Re: php or nginx chroot?

[Hasse Hansson]

Hello.
This article was of great help to me when setting up nginx + php-fpm
http://it-karma.blogspot.se/2013/01/installing-and-configuring-nginx-and.html

All the best Hasse

On Sat, Mar 01, 2014 at 01:55:14PM -0500, Aaron wrote:
> Hi,
> 
> I've been using openbsd for a while now but just recently decided to
> use nginx to provide http services.  Currently I'm running OBSD 5.4
> stable on a HP dl360 g6.  I'm new to php-fpm and nginx but trying to
> work through it.  Previously I worked through the issues of having
> apache chrooted and made things work but I've been having a bit of
> difficulty with the new setup.  This is of course an subjective
> question but do the guru's here feel it's more important to chroot
> nginx or to use a chroot for php-fpm?
> 
> I've had a difficult time getting quite a few different php
> applications working with a chroot set with php-fpm, and of course
> since most of them (piwigo, modx, coppermine etc) seem to be
> developed for an apache2/mod_php environment, the forums there
> aren't a ton of help usually.
> 
> Since this isn't a specific issue I haven't provided any configs,
> but if someone would like, I certainly can.
> 
> Thanks,
> 
> Aaron

Re: Mapping pf syslog rule numbers to lines in pf.conf

[Hasse Hansson]

On Mon, Jan 26, 2015 at 03:42:22PM -0500, Alan McKay wrote:
> Hey folks,
> 
> This one seems to be difficult to google - not coming up with much.
> 
> I have some firewall blocks I want to investigate and of course they
> are reported as matching a specific rule number - but I am not sure
> how to map that back to a line in my pf.conf
> 
> Could someone enlighten me?
> 
> thanks,
> -Alan
> 
> -- 
> "Don't eat anything you've ever seen advertised on TV"
>  - Michael Pollan, author of "In Defense of Food"
> 
Don't know if this is what you're after, but it will list the rules by number.
pfctl -g -s rules | grep '@'

/Hasse

stuck on spamd

[Hasse Hansson]

Hello list

I have a problem with spamd. It just don't seem to grey list or block,
or do anything else either. I can receive and send mail as usual.

First I had spamlogd_flags="" in my rc.conf local, but then it immediatly
whitelisted every conection on port 25, even the spammer I try to tarpit,
so after some "googling" I changed it to spamlogd_flags="-I -i lo0"
but now it don't seem to do anything useful at all, just pass traffic.
"spamdb | sort" shows nothing. It's empty, and so is "smtp# pfctl -t 
spamd-white -T show"

The spammer I try to tarpit is showing up in the maillog with IP-address 
158.69.204.241
which also added to the file /etc/mail/spammers.txt
 
Below are som info on my setup and some logfiles.


smtp# uname -a
OpenBSD smtp.bara1.se 6.3 GENERIC.MP#0 amd64
-

smtp# cat /etc/rc.conf.local
pkg_scripts=postfix dovecot saslauthd dbus_daemon avahi_daemon messagebus
smtpd_flags=NO
spamd_black=NO
spamd_flags="-v -G 2:4:864"
spamlogd_flags="-I -i lo0"
unbound_flags=
---

smtp# cat /etc/pf.conf
ext_if = "em0"
int_if = "fxp0"
localnet = $int_if:network
tcp_services = "{ domain, ntp, imap, imaps, pop3, pop3s }"
mail_services = "{ smtp, smtps, submission }"
udp_services = "{ domain, ntp }"
icmp_types = "echoreq"

table  { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24\
   203.0.113.0/24 }

table  persist
table  persist file "/etc/abusers"
table  persist
table  persist file "/etc/mail/nospamd"

set block-policy drop
set loginterface egress
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)

antispoof quick for { egress $ext_if int_if }

#pass in on egress inet proto tcp from any to any port smtp divert-to 127.0.0.1 
port spamd
pass in on egress inet proto tcp from any to any port $mail_services divert-to 
127.0.0.1 port spamd
pass in on egress proto tcp from  to any port smtp
pass in log on egress proto tcp from  to any port smtp
pass out log on egress proto tcp to any port smtp

block in quick on egress from  to any
block return out quick on egress from any to 

block in quick log on egress from  to any label "abusers"

block all
pass out quick inet

pass in on { $ext_if } inet

pass log quick proto tcp from any to (egress) port ssh flags S/SA keep state 
(max-src-conn 15, max-src-conn-rate 5/3, overload  flush global)
pass log quick proto tcp from any to (egress) port $tcp_services flags S/SA 
keep state (max-src-conn 50, max-src-conn-rate 15/5, overload  
flush global)
pass log quick proto tcp from any to (egress) port $mail_services flags S/SA 
keep state (max-src-conn 50, max-src-conn-rate 25/5, overload  
flush global)

