Re: Multi-domain DKIM signature with OpenSMTPd

2020-03-18 Thread Martijn van Duren
On 3/19/20 5:06 AM, Graeme Lee wrote:
> 
> 
> On 19/03/2020 8:45 am, Martijn van Duren wrote:
>> On 3/18/20 8:41 PM, Matthieu wrote:
>>> On 18/03/2020 at 19:39, Hiltjo Posthuma wrote:
>>>> On Wed, Mar 18, 2020 at 06:23:30PM +0100, Matthieu wrote:
>>>>> Hi everybody
>>>>> I'm looking to use OpenDKIM with OpenSMTPd. Has anyone ever done it
>>>>> before?
>>>>> My first intention is to sign mails from different domains on a single
>>>>> mail server. So the
>>>>>
>>>>> OpenDKIM works with a socket and I don't know how and if it works with the
>>>>> smtpd filter.
>>>>> I've seen the «opensmtpd-filter-dkimsign» package, but we can only specify
>>>>> one domain.
>>>>>
>>>>> Otherwise I'd be looking at the side of dkimproxy if it can do the job or
>>>>> not.
>>>>>
>>>>> Thx for any help.
>>>>>
>>>> Hi,
>>>>
>>>> There's an example described in the smtpd.conf(5) man page.
>>>>
>>>> opensmtpd filters are in ports as a package: opensmtpd-filter-dkimsign
>>>>
>>>> The source-code is at: https://imperialat.at/dev/filter-dkimsign/ in main.c
>>>> It's relatively small and also privilege-separated.
>>>>
>>>> It has a parameter to set the domain name (-d). In smtpd.conf you can
>>>> define multiple filters. See also the man page filter-dkimsign(8) for
>>>> detailed information.
>>>>
>>>> I've replaced dkimproxy (Perl-based and complex) with
>>>> opensmtpd-filter-dkimsign. It works well for my needs.

>>> Hi Hiltjo,
>>> Currently I already use opensmtpd-filter-dkimsign, but I didn't
>>> understand how to use it for multiple domains at once.
>>>
>>> I've seen the example in the man page :
>>> https://man.openbsd.org/smtpd.conf#opensmtpd-filter-dkimsign
>>>
>>> I thought  was to be replaced by only one domain to sign. Is a
>>> domain a table like Alias? If so, what is the format of the file? But I
>>> doubt it since in the filter code it doesn't look like a list.
>>>
>>> static char *domain = NULL;
>>> […]
>>> case 'd':
>>>   domain = optarg;
>>> […]
>>> if (!dkim_signature_printf(message,
>>>     "DKIM-Signature: v=%s; a=%s-%s; c=%s/%s; d=%s; s=%s; ", "1",
>>>     cryptalg, hashalg,
>>>     canonheader == CANON_SIMPLE ? "simple" : "relaxed",
>>>     canonbody == CANON_SIMPLE ? "simple" : "relaxed",
>>>     domain, selector))
>>>
>>> Finally in the example given in this presentation it is indeed a single
>>> domain:
>>> https://fosdem.org/2020/schedule/event/opensmtpd_in_the_cloud/attachments/slides/3736/export/events/attachments/opensmtpd_in_the_cloud/slides/3736/OpenSMTPD_Slides.pdf
>>>
>> That's because filter-dkimsign doesn't support multiple domains, and
>> unless someone can give me a good reason to do so it probably is going
>> to stay that way.
> I'm using dkimproxy for this.  I host multiple domain names. dkimproxy 
> is pretty easy to configure to sign outbound on a per domain basis.
> 
> /etc/dkimproxy_out.conf
> listen 127.0.0.1:
> relay 127.0.0.1:
> sender_map /etc/mail/dkim/sender_map
> 
> /etc/mail/dkim/sender_map
> example.com dkim(key=/etc/mail/dkim/example.com.key,d=example.com,c=relaxed,s=selector1)
> example.org dkim(key=/etc/mail/dkim/example.org.key,d=example.org,c=simple,s=selector1)
> ...
> 
> I can send the smtpdconf through if you're stuck.
> 
> If the domain being relayed is not in the map, it isn't signed. 
> dkimproxy is not doing any inbound processing.  It would be awesome to 
> pull this from a pgsql db source, which is how I manage what smtpd can 
> and cannot relay.
> 
>>
>> I know that some mail providers add an additional positive score to
>> your spam rating if you have DKIM, but I reckon this is BS, because
>> DKIM is nothing more than a glorified debugging tool to tell you which
>> server butchered the content of your mail if every server in the chain
>> adds a DKIM signature. To be precise: it only tells you that a
>> particular domain owner (d-option) knows what server(s) a particular key
>> (s-option) belongs to, so that if a signature fails it could only
>> have happened before the last server which has a valid signature.
>>
>> Could you explain why you (think you) need to have multiple domain
>> support?
> I own (and manage) multiple domains.  Why would I not take advantage of 
> virtual domains on 1 host?

I do too, but as far as I'm aware there's nothing in the spec that states
that a mail domain should be signed with a key in its own domain; and
I'd like to think that I've been pretty thorough while reading it multiple
times. If I want I can sign a mail with an @gmail.com sender on it with
my personal imperialat.at DKIM key and recipients will properly validate
it.

So yes, I have multiple virtual hosts and only one key (domain+selector)
per server. And if you were to look through your mailbox you'd find
multiple vendors who also sign their mail with a different domain in
their DKIM signature than is in the domain component of their from
header; including office365.
> 
> Graeme
> 
> 
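Graeme's per-domain sender_map and Martijn's remark that the d= domain need not match the From: domain, as an added Python example (not code from the thread, dkimproxy or filter-dkimsign); the map entries, key paths and message body are constructed, and the RSA signature itself (b=) is left out.

```python
"""Added example, not code from the thread, dkimproxy or filter-dkimsign:
a dkimproxy-style sender_map selecting DKIM parameters per sender domain,
the c=simple / c=relaxed body canonicalizations of RFC 6376 section 3.4
with the resulting bh= value, and the header prefix built the way the
quoted dkim_signature_printf() call does.  The RSA signature (b=) that a
real signer adds over the header hash is deliberately not computed here.
"""
import base64
import hashlib
import re

# Constructed sender_map in the shape of the dkimproxy entries quoted in the
# thread: sender domain -> key path, d=, c= and s= values.  Not real keys.
SENDER_MAP = {
    "example.com": {"key": "/etc/mail/dkim/example.com.key",
                    "d": "example.com", "c": "relaxed", "s": "selector1"},
    "example.org": {"key": "/etc/mail/dkim/example.org.key",
                    "d": "example.org", "c": "simple", "s": "selector1"},
}


def _domain_of(addr):
    """Domain part of 'user@host' or 'Name <user@host>', lower-cased."""
    addr = addr.rsplit("<", 1)[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower()


def lookup_signing_params(sender):
    """Map entry for the sender's domain, or None when the domain is not in
    the map (dkimproxy then relays the mail unsigned, as the thread says)."""
    return SENDER_MAP.get(_domain_of(sender))


def _to_crlf(body):
    """Normalise line endings so both canonicalizers only ever see CRLF."""
    return body.replace("\r\n", "\n").replace("\n", "\r\n")


def canonicalize_body_simple(body):
    """c=simple: drop empty lines at the end of the body; a body that is
    empty or lacks a final CRLF gets one (so an empty body becomes CRLF)."""
    body = _to_crlf(body)
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body


def canonicalize_body_relaxed(body):
    """c=relaxed: collapse runs of SP/TAB to one SP, strip trailing
    whitespace per line, drop trailing empty lines; every remaining line
    ends in CRLF, so an empty body stays empty."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ")
             for ln in _to_crlf(body).split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)


def body_hash(body, canon):
    """bh= tag value: base64 of SHA-256 over the canonicalized body."""
    canon_fn = {"simple": canonicalize_body_simple,
                "relaxed": canonicalize_body_relaxed}[canon]
    digest = hashlib.sha256(canon_fn(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def dkim_signature_prefix(params, body):
    """Fixed part of the DKIM-Signature header plus bh=.  Header and body
    canonicalization are assumed to share one method, because a sender_map
    entry carries a single c= value."""
    return ("DKIM-Signature: v=1; a=rsa-sha256; c={c}/{c}; d={d}; s={s}; "
            "bh={bh}; ".format(c=params["c"], d=params["d"], s=params["s"],
                               bh=body_hash(body, params["c"])))


def sign_or_pass(sender, body):
    """Per-domain decision: a header prefix for mapped domains, None (relay
    unsigned) for every other sender domain."""
    params = lookup_signing_params(sender)
    return None if params is None else dkim_signature_prefix(params, body)


def signing_domain_aligned(dkim_header_value, from_addr):
    """True when the d= tag equals the From: domain.  A mismatch does not
    make the signature invalid (Martijn's point in the thread); it only
    shows that another domain's key signed the mail."""
    match = re.search(r"(?:^|;)\s*d=\s*([^;\s]+)", dkim_header_value)
    signing_domain = match.group(1).lower() if match else ""
    return signing_domain == _domain_of(from_addr)


if __name__ == "__main__":
    # Constructed body with trailing whitespace and blank lines, so that
    # simple and relaxed canonicalization yield different bh= values.
    demo_body = "Hello   world \r\n\r\n\r\n"
    for sender in ("alice@example.com", "bob@example.org", "carol@other.test"):
        print(sender, "->", sign_or_pass(sender, demo_body))
    print(signing_domain_aligned("v=1; d=imperialat.at; s=sel; bh=x; b=y", "someone@gmail.com"))
```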



Re: Multi-domain DKIM signature with OpenSMTPd

2020-03-18 Thread Graeme Lee




On 19/03/2020 8:45 am, Martijn van Duren wrote:
> On 3/18/20 8:41 PM, Matthieu wrote:
>> On 18/03/2020 at 19:39, Hiltjo Posthuma wrote:
>>> On Wed, Mar 18, 2020 at 06:23:30PM +0100, Matthieu wrote:
>>>> Hi everybody
>>>> I'm looking to use OpenDKIM with OpenSMTPd. Has anyone ever done it before?
>>>> My first intention is to sign mails from different domains on a single mail
>>>> server. So the
>>>>
>>>> OpenDKIM works with a socket and I don't know how and if it works with the
>>>> smtpd filter.
>>>> I've seen the «opensmtpd-filter-dkimsign» package, but we can only specify
>>>> one domain.
>>>>
>>>> Otherwise I'd be looking at the side of dkimproxy if it can do the job or
>>>> not.
>>>>
>>>> Thx for any help.
>>>>
>>> Hi,
>>>
>>> There's an example described in the smtpd.conf(5) man page.
>>>
>>> opensmtpd filters are in ports as a package: opensmtpd-filter-dkimsign
>>>
>>> The source-code is at: https://imperialat.at/dev/filter-dkimsign/ in main.c
>>> It's relatively small and also privilege-separated.
>>>
>>> It has a parameter to set the domain name (-d). In smtpd.conf you can define
>>> multiple filters. See also the man page filter-dkimsign(8) for detailed
>>> information.
>>>
>>> I've replaced dkimproxy (Perl-based and complex) with
>>> opensmtpd-filter-dkimsign. It works well for my needs.
>>>
>> Hi Hiltjo,
>> Currently I already use opensmtpd-filter-dkimsign, but I didn't
>> understand how to use it for multiple domains at once.
>>
>> I've seen the example in the man page:
>> https://man.openbsd.org/smtpd.conf#opensmtpd-filter-dkimsign
>>
>> I thought  was to be replaced by only one domain to sign. Is a
>> domain a table like Alias? If so, what is the format of the file? But I
>> doubt it since in the filter code it doesn't look like a list.
>>
>> static char *domain = NULL;
>> […]
>> case 'd':
>>   domain = optarg;
>> […]
>> if (!dkim_signature_printf(message,
>>     "DKIM-Signature: v=%s; a=%s-%s; c=%s/%s; d=%s; s=%s; ", "1",
>>     cryptalg, hashalg,
>>     canonheader == CANON_SIMPLE ? "simple" : "relaxed",
>>     canonbody == CANON_SIMPLE ? "simple" : "relaxed",
>>     domain, selector))
>>
>> Finally in the example given in this presentation it is indeed a single
>> domain:
>> https://fosdem.org/2020/schedule/event/opensmtpd_in_the_cloud/attachments/slides/3736/export/events/attachments/opensmtpd_in_the_cloud/slides/3736/OpenSMTPD_Slides.pdf
>>
> That's because filter-dkimsign doesn't support multiple domains, and
> unless someone can give me a good reason to do so it probably is going
> to stay that way.

I'm using dkimproxy for this.  I host multiple domain names. dkimproxy
is pretty easy to configure to sign outbound on a per domain basis.

/etc/dkimproxy_out.conf
listen 127.0.0.1:
relay 127.0.0.1:
sender_map /etc/mail/dkim/sender_map

/etc/mail/dkim/sender_map
example.com dkim(key=/etc/mail/dkim/example.com.key,d=example.com,c=relaxed,s=selector1)
example.org dkim(key=/etc/mail/dkim/example.org.key,d=example.org,c=simple,s=selector1)
...

I can send the smtpdconf through if you're stuck.

If the domain being relayed is not in the map, it isn't signed.
dkimproxy is not doing any inbound processing.  It would be awesome to
pull this from a pgsql db source, which is how I manage what smtpd can
and cannot relay.

> I know that some mail providers add an additional positive score to
> your spam rating if you have DKIM, but I reckon this is BS, because
> DKIM is nothing more than a glorified debugging tool to tell you which
> server butchered the content of your mail if every server in the chain
> adds a DKIM signature. To be precise: it only tells you that a
> particular domain owner (d-option) knows what server(s) a particular key
> (s-option) belongs to, so that if a signature fails it could only
> have happened before the last server which has a valid signature.
>
> Could you explain why you (think you) need to have multiple domain
> support?

I own (and manage) multiple domains.  Why would I not take advantage of
virtual domains on 1 host?


Graeme




Re: How to test for FORTIFY_SOURCE?

2020-03-18 Thread lists
Wed, 18 Mar 2020 11:55:53 -0400 Jeffrey Walton 
> On Wed, Mar 18, 2020 at 11:25 AM Andreas Kusalananda Kähäri
>  wrote:
> >
> > On Wed, Mar 18, 2020 at 10:59:21AM -0400, Jeffrey Walton wrote:  
> > > On Wed, Mar 18, 2020 at 4:26 AM Stuart Henderson  
> > > wrote:  
> > > >
> > > > On 2020-03-18, Jeffrey Walton  wrote:  
> > > > > According to 
> > > > > https://man.openbsd.org/NetBSD-8.1/security.7#FORTIFY_SOURCE
> > > > > OpenBSD implements glibc bounds checking on certain functions. I am
> > > > > trying to detect FORTIFY_SOURCE without looking up operating system
> > > > > names and versions.  
> > > >
> > > > That is a NetBSD manual page, it does not apply to OpenBSD.  
> > >
> > > Thanks.
> > >
> > > I may be splitting hairs, but the page's title clearly says it is an
> > > OpenBSD man page.  
> >
> > I have no real connection to the OpenBSD project other than being a long
> > time user, and I have an interest in documentation.
> >
> > At the top of the page, it says "OpenBSD manual page server",
> > i.e. it's a manual page server hosted by the OpenBSD project.  The
> > link that you mention contains the string "NetBSD-8.1" and the name
> > of the manual that you're looking at is "security — NetBSD security
> > features".  Also, "NetBSD-8.1" is repeated in the page footer and the
> > string "NetBSD" occurs many times throughout the page while "OpenBSD"
> > really only occurs once.  
> 
> Hovering the mouse over the open tab says "security(7) - OpenBSD man
> pages". I double checked it when I saw the references to NetBSD.
> 
> Regarding the references to NetBSD, I thought your sed went sideways.
> I assumed OpenBSD and NetBSD were collaborating and shared code and
> docs in some places.
> 
> Figuring out why the sed was broken was not my task at hand. I was on
> the site to figure out why my test for FORTIFY_SOURCE was failing. The
> admins can figure out why the document conversion is not working when
> they notice it.
> 
> Jeff
> 

Hi Jeffrey,

I find the ability to check other manual pages so valuable.  People are aware
when they make a mistake, it's theirs for not checking what they are actually
looking at.  Instead of blaming the service available for confusing them like
it's so popular online these days.  The confusion is yours, just please don't
request service degradation for the rest of us because of that.  These online
manual pages are useful, let's all keep our eyes open and honest about it ;-)

Kind regards,
Anton Lazarov
MScEng EECSIT



Re: groups new

2020-03-18 Thread Ingo Schwarze
Hi Jan,

Jan Prunk wrote on Wed, Mar 18, 2020 at 06:08:26PM +0100:

> 0
> C Slovenia
> P SI
> T Ljubljana
> F Irregular
> O BSD User Group Slovenia
> I Jan Prunk
> M b...@groups.io
> U https://bsdug.wordpress.com
> N *BSD

I suggest you resubmit when a few meetings have taken place.
So far, i see no evidence of any activity.

The website looks as if it is unchanged since September 6, 2018,
and it says "Website is in a starting phase".

The mailing list seems to have four members and two postings,
both in December 2018 and both posted by the same person.

Yours,
  Ingo



Re: Multi-domain DKIM signature with OpenSMTPd

2020-03-18 Thread Martijn van Duren
On 3/18/20 8:41 PM, Matthieu wrote:
> On 18/03/2020 at 19:39, Hiltjo Posthuma wrote:
>> On Wed, Mar 18, 2020 at 06:23:30PM +0100, Matthieu wrote:
>>> Hi everybody
>>> I'm looking to use OpenDKIM with OpenSMTPd. Has anyone ever done it before?
>>> My first intention is to sign mails from different domains on a single mail
>>> server. So the
>>>
>>> OpenDKIM works with a socket and I don't know how and if it works with the
>>> smtpd filter.
>>> I've seen the «opensmtpd-filter-dkimsign» package, but we can only specify
>>> one domain.
>>>
>>> Otherwise I'd be looking at the side of dkimproxy if it can do the job or
>>> not.
>>>
>>> Thx for any help.
>>>
>>
>> Hi,
>>
>> There's an example described in the smtpd.conf(5) man page.
>>
>> opensmtpd filters are in ports as a package: opensmtpd-filter-dkimsign
>>
>> The source-code is at: https://imperialat.at/dev/filter-dkimsign/ in main.c
>> It's relatively small and also privilege-separated.
>>
>> It has a parameter to set the domain name (-d). In smtpd.conf you can define
>> multiple filters. See also the man page filter-dkimsign(8) for detailed
>> information.
>>
>> I've replaced dkimproxy (Perl-based and complex) with
>> opensmtpd-filter-dkimsign. It works well for my needs.
>>
> 
> Hi Hiltjo,
> Currently I already use opensmtpd-filter-dkimsign, but I didn't 
> understand how to use it for multiple domains at once.
> 
> I've seen the example in the man page :
> https://man.openbsd.org/smtpd.conf#opensmtpd-filter-dkimsign
> 
> I thought  was to be replaced by only one domain to sign. Is a 
> domain a table like Alias? If so, what is the format of the file? But I 
> doubt it since in the filter code it doesn't look like a list.
> 
> static char *domain = NULL;
> […]
> case 'd':
>   domain = optarg;
> […]
> if (!dkim_signature_printf(message,
>     "DKIM-Signature: v=%s; a=%s-%s; c=%s/%s; d=%s; s=%s; ", "1",
>     cryptalg, hashalg,
>     canonheader == CANON_SIMPLE ? "simple" : "relaxed",
>     canonbody == CANON_SIMPLE ? "simple" : "relaxed",
>     domain, selector))
> 
> Finally in the example given in this presentation it is indeed a single 
> domain:
> https://fosdem.org/2020/schedule/event/opensmtpd_in_the_cloud/attachments/slides/3736/export/events/attachments/opensmtpd_in_the_cloud/slides/3736/OpenSMTPD_Slides.pdf
>  
> 
That's because filter-dkimsign doesn't support multiple domains, and
unless someone can give me a good reason to do so it probably is going
to stay that way.

I know that some mail providers add an additional positive score to
your spam rating if you have DKIM, but I reckon this is BS, because
DKIM is nothing more than a glorified debugging tool to tell you which
server butchered the content of your mail if every server in the chain
adds a DKIM signature. To be precise: it only tells you that a
particular domain owner (d-option) knows what server(s) a particular key
(s-option) belongs to, so that if a signature fails it could only
have happened before the last server which has a valid signature.

Could you explain why you (think you) need to have multiple domain
support?
> 
> Besides, I can't find the man page you're talking about:
> https://man.openbsd.org/filter-dkimsign

man.openbsd.org doesn't contain manpages for packages.
But it should be installed with the package (man filter-dkimsign)
> 
> Finally, I understand how to write multiple filters, but not how to 
> modify the "listen" directive to choose the right filter.
> 
You (currently?) can't. If you want multiple conditions on different
filters you would need to create multiple listening sockets (e.g.
multiple ips or ports) and apply the correct match-rules based on the
socket.

martijn@



Re: How to test for FORTIFY_SOURCE?

2020-03-18 Thread Luke A. Call
On 03-18 20:29, Ingo Schwarze wrote:
> I have definitely collaborated with at least these NetBSD developers
> in the past:

And a lame but sincere thanks to Ingo, Theo, and everyone else, 
for the impressive work freely given, and for patiently tolerating 
the rest of us.



Re: Multi-domain DKIM signature with OpenSMTPd

2020-03-18 Thread Matthieu

On 18/03/2020 at 19:39, Hiltjo Posthuma wrote:
> On Wed, Mar 18, 2020 at 06:23:30PM +0100, Matthieu wrote:
>> Hi everybody
>> I'm looking to use OpenDKIM with OpenSMTPd. Has anyone ever done it before?
>> My first intention is to sign mails from different domains on a single mail
>> server. So the
>>
>> OpenDKIM works with a socket and I don't know how and if it works with the
>> smtpd filter.
>> I've seen the «opensmtpd-filter-dkimsign» package, but we can only specify
>> one domain.
>>
>> Otherwise I'd be looking at the side of dkimproxy if it can do the job or
>> not.
>>
>> Thx for any help.
>>
> Hi,
>
> There's an example described in the smtpd.conf(5) man page.
>
> opensmtpd filters are in ports as a package: opensmtpd-filter-dkimsign
>
> The source-code is at: https://imperialat.at/dev/filter-dkimsign/ in main.c
> It's relatively small and also privilege-separated.
>
> It has a parameter to set the domain name (-d). In smtpd.conf you can define
> multiple filters. See also the man page filter-dkimsign(8) for detailed
> information.
>
> I've replaced dkimproxy (Perl-based and complex) with
> opensmtpd-filter-dkimsign. It works well for my needs.

Hi Hiltjo,
Currently I already use opensmtpd-filter-dkimsign, but I didn't
understand how to use it for multiple domains at once.

I've seen the example in the man page:
https://man.openbsd.org/smtpd.conf#opensmtpd-filter-dkimsign

I thought  was to be replaced by only one domain to sign. Is a
domain a table like Alias? If so, what is the format of the file? But I
doubt it since in the filter code it doesn't look like a list.

static char *domain = NULL;
[…]
case 'd':
  domain = optarg;
[…]
if (!dkim_signature_printf(message,
    "DKIM-Signature: v=%s; a=%s-%s; c=%s/%s; d=%s; s=%s; ", "1",
    cryptalg, hashalg,
    canonheader == CANON_SIMPLE ? "simple" : "relaxed",
    canonbody == CANON_SIMPLE ? "simple" : "relaxed",
    domain, selector))

Finally in the example given in this presentation it is indeed a single
domain:
https://fosdem.org/2020/schedule/event/opensmtpd_in_the_cloud/attachments/slides/3736/export/events/attachments/opensmtpd_in_the_cloud/slides/3736/OpenSMTPD_Slides.pdf

Besides, I can't find the man page you're talking about:
https://man.openbsd.org/filter-dkimsign

Finally, I understand how to write multiple filters, but not how to
modify the "listen" directive to choose the right filter.







Re: How to test for FORTIFY_SOURCE?

2020-03-18 Thread Ingo Schwarze
Hi,

Theo de Raadt wrote on Wed, Mar 18, 2020 at 12:44:03PM -0600:
> Ingo Schwarze  wrote:
>> Jeffrey Walton wrote on Wed, Mar 18, 2020 at 11:55:53AM -0400:

>>> I assumed OpenBSD and NetBSD were collaborating and shared code
>>> and docs in some places.

>> To a limited extent, that is true.

> To a limited extent, it is true that birds and fish are friends.
> 
> In other words, it is untrue.  There isn't collaboration.

I have definitely collaborated with at least these NetBSD developers
in the past:

 * Joerg Sonnenberger (joerg@)
 * Thomas Klausner (wiz@)
 * Christos Zoulas (christos@)

"Collaboration" in the sense that there was consistent working
together on joint projects for months, with Joerg even for years.
Besides, Sevan Janiyan (sevan@) has been one of the most prolific
mandoc release testers for four years now, to the point that i might
call that collaboration.  Eight other NetBSD developers have provided
minor contributions over the years, the overall effect of which
also feels like systematic collaboration to me.

Similar effects exist for FreeBSD (bapt@) and Debian (stapelberg@)
and to a lesser degree for Illumos (Yuri Pankov) and Void Linux (Leah
Neukirchen).

I even attended a mini-hackathon organized by a NetBSD developer
in the past, and the code both the NetBSD developer and i wrote
there is still part of both OpenBSD and NetBSD.  That is certainly
worth being called collaboration.

> And there isn't sharing.  At best there is freely given stuff which
> is sometimes taken.  I propose not using the word "share" since people
> may believe it is one of the stronger meanings of the word.  At best
> it is the weakest meaning.

It seems true that "freely give" is not as easily misunderstood
as "share".

Yours,
  Ingo



Re: How to test for FORTIFY_SOURCE?

2020-03-18 Thread Luke A. Call
On 03-18 19:22, Ingo Schwarze wrote:
> > Ingo -- I think using man.openbsd.org as a "testbed for all possible
> > man page hierarchies" is incorrect.
> 
> It was never a testbed, but a production service with several parts
> provided nowhere else (well, at least until FreeBSD followed our
> lead and started providing something very similar).
> 
> For example, for DragonFly, Illumos, and NetBSD, semantic searching
> is neither supported by their native apropos(1) on the command line
> nor by their own websites.
> 
> But since you have a point that such services hardly belong
> on *.openbsd.org, they are now on *.bsd.lv, where misunderstandings
> like the one witnessed above are unlikely to happen.

Providing a simple link from the man.openbsd.org page to the services
on *.bsd.lv might help those who are used to looking in the old
location, while avoiding possible "which bsd" confusion (maybe called 
"Some other systems' manuals", or such).  Especially for those not
reading this thread.  Just a thought.


-- 
Luke Call
My thoughts:  http://lukecall.net  (updated 2020-03-13)



Re: How to test for FORTIFY_SOURCE?

2020-03-18 Thread Theo de Raadt
Ingo Schwarze  wrote:

> Hi Jeffrey,
> 
> Jeffrey Walton wrote on Wed, Mar 18, 2020 at 11:55:53AM -0400:
> 
> > I assumed OpenBSD and NetBSD were collaborating and shared code and
> > docs in some places.
> 
> To a limited extent, that is true.

To a limited extent, it is true that birds and fish are friends.

In other words, it is untrue.  There isn't collaboration.  And there
isn't sharing.  At best there is freely given stuff which is sometimes
taken.  I propose not using the word "share" since people may believe it
is one of the stronger meanings of the word.  At best it is the weakest
meaning.



Re: Multi-domain DKIM signature with OpenSMTPd

2020-03-18 Thread Hiltjo Posthuma
On Wed, Mar 18, 2020 at 06:23:30PM +0100, Matthieu wrote:
> Hi everybody
> I'm looking to use OpenDKIM with OpenSMTPd. Has anyone ever done it before?
> My first intention is to sign mails from different domains on a single mail
> server. So the
> 
> OpenDKIM works with a socket and I don't know how and if it works with the
> smtpd filter.
> I've seen the «opensmtpd-filter-dkimsign» package, but we can only specify
> one domain.
> 
> Otherwise I'd be looking at the side of dkimproxy if it can do the job or
> not.
> 
> Thx for any help.
> 

Hi,

There's an example described in the smtpd.conf(5) man page.

opensmtpd filters are in ports as a package: opensmtpd-filter-dkimsign

The source-code is at: https://imperialat.at/dev/filter-dkimsign/ in main.c
It's relatively small and also privilege-separated.

It has a parameter to set the domain name (-d). In smtpd.conf you can define
multiple filters. See also the man page filter-dkimsign(8) for detailed
information.

I've replaced dkimproxy (Perl-based and complex) with
opensmtpd-filter-dkimsign. It works well for my needs.

-- 
Kind regards,
Hiltjo



Re: How to test for FORTIFY_SOURCE?

2020-03-18 Thread Ingo Schwarze
Hi Jeffrey,

Jeffrey Walton wrote on Wed, Mar 18, 2020 at 11:55:53AM -0400:

> I assumed OpenBSD and NetBSD were collaborating and shared code and
> docs in some places.

To a limited extent, that is true.

For example, NetBSD includes mandoc(1) which is predominantly
developed on OpenBSD while OpenBSD includes editline(7) which
is predominantly developed on NetBSD.

But that doesn't mean either system slavishly copies changes
from the other, nor that components both contain work in
exactly the same way.  Developers of both systems use their
own judgement to decide what to merge from the other system,
and when.

So please do use the documentation from the right system even
for those components that are very similar on both, or you will
sooner or later stumble over some subtle difference.

Yours,
  Ingo



Multi-domain DKIM signature with OpenSMTPd

2020-03-18 Thread Matthieu

Hi everybody
I'm looking to use OpenDKIM with OpenSMTPd. Has anyone ever done it
before?
My first intention is to sign mails from different domains on a single
mail server. So the


OpenDKIM works with a socket and I don't know how and if it works with
the smtpd filter.
I've seen the «opensmtpd-filter-dkimsign» package, but we can only
specify one domain.


Otherwise I'd be looking at the side of dkimproxy if it can do the job 
or not.


Thx for any help.



Re: How to test for FORTIFY_SOURCE?

2020-03-18 Thread Ingo Schwarze
Hi Theo,

Theo de Raadt wrote on Wed, Mar 18, 2020 at 09:06:25AM -0600:
> Jeffrey Walton  wrote:

>> What is the purpose of supplying man pages for the wrong operating
>> system?

The purpose is to make it simpler to compare how different systems
work without having to jump back and forth among different sites
using different URI schemes and running different software.  Also,
the man.cgi(8) from the mandoc toolset is way better than the software
running on netbsd.gw.com, leaf.dragonflybsd.org, illumos.org, and
man7.org, which provide neither semantic searching nor tagging/deep
linking of comparable quality.

Note that www.freebsd.org now also runs the man.cgi(8) from the
mandoc toolset - after several years hoping to switch to it, they
finally did it.

>> It wastes people's time and breaks search. This search does
>> not produce expected results:
>> https://www.google.com/search?q=FORTIFY_SOURCE+site%3Aopenbsd.org.

Do not search the web for software documentation.  That's a bad idea
in the first place.  You are likely to end up with documentation for
the wrong version of the software in question, which is exactly
what happened to you here.  Use authoritative documentation for the
system you are interested in, instead.

>> If you really want to confuse folks, maybe OpenSD can supply
>> Windows man pages.

> I'm going to stand up and agree.

You have a point that non-OpenBSD manual pages are better served
from the *portable* mandoc site than from man.openbsd.org.
So i just deleted the non-OpenBSD lines from manpath.conf
on man.openbsd.org.

For now, comparing different systems can be done here:

  https://mandoc.bsd.lv/cgi-bin/man.cgi/

That URI is quite ugly, i'll try to figure out whether i can move
that to simply man.bsd.lv.

> Ingo -- I think using man.openbsd.org as a "testbed for all possible
> man page hierarchies" is incorrect.

It was never a testbed, but a production service with several parts
provided nowhere else (well, at least until FreeBSD followed our
lead and started providing something very similar).

For example, for DragonFly, Illumos, and NetBSD, semantic searching
is neither supported by their native apropos(1) on the command line
nor by their own websites.

But since you have a point that such services hardly belong
on *.openbsd.org, they are now on *.bsd.lv, where misunderstandings
like the one witnessed above are unlikely to happen.

Yours,
  Ingo



groups new

2020-03-18 Thread Jan Prunk
0
C Slovenia
P SI
T Ljubljana
F Irregular
O BSD User Group Slovenia
I Jan Prunk
M b...@groups.io
U https://bsdug.wordpress.com
N *BSD



Re: Jitsi on OpenBSD

2020-03-18 Thread slackwaree
Although this is not the kind of response you are expecting... I have spent 
tremendous amount of time playing around with these voip hodge-podge softphones 
like Jitsi, Qualcom, Ekiga, Linphone etc etc. One is worse than the other, they 
are all full of bugs, their dev teams/community suck so before you would also 
waste a gigantic amount of time on ANY of these I recommend you that:

A, Get a commercial product like Bria
B, Get a hardware appliance

You can thank me later...


Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Monday, March 16, 2020 11:59 AM, Edd Barrett  wrote:

> Hi,
>
> (CC people who may be knowledgeable in this area)
>
> I was wondering if anyone has got the Jitsi (https://jitsi.org/)
> web-client working on OpenBSD?
>
> It's open-source (and self-hostable) video conferencing.
>
> No prizes for guessing why I'm investigating this :P
>
> I've just (quickly) tried the browser client in firefox:
>
> -   It recognises my microphone and my camera.
> -   Thumbnail shows local video feed OK.
> -   I can hear audio from an android participant.
> -   The android participant cannot hear the audio from the OpenBSD machine.
> -   The video is super-flaky on both ends.
>
> Did this, as per firefox README:
>
> -   I have sysctl kern.audio.record=1.
> -   I chowned /dev/video0 to me.
>
> This evening I'm going to have a deeper play around (e.g. verify if mic
> works in aucat), but if anyone has got this working before, I'd love to
> hear what tweaks they had to do.
>
> Could be that the jitsi server is overloaded.
>
> Thanks
>
> --
> Best Regards
> Edd Barrett
>
> http://www.theunixzoo.co.uk
>




Re: How to test for FORTIFY_SOURCE?

2020-03-18 Thread Stuart Henderson
On 2020/03/18 11:55, Jeffrey Walton wrote:
> On Wed, Mar 18, 2020 at 11:25 AM Andreas Kusalananda Kähäri
>  wrote:
> >
> > On Wed, Mar 18, 2020 at 10:59:21AM -0400, Jeffrey Walton wrote:
> > > On Wed, Mar 18, 2020 at 4:26 AM Stuart Henderson  
> > > wrote:
> > > >
> > > > On 2020-03-18, Jeffrey Walton  wrote:
> > > > > According to 
> > > > > https://man.openbsd.org/NetBSD-8.1/security.7#FORTIFY_SOURCE
> > > > > OpenBSD implements glibc bounds checking on certain functions. I am
> > > > > trying to detect FORTIFY_SOURCE without looking up operating system
> > > > > names and versions.
> > > >
> > > > That is a NetBSD manual page, it does not apply to OpenBSD.
> > >
> > > Thanks.
> > >
> > > I may be splitting hairs, but the page's title clearly says it is an
> > > OpenBSD man page.
> >
> > I have no real connection to the OpenBSD project other than being a long
> > time user, and I have an interest in documentation.
> >
> > At the top of the page, it says "OpenBSD manual page server",
> > i.e. it's a manual page server hosted by the OpenBSD project.  The
> > link that you mention contains the string "NetBSD-8.1" and the name
> > of the manual that you're looking at is "security — NetBSD security
> > features".  Also, "NetBSD-8.1" is repeated in the page footer and the
> > string "NetBSD" occurs many times throughout the page while "OpenBSD"
> > really only occurs once.
> 
> Hovering the mouse over the open tab says "security(7) - OpenBSD man
> pages". I double checked it when I saw the references to NetBSD.
> 
> Regarding the references to NetBSD, I thought your sed went sideways.
> I assumed OpenBSD and NetBSD were collaborating and shared code and
> docs in some places.
> 
> Figuring out why the sed was broken was not my task at hand. I was on
> the site to figure out why my test for FORTIFY_SOURCE was failing. The
> admins can figure out why the document conversion is not working when
> they notice it.
> 
> Jeff

Since OpenBSD does not have FORTIFY_SOURCE it is correct that your test
for it is failing on OpenBSD.



Re: How to test for FORTIFY_SOURCE?

2020-03-18 Thread Jeffrey Walton
On Wed, Mar 18, 2020 at 11:25 AM Andreas Kusalananda Kähäri
 wrote:
>
> On Wed, Mar 18, 2020 at 10:59:21AM -0400, Jeffrey Walton wrote:
> > On Wed, Mar 18, 2020 at 4:26 AM Stuart Henderson  
> > wrote:
> > >
> > > On 2020-03-18, Jeffrey Walton  wrote:
> > > > According to 
> > > > https://man.openbsd.org/NetBSD-8.1/security.7#FORTIFY_SOURCE
> > > > OpenBSD implements glibc bounds checking on certain functions. I am
> > > > trying to detect FORTIFY_SOURCE without looking up operating system
> > > > names and versions.
> > >
> > > That is a NetBSD manual page, it does not apply to OpenBSD.
> >
> > Thanks.
> >
> > I may be splitting hairs, but the page's title clearly says it is an
> > OpenBSD man page.
>
> I have no real connection to the OpenBSD project other than being a long
> time user, and I have an interest in documentation.
>
> At the top of the page it says "OpenBSD manual page server",
> i.e. it's a manual page server hosted by the OpenBSD project.  The
> link that you mention contains the string "NetBSD-8.1" and the name
> of the manual that you're looking at is "security — NetBSD security
> features".  Also, "NetBSD-8.1" is repeated in the page footer and the
> string "NetBSD" occurs many times throughout the page while "OpenBSD"
> really only occurs once.

Hovering the mouse over the open tab says "security(7) - OpenBSD man
pages". I double checked it when I saw the references to NetBSD.

Regarding the references to NetBSD, I thought your sed went sideways.
I assumed OpenBSD and NetBSD were collaborating and shared code and
docs in some places.

Figuring out why the sed was broken was not my task at hand. I was on
the site to figure out why my test for FORTIFY_SOURCE was failing. The
admins can figure out why the document conversion is not working when
they notice it.

Jeff



Re: Jitsi on OpenBSD

2020-03-18 Thread Edd Barrett
Hi all,

On Mon, Mar 16, 2020 at 02:08:10PM +0100, Alexandre Ratchov wrote:
> I haven't used jitsi yet, but other video-conferencing web sites
> properly work in firefox. Jitsi claim they support chrome only, but
> according to the settings window's microphone level meter, it's
> properly recording.

Just to update this thread.

I got jitsi working on my desktop machine using a USB headset, but
failed to get it working on my Thinkpad X1 5th gen (with either the
built-in mic, or using a headset in the audio jack).

On my desktop:

 - kern.audio.record=1

 - sndiod_flags="-f rsnd/0 -f rsnd/1" in rc.conf.local.
   (rsnd/1 is the headset)

 - then in your shell rc:
   "alias jitsi='AUDIODEVICE=snd/1 firefox -p jitsi https://meet.jit.si/'"

   Note it's snd/1 not rsnd/1 in the above.

I used a new firefox instance so that only calls go via the headset.

As for video, in firefox, other people can see my video stream, but I
don't see theirs.

If I try the same in chrome, I see other people's video, but they don't
see mine.

Another thing to note is that mouse-overing the firefox window causes
jitsi to fade in a toolbar. That animation causes the audio to skip. I
wish I could kill it!

Nonetheless, that's enough for simple audio calls.

-- 
Best Regards
Edd Barrett

http://www.theunixzoo.co.uk



Re: How to test for FORTIFY_SOURCE?

2020-03-18 Thread Andreas Kusalananda Kähäri
On Wed, Mar 18, 2020 at 10:59:21AM -0400, Jeffrey Walton wrote:
> On Wed, Mar 18, 2020 at 4:26 AM Stuart Henderson  wrote:
> >
> > On 2020-03-18, Jeffrey Walton  wrote:
> > > According to https://man.openbsd.org/NetBSD-8.1/security.7#FORTIFY_SOURCE
> > > OpenBSD implements glibc bounds checking on certain functions. I am
> > > trying to detect FORTIFY_SOURCE without looking up operating system
> > > names and versions.
> >
> > That is a NetBSD manual page, it does not apply to OpenBSD.
> 
> Thanks.
> 
> I may be splitting hairs, but the pages title clearly says it is an
> OpenBSD man page.

I have no real connection to the OpenBSD project other than being a long
time user, and I have an interest in documentation.

At the top of the page it says "OpenBSD manual page server",
i.e. it's a manual page server hosted by the OpenBSD project.  The
link that you mention contains the string "NetBSD-8.1" and the name
of the manual that you're looking at is "security — NetBSD security
features".  Also, "NetBSD-8.1" is repeated in the page footer and the
string "NetBSD" occurs many times throughout the page while "OpenBSD"
really only occurs once.

> 
> What is the purpose of supplying man pages for the wrong operating
> system? It wastes people's time and breaks search. This search does
> not produce expected results:
> https://www.google.com/search?q=FORTIFY_SOURCE+site%3Aopenbsd.org.
> 
> If you really want to confuse folks, maybe OpenBSD can supply Windows man 
> pages.
> 
> Jeff

It's debatable whether the manuals for systems other than OpenBSD should
be hosted at man.openbsd.org, but citing "confusion" is probably not a
reason to stop providing these.  If you want up-to-date manuals for the
system that you're using, I hope that you're using the man(1) command on
the command line and that you don't rely on the correctness of manuals
found on the web.

I don't think Windows has manuals in man or mandoc format that are free
to host.

-- 
Andreas (Kusalananda) Kähäri
SciLifeLab, NBIS, ICM
Uppsala University, Sweden




Re: How to test for FORTIFY_SOURCE?

2020-03-18 Thread Martijn van Duren
On 3/18/20 3:59 PM, Jeffrey Walton wrote:
> On Wed, Mar 18, 2020 at 4:26 AM Stuart Henderson  wrote:
>>
>> On 2020-03-18, Jeffrey Walton  wrote:
>>> According to https://man.openbsd.org/NetBSD-8.1/security.7#FORTIFY_SOURCE
>>> OpenBSD implements glibc bounds checking on certain functions. I am
>>> trying to detect FORTIFY_SOURCE without looking up operating system
>>> names and versions.
>>
>> That is a NetBSD manual page, it does not apply to OpenBSD.
> 
> Thanks.
> 
> I may be splitting hairs, but the pages title clearly says it is an
> OpenBSD man page.
> 
> What is the purpose of supplying man pages for the wrong operating
> system? It wastes people's time and breaks search. This search does
> not produce expected results:
> https://www.google.com/search?q=FORTIFY_SOURCE+site%3Aopenbsd.org.
> 
> If you really want to confuse folks, maybe OpenBSD can supply Windows man 
> pages.
> 
> Jeff
> 
What do you mean?
Do you mean "OpenBSD manual page server", which clearly states OpenBSD's
just the server?
From the NAME section: "security — NetBSD security features"
From the DESCRIPTION section: "NetBSD supports a variety of security
features"
From the footer: "May 21, 2016 NetBSD-8.1"

On the entire page OpenBSD is only mentioned once, NetBSD 16 times, not
including the drop down menu allowing you to select your operating
system + version of choice.

To me this feels similar to someone coming to the list and asking why
they can't find snmpctl on their OpenBSD 6.6 machine, because some
search engine sent them to a 6.5 or older page.



Re: How to test for FORTIFY_SOURCE?

2020-03-18 Thread Theo de Raadt
Jeffrey Walton  wrote:

> On Wed, Mar 18, 2020 at 4:26 AM Stuart Henderson  wrote:
> >
> > On 2020-03-18, Jeffrey Walton  wrote:
> > > According to https://man.openbsd.org/NetBSD-8.1/security.7#FORTIFY_SOURCE
> > > OpenBSD implements glibc bounds checking on certain functions. I am
> > > trying to detect FORTIFY_SOURCE without looking up operating system
> > > names and versions.
> >
> > That is a NetBSD manual page, it does not apply to OpenBSD.
> 
> Thanks.
> 
> I may be splitting hairs, but the pages title clearly says it is an
> OpenBSD man page.
> 
> What is the purpose of supplying man pages for the wrong operating
> system? It wastes people's time and breaks search. This search does
> not produce expected results:
> https://www.google.com/search?q=FORTIFY_SOURCE+site%3Aopenbsd.org.
> 
> If you really want to confuse folks, maybe OpenBSD can supply Windows man 
> pages.

I'm going to stand up and agree.

Ingo -- I think using man.openbsd.org as a "testbed for all possible man
page hierarchies" is incorrect.



Re: How to test for FORTIFY_SOURCE?

2020-03-18 Thread Jeffrey Walton
On Wed, Mar 18, 2020 at 4:26 AM Stuart Henderson  wrote:
>
> On 2020-03-18, Jeffrey Walton  wrote:
> > According to https://man.openbsd.org/NetBSD-8.1/security.7#FORTIFY_SOURCE
> > OpenBSD implements glibc bounds checking on certain functions. I am
> > trying to detect FORTIFY_SOURCE without looking up operating system
> > names and versions.
>
> That is a NetBSD manual page, it does not apply to OpenBSD.

Thanks.

I may be splitting hairs, but the pages title clearly says it is an
OpenBSD man page.

What is the purpose of supplying man pages for the wrong operating
system? It wastes people's time and breaks search. This search does
not produce expected results:
https://www.google.com/search?q=FORTIFY_SOURCE+site%3Aopenbsd.org.

If you really want to confuse folks, maybe OpenBSD can supply Windows man pages.

Jeff



Re: Hosting a CDN question

2020-03-18 Thread Stuart Henderson
On 2020/03/19 00:55, tom ryan wrote:
> On 2020-03-18 19:42, Stuart Henderson wrote:
> > On 2020-03-17, Flipchan  wrote:
> >> Yeah the point with a cdn is to lower the latency of it, so therefore
> >> what is needed is not only a fast http server but a traffic
> >> redirector depending on the end user's origin
> > 
> > Doing this via redirects does not lower latency, it increases it.
> > 
> > It may reduce overall time to fetch objects if they are large enough
> > that faster transfers speed things up enough to offset the higher
> > latency from connecting to one server, requesting, being redirected,
> > connecting to the second server, requesting, receiving content.
> 
> This is equally true if there are many objects to fetch, especially if
> they aren't all fetched at once - they don't need to be large for the
> magic to help.

It's faster than a cold connection, but "request from A, wait for reply,
see that it's a redirect, request from B, wait for reply" is always going
to be higher latency before starting to receive the requested object
directly from B.

> > To reduce latency you need another way to direct users to a nearby
> > server without doing redirects. Usually either geolocation-aware DNS
> > that hands out an IP address close to the user's DNS resolver (this
> > can have problems if the user uses a non-local resolver as is the case
> > with some DNS privacy services, but is not usually too bad - look at
> > the geoip flavour of the isc-bind port, or gdnsd), or BGP anycast with
> > connections to other networks around the world (as well as BGP skills,
> > you need an AS number, at least a /24 of address space that you can use
> > for this purpose, and hosting providers that will allow you to make BGP
> > announcements).
> 
> I've never used this, but it definitely attempts to solve these issues:
> https://trafficcontrol.apache.org/
> 
> IIRC it was developed at Comcast for VOD (ie many large objects), and is
> built around Apache Traffic Server (ex Yahoo)
> 
> It uses DNS to get as close as it can, then 302s the first HTTP request
> based on source IP



> > Alternatively the pages pulling in the content can do a dynamic
> > lookup and use a local-to-the-user hostname when referencing
> > the objects (

Re: Hosting a CDN question

2020-03-18 Thread tom ryan
On 2020-03-18 19:42, Stuart Henderson wrote:
> On 2020-03-17, Flipchan  wrote:
>> Yeah the point with a cdn is to lower the latency of it, so therefore
>> what is needed is not only a fast http server but a traffic redirector
>> depending on the end user's origin
> 
> Doing this via redirects does not lower latency, it increases it.
> 
> It may reduce overall time to fetch objects if they are large enough
> that faster transfers speed things up enough to offset the higher
> latency from connecting to one server, requesting, being redirected,
> connecting to the second server, requesting, receiving content.

This is equally true if there are many objects to fetch, especially if
they aren't all fetched at once - they don't need to be large for the
magic to help.

> To reduce latency you need another way to direct users to a nearby
> server without doing redirects. Usually either geolocation-aware DNS
> that hands out an IP address close to the user's DNS resolver (this
> can have problems if the user uses a non-local resolver as is the case
> with some DNS privacy services, but is not usually too bad - look at
> the geoip flavour of the isc-bind port, or gdnsd), or BGP anycast with
> connections to other networks around the world (as well as BGP skills,
> you need an AS number, at least a /24 of address space that you can use
> for this purpose, and hosting providers that will allow you to make BGP
> announcements).

I've never used this, but it definitely attempts to solve these issues:
https://trafficcontrol.apache.org/

IIRC it was developed at Comcast for VOD (ie many large objects), and is
built around Apache Traffic Server (ex Yahoo)

It uses DNS to get as close as it can, then 302s the first HTTP request
based on source IP

> Alternatively the pages pulling in the content can do a dynamic
> lookup and use a local-to-the-user hostname when referencing
> the objects (

Re: Hosting a CDN question

2020-03-18 Thread Stuart Henderson
On 2020-03-17, Flipchan  wrote:
> Yeah the point with a cdn is to lower the latency of it, so therefore
> what is needed is not only a fast http server but a traffic redirector
> depending on the end user's origin

Doing this via redirects does not lower latency, it increases it.

It may reduce overall time to fetch objects if they are large enough
that faster transfers speed things up enough to offset the higher
latency from connecting to one server, requesting, being redirected,
connecting to the second server, requesting, receiving content.

To reduce latency you need another way to direct users to a nearby
server without doing redirects. Usually either geolocation-aware DNS
that hands out an IP address close to the user's DNS resolver (this
can have problems if the user uses a non-local resolver as is the case
with some DNS privacy services, but is not usually too bad - look at
the geoip flavour of the isc-bind port, or gdnsd), or BGP anycast with
connections to other networks around the world (as well as BGP skills,
you need an AS number, at least a /24 of address space that you can use
for this purpose, and hosting providers that will allow you to make BGP
announcements).

Alternatively the pages pulling in the content can do a dynamic
lookup and use a local-to-the-user hostname when referencing
the objects (

Re: How to test for FORTIFY_SOURCE?

2020-03-18 Thread Stuart Henderson
On 2020-03-18, Jeffrey Walton  wrote:
> According to https://man.openbsd.org/NetBSD-8.1/security.7#FORTIFY_SOURCE
> OpenBSD implements glibc bounds checking on certain functions. I am
> trying to detect FORTIFY_SOURCE without looking up operating system
> names and versions.

That is a NetBSD manual page, it does not apply to OpenBSD.
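A configure-style probe for the detection the original question asks about, added here as an example and not part of the thread: it compiles a tiny program with -O2 -D_FORTIFY_SOURCE=2 and looks in the object for the __memcpy_chk reference that a fortifying libc (glibc) emits, so no OS name or version is consulted and OpenBSD simply answers "no". It assumes cc (or $CC) and nm are in PATH; the probe source (buf, fill) is constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Feature-test for FORTIFY_SOURCE the
# way a configure script would: no uname, no version strings. A libc that
# implements _FORTIFY_SOURCE (glibc, and libcs that copied the scheme)
# turns memcpy() into a call to __memcpy_chk when the destination size is
# known at compile time; a libc without it (OpenBSD's, for one) leaves the
# plain memcpy call. We compile such a call and inspect the symbols.
# Assumptions: cc (or $CC) and nm are in PATH; mktemp can make a directory.

detect_fortify() {
    tmp=$(mktemp -d 2>/dev/null) || { echo unknown; return 0; }
    # Constructed probe: destination size known (16), length unknown,
    # which is exactly the case a fortifying libc rewrites.
    cat > "$tmp/probe.c" <<'EOF'
#include <string.h>
char buf[16];
void fill(const char *src, unsigned long n) { memcpy(buf, src, n); }
EOF
    # -O2 matters: glibc disables fortification entirely without optimisation.
    if ! ${CC:-cc} -O2 -D_FORTIFY_SOURCE=2 -c "$tmp/probe.c" \
            -o "$tmp/probe.o" >/dev/null 2>&1; then
        rm -rf "$tmp"
        echo unknown          # no compiler, or the probe did not build
        return 0
    fi
    if nm "$tmp/probe.o" 2>/dev/null | grep -q '__memcpy_chk'; then
        result=yes            # fortified wrapper is referenced
    else
        result=no             # plain memcpy: no FORTIFY_SOURCE here
    fi
    rm -rf "$tmp"
    echo "$result"
}

# Stand-alone use: print the verdict so a build script can branch on it.
echo "FORTIFY_SOURCE detected: $(detect_fortify)"
```

The verdict says only whether this toolchain and libc fortify the call; it says nothing about the other mitigations an OS may have instead.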



Re: Restart single iked connections

2020-03-18 Thread Tobias Heider
I sent a diff to tech@ that should solve your problem:
https://marc.info/?l=openbsd-tech&m=158447623916319&w=2

On Sun, Jan 26, 2020 at 04:12:00PM +, Peter Müller wrote:
> Hello openbsd-misc,
> 
> I am strongly interested in this, too.
> 
> Since the iked manpage does not mention this, I suppose it is not possible.
> In combination with ifstated, however, this might result in a DoS scenario
> if one peer becomes unreachable - on purpose or by chance - and any other
> IPsec connections break down due to an iked restart, as Stephan already 
> pointed
> out.
> 
> So any advice on this is appreciated a lot. :-)
> 
> Thanks, and best regards,
> Peter Müller
> 
> 
> > Hi *,
> > 
> > I am in a situation where I've got hosts that handle IPsec connection
> > with multiple endpoints.
> > 
> > So I've wondered if it was possible to restart single connections
> > without rebuilding the rest of the connections.
> > For example Machine A has a tunnel to machine B and machine C.
> > The Tunnel to C is up and running as intended  but the tunnel to B is
> > broken (icmp echos don't return -> for example). How do I rebuild the 
> > tunnel to B
> > without restarting iked for all connections and interrupting my tunnel to
> > C?
> > 
> > Thank you for your time.
> > 
> > g Stephan
> > 
>