(bug?) relayd forward to directives interfering

[Vladimir Nikishkin]

Hello, everyon

I have a super simple (sanitised) relayd.conf

```
$ext_ip = 192.168.1.1
table   { 127.0.0.1 }
table  { 127.0.0.1 }

http protocol "p-https" {
tls session tickets
tls keypair domain.example
tls ca file "/etc/ssl/cert.pem"
http websockets
tcp { nodelay, sack, socket buffer 65536, backlog 100 }
return error
block
pass request path log "/http*"  forward to 
pass request path log "/https*" forward to 
pass response
}


relay "tlsforward" {
listen on $ext_ip port 443 tls
protocol "p-https"
forward to  port 81
forward with tls to  port 82
}
```

The the problem is with the second-to-last line.

If I remove "with tls",
then requests to 82 are forwarded unencrypted, and curl test reports
`curl: (52) Empty reply from server`. 

However, if I keep "with tls", the requests to port 81 are going
encrypted, and are failing with the following message in relayd logs:
`SSL routines:ST_CONNECT:tlsv1 alert protocol version`,
`TLS handshake error: handshake failed:`.

There should not be any TLS handshakes at port 81, because the backend
at port 81 is http-only.

Could someone verify that this is the case?
Is there anything I am missing here?

-- 
Your sincerely,
Vladimir Nikishkin (MiEr, lockywolf)
(Laptop)

Re: Transferring ownership of SSH connection from process A to B, letting A quit nicely?

[mid]

On Monday, August 9th, 2021 at 5:36 AM, Philip Guenther  
wrote:

> If you're 100% sure you have it right, then it should be easy to provide a
> program that demonstrates
> 1.  passing an fd between processes
> 2.  using it successfully in the receiving process
> 3.  the sending process exiting
> 4.  attempts to us it failing the receiving process

Not 100%, but I'm out of ideas, so here goes nothing.

client.c (process A):

#include
#include
#include
#include
#include

int sendfd(int sock, int fd) {
  struct msghdr msg;
  struct iovec iov[1];
  struct cmsghdr *cmsg = NULL;
  char ctrl_buf[CMSG_SPACE(sizeof(int))];
  char data[1];

  memset(&msg, 0, sizeof(struct msghdr));
  memset(ctrl_buf, 0, CMSG_SPACE(sizeof(int)));

  data[0] = ' ';
  iov[0].iov_base = data;
  iov[0].iov_len = sizeof(data);

  msg.msg_name = NULL;
  msg.msg_namelen = 0;
  msg.msg_iov = iov;
  msg.msg_iovlen = 1;
  msg.msg_controllen = CMSG_SPACE(sizeof(int));
  msg.msg_control = ctrl_buf;

  cmsg = CMSG_FIRSTHDR(&msg);
  cmsg->cmsg_level = SOL_SOCKET;
  cmsg->cmsg_type = SCM_RIGHTS;
  cmsg->cmsg_len = CMSG_LEN(sizeof(int));

  *((int*) CMSG_DATA(cmsg)) = fd;

  return sendmsg(sock, &msg, 0);
}

int main(int argc, char **argv) {
  int c = socket(AF_UNIX, SOCK_STREAM, 0);
  assert(c != -1);

  struct sockaddr_un a;
  a.sun_family = AF_UNIX;
  strcpy(a.sun_path, "/service/sock");

  assert(connect(c, (struct sockaddr*) &a, sizeof(a)) != -1);

  sendfd(c, 0);
  sendfd(c, 1);

  close(c);

  /* The SSH conn should stay after returning, but it doesn't. */
}

server.c (process B):

#include
#include
#include
#include
#include
#include
#include

int recvfd(int socket) {
  int len;
  int fd;
  char buf[1];
  struct iovec iov;
  struct msghdr msg;
  struct cmsghdr *cmsg;
  char cms[CMSG_SPACE(sizeof(int))];

  iov.iov_base = buf;
  iov.iov_len = sizeof(buf);

  msg.msg_name = 0;
  msg.msg_namelen = 0;
  msg.msg_iov = &iov;
  msg.msg_iovlen = 1;
  msg.msg_flags = 0;
  msg.msg_control = (caddr_t) cms;
  msg.msg_controllen = sizeof(cms);

  len = recvmsg(socket, &msg, 0);

  if(len <= 0) {
return -1;
  }

  cmsg = CMSG_FIRSTHDR(&msg);
  memmove(&fd, CMSG_DATA(cmsg), sizeof(int));