# pass in on egress inet proto tcp from any to (egress) port { 80 443 } rdr-to 
192.168.1.2

pass inet proto tcp from { self, $localnet }

pass quick inet proto tcp to port $tcp_services keep state
pass quick inet proto tcp to port $mail_services keep state

pass quick inet proto udp to port $udp_services keep state
pass out on $ext_if inet proto udp to port 33433 >< 33626
pass inet proto icmp all icmp-type $icmp_types


smtp# cat /etc/mail/spamd.conf
all:\
:nixspam:

# Nixspam recent sources list.
# Mirrored from http://www.heise.de/ix/nixspam
nixspam:\
:black:\
:msg="Your address %A is in the nixspam list\n\
See http://www.heise.de/ix/nixspam/dnsbl_en/ for details":\
:method=http:\
:file=www.openbsd.org/spamd/nixspam.gz

ymer:\
:black:\
:msg="SPAM.  All spmmers get reported !
:method=file:\
:file=/etc/mail/spammers.txt
-

smtp# ps -aux | grep "_spamd"
_spamd   69313  0.0  0.0  9708  1552 ??  Ssp4:13PM0:00.07 spamd: (pf 
 update) (spamd)
_spamd   98521  0.0  0.1  9892  4880 ??  Sp 4:13PM0:00.03 spamd: [priv] 
(greylist) (spamd)
_spamd   73091  0.0  0.0  9652  1096 ??  Ip 4:13PM0:00.00 spamd: 
(/var/db/spamd update) (spamd)
_spamd   45365  0.0  0.0   592  1180 ??  Ssp4:13PM0:00.07 
/usr/libexec/spamlogd -I -i lo0
-

smtp# cat /var/log/spamd
Jun 11 12:10:33 smtp spamd[5122]: listening for incoming connections.
Jun 11 13:08:43 smtp spamd[83538]: listening for incoming connections.
Jun 11 13:17:57 smtp spamd[19498]: listening for incoming connections.
Jun 11 14:12:33 smtp spamd[56085]: listening for incoming connections.
Jun 11 15:01:20 smtp spamd[98811]: listening for incoming connections.
Jun 11 15:12:08 smtp spamd[93875]: listening for incoming connections.
Jun 11 16:07:36 smtp spamd[24550]: listening for incoming connections.
Jun 11 16:13:30 smtp spamd[98521]: listening for incoming connections.
Jun 11 19:39:54 smtp spamd[99504]: lis

Re: stuck on spamd

[Hasse Hansson]

Hello and thank you for your answer.
I've adjusted my settings according to your advice, but now it looks like
it just directly whitelist every connection without greylisting.

smtp$ sudo spamdb | sort
WHITE|104.47.1.210|||1528919648|1528919648|1532030048|1|0
WHITE|104.47.6.201|||1528919611|1528919611|1532030011|1|0
WHITE|185.234.216.189|||1528917936|1528917936|1532029991|1|3
WHITE|185.234.216.204|||1528919598|1528919598|1532029998|1|0
WHITE|209.85.213.46|||1528918933|1528918933|1532029333|1|0
WHITE|209.85.213.53|||1528918873|1528918873|1532029273|1|0
WHITE|40.92.67.106|||1528918696|1528918696|1532029096|1|0
WHITE|40.92.68.98|||1528918725|1528918725|1532029125|1|0
WHITE|59.70.207.21|||1528918455|1528918455|1532028855|1|0
WHITE|91.121.119.198|||1528919326|1528919326|1532029726|1|0
WHITE|91.136.10.81|||1528919583|1528919583|1532029983|1|0

This is how my files look like now. spamd.conf is the original one.
 
smtp$ sudo cat /etc/rc.conf.local
httpd_flags=
pkg_scripts=postfix dovecot saslauthd dbus_daemon avahi_daemon messagebus 
mysqld php70_fpm
smtpd_flags=NO
unbound_flags=
spamd_flags="-v -G 2:4:864"
spamd_grey=YES
spamlogd_flags="-I"
-
smtp$ sudo cat /etc/pf.conf
ext_if = "em0"
int_if = "fxp0"
localnet = $int_if:network
tcp_services = "{ domain, ntp, imap, imaps, pop3, pop3s }"
mail_services = "{ smtp, smtps, submission }"
udp_services = "{ domain, ntp }"
icmp_types = "echoreq"

table  { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24\
   203.0.113.0/24 }

table  persist
table  persist file "/etc/abusers"
table  persist
table  persist file "/etc/mail/nospamd"

set block-policy drop
set loginterface egress
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)

antispoof quick for { egress $ext_if int_if }

block in quick on egress from  to any
block return out quick on egress from any to 

block in quick log on egress from  to any label "abusers"

