Can anyone in Alberta sign into their health records with OpenBSD?
I'm still using 7.4, but wondering if anyone from Alberta is able to use any version of OpenBSD and any browser to sign in to access their Health Records at: https://myhealth.alberta.ca/uam/pages/Dashboard.aspx
Re: New filters auth and sign
On Sat, 01 Jun 2024 08:45:00 +0100, "Corey Hickman" wrote:
> does it have policy server included? for instance, when DKIM fails, the
> policy can be set up to deny the message.

Right now it ignores DMARC as if it doesn't exist. Doing a DMARC lookup for the domain and inserting its results into the header is possible and not a big deal, but it has some issues.

The first is parsing the From header. It is durable, but different MUAs may follow different logic, and a parser for this can be quite complicated. And complicated means bugs.

The second is more ideological. DMARC needs something that aggregates the results and sends out reports. It shouldn't be a filter for smtpd. But a filter can write its decision to the log, and something should harvest it to process and create the reports that need to be sent. Anyway, forensic reports, which should be close to real-time and include a lot of things from the original email, are a much more complicated story.

All this brings up the question of personal data / GDPR and DMARC. I know of a very good analysis of DMARC and GDPR in the case of German law [1], which can be summarized by a quote:

    The reports are fundamentally permitted and justified under data protection law. However, the principle of proportionality is to be complied with at all times.

Based on this analysis, I assume that only aggregated reports can be used without legal headaches in the EU. But implementing only a part of DMARC seems much worse than not implementing it at all, and implementing it in its entirety requires a lot of pieces in place, much more than just a filter. Thus, DMARC was discussed on the OpenBSD mailing lists a few months ago [2].

As a conclusion, I personally use the p=none policy, because I assume that my mail should be delivered, and To is not the final destination, it's a kind of starting direction of the mail's way to the recipient.

Footnotes:
[1] https://certified-senders.org/wp-content/uploads/2018/08/Report_DMARC_and_GDPR.pdf
[2] https://marc.info/?l=openbsd-misc&m=171015367409290&w=2

--
wbr, Kirill
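As an added example (not part of Kirill's post and not code from the auth filter), here is the DMARC evaluation step the message describes, written in Go: parse the RFC5322.From header, fetch the policy record, and check DKIM/SPF identifier alignment in strict or relaxed mode. The DNS lookup is replaced by a constructed in-memory table (fakeDNS, with example.org and example.net records), and the organizational-domain computation is a two-label approximation; a real implementation has to use the Public Suffix List. Both are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Constructed stand-in for the _dmarc.<domain> TXT lookup; no real DNS here.
var fakeDNS = map[string]string{
	"_dmarc.example.org": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.org",
	"_dmarc.example.net": "v=DMARC1; p=none",
}

// Record: p= policy plus adkim=/aspf= alignment modes ("r" relaxed default, "s" strict).
type Record struct{ Policy, ADKIM, ASPF string }

// ParseDMARC parses a "tag=value; tag=value" DMARC TXT record.
func ParseDMARC(txt string) (Record, error) {
	tags := map[string]string{"adkim": "r", "aspf": "r"}
	for _, kv := range strings.Split(txt, ";") {
		if kv = strings.TrimSpace(kv); kv == "" {
			continue
		}
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			return Record{}, fmt.Errorf("malformed tag %q", kv)
		}
		tags[strings.ToLower(strings.TrimSpace(parts[0]))] = strings.TrimSpace(parts[1])
	}
	if tags["v"] != "DMARC1" || tags["p"] == "" {
		return Record{}, fmt.Errorf("not a usable DMARC1 record: %q", txt)
	}
	return Record{Policy: tags["p"], ADKIM: tags["adkim"], ASPF: tags["aspf"]}, nil
}

// FromDomain extracts the RFC5322.From domain; exactly one address is required.
func FromDomain(from string) (string, error) {
	addrs, err := mail.ParseAddressList(from)
	if err != nil {
		return "", err
	}
	if len(addrs) != 1 {
		return "", fmt.Errorf("expected one From address, got %d", len(addrs))
	}
	at := strings.LastIndex(addrs[0].Address, "@")
	if at < 0 || at == len(addrs[0].Address)-1 {
		return "", fmt.Errorf("no domain in %q", addrs[0].Address)
	}
	return strings.ToLower(addrs[0].Address[at+1:]), nil
}

// orgDomain: last two labels (assumption; production code needs the Public Suffix List).
func orgDomain(d string) string {
	if l := strings.Split(d, "."); len(l) > 2 {
		return strings.Join(l[len(l)-2:], ".")
	}
	return d
}

// aligned applies identifier alignment: strict wants an exact match, relaxed
// the same organizational domain. Empty authDom means that mechanism did not pass.
func aligned(fromDom, authDom, mode string) bool {
	if authDom = strings.ToLower(authDom); authDom == "" {
		return false
	}
	if mode == "s" {
		return fromDom == authDom
	}
	return orgDomain(fromDom) == orgDomain(authDom)
}

// Evaluate returns "pass", "fail" or "none" (no record) and the policy. dkimPassDomain is
// the d= of a verified DKIM signature (empty if none); spfPassDomain the MAIL FROM domain if SPF passed.
func Evaluate(from, dkimPassDomain, spfPassDomain string) (string, string, error) {
	fromDom, err := FromDomain(from)
	if err != nil {
		return "", "", err
	}
	txt, ok := fakeDNS["_dmarc."+fromDom]
	if !ok { // nothing on the subdomain: fall back to the organizational domain
		if txt, ok = fakeDNS["_dmarc."+orgDomain(fromDom)]; !ok {
			return "none", "", nil
		}
	}
	rec, err := ParseDMARC(txt)
	if err != nil {
		return "", "", err
	}
	if aligned(fromDom, dkimPassDomain, rec.ADKIM) || aligned(fromDom, spfPassDomain, rec.ASPF) {
		return "pass", rec.Policy, nil
	}
	return "fail", rec.Policy, nil
}

func main() {
	// Strict adkim=s rejects the subdomain DKIM identifier; relaxed aspf=r still aligns SPF.
	fmt.Println(Evaluate("alice@mail.example.org", "example.org", "bounce.example.org"))
}
```

The From parsing is deliberately strict: a message with several From addresses, or one net/mail cannot parse, yields an error rather than a guess, which is the "complicated means bugs" concern from the message made explicit.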
Re: New filters auth and sign
June 1, 2024 at 7:34 AM, "Kirill A. Korinsky" wrote:
> Greetings,
>
> I'd like to announce two new filters for OpenSMTPD which are better used
> together: auth and sign.

Does it have a policy server included? For instance, when DKIM fails, the policy can be set up to deny the message.

Thanks.
Re: New filters auth and sign
On Sat, 01 Jun 2024 00:34:41 +0100, Kirill A. Korinsky wrote:
> Greetings,
>
> I'd like to announce two new filters for OpenSMTPD which are better used
> together: auth and sign.

Oops, wrong list. It should be m...@opensmtpd.org. Sorry for the noise.

--
wbr, Kirill
New filters auth and sign
Greetings,

I'd like to announce two new filters for OpenSMTPD which are better used together: auth and sign.

auth is a filter which verifies DKIM, ARC, SPF and iprev. It adds an Authentication-Results header or ARC-Authentication-Results.

sign is a filter which adds a DKIM or ARC signature, or an ARC seal.

For example, I run this configuration:

    filter "auth" proc-exec "filter-auth"
    listen on egress port smtp ... filter { admdscrub, "auth", dnsbl }

    filter sign_ed25519 proc-exec "filter-sign -a ed25519-sha256 -D /etc/mail/domains \
        -s 20240125ed25519 -k /etc/mail/dkim/20240125.ed25519.key" user _dkimsign group _dkimsign
    filter sign_rsa proc-exec "filter-sign -a rsa-sha256 -D /etc/mail/domains \
        -s 20240125rsa -k /etc/mail/dkim/20240125.rsa.key" user _dkimsign group _dkimsign
    filter arc_auth proc-exec "filter-auth -A"
    filter arc_sign proc-exec "filter-sign -A -a rsa-sha256 -d mx.catap.net \
        -s 20240125rsa -k /etc/mail/dkim/20240125.rsa.key" user _dkimsign group _dkimsign
    filter arc_seal proc-exec "filter-sign -S -a rsa-sha256 -d mx.catap.net \
        -s 20240125rsa -k /etc/mail/dkim/20240125.rsa.key" user _dkimsign group _dkimsign
    filter sign chain { sign_ed25519 sign_rsa arc_auth arc_sign arc_seal }
    listen on egress port submission ... filter sign

Here all incoming messages are authenticated by adding Authentication-Results, and all outgoing messages are:
- signed by two DKIM signatures with the correct domain (listed in /etc/mail/domains)
- signed by one ARC signature with domain mx.catap.net
- sealed by one ARC seal with domain mx.catap.net

Yeah, it is possible to use different selectors for the ARC signature and seal, but I haven't tested it.

The code is based on Martijn van Duren's filter-dkimsign, filter-dkimverify and filter-spf, and I also used some pieces from spfwalk.c from OpenSMTPD. Man pages for both filters are updated. Thus, the sign filter is a drop-in replacement for filter-dkimsign.

Code available here:
- https://github.com/catap/opensmtpd-filter-auth
- https://github.com/catap/opensmtpd-filter-sign

I also attached the ports for OpenBSD which I used to run it.

How stable is it? Well, enough to share and ask for feedback. It may contain bugs, but it should be fine to use. The produced signature was tested against gmail, yahoo, icloud.com and dkimpy and it holds. Anyway, outlook.com fails on the ARC signature with errors 35 or 47 (what do they mean?) and produces an invalid signature as the next in the ARC chain (tested by dkimpy).

Thus, this email was sent via a server which uses these filters, so the headers of this email are a good example.

--
wbr, Kirill

[attachment: filters.tgz]
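To make concrete what a signer such as filter-sign with `-a ed25519-sha256` has to produce, here is an added example in Go. It is not the filter's code: it implements the relaxed/relaxed canonicalization of RFC 6376, builds a DKIM-Signature header over a constructed sample message, signs with Ed25519 over the SHA-256 digest of the signed data as RFC 8463 specifies, and verifies the result, including the effect of a tampered header. The DNS side (publishing the key at selector._domainkey.domain) is left out; the key pair is generated in memory and the sample headers and body are constructed for the example (assumptions).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Header is one raw header field (name, value) as found in the message.
type Header struct{ Name, Value string }

var (
	wsp  = regexp.MustCompile(`[ \t]+`)
	bTag = regexp.MustCompile(`;\s*b=[^;]*`) // the b= value is excluded from the hash
)

// Constructed sample message (not a real mail from the thread).
var sampleHeaders = []Header{
	{"From", "Kirill <kirill@example.org>"},
	{"To", "misc@example.net"},
	{"Subject", "New   filters\r\n\tauth and sign"}, // folded, with extra WSP
	{"Date", "Sat, 01 Jun 2024 00:34:41 +0100"},
}

const sampleBody = "Greetings,  \r\n\r\nI'd like to announce two new filters.\r\n\r\n\r\n"

// relaxedHeader (RFC 6376 3.4.2): lowercase name, unfold, collapse WSP, trim, no WSP at the colon.
func relaxedHeader(h Header) string {
	v := strings.ReplaceAll(h.Value, "\r\n", "")
	v = strings.TrimSpace(wsp.ReplaceAllString(v, " "))
	return strings.ToLower(strings.TrimSpace(h.Name)) + ":" + v + "\r\n"
}

// relaxedBody (RFC 6376 3.4.4): strip trailing WSP, collapse WSP, drop empty trailing lines.
func relaxedBody(body string) string {
	lines := strings.Split(body, "\r\n")
	for i, l := range lines {
		lines[i] = strings.TrimRight(wsp.ReplaceAllString(l, " "), " ")
	}
	if out := strings.TrimRight(strings.Join(lines, "\r\n"), "\r\n"); out != "" {
		return out + "\r\n"
	}
	return ""
}

func bodyHash(body string) string {
	h := sha256.Sum256([]byte(relaxedBody(body)))
	return base64.StdEncoding.EncodeToString(h[:])
}

// signedDigest hashes the h= headers (last instance of each, per RFC 6376 5.4.2)
// followed by the DKIM-Signature header with an empty b= and no trailing CRLF.
func signedDigest(headers []Header, hlist []string, dkimValue string) []byte {
	var b strings.Builder
	for _, name := range hlist {
		for i := len(headers) - 1; i >= 0; i-- {
			if strings.EqualFold(headers[i].Name, name) {
				b.WriteString(relaxedHeader(headers[i]))
				break
			}
		}
	}
	b.WriteString(strings.TrimSuffix(relaxedHeader(Header{"DKIM-Signature", dkimValue}), "\r\n"))
	d := sha256.Sum256([]byte(b.String()))
	return d[:]
}

// Sign returns the DKIM-Signature header value for the message.
func Sign(priv ed25519.PrivateKey, domain, selector string, headers []Header, body string) string {
	hlist := []string{"from", "to", "subject", "date"}
	val := fmt.Sprintf("v=1; a=ed25519-sha256; c=relaxed/relaxed; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(hlist, ":"), bodyHash(body))
	// RFC 8463: pure Ed25519 over the SHA-256 digest of the signed data.
	return val + base64.StdEncoding.EncodeToString(ed25519.Sign(priv, signedDigest(headers, hlist, val)))
}

// Verify checks a DKIM-Signature value against the message and the selector's public key.
func Verify(pub ed25519.PublicKey, dkimValue string, headers []Header, body string) bool {
	tags := map[string]string{}
	for _, kv := range strings.Split(dkimValue, ";") {
		if p := strings.SplitN(strings.TrimSpace(kv), "=", 2); len(p) == 2 {
			tags[p[0]] = p[1]
		}
	}
	if tags["a"] != "ed25519-sha256" || tags["bh"] != bodyHash(body) {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	stripped := bTag.ReplaceAllString(dkimValue, "; b=")
	return ed25519.Verify(pub, signedDigest(headers, strings.Split(tags["h"], ":"), stripped), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dkim := Sign(priv, "example.org", "20240125ed25519", sampleHeaders, sampleBody)
	fmt.Println("DKIM-Signature:", dkim)
	fmt.Println("verifies:", Verify(pub, dkim, sampleHeaders, sampleBody))
}
```

Two points worth noticing when reading it: the relaxed body canonicalization is why trailing whitespace or extra blank lines added in transit do not break the signature, while any change to a signed header or to the body text does; and the algorithm tag is checked before the signature, so a verifier cannot be talked into treating the value as a different algorithm.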
Re: OpenSMTPD + rspamd to sign mail.
> On 8/12/21 5:09 AM, latin...@vcn.bc.ca wrote:
>> Hello
>>
>> After:
>> # pkg_add redis rspamd opensmtpd-filter-rspamd
>> successfully
>>
>> i got:
>> # rcctl start rspamd
>> rspamd(failed)
>>
>> then I did:
>> # rspamd -d
>> 2021-08-12 09:23:41 #0(main) ; main; detect_priv: cannot run
>> rspamd workers as root user, please add -u and -g options to select a
>> proper unprivilleged user or specify --insecure flag
>>
>> How to interpret it please?
>>
>> I did # chown -R spamd:_rspamd /etc/mail/dkim but it fails, then i did
>> # chown -R root:_spamd /etc/mail/dkim and it worked; anyway i suppose i
>> should do rspamd:_rspamd to change -u and -g
>>
>> thanks for your attention.
>>
> What is the contents of your /etc/rc.d/rspamd file? It should include
> lines like:
>
>   daemon="/usr/local/bin/rspamd"
>   daemon_flags="-u _rspamd -g _rspamd"

#!/bin/ksh
#
# $OpenBSD: rspamd.rc,v 1.4 2019/10/29 22:50:14 sthen Exp $

daemon="/usr/local/bin/rspamd"
daemon_flags="-u _rspamd -g _rspamd"

. /etc/rc.d/rc.subr

pexp="rspamd: main process.*"

rc_pre() {
	install -d /var/run/rspamd
}

rc_cmd $1

> Also, did you remember to enable the service with "rcctl enable rspamd"

Yes, i did it:

rcctl enable redis
rcctl enable rspamd
rcctl start redis
rcctl start rspamd

Thanks to respond.
Re: OpenSMTPD + rspamd to sign mail.
On 8/12/21 5:09 AM, latin...@vcn.bc.ca wrote:
> Hello
>
> After:
> # pkg_add redis rspamd opensmtpd-filter-rspamd
> successfully
>
> i got:
> # rcctl start rspamd
> rspamd(failed)
>
> then I did:
> # rspamd -d
> 2021-08-12 09:23:41 #0(main) ; main; detect_priv: cannot run
> rspamd workers as root user, please add -u and -g options to select a
> proper unprivilleged user or specify --insecure flag
>
> How to interpret it please?
>
> I did # chown -R spamd:_rspamd /etc/mail/dkim but it fails, then i did
> # chown -R root:_spamd /etc/mail/dkim and it worked; anyway i suppose i
> should do rspamd:_rspamd to change -u and -g
>
> thanks for your attention.

What is the contents of your /etc/rc.d/rspamd file? It should include lines like:

  daemon="/usr/local/bin/rspamd"
  daemon_flags="-u _rspamd -g _rspamd"

Also, did you remember to enable the service with "rcctl enable rspamd"
OpenSMTPD + rspamd to sign mail.
Hello

After:
# pkg_add redis rspamd opensmtpd-filter-rspamd
successfully

i got:
# rcctl start rspamd
rspamd(failed)

then I did:
# rspamd -d
2021-08-12 09:23:41 #0(main) ; main; detect_priv: cannot run rspamd workers as root user, please add -u and -g options to select a proper unprivilleged user or specify --insecure flag

How to interpret it please?

I did # chown -R spamd:_rspamd /etc/mail/dkim but it fails, then i did # chown -R root:_spamd /etc/mail/dkim and it worked; anyway i suppose i should do rspamd:_rspamd to change -u and -g

thanks for your attention.
[patch] use acme-client to sign certificated with ecdsa keys
Hello,

This is a short patch to let acme-client accept ECDSA keys now that letsencrypt accepts signing certificates with those keys. This functionality is present in certbot, so it might be a good idea to let acme-client accept that too.

The key needs to be generated manually, i.e.:

openssl ecparam -genkey -name secp384r1 -out privkey.pem

Best Regards

Index: rsa.c === RCS file: /cvs/src/usr.sbin/acme-client/rsa.c,v retrieving revision 1.7 diff -u -p -r1.7 rsa.c --- rsa.c 28 Jul 2018 15:25:23 - 1.7 +++ rsa.c 22 May 2019 11:17:47 - @@ -79,7 +79,8 @@ rsa_key_load(FILE *f, const char *fname) if (pkey == NULL) { warnx("%s: PEM_read_PrivateKey", fname); return NULL; - } else if (EVP_PKEY_type(pkey->type) == EVP_PKEY_RSA) + } else if (EVP_PKEY_type(pkey->type) == EVP_PKEY_RSA || + EVP_PKEY_type(pkey->type) == EVP_PKEY_EC ) return pkey; warnx("%s: unsupported key type", fname);
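Review bot: the hunk widens what rsa_key_load() returns, but nothing in it shows the callers being adjusted; if the same loader serves both the account key and the domain key, an EC account key now loads successfully and the failure moves to wherever the key is used (JWS signing of ACME requests or CSR generation), with a less obvious error than the current "unsupported key type". Confirm each caller handles EVP_PKEY_EC, or put the check at the one call site that does. Two smaller points: a function and file still named rsa now accept EC keys, which deserves at least a comment or a rename, and `EVP_PKEY_EC )` carries a stray space before the closing parenthesis.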
Re: mail sign/encrypt
On 09/05/18 19:44, Rudolf Sykora wrote:
> I want a small thing, hence Thunderbird is out.
> Similarly, mutt does way too many things (it's not just MUA),
> similarly (al)pine. (And both use ncurses, which I also
> want to avoid).
>
> For me mmh, mblaze or similar (eg. plan9 tools) is the way to go.
> Even snail is way too complex.

Agreed, it depends on your use case, but for sure Thunderbird is a heavy-weight. Turn on message filtering, and it has a particularly nasty memory leak I find: it brings my desktop at work (with 16GB RAM) to its knees after about 3 days running.

> So for now I sign and send email (prepared in message.txt) with this:
>
> openssl smime -sign -in message.txt -text -signer sec/certCVUT.mycrt.pem \
>     -inkey sec/certCVUT.mykey.pem -certfile sec/certCVUT.caChain.pem \
>     -from rudolf.syk...@cvut.cz -to rsyk...@disroot.org \
>     -subject "HI" | sendmail -t
>
> where certCVUT.mycrt.pem contains my certificate,
> certCVUT.mykey.pem contains my private key, and
> certCVUT.caChain.pem contains the chain of CAs.
> All these can be obtained from the .p12 file using
> appropriate openssl commands.

As I say, it depends on whether you're after S/MIME or OpenPGP; and Tony's advice was for OpenPGP. Thunderbird on its own can do S/MIME.

For completeness; signing and encrypting an email using GnuPG and sendmail: prepare message.txt and headers.txt, then

$ gpg --encrypt --clear-sign -a -r rsyk...@disroot.org < message.txt \
    | cat headers.txt - \
    | sendmail -t

would probably do the trick. (Untested)

--
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.
Re: mail sign/encrypt
> I'd suggest Thunderbird + Enigmail

I want a small thing, hence Thunderbird is out.
Similarly, mutt does way too many things (it's not just MUA),
similarly (al)pine. (And both use ncurses, which I also
want to avoid).

For me mmh, mblaze or similar (eg. plan9 tools) is the way to go.
Even snail is way too complex.

So for now I sign and send email (prepared in message.txt) with this:

openssl smime -sign -in message.txt -text -signer sec/certCVUT.mycrt.pem \
    -inkey sec/certCVUT.mykey.pem -certfile sec/certCVUT.caChain.pem \
    -from rudolf.syk...@cvut.cz -to rsyk...@disroot.org \
    -subject "HI" | sendmail -t

where certCVUT.mycrt.pem contains my certificate,
certCVUT.mykey.pem contains my private key, and
certCVUT.caChain.pem contains the chain of CAs.
All these can be obtained from the .p12 file using
appropriate openssl commands.

Thanks
Ruda
Re: mail sign/encrypt
On 05/05/18 08:31, Tony Boston wrote:
> On 05/03/18 10:30, Rudolf Sykora wrote:
>> Hello misc,
>>
>> I'd like to be able to optionally
>> - sign my email,
>> - encrypt the email.
>>
>> I have a certificate in the .p12 form,
>> containing my private key and two certificates,
>> one of them mine.
>>
>> I want to prepare mail locally, i.e. to use
>> some simple locally installed MUA.
>>
>> Is there a way with the default "mail" program,
>> or do I have to install some more powerful MUA?
>>
>> Thanks
>> Ruda
>>
>
> I'd suggest Thunderbird + Enigmail for that but that really depends on
> what machine you're running on or if you want to go for CLI only
>
> just my 2 cents

It's also worth noting that this would encrypt/sign using the OpenPGP standard. The discussion of .p12 certificates makes me suspicious the author is after S/MIME, which Thunderbird can do without any extensions.

--
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.
Re: mail sign/encrypt
On 05/03/18 10:30, Rudolf Sykora wrote:
> Hello misc,
>
> I'd like to be able to optionally
> - sign my email,
> - encrypt the email.
>
> I have a certificate in the .p12 form,
> containing my private key and two certificates,
> one of them mine.
>
> I want to prepare mail locally, i.e. to use
> some simple locally installed MUA.
>
> Is there a way with the default "mail" program,
> or do I have to install some more powerful MUA?
>
> Thanks
> Ruda

I'd suggest Thunderbird + Enigmail for that but that really depends on what machine you're running on or if you want to go for CLI only

just my 2 cents

--
Tony

GPG-FP: 913BBD25 8DA503C7 BAE0C0B6 8995E906 4FBAD580
Re: mail sign/encrypt
Hello again Rudolf.

Rudolf Sykora <rudolf.syk...@gmail.com> wrote:
 |I'd like to be able to optionally
 |- sign my email,
 |- encrypt the email.
 |
 |I have a certificate in the .p12 form,
 |containing my private key and two certificates,
 |one of them mine.
 |
 |I want to prepare mail locally, i.e. to use
 |some simple locally installed MUA.
 |
 |Is there a way with the default "mail" program,
 |or do I have to install some more powerful MUA?

S-nail can do that indeed, and once v14.9.10 finally really gets included in ports (and brings in 30+ months of what I call development), then you could even do at least some useful things with the on-compose-.. hooks that you have suggested over two years ago, too. And I see potential for improvement, also of the manual.

Thanks.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
mail sign/encrypt
Hello misc,

I'd like to be able to optionally
- sign my email,
- encrypt the email.

I have a certificate in the .p12 form, containing my private key and two certificates, one of them mine.

I want to prepare mail locally, i.e. to use some simple locally installed MUA.

Is there a way with the default "mail" program, or do I have to install some more powerful MUA?

Thanks
Ruda
Re: How does dpb sign packages in 6.1 ?
Ok thanks Stuart & Marc, and of course I managed to pebkac through my ports update script...

G.

On 05/04/17 10:43, Marc Espie wrote:
> dpb no longer does. Use pkg_sign(1) directly like sthen says.
>
> Before, signing directly during pkg_create(1) made some sense, since the
> archive was built just once with the signature inside.
>
> Now that the signature is outside, there is no gain to having
> pkg_create(1) sign directly, so that was scrapped.
Re: How does dpb sign packages in 6.1 ?
dpb no longer does. Use pkg_sign(1) directly like sthen says.

Before, signing directly during pkg_create(1) made some sense, since the archive was built just once with the signature inside.

Now that the signature is outside, there is no gain to having pkg_create(1) sign directly, so that was scrapped.
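As an added example, not part of this thread and not the code of pkg_sign(1) or signify(1): the signify container that a signature "outside" the package uses, reproduced in Go so the pieces are visible. A public-key file is an "untrusted comment:" line followed by base64 of the tag "Ed", an 8-byte key number and the 32-byte Ed25519 public key; a signature file is the same tag and key number followed by the 64-byte Ed25519 signature over the whole message. Verification checks the tag, matches the key number before doing any cryptography, and reports a mismatch the way signify does. The bcrypt-protected private-key file format is not reproduced; the key pair and the signed payload are in-memory, constructed values (assumptions).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

const (
	commentHdr = "untrusted comment: "
	pkAlg      = "Ed" // the only algorithm tag signify knows
	keyNumLen  = 8
)

// Key is an in-memory signify key pair (assumption: the on-disk, passphrase
// protected private-key format is deliberately not reproduced).
type Key struct {
	Name   string // file name the signature will tell users to verify with
	Keynum []byte
	Pub    ed25519.PublicKey
	Priv   ed25519.PrivateKey
}

func GenerateKey(name string) (*Key, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	keynum := make([]byte, keyNumLen)
	if _, err := rand.Read(keynum); err != nil {
		return nil, err
	}
	return &Key{Name: name, Keynum: keynum, Pub: pub, Priv: priv}, nil
}

// encode renders comment line + base64("Ed" || parts...) + newline.
func encode(comment string, parts ...[]byte) []byte {
	blob := []byte(pkAlg)
	for _, p := range parts {
		blob = append(blob, p...)
	}
	return []byte(commentHdr + comment + "\n" + base64.StdEncoding.EncodeToString(blob) + "\n")
}

// PubFile renders the public key in signify's key-file layout.
func (k *Key) PubFile() []byte { return encode(k.Name+" public key", k.Keynum, k.Pub) }

// Sign renders a detached signature file over the whole message.
func (k *Key) Sign(msg []byte) []byte {
	return encode("verify with "+k.Name, k.Keynum, ed25519.Sign(k.Priv, msg))
}

// parseFile splits a signify file into its comment and the blob after the "Ed" tag.
func parseFile(data []byte) (comment string, blob []byte, err error) {
	lines := strings.SplitN(string(data), "\n", 3)
	if len(lines) < 2 || !strings.HasPrefix(lines[0], commentHdr) {
		return "", nil, errors.New("missing 'untrusted comment' line")
	}
	if blob, err = base64.StdEncoding.DecodeString(lines[1]); err != nil {
		return "", nil, err
	}
	if len(blob) < len(pkAlg)+keyNumLen || string(blob[:len(pkAlg)]) != pkAlg {
		return "", nil, errors.New("unsupported algorithm")
	}
	return strings.TrimPrefix(lines[0], commentHdr), blob[len(pkAlg):], nil
}

// Verify checks sigFile against msg with pubFile, as signify -V would.
func Verify(pubFile, sigFile, msg []byte) error {
	_, pk, err := parseFile(pubFile)
	if err != nil {
		return fmt.Errorf("public key: %w", err)
	}
	_, sg, err := parseFile(sigFile)
	if err != nil {
		return fmt.Errorf("signature: %w", err)
	}
	if len(pk) != keyNumLen+ed25519.PublicKeySize || len(sg) != keyNumLen+ed25519.SignatureSize {
		return errors.New("bad key or signature length")
	}
	// The key number distinguishes "wrong key" from "forged" before any crypto runs.
	if !bytes.Equal(pk[:keyNumLen], sg[:keyNumLen]) {
		return errors.New("verification failed: checked against wrong key")
	}
	if !ed25519.Verify(ed25519.PublicKey(pk[keyNumLen:]), msg, sg[keyNumLen:]) {
		return errors.New("signature verification failed")
	}
	return nil
}

func main() {
	k, err := GenerateKey("pkg.pub")
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample payload\n") // stands in for the data pkg_sign signs
	sig := k.Sign(msg)
	fmt.Print(string(k.PubFile()), string(sig))
	fmt.Println("verify:", Verify(k.PubFile(), sig, msg))
	fmt.Println("verify tampered:", Verify(k.PubFile(), sig, []byte("tampered")))
}
```

The key-number check is the reason a signature made with a rotated key fails fast with "checked against wrong key" rather than with a generic verification error: the verifier can tell which key it needs before it spends time on the Ed25519 check.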
Re: How does dpb sign packages in 6.1 ?
On 2017-04-04, Noth <nothingn...@citycable.ch> wrote:
> I'm trying to use dpb in 6.1-current, and my setup works till it
> tries to sign the package it makes and then fails with this message:
..
> I've updated my signify keys and placed them in $CHROOT/etc/signify. I
> can't work out what dpb is expecting now that we no longer have
> SIGNING_PARAMETERS in mk.conf .

Use pkg_sign(1) separately after the build. For official builds this is done on a different machine.
How does dpb sign packages in 6.1 ?
Hi all,

I'm trying to use dpb in 6.1-current, and my setup works till it tries to sign the package it makes and then fails with this message:

==> Building package for bzip2-1.0.6p8
Create /data/packages/amd64/all/bzip2-1.0.6p8.tgz
reading plist| checking dependencies| checksumming| [progress bar output elided] archiving| [progress bar output elided]
file:/data/packages/amd64/tmp/bzip2-1.0.6p8.tgz: unsigned package (signify(1) doesn't see old-style signatures)
Fatal error: Bad package /data/packages/amd64/tmp/bzip2-1.0.6p8.tgz at /usr/ports/infrastructure/bin/register-plist line 527.
*** Error 1 in archivers/bzip2 (/usr/ports/infrastructure/mk/bsd.port.mk:1895 '/data/packages/amd64/all/bzip2-1.0.6p8.tgz')
*** Error 1 in archivers/bzip2 (/usr/ports/infrastructure/mk/bsd.port.mk:2416 '_internal-package')
*** Error 1 in archivers/bzip2 (/usr/ports/infrastructure/mk/bsd.port.mk:2396 'package')
===> Exiting archivers/bzip2 with an error
*** Error 1 in /usr/ports (infrastructure/mk/bsd.port.subdir.mk:147 'package')
Error: job failed 256

I've updated my signify keys and placed them in $CHROOT/etc/signify. I can't work out what dpb is expecting now that we no longer have SIGNING_PARAMETERS in mk.conf.

Any ideas?

Cheers,
Noth
Re: dkimproxy_out doesn't sign my outgoing messages
On Wed, Nov 09, 2016 at 06:13:47PM +0100, Walter Alejandro Iglesias wrote:
> Taking into account the /etc/rc.d/dkimproxy_out flags:
>
>   daemon_flags="--conf_file=/etc/dkimproxy_out.conf --user=_dkimproxy --group=_dkimproxy"
>
> These files should be owned by the _dkimproxy user and group.

It worked! Big thanks trondd!

(Next time I promise to read the logs more carefully)
Re: dkimproxy_out doesn't sign my outgoing messages
On Wed, Nov 09, 2016 at 11:57:18AM -0500, trondd wrote:
> Should also be in the maillog.

Hey, I think I found the problem:

Nov 9 10:37:12 server dkimproxy.out[38514]: signing error: Error: cannot read /var/dkimproxy/default.private: Permission denied

The permissions are:

# ls -l /var/dkimproxy/
total 8
-rw-------  1 root  wheel  887 Nov  9 10:50 default.private
-rw-------  1 root  wheel  313 Nov  9 10:50 default.txt

Taking into account the /etc/rc.d/dkimproxy_out flags:

daemon_flags="--conf_file=/etc/dkimproxy_out.conf --user=_dkimproxy --group=_dkimproxy"

These files should be owned by the _dkimproxy user and group.
Re: dkimproxy_out doesn't sign my outgoing messages
trondd,

Your response was also useful to me in another, more important way. I took a look at the headers of your message and I observe gmail says your dkim is correct:

Authentication-Results: mx.google.com; dkim=pass header.i=@kagu-tsuchi.com;

However, I had to rescue your message from my gmail SPAM folder! So, I wonder if all these efforts are in vain. :-)

(I'm starting to think spammers are sponsored by them)
Re: dkimproxy_out doesn't sign my outgoing messages
On Wed, November 9, 2016 11:39 am, Walter Alejandro Iglesias wrote:
> On Wed, Nov 09, 2016 at 09:27:58AM -0500, trondd wrote:
>> On Wed, November 9, 2016 9:14 am, Walter Alejandro Iglesias wrote:
>>> Hi everyone,
>>>
>>> First of all, is dkimproxy a work in progress?
>>>
>>> If it's not, then the long one. I've tried something similar to
>>> the example in smtpd.conf(5). Outgoing messages don't get signed.
>>>
>>> # dkim-genkey -s default -d mydomain.com -r -D /var/dkimproxy
>>>
>>> /etc/dkimproxy_out.conf
>>> ---
>>> listen    127.0.0.1:10027
>>> relay     127.0.0.1:10028
>>> domain    mydomain.com
>>> signature dkim(c=relaxed)
>>> signature domainkeys(c=nofws)
>>> keyfile   /var/dkimproxy/default.private
>>> selector  default
>>>
>>> /etc/mail/smtpd.conf
>>> ---
>>> egress_int="em0"
>>> server="server.mydomain.com"
>>> ca $server certificate "/etc/ssl/acme/chain.pem"
>>>
>>> table aliases file:/etc/mail/aliases
>>> table valiases file:/etc/mail/valiases
>>> table vdomains file:/etc/mail/vdomains
>>> table addresses file:/etc/mail/addresses
>>> table users file:/etc/mail/users
>>>
>>> pki $server certificate "/etc/ssl/acme/cert.pem"
>>> pki $server key "/etc/ssl/acme/private/privkey.pem"
>>>
>>> listen on lo0
>>> listen on lo0 port 10028 tag DKIM
>>> listen on $egress_int port 25 tls pki $server
>>> listen on $egress_int port 465 smtps pki $server auth senders masquerade
>>>
>>> accept from any for domain virtual deliver to mbox
>>> accept for local alias deliver to mbox
>>> accept tagged DKIM for any relay
>>> accept from local sender for any relay via smtp://127.0.0.1:10027
>>>
>>> Do I need to do something else? (running current)
>>>
>>> Walter
>>
>> Did you add the public key part to DNS for your domain? What's going on
>> in maillog?
>
> I forgot to mention that, yes, I added the DNS record and checked its
> validity using this site:
>
> http://dkimcore.org/tools/keycheck.html
>
> That tells me it's ok. Then I've been sending to this testing address:
>
> check-a...@verifier.port25.com
>
> where I'm told (in a reply to my same address) the message isn't signed.
>
> /var/log/maillog just shows the message as correctly delivered:
>
> Nov 9 14:16:39 server smtpd[68603]: 44fc40aeb913cba0 mta event=delivery
> evpid=1da22dbaa5825b53 from=<.*@mydomain.com> to=rcpt=<-> source="192.168.1.101"
> relay="??.??.??.??" (verifier.port25.com)" delay=2s result="Ok" stat="250
> 2.6.0 message received"
>
>> Are the mails being forwarded to dkimproxy_out and back into
>> smtpd as expected?
>
> How can I check this?

Should also be in the maillog. You should see smtpd accept the initial connection and relay it to 127.0.0.1 10027. Then accept a new connection from 127.0.0.1 or localhost and relay to the destination. If you don't see that, you can use tcpdump to see if the proxy is ever contacted.

You can also trace which rules smtpd matched on. man smtpctl and search for trace.

I run this at home, but can't access the machine from where I am. I can double check your configs later.
Re: dkimproxy_out doesn't sign my outgoing messages
On Wed, Nov 09, 2016 at 09:27:58AM -0500, trondd wrote:
> On Wed, November 9, 2016 9:14 am, Walter Alejandro Iglesias wrote:
>> Hi everyone,
>>
>> First of all, is dkimproxy a work in progress?
>>
>> If it's not, then the long one. I've tried something similar to
>> the example in smtpd.conf(5). Outgoing messages don't get signed.
>>
>> # dkim-genkey -s default -d mydomain.com -r -D /var/dkimproxy
>>
>> /etc/dkimproxy_out.conf
>> ---
>> listen    127.0.0.1:10027
>> relay     127.0.0.1:10028
>> domain    mydomain.com
>> signature dkim(c=relaxed)
>> signature domainkeys(c=nofws)
>> keyfile   /var/dkimproxy/default.private
>> selector  default
>>
>> /etc/mail/smtpd.conf
>> ---
>> egress_int="em0"
>> server="server.mydomain.com"
>> ca $server certificate "/etc/ssl/acme/chain.pem"
>>
>> table aliases file:/etc/mail/aliases
>> table valiases file:/etc/mail/valiases
>> table vdomains file:/etc/mail/vdomains
>> table addresses file:/etc/mail/addresses
>> table users file:/etc/mail/users
>>
>> pki $server certificate "/etc/ssl/acme/cert.pem"
>> pki $server key "/etc/ssl/acme/private/privkey.pem"
>>
>> listen on lo0
>> listen on lo0 port 10028 tag DKIM
>> listen on $egress_int port 25 tls pki $server
>> listen on $egress_int port 465 smtps pki $server auth senders masquerade
>>
>> accept from any for domain virtual deliver to mbox
>> accept for local alias deliver to mbox
>> accept tagged DKIM for any relay
>> accept from local sender for any relay via smtp://127.0.0.1:10027
>>
>> Do I need to do something else? (running current)
>>
>> Walter
>
> Did you add the public key part to DNS for your domain? What's going on
> in maillog?

I forgot to mention that, yes, I added the DNS record and checked its validity using this site:

http://dkimcore.org/tools/keycheck.html

That tells me it's ok. Then I've been sending to this testing address:

check-a...@verifier.port25.com

where I'm told (in a reply to my same address) the message isn't signed.

/var/log/maillog just shows the message as correctly delivered:

Nov 9 14:16:39 server smtpd[68603]: 44fc40aeb913cba0 mta event=delivery evpid=1da22dbaa5825b53 from=<.*@mydomain.com> to=rcpt=<-> source="192.168.1.101" relay="??.??.??.??" (verifier.port25.com)" delay=2s result="Ok" stat="250 2.6.0 message received"

> Are the mails being forwarded to dkimproxy_out and back into
> smtpd as expected?

How can I check this?
Re: dkimproxy_out doesn't sign my outgoing messages
On Wed, November 9, 2016 9:14 am, Walter Alejandro Iglesias wrote:
> Hi everyone,
>
> First of all, is dkimproxy a work in progress?
>
> If it's not, then the long one. I've tried something similar to
> the example in smtpd.conf(5). Outgoing messages don't get signed.
>
> # dkim-genkey -s default -d mydomain.com -r -D /var/dkimproxy
>
> /etc/dkimproxy_out.conf
> ---
> listen    127.0.0.1:10027
> relay     127.0.0.1:10028
> domain    mydomain.com
> signature dkim(c=relaxed)
> signature domainkeys(c=nofws)
> keyfile   /var/dkimproxy/default.private
> selector  default
>
> /etc/mail/smtpd.conf
> ---
> egress_int="em0"
> server="server.mydomain.com"
> ca $server certificate "/etc/ssl/acme/chain.pem"
>
> table aliases file:/etc/mail/aliases
> table valiases file:/etc/mail/valiases
> table vdomains file:/etc/mail/vdomains
> table addresses file:/etc/mail/addresses
> table users file:/etc/mail/users
>
> pki $server certificate "/etc/ssl/acme/cert.pem"
> pki $server key "/etc/ssl/acme/private/privkey.pem"
>
> listen on lo0
> listen on lo0 port 10028 tag DKIM
> listen on $egress_int port 25 tls pki $server
> listen on $egress_int port 465 smtps pki $server auth senders masquerade
>
> accept from any for domain virtual deliver to mbox
> accept for local alias deliver to mbox
> accept tagged DKIM for any relay
> accept from local sender for any relay via smtp://127.0.0.1:10027
>
> Do I need to do something else? (running current)
>
> Walter

Did you add the public key part to DNS for your domain? What's going on in maillog? Are the mails being forwarded to dkimproxy_out and back into smtpd as expected?
dkimproxy_out doesn't sign my outgoing messages
Hi everyone,

First of all, is dkimproxy a work in progress?

If it's not, then the long one. I've tried something similar to the example in smtpd.conf(5). Outgoing messages don't get signed.

# dkim-genkey -s default -d mydomain.com -r -D /var/dkimproxy

/etc/dkimproxy_out.conf
---
listen    127.0.0.1:10027
relay     127.0.0.1:10028
domain    mydomain.com
signature dkim(c=relaxed)
signature domainkeys(c=nofws)
keyfile   /var/dkimproxy/default.private
selector  default

/etc/mail/smtpd.conf
---
egress_int="em0"
server="server.mydomain.com"
ca $server certificate "/etc/ssl/acme/chain.pem"

table aliases file:/etc/mail/aliases
table valiases file:/etc/mail/valiases
table vdomains file:/etc/mail/vdomains
table addresses file:/etc/mail/addresses
table users file:/etc/mail/users

pki $server certificate "/etc/ssl/acme/cert.pem"
pki $server key "/etc/ssl/acme/private/privkey.pem"

listen on lo0
listen on lo0 port 10028 tag DKIM
listen on $egress_int port 25 tls pki $server
listen on $egress_int port 465 smtps pki $server auth senders masquerade

accept from any for domain virtual deliver to mbox
accept for local alias deliver to mbox
accept tagged DKIM for any relay
accept from local sender for any relay via smtp://127.0.0.1:10027

Do I need to do something else? (running current)

Walter
# sign
Hi guys! In the English_US way, you have no certainties. The # symbol I've always named 'hash', but from recent research I found it is also named: number, pound, octothorpe, octothorp, octothorn... Which is the exact name for it? (In the computer way, naturally...)

Thanks for the reply.
Re: # sign
On 6/17/2015 12:52 PM, Max Power wrote:
> Hi guys! In the English_US way, you have no certainties. The # symbol
> I've always named 'hash', but from recent research I found it is also
> named: number, pound, octothorpe, octothorp, octothorn... Which is the
> exact name for it? (In the computer way, naturally...)
>
> Thanks for the reply.

hash
Re: # sign
> hash
>
> Wikipedia says that the use of hash for this sign may have come from
> Baudot, which predated both ASCII and EBCDIC.

I thought everyone here knew that this sign is actually historically called `sliced unicorn hearts' after the specific pattern their heart displays when thinly sliced.

Oh, I'd kill for a unicorn heart carpaccio, right now. It's been too long since I last had some.
Re: # sign
Max Power wrote:
> which is the exact name for it? (In computer way naturally...)

Havelåge - the Danish way.

Best regards,

Mikkel C. Simonsen
Re: # sign
On 2015-06-17 13:58, Terry Tyson wrote:
> On 6/17/2015 12:52 PM, Max Power wrote:
>> Hi guys! In the English_US way, you have no certainties. The # symbol
>> I've always named 'hash', but from recent research I found it is also
>> named: number, pound, octothorpe, octothorp, octothorn... Which is the
>> exact name for it? (In the computer way, naturally...)
>>
>> Thanks for the reply.

Computer way? Which computer? If you mean the ASCII representation, # would be 0010 0011. If instead you prefer EBCDIC, # would be 0111 1011.

> hash

Wikipedia says that the use of hash for this sign may have come from Baudot, which predated both ASCII and EBCDIC.
Re: Daemons can't have hyphen (-) sign in the name
Well I guess that explains :S

Thanks

On Sun, Mar 15, 2015 at 7:24 PM, Antoine Jacoutot <ajacou...@bsdfrog.org> wrote:
> On Sun, Mar 15, 2015 at 07:08:52PM +0200, Igor Konforti wrote:
>> I was writing a daemon by name /etc/rc.d/example-client and all the
>> time I was getting an error that ${daemon_user} is client
>>
>> After looking at the source code of rc.subr
>> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/rc.d/rc.subr?rev=1.92&content-type=text/x-cvsweb-markup
>> I saw the following:
>>
>> ```
>> _name=$(basename $0)
>> eval _rcuser=\${${_name}_user}
>> [ -n ${_rcuser} ] && daemon_user=${_rcuser}
>> ```
>>
>> So, if we have a daemon by name example-client, because of eval there
>> will always be $daemon_user:
>>
>> ```
>> -bash-4.2# eval _rcuser=\${example-client_user}
>> -bash-4.2# echo $_rcuser
>> client_user
>> ```
>>
>> I'm not sure if this is a bug or a feature, therefore I'm posting this
>> in misc, but if you guys confirm it is a bug I'll send it to bugs@
>>
>> This of course can be fixed really easily.
>
> man rc.subr:
> ...
> DESCRIPTION
>      Apart from a few notable exceptions, rc scripts must follow this
>      naming policy:
>
>      1.   Use the same name as the daemon it is referring to.
>      2.   Dashes (‘-’) have to be converted to underscores (‘_’).
>
> --
> Antoine
Daemons can't have hyphen (-) sign in the name
I was writing a daemon by name /etc/rc.d/example-client and all the time I was getting an error that ${daemon_user} is client

After looking at the source code of rc.subr
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/rc.d/rc.subr?rev=1.92&content-type=text/x-cvsweb-markup
I saw the following:

```
_name=$(basename $0)
eval _rcuser=\${${_name}_user}
[ -n ${_rcuser} ] && daemon_user=${_rcuser}
```

So, if we have a daemon by name example-client, because of eval there will always be $daemon_user:

```
-bash-4.2# eval _rcuser=\${example-client_user}
-bash-4.2# echo $_rcuser
client_user
```

I'm not sure if this is a bug or a feature, therefore I'm posting this in misc, but if you guys confirm it is a bug I'll send it to bugs@

This of course can be fixed really easily.

Regards
Re: Daemons can't have hyphen (-) sign in the name
On Sun, Mar 15, 2015 at 07:08:52PM +0200, Igor Konforti wrote: I was writing a daemon by the name /etc/rc.d/example-client and all the time I was getting an error that ${daemon_user} is client. After looking at the source code of rc.subr http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/rc.d/rc.subr?rev=1.92content-type=text/x-cvsweb-markup I saw the following:

```
_name=$(basename $0)
eval _rcuser=\${${_name}_user}
[ -n "${_rcuser}" ] && daemon_user=${_rcuser}
```

So, if we have a daemon by the name example-client, because of eval there will always be $daemon_user:

```
-bash-4.2# eval _rcuser=\${example-client_user}
-bash-4.2# echo $_rcuser
client_user
```

I'm not sure if this is a bug or a feature, therefore I'm posting this in misc, but if you guys confirm it is a bug I'll send it to bugs@. This of course can really be fixed really easily. man rc.subr: ... DESCRIPTION Apart from a few notable exceptions, rc scripts must follow this naming policy: 1. Use the same name as the daemon it is referring to. 2. Dashes (‘-’) have to be converted to underscores (‘_’). -- Antoine
Sign A Rama would like to set up in your town
If this message does not display correctly, click HERE ( http://www.benoitfougerais.fr/Franchise/Signarama/Emailing/SAR-NewsLetter2010.html ) ( https://spreadsheets.google.com/viewform?hl=frcfg=trueformkey=dEFkaDNXWXNnTDRMOHRiSXFXOVJLa2c6MA ) Has your career now given you the confidence and the desire to go into business for yourself? Are you an organizer with a commercial temperament? A team leader? Then let's meet! I am Olivier Fossat, franchisor of SIGNARAMA in France. SIGNARAMA has been the world's leading visual communication network for 25 years. Our products are everywhere. You use them every minute without paying attention to them and, of course, had never measured the value of our business until this e-mail! Beyond the figures, our trade is very engaging because the customer relationship is very personal. Our customers, all business owners, shopkeepers and craftsmen, enrich us with all the trades they practise, and it is first of all their trust that they grant us. Moreover, all our products carry value because they are made to measure: we bring our attentiveness and our creativity, and we deliver solutions that help our customers make a difference in their businesses: graphic charters, signs, vehicle fleets, shop windows, signage, point-of-sale displays. We are the service specialist, the best competitive advantage there is! I invite you to leave me your contact details so that I can get in touch. https://spreadsheets.google.com/viewform?hl=frcfg=trueformkey=dEFkaDNXWXNnTDRMOHRiSXFXOVJLa2c6MA [demime 1.01d removed an attachment of type image/png which had a name of SAR-Banniere2.png] [demime 1.01d removed an attachment of type image/png which had a name of SAR-IMGnews.png]
Re: Real men don't attack sign men
Marc Balmer wrote: Richard Stallman wrote: I doubt someone who is truly unfriendly could organize a hackathon, a friendly social event. He may be perfectly friendly to others. What is relevant is that he tends to be unfriendly to me. What is relevant is that you are a hypocrite and come to our mailing lists talking bullshit about OpenBSD. You do not only offend Theo, but all of the OpenBSD / OpenSSH developers. And many of the OpenBSD users, as well, who appreciate the work done by the OpenBSD developers and do not wish to see the project slagged off the cuff by people in the spotlight. Breeno
Re: Real men don't attack sign men
I doubt someone who is truly unfriendly could organize a hackathon, a friendly social event. He may be perfectly friendly to others. What is relevant is that he tends to be unfriendly to me. The same argument could be made about your unfriendliness. We could not talk to you since you have *proven* to be unfriendly: http://z505.com/images/gnu-sign.png I criticized ATI firmly when it refused to release the specs for its chips. I'm happy to say that in October another ATI speaker came to MIT and announced that ATI was supporting development of free drivers. I shook his hand. I was also told that my protest had made an impression at ATI, so I think it played a role in bringing about the change in policies. However, that was nothing on the scale of unfriendliness compared to what Theo has said to me -- both in this discussion, and previously. I used the word unfriendly as a deliberate understatement, because I did not want to start an argument about that side issue. (Others chose, in a hypersensitive fashion, to do so anyway.) I reserve my unfriendliness, such as it is, for the enemies of the free software movement -- which does not include OpenBSD. I have never urged people not to use OpenBSD. I do not campaign against OpenBSD and never did.
Re: Real men don't attack sign men
Richard Stallman wrote: I doubt someone who is truly unfriendly could organize a hackathon, a friendly social event. He may be perfectly friendly to others. What is relevant is that he tends to be unfriendly to me. What is relevant is that you are a hypocrite and come to our mailing lists talking bullshit about OpenBSD. You do not only offend Theo, but all of the OpenBSD / OpenSSH developers. We put a lot of effort into making a free operating system which is accompanied by a free ports system. Your stanzas are just pure insult. Someone acting like you must not complain about Theo being unfriendly. You call for it. Theo is only being direct and he is right. The same argument could be made about your unfriendliness. We could not talk to you since you have *proven* to be unfriendly: http://z505.com/images/gnu-sign.png I criticized ATI firmly when it refused to release the specs for its chips. I'm happy to say that in October another ATI speaker came to MIT and announced that ATI was supporting development of free drivers. I shook his hand. I was also told that my protest had made an impression at ATI, so I think it played a role in bringing about the change in policies. However, that was nothing on the scale of unfriendliness compared to what Theo has said to me -- both in this discussion, and previously. I used the word unfriendly as a deliberate understatement, because I did not want to start an argument about that side issue. (Others chose, in a hypersensitive fashion, to do so anyway.) I reserve my unfriendliness, such as it is, for the enemies of the free software movement -- which does not include OpenBSD. I have never urged people not to use OpenBSD. I do not campaign against OpenBSD and never did.
Re: Real men don't attack sign men
Not calling someone unfriendly and just focusing on the conversation/technical details at hand, would be much more friendly.. even considering friendship wasn't the subject of discussion in the first place. Someone else attacked me on this list for not discussing this with Theo. I explained the reason in the gentlest way I could think of. The same argument could be made about your unfriendliness. We could not talk to you since you have *proven* to be unfriendly: http://z505.com/images/gnu-sign.png Any programmer or philosopher worth his salt can appear critical, analytical, or unfriendly at times. Security experts especially. I doubt someone who is truly unfriendly could organize a hackathon, a friendly social event. Remember, this is just email after all, Stallman. Take some of it with a grain of salt. Any time someone brings up the fact that openbsd has unfriendly programmers, we are to call them on it. Label it as: The OpenBSD Cliche Cliche: an idea that has been overused to the point of losing its intended force or novelty, That way, when anyone regurgitates this same old tired openbsd programmers are unfriendly argument, we can redirect them to a FUQ or FAQ. An example demonstration of this: Bum Bum wrote in message: blah blah blah OpenBSD programmers are unfriendly blah blah blah blah blah blah blah blah Not friendly blah blah Don't use it blah blah blah Because they are unfriendly blah blah blah Hello Bum Bum, that is an invalid argument. Please see: The OpenBSD Cliche. It is in the FUQ under the beaten dead horse section. Regards, L505 A philosopher who did not hurt anyone's feelings was not doing his job. --Plato (source: Wikipedia) A programmer who did not hurt anyone's feelings was not doing his job. --L505 (source: Z505)
Re: sign and timestamp
On Thu, Oct 04, 2007 at 05:03:41PM +0200, Gábri Máté wrote: There'll be two main servers, a web server and a SQL server. We have to insert a timestamp and a signature in the specified rows of tables. Periodically the SQL server will make PDF documents from the data and we have to sign and timestamp these docs too. I also have to set up a firewall and a backup server; both of them will be OBSD. After what all of you wrote, I guess one of the OBSD servers will act as the timestamping machine with the method of issuing a time file periodically, signing and hashing it. I can set up a script for that, and another one for verification. That's the easiest way, I guess. As for why I don't want to use a public time stamping service: it's much more flexible to do it on our own, and much faster, and there are other reasons. Of course the results don't have to be verified by total strangers, just those who work with the data from day to day. I'm not clear on what you will gain over just having all the boxes running ntp and having the SQL server inserting a time value on each row of the table, and having each row be non-alterable (other than, of course, by root), and having a time stamp put on the PDF document. Typical uses for real time stamps are for audit purposes. The only reason for an audit trail is to prove that records haven't been altered either accidentally or intentionally/maliciously by someone within the organization. If this is for internal auditing only and your internal audit department requires something more than just a time entry in an SQL file, then they should have sole control over the server that does the time stamping. Nobody outside of the audit department should have any root privileges. In which case, a dedicated dot-matrix printer that prints the file name, hash, and time stamp of files as they are received for stamping would be prudent. Put multi-part paper in the printer and take a copy off-site (to the off-site auditors?) regularly.
In any event, your system (policy, protocols, etc) should be approved by the people who will be needing to verify the veracity of the timestamps. Doug.
Re: sign and timestamp
On Wed, Oct 03, 2007 at 05:21:09PM -0700, Ted Unangst wrote: On 10/3/07, Gábri Máté [EMAIL PROTECTED] wrote: I've read a lot about timestamping a document, but dunno how it works in practice. How can I apply a timestamp to a digitally signed or encrypted document? Like I encrypt or sign a document with gnupg, but before the process how can I timestamp it? you cannot provably timestamp anything. you can only provide copies or hashes at the time you would like to prove creation, either by sending it to the person you want to prove it to or a trusted third party. or generally publishing it, and hoping you can gather enough witnesses to testify when they first saw it. One solution is making sure it ends up on multiple public archives. Some clueful idiot spammed full-disclosure [1] with a `month of random hashes', which appears to have put a stop to the clueless idiots that posted hashes of their 'discoveries'. It shouldn't be too difficult to find an abandoned Usenet group that is still in Google's index, though, and if you use a sane posting frequency - once a week, or perhaps once a day - this is nowhere near as evil as the UUencoded pink bits that make up the majority of a Usenet feed nowadays. (Which should not be mistaken as this not being evil.) Be prepared for some kooks to harass you because you are obviously working for the CIA/Mossad/terrorists/greys, though. (Why do you hate America/Israel/Freedom/Humanity?!) (And all this is just a roundabout way of telling you that an external stamping service makes a lot more sense. What are you *really* trying to do?) Joachim [1] A security-related mailing list. Unmoderated, so vulnerabilities come through quickly but get lost in the diarrhea. -- TFMotD: rwalld, rpc.rwalld (8) - write messages to users currently logged in server
Re: sign and timestamp
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 There'll be two main servers, a web server and a SQL server. We have to insert a timestamp and a signature in the specified rows of tables. Periodically the SQL server will make PDF documents from the data and we have to sign and timestamp these docs too. I also have to set up a firewall and a backup server; both of them will be OBSD. After what all of you wrote, I guess one of the OBSD servers will act as the timestamping machine with the method of issuing a time file periodically, signing and hashing it. I can set up a script for that, and another one for verification. That's the easiest way, I guess. As for why I don't want to use a public time stamping service: it's much more flexible to do it on our own, and much faster, and there are other reasons. Of course the results don't have to be verified by total strangers, just those who work with the data from day to day. Gabri Mate [EMAIL PROTECTED] DUOSOL Bt. http://www.duosol.hu Douglas A. Tutty wrote: On Wed, Oct 03, 2007 at 09:45:30PM +0200, Gábri Máté wrote: A service will gather data in a database and this data has to be signed and timestamped for security reasons, and the archives of these data also need to be signed and timestamped. The data will be used for internal purposes, so another internal server can issue the signs and stamps. OK. This service gathering the data: is it your own dedicated server or is it an external service provider? Assuming that you don't control (in a security sense) the database itself (if you did, why bother with this?). If I understand correctly: Database the data-gatherer can query. You set up a dedicated, physically secure box and provide it with a secure source of time (GPS?). Assuming that you don't want the latency for them to email the box a hash, have the box append a time stamp, sign it, and mail it back. You need a dedicated channel from the time server to the data-gatherer of latency low enough to meet the time-stamp requirements.
Do you need to send the timestamp back to the data-gatherer or will they be sending the data to you by a slower method? You could either write a dedicated server or set up an lpd hack. They gather the data, tarball it, take a hash and put it in an index file (like an MD5SUM file in an ftp archive). They send a file containing only the hash and the unique tarball file name to the lpr on the time server. A dummy spool there hands the file to a 'filter' that takes that file, extracts the md5sum and file name, appends the time, and appends that whole line to a file. For hard copy, each line could be printed to a dedicated dot-matrix printer as it is generated. Or your time server is running a database and the data-gatherer can issue the SQL insert query directly and the database system itself fills in a time-stamp field. Doug. iD8DBQFHBQDN8najRxwF9nkRAttfAKCJWn8wZuFbBH9Bjg+3jACkYaAw0gCbB+1Z 2eANpaLE6INNbm1DYeDw0xc= =JOK6 -END PGP SIGNATURE-
sign and timestamp
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hey there! I've read a lot about timestamping a document, but dunno how it works in practice. How can I apply a timestamp to a digitally signed or encrypted document? Like I encrypt or sign a document with gnupg, but before the process how can I timestamp it? Sorry for the stupid question but I really can't imagine it. - -- Gabri Mate [EMAIL PROTECTED] iD8DBQFHA8Gh8najRxwF9nkRAiceAKC5E4GSj9DyBFhADFhB7oBLBKvUZQCgs+ct hGyUmMhM39QHXhf/XadvH+o= =SFZt -END PGP SIGNATURE-
Re: sign and timestamp
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Sorry I wasn't totally specific. Yes, later on the receiver needs to verify the timestamp. I was looking for an OSS application but couldn't find any for timestamping. Gabri Mate [EMAIL PROTECTED] DUOSOL Bt. http://www.duosol.hu Douglas A. Tutty wrote: On Wed, Oct 03, 2007 at 06:21:53PM +0200, Gábri Máté wrote: I've read a lot about timestamping a document, but dunno how it works in practice. How can I apply a timestamp to a digitally signed or encrypted document? Like I encrypt or sign a document with gnupg, but before the process how can I timestamp it? Sorry for the stupid question but I really can't imagine it. I suppose the first question is: is the time stamp for info only or does the recipient have to verify the accuracy of the timestamp? I.e. let's say you take the file you want to encrypt and sign, put it in a tarball that will protect the file's modification time, and encrypt and sign that. This gives the recipient your opinion on the timestamp and protects it from being changed en route. However, the recipient can't verify that you or your system are telling the truth. I don't know if there's an accepted strategy, but if I had to create one from scratch, off the top of my head I'm thinking some type of time server. It would have to publish a signed file of the current time, say once per minute, so that you could include the hash in the above noted tarball. The recipient could note the time of that hash file, query the time server for the matching hash and compare the two. If they match, then the time matches. This would have to be a time server that is trusted by the recipient. I'll be interested to hear from someone who really knows about this. Doug. iD8DBQFHA+E08najRxwF9nkRAkZnAJ9F83yBOJ7KhTgUngOtFAcCWJeDcwCeOEUS MxT2+9gw9WpbIi6BXfeeSSc= =0rKL -END PGP SIGNATURE-
Re: sign and timestamp
On Wed, Oct 03, 2007 at 06:21:53PM +0200, Gábri Máté wrote: I've read a lot about timestamping a document, but dunno how it works in practice. How can I apply a timestamp to a digitally signed or encrypted document? Like I encrypt or sign a document with gnupg, but before the process how can I timestamp it? Sorry for the stupid question but I really can't imagine it. I suppose the first question is: is the time stamp for info only or does the recipient have to verify the accuracy of the timestamp? I.e. let's say you take the file you want to encrypt and sign, put it in a tarball that will protect the file's modification time, and encrypt and sign that. This gives the recipient your opinion on the timestamp and protects it from being changed en route. However, the recipient can't verify that you or your system are telling the truth. I don't know if there's an accepted strategy, but if I had to create one from scratch, off the top of my head I'm thinking some type of time server. It would have to publish a signed file of the current time, say once per minute, so that you could include the hash in the above noted tarball. The recipient could note the time of that hash file, query the time server for the matching hash and compare the two. If they match, then the time matches. This would have to be a time server that is trusted by the recipient. I'll be interested to hear from someone who really knows about this. Doug.
Re: sign and timestamp
Without a mutually-trusted source of time cookies, it depends on specific needs. Further information on the nature of the transaction is required since I haven't heard of a pre-packaged OSS application. Doug. On Wed, Oct 03, 2007 at 08:36:37PM +0200, Gábri Máté wrote: Sorry I wasn't totally specific. Yes, later on the receiver needs to verify the timestamp. I was looking for an OSS application but couldn't find any for timestamping. Douglas A. Tutty wrote: On Wed, Oct 03, 2007 at 06:21:53PM +0200, Gábri Máté wrote: I've read a lot about timestamping a document, but dunno how it works in practice. How can I apply a timestamp to a digitally signed or encrypted document? Like I encrypt or sign a document with gnupg, but before the process how can I timestamp it? Sorry for the stupid question but I really can't imagine it. I suppose the first question is: is the time stamp for info only or does the recipient have to verify the accuracy of the timestamp? I.e. let's say you take the file you want to encrypt and sign, put it in a tarball that will protect the file's modification time, and encrypt and sign that. This gives the recipient your opinion on the timestamp and protects it from being changed en route. However, the recipient can't verify that you or your system are telling the truth. I don't know if there's an accepted strategy, but if I had to create one from scratch, off the top of my head I'm thinking some type of time server. It would have to publish a signed file of the current time, say once per minute, so that you could include the hash in the above noted tarball. The recipient could note the time of that hash file, query the time server for the matching hash and compare the two. If they match, then the time matches. This would have to be a time server that is trusted by the recipient. I'll be interested to hear from someone who really knows about this. Doug.
-BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQFHA+E08najRxwF9nkRAkZnAJ9F83yBOJ7KhTgUngOtFAcCWJeDcwCeOEUS MxT2+9gw9WpbIi6BXfeeSSc= =0rKL -END PGP SIGNATURE-
Re: sign and timestamp
On Wed, Oct 03, 2007 at 06:21:53PM +0200, Gábri Máté wrote: Hey there! I've read a lot about timestamping a document, but dunno how it works in practice. How can I apply a timestamp to a digitally signed or encrypted document? Like I encrypt or sign a document with gnupg, but before the process how can I timestamp it? Sorry for the stupid question but I really can't imagine it. The Big G is your friend [1]: http://www.itconsult.co.uk/stamper.htm (Obviously, one could send them a hash instead of the original if one were afraid of sending data unencrypted over the net.) Joachim [1] Trust The Computer. The Computer is Your Friend. -- TFMotD: h2xs (1) - convert .h C header files to Perl extensions
Re: sign and timestamp
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 A service will gather data in a database and this data has to be signed and timestamped for security reasons, and the archives of these data also need to be signed and timestamped. The data will be used for internal purposes, so another internal server can issue the signs and stamps. Gabri Mate [EMAIL PROTECTED] DUOSOL Bt. http://www.duosol.hu Douglas A. Tutty wrote: Without a mutually-trusted source of time cookies, it depends on specific needs. Further information on the nature of the transaction is required since I haven't heard of a pre-packaged OSS application. Doug. On Wed, Oct 03, 2007 at 08:36:37PM +0200, Gábri Máté wrote: Sorry I wasn't totally specific. Yes, later on the receiver needs to verify the timestamp. I was looking for an OSS application but couldn't find any for timestamping. Douglas A. Tutty wrote: On Wed, Oct 03, 2007 at 06:21:53PM +0200, Gábri Máté wrote: I've read a lot about timestamping a document, but dunno how it works in practice. How can I apply a timestamp to a digitally signed or encrypted document? Like I encrypt or sign a document with gnupg, but before the process how can I timestamp it? Sorry for the stupid question but I really can't imagine it. I suppose the first question is: is the time stamp for info only or does the recipient have to verify the accuracy of the timestamp? I.e. let's say you take the file you want to encrypt and sign, put it in a tarball that will protect the file's modification time, and encrypt and sign that. This gives the recipient your opinion on the timestamp and protects it from being changed en route. However, the recipient can't verify that you or your system are telling the truth. I don't know if there's an accepted strategy, but if I had to create one from scratch, off the top of my head I'm thinking some type of time server.
It would have to publish a signed file of the current time, say once per minute, so that you could include the hash in the above noted tarball. The recipient could note the time of that hash file, query the time server for the matching hash and compare the two. If they match, then the time matches. This would have to be a time server that is trusted by the recipient. I'll be interested to hear from someone who really knows about this. Doug. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQFHA+E08najRxwF9nkRAkZnAJ9F83yBOJ7KhTgUngOtFAcCWJeDcwCeOEUS MxT2+9gw9WpbIi6BXfeeSSc= =0rKL -END PGP SIGNATURE- iD8DBQFHA/Fa8najRxwF9nkRAhEEAJ4+TygfHgFyHF5ih+UElEVQoiSrFQCgrMpq JzzHM57RLOmKE4dWMOCCalA= =HV+v -END PGP SIGNATURE-
Re: sign and timestamp
On 2007/10/03 21:36, Joachim Schipper wrote: On Wed, Oct 03, 2007 at 06:21:53PM +0200, Gábri Máté wrote: Hey there! I've read a lot about timestamping a document, but dunno how it works in practice. How can I apply a timestamp to a digitally signed or encrypted document? Like I encrypt or sign a document with gnupg, but before the process how can I timestamp it? google/patent search: haber stornetta dead trees: there's a little section in Applied Cryptography (surprise!), the basics are fairly obvious (send TTP a hash, they append a timestamp and sign the lot) but to prevent collusion between sender and TTP additional measures are normally used. The Big G is your friend [1]: http://www.itconsult.co.uk/stamper.htm Now it's October 2007 and RIPA part III is in force, .uk is not a great jurisdiction to be hosting cryptographic services.
Re: sign and timestamp
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Yes, but I want to solve this without an outsider for practical reasons. Gabri Mate [EMAIL PROTECTED] DUOSOL Bt. http://www.duosol.hu Joachim Schipper wrote: On Wed, Oct 03, 2007 at 06:21:53PM +0200, Gábri Máté wrote: Hey there! I've read a lot about timestamping a document, but dunno how it works in practice. How can I apply a timestamp to a digitally signed or encrypted document? Like I encrypt or sign a document with gnupg, but before the process how can I timestamp it? Sorry for the stupid question but I really can't imagine it. The Big G is your friend [1]: http://www.itconsult.co.uk/stamper.htm (Obviously, one could send them a hash instead of the original if one were afraid of sending data unencrypted over the net.) Joachim [1] Trust The Computer. The Computer is Your Friend. iD8DBQFHA/488najRxwF9nkRAk/sAKCFzKm7tBxsNHwFCYFdtHP8NWClXwCbBWcC jHWm4T+Eimk1p1ZQ2GyoKqc= =s5sI -END PGP SIGNATURE-
Re: sign and timestamp
I don't know if there's an accepted strategy, but if I had to create one from scratch, off the top of my head I'm thinking some type of time server. It would have to publish a signed file of the current time, say once per minute, so that you could include the hash in the above noted tarball. The recipient could note the time of that hash file, query the time server for the matching hash and compare the two. If they match, then the time matches. Slightly OT... That (and variations thereof) would work for a 'not earlier than' lower bound, but I'm pretty sure there is a good theoretical reason why 'not later than' shouldn't be possible without a third party, making timestamping (in the sense of having happened in this given interval) impossible. I am open to contradiction though :) -- steev http://www.daikaiju.org.uk/~steve/
Re: sign and timestamp
On Wed, Oct 03, 2007 at 10:40:28PM +0200, Gábri Máté wrote: Yes, but I want to solve this without an outsider for practical reasons. Gabri Mate [EMAIL PROTECTED] DUOSOL Bt. http://www.duosol.hu Joachim Schipper wrote: On Wed, Oct 03, 2007 at 06:21:53PM +0200, Gábri Máté wrote: Hey there! I've read a lot about timestamping a document, but dunno how it works in practice. How can I apply a timestamp to a digitally signed or encrypted document? Like I encrypt or sign a document with gnupg, but before the process how can I timestamp it? Sorry for the stupid question but I really can't imagine it. The Big G is your friend [1]: http://www.itconsult.co.uk/stamper.htm (Obviously, one could send them a hash instead of the original if one were afraid of sending data unencrypted over the net.) Joachim [1] Trust The Computer. The Computer is Your Friend. iD8DBQFHA/488najRxwF9nkRAk/sAKCFzKm7tBxsNHwFCYFdtHP8NWClXwCbBWcC jHWm4T+Eimk1p1ZQ2GyoKqc= =s5sI -END PGP SIGNATURE- Perhaps off-topic, but do consider improving your signal-to-noise ratio; I count one useful, albeit misspelled, line - remove the (non-delimited) sig, broken PGP signature, and useless cruft from replied messages. What you want to do is a lot more complicated. The easiest solution I can think of is chaining. For instance, given data_1, data_2, ..., data_n which must be signed on date_1, date_2, ..., date_n, define

    hash_0 = SOME_VALUE
    hash_i+1 = f(hash_i ++ data_i+1 ++ date_i+1)

Here, f() is a hash function, for instance RIPEMD-160 or SHA2-256, and ++ denotes some mixing operation (XOR might be a good bet). Suppose you provide someone with frequent values of hash_i. If you later make a false claim about either data_j or date_j, and the other person has hash_i, hash_k, data_1, ..., data_k, and date_i, ..., date_k, where i j = k, then you would be quickly found out. Of course, more sophisticated algorithms can do the same thing, but without revealing quite this much.
Go read a good book; Practical Cryptography provides a good overview. Joachim Disclaimer: I am not a cryptographer, crypto is hard, and I'm tired. So no guarantees that the above actually works. -- PotD: x11/matchbox/matchbox-window-manager - window manager with a classic pda management policy
Re: sign and timestamp
On 10/3/07, Gábri Máté [EMAIL PROTECTED] wrote: I've read a lot about timestamping a document, but dunno how it works in practice. How can I apply a timestamp to a digitally signed or encrypted document? Like I encrypt or sign a document with gnupg, but before the process how can I timestamp it? you cannot provably timestamp anything. you can only provide copies or hashes at the time you would like to prove creation, either by sending it to the person you want to prove it to or a trusted third party. or generally publishing it, and hoping you can gather enough witnesses to testify when they first saw it.
Re: sign and timestamp
On Wed, Oct 03, 2007 at 09:45:30PM +0200, Gábri Máté wrote: A service will gather data in a database and this data has to be signed and timestamped for security reasons, and the archives of these data also need to be signed and timestamped. The data will be used for internal purposes, so another internal server can issue the signs and stamps. OK. This service gathering the data: is it your own dedicated server or is it an external service provider? Assuming that you don't control (in a security sense) the database itself (if you did, why bother with this?). If I understand correctly: Database the data-gatherer can query. You set up a dedicated, physically secure box and provide it with a secure source of time (GPS?). Assuming that you don't want the latency for them to email the box a hash, have the box append a time stamp, sign it, and mail it back. You need a dedicated channel from the time server to the data-gatherer of latency low enough to meet the time-stamp requirements. Do you need to send the timestamp back to the data-gatherer or will they be sending the data to you by a slower method? You could either write a dedicated server or set up an lpd hack. They gather the data, tarball it, take a hash and put it in an index file (like an MD5SUM file in an ftp archive). They send a file containing only the hash and the unique tarball file name to the lpr on the time server. A dummy spool there hands the file to a 'filter' that takes that file, extracts the md5sum and file name, appends the time, and appends that whole line to a file. For hard copy, each line could be printed to a dedicated dot-matrix printer as it is generated. Or your time server is running a database and the data-gatherer can issue the SQL insert query directly and the database system itself fills in a time-stamp field. Doug.
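A worked version of the two designs that appear in this thread, as an added example that is not code from the list or from any of the posters: Doug's stamping box that takes a (hash, filename) line from the data gatherer, appends the time and writes the line to a file, combined with Joachim's chaining hash_i+1 = f(hash_i ++ data_i+1 ++ date_i+1) so that any later edit to a line breaks the chain. The assumptions are mine, not the thread's: f() is SHA-256, '++' is length-prefixed concatenation rather than the XOR Joachim floated, the clock is injected so the run is deterministic, and every entry below is constructed sample data.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional

# hash_0 = SOME_VALUE: a fixed, public starting point for the chain (constructed).
GENESIS = hashlib.sha256(b"constructed ledger genesis").hexdigest()
SEP = "\t"  # field separator in the ledger file; filenames may not contain it


@dataclass(frozen=True)
class Entry:
    file_hash: str    # hex SHA-256 of the tarball, supplied by the data gatherer
    filename: str     # unique tarball name, as in an MD5SUM-style index
    stamped_at: str   # ISO-8601 UTC time appended by the stamping box
    chain: str        # hash_i = f(hash_{i-1} ++ file_hash ++ filename ++ stamped_at)

    def line(self) -> str:
        return SEP.join((self.file_hash, self.filename, self.stamped_at, self.chain))


def _mix(*parts: bytes) -> bytes:
    """'++' from the post, done as length-prefixed concatenation (assumption)
    so that field boundaries are unambiguous: (ab, c) and (a, bc) differ."""
    return b"".join(struct.pack(">I", len(p)) + p for p in parts)


def link(prev_chain: str, file_hash: str, filename: str, stamped_at: str) -> str:
    """f() = SHA-256 over the previous chain value and the new entry's fields."""
    return hashlib.sha256(_mix(bytes.fromhex(prev_chain), bytes.fromhex(file_hash),
                               filename.encode("utf-8"), stamped_at.encode("ascii"))).hexdigest()


def is_sha256_hex(s: str) -> bool:
    if len(s) != 64:
        return False
    try:
        bytes.fromhex(s)
        return True
    except ValueError:
        return False


class Ledger:
    """The stamping box: accepts (hash, filename), appends the time, chains it."""

    def __init__(self, clock: Callable[[], str]):
        self.clock = clock              # injected time source (GPS box, ntp, ...)
        self.entries: List[Entry] = []

    def stamp(self, file_hash: str, filename: str) -> Entry:
        # Validate before anything reaches the ledger: a malformed line would
        # otherwise be chained into every later entry and poison the whole log.
        if not is_sha256_hex(file_hash):
            raise ValueError("file hash must be 64 hex characters")
        if not filename or any(c in filename for c in " \t\r\n"):
            raise ValueError("filename must be non-empty and free of whitespace")
        prev = self.entries[-1].chain if self.entries else GENESIS
        now = self.clock()
        entry = Entry(file_hash, filename, now, link(prev, file_hash, filename, now))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """The latest hash_i: hand this to the people who must verify the log."""
        return self.entries[-1].chain if self.entries else GENESIS

    def lines(self) -> List[str]:
        return [e.line() for e in self.entries]


def verify(lines: List[str], published_head: Optional[str] = None) -> Optional[int]:
    """Recompute the chain over a ledger file. Returns the index of the first bad
    entry (malformed field, chain mismatch, or time running backwards),
    len(lines) if the final chain value differs from a published head (entries
    were truncated), or None when everything checks out."""
    prev_chain, prev_time = GENESIS, ""
    for i, line in enumerate(lines):
        fields = line.split(SEP)
        if len(fields) != 4:
            return i
        file_hash, filename, stamped_at, chain = fields
        if not is_sha256_hex(file_hash) or stamped_at < prev_time:
            return i
        if link(prev_chain, file_hash, filename, stamped_at) != chain:
            return i
        prev_chain, prev_time = chain, stamped_at
    if published_head is not None and prev_chain != published_head:
        return len(lines)
    return None


def demo() -> dict:
    """Constructed sample run: two stamped tarballs, then three tamper attempts."""
    times = iter(["2007-10-03T18:21:53Z", "2007-10-03T21:45:30Z"])
    ledger = Ledger(clock=lambda: next(times))
    ledger.stamp(hashlib.sha256(b"constructed tarball 1").hexdigest(), "data-2007-10-03a.tgz")
    ledger.stamp(hashlib.sha256(b"constructed tarball 2").hexdigest(), "data-2007-10-03b.tgz")
    good, head = ledger.lines(), ledger.head()
    backdated = [good[0].replace("18:21:53", "08:00:00"), good[1]]   # edit a date field
    swapped = [good[0], good[1].replace(good[1][:64], "00" * 32)]    # swap a file hash
    truncated = good[:1]                                             # drop the last entry
    return {
        "ok": verify(good, head),
        "backdated": verify(backdated, head),
        "swapped": verify(swapped, head),
        "truncated_without_head": verify(truncated),
        "truncated_with_head": verify(truncated, head),
    }


if __name__ == "__main__":
    print(demo())
```

The `head()` value is the point Joachim makes about handing out frequent values of hash_i: the chain alone proves the lines are consistent with each other, not that the log is complete, so dropping the newest entries is invisible until the latest hash_i has reached the verifiers by a separate channel, which is exactly what Doug's dot-matrix printer and off-site copy provide.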
Please sign in your USAA account, verify and update your profile immediately
USAA Member Home Dear USAA. member, Our policy is to protect personal or financial information of USAA members. It has come to our attention that your account information needs to be updated due to inactive members, frauds and spoof reports. If you could please take 5-10 minutes out of your online experience and renew service. Once you have updated your records, your USAA session will not be interrupted and will continue as normal. Please sign in your USAA account, verify and update your profile by clicking this link: https://www.usaa.com/inet/ent_logon/Logon Thanks for your patience as we work together to protect your account. Security Departament, United Services Automobile Association
Re: bgpd.conf md5sig, iBGP and redistributing routes to/from ospf [forgot to sign it]
On Wed, Nov 02, 2005 at 12:34:29AM +0100, per engelbrecht wrote:
> Hi all
> [20051019 snap i386]
> I've made a setup with two identical bgp routers. On each router there's 3 peers (BGP and eBGP), one failover (carp/iBGP/ospf) interconnecting these routers and finally pipes backwards to the internal nets. Part of bgpd.conf further down. I'm replacing a single router (no ospf) fbsd/zebra setup.

That should be no problem.

> Q: setting up iBGP I've used our own AS as 'remote-as' but can't find a 'no synchronization' option for this connection. Do I need it at all? Been poking around in /usr/src/usr.sbin/bgpd without solving it, but it's needed in zebra and Cisco IOS, hence the question.
> A: ?

There is no 'no synchronization' option. We never enforce the synchronisation of iBGP with an IGP. That's retarded. Like pumping 170'000 routes into OSPF and thinking all will be fine. Sure you may get bitten if you have routers that do not run iBGP in between the two iBGP routers, but that's more a design problem and is solvable.

> Q: adding md5sig password, how can I activate these stepwise without having to take bgpd down/up and affecting all connections - ospfctl does not seem to have it as an option. Would like to add md5sig one carrier at a time on a live system.
> A: ?

Just add the 'tcp md5sig password fluffy' to a neighbor and bgpctl reload. Afterwards a bgpctl neighbor fluffy_peer clear will clear the session and activate tcp md5. You can do that one peer at a time.

> Q: running ospf with all peers + carp intfaces in area 0.0.0.0 and internal intfaces in area 0.0.0.1 (and from ospfd.conf)
> [...]
> fib-update yes
> redistribute connected
> [...]
> This is about redistributing routes - will the above let BGP and OSPF play along in the same way as a 'redistribute ospf' in Zebra/Cisco IOS?
> A: ?

redistribute ospf is currently not implemented. bgpd is currently not able to redistribute routes added by ospfd. This is on the todo list.

> Q: default gateway is added to the routing table after all interfaces are configured. BGP is adding information into the routing table and so does OSPF (updates). That's 3 times redistributing of routes between different protocols and with 3 different administrative distances but still in/from the same table. Since directly connected (0) or static (1) connections are superior to e.g. eBGP (20) and OSPF (110), then should or shouldn't /etc/mygate be removed from a BGP router before putting it into production? Will it/can it mock the routing decision despite 'weight' in bgpd.conf due to the lower distance?
> A: ?

Neither ospfd nor bgpd know about administrative distances. Currently it is only safe to use the two together if there are no equal routes. If both bgpd and ospfd try to add the same route to the kernel routing table it will result in undefined behaviour (mostly the first one wins). Again this is on the todo list (even before the redistribute thing).

> Part of bgpd.conf:
> [...]
> neighbor $peer0 {
> 	remote-as ABCD
> 	descr "ebgp sucks"
> 	set nexthop aaa.aaa.aaa.aab
> 	multihop 10
> 	local-address aaa.aaa.aaa.aaa
> 	announce self
> 	announce IPv6 none
> 	enforce neighbor-as yes
> 	set weight 100
> 	#tcp md5sig password HotPotatoes
> }
> ...
> ...
> neighbor $carp {
> 	remote-as our_own_AS
> 	descr "internal"
> 	local-address 172.16.0.1
> 	depend on em5

I think this is not doing what you think. depend on is only useful on carp(4) interfaces. It does not make sense for physical interfaces.

> 	announce all

That's actually the default :)

> 	announce IPv6 none
> 	enforce neighbor-as no

That one as well.

> 	set weight 200
> 	#tcp md5sig password NoPotatoes
> }
> I have a:
> deny from any prefix 172.16.0.0/12 prefixlen = 12
> but the carp interface uses a /8 i.e. should be safe :)

Ick. That will cause troubles with everything in the 172/8 range. You can add a rule like:

	allow from $carp prefix 172.16.0.0/24

afterwards. That would be much nicer.

--
:wq Claudio
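The filter exchange at the end of Claudio's reply turns on how bgpd.conf filter rules match: a bare `prefix` matches that one prefix exactly, a `prefixlen` operator matches every route inside it whose length satisfies the operator, rules are evaluated in order and the last matching rule decides. The following is an added example, not code from the thread or from OpenBGPD, written in Python: a minimal evaluator for rules of the form `allow|deny from <neighbor|any> prefix <net> [prefixlen <op> <n>]`. It models only that subset (`quick`, `set`, community and AS-path matchers are left out, and the action taken when no rule matches is passed in explicitly rather than assumed, since that default has changed across releases). The neighbor labels `$peer0` and `$carp` stand for the macros in the posted bgpd.conf, and the announcements are constructed. It shows that the posted `prefixlen = 12` rule rejects only the exact 172.16.0.0/12, that the usual RFC 1918 form `prefixlen >= 12` rejects everything inside it, and that Claudio's later `allow from $carp prefix 172.16.0.0/24` re-admits the internal /24 from the iBGP peer only.

```python
import ipaddress
import operator

# prefixlen operators accepted by bgpd.conf filter rules
OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
       "<=": operator.le, ">": operator.gt, ">=": operator.ge}


class Rule:
    """One filter rule: <allow|deny> from <neighbor|any> prefix <net>
    [prefixlen <op> <n>].  Without a prefixlen clause the prefix must match
    exactly; with one, any route inside <net> whose length satisfies the
    operator matches."""

    def __init__(self, action, source, prefix, op=None, length=None):
        if action not in ("allow", "deny"):
            raise ValueError(action)
        self.action = action
        self.source = source  # neighbor label (macro value) or "any"
        self.prefix = ipaddress.ip_network(prefix, strict=False)
        self.op, self.length = op, length

    def matches(self, neighbor, route):
        if self.source != "any" and self.source != neighbor:
            return False
        if route.version != self.prefix.version:
            return False
        if self.op is None:  # bare 'prefix': exact match only
            return route == self.prefix
        return (route.subnet_of(self.prefix)
                and OPS[self.op](route.prefixlen, self.length))

    def __str__(self):
        s = f"{self.action} from {self.source} prefix {self.prefix}"
        return s if self.op is None else f"{s} prefixlen {self.op} {self.length}"


def evaluate(rules, neighbor, route, default):
    """Sequential evaluation; the last matching rule decides ('quick' not modelled)."""
    route = ipaddress.ip_network(route, strict=False)
    action = default
    for rule in rules:
        if rule.matches(neighbor, route):
            action = rule.action
    return action


# The rule exactly as posted in the thread.
POSTED = [Rule("deny", "any", "172.16.0.0/12", "=", 12)]

# The usual "deny the whole RFC 1918 block" form, followed by the allow that
# Claudio suggests so the carp/iBGP peer can still announce the internal /24.
FIXED = [
    Rule("deny", "any", "172.16.0.0/12", ">=", 12),
    Rule("allow", "$carp", "172.16.0.0/24"),
]

# Constructed announcements: (neighbor, route).
CASES = [("$peer0", "172.16.0.0/12"), ("$peer0", "172.20.0.0/16"),
         ("$peer0", "172.16.0.0/24"), ("$carp", "172.16.0.0/24"),
         ("$peer0", "172.32.0.0/16"), ("$peer0", "10.0.0.0/8")]


def decisions(rules, default="allow"):
    return {f"{n} {r}": evaluate(rules, n, r, default) for n, r in CASES}


if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("fixed", FIXED)):
        print(label, *map(str, rules), sep="\n  ")
        for case, verdict in decisions(rules).items():
            print(f"    {case:28} -> {verdict}")
```

Run it and the posted rule lets `172.20.0.0/16` and even `172.16.0.0/24` from an eBGP peer through, because `prefixlen = 12` can only ever match a /12; the fixed set denies both while still accepting the /24 from `$carp`. Whatever the real default action is on the release in use, an explicit final `deny from any` style rule keeps the result independent of it.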
Re: bgpd.conf md5sig, iBGP and redistributing routes to/from ospf [forgot to sign it]
Claudio Jeker wrote:
> On Wed, Nov 02, 2005 at 12:34:29AM +0100, per engelbrecht wrote:
> > Hi all
> > [20051019 snap i386]
> > I've made a setup with two identical bgp routers. On each router there's 3 peers (BGP and eBGP), one failover (carp/iBGP/ospf) interconnecting these routers and finally pipes backwards to the internal nets. Part of bgpd.conf further down. I'm replacing a single router (no ospf) fbsd/zebra setup.
>
> That should be no problem.
>
> > Q: setting up iBGP I've used our own AS as 'remote-as' but can't find a 'no synchronization' option for this connection. Do I need it at all? Been poking around in /usr/src/usr.sbin/bgpd without solving it, but it's needed in zebra and Cisco IOS, hence the question.
> > A: ?
>
> There is no 'no synchronization' option. We never enforce the synchronisation of iBGP with an IGP. That's retarded. Like pumping 170'000 routes into OSPF and thinking all will be fine. Sure you may get bitten if you have routers that do not run iBGP in between the two iBGP routers, but that's more a design problem and is solvable.

Hi Claudio

Most documentation on BGP or OSPF is geared towards IOS systems or pro ISO systems like Zebra, with whatever options and syntax that comes with the territory. Finding alternatives for options like e.g. 'no synchronization' and 'no auto-summary' when changing from (in my case) Zebra to OpenBGPD is not covered too well in an otherwise fine documentation, but thank you for clarifying. A small paragraph in the bgpd.conf man page for people coming to OpenBGPD dealing with this would be nice.

> > Q: adding md5sig password, how can I activate these stepwise without having to take bgpd down/up and affecting all connections - ospfctl does not seem to have it as an option. Would like to add md5sig one carrier at a time on a live system.
> > A: ?
>
> Just add the 'tcp md5sig password fluffy' to a neighbor and bgpctl reload. Afterwards a bgpctl neighbor fluffy_peer clear will clear the session and activate tcp md5. You can do that one peer at a time.

Check. (thank you)

> > Q: running ospf with all peers + carp intfaces in area 0.0.0.0 and internal intfaces in area 0.0.0.1 (and from ospfd.conf)
> > [...]
> > fib-update yes
> > redistribute connected
> > [...]
> > This is about redistributing routes - will the above let BGP and OSPF play along in the same way as a 'redistribute ospf' in Zebra/Cisco IOS?
> > A: ?
>
> redistribute ospf is currently not implemented. bgpd is currently not able to redistribute routes added by ospfd. This is on the todo list.

Perfect.

> > Q: default gateway is added to the routing table after all interfaces are configured. BGP is adding information into the routing table and so does OSPF (updates). That's 3 times redistributing of routes between different protocols and with 3 different administrative distances but still in/from the same table. Since directly connected (0) or static (1) connections are superior to e.g. eBGP (20) and OSPF (110), then should or shouldn't /etc/mygate be removed from a BGP router before putting it into production? Will it/can it mock the routing decision despite 'weight' in bgpd.conf due to the lower distance?
> > A: ?
>
> Neither ospfd nor bgpd know about administrative distances. Currently it is only safe to use the two together if there are no equal routes. If both bgpd and ospfd try to add the same route to the kernel routing table it will result in undefined behaviour (mostly the first one wins). Again this is on the todo list (even before the redistribute thing).

I guess reading BGP from Cisco literature would match learning TCP/IP with books from Microsoft ... The BGP implementation in Cisco IOS uses an administrative distance, hence the question. If you mean equal routes from a 'weight' point of view, then I have a problem. So far all my peers have the same weight.

> > Part of bgpd.conf:
> > [...]
> > neighbor $peer0 {
> > 	remote-as ABCD
> > 	descr "ebgp sucks"
> > 	set nexthop aaa.aaa.aaa.aab
> > 	multihop 10
> > 	local-address aaa.aaa.aaa.aaa
> > 	announce self
> > 	announce IPv6 none
> > 	enforce neighbor-as yes
> > 	set weight 100
> > 	#tcp md5sig password HotPotatoes
> > }
> > ...
> > ...
> > neighbor $carp {
> > 	remote-as our_own_AS
> > 	descr "internal"
> > 	local-address 172.16.0.1
> > 	depend on em5
>
> I think this is not doing what you think. depend on is only useful on carp(4) interfaces. It does not make sense for physical interfaces.

I have carp1 on em5. I'll change em5 to carp1 right away. Thank you.

> > 	announce all
>
> That's actually the default :)

I know. In every conf file I write what I want it to do (even defaults) and remove anything else. Makes it easy to parse for !me without having to know the system 'default'.

> > 	announce IPv6 none
> > 	enforce neighbor-as no
>
> That one as well.

Ditto. :)

> > 	set weight 200
> > 	#tcp md5sig password NoPotatoes
> > }
> > I have a:
> > deny from any prefix 172.16.0.0/12 prefixlen = 12
> > but the carp interface uses a /8 i.e. should be safe :)
>
> Ick. That will cause troubles with
Re: bgpd.conf md5sig, iBGP and redistributing routes to/from ospf [forgot to sign it]
* per engelbrecht [2005-11-02 00:52]:
> I've made a setup with two identical bgp routers. On each router there's 3 peers (BGP and eBGP), one failover (carp/iBGP/ospf) interconnecting these routers and finally pipes backwards to the internal nets. Part of bgpd.conf further down. I'm replacing a single router (no ospf) fbsd/zebra setup.

should just work.

> Q: setting up iBGP I've used our own AS as 'remote-as' but can't find a 'no synchronization' option for this connection. Do I need it at all? Been poking around in /usr/src/usr.sbin/bgpd without solving it, but it's needed in zebra and Cisco IOS, hence the question.

not needed. retarded idea in the first place... I mean, you don't need ip classless on OpenBSD either to tell it we're not in the 80s any more :)

> Q: adding md5sig password, how can I activate these stepwise without having to take bgpd down/up and affecting all connections - ospfctl does not seem to have it as an option. Would like to add md5sig one carrier at a time on a live system.

	# bgpctl reload

next time the session(s) in question traverses IDLE the settings become active. you can force that using

	# bgpctl neighbor foo clear

--
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
bgpd.conf md5sig, iBGP and redistributing routes to/from ospf [forgot to sign it]
Hi all
[20051019 snap i386]

I've made a setup with two identical bgp routers. On each router there's 3 peers (BGP and eBGP), one failover (carp/iBGP/ospf) interconnecting these routers and finally pipes backwards to the internal nets. Part of bgpd.conf further down. I'm replacing a single router (no ospf) fbsd/zebra setup.

Q: setting up iBGP I've used our own AS as 'remote-as' but can't find a 'no synchronization' option for this connection. Do I need it at all? Been poking around in /usr/src/usr.sbin/bgpd without solving it, but it's needed in zebra and Cisco IOS, hence the question.
A: ?

Q: adding md5sig password, how can I activate these stepwise without having to take bgpd down/up and affecting all connections - ospfctl does not seem to have it as an option. Would like to add md5sig one carrier at a time on a live system.
A: ?

Q: running ospf with all peers + carp intfaces in area 0.0.0.0 and internal intfaces in area 0.0.0.1 (and from ospfd.conf)
[...]
fib-update yes
redistribute connected
[...]
This is about redistributing routes - will the above let BGP and OSPF play along in the same way as a 'redistribute ospf' in Zebra/Cisco IOS?
A: ?

Q: default gateway is added to the routing table after all interfaces are configured. BGP is adding information into the routing table and so does OSPF (updates). That's 3 times redistributing of routes between different protocols and with 3 different administrative distances but still in/from the same table. Since directly connected (0) or static (1) connections are superior to e.g. eBGP (20) and OSPF (110), then should or shouldn't /etc/mygate be removed from a BGP router before putting it into production? Will it/can it mock the routing decision despite 'weight' in bgpd.conf due to the lower distance?
A: ?

Part of bgpd.conf:
[...]
neighbor $peer0 {
	remote-as ABCD
	descr "ebgp sucks"
	set nexthop aaa.aaa.aaa.aab
	multihop 10
	local-address aaa.aaa.aaa.aaa
	announce self
	announce IPv6 none
	enforce neighbor-as yes
	set weight 100
	#tcp md5sig password HotPotatoes
}
...
...
neighbor $carp {
	remote-as our_own_AS
	descr "internal"
	local-address 172.16.0.1
	depend on em5
	announce all
	announce IPv6 none
	enforce neighbor-as no
	set weight 200
	#tcp md5sig password NoPotatoes
}

I have a:
deny from any prefix 172.16.0.0/12 prefixlen = 12
but the carp interface uses a /8 i.e. should be safe :)

/per