  return fd;
}

int main(int argc, char **argv) {
  unlink("/service/sock");

  int s = socket(AF_UNIX, SOCK_STREAM, 0);
  assert(s != -1);

  struct sockaddr_un a;
  a.sun_family = AF_UNIX;
  strcpy(a.sun_path, "/service/sock");
  assert(bind(s, (struct sockaddr*) &a, sizeof(a)) != -1);

  assert(chmod("/service/sock", 0777) != -1); /* Quick workaround. */

  assert(listen(s, 20) != -1);

  while(1) {
puts("Waiting..");

int c = accept(s, NULL, NULL);
assert(c != -1);

puts("Accepted");

int in = recvfd(c);
int out = recvfd(c);

printf("Received: in=%i out=%i\n", in, out);

char *outstr = "Hello from the Server\n";
assert(write(out, outstr, strlen(outstr)) != -1);

assert(close(c) != -1);

/* Intentionally leaking SSH FDs */
  }
}

Compiled with:
  cc -std=c99 -o server server.c
  cc -std=c99 -o client client.c

`client` is also the shell of the user, but the results are the same if
I call it from within a "real" shell, too.

The server receives the correct FDs, and prints
"Hello from the Server\n" correctly, too. But as soon as `client`
exits, the SSH connection goes with it, instead of staying (as in,
I get "Connection to localhost closed").

Re: ssh authlog: Failed none for invalid user

[Jordan Geoghegan]

On 8/10/21 1:30 AM, Darren Tucker wrote:
> On Tue, 10 Aug 2021 at 09:06, Jordan Geoghegan  > wrote:
>
> Hello,
>
> I was hoping somebody could set me straight here. On one of my machines I 
> have a number of entries in my /var/log/authlog file that look like this:
>
>     Failed none for invalid user admin from 14.239.50.255 port 51796
>
> The machine has been being hammered with SSH bruteforce attempts and I 
> noticed that "Failed none" entry popping up frequently.
>
> What exactly does "Failed none" mean here in this in this context?
>
>
> It's the attempted authentication method, and it's normal behaviour.
>
> The SSH protocol has a number of authentication methods, for example 
> "password" and "publickey".    The client sends a message that says "I'd like 
> to authenticate via password using the password 'hunter2'" and the server 
> replies with either "yes that worked", or "nope" and a list of authentication 
> methods that it might accept.  Publickey authentication has a couple of extra 
> steps but works in a similar way.
>
> The protocol also specifies a "none" [0] authentication method, which will 
> succeed if the server requires no further authentication (eg in OpenSSH, if 
> PermitEmptyPassword is set and the account does not have a password).  Many 
> SSH clients including OpenSSH's start by asking for "none" authentication 
> then, if that doesn't work, use the list of possible authentication methods 
> to decide what to do next.  This is what you're seeing.
>
> When I last looked, the bulk of the password guessing bots just sent a single 
> "password" auth method and if it doesn't work, disconnect.  Apparently the 
> bots you're seeing behave a bit more like other clients.
>
> [0] https://datatracker.ietf.org/doc/html/rfc4252#section-5.2 
> 
>
> -- 
> Darren Tucker (dtucker at dtucker.net )
> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

Hi Darren,

Thank you for that excellent, detailed answer - much appreciated!

Regards,

Jordan

Re: SHA256 FAIL for miniroot69.img on ftp2.eu.openbsd.org

[Mihai Popescu]

It's snapshots/amd64

Re: SHA256 FAIL for miniroot69.img on ftp2.eu.openbsd.org

[Theo de Raadt]

Stuart Henderson  wrote:

> I think it's most likely just that the mirror updated at an inconvenient
> time, it happens fairly often with snapshots.

I could slow down the pace of snapshot building.

Like How about every two weeks?

/sarc

Re: SHA256 FAIL for miniroot69.img on ftp2.eu.openbsd.org

[Stuart Henderson]

On 2021-08-10, Mihai Popescu  wrote:
> I did some download from [1] and the SHA256 for miniroot69.img is FAIL.
> The files with _obsd trails are from [2] and they are verified OK.
> Build date: 1628609840 - Tue Aug 10 15:37:20 UTC 2021
>
> [1] https://ftp2.eu.openbsd.org/
> [2] https://ftp.openbsd.org/pub/OpenBSD/

Would be helpful to say which directory so we don't need to guess
between 6.9/snapshots and which arch.