block all
pass out quick inet

pass in on egress inet proto tcp from any to any port smtp \
divert-to 127.0.0.1 port spamd
pass in on egress proto tcp from  to any port smtp
pass in log on egress proto tcp from  to any port smtp
pass out log on egress proto tcp to any port smtp

pass in on { $ext_if } inet

pass log quick proto tcp from any to (egress) port ssh flags S/SA keep state \
(max-src-conn 15, max-src-conn-rate 5/3, overload  flush 
global)

pass log quick proto tcp from any to (egress) port $tcp_services flags S/SA 
keep state \
(max-src-conn 50, max-src-conn-rate 15/5, overload  flush 
global)

pass log quick proto tcp from any to (egress) port $mail_services flags S/SA 
keep state \
(max-src-conn 50, max-src-conn-rate 25/5, overload  flush 
global)

pass in on egress inet proto tcp from any to (egress) port { 80 443 }

pass inet proto tcp from { self, $localnet }

pass quick inet proto tcp to port $tcp_services keep state
pass quick inet proto tcp to port $mail_services keep state

pass quick inet proto udp to port $udp_services keep state
pass out on $ext_if inet proto udp to port 33433 >< 33626
pass inet proto icmp all icmp-type $icmp_types

Re: stuck on spamd (SOLVED)

[Hasse Hansson]

Thank you for your answer.
I made some adjustments to my pf.conf according to your advice,
and now it's working as I expected.

smtp$ cat spamd

Jun 14 11:30:39 smtp spamd[12751]: 185.234.216.204: disconnected after 12 
seconds.
Jun 14 11:30:46 smtp spamd[12751]: 91.121.119.198: connected (1/0)
Jun 14 11:30:49 smtp spamd[12751]: 91.121.119.198: disconnected after 3 seconds.
Jun 14 11:33:06 smtp spamd[12751]: 185.234.216.189: connected (1/0)
Jun 14 11:33:18 smtp spamd[12751]: 185.234.216.189: disconnected after 12 
seconds.
Jun 14 11:35:36 smtp spamd[12751]: 8.8.178.116: connected (1/0)
Jun 14 11:35:48 smtp spamd[12751]: (GREY) 8.8.178.116: 
 -> 
Jun 14 11:35:48 smtp spamd[12751]: 8.8.178.116: disconnected after 12 seconds.
Jun 14 11:41:38 smtp spamd[12751]: 8.8.178.116: connected (1/0)
Jun 14 11:41:49 smtp spamd[12751]: (GREY) 8.8.178.116: 
 -> 
Jun 14 11:41:50 smtp spamd[12751]: 8.8.178.116: disconnected after 12 seconds.
Jun 14 11:42:16 smtp spamd[12751]: 185.234.216.189: connected (1/0)
Jun 14 11:42:27 smtp spamd[12751]: 185.234.216.189: disconnected after 11 
seconds.
--

$sudo spamdb | sort
GREY|91.136.10.242|mail37c50.megamailservers.eu|||1528971077|1528985477|1528985477|1|0
GREY|91.136.10.246|mail56c50.megamailservers.eu|<||1528971015|1528985415|1528985415|1|0
GREY|91.136.10.248|mail56c50.megamailservers.eu|||1528970741|1528971075|1528985141|2|0
WHITE|209.85.213.47|||1528970463|1528970663|1532081115|2|0
WHITE|8.8.178.116|||1528968948|1528969309|1532080298|2|1
WHITE|91.136.10.240|||1528970713|1528971017|1532081475|2|0
WHITE|91.136.10.248|||1528970741|1528971075|1532081535|2|0

--

localnet = $int_if:network
tcp_services = "{ domain, ntp, imap, imaps, pop3, pop3s }"
#mail_services = "{ smtp, smtps, submission }"
mail_services = "{ smtps, submission }"
udp_services = "{ domain, ntp }"
icmp_types = "echoreq"

table  { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24\
   203.0.113.0/24 }

table  persist
table  persist file "/etc/abusers"
table  persist
table  persist file "/etc/mail/nospamd"

set block-policy drop
set loginterface egress
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)

antispoof quick for { egress $ext_if int_if }

block in quick on egress from  to any
block return out quick on egress from any to 

block in quick log on egress from  to any label "abusers"

block all
#pass out quick inet

pass in on egress inet proto tcp from any to any port smtp \
divert-to 127.0.0.1 port spamd
pass in on egress proto tcp from  to any port smtp
pass in log on egress proto tcp from  to any port smtp
pass out log on egress proto tcp to any port smtp

