Re: Need help securing SMTP (thunderbird says it's not encrypted)

2017-07-27 Thread Nick Holland
On 07/27/17 08:56, Paul Covello wrote:
...
> I can send and receive mail ok using Apple Mail on my mac.
> Thunderbird is another story…  I am warned when I set up the
> account that SMTP is NOT encrypted.

Thunderbird is a mail CLIENT.  It knows nothing about what encryption
your mail TRANSPORT is doing out on the 'net, but that's what you are
showing us the config of.

It's probably referring to your IMAP connection to your dovecot server.
That's all it really knows about.  Make sure you are talking SSL/TLS to
dovecot, make sure dovecot is configured for that, and that you have PF
letting the right port through.

It MIGHT be talking about outgoing mail...but a quick look at
Thunderbird here shows that it defaults to port 465 for encrypted, and
you are talking about 587.

Nick.



Re: IPv6 autoconf

2017-07-27 Thread Thomas Smith
On July 27, 2017 at 6:35:23 PM, jungle boogie
(jungleboog...@gmail.com(mailto:jungleboog...@gmail.com)) wrote:

> On 07/27/2017 05:41 PM, Thomas Smith wrote:
> > Hi,
> >
> >
> > Can anyone advise on this please?
> >
>
> What do you see when you do:
> doas sh /etc/netstart

Sanitized output.

% doas sh /etc/netstart
DHCPREQUEST on em0 to 255.255.255.255
DHCPACK from xx.xx.x.x (xx:xx:xx:xx:xx:xx)
bound to  -- renewal in 43199 seconds.



Re: IPv6 autoconf

2017-07-27 Thread jungle boogie

On 07/27/2017 05:41 PM, Thomas Smith wrote:
> Hi,
>
> Can anyone advise on this please?

What do you see when you do:
doas sh /etc/netstart

> Thank you,
>
> ~ Tom





IPv6 autoconf

2017-07-27 Thread Thomas Smith
Hi,

My ISP (Cox) supports IPv6 and I have this working on a MikroTik
router--it pulls an address and prefix, creates a default route,
creates an address pool for internal clients, etc.

I've been working to configure a similar setup in OpenBSD 6.1 but I've
been unable to even get the outside interface to pull an IPv6 address
from Cox (IPv4 is working properly).

I’ve tried both `inet6 autoconf` and `rtsol` in
/etc/hostname.em0--both have worked in other IPv6 environments I’ve
run OpenBSD in, but neither are working in this context.

Can anyone advise on this please?

Thank you,

~ Tom



Re: Using queueing on asynchronous interface

2017-07-27 Thread Kaya Saman



On 07/27/2017 05:30 PM, Stuart Henderson wrote:
> On 2017-07-26, Kaya Saman  wrote:
>>
>> [snip]
>>> I'm finding that I don't really need much in the way of "downstream"
>>> queueing though. It might be needed in special cases but using mikeb's
>>> shiny new fq-codel code in -current, one single queue definition on the
>>> upstream interface is keeping traffic flowing nicely.
>>>
>>> queue hfsq-em1 on em1 flows 1024 bandwidth $BW_ZEN max $BW_ZEN quantum 400
>>> qlimit 1000 default
>>
>> Is fq_codel already implemented in -current yet?
>
> Yes.
>
>> I just grabbed the latest snapshot but can't find the files in the
>> sys/net directory??
>>
>> https://github.com/openbsd/src/tree/master/sys/net
>
> https://github.com/openbsd/src/commits/master/sys/net/fq_codel.c
> (and other files).




Sorry if I wasn't clear... I was trying to say that I don't have those 
files:


fq_codel.c
fq_codel.h

in my sys/net directory:

# ls |sort
CVS
bpf.c
bpf.h
bpf_filter.c
bpfdesc.h
bridgestp.c
bsd-comp.c
ethertypes.h
hfsc.c
hfsc.h
if.c
if.h
if_aoe.c
if_aoe.h
if_arp.h
if_bridge.c
if_bridge.h
if_dl.h
if_enc.c
if_enc.h
if_ethersubr.c
if_gif.c
if_gif.h
if_gre.c
if_gre.h
if_llc.h
if_loop.c
if_media.c
if_media.h
if_mpe.c
if_pflog.c
if_pflog.h
if_pflow.c
if_pflow.h
if_pfsync.c
if_pfsync.h
if_ppp.c
if_ppp.h
if_pppoe.c
if_pppoe.h
if_pppvar.h
if_pppx.c
if_sl.c
if_slvar.h
if_sppp.h
if_spppsubr.c
if_trunk.c
if_trunk.h
if_tun.c
if_tun.h
if_types.h
if_var.h
if_vether.c
if_vlan.c
if_vlan_var.h
if_vxlan.c
if_vxlan.h
netisr.c
netisr.h
pf.c
pf_if.c
pf_ioctl.c
pf_lb.c
pf_norm.c
pf_osfp.c
pf_ruleset.c
pf_table.c
pfkey.c
pfkeyv2.c
pfkeyv2.h
pfkeyv2_convert.c
pfkeyv2_parsemessage.c
pfvar.h
pipex.c
pipex.h
pipex_local.h
ppp-comp.h
ppp-deflate.c
ppp_defs.h
ppp_tty.c
radix.c
radix.h
radix_mpath.c
radix_mpath.h
raw_cb.c
raw_cb.h
raw_usrreq.c
route.c
route.h
rtsock.c
slcompress.c
slcompress.h
slip.h
trunklacp.c
trunklacp.h

which is odd - maybe I updated from a mirror which hadn't been sync'ed 
yet with the latest. Just checked the "snapshots" directory and looks 
like it got updated today so will try again now  :-)


Thanks again Stuart for all your help!

Regards,

Kaya



Re: vmd on Proliant DL360p Gen8: panic

2017-07-27 Thread Mike Larkin
On Wed, Jul 26, 2017 at 12:52:01PM +0200, Joaquín Herrero Pintado wrote:
> Hi,
> 
> I'm just trying vmm from OpenBSD 6.1 on a HP Proliant DL360p Gen8 and I'm
> having some issues I want to share just to help developers. I will be glad
> in using this machine to host a bunch of OpenBSD machines with relayd,
> httpd, etc to host services and help balancing other services from my
> organisation.
> 
> Here are the things I detected:
> 
> 1. In spite of booting bsd (or bsd.mp) from cd0a, after this the device cd0
> is not detected by the kernel and so is not available to install the sets.
> I managed to install OpenBSD from http.  You can see on dmesg output that
> no cd0 device is detected.
> 2. On dmesg there are some timeouts on pciide0:0:0:  device
> 3. Also on dmesg, after detecting pci15 at mainbus0 bus 32, there are
> several mem address conflicts
> 
> I don't know if (2) and (3) are related with the panic.
> 
> After getting root prompt I used fw_update to get vmm-bios.
> 
> I created and mounted a partition on /var/vmm to store there all vm images.
> 
> Then I tried start a new vm test machine using the same example as in
> vmctl(8) man page:
> 
> # cd /var/vmm
> # vmctl create disk.img -s 4.5G
> vmctl: imagefile created
> # vmctl start "myvm" -m 1G -i 1 -d disk.img
> vmctl: started vm 1 successfully, tty /dev/ttyp1
> # vmctl status
>ID   PID VCPUS  MAXMEM  CURMEM TTYOWNER NAME
> #
> 
> The machine didn't appear as started so I checked log messages:
> 
> # tail /var/log/messages
> (...) vmd[71615]: myvm: started vm 1 successfully, tty /dev/ttyp1
> (...) vmd[42078]: vcpu_run_loop: vm 1 / vcpu 0 run ioctl failed: Invalid
> argument
> 
> While I was searching for info on this error (not touching the terminal) I
> got a kernel panic:
> 
> Data modified on freelist: word 154145165 of object 0xd4e3b400 size 0x6c
> previous type pcb (invalid addr 0xd4efb280)
> uvm_fault(0xd0ba8a40, 0xd4efb000, 0, 1) -> e
> kernel: page fault trap, code=0
> Stopped at malloc+0x181: movl 0x8(%ebx),%eax
> ddb{0}>
> 

While this may or may not be related to vmm, is there a reason you are using
i386 here? You probably want amd64. Note that vmm on i386 should work but it's
possible something rotted recently. I don't have hardware at the moment to
verify but I can check into it next week.

In the meantime, can you confirm you really want i386 on this machine?

-ml

> 
> This is hardware description from sysctl
> 
> # sysctl hw
> hw.machine=i386
> hw.model=Intel(R) Xeon(R) CPU E5-2650 v2 @ 2.60GHz ("GenuineIntel"
> 686-class)
> hw.ncpu=32
> hw.byteorder=1234
> hw.pagesize=4096
> hw.disknames=sd0:49c998d38dc7ac33
> hw.diskcount=1
> hw.sensors.acpitz0.temp0=8.30 degC (zone temperature)
> hw.sensors.cpu0.temp0=37.00 degC
> hw.sensors.ciss0.drive0=online (sd0), OK
> hw.cpuspeed=2594
> hw.setperf=100
> hw.vendor=HP
> hw.product=ProLiant DL360p Gen8
> hw.serialno=CZJ448063M
> hw.uuid=36353430-3831-435a-4a34-34383036334d
> hw.physmem=3184709632
> hw.usermem=3182665728
> hw.ncpufound=32
> hw.allowpowerdown=1
> hw.perfpolicy=manual
> 
> 
> This is the dmesg. Sorry, but is truncated at the start and I don't know
> how to get it complete:
> 
> ,ARAT
> cpu24 at mainbus0: apid 33 (application processor)
> cpu24: Intel(R) Xeon(R) CPU E5-2650 v2 @ 2.60GHz ("GenuineIntel" 686-class)
> 2.60 GHz
> cpu24:
> FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,PAGE1GB,LONG,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT
> cpu25 at mainbus0: apid 35 (application processor)
> cpu25: Intel(R) Xeon(R) CPU E5-2650 v2 @ 2.60GHz ("GenuineIntel" 686-class)
> 2.60 GHz
> cpu25:
> FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,PAGE1GB,LONG,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT
> cpu26 at mainbus0: apid 37 (application processor)
> cpu26: Intel(R) Xeon(R) CPU E5-2650 v2 @ 2.60GHz ("GenuineIntel" 686-class)
> 2.60 GHz
> cpu26:
> FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,PAGE1GB,LONG,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT
> cpu27 at mainbus0: apid 39 (application processor)
> cpu27: Intel(R) Xeon(R) CPU E5-2650 v2 @ 2.60GHz ("GenuineIntel" 686-class)
> 2.60 GHz
> cpu27:
> 

Question about pf tables and limitation of addresses 0.0.0.0/0 or 0/0

2017-07-27 Thread Donald Clark Jackson

The FAQ (https://www.openbsd.org/faq/pf/tables.html#addr) states:

One limitation when specifying addresses is that 0.0.0.0/0 and 0/0 will 
not work in tables.

Is this (still) correct?

I have tried this and it seems to be working fine, AFAICT.

I am having trouble reconciling the stated limitation with my seemingly working 
ruleset below

Here is what I tried:

table  const { !10/8 !172.16/12 !192.168/16 0/0 }
guest_hq_if = "em3"
guest_hq_net = $guest_hq_if:network
pass log (matches) from $guest_hq_net to  keep state

and elsewhere in my ruleset:

match out log (matches) on $external_if inet from $guest_hq_net nat-to 
($external_if)

For background, what I am trying to do is to provide access to the Internet 
from a guest network through my pf firewall/router, and not let this guest
traffic leak into other internal private/rfc1918 networks

The machine I tested this on is running OpenBSD 5.8/amd64 (yes I will be 
updating to 6.1 shortly...)
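The way pf resolves a table like the one in the ruleset above (longest-prefix match, with a negated entry meaning "not in the table" when it is the most specific match) is easy to get wrong by eye, so here is a small model of that evaluation. This is an added example, not part of the original post and not pf's own code; the table name is missing from the post as extracted and is assumed here to be guest_hq_out, and the test addresses are constructed.

```python
"""Model of how pf evaluates a table with negated entries and a 0/0 catch-all.

Added example, not pf's code. pf tables match on the longest prefix, and if
the most specific matching entry is negated ("!") the address does not match
the table at all. The entries below are the ones from the posted ruleset.
"""
import ipaddress

# Constructed from the posted ruleset: RFC 1918 space negated, 0/0 catches the rest.
# (Table name assumed to be guest_hq_out; it is not visible in the post.)
GUEST_TABLE = ["!10/8", "!172.16/12", "!192.168/16", "0/0"]


def expand_pf_shorthand(entry: str) -> str:
    """pf.conf accepts '10/8', '172.16/12' and '0/0'; pad IPv4 to four octets."""
    addr, _, plen = entry.partition("/")
    if ":" not in addr:                      # IPv6 needs no padding
        octets = addr.split(".")
        octets += ["0"] * (4 - len(octets))
        addr = ".".join(octets)
    return addr + ("/" + plen if plen else "")


def parse_table(entries):
    """Return [(network, negated)] in the order written."""
    parsed = []
    for e in entries:
        negated = e.startswith("!")
        net = ipaddress.ip_network(expand_pf_shorthand(e.lstrip("!")), strict=False)
        parsed.append((net, negated))
    return parsed


def table_match(table, address: str) -> bool:
    """Longest-prefix match; a negated best match means 'not in table'."""
    ip = ipaddress.ip_address(address)
    best = None
    for net, negated in table:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, negated)
    return best is not None and not best[1]


def classify(entries, addresses):
    """Map each address to whether 'to <table>' would match it."""
    table = parse_table(entries)
    return {a: table_match(table, a) for a in addresses}


if __name__ == "__main__":
    # Constructed sample destinations: public, each RFC 1918 block, and the
    # two ranges people tend to forget that 0/0 also covers.
    for addr, hit in classify(GUEST_TABLE, ["8.8.8.8", "10.1.2.3", "172.16.5.5",
                                            "172.32.0.1", "192.168.1.1",
                                            "127.0.0.1", "169.254.1.1"]).items():
        print(f"{addr:>12}  {'match' if hit else 'no match'}")
```

On the firewall itself the equivalent check against the live table is `pfctl -t guest_hq_out -T test 10.1.2.3` (name assumed as above). Running the model also shows that 127.0.0.1 and 169.254.1.1 match, because 0/0 only has the three negated blocks carved out of it, so a rule that passes guest traffic "to" this table also passes it to loopback, link-local and the firewall's own non-RFC 1918 addresses unless another rule blocks them.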




Re: Best way to monitor battery status on laptop

2017-07-27 Thread Carlos Cardenas
Awesome.

Looks like I overlooked apm(8).  That does the job indeed.

Thanks Jan and Manuel.

On 2017-07-27 02:40, Jan Stary wrote:
> On Jul 26 17:11:02, cardena...@gmail.com wrote:
>> Been using my toughbook with OpenBSD more and more and one of the things
>> that I seem to be missing is simple battery status (percent remaining,
>> if it's being charged, etc...) in my tmux(1) or wmii(1) session.
> 
> Here is a two-line ~/.tmux.conf which uses apm(8)
> to display the battery status:
> 
> set -g status-interval 60
> set -g status-right '#h | #(test `apm -b` -lt 4 && echo "`apm -l`%% | ")%H:%M'
> 

+--+
Carlos



Re: Using queueing on asynchronous interface

2017-07-27 Thread Stuart Henderson
On 2017-07-26, Kaya Saman  wrote:
>
> [snip]
>> I'm finding that I don't really need much in the way of "downstream"
>> queueing though. It might be needed in special cases but using mikeb's
>> shiny new fq-codel code in -current, one single queue definition on the
>> upstream interface is keeping traffic flowing nicely.
>>
>> queue hfsq-em1 on em1 flows 1024 bandwidth $BW_ZEN max $BW_ZEN quantum 400 
>> qlimit 1000 default
>
> Is fq_codel already implemented in -current yet?

Yes.

> I just grabbed the latest snapshot but can't find the files in the 
> sys/net directory??
>
> https://github.com/openbsd/src/tree/master/sys/net

https://github.com/openbsd/src/commits/master/sys/net/fq_codel.c
(and other files).



Re: stub-addr in unbound.conf & unbound man page wording

2017-07-27 Thread Stuart Henderson
On 2017-07-26, Damian McGuckin  wrote:
>
> Theo,
>
> On Wed, 26 Jul 2017, Theo de Raadt wrote:
>
>> This is due to the socket pledge code, with SOCK_DNS.  This area was
>> damaged during the transition to pledge, and hasn't been repaired.

/usr/bin/dig is certainly restricted by pledge. Compare with one of the
alternatives from packages - drill, kdig (in the knot package),
/usr/local/bin/dig (isc-bind). The latter does also use pledge but
a weaker one than /usr/bin/dig which still allows normal DNS admin
operations.

> I am not convinced it is. But I can always be proven wrong and often am.
>
> I think my problem is purely an issue with unbound or maybe the way I am 
> using/configuring it.

You don't show a complete unbound.conf so I can't be sure, but my first guess
would be that you have left do-not-query-localhost at the default.
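As an added example of the combination Stuart's guess points at (not a config from the original thread; zone name and port are hypothetical), this is the unbound.conf shape that fails with the default and works once the server option is flipped:

```conf
server:
    # Default is "yes": unbound refuses to send queries to 127.0.0.0/8 and ::1,
    # so a stub-addr on localhost is never contacted and lookups for the
    # stub zone fail.  Set it to "no" when the stub server lives on this host.
    do-not-query-localhost: no

stub-zone:
    name: "internal.example"        # hypothetical zone
    stub-addr: 127.0.0.1@5353       # hypothetical local authoritative server, port after '@'
```

Run `unbound-checkconf` after editing; it catches misspelled options but not a stub server that is simply unreachable, so a follow-up `dig @127.0.0.1 host.internal.example` against unbound (with the pledge caveat for /usr/bin/dig noted above) is still the real test.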




Re: Some questions about vmm and xorg

2017-07-27 Thread Josh Grosse

On 2017-07-27 11:30, G wrote:
> Hello.
>
> Some questions about vmm
> Does vmm (on openbsd current) support running xorg?

I'll restate this question, because the X11 Windows System uses a
client/server model, and X.Org software includes both clients and servers.

   * X11 Clients are the graphical applications.
   * X11 Servers are the X display devices.

So, "What part of the X11 Windows System is available for vmm(4) guests"
is a better question, and one that I can answer.

X client applications work fine from within a vmm(4) guest, as they do
from any server that does not have a graphics display.  The typical
communication path between the application and a workstation display (the
X Server) is with ssh(1) X11 Forwarding.  See sshd_config(5),
ssh_config(5), and ssh(1) man pages for details.

If a user wanted to operate a window manager for the vmm(4) guest and its
various X clients, Xephyr(1) or Xnest(1) are both available.



Some questions about vmm and xorg

2017-07-27 Thread G
Hello.

Some questions about vmm
Does vmm (on openbsd current) support running xorg?
if not are there any plans for it?

thanks!



Need help securing SMTP (thunderbird says it's not encrypted)

2017-07-27 Thread Paul Covello
I have an OpenBSD 6.1 box set up with OpenSMTPD and Dovecot on Vultr (a 
VPS provider).

This machine is intended for use as my primary mail server.  I have a Let’s 
Encrypt certificate installed and declared in the smtpd.conf file like so:

#   $OpenBSD: smtpd.conf,v 1.9 2016/05/03 18:43:45 jung Exp $

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

# pki setup (Define TLS Certificates for host names)

pki pfc-consulting.com certificate "/etc/ssl/pfc-consulting.com.crt"
pki pfc-consulting.com key "/etc/ssl/private/pfc-consulting.com.key"

# tables setup

table aliases file:/etc/mail/aliases
table domains file:/etc/mail/domains
table passwd passwd:/etc/mail/passwd
table virtuals file:/etc/mail/virtuals

# To accept external mail, replace with: listen on all
#
# listen on lo0

# listen ports setup

listen on lo0
listen on egress port 25 tls-require pki pfc-consulting.com auth 
listen on egress port 587 tls-require pki pfc-consulting.com auth 

# special case for gmail to avoid ipv6 here
limit mta for domain gmail.com inet4

# allow local messages
accept from local for local alias  deliver to lmtp "/var/dovecot/lmtp" 
rcpt-to

# allow virtual domains
accept from any for domain  virtual  deliver to lmtp 
"/var/dovecot/lmtp" rcpt-to

# allow outgoing mails
accept from local for any relay

I have the system set up for IMAP only (no POP3) and I have sent and received 
email from my computer at home to this machine.

(as an aside, I have MX and spf records defined in DNS)

I can send and receive mail ok using Apple Mail on my mac.  Thunderbird is 
another story…  I am warned when I set up the account that SMTP is NOT 
encrypted.

This has driven me batty all week.  My Google-Foo fails me and reading through 
my Dovecot book and smtpd man pages have not enlightened me as to why this is 
not using TLS.

When I telnet to the machine on port 587 and issue the EHLO command, STARTTLS 
does appear in the response.  Also, OpenSMTPD shows when I type the help 
command.

issuing a Mail command comes back with the response that STARTTLS must be done 
first.

Can someone clue me in on what I might be missing?

Thanks in advance for your help!

— Paul.
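The observations in this post (STARTTLS advertised on 587, MAIL refused until STARTTLS is done) are exactly what a mail client checks before deciding whether the submission port is "encrypted", plus one thing the telnet test cannot show: whether the certificate verifies for the hostname the client was given. The probe below does that check the way a client would. It is an added example, not code from the original post or from OpenSMTPD; the FakeSubmissionServer is a constructed test double (no certificate, so it answers STARTTLS with a 454) that lets the probe run offline, and the EHLO and MAIL FROM names are assumed.

```python
"""Probe a mail submission port the way a mail client does.

Added example, not from the original post or from OpenSMTPD.  Reports whether
STARTTLS is offered, whether AUTH is exposed before TLS, whether MAIL is
refused before TLS, and whether the certificate verifies.  Point
probe_submission() at a real host and port 587 to check a live server.
"""
import smtplib
import socket
import ssl
import threading


def probe_submission(host: str, port: int, do_tls: bool = True,
                     timeout: float = 5.0) -> dict:
    """Speak plaintext ESMTP first, then (optionally) upgrade with STARTTLS."""
    result = {"starttls_offered": False, "auth_before_tls": False,
              "mail_refused_before_tls": False, "auth_after_tls": None,
              "tls": None}
    # local_hostname is the EHLO name (assumed value; also avoids a slow getfqdn()).
    s = smtplib.SMTP(host, port, local_hostname="probe.example.invalid",
                     timeout=timeout)
    try:
        s.ehlo()
        result["starttls_offered"] = s.has_extn("starttls")
        # A listener that requires TLS must not advertise AUTH on the plaintext leg.
        result["auth_before_tls"] = s.has_extn("auth")
        code, _ = s.docmd("MAIL", "FROM:<probe@example.invalid>")   # assumed sender
        result["mail_refused_before_tls"] = code in (503, 530)
        if do_tls and result["starttls_offered"]:
            # create_default_context() verifies the chain against the system
            # trust store and checks the hostname, which is what a client such
            # as Thunderbird does before it treats the connection as encrypted.
            ctx = ssl.create_default_context()
            try:
                s.starttls(context=ctx)
                s.ehlo()                      # capabilities may differ after TLS
                result["tls"] = "ok"
                result["auth_after_tls"] = s.has_extn("auth")
            except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
                result["tls"] = f"failed: {exc}"
    finally:
        try:
            s.quit()
        except smtplib.SMTPException:
            pass
        s.close()
    return result


class FakeSubmissionServer(threading.Thread):
    """Constructed stand-in for a port-587 listener behaving like the posted
    'listen on egress port 587 tls-require ... auth' line: STARTTLS advertised,
    AUTH hidden and MAIL refused until TLS is up.  It carries no certificate,
    so STARTTLS gets a 454 and the probe records a TLS failure."""

    def __init__(self) -> None:
        super().__init__(daemon=True)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))          # ephemeral port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self) -> None:
        conn, _ = self.sock.accept()

        def reply(line: str) -> None:
            conn.sendall((line + "\r\n").encode("ascii"))

        reply("220 mail.example.invalid ESMTP (constructed test double)")
        with conn.makefile("rb") as rfile:
            for raw in rfile:
                words = raw.decode("ascii", "replace").split()
                verb = words[0].upper() if words else ""
                if verb == "EHLO":
                    reply("250-mail.example.invalid Hello")
                    reply("250-STARTTLS")
                    reply("250 8BITMIME")
                elif verb in ("MAIL", "AUTH"):
                    reply("530 5.7.0 Must issue a STARTTLS command first")
                elif verb == "STARTTLS":
                    reply("454 4.7.0 TLS not available in this test double")
                elif verb == "QUIT":
                    reply("221 2.0.0 Bye")
                    break
                else:
                    reply("500 5.5.1 Command unrecognized")
        conn.close()
        self.sock.close()


if __name__ == "__main__":
    srv = FakeSubmissionServer()
    srv.start()
    print(probe_submission("127.0.0.1", srv.port))
```

Against a live server, a result with `starttls_offered` True and `tls` "ok" means 587 is doing what the config intends and the client only needs "STARTTLS" selected as its connection security for that port; a `tls` value starting with "failed" followed by a certificate verify error is the case where a client will warn, even though telnet shows STARTTLS in the EHLO reply.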



Re: Best way to monitor battery status on laptop

2017-07-27 Thread Jan Stary
On Jul 26 17:11:02, cardena...@gmail.com wrote:
> Been using my toughbook with OpenBSD more and more and one of the things
> that I seem to be missing is simple battery status (percent remaining,
> if it's being charged, etc...) in my tmux(1) or wmii(1) session.

Here is a two-line ~/.tmux.conf which uses apm(8)
to display the battery status:

set -g status-interval 60
set -g status-right '#h | #(test `apm -b` -lt 4 && echo "`apm -l`%% | ")%H:%M'



Re: diff exit status

2017-07-27 Thread Ibrahim Khalifa
On Wed, Jul 26, 2017 at 11:06:02PM -0400, Ted Unangst wrote:

> Ibrahim Khalifa wrote:
> > Hi,
> > 
> > If you run diff against two directories where you have file(s) and the
> > only difference is that you have file(s) that only exist in one of the
> > directories, diff will exit with 0. If you use -N or -P it will however
> > exit with 1.
> > 
> > Reading through the man-page, I can't find any reference that this would
> > be intentional. Rather I expected it to exit with 1, since there is a
> > difference found. The only other diff I have access to is GNU diff, which
> > seems to exit with 1 in the same scenario.
> > 
> > If the behavior is intentional, I think the man-page should also reflect
> > this. Otherwise diff should be changed to exit with 1 even if -N or -P
> > isn't used.
> > 
> > Both changes are trivial and I can provide a patch if there is some
> > consensus on which behavior is the best.
> 
> it's probably an oversight. the exit code should be 1.

Great. The attached patch changes the exit code to 1.

//Ibo
? diff-direxit.patch
Index: diffdir.c
===
RCS file: /cvs/src/usr.bin/diff/diffdir.c,v
retrieving revision 1.45
diff -u -p -r1.45 diffdir.c
--- diffdir.c   5 Oct 2015 20:15:00 -   1.45
+++ diffdir.c   27 Jul 2017 09:00:48 -
@@ -132,16 +132,20 @@ diffdir(char *p1, char *p2, int flags)
if (Nflag)
diffit(dent1, path1, dirlen1, path2, dirlen2,
flags);
-   else
+   else {
print_only(path1, dirlen1, dent1->d_name);
+   status |= 1;
+   }
dp1++;
} else {
/* file only in second dir, only diff if -N or -P */
if (Nflag || Pflag)
diffit(dent2, path1, dirlen1, path2, dirlen2,
flags);
-   else
+   else {
print_only(path2, dirlen2, dent2->d_name);
+   status |= 1;
+   }
dp2++;
}
}
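Review bot: the two new `else {` blocks change the exit status for files present in only one directory, but the patch touches only diffdir.c while the thread began with diff.1 not saying how that case counts; pair this with a matching line in the man page's EXIT STATUS text so the behaviour and the documentation land together. Also, `status |= 1` assumes `status` is the same variable diffit() updates on the -N/-P path, which is not visible in the hunk; confirm it is the file-wide one rather than something local to diffdir() before committing.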


Do you know what Article marketing is?

2017-07-27 Thread CheapADV