> $ sha256 -C SHA256 miniroot69.img
> (SHA256) miniroot69.img: FAILED
> c$ signify -Cp /etc/signify/openbsd-69-base.pub -x SHA256.sig
> miniroot69.img
> Signature Verified
> miniroot69.img: FAIL
>
> $ cmp SHA256_obsd SHA256
>
> $ cmp SHA256_obsd.sig  SHA256.sig
> $ cmp miniroot69_obsd.img miniroot69.img
>
> miniroot69_obsd.img miniroot69.img differ: char 32808, line 6
> $ diff SHA256_obsd SHA256
> $ diff SHA256_obsd.sig  SHA256.sig
> $ diff miniroot69_obsd.img miniroot69.img
> Binary files miniroot69_obsd.img and miniroot69.img differ
>
> Tried other parameters for cmp and diff, but the list is huge for the first.
> $ cmp -l miniroot69_obsd.img miniroot69.img
>  32808  11 374
>  32809  21  34
>  32810 146 252
>  32811 357 267
>  33306 100  40
>  33308   0  23
>  33309 360 100
>  33310 377   1
>  33311  25 377
>  33312 140  17
>  33313   1   0
>  33314  27   0
>  33315 200   0
>  33316   1   0
>  33317  31   0
>  33318 240   0
>  33319   1   0
>  33320  33   0
>  33321 300   0
>  33322   1   0
>  33323  35 377
>  33324 340  17
> [ more displayed, output cut ]
>
> If somebody else can test this, please.
>
> Thanks.
>

You don't show the actual hash so it may have changed since you fetched,
but currently if I fetch snapshots/amd64/miniroot69.img from ftp2.eu 
the hash doesn't match the SHA256 file in that directory, but it does match
the SHA256 file that I fetched on my local mirror earlier today.

I think it's most likely just that the mirror updated at an inconvenient
time, it happens fairly often with snapshots.

-- 
Please keep replies on the mailing list.

SHA256 FAIL for miniroot69.img on ftp2.eu.openbsd.org

[Mihai Popescu]

I did some download from [1] and the SHA256 for miniroot69.img is FAIL.
The files with _obsd trails are from [2] and they are verified OK.
Build date: 1628609840 - Tue Aug 10 15:37:20 UTC 2021

[1] https://ftp2.eu.openbsd.org/
[2] https://ftp.openbsd.org/pub/OpenBSD/

$ sha256 -C SHA256 miniroot69.img
(SHA256) miniroot69.img: FAILED
c$ signify -Cp /etc/signify/openbsd-69-base.pub -x SHA256.sig
miniroot69.img
Signature Verified
miniroot69.img: FAIL

$ cmp SHA256_obsd SHA256

$ cmp SHA256_obsd.sig  SHA256.sig
$ cmp miniroot69_obsd.img miniroot69.img

miniroot69_obsd.img miniroot69.img differ: char 32808, line 6
$ diff SHA256_obsd SHA256
$ diff SHA256_obsd.sig  SHA256.sig
$ diff miniroot69_obsd.img miniroot69.img
Binary files miniroot69_obsd.img and miniroot69.img differ

Tried other parameters for cmp and diff, but the list is huge for the first.
$ cmp -l miniroot69_obsd.img miniroot69.img
 32808  11 374
 32809  21  34
 32810 146 252
 32811 357 267
 33306 100  40
 33308   0  23
 33309 360 100
 33310 377   1
 33311  25 377
 33312 140  17
 33313   1   0
 33314  27   0
 33315 200   0
 33316   1   0
 33317  31   0
 33318 240   0
 33319   1   0
 33320  33   0
 33321 300   0
 33322   1   0
 33323  35 377
 33324 340  17
[ more displayed, output cut ]

If somebody else can test this, please.

Thanks.