#pass in on { $ext_if } inet

pass log quick proto tcp from any to (egress) port ssh flags S/SA keep state \
(max-src-conn 15, max-src-conn-rate 5/3, overload  flush 
global)

pass log quick proto tcp from any to (egress) port $tcp_services flags S/SA 
keep state \
(max-src-conn 50, max-src-conn-rate 15/5, overload  flush 
global)

pass log quick proto tcp from any to (egress) port $mail_services flags S/SA 
keep state \
(max-src-conn 50, max-src-conn-rate 25/5, overload  flush 
global)

pass in on egress inet proto tcp from any to (egress) port { 80 443 }

pass inet proto tcp from { self, $localnet }

pass log inet proto tcp to port $tcp_services keep state
pass log inet proto tcp to port $mail_services keep state

pass quick inet proto udp to port $udp_services keep state
pass out on $ext_if inet proto udp to port 33433 >< 33626
pass inet proto icmp all icmp-type $icmp_types

Re: stuck on spamd (SOLVED)

[Hasse Hansson]

On Thu, Jun 14, 2018 at 11:42:12AM +0100, Craig Skinner wrote:
> Hej hej Hasse,
> 
> On Wed, 13 Jun 2018 22:05:29 +0200 Hasse Hansson wrote:
> > I've adjusted my settings according to your advice, but now it looks
> > like it just directly whitelist every connection without greylisting.
> > 
> > .
> > 
> > ...
> > 
> > This is how my files look like now. spamd.conf is the original one.
> 
> Your spamd.conf file was missing a line terminator. Double quotes are
> opened, but not closed. Could this confuse spamd? Fix & restart spamd.
> 
> Next, check your syslogs for spamd, spamlogd & spamd-setup activity.
> 
> If that doesn't provide the answer, try removing all quick words from
> pf.conf. Block everything, then progressively pass traffic down the
> file. Reload your new rules & check spam* syslog entries.
> 
> Cheers,
> -- 
> Craig Skinner | http://linkd.in/yGqkv7
>
Hello and thank you for answering.
Yes, the problem was with my pf.conf :-)
after adjusting the rules, and using the original spamd.conf,
it's now working as I expected.
TY for all help.
/Hasse 

Re: httpd acme-client renew multiple domains

[Hasse Hansson]

On Sat, Mar 23, 2019 at 07:05:53PM +0100, Mischa wrote:
> Hi Geir,
> 
> I have solved this with a little script.
> 
> ###
> #!/bin/sh
> OUT=2
> /usr/sbin/acme-client -v www.example.com
> if test  $? -eq 0
> then EXT=$?
> fi
> /usr/sbin/acme-client -v www.example1.com
> if test $? -eq 0
> then EXT=$?
> fi
> if test $EXT -eq 0
> then
> echo "New certificates installed."
> rcctl restart httpd
> else echo "No new certificates installed."
> fi
> ###
> 
> Added the following to cron:
> @daily  sleep $((RANDOM \% 2048)) && /home/mischa/bin/lets.sh
> 
> Hope this helps.
> 
> Mischa
> 
> 
> On 23 Mar at 16:39, Geir Svalland  wrote:
> > Hello
> > mtp$ uname -a
> > OpenBSD smtp.thorshammare.org 6.4 GENERIC.MP#8 amd64
> > 
> > I'm hosting and serving multiple domains, 5 of them, using httpd.
> > The domains are declared in /etc/acme-client.conf, and in my initial
> > setup I used the command "acme-client -vAD example.com" on every domain 
> > to create
> > the certs. All of this is working great, but my question is regarding 
> > updating.
> > 
> > I intend to use a cron job for this, "acme-client example.com && rcctl 
> > reload httpd"
> > but I'm not able to get this working for all of the domains in one 
> > single command.
> > 
> > Is that possible to do ?
> > Or do I have to use 5 differen lines with one domain name on each?
> > 
> > All the best
> > Geir Svalland
> > 
> 

Thank you very much for your answer Mischa.
I will use your solution.

/Geir

Re: httpd acme-client renew multiple domains

[Hasse Hansson]

On Mon, Mar 25, 2019 at 12:40:23AM -, Stuart Henderson wrote:
> On 2019-03-23, Mischa  wrote:
> > Hi Geir,
> >
> > I have solved this with a little script.
> >
> > ###
> > #!/bin/sh
> > OUT=2
> > /usr/sbin/acme-client -v www.example.com
> > if test  $? -eq 0
> > then EXT=$?
> > fi
> > /usr/sbin/acme-client -v www.example1.com
> > if test $? -eq 0
> > then EXT=$?
> > fi
> > if test $EXT -eq 0
> > then
> > echo "New certificates installed."
> > rcctl restart httpd
> > else echo "No new certificates installed."
> > fi
> > ###
> 
> Simpler:
> 
> for i in www.example.com www.example1.com; do
>   acme-client -v $i && reload=y
> done
> [[ -n $reload ]] && rcctl reload httpd
> 
>

