Re: many serial ports

2024-02-08 Thread Craig Skinner
Hi Jan,

A Moxa PCI card, either 4 or 8 ports:


puc0 at pci0 dev 18 function 0 "Moxa C168H" rev 0x01: ports: 8 com
com4 at puc0 port 0 irq 9: ns16550a, 16 byte fifo
com5 at puc0 port 1 irq 9: ns16550a, 16 byte fifo
com6 at puc0 port 2 irq 9: ns16550a, 16 byte fifo
com7 at puc0 port 3 irq 9: ns16550a, 16 byte fifo
com8 at puc0 port 4 irq 9: ns16550a, 16 byte fifo
com9 at puc0 port 5 irq 9: ns16550a, 16 byte fifo
com10 at puc0 port 6 irq 9: ns16550a, 16 byte fifo
com11 at puc0 port 7 irq 9: ns16550a, 16 byte fifo
puc1 at pci0 dev 20 function 0 "AT/Lucent Venus Modem" rev 0x00: ports: 1 com
com12 at puc1 port 0 irq 5: ns16550a, 16 byte fifo
com12: probed fifo depth: 0 bytes


Make sure to get the octopus cable with it!

The turquoise RJ11 to serial cables connect to Sun LOM ports.

Cheers,
Craig.



Re: openbsd.org DNS problems

2023-11-15 Thread Craig Skinner
Hello,

OpenBSD's root A record was deliberately removed about 5-10 years ago.

The website is http://www.openbsd.org, not http://openbsd.org

I can't find the thread of complaints from the time it changed.

Cheers,
Craig.



Re: PF rules to block out every IP from a given country

2022-12-06 Thread Craig Schulz
Take a look at PF-Badhost.

Here is a decent write-up:

https://undeadly.org/cgi?action=article;sid=20210119113425

Craig

> On Dec 6, 2022, at 18:28, Damian McGuckin  wrote:
> 
> 
> Has anybody created rules such as this and if so, do you have an example?
> 
> Stay safe - Damian
> 
> Pacific Engineering Systems International, 277-279 Broadway, Glebe NSW 2037
> Ph:+61-2-8571-0847 .. Fx:+61-2-9692-9623 | unsolicited email not wanted here
> Views & opinions here are mine and not those of any past or present employer
> 





Re: spamd IPv6 listener 6.9amd64

2021-05-19 Thread Craig Skinner
Hi Martin,

On Wed, 12 May 2021 13:24:29 + Martin wrote:
> I can't find in spamd(8) how to enable IPv6 listener ...

I thought there was an unofficial patch put up somewhere several years
ago, but I can't find it now. This is the nearest my searching got:

https://undeadly.org/cgi?action=article=20131022072601

https://twitter.com/phessler/status/626312742367068160?lang=en

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223203



Not IPv6, but there is this well-tested patch:
https://github.com/bdijkstra82/OpenBSD-spamlogd


Cheers,
Craig.



Re: mailing list management software

2020-10-27 Thread Craig Skinner
Hi Gregory,

On Thu, 22 Oct 2020 17:12:42 +0300 Gregory Edigarov wrote:
> is there any mailing list software which naturally supports virtual
> domains?

I've found MLMMJ rather good for multiple non-canonical domains:

http://MLMMJ.Org/

The configuration files are different for each domain.

Symlinks can be used to a default setup.

Perl's Template Toolkit can produce config files.

Cheers,
Craig.



Re: sysupgrade with latest snapshot: The directory '/home/_sysupgrade/' does not exist.

2020-09-28 Thread Craig Skinner
On Sun, 27 Sep 2020 23:27:34 +0200 li...@y42.org wrote:
> I subsequently added a 2nd disk to provide more space, for my /home.

/home can be mounted on another disk without a symlink to the OS disk.

Edit /etc/fstab with the actual mount point of /home

Likewise for many other directories on other partitions of other disks.

Such as a large web server could be mounted as /var/www on another disk.

Cheers,
Craig.



Re: dump LOB status

2020-09-25 Thread Craig Skinner
On Thu, 24 Sep 2020 18:04:15 +0300 Juha Erkkilä wrote:
> 
> I tested this with 0.5 terabytes and approximately 70 thousand files,
> with level 0 and 1 dumps, doing some additions/deletions/moves between
> dumps (no inplace modifications to files, though).
>
> It appears both dump and restore worked correctly. I did not check
> all file contents though, but compared path listings and did contents
> check to some randomly sampled files.
> 

FYI: http://www.CoreDumps.De/doc/dump/zwicky/testdump.doc.html



Re: nsd Will Not Start At Boot

2020-07-08 Thread Craig Skinner
G'day Ken,

On Tue, 7 Jul 2020 19:28:23 + Ken Hendrickson wrote:
> 
> I have NSD working now, serving up my local DNS names.
> Unbound is still not working.
> 
> I have a hunch, but cannot find it in the man pages,
> that somehow they have to talk to each other. Is this true?


Depends on what you want unbound & NSD to do!


To have NSD be a zone's authoritative server on a server's public
address, with unbound being the recursive resolver on the same server's
private address & proxying NSD's zones to the LAN, this sort of
configuration could help get you going:-


# /var/unbound/etc/unbound.conf

server:
    interface: 127.0.0.1
    interface: 192.168.some.thing
    # If you have NSD listening on all 53 ports,
    # unbound can't also listen on all 53 ports!
    # Limit your interfaces.

    do-ip6: no

    access-control: ::0/0 refuse
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.blah.0/24 allow

    # private networks:
    private-address: 10.0.0.0/8
    private-address: 100.64.0.0/10
    private-address: 172.16.0.0/12
    private-address: 192.0.0.0/29
    private-address: 192.168.0.0/16
    private-address: 198.18.0.0/15
    # example source code & documentation:
    private-address: 192.0.2.0/24
    private-address: 198.51.100.0/24
    private-address: 203.0.113.0/24
    # subnet, autoconfiguration between two hosts on a single link:
    private-address: 169.254.0.0/16
    # reserved for multicast assignments:
    private-address: 224.0.0.0/4
    # reserved for future use:
    private-address: 240.0.0.0/4

    private-domain: 'internal'
    # or localdomain, or private, or home.ARPA

    do-not-query-localhost: no

    local-zone: 'blah.168.192.in-addr.ARPA' typetransparent


remote-control:
    control-enable: yes
    control-use-cert: no
    control-interface: /var/run/unbound.sock


stub-zone:
    name: 'internal'
    stub-addr: 127.0.0.1@42 # <--- NSD needs to be listening here
    # Port 42 is defunct,
    # so use it for NSD to serve zones on the loopback to unbound.

stub-zone:
    name: 'blah.168.192.in-addr.ARPA'
    stub-addr: 127.0.0.1@42

stub-zone:
    name: 'Britvault.Co.UK'
    stub-addr: 127.0.0.1@42

# ... one further stub-zone: block per additional zone NSD serves on 127.0.0.1@42



Cheers,
Craig.
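The split above only works if a few things in unbound.conf agree with each other: the stub-addr on the loopback is useless unless do-not-query-localhost is off, the stub port must not be one unbound itself listens on (or the query loops back), a wildcard interface collides with an NSD that also binds everything, and an access-control that allows 0.0.0.0/0 turns the box into an open resolver. The following linter checks exactly those invariants; it is an added example, not from the post and not part of unbound, with a deliberately minimal parser (no include:, one attribute per line) and two constructed configs, one in the shape sketched above and one with the mistakes.

```python
"""Lint an unbound.conf for the invariants an NSD + unbound split depends on.

Added example, not from the original post or the unbound project. The parser
is minimal (no include:, one attribute per line) and the sample configs below
are constructed.
"""
import ipaddress
from collections import defaultdict

WILDCARDS = {"0.0.0.0", "::", "::0"}


def parse_unbound_conf(text):
    """Return [(clause, {attribute: [values]})] in file order.

    A line such as 'server:' with nothing after the colon opens a clause;
    'key: value' lines attach to the open clause. Comments and quotes are dropped.
    """
    clauses = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        value = " ".join(tok.strip("'\"") for tok in value.split())
        if not value:
            current = (key, defaultdict(list))
            clauses.append(current)
        elif current is not None:
            current[1][key].append(value)
    return clauses


def split_addr_port(spec, default_port=53):
    """unbound writes listeners and stub-addr as 'ip@port'; the port defaults to 53."""
    host, _, port = spec.partition("@")
    return host, (int(port) if port else default_port)


def lint(clauses):
    """Return a list of findings; an empty list means the invariants hold."""
    findings = []
    server = next((attrs for name, attrs in clauses if name == "server"), {})

    listeners = {split_addr_port(i) for i in server.get("interface", [])}
    wildcard_ports = {port for host, port in listeners if host in WILDCARDS}
    for host, port in listeners:
        if host in WILDCARDS:
            findings.append(f"interface {host}@{port}: wildcard bind, clashes with "
                            "an NSD that also listens on every address")

    for rule in server.get("access-control", []):
        net, _, action = rule.partition(" ")
        try:
            network = ipaddress.ip_network(net, strict=False)
        except ValueError:
            findings.append(f"access-control {rule!r}: unparseable network")
            continue
        if action.strip() in ("allow", "allow_snoop") and network.prefixlen == 0:
            findings.append(f"access-control {net} {action}: open resolver")

    # The last occurrence wins, as in unbound; the compiled-in default is 'yes'.
    localhost_blocked = server.get("do-not-query-localhost", ["yes"])[-1] != "no"

    for name, attrs in clauses:
        if name != "stub-zone":
            continue
        zone = attrs.get("name", ["<unnamed>"])[0]
        for spec in attrs.get("stub-addr", []):
            host, port = split_addr_port(spec)
            if not ipaddress.ip_address(host).is_loopback:
                continue
            if localhost_blocked:
                findings.append(f"stub-zone {zone}: stub-addr {spec} is loopback but "
                                "do-not-query-localhost is not 'no'; unbound will never ask it")
            if (host, port) in listeners or port in wildcard_ports:
                findings.append(f"stub-zone {zone}: stub-addr {spec} is unbound's own "
                                "listener, queries would loop instead of reaching NSD")
    return findings


# Constructed sample in the shape above: NSD on 127.0.0.1@42, unbound on port 53.
GOOD_CONF = """
server:
    interface: 127.0.0.1
    interface: 192.168.1.1
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    do-not-query-localhost: no
stub-zone:
    name: 'internal'
    stub-addr: 127.0.0.1@42   # NSD listens here
"""

# Constructed counter-example carrying each mistake the checks look for.
BAD_CONF = """
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
stub-zone:
    name: internal
    stub-addr: 127.0.0.1
"""

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, lint(parse_unbound_conf(conf)))
```

Run it against a real file with `lint(parse_unbound_conf(open("/var/unbound/etc/unbound.conf").read()))`; `unbound-checkconf` still has the final word on syntax, this only covers the cross-clause logic that checkconf accepts without complaint.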



Birthday wishes Theo

2020-05-19 Thread Craig Skinner
Happy birthday Theo!

On your 22nd anniversary of releasing OpenBSD 2.3

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: RCS file ownership?

2020-04-30 Thread Craig Skinner
G'day Adam/all,

On Wed, 29 Apr 2020 12:43:42 -0500 Adam Thompson wrote:
> When I use co(1) with "-l" to check out a file (and/or "ci -l") is
> there any way to preserve file ownership and *not* have it reset to
> the user running co(1) or ci(1)?


Attached is a script I've used for years to work around this issue.

No licence, do what you want with it.

Rather rubbish to do this in the shell


cop = check out, permissions
cip = check in, permissions


$ ls -ltrhF /usr/local/bin/c* | fgrep ciop
-r-xr-xr-x  1 root  bin 1.8K Jun 29  2013 /usr/local/bin/ciop*
lrwxr-xr-x  1 root  wheel 4B Apr 13  2015 /usr/local/bin/cop@ -> ciop
lrwxr-xr-x  1 root  wheel 4B Apr 13  2015 /usr/local/bin/cip@ -> ciop


Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7
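The attached ciop script itself is not on the page. As an added example of the workaround it describes, the wrapper below snapshots a file's owner, group and mode, runs the command that replaces the file, and puts the metadata back on the new inode; it is generic (pass it `['co', '-l', path]` or `['ci', '-l', path]`) and is not the post's script. The demo uses a shell command as a stand-in for co(1) so it runs where RCS is not installed; restoring an owner other than the calling user still needs root, which is why the post installs the script root-owned in /usr/local/bin.

```python
"""Run a command that rewrites a file, then restore the file's owner, group and mode.

Added example, not the ciop script from the post (not on the page). Generic
wrapper: the command is whatever replaces the file, e.g. ['co', '-l', path].
"""
import os
import stat
import subprocess
import tempfile


def run_preserving_metadata(cmd, path):
    """Snapshot (uid, gid, mode) of path, run cmd, re-apply them to the file that
    exists afterwards, and return the resulting (uid, gid, mode)."""
    before = os.stat(path)
    subprocess.run(cmd, check=True)
    # co/ci unlink and recreate the working file, so the metadata must be
    # re-applied to the new inode rather than assumed to survive.
    os.chown(path, before.st_uid, before.st_gid)
    os.chmod(path, stat.S_IMODE(before.st_mode))
    after = os.stat(path)
    return after.st_uid, after.st_gid, stat.S_IMODE(after.st_mode)


def demo():
    """Stand-in for co(1): a shell command that deletes and recreates the file,
    so it comes back with the umask default mode instead of the original 0640."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "config.txt")
        with open(path, "w") as fh:
            fh.write("original\n")
        os.chmod(path, 0o640)
        rewrite = ["sh", "-c", f"rm -f {path} && echo replaced > {path}"]
        return run_preserving_metadata(rewrite, path)


if __name__ == "__main__":
    print("uid=%d gid=%d mode=%o" % demo())
```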




Re: What do you use to generate invoices on OpenBSD?

2019-12-23 Thread Craig Skinner
On Sat, 21 Dec 2019 23:57:07 + Mikolaj Kucharski wrote:
> Do you generate invoices on OpenBSD?

Yes Mikolaj, only about 1~2 some weeks.


> What do you recommend?

LibreOffice.

Then I export the .odt as a .pdf, which is emailed with comments.

Low volume, so good enough for me!


Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Fwd: [EdLUG] Old Thinkpad collector? Somebody wants to talk to you...

2019-12-17 Thread Craig Skinner
Begin forwarded message:


From: Tai Kedzierski
To: Edinburgh Linux Users Group



I got a message through the Girl Geeks network as per the below - a TV
production company wants to talk to people who used / collect / own old
ThinkPads for a documentary

If you can help please get in touch with Vicki Watson directly:
vicki.wat...@tvi-ltd.co.uk

***

We're currently making a documentary for the BBC about Silicon Glen,
the area of Scotland which once boasted many big electronics
companies. One of the main focuses will be on IBM, which had a huge
base in the town of Greenock. We'll be speaking to former workers and
looking at the social history of the company in Greenock and the story
of the electronics industry in Scotland too.

We'll be looking at some of the products manufactured in Greenock over
the years - 1 of those being the IBM ThinkPad. (Before it was later
taken over by Lenovo). The ThinkPad, and especially the earlier IBM
versions, seems to have attracted a cult following.

We're currently on the lookout for any individuals, companies or
enthusiasts who still use or collect the early IBM ThinkPad models.

I wondered if anybody in your group does, or could point us in the
right direction. Any help would be greatly appreciated.

I'd be grateful if you could help to circulate this message around the
group. I can be reached on 0141 573 0552 or via email at
vicki.wat...@tvi-ltd.co.uk if anybody can help.

***


Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: problems running an LUA script from crontab

2019-05-29 Thread Craig Skinner
On Tue, 28 May 2019 15:14:58 -0500 Carlos Aguilar wrote:
> I am having lots of problems to execute a shell script at boot time.

What problems Carlos??

Does the script work properly when you are logged in?

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: Modern browser for OpenBSD powerpc

2019-05-23 Thread Craig Skinner
On Thu, 23 May 2019 11:25:12 +0200 ropers wrote:
> OP has a Gmail address, 

Which works with an IMAP client, such as claws-mail.

Web is not mail.

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: Duplicity & /etc/daily.local

2019-05-21 Thread Craig Skinner
Hi Noth,

On Mon, 20 May 2019 23:50:13 +0200 Noth wrote:
> /root/duplicity-hostname.sh

Does this script work properly when you're logged in as root?


> 
> #!/bin/ksh
> PASSPHRASE=mypassword

try: export PASSPHRASE='mypassword'


> Can daily.local even handle this or is the environment too limited?



daily is run by root's crontab.

To get root's cron environment mailed out, add a temp root cron job:

[next 5 mins] [this hour]  *  *   *  logname; umask; pwd; printenv | sort


If your script works well when logged in as root, but not from cron,
add the missing environment elements to daily.local/script/root's crontab.


Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7
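The diagnostic the post suggests produces two environment dumps, one from a root login and one mailed by the temporary cron job. Comparing them by eye gets tedious; the added example below (not from the post; both dumps are constructed in the shape `logname; umask; pwd; printenv | sort` prints) reports which variables the cron job lacks or sees differently and emits the `export` lines to paste into daily.local or the script. A secret such as PASSPHRASE belongs in a root-only, mode 0600 file that the script sources, not in the crontab.

```python
"""Compare a login shell's environment with what cron handed the job.

Added example, not from the post. Both dumps are constructed, in the shape
of the post's temporary cron job: logname; umask; pwd; printenv | sort.
"""
import shlex

# Constructed: what the job prints when run from an interactive root login.
INTERACTIVE_DUMP = """\
root
022
/root
HOME=/root
LANG=en_GB.UTF-8
LOGNAME=root
PASSPHRASE=example-passphrase
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin
SHELL=/bin/ksh
USER=root
"""

# Constructed: the same job as mailed out by root's crontab.
CRON_DUMP = """\
root
022
/root
HOME=/root
LOGNAME=root
PATH=/bin:/sbin:/usr/bin:/usr/sbin
SHELL=/bin/sh
USER=root
"""


def parse_env_dump(text):
    """Return {NAME: value} from printenv lines; the logname/umask/pwd preamble
    has no '=' and is skipped."""
    env = {}
    for line in text.strip().splitlines():
        name, sep, value = line.partition("=")
        if sep and name.isidentifier():
            env[name] = value
    return env


def env_diff(interactive, cron):
    """Variables the cron job lacks, and ones it sees with a different value."""
    missing = sorted(set(interactive) - set(cron))
    changed = sorted(n for n in interactive if n in cron and interactive[n] != cron[n])
    return {"missing": missing, "changed": changed}


def export_lines(interactive, names):
    """Shell lines that recreate the login values inside the cron job."""
    return [f"export {n}={shlex.quote(interactive[n])}" for n in names]


if __name__ == "__main__":
    login, cron = parse_env_dump(INTERACTIVE_DUMP), parse_env_dump(CRON_DUMP)
    diff = env_diff(login, cron)
    print(diff)
    print("\n".join(export_lines(login, diff["missing"] + diff["changed"])))
```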



Re: When will be created a great desktop experience for OpenBSD?

2019-05-09 Thread Craig Skinner
On Wed, 8 May 2019 00:23:09 +0200 ropers wrote:
> Tangentially related: Does anyone here routinely use the default fvwm?

Yep - daily.

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: 6.5 auto_install fails due to custom /var/tmp?

2019-05-02 Thread Craig Skinner
On Tue, 30 Apr 2019 13:29:47 -0700 Lyndon Nerenberg wrote:
> > But I should be able to accomplish what I need using rc.firsttime
> > and a tiny bit of hackery.  
> 
> Sadly, no :-(

How about partition as /var/temp/ & autoinstall Lyndon?

Then in rc.firsttime:-
*) umount /var/temp/
*) check /var/tmp is a symlink &&
  *) rm it
  *) mv /var/temp /var/tmp
  *) chmod/own /var/tmp as req'd
  *) mount /var/tmp

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: 6.5 auto_install fails due to custom /var/tmp?

2019-04-30 Thread Craig Skinner
On Mon, 29 Apr 2019 21:18:04 -0400 Nick Holland wrote:
> normally, /var/tmp is a symlink to /tmp.
> It can't make the link. No surprise.

Since 5.7: 
http://openbsd-archive.7691.n7.nabble.com/5-7-installer-tar-Unable-to-remove-directory-td277040.html

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Fwd: [EdLUG] UK Open Source Awards - Open for Nominations - Do come along

2019-03-27 Thread Craig Skinner



Begin forwarded message:

Date: Tue, 26 Mar 2019 23:08:45 +
From: Jonathan Riddell
To: Edinburgh Linux Users Group


https://OpenSourceAwards.Org/

The UK Open Source Awards will be a day of celebration of all things
Free and open with software. Open Source is now essential in how the
world works. It creates freedom (that's the Free Software side),
helps education (I only learnt how to program from reading source code
to KDE apps), allows cooperation across industries, gives a
competitive advantage, encourages sharing and reuse, improves security
and builds community. So it's worth a day of celebration and
recognition.

This is the 6th UK Open Source Awards and it takes place in
Edinburgh on Wednesday 12 June 2019. There will be talks, a panel, a
keynote from Frank Karlitscheck and then the award ceremony.

Nominations are now open for the awards, please consider which people
or organisations based in the UK deserve special recognition. The
categories are:

Individual Award

A person who has helped improve the world through contributions to
free and open source software

Company

For a commercial business which has created a successful business
while contributing to open source projects, leading open source
projects and spreading freedom and empowerment for users.

Public Sector and Third Sector

For a public sector or charitable organisation which has developed its
software in an open source method or made innovative use of open
source software or opened up data

Student

A university, college, school student or modern apprentice who has
created beautiful and novel software as part of their course
(dissertation, thesis etc) which is licensed as free and open source
software and has curated participation in an open collaborative
manner.

This award comes with a bursary of £1,500 which is to be spent on
furthering the recipients education and contributions to open source
for example buying a new laptop or expenses for attending conferences.

Diversity

For an open source project which has successfully encouraged
contributions from people in under-represented groups, or a
university, organisation or business which has broken the mould in
bringing minorities to participate in open source.

I'm heading a panel of judges with Allison Randal and Dawn Foster and
we’ll be looking for incredible work being done in the name of
freedom, innovation and impressiveness.

Please do come along on the day, it's free to attend and all are
welcome, I hope to see you there.

https://OpenSourceAwards.Org/


-- 
EdLUG mailing list
ed...@lists.edlug.org.uk
https://lists.EdLUG.Org.UK/mailman/listinfo/edlug



Re: spamd and low priority MX

2019-03-02 Thread Craig Skinner
Hi Thuban,

On Sat, 2 Mar 2019 09:20:42 +0100 Thuban wrote:
> On the server with the highest priority (lower MX), I must set "-M
> nn.nn.nn.nn" where nn.nn.nn.nn is the IP of a lower priority MX?

Where nn.nn.nn.nn is the public IP of a fake backup MX server,
which *DOES* have an SMTP daemon running,
which 450/451 soft defers _ALL_ mail.


> If there is more than 1 backup MX (lower priority), does the -M
> flag can be called more than once?

Just once, e.g:

$ dig Britvault.Co.UK MX +short
12 smtp.Britvault.Co.UK.  <--- real primary MX
144 mx-backup.smtp.Britvault.Co.UK.   <--- real backup MX
666 highlisting.smtp.Britvault.Co.UK. <--- fake backup MX


The fake's public IP address needs to be another IP address,
on a real MX machine (an alias or another network port).



This sort of fake DNS MX record is called highlisting.
(Works well with greylisting.)

Having a fake primary DNS MX record is called nolisting.
(Practically has to be on the real primary MX server.
Doesn't work great with greylisting.)




Greylisting is in between no & high listing. But it doesn't need more
DNS records, more public IP addresses, a deferring daemon, nor TCP
rejection on port 25. Yet it does introduce delays.

There is also unlisting...


All these tricks reduce spam, and all have operational problems.



Nolisting + highlisting is a viable alternative to greylisting:

Primary MX only: 57%  (DNSBL: 98%)
MX backup only:  20%  (DNSBL: 90%)


Nolisting + multiple fake highlisters killed 98% of spam for this bloke:
http://blog.whitesites.com/Stop-Spam-with-fake-MX-records__633764658986714568_blog.htm




Some articles to read:-

http://wiki.apache.org/spamassassin/OtherTricks
http://wiki.junkemailfilter.com/index.php/Project_tarbaby
http://nolisting.org/
https://en.wikipedia.org/wiki/Nolisting
http://www.junkemailfilter.com/spam/how_it_works.html




Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7
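Why the decoy MX records cost a standards-following sender nothing while stopping a bot comes down to how each walks the MX list. The added model below (not from the post) gives each MX host a behaviour, accept, permanent 45x defer, or nothing listening, and traces an RFC 5321 sender against a sender that tries one host and never retries. The MX set is constructed in the shape of the dig output above, with a nolisting decoy at the lowest preference added so both tricks can be seen at once.

```python
"""Trace how senders walk an MX list that carries nolisting and highlisting decoys.

Added example, not from the post. The MX set is constructed; the behaviours
model a fake primary with nothing on port 25 (nolisting) and a fake highest
preference host that soft-defers everything (highlisting, the spamd -M target).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MX:
    preference: int
    host: str
    behaviour: str  # "accept", "defer" (always 450/451), or "unreachable"


# Constructed in the shape of the dig output above, plus a nolisting decoy.
MX_SET = [
    MX(5,   "nolisting.smtp.example.test",   "unreachable"),  # fake primary
    MX(12,  "smtp.example.test",             "accept"),       # real primary
    MX(144, "mx-backup.smtp.example.test",   "accept"),       # real backup
    MX(666, "highlisting.smtp.example.test", "defer"),        # fake backup
]

PLAIN_MX_SET = [m for m in MX_SET if m.behaviour == "accept"]


def compliant_mta(mx_set):
    """RFC 5321 section 5.1 behaviour: hosts in ascending preference; a failed
    connection moves to the next host, a 4xx reply leaves the mail queued."""
    trace = []
    for mx in sorted(mx_set, key=lambda m: m.preference):
        trace.append(mx.host)
        if mx.behaviour == "unreachable":
            continue
        if mx.behaviour == "defer":
            return "queued_for_retry", trace
        return "delivered", trace
    return "bounced", trace


def fire_and_forget_sender(mx_set, pick):
    """A sender that contacts exactly one host and never retries: 'lowest'
    lands on the nolisting decoy, 'highest' on the highlisting decoy."""
    ordered = sorted(mx_set, key=lambda m: m.preference)
    mx = ordered[0] if pick == "lowest" else ordered[-1]
    outcome = "delivered" if mx.behaviour == "accept" else "dropped"
    return outcome, [mx.host]


if __name__ == "__main__":
    print("compliant:", compliant_mta(MX_SET))
    for pick in ("lowest", "highest"):
        print(pick, fire_and_forget_sender(MX_SET, pick))
```

The trace also shows the operational cost the post mentions: every legitimate sender pays one failed connection to the nolisting decoy before reaching the real primary, and a sender that starts at the highlister stays queued until its own retry logic moves on.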



Re: setup authoritative DNS for myself with nsd + unbound

2019-01-19 Thread Craig Skinner
Congratulations Chris on starting to learn the trade of a hostmaster.

Being a hostmaster is a specialist skill, like being a webmaster, or
sysadmin, or postmaster - each is a vastly different skill set.

On Fri, 18 Jan 2019 10:38:12 -0800 Chris Bennett wrote:
> I have had problems with setting up DNS for myself and I need it to be
> authoritative.

Configure NSD.


> I have my domains registered with Godaddy and they do not support for
> domains not hosted on their servers.

Move the domains to a different registrar.


> I have been using their DNS without big problems, except that I'm
> not getting proper results with regards to email.

Eh


> I've got a pretty bad problem with spam.


Eh? DNS is not SMTP. For postmaster problems, learn spamd, etc.


> I now have 2 servers, each with a different company.
> 
> Will that then solve the problems with PTR, DKIM and DMARC?

Have you taken the time to learn about these records, then create them?


> I also particularly hate the web GUI that Godaddy uses

Move the domains to a different registrar.


> and its SOA record is much too long timewise.

A hostmaster creates the SOA record however he likes.


> Should I set it up with just one of my servers or both?

Create the zone files on your master NSD server,
and have your slave NSD server(s) AXFR the zones over.


> One is in Los Angeles and the other is in Miami.

Cool.


> Do I need to use a different one to cover the other server or can I
> just use the same one to cover the email stuff like DKIM and DMARC?


Eh Dask sa9ik 2pw0xsl ald0damdn doa. OK? Ace!


> 
> Since I'm having problems from the ground up, this seems like a good
> idea to start at.
> 

Reading at least 1 book about DNS and learning seems way better to me.



For a beginner hostmaster, the book "DNS and BIND" by Nicolai Langfeldt
is a good place to start the subject.

On from there, "DNS and BIND" by Cricket Liu & Paul Albitz is a good
next read.

Zytrax publish their DNS book online: http://www.Zytrax.Com/books/dns/


As you'll be using NSD, translate the ideas into NSD's configuration
style. You need to step back from implementation details and learn why
before how. Learn the difference between masters and slaves and their
transfers, A records and CNAMES, and why a hostmaster would use each
for various circumstances - before getting into DKIM & DMARC.


Cheers!
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: Vacation with smtpd doesn't work in 6.4

2018-11-16 Thread Craig Skinner
Martin, your mail server is badly configured (broken):-




Begin forwarded message:


From: mailer-dae...@britvault.co.uk (Mail Delivery System)
To: skin...@britvault.co.uk
Subject: Undelivered Mail Returned to Sender
Date: Fri, 16 Nov 2018 12:17:13 + (GMT)

This is the mail system at host teak.britvault.co.uk.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

: host server.sukany.cz[89.221.217.40] said: 530 5.5.1
Invalid command: Must issue a STARTTLS command first (in reply to MAIL FROM command)

From: Craig Skinner 
To: Martin Sukany 
Subject: Re: Vacation with smtpd doesn't work in 6.4
Date: Fri, 16 Nov 2018 11:31:52 +


Try the OpenSMTPd list Martin.

http://www.OpenSMTPd.Org/list.html

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7
Reporting-MTA: dns; teak.britvault.co.uk
X-Postfix-Queue-ID: 42xGL107FCzVd
X-Postfix-Sender: rfc822; Skinner@Britvault.Co.UK
Arrival-Date: Fri, 16 Nov 2018 11:32:23 + (GMT)

Final-Recipient: rfc822; martin@sukany.cz
Original-Recipient: rfc822;martin@sukany.cz
Action: failed
Status: 5.5.1
Remote-MTA: dns; server.sukany.cz
Diagnostic-Code: smtp; 530 5.5.1 Invalid command: Must issue a STARTTLS command first
--- Begin Message ---
Try the OpenSMTPd list Martin.

http://www.OpenSMTPd.Org/list.html

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7
--- End Message ---


Re: spamd and google smtp ips

2018-10-31 Thread Craig Skinner
On Tue, 30 Oct 2018 18:54:43 + Chris Narkiewicz wrote:
> Are there any solutions get around this problem? Ideally I'd like
> to just whitelist reputable mail providers ...

Yes Chris, see: http://web.Britvault.Co.UK/products/ungrey-robins/

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: find the process that heavily uses a disc

2018-10-27 Thread Craig Skinner
On Tue, 16 Oct 2018 14:22:16 +0200 Rudolf Sykora wrote:
> please, how can I monitor disk usage and tell
> what process is using it heavily?
> 

accton(8) & sa(8) might give you some clues Ruda.

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: Running your own mail server

2018-09-27 Thread Craig Skinner
On Wed, 26 Sep 2018 16:32:35 +0200 Aham Brahmasmi wrote:
> 1) Could you please suggest some script/mechanism that performs
> these DNS PTR == SMTP HELO, envelope-address-from-domains-have-MX et
> al checks with OpenSMTPD as the MTA?

Sorry Aham, I don't know of any.

OpenSMTPd's filter interface is not yet usable (last update 12/2014):
http://www.poolp.org/posts/2014-12-12/the-state-of-filters/


> I may be wrong here, but I could not see options to perform these
> useful checks in smtpd(8)/smtpd.conf(5) man pages.


About 2.5 years ago I evaluated changing my front line MTAs from
Postfix to OpenSMTPd, but found too much functionality missing then:


# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


No client ((r)DNS) client hostname restrictions:

smtpd_helo_restrictions =
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname

smtpd_client_restrictions =
reject_unknown_client_hostname

smtpd_sender_restrictions =
reject_non_fqdn_sender
reject_unlisted_sender
reject_unknown_sender_domain

smtpd_recipient_restrictions =
reject_non_fqdn_recipient
reject_unlisted_recipient
reject_unknown_recipient_domain


Postfix can reject (5XX) or defer (4XX) connections based on many DNS
parameters. See: http://www.Postfix.Org/postconf.5.html


Hack: modify greyscanner to handle white & black lists
Hack: SpamAssassin + relaydb (can't reject at SMTP CONNECT, must accept, parse & tag)



After failing to pass greylisting, bad DNS is the primary sign of spam.

Because DNS checks can be done at connection (before the DATA stage and
mail acceptance), they are very much faster and lighter weight than
shoving the entire mail through a heavy spam detection engine.

Running Unbound on each mail server, and having each mail server's
Unbound daemon refer to another upstream Unbound instance, is extremely
effective in caching the DNS lookups. This is in contrast to EVERY mail
being parsed by a spam detection engine... way too resource intensive!


# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


No DNSBL weighting - http://www.Postfix.Org/postscreen.8.html

Hack: SpamAssassin + relaydb (can't reject at SMTP CONNECT, must accept, parse & tag)


# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Missing strict RFC checks (spam often doesn't conform to RFCs):

strict_7bit_headers = yes
strict_8bitmime = yes
strict_8bitmime_body = yes
strict_mime_encoding_domain = yes
strict_rfc821_envelopes = yes

Hack: SpamAssassin + relaydb (can't reject at SMTP CONNECT, must accept, parse & tag)


# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


No connection rate limiting:

smtpd_client_connection_count_limit = XX
smtpd_client_connection_rate_limit = XXX

Hack: pf


# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


No submission user authentication via Dovecot (e.g: CRAM-MD5):

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth # chroot
smtpd_sasl_security_options = noanonymous, noplaintext


Hack: POP/IMAP before SMTP


# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=



> In case greyscanner does this, please disregard this question. I came
> to know about greyscanner in this thread, but struggle with
> understanding perl.

I heavily modified greyscanner to do a lot of the DNS checks. I found
the script's current maintainer extremely reluctant to implement even
very small bug fixes & general improvements, so I didn't even bother
presenting the vast bulk of my mods. But I stopped using greyscanner
about 5 years ago after setting spamd to be extremely aggressive, and
deploying Postfix's new postscreen (written in C).

 
> 2) Is IPv6 support in spamd essential?

I've not even begun to use IPv6 at all, for anything. I'm IPv4 only.


I hope to use OpenSMTPd on external mail servers some day.


Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7
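The Postfix restrictions listed above, and the checks the 2018-09-14 message further down spells out (PTR valid and matching, HELO a real FQDN, sender domain with MX), are all DNS lookups that can be done before DATA. The added example below (not Postfix code and not from the post) implements that logic with DNS injected as a dictionary so it runs offline; the zone data and the three client sessions are constructed. The reply codes mirror the postconf(5) defaults, and the forged-PTR case shows why the reverse lookup has to be confirmed forward again.

```python
"""Connection-time DNS checks of the kind the Postfix restrictions above perform.

Added example, not Postfix code and not from the post. DNS answers come from a
constructed table so the checks run offline.
"""
import ipaddress
import re

HOSTNAME_CHARS = re.compile(r"[A-Za-z0-9.-]+")
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# Default reject codes from postconf(5): 450 is temporary, so a legitimate
# MTA with broken DNS retries, while a bot that never retries is gone.
REJECT_CODES = {
    "reject_unknown_client_hostname": 450,
    "reject_invalid_helo_hostname": 501,
    "reject_non_fqdn_helo_hostname": 504,
    "reject_unknown_helo_hostname": 450,
    "reject_unknown_sender_domain": 450,
}


class StubResolver:
    """Answers from a {(qname, qtype): [rdata]} table standing in for real DNS."""

    def __init__(self, records):
        self.records = {(n.lower().rstrip("."), t): v for (n, t), v in records.items()}

    def query(self, name, qtype):
        return self.records.get((name.lower().rstrip("."), qtype), [])


def is_fqdn(name):
    """At least two well-formed labels and a non-numeric top label."""
    labels = name.rstrip(".").split(".")
    return (len(labels) >= 2 and all(LABEL.fullmatch(l) for l in labels)
            and not labels[-1].isdigit())


def check_client(ip, helo, sender_domain, dns):
    """Return the restrictions this connection trips, in evaluation order."""
    tripped = []
    # reject_unknown_client_hostname: PTR must exist and one of the names it
    # gives must resolve back to the connecting address (forward-confirmed rDNS).
    ptr_names = dns.query(ipaddress.ip_address(ip).reverse_pointer, "PTR")
    if not any(ip in dns.query(name, "A") for name in ptr_names):
        tripped.append("reject_unknown_client_hostname")
    # HELO: syntactically valid, then fully qualified, then resolvable.
    if not HOSTNAME_CHARS.fullmatch(helo):
        tripped.append("reject_invalid_helo_hostname")
    elif not is_fqdn(helo):
        tripped.append("reject_non_fqdn_helo_hostname")
    elif not (dns.query(helo, "A") or dns.query(helo, "MX")):
        tripped.append("reject_unknown_helo_hostname")
    # reject_unknown_sender_domain: the envelope sender's domain needs MX or A.
    if not (dns.query(sender_domain, "MX") or dns.query(sender_domain, "A")):
        tripped.append("reject_unknown_sender_domain")
    return tripped


def smtp_reply(tripped):
    """First tripped restriction decides the reply, as in a Postfix restriction list."""
    if not tripped:
        return "250 OK"
    return f"{REJECT_CODES[tripped[0]]} {tripped[0]}"


# Constructed zone data: one well-run sender, one address whose PTR points at
# that sender's hostname without the forward record agreeing.
DNS = StubResolver({
    ("40.113.0.203.in-addr.arpa", "PTR"): ["mail.example.test"],
    ("8.100.51.198.in-addr.arpa", "PTR"): ["mail.example.test"],   # forged PTR
    ("mail.example.test", "A"): ["203.0.113.40"],
    ("example.test", "MX"): ["10 mail.example.test"],
})

if __name__ == "__main__":
    for ip, helo, sender in (("203.0.113.40", "mail.example.test", "example.test"),
                             ("198.51.100.7", "DESKTOP-7F2A", "bogus-sender.invalid"),
                             ("198.51.100.8", "mail.example.test", "example.test")):
        print(ip, helo, smtp_reply(check_client(ip, helo, sender, DNS)))
```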



Re: hijack client DNS query to localhost cache in the router 

2018-09-24 Thread Craig Skinner
On Sun, 23 Sep 2018 12:21:36 +0800 Fung wrote:
> simple router build with OpenBSD
> Wan a.b.c.d
> Lan 192.168.0.1/24
> Unbound run for DNS cache in 127.0.0.1
> 
> 
> we want:
> no mater a client pc set dns to any address (  8.8.8.8 or 9.9.9.9 )
> all clients' dns query are redirect to the localhost cache in the
> router 
> 
> 
> Can we achieve using pf.conf?

Yes Fung;- block everything in & out, then permit only what you want:

ext_if="blah"
lan_if="blah"


set skip on lo
set block-policy drop


match in all scrub ( random-id reassemble tcp )


match out on $ext_if inet \
    from $lan_if:network \
    to any \
    nat-to $ext_if


block in all
block in log on $ext_if
block return in on $lan_if
block return out

# DNS:

# Notify/query:
pass out on $ext_if inet proto {udp, tcp} \
    from $ext_if port > 1023 \
    to any port domain \
    user {_nsd, _unbound}


# Let LAN clients query us:
pass in on $lan_if inet proto {udp, tcp} \
    from $lan_if:network port > 1023 \
    to $lan_if port domain \
    user root \
    modulate state


# debug:
pass out inet proto {udp, tcp} \
    from any port > 1023 \
    to any port domain \
    group hostmasters


block in from no-route
block in from $bogon
block return out to $bogon
block on ! lo inet6

antispoof for {lo0, $lan_if, $ext_if} inet


Configure 'domain-name-servers' in dhcpd.conf(5).


Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: Running your own mail server

2018-09-19 Thread Craig Skinner
On Tue, 18 Sep 2018 15:56:43 +0100 Zé Loff wrote:
> On Tue, Sep 18, 2018 at 03:01:45PM +0100, Craig Skinner wrote:
> > Webmail is dead junk.
> 
> Until the day your gadget's battery runs out,

Charge it Zé. Solved.


> you don't have your laptop with you and you need to borrow

Have your friend install PuTTY or use Mac's xterm. Solved.


> Plus, I'm a terminal+mutt guy and roundcube is still the easiest way
> I found to configure sieve filters, although in all honesty that's
> pretty much all I use it for. (Honest question: do you by any chance
> know a simple method to handle them?)

As each mail user has their own UNIX account, their sieve scripts are
owned by them and in a directory they own, the simple files can be
edited by their favourite $EDITOR on the command line.

Otherwise, some mail clients have sieve plugins - Thunderbird has a
pretty pretty sieve remote script editor widget. There are other sieve
clients too.


> Incidentally I also find thunderbird to be insanely
> resource-consuming, especially if managing multiple accounts, and
> macOS's Mail is even worse.

Firefox, Safari and Internet Explorer are far worse at resource usage!!


> If you have multiple users using multiple shared machines it might be
> easier to just send them to a more or less friendly web UI than to
> manage a multitude of configurations on a lot of machines

No.

Most mail clients auto guess new account configurations based on
standard DNS entries. By plopping in a new address like
user@example.provider, the mail client searches standard DNS entries
for hostnames, such as imap.example.provider, smtp.example.provider,
mail.example.provider. If found it connects to the standard ports for
IMAP, POP & SMTP submission (587), collects a list of authentication
methods and presents the details for the user to click the 'OK' button.

If the standard DNS hostnames are not found, the mail client then looks
for SRV DNS entries, and picks out the IMAP, POP & SMTP hostnames &
ports for the user to hit the 'OK' button.

See RFCs 6186, 2782 & wotnot:
https://tools.ietf.org/html/rfc6186
https://tools.ietf.org/html/rfc2782
https://en.wikipedia.org/wiki/SRV_record
http://blog.returnpath.com/srv/

As I wrote earlier, the postmaster needs to work closely with their
hostmaster as mail relies extensively on DNS. MX & SPF records being the
most obvious.



> (especially when they start storing contacts locally, which obviously
> won't sync to the machine they'll be using tomorrow).

Many mail clients speak LDAP, which is the protocol designed to hold
user details. Shock! Horror! It has all been invented and implemented!

No need for webmail.

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: Running your own mail server

2018-09-19 Thread Craig Skinner
On Tue, 18 Sep 2018 15:25:20 + Tim Jones wrote:
> 
> > Webmail isn't worth bothering with at all. Too complicated.
> 
> Let me rephrase that for you.

No Tim, I won't let you speak for me.

How about you rewrite ntpd into ntpw and run your clock on port 80,
all because the Network Time Protocol isn't pretty enough for you?

Hey, then have a go at bgpd & submit your web version to the devs to
run it on port 80 too? Awesome dude! Kawabunga!

Why stop there (since you're on a roll), and convert dhcpd to run on
port 80 as dhcpw. Never mind that the Dynamic Host Configuration
Protocol works well.

Hey, convince Gilles & crew to rewrite OpenSMTPd to run on port 80 as
well & full webalise the whole mail thing!!! Ace! This is going to rock!


Next up, talk Theo & Co, into dumping sshd and developing sshw;-
a new non-privilege separated cluster fuck pile of web chroot busting
Python, JSON, NoSQL, NodeJS piece of server admin crap! Yay

Do you think he'll send you flowers & kisses for your "wonderful" idea?

Why ram every fucking thing down port 80's throat and give your server
syphilis via every XSS & SQL injection attack & other web transmitted
diseases?


Ask the devs to delete the 65,000 ports and have OpenBSD have only port 80!


Why worship web?

Why?


IMAP = Internet Mail Access Protocol - an actual protocol that has been
designed and dedicated to the task of accessing mail across the Internet

SMTP = Simple Mail Transfer Protocol - to simply transfer mail!

With secure daemons skillfully written in C.

Get with it man!


Cool,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: Running your own mail server

2018-09-18 Thread Craig Skinner
Hi postmasters,

On Mon, 17 Sep 2018 18:33:52 Mik J wrote:
> The only drawback I see is that roundcube is less sexy and less good
> than gmail.

Webmail isn't worth bothering with at all. Too complicated.

All desktops & mobile phones/tablets have various IMAP clients.

For computers, there are IMAP clients such as Thunderbird, Claws, mutt,
Mac Mail, MS Outlook, etc.

For mobile gadgets, there are the Android Gmail app, iOS's Mac Mail,
Blackberry mail thing, etc, etc -> connect to other IMAP/POP servers.

Webmail is dead junk.

IMAP and POP are the mail access protocols - use them and save yourself
the complicated headache of any HTTP proxy to mail on disk junk.

If you keep any user data in SQL or LDAP, have cron scripts to dump the
relevant user data to flat files for your MTA to read. rdist(1) those
flat files out to your mail farm. SQL and LDAP are too slow and unreliable.


A -> B -> C
spamd -> MTA (with loads of DNS knobs) -> Dovecot (via LMTP) which writes mail 
to disk.


With a few scripts, that is enough to keep a postmaster productive & busy.


The DNS knobs enable such a high accuracy of spam rejection,
that no heavy weight spam scanning software is needed at all.


Well, that's my almost 20 years experience of mastering multiple OpenBSD
mail servers on the hostile Internet. Other people have other ideas.


Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: Running your own mail server

2018-09-14 Thread Craig Skinner
On Thu, 13 Sep 2018 09:24:18 +0200 Peter N. M. Hansteen wrote:
> The part about getting a static IP address with correct reverse
> lookup is truly essential. 

Yes, this hostmaster work is more important for deliverability than the
*optional* TLS & DKIM stuff, which I still don't bother at all with...

Along with correct DNS PTR records (and matching SMTP HELO hostname),
basic SPF & DMARC DNS records are almost essential to send.

With almost all inbound connections being spam, fighting that is the
main task of the postmaster. Aggressive spamd settings are needed here.

After that, the MTA needs to be able to check the DNS validity of the
sender's SMTP HELO hostname, and check their DNS PTR record is valid,
and both the mail's envelope and address from domains have MX records.

Most spam is sent by infected consumer devices, which do not have valid
reverse DNS, nor a valid HELO hostname. After greylisting, bad DNS is
the biggest indicator of spam. An MTA needs a lot of DNS knobs to tweak.

Following that, the sender's IP address needs to be checked against
multiple reliable DNS blacklists, and a cumulative score being
totalled up to decide to reject or pass on to the next stage of tests.

TLS & DKIM have very little value. The postmaster instead needs to work
closely with the hostmaster and concentrate on good DNS practice/tests.

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7
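The sequence of checks this post lays out (PTR present, forward-confirmed
reverse DNS, a HELO that is a FQDN and resolves, an MX for the sender
domain, then a weighted total over several DNSBLs), as an added example that
is not Craig's code or any MTA's. It runs offline against a constructed lookup
table: the addresses are documentation ranges, and the lists bl-one.test and
bl-two.test, their weights and the reject threshold are made up. Replacing
dns_lookup() with host(1) or dig(1) calls is all it takes to make it live.

```shell
#!/bin/sh
# Added example, not Craig's code or any MTA's: the DNS checks from the post,
# run against a constructed lookup table so it executes offline. Swapping
# dns_lookup() for host(1)/dig(1) calls would make it live.

# Constructed answers, one per line: "type name answer". A row whose answer
# is NXDOMAIN stands for a name that has no such record.
DNS_TABLE='
PTR 192.0.2.10 mx.example.test.
A mx.example.test. 192.0.2.10
PTR 203.0.113.5 relay.example.test.
A relay.example.test. 203.0.113.5
MX example.test. mx.example.test.
PTR 198.51.100.77 NXDOMAIN
DNSBL 77.100.51.198.bl-one.test. 127.0.0.2
DNSBL 5.113.0.203.bl-one.test. 127.0.0.2
DNSBL 5.113.0.203.bl-two.test. 127.0.0.3
'

# Print the answer for one (type, name) pair, or nothing if there is none.
dns_lookup() {
    printf '%s\n' "$DNS_TABLE" |
        awk -v t="$1" -v n="$2" '$1 == t && $2 == n && $3 != "NXDOMAIN" { print $3; exit }'
}

# Canonical name form: exactly one trailing dot.
fqdn() { printf '%s.\n' "${1%.}"; }

# Reverse a dotted quad, as in-addr.arpa and DNSBL query names require.
reverse_ip() { printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }'; }

# Client checks in the post's order: PTR present, its forward A points back
# at the connecting IP, HELO is a FQDN and resolves. Returns 1 on reject.
check_client() {
    ip=$1
    helo=$(fqdn "$2")
    ptr=$(dns_lookup PTR "$ip")
    [ -n "$ptr" ] || { echo "reject $ip: no PTR record"; return 1; }
    [ "$(dns_lookup A "$ptr")" = "$ip" ] ||
        { echo "reject $ip: PTR $ptr does not resolve back to $ip"; return 1; }
    case ${helo%.} in
        *.*) ;;
        *) echo "reject $ip: HELO $helo is not a fully qualified name"; return 1 ;;
    esac
    [ -n "$(dns_lookup A "$helo")" ] ||
        { echo "reject $ip: HELO $helo does not resolve"; return 1; }
    echo "ok $ip: rDNS $ptr, HELO $helo resolves"
}

# The envelope sender's domain (and the header From domain, checked the
# same way) must have an MX record.
check_sender_domain() {
    dom=$(fqdn "${1#*@}")
    [ -n "$(dns_lookup MX "$dom")" ] || { echo "reject: no MX for $dom"; return 1; }
    echo "ok: MX found for $dom"
}

# Weighted DNSBL total. The lists (bl-one.test, bl-two.test) and their
# weights are made up; the threshold is set so that no single list can
# reject on its own, which is the point of scoring several.
DNSBL_REJECT=7
dnsbl_score() {
    rip=$(reverse_ip "$1")
    total=0
    for entry in "bl-one.test 5" "bl-two.test 3"; do
        set -- $entry                      # $1 = list zone, $2 = weight
        if [ -n "$(dns_lookup DNSBL "$rip.$1.")" ]; then
            total=$((total + $2))
        fi
    done
    echo "$total"
}

# One session end to end: hard DNS failures reject outright, then the
# DNSBL total decides between reject and passing to the next stage.
decide() {   # $1 = client IP, $2 = HELO name, $3 = envelope sender
    check_client "$1" "$2" || return 1
    check_sender_domain "$3" || return 1
    score=$(dnsbl_score "$1")
    [ "$score" -lt "$DNSBL_REJECT" ] ||
        { echo "reject $1: DNSBL score $score"; return 1; }
    echo "pass $1: DNSBL score $score, on to the next stage"
}

# Constructed sessions: a real mail host, a listed relay, a zombie device.
for s in "192.0.2.10 mx.example.test postmaster@example.test" \
         "203.0.113.5 relay.example.test someone@example.test" \
         "198.51.100.77 localhost someone@example.invalid"; do
    set -- $s
    decide "$1" "$2" "$3" || :
done
```

The zombie is rejected on the first test (no PTR) before any list is ever
queried, which is why these cheap DNS checks sit in front of the DNSBL lookups;
the listed relay passes every DNS test and is only rejected because two lists
together reach the threshold. The same ordering is what the Postfix
`smtpd_*_restrictions` options further down this page express declaratively.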



Re: nsd question

2018-09-12 Thread Craig Skinner
Hi Peter,

On Tue, 11 Sep 2018 16:12:48 +0200 Peter J. Philipp wrote:
> 
> If I'm correct, in order to pull the zones to disk on a slave nsd
> setup, one has to manually or crontab "nsd-control write
> example.com". Is this correct?

Sort of;- a slave NSD instance would XFER the zones from its master
into memory and serve the changed zones authoritatively. But, it
wouldn't write the updated zones to its slave files cached on disk.
On daemon restart, it would try to XFER them all again.

To reduce the flurry of XFERs and log messages after daemon restart or
machine reboot, I had a cron job to write the slave zones to disk,
run by my 'hostmaster' user (root wasn't needed).

When OpenBSD 5.9 was released, it included a newer version of NSD,
which does this itself via the new 'zonefiles-write' in nsd.conf

My cron job has been retired as NSD now caches its slave files itself.

Happy hostmastery!

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: Running your own mail server

2018-09-10 Thread Craig Skinner
Hi Ken,

On Sat, 8 Sep 2018 11:23:35 -0400 Ken M wrote:
> Just curious how many of you use openbsd to run your own personal
> email server? Do you find it a hassle to manage in any way?

Being a postmaster (email server administrator) and hostmaster (DNS
server administrator) is fun, hectic, and takes about 5 years to learn.

OpenBSD is the best OS for both tasks (I've worked for an ISP doing both
roles, on other operating systems).

 
> Back story my family all has email addresses through the domain I
> have. Which basically will forward to a gmail account.

Save yourself the trouble and let them use their gMail
accounts/addresses directly. They'll soon be getting Android or Apple
phones, so let them use their Google/Apple accounts themselves.


> The kids  are getting old enough to use their own accounts for
> things and not just through the school which sets them up with google
> accounts to use through their chromebook.

Let them use their Google account themselves.


> So my wife really doesn't like the idea of setting them loose on
> their own email accounts, and I don't necessarily disagree with her,
> but I disagree on the way to do it. In a gmail point of view all I
> can think of is shared passwords for for the kids. I don't like that
> because first of all they could change it, second of all monitoring
> their email means literally reading their email.

What about their Google 'Hangout' instant messages?

Or their Messenger/Facebook messages?

Or their Twitter/Tumbler/Reddit/etc/etc/etc messages?

Why not let them grow up? They will soon mature and leave home anyway.
Are you going to be a permanent policeman/ISP in their adult lives??


If you want to become a hostmaster and postmaster for _yourself_, then
do it. By the time you're skilled, your children could have left home.

Forget the wife & kids - don't be a slave to them man!

Do what you want, for your own personal technical skills.

Are you more interested in being a sysadmin, webmaster, netadmin,
hostmaster or postmaster? What do *YOU* want to do with your time?


Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: Block TLD senders with opensmtpd

2018-08-31 Thread Craig Skinner
See this Scott:

http://www.OpenSMTPd.Org/list.html

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: DNS (UNBOUND) + PF ISSUE

2018-08-30 Thread Craig Skinner
Hi NN,

On Wed, 29 Aug 2018 11:57:15 +0200 NN wrote:
> 
> here is my pf.conf on VM#1:
> 
>      int_if="{ vether0 re0 }"
>      set block-policy drop
>      set log interface egress
>      set skip on lo0
>      match in all scrub (no-df random-id max-mss 1440)
>      match out on egress inet from !(egress:network) to any nat-to (egress:0)
>  pass out quick inet pass in on $int_if inet
>  pass in on egress inet proto { tcp, udp } from any to (egress) port 53 
> rdr-to 192.168.50.2


Yuck.

Block everything:-


block in all
block in log on $ext_if
block return in on $int_if
block return out


Then only open up what is needed, e.g:


pass out on $ext_if inet proto {udp, tcp} \
from $ext_if port > 1023 \
to any port domain \
user {_nsd, _unbound}


pass in on $int_if inet proto {udp, tcp} \
from $int_if:network port > 1023 \
to $int_if port domain \
user root \
modulate state


Define your Unbound server in your DHCP daemon configuration.

> 
> *P.S: unbound.conf is here ...*
> 
> server:
>      # interface: 188.192.103.156

No no no no No No NO NO NO *NO* *NO* _NO_

NEVER run a recursive resolver on the Internet!!!



"Overview

A Domain Name Server (DNS) amplification attack is a popular form of
distributed denial of service (DDoS) that relies on the use of
publically accessible open DNS servers to overwhelm a victim system
with DNS response traffic.

"

https://www.us-cert.gov/ncas/alerts/TA13-088A






Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7
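The setting Craig is objecting to, beside its fix, as an added example that is
neither NN's file nor Craig's: an unbound.conf `server:` clause that makes an
open resolver, and one that only answers loopback and the LAN. The addresses
are constructed (192.168.50.2 is taken from NN's rdr-to rule); the two clauses
are alternatives shown together for contrast, not one file.

```conf
# Added example, not from the thread. Addresses are constructed.

# WEAK: bound to every address and allowing recursion for anybody.
# Together with a pf rdr-to of port 53 on egress to this host, the whole
# Internet can recurse through it, which is what an amplifier needs.
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow

# CORRECTED: answer only on loopback and the LAN address, refuse the rest.
# Unbound's built-in default already refuses non-loopback clients; the
# explicit refuse line keeps that true even if a broader allow is added
# later by mistake.
server:
    interface: 127.0.0.1
    interface: 192.168.50.2
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.50.0/24 allow
    hide-identity: yes
    hide-version: yes
```

Drop the `rdr-to` of port 53 from pf.conf as well; nothing on the Internet
should reach the resolver at all. After `unbound-checkconf` and a restart, a
query sent to the public address from outside the LAN should come back
REFUSED rather than answered, which is the quick check that the resolver is
closed.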



Re: X desktop environment & system bus

2018-07-25 Thread Craig Skinner
Hi Sobin,

On Wed, 25 Jul 2018 01:27:56 樊 少冰 wrote:
> ... no integrated graphical operating environment ...

FVWM is included, which is good enough, lightweight & zippy.

See the fvwm manual by typing 'man fvwm'

BTW, I fixed your subject line to be the subjects of your email...

Regards,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: disable fvwm screensaver?

2018-07-13 Thread Craig Skinner
Hi Jordan,

On Thu, 12 Jul 2018 23:56:31 -0700 Jordan Geoghegan wrote:
> 'xset s off && xset -dpms' seemed to do the trick. I popped it into
> my ~/.profile and am now off to the races!


Try removing xidle's timeout from your ~/.xinitrc file
or /etc/X11/xdm/Xsession


Or in your ~/.Xresources file, configure it with these parameters:

XIdle.timeout
XIdle.nice
XLock.mode
XLock.usefirst
XLock.lockdelay
XLock.nice


See xidle(1) and xlock(1)



Tweaks can also be done in your ~/.fvwmrc file
(Sample: /usr/X11R6/lib/X11/fvwm/.fvwmrc)



Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: OpenSMTPD and tls no-verify

2018-06-23 Thread Craig Skinner
On Sat, 23 Jun 2018 13:11:37 +0200 "Peter J. Philipp" wrote:
> This is more a question to the OpenSMTPD community. 

There's another mailing list Peter:

http://www.OpenSMTPd.Org/list.html

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: virtual colocation? Amazon/cloud?

2018-06-15 Thread Craig Skinner
Hiya Steve,

On Thu, 14 Jun 2018 21:50:00 +0100 Steve Fairhead wrote:
> ... make the hardware somebody else's problem 

Have you considered dedicated hosting, where you rent a real server?

Various people have had success with these firms:

Pulsant (Edinburgh)
IOMart (Glasgow)
ByteMark (York)
Andrews & Arnold (Manchester)
Mythic Beasts (Cambridge)
Jump Networks Ltd (London)
Bogons Ltd (London)

Machines offered include i386s, Sun SPARC64 Netras, Mac Minis, Raspberry Pis, 
etc...

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: stuck on spamd

2018-06-14 Thread Craig Skinner
Hej hej Hasse,

On Wed, 13 Jun 2018 22:05:29 +0200 Hasse Hansson wrote:
> I've adjusted my settings according to your advice, but now it looks
> like it just directly whitelist every connection without greylisting.
> 
> .
> 
> ...
> 
> This is how my files look like now. spamd.conf is the original one.

Your spamd.conf file was missing a line terminator. Double quotes are
opened, but not closed. Could this confuse spamd? Fix & restart spamd.

Next, check your syslogs for spamd, spamlogd & spamd-setup activity.

If that doesn't provide the answer, try removing all quick words from
pf.conf. Block everything, then progressively pass traffic down the
file. Reload your new rules & check spam* syslog entries.

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: Theo's BOF at BSDcan

2018-06-14 Thread Craig Skinner
On Tue, 12 Jun 2018 14:22:35 -0600 Warner Losh wrote:
> ... I honestly don't recall using ... It was not my intent. ...

BBC documentary "Madness in the Fast Lane - Swedish Sisters (full)"

Bizarre behaviour in high speed traffic, on a British motorway.

https://www.youtube.com/watch?v=VTpFWiEx3eo

Abnormal....
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: stuck on spamd

2018-06-13 Thread Craig Skinner
Hi Hasse,

I see a few problems:

On Mon, 11 Jun 2018 20:36:12 +0200 Hasse Hansson wrote:
> smtp# cat /etc/rc.conf.local
> ...
> spamlogd_flags="-I -i lo0"

I'd remove the localhost interface then restart spamlogd.


> smtp# cat /etc/pf.conf
> ext_if = "em0"
> ...
> 
> 
> pass in log on egress proto tcp from  to any port smtp

This line follows spamd's man page, i.e. you log incoming traffic on
the egress interface (em0) for spamlogd - correct. But you have
configured spamlogd to listen on lo0 in /etc/rc.conf.local - no match.


> 
> ...
> block all


The block rules need to be above the pass rules, otherwise their
matched traffic is blocked. Move all the block rules up above the pass
rules and reload.


> smtp# cat /etc/mail/spamd.conf
> 
> ...
> :msg="SPAM.  All spmmers get reported !


This line is not closed. It needs ":\

Then restart spamd to invoke spamd-setup.

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Fwd: [OT] EU copyright reform

2018-06-07 Thread Craig Skinner



Begin forwarded message:

Date: Wed, 06 Jun 2018 21:03:38 +
From: Greg Sutcliffe via Falkirk 
To: Falkirk User Group 
Subject: [Falkirk] EU copyright reform - links from my talk


Last night I gave a quick talk on the proposed EU Copyright Reform,
and the awful state it's in. 

We *all* need to care about this - in its current form it's going to
wreck the internet as we know it, and I don't sling phrases like that
about lightly.

You can read more about the issues with the reform on Julia Reda's
blog[1] and the Open Rights Group have a post on it as well[2]. Both
contain links to speaking with your MEP, but I'd suggest hitting up
https://www.TheyWorkForYou.com/ and getting in touch with your MP as
well - member states get a say in this as well as the MEP parties.

This is looking like a very tight vote (currently just 1 vote in favour
of it). Let's change that.

Thanks
Greg

[1] https://juliareda.eu/2018/06/saveyourinternet/
[2] https://www.openrightsgroup.org/blog/2018/filters-are-for-coffee-and-water-not-copyright



Re: Trouble with OpenSMTPD - always getting 550 Invalid recipient

2018-04-19 Thread Craig Skinner
On Wed, 18 Apr 2018 23:48:22 -0400 Implausibility wrote:
> 

OpenSMTPd has a mailing list for this sort of query:
http://www.OpenSMTPd.Org/list.html

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Fwd: [EdLUG] FLOSSUK Conference later this month

2018-04-11 Thread Craig Skinner
Hi folks,


"FLOSSUK is the UK's primary support organisation for Free/Libre Open
Source Systems (FLOSS) supporting Free and Open Technology.

Our Spring Conference is the UK's longest running event supporting
systems and network administrators. But as FLOSSUK has evolved to
support open networks, software, hardware and data, so our primary
conference now also covers these areas.

This year we are visiting Edinburgh,
Scotland’s historic, beautiful capital city."





Begin forwarded message:

Date: Wed, 11 Apr 2018 08:43:55 +0100
To: Edinburgh Linux Users Group 


Hi,

The FLOSSUK (formerly UKUUG) annual conference is taking place in
Edinburgh later this month:




...

Heavily discounted tickets are available for students and those in
financial hardship e.g. unemployed.


Mark
-- 
/

Mark Cairney
ITI Enterprise Services
Information Services
University of Edinburgh

Tel: 0131 650 6565
Email: mark.cair...@ed.ac.uk
PGP: 0x435A9621

***/

The University of Edinburgh is a charitable body,
registered in Scotland, with registration number SC005336.

-- 
EdLUG mailing list
ed...@lists.edlug.org.uk
https://lists.edlug.org.uk/mailman/listinfo/edlug



Re: unbound reload crashes the server

2018-03-23 Thread Craig Skinner
Hi Rupert,

On Thu, 22 Mar 2018 15:49:55 -0400 Rupert Gallagher wrote:
> Why reaching to /etc/unbound.conf when the binary was compiled
> for /var/unbound/etc/unbound.conf?

Yep;- it uses the default, so nothing needs setting. Removing the
config file from /etc/rc.conf* & /etc/rc.d/unbound works OK - since 5.6.

<hostmaster@palm:~ 0>$ fgrep 'unbound.conf' /etc/rc.conf* /etc/rc.d/unbound
[nothing]

<hostmaster@palm:~ 0>$ fgrep unbound /etc/rc.conf* 
/etc/rc.conf:unbound_flags=NO
/etc/rc.conf.local:unbound_flags=''

<hostmaster@palm:~ 0>$ fgrep 'daemon_flags=' /etc/rc.d/unbound
[nothing]


The daemon reloads just fine.


Regards,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: OpenSMTPd maillist "compatible" manager Majordomo or what?

2018-03-22 Thread Craig Skinner
Hi Denis,

On Thu, 22 Mar 2018 09:41:31 +0300 Denis wrote:
> ... how to add/remove mail list users by email commands ...?

Send emails to:-
  list-name+subscr...@domain.name
  list-name+unsubscr...@domain.name

See:-
http://www.OpenSMTPd.Org/list.html (actually join the misc@ list there!!)
http://mlmmj.org/lists (there is a discussion list there - join it!!! - see the archive!)
http://mlmmj.org/docs/readme-listtexts/

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: OpenSMTPd maillist "compatible" manager Majordomo or what?

2018-03-20 Thread Craig Skinner
Hi Denis,

The OpenSMTPd mailing lists are mlmmj powered.

http://www.OpenSMTPd.Org/list.html

Join OpenSMTPd's misc@ list and ask OpenSMTPd questions there.

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: Unexpected security(8) output

2018-02-01 Thread Craig Skinner
Hi folks,

On Fri, 26 Jan 2018 11:30:56 -0700 Andrew Hewus Fresh wrote:
> ...
> You could add your home directory to the SUIDSKIP environment variable
> in /etc/daily.local to avoid searching there if this message keeps
> annoying you and you don't care about devices and suid changes there.
> 
> http://man.openbsd.org/security#SUIDSKIP

Thanks Andrew.


The daily disk I/O might be reduced by having a look at the output of:-

$ mount | awk '/nosuid/ { print $3 }'

$ awk '/nosuid/ { print $2 }' /etc/fstab


This is something I put in /etc/daily.local

SUIDSKIP=$(mount | awk '/nosuid/ { print $3 }')



Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: no valid ntpd peers

2018-01-10 Thread Craig Skinner
Hi Maximilian,

On Wed, 10 Jan 2018 18:10:37 +0700 Maximilian Pichler wrote:
> Indeed, the ISP was to blame here. Mac OS couldn't get the time
> either. Once I switched to my phone's internet connection everything
> was fine.

Perhaps the ISP has an NTP/date/time server for customers to sync from?

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: pkg_info fails for non-installed packages when PKG_CACHE is set to a directory the current user can't write to

2017-11-02 Thread Craig Skinner
Hi Lari/Marc/all,

On Thu, 2 Nov 2017 00:21:08 +0200 Lari Rasku wrote:
> Oh, it's a ports tree mechanism? I only use packages, so I've been 
> using it for a fast reinstall/lookup cache in case I come to second 
> thoughts about some package:

Likewise, I have:

$ printenv | fgrep PKG_
PKG_CACHE=/var/cache/pkg
PKG_PATH=$PKG_CACHE:http://mirror.

/var/cache/pkg/ is group writable by wheel, so unpriv sysadmins can
do pkg_add -n to download & cache items, for root to install later.

I thought the cache was to reduce remote package server/network load.

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: OT: Upload and Download to/from an OpenBSD host

2017-10-31 Thread Craig Skinner
Hi Mihai

On Mon, 30 Oct 2017 21:23:51 +0200 Mihai Popescu wrote:
> I am trying to setup a solution on an OpenBSD computer, where i want
> to upload and then download large volume of data. I was using ftpd
> daemon to do this, but I wonder if there is another way to do this,
> regarding speed of transfer.
>

If on a trustworthy private network or via a cross over network cable,
netcat can be quite fast, e.g:


# I started netcat listening on a host with spare space:

<operator@torana:tmp 0>$ umask 077; nc -l 5 | dd of=/mnt/kingswood/_home.dump


# On the cramped host, I unmounted & disk dumped to netcat:

<operator@kingswood:tmp 0>$ mktemp
/tmp/operator/tmp.UZEOHQyzDH
<operator@kingswood:tmp 0>$ dump -0anu -f - /dev/rwd1f 2>/tmp/operator/tmp.UZEOHQyzDH |
  nc -N -w 15 torana.internal 5

  DUMP: Date of this level 0 dump: Fri Aug 21 12:56:36 2015
  DUMP: Date of last level 0 dump: the epoch
  DUMP: Dumping /dev/rwd1f (/home) to standard output
  DUMP: mapping (Pass I) [regular files]
  DUMP: mapping (Pass II) [directories]
  DUMP: estimated 190840212 tape blocks.
  DUMP: Volume 1 started at: Fri Aug 21 12:56:48 2015
  DUMP: dumping (Pass III) [directories]
  DUMP: dumping (Pass IV) [regular files]
  DUMP: 0.80% done, finished in 10:21
  DUMP: 1.62% done, finished in 10:06
  DUMP: 2.44% done, finished in 9:59
  DUMP: 3.26% done, finished in 9:52
  DUMP: 4.08% done, finished in 9:47
  DUMP: 4.91% done, finished in 9:40
  .
  
  ...
  DUMP: 97.54% done, finished in 0:15
  DUMP: 98.35% done, finished in 0:10
  DUMP: 99.17% done, finished in 0:05
  DUMP: 99.99% done, finished in 0:00
  DUMP: 190837578 tape blocks
  DUMP: Date of this level 0 dump: Fri Aug 21 12:56:36 2015
  DUMP: Volume 1 completed at: Fri Aug 21 23:06:51 2015
  DUMP: Volume 1 took 10:10:03
  DUMP: Volume 1 transfer rate: 5213 KB/s
  DUMP: Date this dump completed:  Fri Aug 21 23:06:51 2015
  DUMP: Average transfer rate: 5213 KB/s
  DUMP: level 0 dump on Fri Aug 21 12:56:36 2015
  DUMP: DUMP IS DONE





# Netcat to dd on the spacious host logged:
314140569+87238623 records in
381675140+0 records out
195417671680 bytes transferred in 37251.937 secs (5245839 bytes/sec)


<operator@torana:tmp 0>$ df -h /mnt/kingswood
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd1g      210G    182G   17.5G    91%    /mnt/kingswood
<operator@torana:tmp 0>$ ls -lh /mnt/kingswood/
total 381722816
-rw---  1 operator  operator   182G Aug 21 23:06 _home.dump

...


# After rejigging the disks on the cramped host, newfs, etc, I restored:

<root@kingswood:/home 0># nc -l 5 | restore -ryvf - > restore.output.$RANDOM 2>&1



# Transfer the dump back to the previously cramped host, via netcat:

<operator@torana:tmp 0>$ dd if=/mnt/kingswood/_home.dump |
  nc -v -N -w 15 kingswood.internal 5
Connection to kingswood.internal 5 port [tcp/*] succeeded!
381675140+0 records in
381675140+0 records out
195417671680 bytes transferred in 29107.667 secs (6713615 bytes/sec)


<root@kingswood:/home 0># less /home/restore.output.569
Level 0 dump of /home on kingswood.internal:/dev/wd1f
Label: none
Verify tape and initialize maps
Dump   date: Fri Aug 21 12:56:36 2015
Dumped from: the epoch
Begin level 0 restore
Initialize symbol table.
Extract directories from tape
Calculate extraction list.
Make node ..



<operator@kingswood:tmp 0>$ df -h /home
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/wd1d      299G    182G    102G    64%    /home


182G was restored on the newly formatted and enlarged partition
(now 'd' instead of 'f'), via netcat, from another host.


As well as disk partitions, dump(8) works on files & directories too.


Everything needed is in base OpenBSD.

Ace!
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: DMCA Free OpenBSD VPS Hosting, multiple payment methods

2017-10-20 Thread Craig Skinner
On Thu, 19 Oct 2017 16:27:26 -0200 x9p wrote:
> .. .but of course need to act upon receiving a court order.

Which was raised by solicitors ("lawyers" is USA speak) in the hosting
country, in a court room, in the hosting country, and legally authorised
by the government of the hosting country, for sheriffs/bailiffs/police
of the hosting country to enforce.

USA subpoenas have no legal validity outside the USA, which is why
British Spamhaus refused to comply with a US Federal District court:

"The Illinois ruling shows how spammers can game US courts with ease,
as no proof or due process is required in certain US courts in order to
obtain default judgments over clearly foreign entities with no ties to
the US. ..  judgments from United States courts are not recognised
in the United Kingdom. A Plaintiff seeking to have a US default order
enforced in the United Kingdom has no choice but to re-file the case in
a British court of law and fully prove jurisdiction as well as the
merits of the case under British law."

https://www.spamhaus.org/organization/statement/003/case-answer-e360insight-vs.-the-spamhaus-project
https://en.wikipedia.org/wiki/Spamhaus.org#e360_Lawsuit


The US legal system is slack, has low legal standards and procedures,
and its judges pridefully think they rule the world. AKA ego.



"OpenBSD is developed and released from Canada and due to Canadian law
it is legal to export crypto to the world" USA law is not valid in
Canada.

http://www.openbsd.org/goals.html



Re: Guess what today is

2017-10-19 Thread Craig Skinner
On Wed, 18 Oct 2017 06:16:09 -0400 STeve Andre' wrote:
> Happy birthday to OpenBSD--22 years old!

Congratulations to all the contributors - what proud parents you are!



Re: the whole greylisting, spam filtering thing

2017-09-30 Thread Craig Skinner
Hi Markus/all,

On Fri, 29 Sep 2017 15:06:29 +0200 Markus Rosjat wrote:
> ... greylisting ... like outlook.com and mails ending up delayed
> for ever 

The 'ungrey-robins' tool automatically solves this problem for
round-robin sending servers (Google, Outlook, Amazon, Yahoo, BT, etc.)

Start with the README & see the logs directory for evidence:
http://web.Britvault.Co.UK/products/ungrey-robins/





Otherwise;- simply set spamd's greylisting expire time to 4 days, not 4
hours. I ran servers this way for years - the mail does come through...



Cheers,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7



Re: gmail and hotmail blocking mail sent from my IP

2017-08-12 Thread Craig Skinner
Hi Rui,

On Fri, 11 Aug 2017 12:36:34 +0100 Rui Ribeiro wrote:
> There were even customized ports of Qmail in the past that had
> options that could be easily be enabled to downright refuse email
> from emails hosts not matching A/PTR or HELO

Postfix has these types of filters built in by default.

Similar to spamd's standard greylisting & stuttering options,
these lightweight DNS tests are simply superb spam nukers.

Why? Zombies can't set a machine's (r)DNS, nor make them match.


These Postfix options kill spam (be careful about using on port 587):


smtpd_client_restrictions =
reject_unknown_client_hostname

smtpd_helo_restrictions =
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname

smtpd_sender_restrictions =
reject_non_fqdn_sender
reject_unlisted_sender
reject_unknown_sender_domain

smtpd_recipient_restrictions =
reject_non_fqdn_recipient
reject_unknown_recipient_domain


For testing, each can be prefixed with 'warn_if_reject'.
Warnings are logged while the session continues as usual.


There are other more and less aggressive (RFC derived) settings.
See http://www.Postfix.Org/postconf.5.html

Cool,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7



Re: maildrop-postfix question

2017-08-11 Thread Craig Skinner
Hi Markus,

On Thu, 10 Aug 2017 17:06:17 +0200 Markus Rosjat wrote:
> I try to get maildrop to work with postfix so I installed the 
> maildrop-postfix package and did the config in the main.cf

Postfix has a built in maildrop program called local(8), which aliases,
forwards, delimits and delivers to mboxes or maildirs in various places:
http://www.postfix.org/local.8.html


But it is better to pass mail via LMTP to the IMAP daemon for storage,
via either local chrooted UNIX sockets, or TCP to other machines:
https://en.wikipedia.org/wiki/Local_Mail_Transfer_Protocol
https://wiki2.dovecot.org/HowTo/PostfixDovecotLMTP
http://www.postfix.org/lmtp.8.html

Cheers,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7



Re: gmail and hotmail blocking mail sent from my IP

2017-08-11 Thread Craig Skinner
On Thu, 10 Aug 2017 17:18:45 Stuart Henderson wrote:
> You can't expect to reliably deliver email unless you have a PTR
> record and an A/AAAA record (at least within the same domain, though
> in some cases the full hostname needs to match).

Yes - matching DNS PTR/A records, and HELO hostname generally seem to be
ranked higher for delivery than the SPF/DMARC/DKIM/etc optional extras.

Cheers,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7



Re: gmail and hotmail blocking mail sent from my IP

2017-08-08 Thread Craig Skinner
Hi Walter:

On Sun, 6 Aug 2017 19:45:22 +0200 Walter Alejandro Iglesias wrote:
> What determines those "ranges", who regulates that?

Some ISPs submit IP blocks to various blacklists. e.g:
https://www.Spamhaus.Org/faq/section/Spamhaus%20PBL#242
http://www.Sorbs.Net/faq/dul.shtml

Asking your ISP to exclude your addresses might help.

Regards,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7



Re: Split zone DNS?

2017-07-29 Thread Craig Skinner
On Fri, 28 Jul 2017 07:58:25 -0600 Steve Williams wrote:
> 
> I would like to run a local resolver on my internal network that will 
> resolve all my hosts on my local network to IP addresses on my local 
> network(s) rather than resolving to their public IP addresses.
> 
> I believe it's called a "split zone" DNS, where my domain is resolved 
> locally, but everyone else is resolved using normal resolution
> processes.
> 

Yes Steve.

A split horizon DNS zone is where different data is served for the same
zone above & below the horizon (a gateway between the Internet & LAN).

So hosts like printer.example.not.uk resolve internally only. In the
dark, below the public light of the sun's horizon.

Also hosts like mail.example.not.uk have a private LAN IP address
internally, and have a public IP address when queried from the Internet.
(which is like poisoning the internal edition of the zone.)


> I set this up at one of my previous jobs using BIND, but that was 7 
> years ago. I've never gone to the trouble of doing it at home, but I 
> would like to exercise my brain a bit as well as having my home
> network set up "better".
> 

Yes, I used to operate BIND as a split horizon server on OpenBSD too.


> What is the best tool to accomplish this these days?  Is NSD the 
> "modern" tool to be using on OpenBSD?
> 

When OpenBSD changed from BIND to NSD & Unbound, I found it simpler to
serve the private domain '.internal' on the LAN;-

To serve a split horizon zone, there needs to be 2 NSD daemons, serving
different zone files. Either on different machines, or different ports.

Or,... Unbound can serve data for simple private zones,
while leaving NSD to serve public zones.

Unbound can stub (i.e. proxy) zones from NSD served zone files.

This thread is a couple of years old, but could help you get going:
http://marc.info/?l=openbsd-misc&m=141113669300630&w=2


A master NSD server can notify a slave NSD server, which will auto
transfer the zone & serve new data when the zone is updated.

So I have 2 NSD servers on my LAN, which 2 Unbound resolvers stub
their .internal domain from. (No need to cron rdist unbound.conf files
between servers & restart unbound.) I can shutdown & upgrade 1 gateway
machine, while everything on the LAN keeps working as normal.


For internal domain name thoughts, see:
http://marc.info/?l=openbsd-misc&m=145639578710637&w=2

Cheers,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
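The two-gateway layout described in this post (an NSD master and slave for
the private zone, with Unbound on each gateway stubbing that zone from both),
as an added example that is not Craig's files. The gateway addresses
192.168.1.1 and 192.168.1.2, NSD listening on port 5353 so that Unbound can
own port 53, and the zone file paths are assumptions. The slave's
`zonefiles-write` is the nsd.conf setting from the "nsd question" post above,
which is what made the old write-to-disk cron job unnecessary.

```conf
# Added example, not Craig's files. 192.168.1.1 (gateway A), 192.168.1.2
# (gateway B), NSD on port 5353 and the zone file paths are assumptions.

# ---- nsd.conf on gateway A: master for "internal" ----
server:
    ip-address: 192.168.1.1@5353     # off port 53 so Unbound can listen there
    zonesdir: "/var/nsd/zones"

zone:
    name: "internal"
    zonefile: "master/internal.zone"
    notify: 192.168.1.2@5353 NOKEY   # tell the slave when the SOA serial changes
    provide-xfr: 192.168.1.2 NOKEY   # and let it pull the zone

# ---- nsd.conf on gateway B: slave for "internal" ----
server:
    ip-address: 192.168.1.2@5353
    zonesdir: "/var/nsd/zones"
    zonefiles-write: 3600            # write transferred zones to disk hourly

zone:
    name: "internal"
    zonefile: "slave/internal.zone"
    allow-notify: 192.168.1.1 NOKEY
    request-xfr: AXFR 192.168.1.1@5353 NOKEY

# ---- unbound.conf on both gateways ----
server:
    interface: 127.0.0.1
    interface: 192.168.1.1           # 192.168.1.2 on gateway B
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    domain-insecure: "internal"      # unsigned private zone: no DNSSEC validation
    private-domain: "internal"       # RFC 1918 answers are expected here
                                     # (matters only if private-address is set)

stub-zone:
    name: "internal"
    stub-addr: 192.168.1.1@5353      # either NSD will do, so one gateway
    stub-addr: 192.168.1.2@5353      # can be down for an upgrade
```

Because the zone is a private one rather than a second copy of the public
zone, there is no split horizon to keep consistent: NSD serves the public
zones on port 53 of the public addresses as before, and only `.internal` is
visible below the horizon. For a handful of hosts the `stub-zone` can be
replaced by `local-zone`/`local-data` lines in unbound.conf, as the post
notes, at the cost of rdist'ing that file between the gateways again.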



Re: DUMP: Invalid argument: [block -60912738518]

2017-07-22 Thread Craig Skinner
On Fri, 21 Jul 2017 14:45:01 +0200 Jan Stary wrote:
> If nothing is happening on the filesystem, it dumps OK;

Cool. That is probably your answer Jan.

> it does not matter that it's mounted.

True.

Unmounting massively reduces the chance of unexpected modifications
during dumping. Such as cron/at/batch jobs, etc


When a machine is shutdown(8) to single user mode, even
/var/log, /var and /usr can be unmounted for a clean dump, newfs &
(partial) restore.

/home and many other parts of /var can be unmounted once the relevant
daemons are stopped, and isn't too troublesome to script & cron.

> At any rate, the negative block numbers seem wrong.

Perhaps that's something for the tech@ people to investigate?


Cheers,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7



Re: DUMP: Invalid argument: [block -60912738518]

2017-07-20 Thread Craig Skinner
Hi Jan,

On Tue, 18 Jul 2017 21:53:03 +0200 Jan Stary wrote:
> ... During the dump, there was some activity on the filesystem ...

Try altering your scripts to stop relevant daemons, then umount the
partition before dumping & see if the problem persists.

See sections '5.0 Conclusions' and '2.0 Active Tests' of Elizabeth D.
Zwicky's paper "Torture-testing Backup and Archive Programs: Things You
Ought to Know But Probably Would Rather Not".

http://www.CoreDumps.De/doc/dump/zwicky/testdump.doc.html



Specifically for /home;- also see '/etc/nologin' in login(1), which file
I've found to be usefully created & nuked by my dump driving scripts.


Cheers,
-- 
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7



Re: Rsnapshot configuration

2017-06-17 Thread Craig Skinner
On Sat, 17 Jun 2017 11:05:41 Craig Skinner wrote:
> On Fri, 16 Jun 2017 10:21:10 -0500 Branden Harper wrote:
> > I use the built in dump/restore tools for ufs/ffs.  
> 
> Same here Branden. These tools are written and audited by skilled
> OpenBSD developers, _for_ OpenBSD's file system. Sweet.

dump(8) also honours the file system's nodump flag (configurable level),
so no need for any complicated exclude lists.

chflags(1) can set this flag recursively, which is very useful on /var/

Very simple, reliable & quality audited code, built beautifully in base.

Ace,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: Rsnapshot configuration

2017-06-17 Thread Craig Skinner
On Fri, 16 Jun 2017 10:21:10 -0500 Branden Harper wrote:
> I use the built in dump/restore tools for ufs/ffs.

Same here Brandon. These tools are written and audited by skilled
OpenBSD developers, _for_ OpenBSD's file system. Sweet.

> I have never been lead astray there.

They work very well + in single user mode /var & /usr can be unmounted.

Never hit the rsync "too many files" problems either.

> You can script around it to make sure disks are there (or to push
> across the network).

My scripts do Tower of Hanoi incremental backups nightly, encrypting
the raw dumps, then scp duplicate the encrypted dumps off site too.

http://en.wikipedia.org/wiki/Backup_rotation_scheme#Tower_of_Hanoi

All done with standard quality tools included in base.

Nice,
-- 
Craig Skinner | http://linkd.in/yGqkv7
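The nightly routine sketched in the dump threads above (keep users out with /etc/nologin, stop the daemons that write to the partition, pick a Tower of Hanoi level, let dump(8) honour the nodump flag, encrypt the raw dump and copy it off site) written out as one sh script. This is an added example, not Craig's own scripts and not anything posted to the list. The file system, backup directory, key file and scp target are placeholders, and openssl(1) from base is assumed for the encryption step.

```shell
#!/bin/sh
# Added example, not the poster's scripts: a nightly dump(8) driver that
# quiesces the file system, picks a Tower of Hanoi level, honours the
# nodump flag and encrypts the raw dump before copying it off site.
# Assumptions (placeholders, adjust to taste): $FS, $DEST, $KEYFILE and
# the scp target $OFFSITE; openssl(1) is assumed as the encryption step.
set -eu

FS=${FS:-/var}                        # file system (mount point or raw device)
DEST=${DEST:-/backups}                # where the encrypted dumps land locally
KEYFILE=${KEYFILE:-/etc/dump.key}     # passphrase file, mode 0600, root only
OFFSITE=${OFFSITE:-operator@backup.example.net:/backups}   # scp destination

# dump(8) suggests the level sequence 3 2 5 4 7 6 9 8 9 9 ... after a
# level 0.  With n = days since the last full dump: day 0 is level 0,
# odd days get n+2, even days get n, and nothing goes above 9.
hanoi_level() {
    n=$1
    if [ "$n" -eq 0 ]; then
        l=0
    elif [ $((n % 2)) -eq 1 ]; then
        l=$((n + 2))
    else
        l=$n
    fi
    [ "$l" -le 9 ] || l=9
    echo "$l"
}

run_dump() {
    level=$(hanoi_level "$1")
    out="$DEST/$(basename "$FS").$(date +%Y%m%d).L$level.dump.enc"
    st=$(mktemp)
    trap 'rm -f /etc/nologin "$st"' EXIT

    # Keep users out (login(1) refuses while /etc/nologin exists) and stop
    # the daemons that write to $FS, so the dump sees a quiet file system.
    echo "Backups running, please try again in an hour." > /etc/nologin
    # rcctl stop smtpd dovecot     # whatever writes to $FS: site specific

    # -u records level and date in /etc/dumpdates so the next run is
    # incremental against it; -a lets dump size the output itself;
    # -h 0 honours the nodump flag even for the level 0 dump (the default
    # honour level 1 keeps nodump files in full dumps).  dump's exit
    # status is lost inside the pipe, so it is captured in $st instead.
    { dump -"$level" -u -a -h 0 -f - "$FS" || echo $? > "$st"; } |
        openssl enc -aes-256-cbc -salt -pass "file:$KEYFILE" > "$out"

    if [ -s "$st" ]; then
        echo "dump of $FS failed with status $(cat "$st")" >&2
        rm -f "$out"
        return 1
    fi
    scp -p "$out" "$OFFSITE/"
}

case "${1-}" in
    run) run_dump "${2:?usage: $0 run <days-since-level-0>}" ;;
esac
```

Run it from operator's crontab as `dumper run N`, where N counts the days since the last level 0 and resets to 0 on the day you take the next full dump; `restore -tf -` on the decrypted stream is the cheap way to confirm a dump before trusting it.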



Re: smtpd doesn't start

2017-05-31 Thread Craig Skinner
Hi Peter,

On Tue, 30 May 2017 12:32:35 +0200 Peter Hessler wrote:
> On 2017 May 30 (Tue) at 10:37:37 +0100 (+0100), Craig Skinner wrote:
> :.localdomain (.local interferes with iStuff, avoid it)
> :.internal
> :.private
> :.priv
> :.lan
> 
> NO NO NO NO NO NO NO NO NO
> 
> All of those domains may (or have been) issued by ICANN, and can be
> used for real.


RFC 2606 (& 6761, section 6) reserves the following TLDs for private testing:
.test
.example
.invalid
.localhost
(These were created for testing, not for production.)

http://en.wikipedia.org/wiki/.test
http://en.wikipedia.org/wiki/.example
http://en.wikipedia.org/wiki/.invalid
http://en.wikipedia.org/wiki/.localhost


'.local' is reserved as a pseudo-TLD for link-local hostnames that can
be resolved via Multicast DNS http://en.wikipedia.org/wiki/.local


Similar to 'localhost', '.localdomain' is "reserved" for internal usage.

Hence the traditional default 'localhost.localdomain' on new installs.

Also regarded as "reserved" are the other pseudo-TLDs mentioned.

Cool,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: smtpd doesn't start

2017-05-30 Thread Craig Skinner
Hello,

On Mon, 29 May 2017 13:04:03 -0400 Choose a display name wrote:
> If I understand correct, the problem is that my DNS server on
> 192.168.1.1 can't lookup an IP address for "mypcname", which is not a
> registered domain name, just cooked-up hostname of the machine
> running smtpd.
> 
> Honestly, I don't know how it could be fixed. Could anybody help me?

Serve a DNS domain on your network, with an A record for that machine.

Some domain names commonly used for private networks include:

.localdomain (.local interferes with iStuff, avoid it)
.internal
.private
.priv
.lan

This can be done directly in Unbound, or stubbed to NSD.

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7
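The two smtpd messages above disagree over which private suffixes are safe, and the answer given is the RFC 6761 list plus mDNS's .local. As an added example (not part of either message), here is a small sh script that classifies a chosen suffix on exactly that basis and then emits the Unbound local-zone/local-data stanza that serves the private domain. The zone name, host name and addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: classify a private DNS suffix and
# emit the Unbound stanza that serves it.  Zone, host and address values
# are constructed placeholders.
set -eu

# RFC 6761 reserves .test .example .invalid .localhost for testing and
# loopback; .local is taken by Multicast DNS (RFC 6762).  Every other
# suffix is, or could become, a delegated public TLD.
classify_suffix() {
    s=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')   # drop trailing dot
    case "${s##*.}" in                                       # last label only
        test|example|invalid|localhost) echo reserved ;;
        local)                          echo mdns ;;
        *)                              echo unreserved ;;
    esac
}

# Print a one-line verdict for the suffix the admin wants to use.
pick_zone() {
    case "$(classify_suffix "$1")" in
        reserved)   echo "$1: reserved by RFC 6761, safe for an isolated network" ;;
        mdns)       echo "$1: belongs to mDNS, clashes with Apple and Avahi hosts" ;;
        unreserved) echo "$1: not reserved, may collide with a real TLD; a subdomain of a domain you own is safer" ;;
    esac
}

# Emit an unbound.conf(5) fragment for zone $1.  Reads "name ip" pairs on
# stdin.  The zone is "static" so unlisted names get NXDOMAIN locally
# instead of being forwarded (and leaked) to the upstream resolver.
unbound_local_zone() {
    zone=$(printf '%s' "$1" | sed 's/\.$//')
    printf 'server:\n'
    printf '\tlocal-zone: "%s." static\n' "$zone"
    while read -r name ip; do
        [ -n "$name" ] || continue
        printf '\tlocal-data: "%s.%s. IN A %s"\n' "$name" "$zone" "$ip"
        printf '\tlocal-data-ptr: "%s %s.%s"\n' "$ip" "$name" "$zone"
    done
}

if [ "${1-}" = demo ]; then
    pick_zone home.lan
    printf 'mypcname 192.168.1.10\nrouter 192.168.1.1\n' | unbound_local_zone home.lan
    # then append the output to /var/unbound/etc/unbound.conf,
    # run unbound-checkconf and rcctl restart unbound
fi
```

With the stanza in place, `host mypcname.home.lan 127.0.0.1` answers from Unbound's local data and smtpd's reverse lookup of its own name succeeds without anything leaving the LAN.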



Happy birthday Theo!

2017-05-19 Thread Craig Skinner
Best wishes.



Re: spamd and outlook.com

2017-04-21 Thread Craig Skinner
Hello Peter/all,

On Fri, 21 Apr 2017 11:59:20 +0200 "Peter N. M. Hansteen" wrote:
> 
> start with
> 
> $ host -ttxt outlook.com
> 
> and follow the includes to the very end. Then weep.
> 


In February 2015 Paul de Weerd calculated Google published 217,088 IPv4
addresses, and 29,710,560,942,849,126,597,578,981,376 IPv6 addresses as
valid SMTP servers. See:
http://marc.info/?l=openbsd-misc&m=142478407909186

It would be reasonable to state Google (and others) have populated SPF
with LIES.


Boudewijn Dijkstra wrote: "SPF was never meant for making accept/reject
decisions on arbitrary domains. If you don't trust the sending domain,
then SPF evaluation is pointless."
http://marc.info/?l=openbsd-misc&m=148232868408696


Regards,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: spamd and outlook.com

2017-04-21 Thread Craig Skinner
Hi Markus,

On Fri, 21 Apr 2017 11:25:14 +0200 Markus Rosjat wrote:
> so if you have spamd in place in greylisting mode and you have
> customers that work with people who use Office365 as a service you
> will get calls that emails are delayed for a freaking long time

Email is not instant messaging.

Customers need to be educated to that fact.

> 
> So  what are the strategies out there to handle this kind of
> situation? Do you let them all pass and trust that microsoft is
> protecting there service enough to stop spamming from hijacked
> machines that use office365 ?
> 

http://web.britvault.co.uk/products/ungrey-robins/logs/outlook.txt

The ungrey-robins tool, with patterns for Outlook, Google, Amazon, etc:
http://web.britvault.co.uk/products/ungrey-robins/


> 
> Just curious here I had a case where you could dig the mx for a
> domain and it was a outlook.com server.

No. DNS MX records are used for sending mail _TO_ a domain.

Inbound mail routing doesn't apply to outbound mail.

Domains may relay out via other domains (e.g. their ISP's mail farm).

When sending, many domains SMTP HELO with google, outlook, etc...

The ungrey-robins tool looks at the HELO hostname, not the FROM domain.


See the misc@ thread "spamd and network whitelisting"
http://marc.info/?t=14818982922


Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread Craig Skinner
On Fri, 7 Apr 2017 07:25:58 +0300 li...@wrant.com wrote:
> Thank you ALL for the hard work over the years to complement OpenBSD.

Yes.



Fwd: [EdLUG] Conference: FLOSS UK Spring 2017, Manchester

2017-03-04 Thread Craig Skinner
Formerly known as UKUUG (United Kingdom Unix User Group)

Keynote: Distributed Policy Enforcement with OpenSSH Certificates


- Forwarded message from Edinburgh Linux Users Group 
 -

Date: Fri, 03 Mar 2017 14:47:27 +
From: Edinburgh Linux Users Group 
To: ed...@mailman.lug.org.uk
Subject: [EdLUG] Conference: FLOSSUK Spring 2017 Manchester

Given this is relatively local, quite a few Edinburgh folk go along each
year and a couple of EdLUG members are helping organise it, I thought
I'd advertise it here.

Spring 2017 - 14th, 15th and 16th March 2017

Venue:  The Studio, Manchester
UKUUG - FLOSS UK has just announced the 3 day schedule.

Details of the provisional list of workshops & talks can be found here:
https://www.flossuk.org/talks-workshops-and-events-2017/

On-line booking is available. Book your place now!

Cheers,
Kenny.
-- 
The University of Edinburgh is a charitable body,
registered in Scotland, with registration number SC005336.
EdLUG mailing list
ed...@lists.edlug.org.uk
https://lists.edlug.org.uk/mailman/listinfo/edlug

- End forwarded message -



Re: serial port expansion card

2017-03-04 Thread Craig Skinner
Hello,

On 2017-03-04 Sat 11:13 AM |, Damian McGuckin wrote:
> Maybe we need a list of recommended serial port add-on cards

The Moxa C168H 8 port PCI card works well on this "console server":
 o the hosts defined in /etc/remote(5) don't jump about
 o no problems known with reboots of any box, in any sequence
 o it came with an octopus cable, which connects to:
   o PC com ports through gender changers
   o SPARC console ports via common Cisco turquoise rollover cables

Moxa also makes 4 port PCI console cards too.


OpenBSD 6.0 (GENERIC) #1917: Tue Jul 26 12:48:33 MDT 2016
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II ("GenuineIntel" 686-class, 512KB L2 cache) 349 MHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PSE36,MMX,FXSR,PERF
real mem  = 267849728 (255MB)
avail mem = 250064896 (238MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 06/06/99, BIOS32 rev. 0 @ 0xfd861, SMBIOS rev. 2.1 @ 
0xf7de5 (32 entries)
bios0: vendor IBM version "PDKT25AUK" date 06/06/99
bios0: IBM 6275540
acpi0 at bios0: rev 0### AML PARSE ERROR (0x57): Undefined name: OPT\^T
error in acpi_parse_aml

acpi0: sleep states
acpi0: tables DSDT FACP
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpicpu0 at acpi0: C1(@1 halt!)
bios0: ROM list: 0xc/0x8000
cpu0 at mainbus0: (uniprocessor)
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x02
intelagp0 at pchb0
agp0 at intelagp0: aperture at 0xec00, size 0x400
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x02
pci1 at ppb0 bus 1
vga1 at pci1 dev 1 function 0 "S3 Trio3D AGP" rev 0x01
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
piixpcib0 at pci0 dev 2 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 2 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 
wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 78167MB, 160086528 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
wd1 at pciide0 channel 1 drive 0: 
wd1: 16-sector PIO, LBA48, 308921MB, 632672208 sectors
atapiscsi0 at pciide0 channel 1 drive 1
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0:  ATAPI 5/cdrom 
removable
wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
cd0(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 2 function 2 "Intel 82371AB USB" rev 0x01: irq 10
piixpm0 at pci0 dev 2 function 3 "Intel 82371AB Power" rev 0x02: SMI
iic0 at piixpm0
spdmem0 at iic0 addr 0x50: 128MB SDRAM non-parity PC100CL3
spdmem1 at iic0 addr 0x51: 64MB SDRAM non-parity PC100CL3
spdmem2 at iic0 addr 0x52: 64MB SDRAM non-parity PC100CL3
spdmem3 at iic0 addr 0x55: 448MB DDR2 SDRAM PC2-2500CL5
em0 at pci0 dev 16 function 0 "Intel 82546GB" rev 0x03: irq 11, address 
00:04:23:a8:92:0e
em1 at pci0 dev 16 function 1 "Intel 82546GB" rev 0x03: irq 10, address 
00:04:23:a8:92:0f
puc0 at pci0 dev 18 function 0 "Moxa C168H" rev 0x01: ports: 8 com
com4 at puc0 port 0 irq 9: ns16550a, 16 byte fifo
com5 at puc0 port 1 irq 9: ns16550a, 16 byte fifo
com6 at puc0 port 2 irq 9: ns16550a, 16 byte fifo
com7 at puc0 port 3 irq 9: ns16550a, 16 byte fifo
com8 at puc0 port 4 irq 9: ns16550a, 16 byte fifo
com9 at puc0 port 5 irq 9: ns16550a, 16 byte fifo
com10 at puc0 port 6 irq 9: ns16550a, 16 byte fifo
com11 at puc0 port 7 irq 9: ns16550a, 16 byte fifo
puc1 at pci0 dev 20 function 0 "AT/Lucent Venus Modem" rev 0x00: ports: 1 com
com12 at puc1 port 0 irq 5: ns16550a, 16 byte fifo
com12: probed fifo depth: 0 bytes
isa0 at piixpcib0
isadma0 at isa0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt1 at isa0 port 0x278/4: polled
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on wd0a (364eb89ee13fc5c7.a) swap on wd0b dump on wd0b



Re: Three questions about login classes: Use for setting up memory quotas, and do they have anything to do with escalated privileges?

2017-02-03 Thread Craig Skinner
Hi Tinker,

On Fri, 03 Feb 2017 15:19:27 +0800 Tinker <ti...@openmailbox.org> wrote:
> I see there's a unix group by the name "staff" too.

The 'staff' group could define people who are employees.
The 'users' group could define people who are customers.
The 'guest' group could define people who've not yet subscribed.

You get to choose.

It is easy enough to add groups and login classes.

See groupinfo(8), groupadd(8), useradd(8) & usermod(8) -G + -g flags,..

Perhaps you'd like to create a '_big_daemon' group & login class for
your processes?

Several companies I've worked for had a unique UNIX group for each
team of 5-20 people (e.g. jd3185), even when the company had 30,000+
employees. The umask was set so non-technical people in each team could
easily share files in team directories. The group name was used on job
sheets & time sheets for billing, etc.

You get to decide.

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: Migrate Mailserver from sendmail/Curier/LDAP to OpenSMTP/Dovecot/LDAP

2017-01-28 Thread Craig Skinner
Hi Markus,

On 2017-01-27 Fri 12:24 PM |, Markus Rosjat wrote:
> I dont like the idea of one single virtual user handling all the traffic to
> the maildirectories.

Me neither.

Here, all users have proper shell accounts & SSH access, for mutt, etc.

Stop Dovecot, unmount /var/mail (where mail stays), dump(8). No SQL "spool".

There is no LDAP nor SQL, it is all simple stuff;-

*) The MTA delivers via LMTP to Dovecot - which sieves mail.
   (Thunderbird & other mail clients have a sieve plugin.)

*) Users IMAP/POP/SMTP auth via an individual passwd file,
   which they change via a script (which calls pwqcheck(1) in ports).
   /etc/passwd is _NOT_ used for mail authentication.
   (MTA SMTP submission port auth relaying is validated by Dovecot too.)

No webmail; everybody is expected to have their own IMAP/POP/SSH device.

<postmaster@box:~ 0>$ doveconf -n
# 2.2.24 (a82c823): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.14 (099a97c)
# OS: OpenBSD 6.0 i386  ffs
auth_mechanisms = cram-md5 apop
auth_username_format = %Ln
first_valid_uid = 1000
listen = *
mail_location = maildir:/var/mail/%u
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character 
vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy 
include variables body enotify environment mailbox date index ihave duplicate 
mime foreverypart extracttext
mbox_write_locks = fcntl
mmap_disable = yes
namespace inbox {
  inbox = yes
  location = 
  mailbox Archive {
auto = subscribe
special_use = \Archive
  }
  mailbox Drafts {
auto = subscribe
special_use = \Drafts
  }
  mailbox Junk {
auto = subscribe
special_use = \Junk
  }
  mailbox Sent {
auto = subscribe
special_use = \Sent
  }
  mailbox "Sent Messages" {
special_use = \Sent
  }
  mailbox Templates {
auto = subscribe
  }
  mailbox Trash {
auto = subscribe
special_use = \Trash
  }
  prefix = 
  separator = /
  type = private
}
passdb {
  args = /var/dovecot/auth.d/%u/passwd.CRAM-MD5
  driver = passwd-file
}
passdb {
  args = /var/dovecot/auth.d/%u/passwd.CLEAR
  driver = passwd-file
  skip = authenticated
}
plugin {
  sieve = file:/var/mail/%u/sieve/;active=active.sieve
}
protocols = imap pop3 lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/dovecot-auth {
group = _postfix
mode = 0660
user = _postfix
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = _postfix
mode = 0660
user = _postfix
  }
}
service managesieve-login {
  inet_listener sieve {
port = 4190
  }
}
ssl = no
userdb {
  args = blocking=no
  driver = passwd
  result_failure = return-fail
}
protocol lmtp {
  mail_plugins = " sieve"
  postmaster_address = postmaster
}


In the future I hope to be able to deploy OpenSMTPd,
when the filtering & other work has stabilised.

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: lastcomm doesn't filter with arguments?

2017-01-19 Thread Craig Skinner
Hi Jiri

On Wed, 18 Jan 2017 10:37:51 -0500 Jiri B wrote:
> it seems `lastcomm' doesn't filter if it gets arguments

From what I see here, it filters multiple commands OR multiple users.


$ uname -mrsv
OpenBSD 6.0 GENERIC#1917 i386


$ lastcomm cp
cp       -       sysadmin __       0.00 secs Thu Jan 19 06:38 (0:00:00.02)
cp       -       operator __       0.00 secs Thu Jan 19 05:15 (0:00:00.00)


$ lastcomm cp cut
cp       -       sysadmin __       0.00 secs Thu Jan 19 06:38 (0:00:00.02)
cp       -       operator __       0.00 secs Thu Jan 19 05:15 (0:00:00.00)
cut      -       operator __       0.00 secs Thu Jan 19 04:00 (0:00:00.91)
cut      -S      root     __       0.02 secs Thu Jan 19 01:30 (0:00:00.02)



$ lastcomm cp cut operator | tail
sh       -S      operator __       0.00 secs Thu Jan 19 02:15 (0:00:00.05)
logger   -       operator __       0.00 secs Thu Jan 19 02:15 (0:00:00.02)
uptime   -       operator __       0.00 secs Thu Jan 19 02:15 (0:00:00.00)
sh       -S      operator __       0.00 secs Thu Jan 19 02:00 (0:00:00.09)
logger   -       operator __       0.00 secs Thu Jan 19 02:00 (0:00:00.05)
uptime   -       operator __       0.00 secs Thu Jan 19 02:00 (0:00:00.03)
sh       -S      operator __       0.02 secs Thu Jan 19 01:45 (0:00:00.05)
logger   -       operator __       0.02 secs Thu Jan 19 01:45 (0:00:00.02)
uptime   -       operator __       0.00 secs Thu Jan 19 01:45 (0:00:00.00)
cut      -S      root     __       0.02 secs Thu Jan 19 01:30 (0:00:00.02)

> or am I reading wrongly man page?

I don't think so.
--
Craig Skinner | http://linkd.in/yGqkv7



A couple of password pointers to avoid failed login(1) via cu(1)

2017-01-17 Thread Craig Skinner
Hiya,

FYI;- some things I found which can stop logging in over serial lines:

1) using non-ASCII password characters may not work reliably, e.g:
   a) Scandinavian/German/etc extra alphabet characters
   b) other currency characters;- Euro, British pound, Japanese Yen,..
   c) extra maths symbols like 1/4, 1/3, 1/2, 3/4, 2/3, infinity, 

2) passwords starting with a symbol can cause problems, especially '~'

Onward!
-- 
Craig Skinner | http://linkd.in/yGqkv7
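A pre-check for the two pitfalls listed above, as an added example and not the poster's own password-change script: it rejects anything outside printable 7-bit ASCII and anything that starts with a symbol, before the candidate is handed to pwqcheck(1) or passwd(1). The usage interface is an assumption.

```shell
#!/bin/sh
# Added example (not the poster's password-change script): screen a
# candidate password for the two serial-line pitfalls above before it
# goes to pwqcheck(1) or passwd(1).  Prints a reason; returns 1 to reject.
set -eu

serial_safe_password() {
    pw=$1
    if [ -z "$pw" ]; then
        echo "rejected: empty password"
        return 1
    fi

    # 1) Count bytes outside printable 7-bit ASCII (0x20-0x7e).  Umlauts,
    #    currency signs, fractions and the like arrive as different bytes
    #    depending on the terminal charset, the line's parity setting and
    #    the console server in between, so the stored hash never matches.
    bad=$(printf '%s' "$pw" | LC_ALL=C tr -d '\040-\176' | wc -c | tr -d ' ')
    if [ "$bad" -gt 0 ]; then
        echo "rejected: $bad byte(s) outside printable ASCII"
        return 1
    fi

    # 2) Refuse a leading symbol.  '~' at the start of a line is the
    #    cu(1) escape character, so a password beginning '~.' hangs up
    #    the line instead of logging in; the poster found other leading
    #    symbols troublesome as well.
    case $pw in
        [A-Za-z0-9]*) ;;
        *)  echo "rejected: starts with '$(printf '%s' "$pw" | cut -c 1)', begin with a letter or digit"
            return 1 ;;
    esac

    echo ok
}

if [ "${1-}" = check ]; then
    serial_safe_password "${2:?usage: $0 check <password>}"
fi
```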



Re: dig/nslookup limitations - can only do NSLOOKUPs using port 53

2017-01-16 Thread Craig Skinner
Hello all,

On Mon, 16 Jan 2017 00:38:16 -0700 Theo de Raadt wrote:
> dig (host, nslookup, etc) use this horrible ISC library

Could NLnet Labs' libldns & drill totally replace all this?

(Both are already ported & built.)

https://nlnetlabs.nl/projects/ldns/

"A lot of DNS debugging is done with dig, but as dig is made with the
same libraries as BIND8/9 (the most used DNS server out there), what
are you actually debugging/testing? Drill has nothing in common with
either NSD nor BIND. During the development process we are actually
uncovering obscure bugs in NSD and BIND (and in drill itself)."



Re: usermod: Invalid password: `*'

2017-01-06 Thread Craig Skinner
On Thu, 05 Jan 2017 08:22:04 -0700 Todd C. Miller wrote:
> This works in -current.  I've verified that it works with rev 1.112
> of user.c but OpenBSD 6.0 has user.c rev 1.111.
> 

Thanks Todd.

Superb the super devs have swiftly solved it!

(This operation ran fine from my rc.firsttime script up to 5.9.)

Do you think there would be an errata about this for 6.0?

Personally, I've only a few more machines to install 6.0 on, so I'll
script this (which works):

# usermod -L daemon -s /bin/ksh operator

and after install manually vipw(8) operator's password to 13 stars.

(Here, operator runs dump(8) scripts & related rdist cron jobs, etc.)

Cool,
-- 
Craig Skinner | http://linkd.in/yGqkv7



usermod: Invalid password: `*'

2017-01-04 Thread Craig Skinner
Happy Hogmanay/New Year/etc...,

My rc.firsttime script highlighted a change on 6.0's usermod:

<root@oak:tmp 0># fgrep operator /etc/master.passwd
operator:*:2:5::0:0:System &:/operator:/sbin/nologin
<root@oak:tmp 0># usermod -L daemon -p '*' -s /bin/ksh operator
usermod: Invalid password: `*'
<root@oak:tmp 0> (1) # uname -a
OpenBSD oak.britvault.co.uk 6.0 GENERIC#1917 i386
<root@oak:tmp 0># pkg_info -I passwdqc
passwdqc-1.3.0p1complexity checker for passwd(1) and password generator


Could this be related to commit 112 of user.c?

Remove the encrypted password length check.  The admin should be
able to put whatever they like in the encrypted password field,
regardless of whether it can be matched or not.  Having this check
just makes it harder to add new encrypted password functions.
This also fixes "usermode -Z" which was the impetus for the change.

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/user/user.c.diff?r1=1.111&r2=1.112&f=h

Or do I need to do it differently now?

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Colour man pages via ssh + tmux on OpenBSD 6.0

2016-12-26 Thread Craig Skinner
Hiya folks,

Similar to what I did on 5.9 (http://marc.info/?t=14706856923),
here's how I've done it less intrusively on OpenBSD 6.0:


$ cat ~/.terminfo/Makefile
#
#   $Id: Makefile,v 1.18 2016/12/26 15:53:13 craig Exp $
#
#   Public domain
#   (You're free to boil it, bake it, burn it, bin it, whatever)
#

TERMINFO=	/usr/share/terminfo
DIR!=		print ${TERM} | cut -c 1


all:	${DIR}/${TERM}-less


clean:
	rm ${TERM}-less.ti ${DIR}/${TERM}-less
	-rmdir ${DIR}


${DIR}/${TERM}-less:	${@F}.ti
	tic ${@F}.ti


.SILENT:


${TERM}-less.ti:	${TERMINFO}/${DIR}/${TERM}
	print "${@:R}," > $@
	put=$$(tput blink && tput setaf 1) && print "\tblink=$${put}," >> $@
	put=$$(tput bold && tput setaf 2) && print "\tbold=$${put}," >> $@
	-put=$$(tput dim && tput setaf 5) && print "\tdim=$${put}," >> $@
	put=$$(tput smso && tput setaf 3) && print "\tsmso=$${put}," >> $@
	put=$$(tput rmso && tput setaf 7) && print "\trmso=$${put}," >> $@
	put=$$(tput smul && tput setaf 6) && print "\tsmul=$${put}," >> $@
	put=$$(tput rmul && tput setaf 7) && print "\trmul=$${put}," >> $@
	print "\tuse=${TERM}," >> $@


.PHONY: all clean

# EOF



<me@puffy:.terminfo 0>$ find ~/.terminfo
/home/me/.terminfo
/home/me/.terminfo/Makefile
/home/me/.terminfo/Makefile,v

<me@puffy:.terminfo 0>$ for t in screen xterm xterm-new xterm-color tmux putty
> do
> export TERM=$t
> make
> done
tic screen-less.ti
tic xterm-less.ti
tic xterm-new-less.ti
tput: Unknown terminfo capability `dim'
*** Error 4 in target 'xterm-color-less.ti' (ignored)
tic xterm-color-less.ti
tic tmux-less.ti
tput: Unknown terminfo capability `dim'
*** Error 4 in target 'putty-less.ti' (ignored)
tic putty-less.ti

<me@puffy:.terminfo 0>$ find . | sort
.
./Makefile
./Makefile,v
./p
./p/putty-less
./putty-less.ti
./s
./s/screen-less
./screen-less.ti
./t
./t/tmux-less
./tmux-less.ti
./x
./x/xterm-color-less
./x/xterm-less
./x/xterm-new-less
./xterm-color-less.ti
./xterm-less.ti
./xterm-new-less.ti


Put these 2 lines in /etc/profile:
$ alias man='TERM=${TERM}-less man'
$ alias less='TERM=${TERM}-less less'


Then test for each terminal in screen xterm xterm-new xterm-color tmux putty:
$ export TERM=blah
$ man ls# See colours in headings, options, files, etc.
$ less /var/log/messages# Search for bsd & see coloured highlighting.

Seems OK.



To install the made terminfo files for everybody:
$ cd /usr/share/terminfo
$ find . -mindepth 2 -type f -name "*-less*"
[nowt]

$ sudo install -b -S -p -o root -g bin -m 444 ~me/.terminfo/t/tmux-less 
t/tmux-less
$ sudo install -b -S -p -o root -g bin -m 444 ~me/.terminfo/s/screen-less 
s/screen-less
$ sudo install -b -S -p -o root -g bin -m 444 ~me/.terminfo/x/xterm-less 
x/xterm-less
$ sudo install -b -S -p -o root -g bin -m 444 ~me/.terminfo/x/xterm-new-less 
x/xterm-new-less
$ sudo install -b -S -p -o root -g bin -m 444 ~me/.terminfo/x/xterm-color-less 
x/xterm-color-less
$ sudo install -b -S -p -o root -g bin -m 444 ~me/.terminfo/p/putty-less 
p/putty-less


Disable my local overrides:

$ mv ~/.terminfo ~/.terminfo~
$ man ls# and run the other tests above again.


Cheers!
-- 
Yoda & Luke have a bad day with the Seagull Empire striking back
in full song with a funky lip reading band
http://www.youtube.com/watch?v=U9t-slLl30E



Re: carp and squid

2016-12-22 Thread Craig Skinner
Hi Frank,

On Wed, 21 Dec 2016 12:41:43 +0100 Frank White wrote:
> Does 2 nodes clustered openbsd firewall work with squid?
> Is there any specific configuration?
> 

carp may not be needed as:
*) PAC files can list multiple proxies
*) A DNS entry can have multiple IP addresses

See the Squid FAQ:
http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers#Redundant_Proxy_Auto-Configuration
http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers#Fully_Automatic_Configuration

Also: http://FindProxyForURL.com/example-pac-file/

Symlink a proxy.pac file as wpad.dat

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: spamd and network whitelisting

2016-12-20 Thread Craig Skinner
Hello Clint,

On Fri, 16 Dec 2016 07:21:47 -0700 Clint Pachl wrote:
> I would like to share my 45-day experience with running spamd and my 
> observations and how I'm allowing mail from SMTP clusters to bypass 
> spamd. Feedback and discussion would be greatly appreciated.
> 

spamd in greylisting mode is indeed truly awesome!

With over 10 years real world experience running this way,
with several domains, I've tried a lot of ideas & scripts too...

The original design is very good and doesn't need much assistance.

To solve the clustered round robin senders (Gmail, etc.) simply bump
the -G:greyexp: time from 4 hours to 4+ days - 100 hours is good.
Job done! No scripts needed.

When configured like this, most gmails come through in around 6 hours
to 1.5 days, with some a bit longer. The more inbound gmails, the
shorter the delay, down to a few minutes as volume increases.
Same for Outlook, Amazon (which are both worse than Gmail), etc.

Bumping the -G :whiteexp time to 40 days helps a bit too.


Aggressive stuttering and a shrunk window foils almost all zombies.

Add in a fake highlisting -M to the mix, and it is game over for the
zombies, which love to target a backup MX box, so give them a trap.
(This needs a constantly deferring MTA on that IP address too.)

spamd_flags='-G 25:100:960 -S 90 -s 5 -w 1 -M  -y  -Y ... -Y ... -Y ...'
spamlogd_flags='-I -W 960 -Y ... -Y ... -Y ...'

(AOL only retries for 25 minutes (not the RFC 4 days), so if you
want to receive from AOL, the -G passtime: needs to be ~10 minutes.)


Some pf rate limiting kills off those zombies that understand the 'try
again later' SMTP code, then start hammering the server all at once:

The 2nd rule blocks (after almost 2 days) badly set up M$ Extrange
servers, which retry every minute.


set block-policy drop

# Normal & highlisting Internet inbound operation via spamd:
pass in on $ext_if inet proto tcp \
from any port > 1023 \
to {$ext_if:0, $ext_if:2} port smtp \
divert-to localhost port spamd \
keep state \
(max-src-conn 30, max-src-conn-rate 50/9, \
overload  flush global)

pass in log on $ext_if inet proto tcp \
from  port > 1023 \
to {$ext_if:0, $ext_if:2} port smtp \
user root \
modulate state \
(max-src-conn 80, max-src-conn-rate 150/15000, \
overload  flush global)


block in log from 


EASY! SIMPLE! Nothing to break.

No special domain lookups or exception lists. No maintenance labour.





Bob's other tool I deployed for many years was his greyscanner (in
ports). Over the years, I modified this to do aggregate DNS black &
white listing too. When I realised that it was very rare for spam to
pass the extended stuttering, I stopped running greyscanner.




Reverting to the default -G flags (4 hours grey expire), and help
promote round robin senders faster from grey to white, I wrote this
simple script. It runs unprivileged once every 4 hours from cron.

No pf tables/lists, no doas/sudo rules. No SPF checks.

It operates on an fgrep pattern of spamd HELO hostnames, as Gmail,
Outlook, etc. relay for many domains, but HELO from Google/Outlook.

The decision to upgrade from grey to whitelisted status is based on
an accumulated sliding score of multiple DNS list lookups.

See http://web.Britvault.Co.UK/products/ungrey-robins/ & logs there.




Also try Boudewijn's patch (see his continued blocking graph):
https://github.com/bdijkstra82/OpenBSD-spamlogd


> 
> Thanks to all the developers who made spamd; an amazing, simple,
> clever tool.
> 

Aye!
-- 
Craig Skinner | http://linkd.in/yGqkv7
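The grey-to-white promotion for round robin senders described above, as an added example in sh. This is not the ungrey-robins tool: instead of the DNS list scoring it uses a simpler assumed rule, promote every GREY address whose HELO ends in a listed cluster suffix once that suffix has been seen from at least N distinct addresses. The suffix list and threshold are assumptions, the record layout follows spamdb(8), and the sample spamdb lines are constructed with documentation addresses so the script runs without touching a real database.

```shell
#!/bin/sh
# Added example, not the ungrey-robins tool itself: promote GREY
# spamdb(8) entries from round-robin sender clusters to WHITE once the
# same HELO suffix has shown up from several distinct IP addresses.
# Suffix list and threshold are assumptions; spamdb output is read on
# stdin (constructed sample below) so it runs without a real database.
set -eu

# HELO suffixes that relay for many domains from rotating addresses.
ROBIN_SUFFIXES=${ROBIN_SUFFIXES:-"google.com outlook.com amazonses.com"}
MIN_ADDRS=${MIN_ADDRS:-3}   # distinct grey IPs needed before a suffix is trusted

# spamdb(8) GREY records: GREY|ip|helo|from|to|first|pass|expire|block|pass
# Print "suffix ip" for every GREY entry whose HELO ends in a listed suffix.
grey_robins() {
    awk -F'|' -v list="$ROBIN_SUFFIXES" '
        BEGIN { n = split(list, suf, " ") }
        $1 == "GREY" {
            helo = tolower($3)
            for (i = 1; i <= n; i++) {
                s = "." suf[i]
                if (substr(helo, length(helo) - length(s) + 1) == s) {
                    print suf[i], $2
                    break
                }
            }
        }'
}

# Keep only suffixes seen from at least $1 (default MIN_ADDRS) distinct
# addresses and print those addresses, one per line, sorted.
robin_candidates() {
    min=${1:-$MIN_ADDRS}
    grey_robins | sort -u | awk -v min="$min" '
        { ips[$1] = ips[$1] " " $2; cnt[$1]++ }
        END {
            for (s in cnt)
                if (cnt[s] >= min) {
                    k = split(ips[s], a, " ")
                    for (i = 1; i <= k; i++) print a[i]
                }
        }' | sort
}

# Whitelist each candidate; spamdb -a adds or updates the address as WHITE.
ungrey() {
    robin_candidates | while read -r ip; do
        echo "whitelisting $ip"
        spamdb -a "$ip"
    done
}

# Constructed sample in spamdb(8) output format (documentation addresses).
SAMPLE='GREY|192.0.2.10|mail-a.google.com|<x@a.example>|<me@example.org>|1482000000|1482014400|1482028800|2|0
GREY|192.0.2.11|mail-b.google.com|<x@a.example>|<me@example.org>|1482000100|1482014500|1482028900|1|0
GREY|192.0.2.12|mail-c.google.com|<y@b.example>|<me@example.org>|1482000200|1482014600|1482029000|1|0
GREY|192.0.2.12|mail-c.google.com|<z@c.example>|<me@example.org>|1482000300|1482014700|1482029100|1|0
GREY|198.51.100.7|eur01-he1-obe.outbound.protection.outlook.com|<q@d.example>|<me@example.org>|1482000400|1482014800|1482029200|1|0
GREY|203.0.113.5|pc123.example.net|<spam@e.example>|<me@example.org>|1482000500|1482014900|1482029300|5|0
WHITE|203.0.113.9|||1481000000|1481014400|1484456000|0|3'

if [ "${1-}" = run ]; then
    spamd_out=$(spamdb)
    printf '%s\n' "$spamd_out" | ungrey
fi
```

On the sample the three google.com addresses are promoted, the single outlook.com address is left grey until more of its cluster turns up, and the zombie with a PC-style HELO is never touched. Run it unprivileged from cron as the user that owns /var/db/spamd, every few hours, and keep the default -G passtime so a single retry from a cluster still has to wait.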



Re: How to make spamd more annoying ?

2016-12-14 Thread Craig Skinner
Hi Mik,

On Tue, 13 Dec 2016 18:29:00 + (UTC) Mik J wrote:
> I use spamlogd so that every outgoing mail adds the remote mx IP in
> my whitelist.

As with many domains, large mail services deploy/out source separate
inbound & outbound clusters, so spamlogd'ing outbound mail won't help.

These spamlogd flags seem to work best here:

spamlogd_flags='-I -Y ... -Y ... -Y '

> 
> I'm not sure I understood what this patch does.
> It's used to give some additional statistics?
> 

spamd expires trapped IP addresses after 24 hours.

Boudewijn's patch keeps them trapped while they continue to spam.
His stats prove it works.

> 
> I read somewhere that gmail servers change their IPs when they retry
> to send the mails.

This tool helps to auto white list silly round robin senders:
http://web.Britvault.Co.UK/products/ungrey-robins/

(SPF lists are often not trustworthy.)

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: How to make spamd more annoying ?

2016-12-13 Thread Craig Skinner
Hi Mik,

On Mon, 12 Dec 2016 23:21:51 +0100 Peter Hessler wrote:
> On 2016 Dec 12 (Mon) at 21:31:25 + (+), Mik J wrote:
> > I notice that this spammer lost 387 seconds so 6 minutes.
> > Is there a way to make them loose more time ?
> > # grep spamd /etc/rc.conf
> > spamd_flags="-5 -v -l 127.0.0.1 -h mymx.mydomain.com -n Somestring"
> 
> Don't use -5, but use the default -4.  550 is "permanent failure", 450
> is "temp fail, try again later".
> 
> Also look at the -S and -s options.  -w is also fun.
> 

These flags work really REALLY well:

spamd_flags='-S 90 -s 5 -w 1 -y  -Y ... -Y  -Y '


Another trick I found to work well when unsubscribing from a service:
1) change my subscribed address to pig.meat@real.domain
2) unsubscribe
3) add pig.meat@real.domain as a SPAMTRAP address (spamdb -T -a )


Also try Boudewijn's patch (see his continued blocking graph):
https://github.com/bdijkstra82/OpenBSD-spamlogd


Regards,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: Is using dkim really worth?

2016-12-10 Thread Craig Skinner
Hi Walter,

On Sat, 10 Dec 2016 11:51:34 +0100 Walter Alejandro Iglesias wrote:
> So, in general and based on your experience, do you think using dkim
> (that implies daemon, port redirections, etc.) is really worth?

In terms of delivery to popular free mail providers, it seems to me that
reverse DNS that matches forward DNS & HELO host name are worth more.

Strict SPF breaks with forwarding (mailing lists) so it must be
vague (~all), which is of little value.

An empty DMARC ("v=DMARC1\; p=none") record may help a tiny bit too.






All these extras try to change the Simple Mail Transfer Protocol in to
a Complicated Mail Transfer Protocol,.. because of the spam problem...

A few responsible ISPs block outbound access to port 25, forcing their
dynamic customers to authenticate through their port 587 relay servers.

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: 350MHz IBM Intel Pentium II runs 5.9 fine

2016-12-02 Thread Craig Skinner
Hello again,

On Thu, 1 Dec 2016 16:08:16 -0800 sombody wrote:
> Looks like something is misinterpreting ID numbers form the EEPROM on 
> the memory modules.  But I'd like to see what is physically there
> before making a call on what is going wrong, if you have any photos
> of the system's motherboard.
> 

These are IBM "Personal Computer 300GL"
Model No. 6275-500
Machine type: 6275
Model: 500

They are used without X as small servers (DHCP, NTP, spamd SMTP
gateways, Squid proxy, package mirror, print server, console server,...)

As with the quarter rack of Sun Netras vertically Ikea racked above them,
they were all made locally in Scotland, so may differ from foreign boxes.

See here: http://web.Britvault.Co.UK/tmp/2016/06-rack/

I'm simply stoked OpenBSD is so solid!

Cool,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: 350MHz IBM Intel Pentium II runs 5.9 fine

2016-12-01 Thread Craig Skinner
Hi,

On Wed, 30 Nov 2016 17:09:13 +0100 butresin wrote:
> On 16.11.29Tue 14:12, Craig Skinner wrote:
> > 
> > real mem  = 200740864 (191MB)
> > avail mem = 184385536 (175MB)
> ...
> > spdmem0 at iic0 addr 0x50: 64MB SDRAM non-parity PC100CL3
> > spdmem1 at iic0 addr 0x51: 64MB SDRAM non-parity PC100CL3
> > spdmem2 at iic0 addr 0x52: 64MB SDRAM ECC PC100CL2
> > spdmem3 at iic0 addr 0x55: 1GB DDR2 SDRAM PC2-5000CL5
> 
> This is odd.
> 

None of these IBM Pentium II machines have DDR memory installed.
I don't think it was invented in 1999. The 3 slots are old DIMM.

The other dmesg:

spdmem0 at iic0 addr 0x50: 128MB SDRAM non-parity PC100CL3
spdmem1 at iic0 addr 0x51: 64MB SDRAM non-parity PC100CL3
spdmem2 at iic0 addr 0x52: 64MB SDRAM non-parity PC100CL3
spdmem3 at iic0 addr 0x55: 448MB DDR2 SDRAM PC2-2500CL5

Another identical machine, but with only 2 DIMM slots filled:

spdmem0 at iic0 addr 0x50: 256MB SDRAM non-parity PC133CL2
spdmem1 at iic0 addr 0x51: 256MB SDRAM non-parity PC133CL2
spdmem2 at iic0 addr 0x55: 1GB DDR2 SDRAM PC2-6500CL5

Being an ordinary user, I dunno what that means, but the boxes run fine.

Cheers!
-- 
Craig Skinner | http://linkd.in/yGqkv7



350MHz IBM Intel Pentium II with 8 port Moxa serial card runs 5.9 fine

2016-11-29 Thread Craig Skinner
This box also runs fine for me 24*7, for around 15 years - Ace!

5.7 dumped & 5.9 installed on 22nd July:

OpenBSD 5.9 (GENERIC) #1561: Fri Feb 26 01:22:37 MST 2016
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II ("GenuineIntel" 686-class, 512KB L2 cache) 349 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PSE36,MMX,FXSR,PERF
real mem  = 267849728 (255MB)
avail mem = 250195968 (238MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 06/06/99, BIOS32 rev. 0 @ 0xfd861, SMBIOS rev. 2.1 @ 0xf7de5 (32 entries)
bios0: vendor IBM version "PDKT25AUK" date 06/06/99
bios0: IBM 6275540
acpi0 at bios0: rev 0### AML PARSE ERROR (0x57): Undefined name: OPT\^T
error in acpi_parse_aml

acpi0: sleep states
acpi0: tables DSDT FACP
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpicpu0 at acpi0: C1(@1 halt!)
bios0: ROM list: 0xc/0x8000
cpu0 at mainbus0: (uniprocessor)
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x02
intelagp0 at pchb0
agp0 at intelagp0: aperture at 0xec00, size 0x400
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x02
pci1 at ppb0 bus 1
vga1 at pci1 dev 1 function 0 "S3 Trio3D AGP" rev 0x01
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
piixpcib0 at pci0 dev 2 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 2 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 78167MB, 160086528 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
wd1 at pciide0 channel 1 drive 0: 
wd1: 16-sector PIO, LBA48, 308921MB, 632672208 sectors
atapiscsi0 at pciide0 channel 1 drive 1
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0:  ATAPI 5/cdrom removable
wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
cd0(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 2 function 2 "Intel 82371AB USB" rev 0x01: irq 10
piixpm0 at pci0 dev 2 function 3 "Intel 82371AB Power" rev 0x02: SMI
iic0 at piixpm0
spdmem0 at iic0 addr 0x50: 128MB SDRAM non-parity PC100CL3
spdmem1 at iic0 addr 0x51: 64MB SDRAM non-parity PC100CL3
spdmem2 at iic0 addr 0x52: 64MB SDRAM non-parity PC100CL3
spdmem3 at iic0 addr 0x55: 448MB DDR2 SDRAM PC2-2500CL5
em0 at pci0 dev 16 function 0 "Intel 82546GB" rev 0x03: irq 11, address 00:04:23:a8:92:0e
em1 at pci0 dev 16 function 1 "Intel 82546GB" rev 0x03: irq 10, address 00:04:23:a8:92:0f
puc0 at pci0 dev 18 function 0 "Moxa C168H" rev 0x01: ports: 8 com
com4 at puc0 port 0 irq 9: ns16550a, 16 byte fifo
com5 at puc0 port 1 irq 9: ns16550a, 16 byte fifo
com6 at puc0 port 2 irq 9: ns16550a, 16 byte fifo
com7 at puc0 port 3 irq 9: ns16550a, 16 byte fifo
com8 at puc0 port 4 irq 9: ns16550a, 16 byte fifo
com9 at puc0 port 5 irq 9: ns16550a, 16 byte fifo
com10 at puc0 port 6 irq 9: ns16550a, 16 byte fifo
com11 at puc0 port 7 irq 9: ns16550a, 16 byte fifo
puc1 at pci0 dev 20 function 0 "AT/Lucent Venus Modem" rev 0x00: ports: 1 com
com12 at puc1 port 0 irq 5: ns16550a, 16 byte fifo
com12: probed fifo depth: 0 bytes
isa0 at piixpcib0
isadma0 at isa0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt1 at isa0 port 0x278/4: polled
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on wd0a (364eb89ee13fc5c7.a) swap on wd0b dump on wd0b

# sysctl hw.sensors

# pcidump
Domain /dev/pci0:
 0:0:0: Intel 82443BX AGP
 0:1:0: Intel 82443BX AGP
 0:2:0: Intel 82371AB PIIX4 ISA
 0:2:1: Intel 82371AB IDE
 0:2:2: Intel 82371AB USB
 0:2:3: Intel 82371AB Power
 0:16:0: Intel 82546GB
 0:16:1: Intel 82546GB
 0:18:0: Moxa C168H
 0:20:0: AT/Lucent Venus Modem
 1:1:0: S3 Trio3D AGP

# acpidump -o acpidump; cat acpidump.headers

RSD PTR: Checksum=29, OEMID=IBM, RsdtAddress=0x0ffeff80


RSDT: Length=40, Revision=1, Checksum=229,
OEMID=IBM, OEM Table ID=CDTPWSPD, OEM Revision=0x1000,
Creator ID=IBM, Creator Revision=0x0


Entries={ 0x0ffeff00 }


DSDT=0xffeda00
INT_MODEL=PIC
SCI_INT=9
SMI_CMD=0xb2, ACPI_ENABLE=0xf0, ACPI_DISABLE=0xf1, S4BIOS_REQ=0x0
PM1a_EVT_BLK=0xfd00-0xfd03
PM1a_CNT_BLK=0xfd04-0xfd05

350MHz IBM Intel Pentium II runs 5.9 fine

2016-11-29 Thread Craig Skinner
Runs fine for me 24*7, for about 15 years. OpenBSD is SUPERB!

5.7 dumped & 5.9 installed on 22nd October:

OpenBSD 5.9 (GENERIC) #1561: Fri Feb 26 01:22:37 MST 2016
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II ("GenuineIntel" 686-class, 512KB L2 cache) 349 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PSE36,MMX,FXSR,PERF
real mem  = 200740864 (191MB)
avail mem = 184385536 (175MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 07/19/99, BIOS32 rev. 0 @ 0xfd861, SMBIOS rev. 2.1 @ 0xf7d95 (32 entries)
bios0: vendor IBM version "PDKT27AUS" date 07/19/99
bios0: IBM 6275500
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP
acpi0: wakeup devices PCI0(S5) PS2K(S1) PS2M(S1) COM1(S5) COM2(S5) USB0(S1)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!)
bios0: ROM list: 0xc/0x8000
cpu0 at mainbus0: (uniprocessor)
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x03
intelagp0 at pchb0
agp0 at intelagp0: aperture at 0xec00, size 0x400
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 1 function 0 "S3 Trio3D AGP" rev 0x01
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
piixpcib0 at pci0 dev 2 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 2 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 3079MB, 6306048 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
wd1 at pciide0 channel 1 drive 0: 
wd1: 16-sector PIO, LBA, 3079MB, 6306048 sectors
atapiscsi0 at pciide0 channel 1 drive 1
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0:  ATAPI 5/cdrom removable
wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
cd0(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 2 function 2 "Intel 82371AB USB" rev 0x01: irq 9
piixpm0 at pci0 dev 2 function 3 "Intel 82371AB Power" rev 0x02: SMI
iic0 at piixpm0
spdmem0 at iic0 addr 0x50: 64MB SDRAM non-parity PC100CL3
spdmem1 at iic0 addr 0x51: 64MB SDRAM non-parity PC100CL3
spdmem2 at iic0 addr 0x52: 64MB SDRAM ECC PC100CL2
spdmem3 at iic0 addr 0x55: 1GB DDR2 SDRAM PC2-5000CL5
xl0 at pci0 dev 16 function 0 "3Com 3c905B 100Base-TX" rev 0x64: irq 11, address 00:50:04:62:35:f8
bmtphy0 at xl0 phy 24: 3C905B internal PHY, rev. 0
xl1 at pci0 dev 18 function 0 "3Com 3c905B 100Base-TX" rev 0x30: irq 10, address 00:10:5a:f1:9d:b1
exphy0 at xl1 phy 24: 3Com internal media interface
isa0 at piixpcib0
isadma0 at isa0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on wd0a (868fd5d94428712f.a) swap on wd0b dump on wd0b

# sysctl hw.sensors

# pcidump
Domain /dev/pci0:
 0:0:0: Intel 82443BX AGP
 0:1:0: Intel 82443BX AGP
 0:2:0: Intel 82371AB PIIX4 ISA
 0:2:1: Intel 82371AB IDE
 0:2:2: Intel 82371AB USB
 0:2:3: Intel 82371AB Power
 0:16:0: 3Com 3c905B 100Base-TX
 0:18:0: 3Com 3c905B 100Base-TX
 1:1:0: S3 Trio3D AGP

# acpidump -o acpidump; cat acpidump.headers

RSD PTR: Checksum=33, OEMID=IBM, RsdtAddress=0x0bfeff80


RSDT: Length=40, Revision=1, Checksum=233,
OEMID=IBM, OEM Table ID=CDTPWSPD, OEM Revision=0x1000,
Creator ID=IBM, Creator Revision=0x0


Entries={ 0x0bfeff00 }


DSDT=0xbfed980
INT_MODEL=PIC
SCI_INT=9
SMI_CMD=0xb2, ACPI_ENABLE=0xf0, ACPI_DISABLE=0xf1, S4BIOS_REQ=0x0
PM1a_EVT_BLK=0xfd00-0xfd03
PM1a_CNT_BLK=0xfd04-0xfd05
PM2_TMR_BLK=0xfd08-0xfd0b
PM2_GPE0_BLK=0xfd0c-0xfd0f
P_LVL2_LAT=101ms, P_LVL3_LAT=1001ms
FLUSH_SIZE=0, FLUSH_STRIDE=0
DUTY_OFFSET=0, DUTY_WIDTH=0
DAY_ALRM=13, MON_ALRM=0, CENTURY=0
Flags={WBINVD,PROC_C1,SLP_BUTTON,RTC_S4}


DSDT: Length=9450, Revision=1, Checksum=15,
OEMID=IBM, OEM Table ID=CDTPWSPD, OEM Revision=0x1000,
Creator ID=MSFT, Creator Revision=0x107

# usbdevs -dv
Controller /dev/usb0:
addr 1: full speed, self powered, config 1, UHCI root hub(0x), Intel(0x8086), rev 1.00
  uhub0
 

OT Fwd: Alertbox: Distribution of Users' Computer Skills: Worse Than You Think

2016-11-15 Thread Craig Skinner
Begin forwarded message:

Across 33 rich countries, only 5% of the population has high
computer-related abilities, and only a third of people can complete
medium-complexity tasks:
https://www.nngroup.com/articles/computer-skill-levels/


Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: Failure to get unbound to talk to nsd on the same server

2016-10-12 Thread Craig Skinner
Hiya Johan,

On Tue, 11 Oct 2016 23:50:20 +0200 Johan Mellberg wrote:
> There is something weird here that I don't quite see/understand so I
> very much appreciate the input so far. 

DNS is fun to run! 

The skilled OpenBSD devs have given us well set up separated daemons.

Paul, I & others have been successfully running both NSD & unbound
together on OpenBSD servers for several years, since BIND removal.

After various attempts, what we've independently found to work is:
*) both daemons listening on localhost
*) NSD on a nonstandard port (on localhost only)
*) unbound using both of these directives:
   *) do-not-query-localhost: no (which you have)
   *) local-zone:   (see unbound.conf(5))

Also see 'private-domain: ' in unbound.conf(5).

Perhaps you could get them working together this way too,
and then alter single settings to establish what breaks?

Cool,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: Failure to get unbound to talk to nsd on the same server

2016-10-11 Thread Craig Skinner
Hi Johan,

On Mon, 10 Oct 2016 23:42:16 +0200 Johan Mellberg wrote:
> I have tried multiple combinations of ports and interface bindings and
> I suspect that I am missing something simple here. Currently I have
> set NSD to listen on 127.0.0.1 and Unbound listens on 192.168.x.91 -
> so there should not be a conflict.

For unbound to be the machine's resolver, it needs to listen on lo0.

> 
> * resolv.conf
> lookup file bind
> nameserver 192.168.x.91

Remove the lookup line, and change the nameserver line to:
nameserver 127.0.0.1

> 
> # cat /etc/myname
> dns03.my.domain
> 
> # cat /etc/hosts
> 127.0.0.1   localhost
> ::1 localhost
> 192.168.x.91   dns03.my.domain dns03
> 
> # cat /var/unbound/etc/unbound.conf
> # $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $
> 
> server:
> interface: 192.168.x.91
> interface: ::1
  # Add this line:
  interface: 127.0.0.1
> do-not-query-localhost: no
> 
> access-control: 192.168.x.64/24 allow
> access-control: 127.0.0.0/8 allow
> access-control: 0.0.0.0/0 refuse
> access-control: ::0/0 refuse
> access-control: ::1 allow
> 
> hide-identity: yes
> hide-version: yes
> 
> # Uncomment to enable DNSSEC validation.
> #
> auto-trust-anchor-file: "/var/unbound/db/root.key"
> 
> root-hints: /var/unbound/etc/root.hints
> 
  # Add these lines:
  private-address: 192.168.0.0/16
  private-domain: 'my.domain'
  local-zone: 'x.168.192.in-addr.arpa' typetransparent


> remote-control:
> control-enable: yes
> control-use-cert: no
> control-interface: /var/run/unbound.sock
> 
> stub-zone:
> name: "my.domain"
> stub-addr: 127.0.0.1
  # Add port 42 here:-
  # The ARPA Host Name Server Protocol (NAMESERVER)
  # is an obsolete network protocol > unused low port
  # http://en.wikipedia.org/wiki/ARPA_Host_Name_Server_Protocol
  stub-addr: 127.0.0.1@42
> stub-zone:
> name: "x.168.192.in-addr.arpa"
> stub-addr: 127.0.0.1
  # Again, add port 42 to the above line:
  stub-addr: 127.0.0.1@42
> 
> # cat /var/nsd/etc/nsd.conf
> # $OpenBSD: nsd.conf,v 1.11 2015/04/12 11:49:39 sthen Exp $
> 
> server:
> hide-version: yes
> verbosity: 1
> database: "" # disable database
> 
> ## bind to a specific address/port
> ip-address: 127.0.0.1
  # Again, add port 42 to the above line:
  ip-address: 127.0.0.1@42
> 
> remote-control:
> control-enable: yes
> 
> zone:
> name: "my.domain"
> zonefile: "master/my.domain"
> zone:
> name: "x.168.192.in-addr.arpa"
> zonefile: "master/192.168.x.rev"
> 

Hopefully those minor tweaks should get you going!

(As you had set 'do-not-query-localhost', probably the missing
companion typetransparent local-zone simply caught you out.)

While this post is 2 years old, the address and ports stuff is much the
same: http://marc.info/?l=openbsd-misc=141113669300630=2

While I've not tried it, another method could be instead of having NSD
listen on 127.0.0.1@42, have it listen on 127.0.0.53, which would
require another /etc/hostname.lo53, pf rules, etc...

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7
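The split-resolver layout worked out in this reply and in the 2016-10-12 summary above (unbound on 127.0.0.1, NSD on a nonstandard localhost port, every stub-addr carrying that port, and the companion local-zone for the reverse zone), as an added sanity check that is not code from the thread. The function name check_resolver_split, the 192.168.10.0/24 range and the sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity-check the unbound + NSD
# split described above. The sample configs below are constructed; on a real
# box point the check at /var/unbound/etc/unbound.conf and /var/nsd/etc/nsd.conf.
# check_resolver_split UNBOUND_CONF NSD_CONF: one line per problem, rc 0 if clean.
check_resolver_split() {
	ub=$1 nsd=$2 rc=0
	# unbound must listen on 127.0.0.1 to serve 'nameserver 127.0.0.1'.
	grep -Eq '^[[:space:]]*interface:[[:space:]]*127\.0\.0\.1[[:space:]]*$' "$ub" ||
		{ echo "unbound: no 'interface: 127.0.0.1'"; rc=1; }
	# unbound refuses to forward to localhost unless told so explicitly.
	grep -Eq '^[[:space:]]*do-not-query-localhost:[[:space:]]*no' "$ub" ||
		{ echo "unbound: 'do-not-query-localhost: no' missing"; rc=1; }
	# NSD needs an @port on 127.0.0.1, or it would clash with unbound on 53.
	nsd_port=$(sed -nE 's/^[[:space:]]*ip-address:[[:space:]]*127\.0\.0\.1@([0-9]+).*/\1/p' "$nsd" | head -n 1)
	[ -n "$nsd_port" ] || { echo "nsd: ip-address 127.0.0.1 has no @port"; rc=1; }
	# Every stub-addr on 127.0.0.1 must carry NSD's port (bare address means 53).
	bad=$(sed -nE 's/^[[:space:]]*stub-addr:[[:space:]]*127\.0\.0\.1(@([0-9]+))?[[:space:]]*$/\2/p' "$ub" |
		while read -r p; do [ -n "$p" ] || p=53; [ "$p" = "$nsd_port" ] || echo "$p"; done)
	[ -z "$bad" ] ||
		{ echo "unbound: stub-addr port(s) $(echo $bad) != nsd port ${nsd_port:-none}"; rc=1; }
	# RFC 1918 reverse stub zones fall inside unbound's built-in local zones,
	# so each needs a local-zone line overriding that default.
	for z in $(sed -nE 's/^[[:space:]]*name:[[:space:]]*"?([^"[:space:]]*in-addr\.arpa)"?.*/\1/p' "$ub"); do
		grep -Eq "^[[:space:]]*local-zone:[[:space:]]*[\"']?$z[\"']?[[:space:]]+(typetransparent|transparent|nodefault)" "$ub" ||
			{ echo "unbound: stub-zone $z has no local-zone override"; rc=1; }
	done
	return $rc
}
# Constructed samples: 'broken' mirrors the quoted configs (no 127.0.0.1
# interface, no @port, no local-zone); 'fixed' applies the suggested edits.
write_samples() {
	cat >"$1/broken.unbound" <<'EOF'
server:
    interface: 192.168.10.91
    do-not-query-localhost: no
stub-zone:
    name: "my.domain"
    stub-addr: 127.0.0.1
stub-zone:
    name: "10.168.192.in-addr.arpa"
    stub-addr: 127.0.0.1
EOF
	printf 'server:\n    ip-address: 127.0.0.1\n' >"$1/broken.nsd"
	cat >"$1/fixed.unbound" <<'EOF'
server:
    interface: 192.168.10.91
    interface: 127.0.0.1
    do-not-query-localhost: no
    local-zone: '10.168.192.in-addr.arpa' typetransparent
stub-zone:
    name: "my.domain"
    stub-addr: 127.0.0.1@42
stub-zone:
    name: "10.168.192.in-addr.arpa"
    stub-addr: 127.0.0.1@42
EOF
	printf 'server:\n    ip-address: 127.0.0.1@42\n' >"$1/fixed.nsd"
}
SAMPLES=$(mktemp -d) || exit 1
trap 'rm -rf "$SAMPLES"' EXIT
write_samples "$SAMPLES"
check_resolver_split "$SAMPLES/broken.unbound" "$SAMPLES/broken.nsd" || echo "broken: rejected"
check_resolver_split "$SAMPLES/fixed.unbound" "$SAMPLES/fixed.nsd" && echo "fixed: clean"
```

Run it on the real files after editing and rerun after each single change, which is the "alter single settings to establish what breaks" approach from the thread.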



Re: unbound and truly multihomed setup

2016-09-30 Thread Craig Skinner
Hi Gregory,

On Thu, 29 Sep 2016 14:30:05 +0300 Gregory Edigarov wrote:
> $ dig openbsd.org @127.0.0.1
> ; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> openbsd.org @127.0.0.1
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached

Debian isn't OpenBSD..

This means unbound isn't listening on localhost.

e.g:

<hostmaster@palm:~ 0>$ dig openbsd.org @127.1.2.7 

; <<>> DiG 9.4.2-P2 <<>> openbsd.org @127.1.2.7
;; global options:  printcmd
;; connection timed out; no servers could be reached


On OpenBSD, unbound's listening ports can be found with:

<hostmaster@palm:~ 0>$ fstat -u _unbound | fgrep internet
_unbound unbound151333* internet dgram udp 127.0.0.1:53
_unbound unbound151334* internet stream tcp 0x0 127.0.0.1:53
_unbound unbound151335* internet dgram udp 10.11.12.13:53
_unbound unbound151336* internet stream tcp 0x0 10.11.12.13:53

Ah dinnae ken aboot Debian.
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: unbound and truly multihomed setup

2016-09-30 Thread Craig Skinner
Hi Gregory,

On Thu, 29 Sep 2016 14:06:28 +0300 Gregory Edigarov wrote:
> I cannot use interfaces em1 and em2, it's where nsd is listening.

On OpenBSD, NSD listens on port 53,
and unbound sends queries out from various ports > 1023

On OpenBSD, there's no conflict.

An 'outgoing-interface: ' is not a listening 'interface: ...'

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: rc.d script with functions won't run

2016-09-30 Thread Craig Skinner
Hi Murk,

On Thu, 29 Sep 2016 21:50:44 +0200 Murk Fletcher wrote:
> I got this startup script for my app:
> https://gist.github.com/anonymous/c0339b1dae3eeff3a461b8787824838b
> ... but in debugging I see these functions can't be found.

From rc.subr(8), put your overrides inside the proper function, e.g:

rc_check()
{
	cd ${app_home} || return
	${daemon} status
}

Cheers,
--
Craig Skinner | http://linkd.in/yGqkv7



Re: unbound and truly multihomed setup

2016-09-29 Thread Craig Skinner
Hi Gregory,

On Thu, 29 Sep 2016 10:48:37 +0300 Gregory Edigarov wrote:
> em0 (xxx.yyy,zzz.1/24),
> em1, em2 - looking at uplinks
> ...
> 
>  outgoing-interface: 0.0.0.0

Removing the outgoing-interface line would probably resolve it.


Adding this private-address line might help too:

private-address: xxx.yyy.zzz.0/24


Multiple outgoing-interface lines can be put in,
for each of your em1 & em2 interfaces,
and separate lines for IPv4 & IPv6 too, for each interface.

The default is 'all', so it's a bit pointless to manually list all your
external interfaces.


See /usr/src/usr.sbin/unbound/doc/example.conf.in
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/unbound/doc/example.conf.in

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: usb disk dirty after every reboot

2016-09-20 Thread Craig Skinner
Hi Jan,

On Mon, 19 Sep 2016 18:22:37 +0200 Jan Stary wrote:
> 
> 9d24108772d1158c.a /backup ffs rw,softdep,noatime,nodev,noexec
> 

With softdep everywhere, would this help in /etc/rc.shutdown?

for i in 4 3 2 1
do
	sync
	sleep ${i}
done



Re: spamd question

2016-09-09 Thread Craig Skinner
Hi Kasper,

On Thu, 8 Sep 2016 17:51:45 +0200 Kasper Haitsma wrote:
> >> 5.9 -> 5.9 nothing at all
> >
> > Fix this problem first.
> 
> if this is fixed, I trust, all is fixed.

Hopefully it's on to happy days then!!!


As you've got spamd_flags=" -y bge1 & -Y bge1"

Try changing the bge1 to ipv4 addresses & restarting spamd.

If that works, then change back to bge1 and check if you also have
'multicast=YES' in /etc/rc.conf.local?

In older versions, the rc parameter was called 'multicast_host', but
the '_host' bit got dropped: http://www.openbsd.org/faq/upgrade59.html

Enabling that would need either a root 'sh /etc/netstart' or reboot.

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: spamd question

2016-09-08 Thread Craig Skinner
Hi Kasper,

On 2016-09-07 Wed 15:07 PM |, Kasper Haitsma wrote:
> 5.9 -> 5.9 nothing at all

Fix this problem first.

> 
> pf.conf is the same on all 4 boxes

spamd's pf rules changed in 5.8:
http://www.openbsd.org/faq/upgrade58.html

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: spamd question

2016-09-06 Thread Craig Skinner
Hi Kasper,

On 2016-09-05 Mon 17:26 PM |, Kasper Haitsma wrote:
> spamd-sync packages arrive at the 5.9 box, but 

You've got 2 5.0 machines syncing.

Can you get 2 5.9 machines syncing?



[Job] Senior Firewall Technician in Edinburgh, Scotland

2016-08-15 Thread Craig Skinner
I've no connection, but thought it might be of interest to others:

http://www.JobServe.Co.UK/Ep1qJ

British jobs are often 37 hours/wk, ~30 days paid holiday & monthly pay.