Re: smtpd only Mail Server

[latincom]

> On Tue, 2021-08-10 at 04:32 -0700, latin...@vcn.bc.ca wrote:
>> > On Aug 10 01:52:57, latin...@vcn.bc.ca wrote:
>> > > > - smtpd had its first commit in 2008 and back then was far from
>> > > >   production ready: So are you using base smtpd, or sendmail, or
>> > > >   something else?
>> > >
>> > > Yes, 2000 it was sendmail, nginx, apache, smtpd if i remember
>> correctly;
>> > > but my question is:
>> > >
>> > > "Could someone please point me to specific openbsd place to look for
>> > > it?"
>> >
>> > To look for what? smtpd documentation? man smtpd, man spmtpd.conf,
>> > there's a dkim example right there.
>>
>> Jay in this case it looks out of context, because it is a question after
>> the explanation! Look for understandable (my level) information related
>> to
>> dkim, dmarc, and spf! My field is agriculture!
>>
>> >
>> > > > - I assume it's related to outbound mail, but even that is not
>> > > >   completely clear to me.
>> > >
>> > > No, it is the complete behaviour of dkim, dmarc, and spf. i got 0/10
>> at
>> > > this page: https://www.mail-tester.com/ and yes, i can receive
>> mail, but
>> > > mine is considered spam!
>> >
>> > The fact that and arbitrary third site "tester" gives you this score
>> > or another can mean a lot of things. Nobody has seen your DNS or a
>> > single line of your conig yet, so it's hard to help you really.
>> >
>>
>> Well, i never said that it is the last word! I am asking for clear
>> information for dkim, dmarc, spf, and now dkimproxy and anything related
>> to send mail correctly; where correctly means "NO qualify my mail as
>> spam"
>>
>> > > > - Did you just put a dkim txt record in DNS without any additional
>> > > >   configuration on your mailserver?
>> > >
>> > > ok: i have 2 servers: 1. managed by nsd, which obtained 9.7/10 at
>> the
>> > > same
>> > > web page, not a problem; 2. vultr managed by their dns app, here i
>> am
>> > > not
>> > > able to make it work correctly. What should be the additional
>> > > configuration on the mail server please?
>> >
>> > What mail server?
>> > What "additional" configuration?
>>
>> This server:
>> > > > - Did you just put a dkim txt record in DNS without any additional
>> > > >   configuration on your mailserver?
>>
>> >
>> > If you want help with a mail config,
>> > you need to show your mail config.
>> >
>>
>> No problem:
>> I am used to use only the base system.
>>
>> #       $OpenBSD: smtpd.conf,v 1.14 2019/11/26 20:14:38 gilles
>> Exp $
>>
>> # This is the smtpd server system-wide configuration file.
>> # See smtpd.conf(5) for more information.
>>
>> table aliases file:/etc/mail/aliases
>>
>> listen on socket
>>
>> # To accept external mail, replace with: listen on all
>> #
>> listen on all filter "dkimsign"
>>
>> action "local_mail" mbox alias 
>> action "outbound" relay
>>
>> # Uncomment the following to accept external mail for domain
>> "example.org"
>> #
>> # match from any for domain "example.org" action "local_mail"
>> match from any for domain "agroena.org" action "local_mail"
>> match from local for local action "local_mail"
>> match from local for any action "outbound"
>>
>> # dkim
>> filter "dkimsign" proc-exec "filter-dkimsign -d agroena.org -s s1 -k
>> /etc/mail/dkim/private.key" user _dkimsign group _dkimsign
>>
>>
> So assuming that you actually installed opensmtpd-filter-dkimsign and
> everything starts okay, you haven't put the public key in the DNS like
> you claimed in your original e-mail.
> $ dig +short txt s1._domainkey.agroena.org
> $
>

I am not sure if it is a problem, but the selector is: mail.

$ dig +short txt mail._domainkey.agroena.org
"k=rsa; t=s; h=sha256;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOGOPbZVPidt2KCGqb38+OOD/cIZZnkpMY67oUPAfjVzP7vjJnxeTUOYtuQPTYv3whE6dwRSDwdw96DELKTjbaJ8DMEDFxbeqZxFl4EivuxuIwRSJVZQ36ed+TnfrPxLQowcno3kIh9je3t2VQ7GfD4WJfPD2GzfVljcTmJP3gNQIDAQAB"

Re: OpenCV on 6.9 can't open camera

[Jeff Ross]

On 8/10/21 6:22 AM, Karsten Pedersen wrote:

I'd appreciate anyone's thoughts on fixing this!

Not sure if this is a solution for you (unless you want to faff
with creating some minimal Python bindings) but I hacked at the OpenBSD
/usr/X11R6/bin/video source code to create a quick standalone C API
to be used as a library.