Thanks a lot.
/Geir 

please ignore (greylisting)

[Hasse Hansson]

Test

Re: httpd acme-client renew multiple domains

[Hasse Hansson]

On Mon, Mar 25, 2019 at 02:49:01PM +0100, Solene Rapenne wrote:
> On Mon, Mar 25, 2019 at 02:27:19PM +0100, Mischa wrote:
> > 
> > 
> > > On 25 Mar 2019, at 01:40, Stuart Henderson  wrote:
> > > 
> > > On 2019-03-23, Mischa  wrote:
> > >> Hi Geir,
> > >> 
> > >> I have solved this with a little script.
> > >> 
> > >> ###
> > >> #!/bin/sh
> > >> OUT=2
> > >> /usr/sbin/acme-client -v www.example.com
> > >> if test  $? -eq 0
> > >> then EXT=$?
> > >> fi
> > >> /usr/sbin/acme-client -v www.example1.com
> > >> if test $? -eq 0
> > >> then EXT=$?
> > >> fi
> > >> if test $EXT -eq 0
> > >> then
> > >>echo "New certificates installed."
> > >>rcctl restart httpd
> > >> else echo "No new certificates installed."
> > >> fi
> > >> ###
> > > 
> > > Simpler:
> > > 
> > > for i in www.example.com www.example1.com; do
> > >  acme-client -v $i && reload=y
> > > done
> > > [[ -n $reload ]] && rcctl reload httpd
> > 
> > Nice!! I have a couple of more domains in there, so the 'for' becomes a 
> > little ugly, but I keep forgetting &&.
> > It's indeed not needed to use the actual exit code.
> > 
> > Mischa
> > 
> > 
> 
> One could easily write something like this:
> 
> #!/bin/sh
> 
> UPDATE=0
> for domain in $(awk '/^domain/ { print $2 }' /etc/acme-client.conf)
> do
>   acme-client $domain
>   if [ $? -eq 0 ]; then UPDATE=1 fi
> done
> 
> if [ $UPDATE -ne 0 ]; then
>   rcctl restart httpd dovecot smtpd
> fi
> 
> you could also handle the exit status per domain if you want more
> informations. I did write the script for this mail, it may contains
> errors.
> 
Thanks a lot, everybody, for helping.
Very nice solutions.
/Geir

Re: httpd acme-client renew multiple domains

[Hasse Hansson]

On Sat, Mar 23, 2019 at 07:05:53PM +0100, Mischa wrote:
> Hi Geir,
> 
> I have solved this with a little script.
> 
> ###
> #!/bin/sh
> OUT=2
> /usr/sbin/acme-client -v www.example.com
> if test  $? -eq 0
> then EXT=$?
> fi
> /usr/sbin/acme-client -v www.example1.com
> if test $? -eq 0
> then EXT=$?
> fi
> if test $EXT -eq 0
> then
> echo "New certificates installed."
> rcctl restart httpd
> else echo "No new certificates installed."
> fi
> ###
> 
> Added the following to cron:
> @daily  sleep $((RANDOM \% 2048)) && /home/mischa/bin/lets.sh
> 
> Hope this helps.
> 
> Mischa
> 
> 
> On 23 Mar at 16:39, Geir Svalland  wrote:
> > Hello
> > mtp$ uname -a
> > OpenBSD smtp.thorshammare.org 6.4 GENERIC.MP#8 amd64
> > 
> > I'm hosting and serving multiple domains, 5 of them, using httpd.
> > The domains are declared in /etc/acme-client.conf, and in my initial
> > setup I used the command "acme-client -vAD example.com" on every domain 
> > to create
> > the certs. All of this is working great, but my question is regarding 
> > updating.
> > 
> > I intend to use a cron job for this, "acme-client example.com && rcctl 
> > reload httpd"
> > but I'm not able to get this working for all of the domains in one 
> > single command.
> > 
> > Is that possible to do ?
> > Or do I have to use 5 differen lines with one domain name on each?
> > 
> > All the best
> > Geir Svalland
> > 
> 

Thank you very much Mischa.
Yes, this will do it for me. Very nice.

Have a nice weekend.

/Geir 

Re: Nobody said it yet...

[Hasse Hansson]

On Fri, Oct 18, 2019 at 08:03:04PM -0400, STeve Andre' wrote:
> Happy birthday to OpenBSD!
>Happy Birthday ! 

Re: I hate Spam

[Hasse Hansson]

-Oprindelig meddelelse-
Fra: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] Pe vegne af
rancor
Sendt: den 11 maj 2011 21:33
Til: OpenBSD MailingList; misc@openbsd.org
Emne: Re: I hate Spam

I second that!

Some must live the perfect life if a couple of spam messages is considered
as a problem.

