holden writes:
>> openntpd is not able to authenticate the sources it is using and thus lacks a big
>> ntp feature as a client.

Last I looked its clock-discipline algorithm was non-existent, it just slammed the clock around.

>hm, I can't say I have noticed this as being a problem where I've used
>it, are there any scenarios where this is a showstopper?

Yes, for this date and time it is a showstopper.

-- 
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
p...@freebsd.org | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Re: Import of DragonFly Mail Agent
On Mon, Feb 24, 2014 at 11:13:23AM +0000, Joe Holden wrote:
> On 24/02/2014 11:08, Baptiste Daroussin wrote:
> > On Mon, Feb 24, 2014 at 11:04:48AM +0000, Joe Holden wrote:
> >> On 24/02/2014 10:56, Poul-Henning Kamp wrote:
> >>> In message <530b2500.5030...@rewt.org.uk>, Joe Holden writes:
> >>>
> >>>> Can I also suggest that ntp.org shouldn't be in the base either? :P
> >>>
> >>> I absolutely agree, but the replacement is less clear in that case.
> >>>
> >> I'd suggest openntpd as a candidate as it would require less work than dntpd since that has some kernel changes.
> >>
> >> At ~400K it is pretty lightweight and doesn't listen at all by default, suitable as a default ntpd that just maintains time - one can always install ntp.org from ports should they need more features (such as access control and monlist, etc)
> >
> > openntpd is not able to authenticate the sources it is using and thus lacks a big ntp feature as a client.
> >
> > regards,
> > Bapt
>
> hm, I can't say I have noticed this as being a problem where I've used it, are there any scenarios where this is a showstopper?

Yes, when you really need to trust what ntp sources you are using, which means there are lots of scenarios.

regards,
Bapt
Re: Import of DragonFly Mail Agent
On 24/02/2014 11:08, Baptiste Daroussin wrote:
> On Mon, Feb 24, 2014 at 11:04:48AM +0000, Joe Holden wrote:
>> On 24/02/2014 10:56, Poul-Henning Kamp wrote:
>>> In message <530b2500.5030...@rewt.org.uk>, Joe Holden writes:
>>>> Can I also suggest that ntp.org shouldn't be in the base either? :P
>>>
>>> I absolutely agree, but the replacement is less clear in that case.
>>
>> I'd suggest openntpd as a candidate as it would require less work than dntpd since that has some kernel changes.
>>
>> At ~400K it is pretty lightweight and doesn't listen at all by default, suitable as a default ntpd that just maintains time - one can always install ntp.org from ports should they need more features (such as access control and monlist, etc)
>
> openntpd is not able to authenticate the sources it is using and thus lacks a big ntp feature as a client.
>
> regards,
> Bapt

hm, I can't say I have noticed this as being a problem where I've used it, are there any scenarios where this is a showstopper?
Re: Import of DragonFly Mail Agent
On Mon, Feb 24, 2014 at 11:04:48AM +0000, Joe Holden wrote:
> On 24/02/2014 10:56, Poul-Henning Kamp wrote:
> > In message <530b2500.5030...@rewt.org.uk>, Joe Holden writes:
> >
> >> Can I also suggest that ntp.org shouldn't be in the base either? :P
> >
> > I absolutely agree, but the replacement is less clear in that case.
> >
> I'd suggest openntpd as a candidate as it would require less work than dntpd since that has some kernel changes.
>
> At ~400K it is pretty lightweight and doesn't listen at all by default, suitable as a default ntpd that just maintains time - one can always install ntp.org from ports should they need more features (such as access control and monlist, etc)

openntpd is not able to authenticate the sources it is using and thus lacks a big ntp feature as a client.

regards,
Bapt
Re: Import of DragonFly Mail Agent
On 24/02/2014 10:56, Poul-Henning Kamp wrote:
> In message <530b2500.5030...@rewt.org.uk>, Joe Holden writes:
>> Can I also suggest that ntp.org shouldn't be in the base either? :P
>
> I absolutely agree, but the replacement is less clear in that case.

I'd suggest openntpd as a candidate as it would require less work than dntpd since that has some kernel changes.

At ~400K it is pretty lightweight and doesn't listen at all by default, suitable as a default ntpd that just maintains time - one can always install ntp.org from ports should they need more features (such as access control and monlist, etc)
Re: Import of DragonFly Mail Agent
In message <530b2500.5030...@rewt.org.uk>, Joe Holden writes:
>Can I also suggest that ntp.org shouldn't be in the base either? :P

I absolutely agree, but the replacement is less clear in that case.

-- 
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
p...@freebsd.org | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Re: Import of DragonFly Mail Agent
On 24/02/2014 10:00, Baptiste Daroussin wrote:
> On Mon, Feb 24, 2014 at 09:56:05AM +0000, Poul-Henning Kamp wrote:
>> In message <530b13ca.6000...@rewt.org.uk>, Joe Holden writes:
>>> On 24/02/2014 04:26, Julio Merino wrote:
>>>> On Sun, Feb 23, 2014 at 4:11 PM, Baptiste Daroussin wrote:
>>>>> As some of you may have noticed, I have imported a couple of days ago dma (DragonFly Mail Agent) in base. I have been asked to explain my motivation so here they are.
>>>> I'd argue, for example, that postfix can be also easily configured and can be made to not listen on port 25 for local mail delivery, while at the same time it is a fully-functional MTA that could replace sendmail altogether.
>>> The trend towards having sensible lightweight things in the base is a good thing IMO.
>>
>> Fully agree.
>>
>> To the extent we can manage it, we should have minimal client-focused tools for things like DNS, SMTP and NTP in the tree and make it trivial for people to install the fully featured server version of their choice from ports.
>
> That is what I'm doing with dma :) you want a full featured smtp server: pkg install ${FAVORITESMTP:-opensmtpd}
>
> regards,
> Bapt

Can I also suggest that ntp.org shouldn't be in the base either? :P
Re: Import of DragonFly Mail Agent
On Mon, Feb 24, 2014 at 09:56:05AM +0000, Poul-Henning Kamp wrote:
> In message <530b13ca.6000...@rewt.org.uk>, Joe Holden writes:
> >On 24/02/2014 04:26, Julio Merino wrote:
> >> On Sun, Feb 23, 2014 at 4:11 PM, Baptiste Daroussin wrote:
> >>> As some of you may have noticed, I have imported a couple of days ago dma (DragonFly Mail Agent) in base. I have been asked to explain my motivation so here they are.
> >> I'd argue, for example, that postfix can be also easily configured and can be made to not listen on port 25 for local mail delivery, while at the same time it is a fully-functional MTA that could replace sendmail altogether.
> >The trend towards having sensible lightweight things in the base is a good thing IMO.
>
> Fully agree.
>
> To the extent we can manage it, we should have minimal client-focused tools for things like DNS, SMTP and NTP in the tree and make it trivial for people to install the fully featured server version of their choice from ports.

That is what I'm doing with dma :) you want a full featured smtp server: pkg install ${FAVORITESMTP:-opensmtpd}

regards,
Bapt
Re: Import of DragonFly Mail Agent
In message <530b13ca.6000...@rewt.org.uk>, Joe Holden writes:
>On 24/02/2014 04:26, Julio Merino wrote:
>> On Sun, Feb 23, 2014 at 4:11 PM, Baptiste Daroussin wrote:
>>> As some of you may have noticed, I have imported a couple of days ago dma (DragonFly Mail Agent) in base. I have been asked to explain my motivation so here they are.
>> I'd argue, for example, that postfix can be also easily configured and can be made to not listen on port 25 for local mail delivery, while at the same time it is a fully-functional MTA that could replace sendmail altogether.
>The trend towards having sensible lightweight things in the base is a good thing IMO.

Fully agree.

To the extent we can manage it, we should have minimal client-focused tools for things like DNS, SMTP and NTP in the tree and make it trivial for people to install the fully featured server version of their choice from ports.

-- 
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
p...@freebsd.org | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Re: Import of DragonFly Mail Agent
On 24/02/2014 04:26, Julio Merino wrote:
> On Sun, Feb 23, 2014 at 4:11 PM, Baptiste Daroussin wrote:
>> Hi,
>>
>> As some of you may have noticed, I have imported a couple of days ago dma (DragonFly Mail Agent) in base. I have been asked to explain my motivation so here they are.
>>
>> DragonFly Mail Agent is a minimalistic mailer that is able to relay mails to some smtp servers (with TLS, authentication and so on)
>>
>> It supports MASQUERADE and NULLCLIENT, and is able to deliver mails locally (respecting aliases).
>>
>> I imported it because dma is lightweight, BSD license and easy to use.
>>
>> The code base is rather small and easy to capsicumize (which I plan to do)
>>
>> My initial goal is not to replace sendmail.
>
> But is it an eventual goal? *I* don't see why not, but if it is: what's the plan? How is the decision to drop sendmail going to be made when the time comes? (I.e. who _can_ and will make the call?)
>
>> All I want is a small mailer simple to configure, and not listening to port 25, suitable for small environment (embedded and/or resource bounded) as well as for server deployment.
>
> Playing devil's advocate: what specific problems is this trying to solve? I'd argue, for example, that postfix can be also easily configured and can be made to not listen on port 25 for local mail delivery, while at the same time it is a fully-functional MTA that could replace sendmail altogether. (Which, by the way, is the configuration with which postfix ships within the NetBSD base system.)
>
> The reason I'm asking these questions is because I have seen NetBSD maintain two MTAs (sendmail + postfix) in the base system for _years_ and it was not a pretty situation. The eventual removal of sendmail was appreciated, but of course it came with the associated bikeshedding.

*dons flame-proof suit*

The trend towards having sensible lightweight things in the base is a good thing IMO.

There is no need for things like bind (replaced by unbound), or a full featured mta like sendmail in the base, base install should contain enough to get going but for specific functions like performing MTA tasks, the user can install the appropriate software, such as postfix.

Just my 2p :)
Re: Import of DragonFly Mail Agent
On Mon, Feb 24, 2014 at 12:38:14PM +0400, Lev Serebryakov wrote:
> Hello, Baptiste.
> You wrote on 24 February 2014, 1:11:56:
>
> BD> DragonFly Mail Agent is a minimalistic mailer that is able to relay mails to
> BD> some smtp servers (with TLS, authentication and so on)
> One question: why not OpenSMTPD from OpenBSD?

Just because it is not minimalistic, but I have to admit that OpenSMTPD is really attractive as well :) (and iirc it doesn't support NULLCLIENT - not 100% sure about that)

regards,
Bapt
Re: Import of DragonFly Mail Agent
On 24 Feb 2014, at 08:35, Baptiste Daroussin wrote:
> dma can exactly do that :) while being smaller than opensmtpd (which is very very nice as well, this is the one I use when I need a full smtp setup :))

Sounds excellent then. We definitely should be moving to a world where all of the base system services are compartmentalised with capsicum and given the attack surface and complex security requirements of an MTA, it sounds like it would be an excellent idea. If you're willing to do the work then that's excellent (and makes you the de-facto winner of any resulting bikeshed)!

It would be good to have it merged to 10 for 10.2 so that people can play with it early. If we decide to switch for 11, then it would also be a good idea to teach the upgrade process how to recognise non-default sendmail configurations (or, at least, ask the question), move them to /usr/local, and install a sendmail port, so that people who want to be using it will keep doing so.

I'm only using sendmail because I learned just enough of the config file syntax to do what I wanted 10 or so years ago and then I had a working config and never overcame the inertia required to switch - a clean and modern replacement in base would give me the right incentive!

David
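David's suggestion that an upgrade should recognise non-default sendmail configurations, and Daniel's point earlier in the thread that an unconfigured system runs sendmail in send-only mode (and that sendmail could be pulled in with pkg when rc.conf asks for it), both reduce to reading the sendmail_* knobs in rc.conf. The following is an added example, not FreeBSD's own upgrade or rc.d code: it parses those assignments, classifies the mode against the /etc/defaults/rc.conf values assumed below, and reports whether the setup is one an upgrade should preserve; the rc.conf fragments are constructed.

```python
"""Classify a FreeBSD rc.conf's sendmail settings before an upgrade that might
drop sendmail from base. Added illustration, not FreeBSD's own upgrade or rc.d
code. Assumption: DEFAULTS are the /etc/defaults/rc.conf values of the
FreeBSD 9/10 era; the sample rc.conf texts are constructed."""
import re
import shlex

# Assumed defaults: "NO" means no daemon on port 25, but a localhost-only
# submission daemon and the queue runners still start (Daniel's "send-only
# mode"); "NONE" switches sendmail off entirely.
DEFAULTS = {
    "sendmail_enable": "NO",
    "sendmail_submit_enable": "YES",
    "sendmail_outbound_enable": "YES",
    "sendmail_msp_queue_enable": "YES",
}

ASSIGNMENT = re.compile(r"^\s*(sendmail_[A-Za-z0-9_]+)=(.*)$")


def parse_rc_conf(text: str) -> dict:
    """Return the sendmail_* assignments in rc.conf, last one winning like sh."""
    settings = {}
    for line in text.splitlines():
        match = ASSIGNMENT.match(line)
        if not match:
            continue  # comments, blank lines and unrelated variables
        name, raw_value = match.groups()
        try:
            # strips the shell quotes and any trailing "# comment"
            words = shlex.split(raw_value, comments=True)
        except ValueError:
            continue  # unbalanced quotes: leave that for sh to complain about
        settings[name] = words[0] if words else ""
    return settings


def sendmail_mode(settings: dict) -> str:
    """'listening' (daemon on port 25), 'send-only' (the default), or 'disabled'."""
    cfg = {**DEFAULTS, **settings}
    enable = cfg["sendmail_enable"].upper()
    if enable == "NONE":
        return "disabled"
    if enable == "YES":
        return "listening"
    runners = ("sendmail_submit_enable", "sendmail_outbound_enable",
               "sendmail_msp_queue_enable")
    if any(cfg[name].upper() == "YES" for name in runners):
        return "send-only"
    return "disabled"


def upgrade_plan(rc_conf_text: str) -> dict:
    """Decide whether the host relies on a non-default sendmail setup that an
    upgrade should preserve by installing sendmail from ports/pkg."""
    settings = parse_rc_conf(rc_conf_text)
    mode = sendmail_mode(settings)
    # anything set explicitly that differs from the defaults, including knobs
    # such as sendmail_flags that have no default in the table above
    overrides = {k: v for k, v in settings.items() if DEFAULTS.get(k) != v}
    keep = mode != "disabled" and bool(overrides)
    return {"mode": mode, "overrides": overrides, "keep_sendmail": keep}


# Constructed rc.conf fragments.
RC_DEFAULT = 'hostname="box.example"\n#sendmail_enable="YES"\nsshd_enable="YES"\n'
RC_FULL_MTA = (
    'hostname="mx.example"\n'
    'sendmail_enable="YES"   # accept mail on port 25\n'
    'sendmail_flags="-L sm-mta -bd -q30m"\n'
)
RC_DISABLED = 'sendmail_enable="NONE"\n'


if __name__ == "__main__":
    for label, text in (("default", RC_DEFAULT), ("full MTA", RC_FULL_MTA),
                        ("disabled", RC_DISABLED)):
        print(label, upgrade_plan(text))
```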
Re: Import of DragonFly Mail Agent
Hello, Baptiste.
You wrote on 24 February 2014, 1:11:56:

BD> DragonFly Mail Agent is a minimalistic mailer that is able to relay mails to
BD> some smtp servers (with TLS, authentication and so on)
One question: why not OpenSMTPD from OpenBSD?

-- 
// Black Lion AKA Lev Serebryakov
Re: Import of DragonFly Mail Agent
On Mon, Feb 24, 2014 at 08:32:13AM +0000, David Chisnall wrote:
> On 24 Feb 2014, at 07:34, Baptiste Daroussin wrote:
>
> > Usual complaints about sendmail in base until now have been:
> > - complex configuration
> > - long history of security concerns
> > - no need for a full mta in base
>
> The other complaint is that sendmail is only half of a usable MTA in base. If you actually want to use it for anything other than local delivery, then you need to turn on authentication, which means installing the saslauthd port and then recompiling sendmail from source. As soon as you do a freebsd-update, email stops working and you need to recompile sendmail again, meaning that you can't get binary security updates for one of the parts of the system with the worst security record.
>
> I would love to have something in the base system that can handle mail delivery and authenticated relaying out of the box. OpenBSD now ships with osmpd, which seems to work quite well for this, and if dma can as well then I'm very much in favour of it.

dma can exactly do that :) while being smaller than opensmtpd (which is very very nice as well, this is the one I use when I need a full smtp setup :))

regards,
Bapt
Re: Import of DragonFly Mail Agent
On 24 Feb 2014, at 07:34, Baptiste Daroussin wrote:
> Usual complaints about sendmail in base until now have been:
> - complex configuration
> - long history of security concerns
> - no need for a full mta in base

The other complaint is that sendmail is only half of a usable MTA in base. If you actually want to use it for anything other than local delivery, then you need to turn on authentication, which means installing the saslauthd port and then recompiling sendmail from source. As soon as you do a freebsd-update, email stops working and you need to recompile sendmail again, meaning that you can't get binary security updates for one of the parts of the system with the worst security record.

I would love to have something in the base system that can handle mail delivery and authenticated relaying out of the box. OpenBSD now ships with osmpd, which seems to work quite well for this, and if dma can as well then I'm very much in favour of it.

David
Re: Import of DragonFly Mail Agent
On Sun, Feb 23, 2014 at 11:26:20PM -0500, Julio Merino wrote:
> On Sun, Feb 23, 2014 at 4:11 PM, Baptiste Daroussin wrote:
>
> > Hi,
> >
> > As some of you may have noticed, I have imported a couple of days ago dma (DragonFly Mail Agent) in base. I have been asked to explain my motivation so here they are.
> >
> > DragonFly Mail Agent is a minimalistic mailer that is able to relay mails to some smtp servers (with TLS, authentication and so on)
> >
> > It supports MASQUERADE and NULLCLIENT, and is able to deliver mails locally (respecting aliases).
> >
> > I imported it because dma is lightweight, BSD license and easy to use.
> >
> > The code base is rather small and easy to capsicumize (which I plan to do)
> >
> > My initial goal is not to replace sendmail.
>
> But is it an eventual goal? *I* don't see why not, but if it is: what's the plan? How is the decision to drop sendmail going to be made when the time comes? (I.e. who _can_ and will make the call?)

Anyone at any time can call for this ;) if some bits are missing in dma to achieve this goal I'm willing to implement them.

> > All I want is a small mailer simple to configure, and not listening to port 25, suitable for small environment (embedded and/or resource bounded) as well as for server deployment.
>
> Playing devil's advocate: what specific problems is this trying to solve? I'd argue, for example, that postfix can be also easily configured and can be made to not listen on port 25 for local mail delivery, while at the same time it is a fully-functional MTA that could replace sendmail altogether. (Which, by the way, is the configuration with which postfix ships within the NetBSD base system.)
>
> The reason I'm asking these questions is because I have seen NetBSD maintain two MTAs (sendmail + postfix) in the base system for _years_ and it was not a pretty situation. The eventual removal of sendmail was appreciated, but of course it came with the associated bikeshedding.

I do understand that. One of the goals of this mail is also to get feedback from users about what they expect: is dma fulfilling their normal requirements for a local mailer in general purpose cases? If yes, I do not see a reason not to remove sendmail from base.

Usual complaints about sendmail in base until now have been:
- complex configuration
- long history of security concerns
- no need for a full mta in base

regards,
Bapt
Re: Import of DragonFly Mail Agent
On Sun, Feb 23, 2014 at 4:11 PM, Baptiste Daroussin wrote:
> Hi,
>
> As some of you may have noticed, I have imported a couple of days ago dma (DragonFly Mail Agent) in base. I have been asked to explain my motivation so here they are.
>
> DragonFly Mail Agent is a minimalistic mailer that is able to relay mails to some smtp servers (with TLS, authentication and so on)
>
> It supports MASQUERADE and NULLCLIENT, and is able to deliver mails locally (respecting aliases).
>
> I imported it because dma is lightweight, BSD license and easy to use.
>
> The code base is rather small and easy to capsicumize (which I plan to do)
>
> My initial goal is not to replace sendmail.

But is it an eventual goal? *I* don't see why not, but if it is: what's the plan? How is the decision to drop sendmail going to be made when the time comes? (I.e. who _can_ and will make the call?)

> All I want is a small mailer simple to configure, and not listening to port 25, suitable for small environment (embedded and/or resource bounded) as well as for server deployment.

Playing devil's advocate: what specific problems is this trying to solve? I'd argue, for example, that postfix can be also easily configured and can be made to not listen on port 25 for local mail delivery, while at the same time it is a fully-functional MTA that could replace sendmail altogether. (Which, by the way, is the configuration with which postfix ships within the NetBSD base system.)

The reason I'm asking these questions is because I have seen NetBSD maintain two MTAs (sendmail + postfix) in the base system for _years_ and it was not a pretty situation. The eventual removal of sendmail was appreciated, but of course it came with the associated bikeshedding.
Import of DragonFly Mail Agent
Hi,

As some of you may have noticed, I have imported a couple of days ago dma (DragonFly Mail Agent) in base. I have been asked to explain my motivation so here they are.

DragonFly Mail Agent is a minimalistic mailer that is able to relay mails to some smtp servers (with TLS, authentication and so on)

It supports MASQUERADE and NULLCLIENT, and is able to deliver mails locally (respecting aliases).

I imported it because dma is lightweight, BSD license and easy to use.

The code base is rather small and easy to capsicumize (which I plan to do)

My initial goal is not to replace sendmail. All I want is a small mailer simple to configure, and not listening to port 25, suitable for small environments (embedded and/or resource bounded) as well as for server deployment.

To be honest dma needs a bit more work (improving the retry queue, capsicumize), but is working.

I have read a couple of the past discussions about what the requirements for base as a mailer are (in case one wants to remove sendmail) and yes, dma is fulfilling all of them.

That said, I have never been a supporter of having a full mail server in base, as I consider a full mail server as being a specific use case, so not required on all setups; in my opinion dma is the kind of mailer that fits better with base requirements.

regards,
Bapt