Yes, it is probably not so portable as OpenCV but it is much lighter
in terms of dependencies.

openbsd_cam.h [https://pastebin.com/1rDpFMR4]
openbsd_cam.c [https://pastebin.com/kuv3KhCX]

(Original program: https://cvsweb.openbsd.org/xenocara/app/video/video.c)

I also chucked in some decoding so it basically provides you now with
an array of bytes referring to RGB pixels.

Best regards,

Karsten


Hi Karsten,

Thanks for the reply.  This looks like an interesting project but I 
think adapting it to my needs is going to be way above my pay grade!


Jeff

Re: OpenCV on 6.9 can't open camera

[Jeff Ross]

On 8/10/21 1:14 AM, Kevin Lo wrote:

On Mon, Aug 09, 2021 at 11:56:36AM -0600, Jeff Ross wrote:

Hi,

OpenCV (installed from the package) doesn't seem to be able to open the
camera. The camera (in this case for testing a Logitech C910) can be
accessed no problem with ffplay, fswebcam and video(1).?? I also opened the
kern sysctls for both audio and video and chowned /dev/video to my user.


I'd appreciate anyone's thoughts on fixing this!

Hi, I encountered the same problem.  Just committed a fix:
https://marc.info/?l=openbsd-ports-cvs&m=162857744213080&w=2


Jeff Ross

Kevin


Thanks Kevin!  I'm building the new 4.5.2 version now.

Jeff

Re: smtpd only Mail Server

[Martijn van Duren]

On Tue, 2021-08-10 at 04:32 -0700, latin...@vcn.bc.ca wrote:
> > On Aug 10 01:52:57, latin...@vcn.bc.ca wrote:
> > > > - smtpd had its first commit in 2008 and back then was far from
> > > >   production ready: So are you using base smtpd, or sendmail, or
> > > >   something else?
> > > 
> > > Yes, 2000 it was sendmail, nginx, apache, smtpd if i remember correctly;
> > > but my question is:
> > > 
> > > "Could someone please point me to specific openbsd place to look for
> > > it?"
> > 
> > To look for what? smtpd documentation? man smtpd, man spmtpd.conf,
> > there's a dkim example right there.
> 
> Jay in this case it looks out of context, because it is a question after
> the explanation! Look for understandable (my level) information related to
> dkim, dmarc, and spf! My field is agriculture!
> 
> > 
> > > > - I assume it's related to outbound mail, but even that is not
> > > >   completely clear to me.
> > > 
> > > No, it is the complete behaviour of dkim, dmarc, and spf. i got 0/10 at
> > > this page: https://www.mail-tester.com/ and yes, i can receive mail, but
> > > mine is considered spam!
> > 
> > The fact that and arbitrary third site "tester" gives you this score
> > or another can mean a lot of things. Nobody has seen your DNS or a
> > single line of your conig yet, so it's hard to help you really.
> > 
> 
> Well, i never said that it is the last word! I am asking for clear
> information for dkim, dmarc, spf, and now dkimproxy and anything related
> to send mail correctly; where correctly means "NO qualify my mail as spam"
> 
> > > > - Did you just put a dkim txt record in DNS without any additional
> > > >   configuration on your mailserver?
> > > 
> > > ok: i have 2 servers: 1. managed by nsd, which obtained 9.7/10 at the
> > > same
> > > web page, not a problem; 2. vultr managed by their dns app, here i am
> > > not
> > > able to make it work correctly. What should be the additional
> > > configuration on the mail server please?
> > 
> > What mail server?
> > What "additional" configuration?
> 
> This server:
> > > > - Did you just put a dkim txt record in DNS without any additional
> > > >   configuration on your mailserver?
> 
> > 
> > If you want help with a mail config,
> > you need to show your mail config.
> > 
> 
> No problem:
> I am used to use only the base system.
> 
> #   $OpenBSD: smtpd.conf,v 1.14 2019/11/26 20:14:38 gilles Exp $
> 
> # This is the smtpd server system-wide configuration file.
> # See smtpd.conf(5) for more information.
> 
> table aliases file:/etc/mail/aliases
> 
> listen on socket
> 
> # To accept external mail, replace with: listen on all
> #
> listen on all filter "dkimsign"
> 
> action "local_mail" mbox alias 
> action "outbound" relay
> 
> # Uncomment the following to accept external mail for domain "example.org"
> #
> # match from any for domain "example.org" action "local_mail"
> match from any for domain "agroena.org" action "local_mail"
> match from local for local action "local_mail"
> match from local for any action "outbound"
> 
> # dkim
> filter "dkimsign" proc-exec "filter-dkimsign -d agroena.org -s s1 -k
> /etc/mail/dkim/private.key" user _dkimsign group _dkimsign
> 
> 
So assuming that you actually installed opensmtpd-filter-dkimsign and
everything starts okay, you haven't put the public key in the DNS like
you claimed in your original e-mail.
$ dig +short txt s1._domainkey.agroena.org
$

Re: OpenCV on 6.9 can't open camera

[Karsten Pedersen]

> I'd appreciate anyone's thoughts on fixing this!