I often use a key on my keyboard named "Delete", takes no time at all and I
can sleep well at night.

// rancor

2011/5/11 Mikkel C. Simonsen 

> OpenBSD MailingList wrote:
>
>> and receive a lot of spam mail through the lists.
>>
>
> I only receive a couple a day - no problem at all.
>
>  Just wondering how other subscribers solving this mather ?
>>
>
> I use the messages that pass through for training bogofilter :)
>
> Best regards,
>
> Mikkel C. Simonsen

Thanks for the answers.
Apparently I didn't make myself clear enough.
I'm not complaining about a couple of spam-mails.
I posted this message to try to learn something from more experienced users.
Like tips & tricks on the mentioned spamd and spamassassin, hell yeah, even
sendmail.
So tips like the above, are especially valuable.


I often use a key on my keyboard named "Delete", takes no time at all and I
can sleep well at night.
>/snip>

All the best
/Hasse

Re: I hate Spam

[Hasse Hansson]

-Oprindelig meddelelse-
Fra: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] Pe vegne af
Stuart Henderson
Sendt: den 11 maj 2011 21:11
Til: SpamTrap
Cc: misc@openbsd.org
Emne: Re: I hate Spam

In gmane.os.openbsd.misc, you wrote:
> I'm new to this list and to OpenBSD,  and currently signed up for misc,
> ports and www lists,
>
> and receive a lot of spam mail through the lists.

Most of it is on www@ (because the address is at the bottom of
many of the web pages), unsubscribe from that and you'll see a big
reduction.

> Just wondering how other subscribers solving this mather ?

Personally I read these lists on gmane.org via NNTP, using slrn
with decent killfiles which get rid of a lot of the junk (and
even better, can killfile a thread or an annoying person with
about 3 keypresses, which saves way more time than the spam
filtering).


Thank you for your answer.

Yes, looks like you're right about www.
Think I will drop that list. Not because of the spam, but it don't seem to
be very productive anyway.

This far, the mail I receive from the OpenBSD lists, approximately 25% is
spam, ( subscribed for 3 days )
and that made me a bit curious, because I'm also subscribed to several list
at FreeBSD but don't see this pattern there.

The main reason for me bringing up this subject, is to try to get a grip on
the 3 tools I'm using. Spamd, spamassassin and procmail.

The relevant part of my sendmail.cf :
dnl
FEATURE(local_procmail)dnl
MAILER(procmail)dnl
MAILER(smtp)dnl
INPUT_MAIL_FILTER(`clmilter',`S=local:/var/clamav/clmilter.sock, F=,
T=S:4m;R:4m')dnl
Dnl

Spamd : enabled greylisting

Spamassassin : edited local.cf and manually added blacklist_from entries.

Procmail : my procmailrc looks like this:
DROPPRIVS=yes
:0fw
| /usr/local/bin/spamc
:0:
* ^X-Spam-Status: Yes
in-x-spam

I suspect the key to success is to configure procmailrc in a proper way ?

Open for all suggestions, pointers in the right direction etc.

And yes, I have tried googling and reading man pages, but off course missed
the point :-)

/Hasse

Re: dump -L

[Hasse Hansson]

O... So sorry... I forgot

"I will not use FreeBSD documentation for OpenBSD."
"I will not use FreeBSD documentation for OpenBSD."
"I will not use FreeBSD documentation for OpenBSD."

:-)  Hasse


-Oprindelig meddelelse-
Fra: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] Pe vegne af
ropers
Sendt: den 8 september 2011 21:06
Til: Admin ValhallaProjectet
Cc: misc@openbsd.org
Emne: Re: dump -L

On 8 September 2011 17:59, Admin ValhallaProjectet
 wrote:
>
> I intend to use dump for backups, but got a bit confused about the lack of
> the "-L" switch
>
> I would usually issue a command like " /sbin/dump -0Lauf "  to make a
> snapshot of a living file system to back up.

I'm not sure why you want to use the -L, given that your above command
line doesn't include a label (and that's what the -L is for, cf.
). Uncritical copypasta?

The -L parameter is something available in this version of dump:

Note that it says there (emphasis added):

> This is the home page of the **Linux** Ext2 filesystem dump/restore
utilities.

Philosophy-wise, the thousands of different parts that Linux OSes
consist of tend to be developed in a thousand different places -- and
then pulled from those places by Linux distro makers who assemble
their particular brand of Linux from those many pieces (or from others
who make a similar flavour and have already done some pulling and
assembling). These Linux dump/restore utils are one such piece.

*BSDs don't tend to do that. *BSDs tend to be monolithic. The parts
that *BSDs consist of are generally "not sold separately", and are all
in the (main code-) base tree and maintained there. As is the dump
that comes with OpenBSD. Even where (as here) the license is the same
on the *BSD and Linux side, *BSD commands are not always or not
typically the same as their Linux counterparts.

