Re: OpenSMTPD on CentOS 8.

2020-03-06 Thread Ihor Antonov
On 2020-03-07 02:30, Reio Remma wrote:
> On 07.03.2020 0:41, Ihor Antonov wrote:
> > On 2020-03-06 23:05, Reio Remma wrote:
> > > Hello!
> > > 
> > > I was forced to upgrade our mail server to CentOS 8 (thanks to hardware
> > > failure on the old machine). I've successfully built an RPM of OpenSMTPD for
> > > CentOS 8 and it's running nicely, however I've a problem with the global
> > > crypto policies in CentOS 8.
> > > 
> > > Namely the DEFAULT crypto policy disables TLSv1 for OpenSMTPD. Has anyone
> > > got any experience on how to allow TLSv1 for OpenSMTPD without downgrading
> > > the whole system from DEFAULT to LEGACY crypto policy?
> > Just out of curiosity - why do you need TLSv1 on OpenSMTPD? (Especially
> > since it is considered to be not safe)
> 
> Because my thinking is it's better than the plain text the clients fall back
> to. Or is it not so?

Good question. Will other smtp servers fall back to plaintext if
TLSv1.1+ is not available? TLS 1.2 is about 10 years old.. I would not
force TLSv1.3 yet, but I also really don't want to communicate with
systems that are so outdated that they don't support TLSv1.2. But that is
a matter of personal choice probably.





Re: OpenSMTPD on CentOS 8.

2020-03-06 Thread Ihor Antonov
On 2020-03-06 23:05, Reio Remma wrote:
> Hello!
> 
> I was forced to upgrade our mail server to CentOS 8 (thanks to hardware
> failure on the old machine). I've successfully built an RPM of OpenSMTPD for
> CentOS 8 and it's running nicely, however I've a problem with the global
> crypto policies in CentOS 8.
> 
> Namely the DEFAULT crypto policy disables TLSv1 for OpenSMTPD. Has anyone
> got any experience on how to allow TLSv1 for OpenSMTPD without downgrading
> the whole system from DEFAULT to LEGACY crypto policy?

Just out of curiosity - why do you need TLSv1 on OpenSMTPD? (Especially
since it is considered to be not safe)


Ihor



Re: Filter API and protocol

2019-12-03 Thread Ihor Antonov
Hey Ionel 

It is great to hear that you like OpenSMTPD! 
I currently use zimbra for a very small home mailserver setup and I also plan 
to move to OpenSMTPD. 
I have not noticed any spam problems yet, but I have a different problem with 
zimbra - it is a resource devouring java monster.. 

Take a look at https://github.com/poolpOrg/filter-rspamd
It is written in Go, and this is the filter that Gilles uses for rspamd. 

Ihor 


From: "GARDAIS Ionel"  
To: misc@opensmtpd.org 
Sent: Tuesday, December 3, 2019 11:26:44 AM 
Subject: Filter API and protocol 

Hi list, 

I've installed OpenSMTPD on a fresh OpenBSD to act as a simple-yet-powerful MX 
for inbound traffic. 
Our current zimbra mono-server installation is quite bad at spam detection thus 
I gave a try to rspamd. 

First results are encouraging and I really appreciate the ease of configuration 
of OpenSMTPD and the clarity of its logs. 

I'd like to add a feature to our setup : prefixing all incoming emails' subject 
with a string, only once (i.e. not if the said string is already in the 
subject). 
It seems to me that this should be made as a filter in OpenSMTPD, with a 
low-precedence to be placed after DKIM verification. 

I'd like to give a try at this solution. 
Do you have pointers to the filter protocol or to a hello-world filter? 

Thanks, 





Re: portable layer rework

2019-11-19 Thread Ihor Antonov
On Tuesday, November 19, 2019 12:07:10 AM PST gil...@poolp.org wrote:
> Ihor Antonov has setup a CI that lets us spot failures to build on Linux
> glibc/musl, however:
> 
> - we don't have CI for FreeBSD, NetBSD, DFlyBSD, OSX, Solaris

As soon as I get some free time I will set up FreeBSD and OpenBSD builds on 
SourceHut [1][2] so at least these 2 should be covered soon. 

[1] https://man.sr.ht/builds.sr.ht/compatibility.md
[2] https://sourcehut.org/blog/2019-09-12-sourcehut-makes-bsd-software-better/


-- 
Ihor Antonov
https://useplaintext.email





Re: 6.6.1p1 fails to build on Void Linux

2019-11-12 Thread Ihor Antonov
On Tuesday, November 12, 2019 12:43:25 AM EST Gilles Chehade wrote:
> On Mon, Nov 11, 2019 at 08:10:50PM -0600, epektasis wrote:
> > Thank you for your reply.  Libevent-2.1.11_1 is installed.  So is
> > autoconf-2.69_7, automake-1.16.1_2, bison-3.4.2_1, libtool-2.4.6_4, and
> > libasr-1.0.3_1.  There are several fatal errors for some missing header
> > files; I guess I'll try to track them down and see if I can get this
> > going again.  I'll let you know.
> 
> In some distributions, packages are split between two, so you have for
> example libevent and libevent-dev, the former for runtime dependencies
> and the second for build time dependencies with headers and such. This
> may be the case here ?
> 
> I'm on my openbsd laptop right now, as soon as I boot on a Linux one I
> will try to build on void linux and get back to you, cheers.

Hi epektasis,

Can you create a docker file that reproduces your problem? 

We use docker in our CI, and here is an example for Alpine Linux:

https://github.com/OpenSMTPD/OpenSMTPD/blob/portable/ci/docker/Dockerfile.alpine

If you can provide something similar but using Void it will be much easier for 
us to reproduce and troubleshoot the issue.

Thanks

-- 
Ihor Antonov
https://useplaintext.email





Re: Portable buildung issues

2019-10-22 Thread Ihor Antonov
Yes, this is the one

On October 22, 2019 7:52:29 AM EDT, Reio Remma  wrote:
>Looks suspiciously like this.
>
>https://github.com/OpenSMTPD/OpenSMTPD/issues/944
>
>Good luck,
>Reio
>
>On 22/10/2019 14:45, gil...@poolp.org wrote:
>> we really really really need more details, I have no idea what system
>that is :-)
>>
>> October 22, 2019 1:38 PM, "John Smith" 
>wrote:
>>
>>> Hello,
>>>
>>> cloned today, I am having problems building smtpd. After configure:
>>>
>>> /data/git/opensmtp # make
>>> make all-recursive
>>> make[1]: Entering directory '/data/git/opensmtp'
>>> Making all in openbsd-compat
>>> make[2]: Entering directory '/data/git/opensmtp/openbsd-compat'
>>> gcc -DHAVE_CONFIG_H -I. -I.. -I../smtpd -I../openbsd-compat
>-I../openbsd-compat/err_h
>>> -I/usr/include -march=skylake -fomit-frame-pointer -O2 -pipe -fPIC
>-DPIC -Wall -Wpointer-arith
>>> -Wuninitialized -Wsign-compare -Wformat-security
>-Wsizeof-pointer-memaccess -Wno-pointer-sign
>>> -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset -fPIE
>-D_BSD_SOURCE -D_DEFAULT_SOURCE
>>> -c -o arc4random.o arc4random.c
>>> arc4random.c:167:21: error: macro "arc4random_stir" passed 1
>arguments, but takes just 0
>>> arc4random_stir(void)
>>> ^
>>> arc4random.c:168:1: error: expected '=', ',', ';', 'asm' or
>'__attribute__' before '{' token
>>> {
>>> ^
>>> make[2]: *** [Makefile:445: arc4random.o] Error 1
>>> make[2]: Leaving directory '/data/git/opensmtp/openbsd-compat'
>>> make[1]: *** [Makefile:418: all-recursive] Error 1
>>> make[1]: Leaving directory '/data/git/opensmtp'
>>> make: *** [Makefile:350: all] Error 2
>>>
>>> Any idea what I might be missing? As I have a rather minimal system,
>some package may be lacking.
>>> Any further details that are needed?
>>>
>>> Thanks
>>>
>>> Ede

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Portable buildung issues

2019-10-22 Thread Ihor Antonov
Hi Ede.

I have seen the same error on Alpine Linux.
Most likely you have libressl and libressl-dev, while version 6.6 works with 
openssl.

There is a bug in the configuration code that prevents building the openbsd-compat 
libs when you have libressl. I will add the GitHub issue link later. But for now 
just try replacing libressl with openssl.

Ihor

On October 22, 2019 7:38:13 AM EDT, John Smith  wrote:
>Hello,
>
>cloned today, I am having problems building smtpd. After configure:
>
>
>/data/git/opensmtp # make
>make  all-recursive
>make[1]: Entering directory '/data/git/opensmtp'
>Making all in openbsd-compat
>make[2]: Entering directory '/data/git/opensmtp/openbsd-compat'
>gcc -DHAVE_CONFIG_H -I. -I..  -I../smtpd -I../openbsd-compat
>-I../openbsd-compat/err_h -I/usr/include   -march=skylake
>-fomit-frame-pointer -O2 -pipe  -fPIC -DPIC -Wall -Wpointer-arith
>-Wuninitialized -Wsign-compare -Wformat-security
>-Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result
>-fno-strict-aliasing -fno-builtin-memset -fPIE -D_BSD_SOURCE
>-D_DEFAULT_SOURCE  -c -o arc4random.o arc4random.c
>arc4random.c:167:21: error: macro "arc4random_stir" passed 1 arguments,
>but takes just 0
> arc4random_stir(void)
> ^
>arc4random.c:168:1: error: expected '=', ',', ';', 'asm' or
>'__attribute__' before '{' token
> {
> ^
>make[2]: *** [Makefile:445: arc4random.o] Error 1
>make[2]: Leaving directory '/data/git/opensmtp/openbsd-compat'
>make[1]: *** [Makefile:418: all-recursive] Error 1
>make[1]: Leaving directory '/data/git/opensmtp'
>make: *** [Makefile:350: all] Error 2
>
>Any idea what I might be missing? As I have a rather minimal system,
>some package may be lacking. Any further details that are needed?
>
>Thanks
>
>Ede

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Docker build is failing

2019-10-11 Thread Ihor Antonov
> > On Thu, 2019-10-10 at 14:46 -0400, Ihor Antonov wrote:
> > > Docker build of portable branch is broken
> > > Github issue
> > https://github.com/OpenSMTPD/OpenSMTPD/issues/944
> > 

I think I found the problem, but I don't know how to fix it.

In ./openbsd-compat/openbsd-compat.h:

#if defined(HAVE_ARC4RANDOM_STIR)
void arc4random_stir(void);
#elif defined(HAVE_ARC4RANDOM) || defined(LIBRESSL_VERSION_NUMBER)
/* Recent system/libressl implementation; no need for explicit stir */
# define arc4random_stir()
#else
/* openbsd-compat/arc4random.c provides arc4random_stir() */
void arc4random_stir(void);
#endif


In ./openbsd-compat/arc4random.c:

void
arc4random_stir(void)
{
	_ARC4_LOCK();
	_rs_stir();
	_ARC4_UNLOCK();
}

HAVE_ARC4RANDOM_STIR - not defined
HAVE_ARC4RANDOM - not defined
LIBRESSL_VERSION_NUMBER - defined!

so it results in mismatch between header definition and arc4random.c


# define arc4random_stir()
vs
void arc4random_stir(void)


Need your advice on how to fix this.

A side thought - every linux distro has libbsd[0] we should just use it
[0]https://gitlab.freedesktop.org/libbsd/libbsd
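
The mismatch described in the message above, reduced to one file as an added example (not OpenSMTPD code and not the project's fix). The header logic is copied from the message; the `#ifndef` guard, the placeholder `LIBRESSL_VERSION_NUMBER` value, and the names `compat_stir_calls`, `stir_is_macro` and `caller_stirs` are assumptions made for illustration.

```c
/* Added illustration: single-file model of the two files quoted above. */

/* Constructed: model the Alpine/LibreSSL build, where only this macro is
 * set. The value is a placeholder, not a real LibreSSL version number. */
#define LIBRESSL_VERSION_NUMBER 1L

/* --- openbsd-compat.h logic, as quoted in the message --- */
#if defined(HAVE_ARC4RANDOM_STIR)
void arc4random_stir(void);
#elif defined(HAVE_ARC4RANDOM) || defined(LIBRESSL_VERSION_NUMBER)
/* Recent system/libressl implementation; no need for explicit stir */
# define arc4random_stir()
#else
/* openbsd-compat/arc4random.c provides arc4random_stir() */
void arc4random_stir(void);
#endif

static int compat_stir_calls;	/* hypothetical counter, for the demo only */

/* --- arc4random.c side ---
 * Without this guard the preprocessor reads arc4random_stir(void) as a
 * call of the zero-parameter macro with one argument ("void"). */
#ifndef arc4random_stir
void
arc4random_stir(void)
{
	compat_stir_calls++;	/* stands in for _rs_stir() under the lock */
}
#endif

/* Returns 1 when the header turned arc4random_stir into an empty macro. */
int
stir_is_macro(void)
{
#ifdef arc4random_stir
	return 1;
#else
	return 0;
#endif
}

/* A caller compiles in either configuration; returns how many times the
 * compat implementation actually ran. */
int
caller_stirs(void)
{
	arc4random_stir();
	return compat_stir_calls;
}
```

Removing the `#ifndef`/`#endif` pair reproduces the `macro "arc4random_stir" passed 1 arguments, but takes just 0` error from the build log.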




Re: Docker build is failing

2019-10-10 Thread Ihor Antonov
On Thu, 2019-10-10 at 14:46 -0400, Ihor Antonov wrote:
> Docker build of portable branch is broken, and has been for a while
> now. I discovered this while trying to test out Gilles' rspamd
> plugin,
> which requires latest 6.6 version
> 
> I am not a C developer, but from the error and a bit of googling it
> looks like stuff from openbsd-compat/ is conflicting with some system
> libraries. 
> 
> I did some bisecting and last good commit (in regards of Dockerfile
> ) 
> which was a while ago.
> 
> > Commit 9f6b7cc1b14624f919a6a9d7ac5a2ded002b2707
> > Author: Arthur Moore 
> > Date:   Wed Feb 20 22:20:56 2019 -0500
> > 
> >Add an automated test to check if TLS certificates work
> > 
> >This should allow Docker Hub to act as a CI platform.
> 
> Github Actions CI seems to be working fine, but it uses ubuntu, not
> alpine.  I am happy to help fix/troubleshoot this but I
> need  guidance
> from someone who knows C. I am also interested in building it for
> Alpine as I need this for my future work.
> 
> ---
> Ihor Antonov
> 

Forgot to include the link to github issue
https://github.com/OpenSMTPD/OpenSMTPD/issues/944




Docker build is failing

2019-10-10 Thread Ihor Antonov
Docker build of portable branch is broken, and has been for a while
now. I discovered this while trying to test out Gilles' rspamd plugin,
which requires latest 6.6 version

I am not a C developer, but from the error and a bit of googling it
looks like stuff from openbsd-compat/ is conflicting with some system
libraries. 

I did some bisecting and last good commit (in regards of Dockerfile ) 
which was a while ago.

> Commit 9f6b7cc1b14624f919a6a9d7ac5a2ded002b2707
> Author: Arthur Moore 
> Date:   Wed Feb 20 22:20:56 2019 -0500
>
>Add an automated test to check if TLS certificates work
>
>This should allow Docker Hub to act as a CI platform.

Github Actions CI seems to be working fine, but it uses ubuntu, not
alpine.  I am happy to help fix/troubleshoot this but I need  guidance
from someone who knows C. I am also interested in building it for
Alpine as I need this for my future work.

---
Ihor Antonov




Re: How can I integrate opensmtpd with opendkim?

2019-10-10 Thread Ihor Antonov
On Thu, 2019-10-10 at 18:14 +0200, Martijn van Duren wrote:
> Hello Ihor,
> 
> I'm not sure if you want to sign or verify signatures.

Ideally I want both: sign my own outgoing emails and verify incoming
mails signatures too. Former is probably higher on my priority list.

> At the moment we have an API which allows us to write custom plugins 

Is there a good place to read the docs about the API?

> and
> I have written a dkim signer myself[0][1], but it's written
> specifically
> for OpenBSD and I haven't tested it on Linux (probably needs a few
> tweaks for that).
> 
> If you want something that does spamfiltering (including dkim verify)
> see Gilles' rspamd plugin[2] or Joerg's spamassassin plugin[3].

I will most certainly give it a try. 

> If you're lazy just wait a few weeks for OpenBSD 6.6 to be released,
> which will contain these filters in the package managers. If you
> want to stay on Linux see how far you get with compiling these
> codebases
> yourself and contact me once you need help (at least the dkimsign
> one).

Thanks a lot. I use Docker (+ Kubernetes) a lot in my setup and I am
not sure if OpenBSD has good alternatives, so for now I'd have to stick
with Linux.


> 
> [0] http://imperialat.at/dev/libopensmtpd/
> [1] http://imperialat.at/dev/filter-dkimsign/
> [2] https://github.com/poolpOrg/filter-rspamd/
> [3] https://www.umaxx.net





RE: How can I integrate opensmtpd with opendkim?

2019-10-10 Thread Ihor Antonov
Hello everyone,

I am seriously thinking about replacing Postfix with OpenSMTPD on my
Linux box (I am very attracted by configuration simplicity and
security-mindedness of the project)


So I found this issue on github where Gilles is redirecting a user's
question to mailing list.

https://github.com/OpenSMTPD/OpenSMTPD/issues/733

Unfortunately I did not find any follow-ups on the subject. Is
opensmtpd + opendkim possible? I know that there is new filter API
released recently, is it something that can be used to achieve this?

Or maybe it is possible to write some sort of C plugin? (akin to table
lookup API)

I am not looking for any other DKIM solutions (dkimproxy is abandoned,
and as for p5-Mail-DKIM I don't want to introduce Perl into my setup)

I am very new to OpenSMTPD so I apologize for possibly  stupid
questions.


Thanks

---
Ihor Antonov