Not sure if this is a solution for you (unless you want to faff
with creating some minimal Python bindings) but I hacked at the OpenBSD
/usr/X11R6/bin/video source code to create a quick standalone C API
to be used as a library.

Yes, it is probably not so portable as OpenCV but it is much lighter
in terms of dependencies.

openbsd_cam.h [https://pastebin.com/1rDpFMR4]
openbsd_cam.c [https://pastebin.com/kuv3KhCX]

(Original program: https://cvsweb.openbsd.org/xenocara/app/video/video.c)

I also chucked in some decoding so it basically provides you now with
an array of bytes referring to RGB pixels.

Best regards,

Karsten

Re: smtpd only Mail Server

[latincom]

> On Aug 10 01:52:57, latin...@vcn.bc.ca wrote:
>> > - smtpd had its first commit in 2008 and back then was far from
>> >   production ready: So are you using base smtpd, or sendmail, or
>> >   something else?
>>
>> Yes, 2000 it was sendmail, nginx, apache, smtpd if i remember correctly;
>> but my question is:
>>
>> "Could someone please point me to specific openbsd place to look for
>> it?"
>
> To look for what? smtpd documentation? man smtpd, man spmtpd.conf,
> there's a dkim example right there.

Jay in this case it looks out of context, because it is a question after
the explanation! Look for understandable (my level) information related to
dkim, dmarc, and spf! My field is agriculture!

>
>> > - I assume it's related to outbound mail, but even that is not
>> >   completely clear to me.
>>
>> No, it is the complete behaviour of dkim, dmarc, and spf. i got 0/10 at
>> this page: https://www.mail-tester.com/ and yes, i can receive mail, but
>> mine is considered spam!
>
> The fact that and arbitrary third site "tester" gives you this score
> or another can mean a lot of things. Nobody has seen your DNS or a
> single line of your conig yet, so it's hard to help you really.
>

Well, i never said that it is the last word! I am asking for clear
information for dkim, dmarc, spf, and now dkimproxy and anything related
to send mail correctly; where correctly means "NO qualify my mail as spam"

>> > - Did you just put a dkim txt record in DNS without any additional
>> >   configuration on your mailserver?
>>
>> ok: i have 2 servers: 1. managed by nsd, which obtained 9.7/10 at the
>> same
>> web page, not a problem; 2. vultr managed by their dns app, here i am
>> not
>> able to make it work correctly. What should be the additional
>> configuration on the mail server please?
>
> What mail server?
> What "additional" configuration?

This server:
>> > - Did you just put a dkim txt record in DNS without any additional
>> >   configuration on your mailserver?

>
> If you want help with a mail config,
> you need to show your mail config.
>

No problem:
I am used to use only the base system.

#   $OpenBSD: smtpd.conf,v 1.14 2019/11/26 20:14:38 gilles Exp $

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

table aliases file:/etc/mail/aliases

listen on socket

# To accept external mail, replace with: listen on all
#
listen on all filter "dkimsign"

action "local_mail" mbox alias 
action "outbound" relay

# Uncomment the following to accept external mail for domain "example.org"
#
# match from any for domain "example.org" action "local_mail"
match from any for domain "agroena.org" action "local_mail"
match from local for local action "local_mail"
match from local for any action "outbound"

# dkim
filter "dkimsign" proc-exec "filter-dkimsign -d agroena.org -s s1 -k
/etc/mail/dkim/private.key" user _dkimsign group _dkimsign

Re: smtpd only Mail Server

[Jan Stary]

On Aug 10 01:52:57, latin...@vcn.bc.ca wrote:
> > - smtpd had its first commit in 2008 and back then was far from
> >   production ready: So are you using base smtpd, or sendmail, or
> >   something else?
> 
> Yes, 2000 it was sendmail, nginx, apache, smtpd if i remember correctly;
> but my question is:
> 
> "Could someone please point me to specific openbsd place to look for it?"