An important philosophical difference is that on the Linux side,
commands and utilities (particularly GNU ones) tend to have more knobs
and buttons than on the *BSD side. And that is the case here. The -L
doesn't exist in OpenBSD's dump(8)
. The rationale for
the fewer knobs is that less is more -- and often more POSIX-conform
(though dump/restore aren't in the POSIX spec anyway, so whatever
).
Seeing that both the Linux dump and OpenBSD's dump are BSD licensed,
it *might* be possible to write a diff and add that feature to
OpenBSD's dump -- however, you'd probably have to have a pretty good
reason for adding another knob to OpenBSD's dump, and I reckon getting
a diff that does do that accepted into base might be an uphill battle,
as it might be seen to run counter to *BSD philosophy. But hey, I
don't make the rules, I don't even write ANY of the code, so don't let
my outside-looking-in observations put you off.

regards,
--ropers

PS:

AHA!

http://www.freebsd.org/cgi/man.cgi?query=dump

You little rogue and rascally scoundrel! ;-P Gotcha! ;-D
'Figured it out about your use of -L!

Now, repeat after me:

"I will not use FreeBSD documentation for OpenBSD."
"I will not use FreeBSD documentation for OpenBSD."
"I will not use FreeBSD documentation for OpenBSD."

Re: dump -L

[Hasse Hansson]

LOL !
Yup, you realy got me.
I'm coming from FreeBSD.
And, yes, I'am little bit confused, and some time totally out in the wild
:-)
That's why it's so nice to have someone to lean on.
Thanks for your answer.
/Hasse.

-Oprindelig meddelelse-
Fra: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] Pe vegne af
ropers
Sendt: den 8 september 2011 21:06
Til: Admin ValhallaProjectet
Cc: misc@openbsd.org
Emne: Re: dump -L

On 8 September 2011 17:59, Admin ValhallaProjectet
 wrote:
>
> I intend to use dump for backups, but got a bit confused about the lack of
> the "-L" switch
>
> I would usually issue a command like " /sbin/dump -0Lauf "  to make a
> snapshot of a living file system to back up.

I'm not sure why you want to use the -L, given that your above command
line doesn't include a label (and that's what the -L is for, cf.
). Uncritical copypasta?

The -L parameter is something available in this version of dump:

Note that it says there (emphasis added):

> This is the home page of the **Linux** Ext2 filesystem dump/restore
utilities.

Philosophy-wise, the thousands of different parts that Linux OSes
consist of tend to be developed in a thousand different places -- and
then pulled from those places by Linux distro makers who assemble
their particular brand of Linux from those many pieces (or from others
who make a similar flavour and have already done some pulling and
assembling). These Linux dump/restore utils are one such piece.

*BSDs don't tend to do that. *BSDs tend to be monolithic. The parts
that *BSDs consist of are generally "not sold separately", and are all
in the (main code-) base tree and maintained there. As is the dump
that comes with OpenBSD. Even where (as here) the license is the same
on the *BSD and Linux side, *BSD commands are not always or not
typically the same as their Linux counterparts.

An important philosophical difference is that on the Linux side,
commands and utilities (particularly GNU ones) tend to have more knobs
and buttons than on the *BSD side. And that is the case here. The -L
doesn't exist in OpenBSD's dump(8)
. The rationale for
the fewer knobs is that less is more -- and often more POSIX-conform
(though dump/restore aren't in the POSIX spec anyway, so whatever
).
Seeing that both the Linux dump and OpenBSD's dump are BSD licensed,
it *might* be possible to write a diff and add that feature to
OpenBSD's dump -- however, you'd probably have to have a pretty good
reason for adding another knob to OpenBSD's dump, and I reckon getting
a diff that does do that accepted into base might be an uphill battle,
as it might be seen to run counter to *BSD philosophy. But hey, I
don't make the rules, I don't even write ANY of the code, so don't let
my outside-looking-in observations put you off.

regards,
--ropers

PS:

AHA!

http://www.freebsd.org/cgi/man.cgi?query=dump

You little rogue and rascally scoundrel! ;-P Gotcha! ;-D
'Figured it out about your use of -L!

Now, repeat after me:

"I will not use FreeBSD documentation for OpenBSD."
"I will not use FreeBSD documentation for OpenBSD."
"I will not use FreeBSD documentation for OpenBSD."

Problems starting mysql-server-5.1.62

[Hasse Hansson]

"Googling" the problem and the error messages didn't get me much further.

I have to admit, this is a bit over my head. aka "I don't have a clue what
I'm doing"

 

# uname -a

OpenBSD odin.thorshammare.org 5.1 GENERIC#160 i386

 

When I run : /usr/local/bin/mysql_install_db

I get the following errormessage :

Installing MySQL system tables...

