Re: VLAN-tagging, how?
Thank you all very much for the setup examples, very helpful!
Re: New filters auth and sign
On Sat, 01 Jun 2024 00:34:41 +0100, Kirill A. Korinsky wrote:
> Greetings,
>
> I'd like to announce two new filters for OpenSMTPD which are better used
> together: auth and sign.

Oops, wrong list. It should be m...@opensmtpd.org. Sorry for the noise.

-- 
wbr, Kirill
New filters auth and sign
Greetings,

I'd like to announce two new filters for OpenSMTPD which are better used together: auth and sign.

auth is a filter which verifies DKIM, ARC, SPF and iprev. It adds an Authentication-Results header or ARC-Authentication-Results.

sign is a filter which adds a DKIM or ARC signature, or an ARC seal.

For example, I run this configuration:

    filter "auth" proc-exec "filter-auth"

    listen on egress port smtp ... filter { admdscrub, "auth", dnsbl }

    filter sign_ed25519 proc-exec "filter-sign -a ed25519-sha256 -D /etc/mail/domains \
        -s 20240125ed25519 -k /etc/mail/dkim/20240125.ed25519.key" user _dkimsign group _dkimsign
    filter sign_rsa proc-exec "filter-sign -a rsa-sha256 -D /etc/mail/domains \
        -s 20240125rsa -k /etc/mail/dkim/20240125.rsa.key" user _dkimsign group _dkimsign
    filter arc_auth proc-exec "filter-auth -A"
    filter arc_sign proc-exec "filter-sign -A -a rsa-sha256 -d mx.catap.net \
        -s 20240125rsa -k /etc/mail/dkim/20240125.rsa.key" user _dkimsign group _dkimsign
    filter arc_seal proc-exec "filter-sign -S -a rsa-sha256 -d mx.catap.net \
        -s 20240125rsa -k /etc/mail/dkim/20240125.rsa.key" user _dkimsign group _dkimsign
    filter sign chain { sign_ed25519 sign_rsa arc_auth arc_sign arc_seal }

    listen on egress port submission ... filter sign

Here all incoming messages are authorised by adding Authentication-Results, and all outgoing messages are:
- signed by two DKIM signatures with the correct domain (listed in /etc/mail/domains)
- signed by one ARC signature with domain mx.catap.net
- sealed by one ARC seal with domain mx.catap.net

Yeah, it is possible to use different selectors for the ARC signature and seal, but I haven't tested it.

The code is based on Martijn van Duren's filter-dkimsign, filter-dkimverify and filter-spf, and I also used some pieces from spfwalk.c from OpenSMTPD. Man pages for both filters are updated. Thus, the sign filter is a drop-in replacement for filter-dkimsign.
Code available here:
- https://github.com/catap/opensmtpd-filter-auth
- https://github.com/catap/opensmtpd-filter-sign

I also attached ports for OpenBSD which I used to run it.

How stable is it? Well, enough to share and ask for feedback. It may contain bugs, but it should be fine to use. The produced signature was tested against gmail, yahoo, icloud.com and dkimpy and it holds. Anyway, outlook.com fails on the ARC signature with errors 35 or 47 (what does it mean?) and produces an invalid signature as the next in the ARC chain (tested by dkimpy).

Thus, this email was sent via a server which uses these filters, so the headers from this email are a good example.

-- 
wbr, Kirill
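The announcement above describes a verifying filter that adds an Authentication-Results header. What a consumer downstream of such a filter has to do with that header is less obvious, so here is an added example (not code from filter-auth, filter-sign or OpenSMTPD) that parses RFC 8601 Authentication-Results values and makes a simple trust decision: a header whose authserv-id is not our own verifier's is ignored, since an outside sender could have supplied it, and otherwise only a DKIM or SPF pass whose domain aligns with the From domain counts. The host names, domains and sample headers are constructed for the example.

```python
"""Parse Authentication-Results (RFC 8601) and classify a message.

Added example, not code from the filters announced above. It models what a
consumer of the header a verifying filter adds would do. All sample headers,
host names and domains are constructed.
"""
import re
import shlex

_COMMENT_RE = re.compile(r"\([^()]*\)")


def unfold(header: str) -> str:
    """Join folded header lines (line break followed by whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def strip_comments(text: str) -> str:
    """Remove RFC 5322 comments such as "(mail.example.org)", nested ones too."""
    prev = None
    while prev != text:
        prev, text = text, _COMMENT_RE.sub("", text)
    return text


def parse_authentication_results(header: str):
    """Return (authserv_id, [{"method", "result", "props"}, ...])."""
    value = header
    if header.lower().startswith("authentication-results:"):
        value = header.split(":", 1)[1]
    value = strip_comments(unfold(value))
    parts = [p.strip() for p in value.split(";")]
    parts = [p for p in parts if p]
    if not parts:
        raise ValueError("empty Authentication-Results value")
    authserv_id = parts[0].split()[0]   # optional version number follows it
    results = []
    for resinfo in parts[1:]:
        tokens = shlex.split(resinfo)   # keeps reason="quoted text" as one token
        if not tokens or tokens[0] == "none":
            continue                    # "none": no authentication was performed
        method, _, result = tokens[0].partition("=")
        method = method.split("/", 1)[0].lower()   # drop optional method version
        props = {}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            props[key.lower()] = val
        results.append({"method": method, "result": result.lower(), "props": props})
    return authserv_id, results


def _domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def evaluate(header: str, trusted_authserv_id: str, from_domain: str) -> str:
    """Classify: untrusted-authserv-id / aligned-pass / pass-unaligned / fail.

    A header not bearing our own authserv-id may have been supplied by the
    sender and is not relied on. Alignment means the DKIM d= domain or the
    SPF mailfrom domain equals the From domain (a simplified DMARC view).
    """
    authserv_id, results = parse_authentication_results(header)
    if authserv_id.lower() != trusted_authserv_id.lower():
        return "untrusted-authserv-id"
    from_domain = from_domain.lower()
    dkim_aligned = any(
        r["method"] == "dkim" and r["result"] == "pass"
        and r["props"].get("header.d", "").lower() == from_domain
        for r in results)
    spf_aligned = any(
        r["method"] == "spf" and r["result"] == "pass"
        and _domain_of(r["props"].get("smtp.mailfrom", "")) == from_domain
        for r in results)
    if dkim_aligned or spf_aligned:
        return "aligned-pass"
    if any(r["result"] == "pass" for r in results):
        return "pass-unaligned"
    return "fail"


# Constructed sample: inbound message carrying two DKIM signatures (one
# ed25519, one RSA) for the From domain, SPF and iprev passing.
SAMPLE_OK = (
    "Authentication-Results: mx.example.net;\n"
    "\tdkim=pass header.d=example.org header.s=sel-ed25519 header.a=ed25519-sha256;\n"
    "\tdkim=pass header.d=example.org header.s=sel-rsa header.a=rsa-sha256;\n"
    "\tspf=pass smtp.mailfrom=example.org;\n"
    "\tiprev=pass policy.iprev=192.0.2.10 (mail.example.org)"
)

# Constructed sample: DKIM passes only for a third-party domain, SPF fails.
SAMPLE_UNALIGNED = (
    "Authentication-Results: mx.example.net;\n"
    "\tdkim=pass header.d=newsletter.example.com header.s=s1;\n"
    '\tspf=fail reason="mailfrom domain does not designate sender" smtp.mailfrom=example.org'
)

if __name__ == "__main__":
    print(evaluate(SAMPLE_OK, "mx.example.net", "example.org"))         # aligned-pass
    print(evaluate(SAMPLE_UNALIGNED, "mx.example.net", "example.org"))  # pass-unaligned
    print(evaluate(SAMPLE_OK, "mx.other.example", "example.org"))       # untrusted-authserv-id
```

The authserv-id check is the important one: a verifying filter writes the header after it has done the work, so anything arriving from outside that already carries your own authserv-id should be stripped or ignored before this logic runs, which is why evaluate() refuses to act on a mismatch rather than silently accepting the sender's claims.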
Re: vim editor with TERM
:0 I can start using EDITOR instead of VISUAL and start removing:
$ set -o vi; in my .profiles

On Fri, May 31, 2024 at 3:17 PM Nathaniel Griswold wrote:
> There is also the VISUAL param which overrides what is inferred from
> EDITOR.
>
> On Fri, May 31, 2024, at 2:23 PM, Stuart Henderson wrote:
> > On 2024-05-31, 04-psyche.tot...@icloud.com <04-psyche.tot...@icloud.com> wrote:
> > > Hi all,
> > >
> > > I use the following terminal:
> > >
> > > echo $TERM
> > > xterm-256color
> > >
> > > when in my ~/.profile I do:
> > >
> > > export EDITOR=nano
> > >
> > > everything works well.
> > >
> > > However, if I do
> > >
> > > export EDITOR=vim
> > >
> > > then when I ssh into the machine, up and down arrow in the terminal do
> > > not work anymore (it does not give me access to previous commands entered).
> >
> > It's an extremely annoying misfeature in ksh.
> >
> > If $EDITOR starts with the letters "vi" then it defaults to vi-style
> > command line editing. You can use "set -o emacs" to override that, but
> > then if you sudo/doas to root it will reset to vi-style editing because
> > of the exported EDITOR variable.
> >
> > On some machines I got fed up enough with this to symlink
> > "emacs-notreally" to vim and set EDITOR=emacs-notreally...
Re: vim editor with TERM
There is also the VISUAL param which overrides what is inferred from EDITOR.

On Fri, May 31, 2024, at 2:23 PM, Stuart Henderson wrote:
> On 2024-05-31, 04-psyche.tot...@icloud.com <04-psyche.tot...@icloud.com> wrote:
> > Hi all,
> >
> > I use the following terminal:
> >
> > echo $TERM
> > xterm-256color
> >
> > when in my ~/.profile I do:
> >
> > export EDITOR=nano
> >
> > everything works well.
> >
> > However, if I do
> >
> > export EDITOR=vim
> >
> > then when I ssh into the machine, up and down arrow in the terminal do not
> > work anymore (it does not give me access to previous commands entered).
>
> It's an extremely annoying misfeature in ksh.
>
> If $EDITOR starts with the letters "vi" then it defaults to vi-style
> command line editing. You can use "set -o emacs" to override that, but
> then if you sudo/doas to root it will reset to vi-style editing because
> of the exported EDITOR variable.
>
> On some machines I got fed up enough with this to symlink
> "emacs-notreally" to vim and set EDITOR=emacs-notreally...
Re: mounting audio cd
MIZSEI Zoltán [31/05/2024 20.15]:
> Interestingly BeOS and Haiku let you mount an audio cd, it generates a vfs
> from the toc and shows the tracks as wav or flac (fixme), it does an
> automatic conversion behind the curtains if you copy a file from an audio cd.

Linux also had such a thing in the past - I can't remember the name of the file-system.

-- 
Hilsen Harald
Re: vim editor with TERM
On 2024-05-31, 04-psyche.tot...@icloud.com <04-psyche.tot...@icloud.com> wrote:
> Hi all,
>
> I use the following terminal:
>
> echo $TERM
> xterm-256color
>
> when in my ~/.profile I do:
>
> export EDITOR=nano
>
> everything works well.
>
> However, if I do
>
> export EDITOR=vim
>
> then when I ssh into the machine, up and down arrow in the terminal do not
> work anymore (it does not give me access to previous commands entered).

It's an extremely annoying misfeature in ksh.

If $EDITOR starts with the letters "vi" then it defaults to vi-style command line editing. You can use "set -o emacs" to override that, but then if you sudo/doas to root it will reset to vi-style editing because of the exported EDITOR variable.

On some machines I got fed up enough with this to symlink "emacs-notreally" to vim and set EDITOR=emacs-notreally...
Re: vim editor with TERM
On Fri, May 31, 2024 at 04:52:29PM +0100, 04-psyche.tot...@icloud.com wrote:
> export EDITOR=vim
>
> Does anyone have a clue as to what could cause this issue?
>
> Thanks,
> Jake

Your ksh is now using vi editing mode instead of emacs. You can verify this by hitting esc, then i, and you can then type normally, but with some different conditions. If you want to keep this, hit esc and k for earlier commands, j for later commands. I use both vi and emacs editing modes (this has nothing to do with the actual editors). man ksh will help. vi editing mode has very similar commands to the vi editor.

-- 
Regards,
Chris Bennett

"Who controls the past controls the future. Who controls the present controls the past."
George Orwell - 1984
Re: mounting audio cd
Interestingly BeOS and Haiku let you mount an audio cd, it generates a vfs from the toc and shows the tracks as wav or flac (fixme), it does an automatic conversion behind the curtains if you copy a file from an audio cd.
vim editor with TERM
Hi all,

I use the following terminal:

echo $TERM
xterm-256color

when in my ~/.profile I do:

export EDITOR=nano

everything works well.

However, if I do

export EDITOR=vim

then when I ssh into the machine, up and down arrow in the terminal do not work anymore (it does not give me access to previous commands entered).

I have installed the following vim:

$ pkg_info | grep vim
vim-9.1.139-no_x11  vi clone, many additional features

Does anyone have a clue as to what could cause this issue?

Thanks,
Jake
Re: Correct fdisk info for ext2fs?
Brian: Thanks so much. I ended up formatting it in OpenBSD's ffs file system. Too many issues with Linux. If I need to transfer data from the Linux computer, then I will ssh into OpenBSD.

On Thu, May 30, 2024 at 11:04 PM Brian Conway wrote:
> On Thu, May 30, 2024, at 6:02 PM, nisp1953 wrote:
> > OpenBSD 7.5 GENERIC.MP#82 amd64
> >
> > Hi all:
> >
> > I formatted a 2TB USB Hard Drive under Linux and get the following from
> > fdisk:
> >
> > # fdisk sd1
> > Disk: sd1       geometry: 243201/255/63 [3907029167 Sectors]
> > Offset: 0       Signature: 0x0
> >             Starting         Ending         LBA Info:
> >  #: id      C   H   S -      C   H   S [       start:        size ]
> > -------------------------------------------------------------------------------
> >  0: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
> >  1: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
> >  2: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
> >  3: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
> >
> > I had to add a disklabel before I could mount it and use it on OpenBSD:
> > # disklabel sd1
> > # /dev/rsd1c:
> > type: SCSI
> > disk: SCSI disk
> > label: BUP Slim
> > duid: 3cca86bd1e312e1f
> > flags:
> > bytes/sector: 512
> > sectors/track: 63
> > tracks/cylinder: 255
> > sectors/cylinder: 16065
> > cylinders: 243201
> > total sectors: 3907029167
> > boundstart: 0
> > boundend: 3907029167
> >
> > 16 partitions:
> > #                size           offset  fstype [fsize bsize   cpg]
> >   c:       3907029167                0  unused
> >   i:       3907029167                0  unknown
> >
> > It does have a signed DUID:
> > # sysctl hw.disknames
> > hw.disknames=sd0:c9251986e646484c,sd1:3cca86bd1e312e1f
> >
> > I have been using it for several days and I write to it both under
> > Linux and OpenBSD.
> > What am I doing wrong here that no partitions show up in fdisk?
> > Here is the relevant dmesg info:
> > scsibus4 at umass0: 2 targets, initiator 0
> > sd1 at scsibus4 targ 1 lun 0:
> > serial.0bc2ac30NAEA4KVV
> > sd1: 1907729MB, 512 bytes/sector, 3907029167 sectors
> > /dev/sd1i: file system not clean; please fsck(8)
> >
> > Thanks in advance for any advice on this.
>
> It looks like you have formatted an entire drive without partitioning it
> first. This isn't wrong *per se*, in the same way you might format certain
> types of external media without partitioning them, but it's not expected and
> could become a footgun if you go to perform an operation on the drive and
> forget that it isn't a filesystem within a partition. As you've noted, it
> does operate correctly.
>
> Brian Conway
> Owner
> RCE Software, LLC
Re: mounting audio cd
Hi,

yes I run a GUI, you are right that I cannot mount an audio CD. To rip an audio CD, I was transient in the operator group. That worked. Nevertheless thank you for the answer.

Sorry for the mix up
Manfred

On 5/30/24 20:54, Ampie Niemand wrote:
> On Thu, May 30, 2024 at 06:43:13PM +0200, Manfred Koch wrote:
> > Hi all,
> >
> > I have tried to mount an audio cd with the command:
> >
> > doas mount -t cd9660 /dev/cd0c /cdrom
> > mount_cd9660: /dev/cd0c on /cdrom: Invalid argument
>
> You cannot mount it like that because it's an audio CD and not a Data CD. If
> it was a data CD, you will only have access to the files, such as a file
> backup.
>
> The following website might have the answer for you:
> https://www.openbsdhandbook.com/multimedia/
>
> Not sure if you run a GUI, but if you do, install vlcplayer and you should be
> able to just play it, but go read a bit on the website given above.
>
> Regards
> Ampie
>
> > doas dmesg | grep cd shows me:
> > cd0 at scsibus1 targ 0 lun 0: removable
> > cd0(ahci0:0:0): Check Condition (error 0x70) on opcode 0x0
> > cd0 at scsibus1 targ 0 lun 0: removable
> > cd0(ahci0:0:0): Check Condition (error 0x70) on opcode 0x0
> > cd0 at scsibus1 targ 0 lun 0: removable
> >
> > using 7.5 GENERIC.MP#82 amd64
> >
> > Two weeks ago I could mount it with success.
> > Forgive me, I'm a rookie.
> > Does anyone have an idea?
> >
> > Manfred
Re: Call sysctl before sysctl.conf
On Fri, 31 May 2024 at 05:05 <04-psyche.tot...@icloud.com> wrote:
> Hi all,
>
> When openBSD runs my processor at 100%, it makes a noise. Interestingly, when
> in bios, this noise does not appear.

I also heard the noise... but it seems quiet when I plugged in my headphones. What's the noise you are referring to, from the fan or from the speaker?
Re: VLAN-tagging, how?
On Fri, May 31, 2024 at 1:20 PM Zé Loff wrote:
> On Thu, May 30, 2024 at 10:12:12PM +, Martin wrote:
> > I am currently using a home made router with OpenBSD which is connected
> > directly to my ISP's fiber router. The OpenBSD router is setup with a
> > fixed IP on the WAN port and I do internal NAT etc.
> >
> > In about a month a new ISP is going to provide internet via the fiber
> > and they are changing the equipment.
> >
> > What they have told me is that in order to use my own router, the
> > router has to support VLAN tagging.
> >
> > The statement I got was:
> >
> > "We send traffic out on VLAN 100 so your router needs to be tagged to
> > 100. Then all it has to do is to get an IP via DHCP."
> >
> > I have not done any VLAN stuff before and I am unsure exactly how to do
> > this.
> >
> > Is this possible and how exactly is that done?
> >
> > Thanks.
>
> Keeping it simple (change re1 to whatever is relevant in your case):
>
> # cat /etc/hostname.re1
> up
>
> # cat /etc/hostname.vlan100
> vnetid 100 parent re1
> inet autoconf
> up
>
> So, in summary, (1) make sure the physical interface comes up and (2)
> create a VLAN interface, with 100 as the VLAN number, the physical
> interface as its parent. The rest is the same as for any other
> interface (inet autoconf and up).
>
> Incidentally, I am running this with an ISP that also provides VoIP over
> VLAN 101, which I don't want to filter, rather sending it straight to
> the VoIP phone they provided (which gets configured via DHCP). I
> achieved this by
>
> (1) creating an interface on VLAN 101, with the external physical
> interface as the parent:
>
> # cat /etc/hostname.vlan1010 <- the extra 0 at the end is not a typo
> vnetid 101 parent re1
> up
>
> (2) creating another interface on the same VLAN, but with an internal
> interface as the parent:
>
> # cat /etc/hostname.vlan1011 <- note the extra 1 at the end
> vnetid 101 parent re2
> up
>
> (3) bridging them together
>
> # cat /etc/hostname.veb101
> add vlan1010
> add vlan1011
> up

@Zé Loff, This explanation is excellent. I was following this thread out of sheer curiosity :-)

-- 
Best regards,
Odhiambo WASHINGTON, Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
In an Internet failure case, the #1 suspect is a constant: DNS.
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
[How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html]
Re: amd64 bsd.rd for 7.0, 7.1, 7.2
On Fri, 31 May 2024 10:02:57 +0100, "Quentin Carbonneaux" wrote:
> I want to upgrade an amd64 system running 6.9. Following
> the guide I would like to upgrade to 7.{0,1,2,3,4,5}
> sequentially. However it looks like
>
> wget https://cdn.openbsd.org/pub/OpenBSD/7.{0,1,2}/amd64/bsd.rd
>
> returns 404 for all three queries.
>
> Where can I find the bsd.rd images for these versions?
>
> Thanks for your help.

Not all mirrors host old versions. For example https://mirror.leaseweb.com/pub/OpenBSD/ from Europe has old versions, but it might be different from your location.

-- 
wbr, Kirill
Re: VLAN-tagging, how?
On Thu, May 30, 2024 at 10:12:12PM +, Martin wrote:
> I am currently using a home made router with OpenBSD which is connected
> directly to my ISP's fiber router. The OpenBSD router is setup with a
> fixed IP on the WAN port and I do internal NAT etc.
>
> In about a month a new ISP is going to provide internet via the fiber
> and they are changing the equipment.
>
> What they have told me is that in order to use my own router, the
> router has to support VLAN tagging.
>
> The statement I got was:
>
> "We send traffic out on VLAN 100 so your router needs to be tagged to
> 100. Then all it has to do is to get an IP via DHCP."
>
> I have not done any VLAN stuff before and I am unsure exactly how to do
> this.
>
> Is this possible and how exactly is that done?
>
> Thanks.

Keeping it simple (change re1 to whatever is relevant in your case):

# cat /etc/hostname.re1
up

# cat /etc/hostname.vlan100
vnetid 100 parent re1
inet autoconf
up

So, in summary, (1) make sure the physical interface comes up and (2) create a VLAN interface, with 100 as the VLAN number, the physical interface as its parent. The rest is the same as for any other interface (inet autoconf and up).

Incidentally, I am running this with an ISP that also provides VoIP over VLAN 101, which I don't want to filter, rather sending it straight to the VoIP phone they provided (which gets configured via DHCP). I achieved this by

(1) creating an interface on VLAN 101, with the external physical interface as the parent:

# cat /etc/hostname.vlan1010 <- the extra 0 at the end is not a typo
vnetid 101 parent re1
up

(2) creating another interface on the same VLAN, but with an internal interface as the parent:

# cat /etc/hostname.vlan1011 <- note the extra 1 at the end
vnetid 101 parent re2
up

(3) bridging them together

# cat /etc/hostname.veb101
add vlan1010
add vlan1011
up
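The hostname.vlan100 file above tells the kernel which tag to put on frames leaving re1 and which incoming frames belong to vlan100, but the thread never shows what that tag actually is. The following added example (not OpenBSD code, and not from anyone in the thread) builds and parses IEEE 802.1Q frames: a 4-byte tag, TPID 0x8100 followed by a TCI whose low 12 bits are the VLAN ID, inserted after the source MAC. The dispatch() function is a deliberately simplified model of how a parent interface hands a tagged frame to the vlan child whose vnetid matches; that model, the drop-on-no-match rule, and all MAC addresses are assumptions made for the example, and it also handles stacked (0x88A8/0x8100) tags, which go beyond what the thread's ISP case needs.

```python
"""Build and parse IEEE 802.1Q tagged Ethernet frames.

Added example for the VLAN thread above; not OpenBSD code. MAC addresses,
the vnetid -> interface map and the dispatch model are constructed.
"""
import struct

TPID_8021Q = 0x8100    # customer (C-) tag, what "VLAN 100" on the wire uses
TPID_8021AD = 0x88A8   # service (S-) tag used as the outer tag when stacking
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_tag(vid: int, pcp: int = 0, dei: int = 0, tpid: int = TPID_8021Q) -> bytes:
    """Encode one tag: TPID, then TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)."""
    if not 0 <= vid <= 4094:              # 4095 is reserved; 0 means priority-tag only
        raise ValueError("VID must be 0..4094")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("bad PCP/DEI")
    return struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)


def build_frame(dst: str, src: str, payload: bytes, vids=(), ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Frame with zero or more tags; several vids give a stacked tag set, outermost first."""
    tags = b""
    for i, vid in enumerate(vids):
        outer = len(vids) > 1 and i < len(vids) - 1
        tags += build_tag(vid, tpid=TPID_8021AD if outer else TPID_8021Q)
    return mac_bytes(dst) + mac_bytes(src) + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, tags as [(vid, pcp, dei), ...] outermost first, ethertype, payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = mac_str(frame[:6]), mac_str(frame[6:12])
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break                          # a real EtherType: tag stack has ended
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        tags.append((tci & 0x0FFF, tci >> 13, (tci >> 12) & 1))
        offset += 4
    return {"dst": dst, "src": src, "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def dispatch(frame: bytes, parent: str, children: dict):
    """Simplified model (assumption, not the kernel's code) of tag demultiplexing.

    children maps vnetid -> vlan interface name. Untagged or priority-only
    (VID 0) frames stay on the parent; a tagged frame goes to the child with
    that vnetid; with no matching child it is dropped (None). Only the
    outermost tag is consulted.
    """
    parsed = parse_frame(frame)
    if not parsed["tags"] or parsed["tags"][0][0] == 0:
        return parent
    return children.get(parsed["tags"][0][0])


# Constructed to match the thread: vnetid 100 (WAN) and 101 (VoIP) on re1.
CHILDREN = {100: "vlan100", 101: "vlan1010"}
ISP = "02:00:00:00:00:01"
ROUTER = "02:00:00:00:00:02"

if __name__ == "__main__":
    f = build_frame(ROUTER, ISP, b"ip-payload", vids=(100,))
    print(f[12:16].hex(), parse_frame(f)["tags"], dispatch(f, "re1", CHILDREN))
```

Running it shows the tag bytes 81000064 (0x8100, then VID 100 in the low 12 bits) and the frame landing on vlan100; the same frame on VID 200 lands nowhere, which is the behaviour the ISP's "needs to be tagged to 100" remark is describing from the other side. A tag is only a 12-bit label, not a security boundary: any host on the parent link can emit frames with any VID, so traffic separation across VLANs still relies on pf rules on the vlan interfaces, not on the tags themselves.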
Re: [7.5/amd64] ipsec + npppd + sasyncd + carp - doesn't pick up the VPN session at switchover
On 2024-05-30, Radek wrote:
> Thank you all for your replies.
>
> Actually, I did not know that providing seamless switching VPN solutions is
> so problematic. If it can't be done in a simple way, then it doesn't have to
> be seamless at any cost. Users will manually reconnect to this VPN when CARP
> does switchover and there will be no drama.
>
> I am currently using IPSEC/L2TP, but I do not insist on switching to
> wireguard. IPSEC/L2TP simply works smoothly on win10/11/mac. About 2020 I
> switched IKEv2 to IPSEC/L2TP when my CA certificate expired and I couldn't
> cope with updating it to get a VPN back to work. It was a pandemic, and
> everybody worked remotely. Then I quickly switched IKEv2 to IPSEC/L2TP to
> allow users to work remotely again, and so it remains to this day. Maybe it's
> time to replace IPSEC/L2TP with other/newer VPN solution - on the occasion of
> CARP deployment.

IKEv2 with certs signed by a publicly trusted CA is fairly easy to work with on the client side. The server side is a bit fiddly on OpenBSD; iked can send the necessary intermediate certs now but it's not obvious which file they need to go in (and I forgot the details..)

> I also need to assign to users static IP addresses per user - if I remember
> that IKEv2 assigned to users random addresses from the entire VPN pool and I
> couldn't cope with IP/user assignment.

IKEv2 certainly can, it depends on the software. The in-tree version of iked doesn't have a way to do it yet, but the patches at https://marc.info/?l=openbsd-tech&m=170895540813042&w=2 allow doing that via RADIUS config.
amd64 bsd.rd for 7.0, 7.1, 7.2
Hi,

I want to upgrade an amd64 system running 6.9. Following the guide I would like to upgrade to 7.{0,1,2,3,4,5} sequentially. However it looks like

wget https://cdn.openbsd.org/pub/OpenBSD/7.{0,1,2}/amd64/bsd.rd

returns 404 for all three queries.

Where can I find the bsd.rd images for these versions?

Thanks for your help.
Re: umount raid volume before shutdown?
On Thu, May 30, 2024 at 08:17:27PM +0100, 04-psyche.tot...@icloud.com wrote:
> From my reading of /etc/rc, it seems that at shutdown or reboot, the OS will
> automatically unmount everything.
>
> So that will unmount my encrypted partition.
>
> However, it does not run bioctl -d sd* for the pseudo-device.
>
> So I guess the question becomes, is it a problem to exit the system without
> detaching the softraid volume via bioctl?

Don't worry, the reboot code in the kernel makes sure that disks are properly unmounted and stopped. This includes softraid. If you want to look then check out vfs_shutdown() and sr_quiesce() in the source code.

> Thanks!
>
> > Hi all,
> >
> > on my main hard drive, I have a partition `p` that I have encrypted in the
> > following way:
> >
> > $ bioctl -c C -l sd0p softraid0
> >
> > -> This created the sd1 pseudo-device, on which I ran the following:
> >
> > $ fdisk -g sd1
> >
> > $ disklabel -E sd1 # created partition i, to take all the space. This is the
> > unique partition on this
> >
> > $ newfs sd1a
> >
> > I then mount this via:
> >
> > $ mount /dev/sd1i /decrypt
> >
> > I have two questions:
> >
> > - I don't want to have to unmount /decrypt before I shutdown or restart the
> > computer. Does OpenBSD unmount cleanly encrypted volumes when shutting down?
> >
> > - what should I do with the encrypted sd0p ? Should I remove it from my
> > /etc/fstab and not even mount it? Or is it fine to keep it mounted?
> >
> > Thanks!
> >
> > Jake

-- 
:wq Claudio