To look for what? smtpd documentation? man smtpd, man spmtpd.conf,
there's a dkim example right there.

> > - I assume it's related to outbound mail, but even that is not
> >   completely clear to me.
> 
> No, it is the complete behaviour of dkim, dmarc, and spf. i got 0/10 at
> this page: https://www.mail-tester.com/ and yes, i can receive mail, but
> mine is considered spam!

The fact that and arbitrary third site "tester" gives you this score
or another can mean a lot of things. Nobody has seen your DNS or a
single line of your conig yet, so it's hard to help you really.

> > - Did you just put a dkim txt record in DNS without any additional
> >   configuration on your mailserver?
> 
> ok: i have 2 servers: 1. managed by nsd, which obtained 9.7/10 at the same
> web page, not a problem; 2. vultr managed by their dns app, here i am not
> able to make it work correctly. What should be the additional
> configuration on the mail server please?

What mail server?
What "additional" configuration?

If you want help with a mail config,
you need to show your mail config.

Re: smtpd only Mail Server

[latincom]

> On Mon, 2021-08-09 at 20:02 -0700, latin...@vcn.bc.ca wrote:
>> Hello
>>
>> i have had a smtpd only mail server for 21 years; but now i have a big
>> problem related to dkim, dmarc, and spf. First, there is not man page,
>> archives are not clear for me, google is confusing; but i have added the
>> corresponding dns records, with the result that dkim is not signing
>> mail!
>>
>> Could someone please point me to specific openbsd place to look for it?
>>
>> thanks
>>
>
> Your information is far from complete, so don't expect anything
> useful from this mail, but:

This is the main OpenBSD list for users, i almost always got useful answers!

> - smtpd had its first commit in 2008 and back then was far from
>   production ready: So are you using base smtpd, or sendmail, or
>   something else?

Yes, 2000 it was sendmail, nginx, apache, smtpd if i remember correctly;
but my question is:

"Could someone please point me to specific openbsd place to look for it?"

> - I assume it's related to outbound mail, but even that is not
>   completely clear to me.

No, it is the complete behaviour of dkim, dmarc, and spf. i got 0/10 at
this page: https://www.mail-tester.com/ and yes, i can receive mail, but
mine is considered spam!

> - Did you just put a dkim txt record in DNS without any additional
>   configuration on your mailserver?

ok: i have 2 servers: 1. managed by nsd, which obtained 9.7/10 at the same
web page, not a problem; 2. vultr managed by their dns app, here i am not
able to make it work correctly. What should be the additional
configuration on the mail server please?

> - If you did configure something, what do you use? (e.g.
>   filter-dkimsign, rspamd, dkimproxy, ...)
> - What kind of errors do you see?

Well, now that you mention it; my first step was pkg_add dkimproxy, and
minutes after, pkg_delete dkimproxy. It was all.

>
> So if I'm taking a blind guess I'd say smtpd, without additional
> configuration on outbound mail. In that case I suggest you install
> opensmtpd-filter-dkimsign from ports and read the readme:
> /usr/local/share/doc/pkg-readmes/opensmtpd-filter-dkimsign and
> filter-dkimsign(8).

Are you saying that i am in need of installing something that is not in
the system? i use only the base system, which for me has been enough.

>
> martijn@

Well at tha end you gave me a lot of information, thanks for that.

Re: ssh authlog: Failed none for invalid user

[Darren Tucker]

On Tue, 10 Aug 2021 at 09:06, Jordan Geoghegan  wrote:

> Hello,
>
> I was hoping somebody could set me straight here. On one of my machines I
> have a number of entries in my /var/log/authlog file that look like this:
>
> Failed none for invalid user admin from 14.239.50.255 port 51796
>
> The machine has been being hammered with SSH bruteforce attempts and I
> noticed that "Failed none" entry popping up frequently.
>
> What exactly does "Failed none" mean here in this in this context?


It's the attempted authentication method, and it's normal behaviour.

The SSH protocol has a number of authentication methods, for example
"password" and "publickey".The client sends a message that says "I'd
like to authenticate via password using the password 'hunter2'" and the
server replies with either "yes that worked", or "nope" and a list of
authentication methods that it might accept.  Publickey authentication has
a couple of extra steps but works in a similar way.

