Re: smtpd dies with fatal: smtp: ssltree out of sync
I'll just add that I was testing this with the 5.3 release so it doesn't appear to be related to the recent pki changes. .joel On Tue, Dec 31, 2013 at 4:26 PM, Mikolaj Kucharski miko...@kucharski.name wrote: Joel Knight had similar problem in the past and he gave me a clue that the problem may be related to multiple certificates in one single file (like cert.pem has). Below change makes OpenSMTPD running again for me: --- /etc/mail/smtpd.confWed Jan 1 00:23:52 2014 +++ /etc/mail/smtpd.confWed Jan 1 00:24:04 2014 
@@ -6,7 +6,6 @@ bounce-warn 4h, 1d, 2d expire 7d -pki openbsd.my.domain ca /etc/ssl/cert.pem pki openbsd.my.domain key /etc/mail/certs/smtpd.key pki openbsd.my.domain dhparams /etc/mail/certs/dh4096.pem pki openbsd.my.domain certificate /etc/mail/certs/smtpd.crt Thanks again Joel! On Mon, Dec 30, 2013 at 10:45:46PM +, Mikolaj Kucharski wrote: Hi, I've just upgraded my OpenBSD-based mail server to: OpenBSD 5.4-current (GENERIC.MP) #187: Sat Dec 28 17:15:20 MST 2013 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP and I cannot figure out where is the problem in my smtpd config: # /etc/mail/smtpd.conf ext_if = re0 max-message-size 35m bounce-warn 4h, 1d, 2d expire 7d pki openbsd.my.domain ca /etc/ssl/cert.pem pki openbsd.my.domain key /etc/mail/certs/smtpd.key pki openbsd.my.domain dhparams /etc/mail/certs/dh4096.pem pki openbsd.my.domain certificate /etc/mail/certs/smtpd.crt listen on lo0 listen on $ext_if tls pki openbsd.my.domain auth-optional table aliases db:/etc/mail/aliases.db accept from any for local alias aliases deliver to mbox accept from local for any relay # smtpd -n -f /etc/mail/smtpd.conf configuration OK # smtpd -dvvv -f /etc/mail/smtpd.conf debug: init ssl-tree info: loading pki information for openbsd.my.domain info: OpenSMTPD 5.4.1 starting debug: bounce warning after 4h debug: bounce warning after 1d debug: bounce warning after 2d debug: using fs queue backend debug: using ramqueue scheduler backend debug: using ram stat backend info: startup [debug mode] debug: parent_send_config_ruleset: reloading debug: parent_send_config_mfa: reloading debug: parent_send_config: configuring smtp mfa: building simple chains... mfa: building complex chains... 
mfa: done building complex chains mfa: done building default chain debug: mfa ready smtpd: fatal: smtp: ssltree out of sync warn: mfa - smtp: pipe closed warn: control - smtp: pipe closed warn: parent - smtp: pipe closed failed to open table aliases warn: mta - control: pipe closed warn: mda - control: pipe closed warn: scheduler - control: pipe closed debug: queue: done loading queue into scheduler warn: queue - smtp: pipe closed # pgrep -lf smtpd | wc -l 0 Any idea what I'm doing wrong? -- best regards q#
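Review bot: the removed `pki openbsd.my.domain ca /etc/ssl/cert.pem` line in the smtpd.conf hunk above is deleted outright, so the listener keeps `tls pki openbsd.my.domain` with key, dhparams and certificate but no `ca` entry at all. If a CA file is still wanted for this pki name, consider replacing the line with one that points `ca` at a file holding a single certificate rather than the /etc/ssl/cert.pem bundle, which would also confirm the multiple-certificates explanation given with the patch. A short comment in smtpd.conf recording why the line was dropped would help at the next upgrade.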
apologies for the noise (interesting article)!
http://www.itnews.com.au/News/368564,server-vendors-named-in-nsa-spying-toolkit.aspx?eid=1edate=20131231utm_source=20131231_AMutm_medium=newsletterutm_campaign=daily_newsletter
Re: wrong installpath in pkg.conf
On Dec 31 10:31:14, h...@stare.cz wrote: The last few installs have put this into my pkg.conf: installpath = ftp://ftp5.eu.openbsd.org/pub/OpenBSD/snapshots/packages// Apparently, the architecture part is empty somehow. Forgot to say, this is i386. The bug is still there in the Dec 31 snapshot.
NSA spy catalog (was: Re: apologies for the noise (interesting article)!)
mufurcz mufu...@iinet.net.au wrote: http://www.itnews.com.au/News/368564,server-vendors-named-in-nsa-spying-toolkit.aspx?eid=1edate=20131231utm_source=20131231_AMutm_medium=newsletterutm_campaign=daily_newsletter That's just a summary article about Applebaum's 30C3 talk. I don't know if any part of the English-language press has picked up on this in equivalent detail, but Der Spiegel has published part of the NSA's actual 2008 spy gear catalog that makes for interesting reading, including such tidbits as unit cost and development status: http://www.spiegel.de/netzwelt/netzpolitik/interaktive-grafik-hier-sitzen-die-spaeh-werkzeuge-der-nsa-a-941030.html Just click on the marked spots on the image map to pop up individual galleries. Don't miss the right part of the map. You can ignore the German text, which is just explanations for people who don't know computers or English. I'm particularly intrigued by the radar return bugs. It's 2014, and somehow I've woken up in a cyberpunk novel. -- Christian naddy Weisgerber na...@mips.inka.de
Re: NSA spy catalog (was: Re: apologies for the noise (interesting article)!)
Quoting Christian Weisgerber na...@mips.inka.de: mufurcz mufu...@iinet.net.au wrote: http://www.itnews.com.au/News/368564,server-vendors-named-in-nsa-spying-toolkit.aspx?eid=1edate=20131231utm_source=20131231_AMutm_medium=newsletterutm_campaign=daily_newsletter That's just a summary article about Applebaum's 30C3 talk. I don't know if any part of the English-language press has picked up on this in equivalent detail, but Der Spiegel has published part of the NSA's actual 2008 spy gear catalog that makes for interesting reading, including such tidbits as unit cost and development status: http://www.spiegel.de/netzwelt/netzpolitik/interaktive-grafik-hier-sitzen-die-spaeh-werkzeuge-der-nsa-a-941030.html Just click on the marked spots on the image map to pop up individual galleries. Don't miss the right part of the map. You can ignore the German text, which is just explanations for people who don't know computers or English. I'm particularly intrigued by the radar return bugs. It's 2014, and somehow I've woken up in a cyberpunk novel. -- Christian naddy Weisgerber na...@mips.inka.de Thank you very much! This is very interesting.. Vijay Sankar, M.Eng., P.Eng. ForeTell Technologies Limited vsan...@foretell.ca - This message was sent using ForeTell-POST 4.9
Re: NSA spy catalog
On 01/01/14 11:47, Vijay Sankar wrote: Quoting Christian Weisgerber na...@mips.inka.de: mufurcz mufu...@iinet.net.au wrote: http://www.itnews.com.au/News/368564,server-vendors-named-in-nsa-spying-toolkit.aspx?eid=1edate=20131231utm_source=20131231_AMutm_medium=newsletterutm_campaign=daily_newsletter That's just a summary article about Applebaum's 30C3 talk. I don't know if any part of the English-language press has picked up on this in equivalent detail, but Der Spiegel has published part of the NSA's actual 2008 spy gear catalog that makes for interesting reading, including such tidbits as unit cost and development status: http://www.spiegel.de/netzwelt/netzpolitik/interaktive-grafik-hier-sitzen-die-spaeh-werkzeuge-der-nsa-a-941030.html Just click on the marked spots on the image map to pop up individual galleries. Don't miss the right part of the map. You can ignore the German text, which is just explanations for people who don't know computers or English. I'm particularly intrigued by the radar return bugs. It's 2014, and somehow I've woken up in a cyberpunk novel. -- Christian naddy Weisgerber na...@mips.inka.de Thank you very much! This is very interesting.. Vijay Sankar, M.Eng., P.Eng. ForeTell Technologies Limited vsan...@foretell.ca - This message was sent using ForeTell-POST 4.9 If you find clicking on the pictures annoying, there's a zip file on cryptome with the pdfs.
Re: NSA spy catalog (was: Re: apologies for the noise (interesting article)!)
On Wed, Jan 01, 2014 at 04:13:38PM +, Christian Weisgerber wrote: the NSA's actual 2008 spy gear catalog that makes for interesting reading, including such tidbits as unit cost and development status: The unit costs are pretty stiff for most of the gadgets but some of them appear to be free. Anyway: When can we expect OpenBSD support for these devices? Gotta love this one in particular: http://www.spiegel.de/static/happ/netzwelt/2014/na/v1/pub/img/Mobilfunk/S3224_GENISIS.jpg
Re: wrong installpath in pkg.conf
On 01/01/14 14:35, Jan Stary wrote: On Dec 31 10:31:14, h...@stare.cz wrote: The last few installs have put this into my pkg.conf: installpath = ftp://ftp5.eu.openbsd.org/pub/OpenBSD/snapshots/packages// Apparently, the architecture part is empty somehow. Forgot to say, this is i386. The bug is still there in the Dec 31 snapshot. Which install media and kernel? I'll assume bsd.rd, ramdisk_cd style. From looking at the code, this would mean `arch -s` returns an empty response. Can someone else confirm this behaviour from the installer? /Alexander
Re: NSA spy catalog (was: Re: apologies for the noise (interesting article)!)
On 1/1/14, Erling Westenvik erling.westen...@gmail.com wrote: On Wed, Jan 01, 2014 at 04:13:38PM +, Christian Weisgerber wrote: the NSA's actual 2008 spy gear catalog that makes for interesting reading, including such tidbits as unit cost and development status: The unit costs are pretty stiff for most of the gadgets but some of them appear to be free. Anyway: When can we expect OpenBSD support for these devices? Gotta love this one in particular: http://www.spiegel.de/static/happ/netzwelt/2014/na/v1/pub/img/Mobilfunk/S3224_GENISIS.jpg i think i have one of those. --patrick
Re: wrong installpath in pkg.conf
On Jan 01 21:07:12, alexan...@beard.se wrote: On 01/01/14 14:35, Jan Stary wrote: On Dec 31 10:31:14, h...@stare.cz wrote: The last few installs have put this into my pkg.conf: installpath = ftp://ftp5.eu.openbsd.org/pub/OpenBSD/snapshots/packages// Apparently, the architecture part is empty somehow. Forgot to say, this is i386. The bug is still there in the Dec 31 snapshot. Which install media and kernel? I'll assume bsd.rd, ramdisk_cd style. Yes. From looking at the code, this would mean `arch -s` returns an empty response. Once installed, `arch -s` returns `i386' just fine. Can someone else confirm this behaviour from the installer? /Alexander
Re: wrong installpath in pkg.conf
On 01/01/14 22:07, Jan Stary wrote: On Jan 01 21:07:12, alexan...@beard.se wrote: On 01/01/14 14:35, Jan Stary wrote: On Dec 31 10:31:14, h...@stare.cz wrote: The last few installs have put this into my pkg.conf: installpath = ftp://ftp5.eu.openbsd.org/pub/OpenBSD/snapshots/packages// Apparently, the architecture part is empty somehow. Forgot to say, this is i386. The bug is still there in the Dec 31 snapshot. Which install media and kernel? I'll assume bsd.rd, ramdisk_cd style. Yes. From looking at the code, this would mean `arch -s` returns an empty response. Once installed, `arch -s` returns `i386' just fine. I've had reports saying it segfaults within the installer though, which would explain the result. That should have produced a Segmentation fault (core dumped) message after installing the sets. I'm not the most suited person to track this down though. /Alexander Can someone else confirm this behaviour from the installer? /Alexander
Re: dnscrypt-proxy
On 31-12-2013 23:19, nixlists wrote: Didn't know that OpenDNS supports DNSCurve. Does anyone else? With the recent *cough*storm about the certain entities planting implants and penetrating our collective mind-orifices through backdoors, and, subsequently, obviously, the bad guys (whom the entities employ, again, obviously (not the leaker) now having the keys to the kingdom of the locks that they themselves have forged, why shouldn't the whole kingdom adopt DNSCurve or something like it to protect itself? Even DNSSEC adoption has been ridiculously slow, but it doesn't offer privacy. Also DNSSEC uses poor by modern standards crypto, and suffers from amplification attacks. One would think that DNSCurve adoption at this point would take over IPv6. Ahhh, DNS fantasies... :)) Happy New Year! (Although something tells us all we should be worried about this one!) The integrity of the 'net is now futile. Conspiracy theories apart (or not), some people (you know who I'm talking about) strongly advise against using any company that is US based or use US based servers. On the dnscrypt page, http://dnscrypt.org/, there are a few options of resolvers that are not US based. The OpenDNS servers, are. I dream of an internet where everybody uses ipv6 with security extensions enabled by default. Where everybody uses tor and dnscrypt/curve solutions. And also, where everybody would use secure operating systems and have access to open and cheap hardware. Ah, the dreams. Let 2014 be a year that some of these dreams come true, hopefully. Cheers, -- Giancarlo Razzolini GPG: 4096R/77B981BC
Re: openbsd snmpd and disk/sensors monitoring
On 2013-12-30, Julien T julien@gmail.com wrote:

> Hello, I'm trying to see if I can switch my new openbsd 5.4 box from net-snmp to snmpd and for now, I miss only 2 things, disk information and sensors that are not in snmpd.conf man.
>
> For disk monitoring, I didn't find information anywhere. Checking the output of snmpwalk, I found the HOST-RESOURCES-MIB::hrStorageSize but the format seems different than net-snmp which makes an update needed to my cacti graph configuration (or did someone make an update openbsd template?). Any translation table?

I don't have net-snmp running anywhere convenient to check how it looks at the moment, but to get a value in bytes, hrStorageSize needs to be multiplied by the associated entry from hrStorageAllocationUnits.

> For sensors, I saw the MIB /usr/share/snmp/mibs/OPENBSD-SENSORS-MIB.txt but a snmpwalk of my host gives nothing

Sensors works very nicely over snmp, but you are missing that by default snmpwalk doesn't walk over vendor mibs.

    If no OID argument is present, snmpwalk will search the subtree rooted at SNMPv2-SMI::mib-2 (including any MIB object values from other MIB modules, that are defined as lying within this subtree)

$ snmpwalk -c $bleh sym OPENBSD-BASE-MIB::sensorsMIBObjects
OPENBSD-SENSORS-MIB::sensorNumber.0 = INTEGER: 3
OPENBSD-SENSORS-MIB::sensorIndex.1 = INTEGER: 1
OPENBSD-SENSORS-MIB::sensorIndex.2 = INTEGER: 2
OPENBSD-SENSORS-MIB::sensorIndex.3 = INTEGER: 3
OPENBSD-SENSORS-MIB::sensorDescr.1 = STRING: temp0
OPENBSD-SENSORS-MIB::sensorDescr.2 = STRING: inner
OPENBSD-SENSORS-MIB::sensorDescr.3 = STRING: sd3
OPENBSD-SENSORS-MIB::sensorType.1 = INTEGER: temperature(0)
OPENBSD-SENSORS-MIB::sensorType.2 = INTEGER: temperature(0)
OPENBSD-SENSORS-MIB::sensorType.3 = INTEGER: drive(13)
OPENBSD-SENSORS-MIB::sensorDevice.1 = STRING: km0
OPENBSD-SENSORS-MIB::sensorDevice.2 = STRING: ugold0
OPENBSD-SENSORS-MIB::sensorDevice.3 = STRING: softraid0
OPENBSD-SENSORS-MIB::sensorValue.1 = STRING: 42.00
OPENBSD-SENSORS-MIB::sensorValue.2 = STRING: 21.87
OPENBSD-SENSORS-MIB::sensorValue.3 = STRING: online
OPENBSD-SENSORS-MIB::sensorUnits.1 = STRING: degC
OPENBSD-SENSORS-MIB::sensorUnits.2 = STRING: degC
OPENBSD-SENSORS-MIB::sensorUnits.3 =
OPENBSD-SENSORS-MIB::sensorStatus.1 = INTEGER: unspecified(0)
OPENBSD-SENSORS-MIB::sensorStatus.2 = INTEGER: unspecified(0)
OPENBSD-SENSORS-MIB::sensorStatus.3 = INTEGER: ok(1)
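The multiplication described in the reply above, as an added example that is not part of the original post: an sh/awk filter that joins hrStorage columns by index and reports sizes in bytes. The walk output is a constructed sample, and hrStorageDescr and hrStorageUsed are standard HOST-RESOURCES-MIB columns that the post itself does not mention.

```shell
#!/bin/sh
# Added example: convert hrStorage counts, which are expressed in
# allocation units, to bytes by joining the table columns on their index.

# Constructed sample in snmpwalk's default output format (made-up values).
sample_walk() {
cat <<'EOF'
HOST-RESOURCES-MIB::hrStorageDescr.1 = STRING: /
HOST-RESOURCES-MIB::hrStorageDescr.2 = STRING: /home
HOST-RESOURCES-MIB::hrStorageAllocationUnits.1 = INTEGER: 2048 Bytes
HOST-RESOURCES-MIB::hrStorageAllocationUnits.2 = INTEGER: 4096 Bytes
HOST-RESOURCES-MIB::hrStorageSize.1 = INTEGER: 518735
HOST-RESOURCES-MIB::hrStorageSize.2 = INTEGER: 12582912
HOST-RESOURCES-MIB::hrStorageUsed.1 = INTEGER: 41262
HOST-RESOURCES-MIB::hrStorageUsed.2 = INTEGER: 1048576
EOF
}

# Reads snmpwalk output on stdin; prints "descr size_bytes used_bytes".
storage_bytes() {
awk '
/^HOST-RESOURCES-MIB::hrStorage/ {
    oid = $1
    sub(/^HOST-RESOURCES-MIB::/, "", oid)
    n = split(oid, part, ".")
    col = part[1]; idx = part[n]
    val = $0
    sub(/^[^=]*= [A-Za-z0-9]+: /, "", val)   # drop "OID = TYPE: "
    if (col == "hrStorageAllocationUnits")
        sub(/ Bytes$/, "", val)              # "4096 Bytes" -> "4096"
    row[col, idx] = val
    if (!(idx in seen)) { seen[idx] = 1; order[++count] = idx }
}
END {
    for (i = 1; i <= count; i++) {
        idx = order[i]
        # A size without its unit is meaningless: skip incomplete rows.
        if (!(("hrStorageAllocationUnits", idx) in row) ||
            !(("hrStorageSize", idx) in row)) {
            print "index " idx ": missing units or size" > "/dev/stderr"
            continue
        }
        unit = row["hrStorageAllocationUnits", idx]
        used = (("hrStorageUsed", idx) in row) ? row["hrStorageUsed", idx] : 0
        # %.0f keeps values above 2^31 exact; %d truncates in some awks.
        printf "%s %.0f %.0f\n", row["hrStorageDescr", idx],
            row["hrStorageSize", idx] * unit, used * unit
    }
}'
}

sample_walk | storage_bytes
```

Against a live agent, pipe the output of a walk of HOST-RESOURCES-MIB::hrStorageTable into `storage_bytes` in place of `sample_walk`.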
Re: NSA spy catalog (was: Re: apologies for the noise (interesting article)!)
On 1 January 2014 08:13, Christian Weisgerber na...@mips.inka.de wrote: mufurcz mufu...@iinet.net.au wrote: http://www.itnews.com.au/News/368564,server-vendors-named-in-nsa-spying-toolkit.aspx That's just a summary article about Applebaum's 30C3 talk. I don't Yes, might just go to it directly: http://www.youtube.com/watch?v=b0w36GAyZIA know if any part of the English-language press has picked up on this in equivalent detail, but Der Spiegel has published part of the NSA's actual 2008 spy gear catalog that makes for interesting reading, including such tidbits as unit cost and development status: http://www.spiegel.de/netzwelt/netzpolitik/interaktive-grafik-hier-sitzen-die-spaeh-werkzeuge-der-nsa-a-941030.html Just click on the marked spots on the image map to pop up individual galleries. Don't miss the right part of the map. You can ignore the German text, which is just explanations for people who don't know computers or English. There's an English version of this Interactive Graphic page, too: http://www.spiegel.de/international/world/a-941262.html Also, a complete set of all the pages from the alleged catalogue is available on a single page, via http://mailman.nanog.org/pipermail/nanog/2013-December/063182.html: http://leaksource.wordpress.com/2013/12/30/nsas-ant-division-catalog-of-exploits-for-nearly-every-major-software-hardware-firmware/ C.
Re: dmassage - openbsd 5.4 build failure
On 2013-12-25, Riccardo Mottola riccardo.mott...@libero.it wrote: Hi, prompted by the quest of a smaller kernel on my old OmniBook 800 (for which memory modules are harder to find than a standard laptop), I tried my luck with dmassage against a stock GENERIC 5.4 kernel conf. I used the generated config file, except that I enabled a couple of more PCMCIA drivers, which are of course all disabled except the currently inserted card. Review the lines that dmassage has commented-out. You can fairly safely remove unused drivers for network/scsi/audio controllers/USB devices, but other drivers/pseudo-devices are more likely to give problems. Trimming out devices (especially some scsi and nic drivers) will trim out a lot, and if you then find you need to go further, you'll just need to take it step by step with educated guesses. dmassage is about 12 years old, it is useful in some cases but the generated config cannot be used directly.
Re: NSA spy catalog
Erling Westenvik wrote:

> Anyway: When can we expect OpenBSD support for these devices?

Erling made my day :)

--
Jack Woehr                   # We commonly say we have no time when,
Box 51, Golden CO 80402      # of course, we have all that there is.
http://www.softwoehr.com     # - James Mason, _The Art of Chess_, 1905
Re: wrong installpath in pkg.conf
On 01/01/14 22:07, Jan Stary wrote: On Jan 01 21:07:12, alexan...@beard.se wrote: On 01/01/14 14:35, Jan Stary wrote: On Dec 31 10:31:14, h...@stare.cz wrote: The last few installs have put this into my pkg.conf: installpath = ftp://ftp5.eu.openbsd.org/pub/OpenBSD/snapshots/packages// Apparently, the architecture part is empty somehow. Forgot to say, this is i386. The bug is still there in the Dec 31 snapshot. Which install media and kernel? I'll assume bsd.rd, ramdisk_cd style. Yes. From looking at the code, this would mean `arch -s` returns an empty response. Once installed, `arch -s` returns `i386' just fine. I've had reports saying it segfaults within the installer though, which would explain the result. That should have produced a Segmentation fault (core dumped) message after installing the sets. I have seen nothing I would qualify as a bug report. Where's the install logs to demonstrate this?
Re: dmassage - openbsd 5.4 build failure
On 2013-12-25, Riccardo Mottola riccardo.mott...@libero.it wrote: Hi, prompted by the quest of a smaller kernel on my old OmniBook 800 (for which memory modules are harder to find than a standard laptop), I tried my luck with dmassage against a stock GENERIC 5.4 kernel conf. I used the generated config file, except that I enabled a couple of more PCMCIA drivers, which are of course all disabled except the currently inserted card. Review the lines that dmassage has commented-out. You can fairly safely remove unused drivers for network/scsi/audio controllers/USB devices, but other drivers/pseudo-devices are more likely to give problems. Trimming out devices (especially some scsi and nic drivers) will trim out a lot, and if you then find you need to go further, you'll just need to take it step by step with educated guesses. dmassage is about 12 years old, it is useful in some cases but the generated config cannot be used directly. And remember that if you use it, you are running a non-GENERIC kernel. It isn't that we don't like people running non-GENERIC kernels. The issue is that people who run custom kernels are often the type who don't switch back to GENERIC kernels before telling us of a problem they have encountered, and they have wasted our time enough in the past. So it isn't that we hate non-GENERIC kernels, it is that we hate people who treat us so poorly. I think dmassage being unmaintained for 12 years, and this issue just coming up now, probably says a lot about that type of person. It's a type of person who can't fix dmassage, and then, sends us a mail. Sorry, but it's the truth.
Re: dmassage - openbsd 5.4 build failure
On Wed, Jan 1, 2014, at 06:17 PM, Theo de Raadt wrote: I think dmassage being unmaintained for 12 years, and this issue just coming up now, probably says a lot about that type of person. It's a type of person who can't fix dmassage, and then, sends us a mail. Sorry, but it's the truth. Very little, if anything, has changed in either the kernel configuration procedure or the format of a kernel's dmesg in the last 12 years. So this is more a case of if it ain't broke, don't fix it. If anything has changed, it's what device drivers you can rip out and still get the kernel to compile. I will admit most of the reasons for doing so today are a lot less compelling than in years past, when every byte of RAM counted for something (best example being a couple of non-PCI 486 systems when you could cut the kernel size almost in half by not putting in all those useless PCI drivers). Today, you have to try to find something with less than 128MiB of RAM in it, and the odds are in your favor of having more even if it's a dumpster rescue. The only use I can think of might be security (it's much harder to use an external USB storage device if the kernel is compiled not to look for them) but I'm sure there are better ways to do even this. -- Shawn K. Quinn skqu...@rushpost.com
Re: dmassage - openbsd 5.4 build failure
On Wed, Jan 1, 2014, at 06:17 PM, Theo de Raadt wrote: I think dmassage being unmaintained for 12 years, and this issue just coming up now, probably says a lot about that type of person. It's a type of person who can't fix dmassage, and then, sends us a mail. Sorry, but it's the truth. Very little, if anything, has changed in either the kernel configuration procedure or the format of a kernel's dmesg in the last 12 years. So this is more a case of if it ain't broke, don't fix it. So glad to have the expert speak.