120412  8:04:10 [Warning] '--skip-locking' is deprecated and will be removed
in a future release. Please use '--skip-external-locking' instead.

120412  8:04:10 [ERROR] Can't create interrupt-thread (error 91, errno: 91)

 

When I try to follow some recommendations from
http://dev.mysql.com/doc/mysql-linuxunix-excerpt/5.5/en/mysql-install-db-pro
blems.html

# /usr/local/bin/mysqld_safe --user=_mysql --skip-grant-tables &

[1] 3016

# 120412 08:48:38 mysqld_safe Logging to
'/var/mysql/odin.thorshammare.org.err'.

120412 08:48:38 mysqld_safe Starting mysqld daemon with databases from
/var/mysql

120412 08:48:38 mysqld_safe mysqld from pid file
/var/mysql/odin.thorshammare.org.pid ended

 

[1] + Done /usr/local/bin/mysqld_safe --user=_mysql --skip

 

And the logfile says :

120412 08:47:40 mysqld_safe Starting mysqld daemon with databases from
/var/mysql

120412  8:47:41 [Warning] '--skip-locking' is deprecated and will be removed
in a future release. Please use '--skip-external-locking' instead.

120412  8:47:41 [ERROR] Fatal error: Can't change to run as user 'mysql' ;
Please check that the user exists!

 

120412  8:47:41 [ERROR] Aborting

 

120412  8:47:41 [Note] /usr/local/libexec/mysqld: Shutdown complete

 

120412 08:47:41 mysqld_safe mysqld from pid file
/var/mysql/odin.thorshammare.org.pid ended

120412 08:48:38 mysqld_safe Starting mysqld daemon with databases from
/var/mysql

120412  8:48:38 [Warning] '--skip-locking' is deprecated and will be removed
in a future release. Please use '--skip-external-locking' instead.

120412  8:48:38 [Note] Plugin 'FEDERATED' is disabled.

120412  8:48:38  InnoDB: Initializing buffer pool, size = 8.0M

120412  8:48:38  InnoDB: Completed initialization of buffer pool

InnoDB: Error: pthread_create returned 91

120412 08:48:38 mysqld_safe mysqld from pid file
/var/mysql/odin.thorshammare.org.pid ended

 

Regards

Hasse

Re: Problems starting mysql-server-5.1.62

[Hasse Hansson]

-Oprindelig meddelelse-
Fra: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] Pe vegne af
Stuart Henderson
Sendt: den 13 april 2012 01:13
Til: misc@openbsd.org
Emne: Re: Problems starting mysql-server-5.1.62

On 2012-04-12, Hasse Hansson  wrote:
> "Googling" the problem and the error messages didn't get me much further.

http://www.openbsd.org/faq/faq15.html#NoFun applies here.

> OpenBSD odin.thorshammare.org 5.1 GENERIC#160 i386
>
> 120412  8:04:10 [ERROR] Can't create interrupt-thread (error 91,
> errno: 91)
...
> InnoDB: Error: pthread_create returned 91

You are using packages (or at least a mysql package) built against the new
kernel-backed thread library with an older kernel that doesn't support it.

You might get somewhere if you install a new base OS snapshot and update to
new package snapshot (this means updating *all* packages, not picking and
mixing), but I'm not sure if the packages are currently in sync with base
snapshots (N.B. http://www.openbsd.org/images/hackathons/r2k12.gif
is currently taking place) so if this doesn't work out, wait a few days -
probably until at least after the weekend - and try updating again.
[>]

Thank you very much.
Will do.

/Hasse

Re: Upgrading OpenBSD

[Hasse Hansson]

-Ursprungligt meddelande-
Fren: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] Fvr Eric Furman
Skickat: den 22 maj 2012 07:50
Till: Richards, Toby; OpenBSD Misc
Dmne: Re: Upgrading OpenBSD

On Mon, May 21, 2012, at 06:43 PM, Richards, Toby wrote:
> While my question involves other BSD's as well as Linux systems, I am
>  Respectfully Submitted,

Why do trolls always sign off this way? :) Or they open with,"I don't want
to start a fight, but...".

And why do they always get ALL them responses ?
/Hasse

sshguard

[Hasse Hansson]

Hello all.
# uname -a
OpenBSD odin.thorshammare.org 5.2 GENERIC#13 i386

sshguard-1.5
Are we not supposed to use the entry in /etc/syslog.conf any more ?
" auth.info;authpriv.info |/usr/local/sbin/sshguard "

I get a message on my console saying:
syslogd: unknown priority name "info|/usr/local/sbin/sshguard"

The info about the syslog.conf entry seems to be gone in the install
message too.

All the best
Hasse