The protocol also specifies a "none" [0] authentication method, which will
succeed if the server requires no further authentication (eg in OpenSSH, if
PermitEmptyPassword is set and the account does not have a password).  Many
SSH clients including OpenSSH's start by asking for "none" authentication
then, if that doesn't work, use the list of possible authentication methods
to decide what to do next.  This is what you're seeing.

When I last looked, the bulk of the password guessing bots just sent a
single "password" auth method and if it doesn't work, disconnect.
Apparently the bots you're seeing behave a bit more like other clients.

[0] https://datatracker.ietf.org/doc/html/rfc4252#section-5.2

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Re: smtpd only Mail Server

[artsi0m]

Hello!
>smtpd only mail server for 21 years.
Why not use fdm ? As i know it is developed by OpenBSD members.
>There is no man page for dkim, dmark and spf
OpenBSD developers maintain man pages for base system mostly.
I've never heard about ports maintainers editing port man page.
>google is confusing
I think, you should use more of apropos(1) and read other systems
man pages too.
>specific openbsd place
I've heard about hackathon's being a real thing, also solene@ can advice
you which irc client to use and by the way Stallman advised to solve
similar tasks with the help of people from install fests.

Best regards, Artyom.
‐‐‐ Original Message ‐‐‐

вторник, 10 августа 2021 г., 6:02 ДП,  написал(а):

> Hello
>
> i have had a smtpd only mail server for 21 years; but now i have a big
>
> problem related to dkim, dmarc, and spf. First, there is not man page,
>
> archives are not clear for me, google is confusing; but i have added the
>
> corresponding dns records, with the result that dkim is not signing mail!
>
> Could someone please point me to specific openbsd place to look for it?
>
> thanks

Re: OpenCV on 6.9 can't open camera

[Kevin Lo]

On Mon, Aug 09, 2021 at 11:56:36AM -0600, Jeff Ross wrote:
> 
> Hi,
> 
> I'm porting a python3 program I wrote for capturing jpegs from a USB based
> webcam, using OpenCV for capture and post-processing.?? I was running this
> on a RaspberryPi 3B+ under linux but I'm sick of battling crappy hardware
> and linux so I bought a Mini PC stick and installed 6.9.?? (dmesg follows)
> 
> OpenCV (installed from the package) doesn't seem to be able to open the
> camera. The camera (in this case for testing a Logitech C910) can be
> accessed no problem with ffplay, fswebcam and video(1).?? I also opened the
> kern sysctls for both audio and video and chowned /dev/video to my user.
> 
> jross@aurora-cam:/home/jross $ fswebcam?? -d v4l2:/dev/video0 -F3 --save
> test2.jpg
> --- Opening v4l2:/dev/video0...
> /dev/video0 opened.
> No input was specified, using the first.
> Adjusting resolution from 384x288 to 432x240.
> --- Capturing 3 frames...
> Captured 3 frames in 0.06 seconds. (46 fps)
> --- Processing captured image...
> Writing JPEG image to 'test2.jpg'.
> 
> OpenCV not so much though:
> 
> jross@aurora-cam:/home/jross $ cat open_test.py
> import cv2 as cv
> import subprocess
> 
> cap = cv.VideoCapture(0, cv.CAP_V4L2)
> print(cap)
> if not cap.isOpened():
> ?? print("Open Failed!")
> elif cap.isOpened():
> ?? print("Open Succeeded!")
> 
> height = cap.get(cv.CAP_PROP_FRAME_HEIGHT)
> width = cap.get(cv.CAP_PROP_FRAME_WIDTH)
> exposure = cap.get(cv.CAP_PROP_AUTO_EXPOSURE)
> 
> print(height,width,exposure)
> frame = []
> try:
> ?? ret, temp_frame = cap.read()
> ?? print(ret)
> except Exception as e:
> ?? print(e)
> ?? #kill anything else using the camera
> ?? pid = subprocess.check_output("fuser -k
> /dev/video0",stderr=subprocess.STDOUT, shell=True)[:-1].decode('utf-8')
> ?? print("Exception caught! %s" % (e))
> frame.append(temp_frame)
> print(frame)
> 
> jross@aurora-cam:/home/jross $ python3 open_test.py
> 
> Open Failed!
> 0.0 0.0 0.0
> False
> [None]
> 
> I'd appreciate anyone's thoughts on fixing this!

Hi, I encountered the same problem.  Just committed a fix:
https://marc.info/?l=openbsd-ports-cvs&m=162857744213080&w=2

> Jeff Ross

Kevin