Re: The ultimate OpenBSD email server

2012-08-19 Thread Joel Carnat
On 19 August 2012 at 14:15, Stuart Henderson wrote:

 On 2012-08-16, Joel Carnat j...@carnat.net wrote:
 - roundcube and suhosin don't play well together ;

 there is no general problem with roundcube and suhosin playing
 together, you just have to follow the documentation about disabling
 session encryption (clearly documented in the installation guide,
 and checked for by the installer).


yep, that's what I meant: you have to disable encryption to have them work
together...



Re: The ultimate OpenBSD email server

2012-08-16 Thread Joel Carnat
On 15 August 2012 at 16:16, L. V. Lammert wrote:

 On Wed, 15 Aug 2012, Mikkel Bang wrote:

 But with so many people recommending so many different tools, it gets hard
 to come to a conclusion. Looks like I'm finally arriving at this though:
 postfix (postfix-anti-UCE.txt) + dspam - what do you guys think?

 Take a look at mailserv, https://github.com/mailserv. The admin interface
 is nice, and all components are integrated.

This looked interesting so I had a look at it for a few hours.
My (2 cents) conclusions are:
- it has a pretty interface indeed ;
- it has a few configuration bugs (php modules are not enabled and it expects
5.2, not 5.3) ;
- it is supposed to use sqlgrey but it seems it isn't linked to postfix ;
- why isn't it using spamd(8) ;
- it stores clear passwords ;
- roundcube and suhosin don't play well together ;
- it has to be installed with its own mysql db. no way to use an external one
(unless using the console).

I have written a quick review on my WordPress instance.
Just PM for the URL if you wish to read more.

Regards,
Jo



About `ldapctl stats` metrics

2012-08-14 Thread Joel Carnat
Hi,

I've set up some RRDtool magic to graph ldapd(8) metrics (OpenBSD 5.1/i386).

Using `ldapctl stats`, I was expecting:
requests = search requests + bind requests + modify requests

But after a few ldapsearch/ldapadd/ldapdelete testings, it seems requests
grows faster than the sum of * requests.

A simple ldapsearch increments search and bind by 1 but increments
requests by 3. An ldapadd increments bind and modify by 1 but increments
requests by 3. The ldapdelete (to suppress the previous entry) increments
bind, search and modify by 1 but requests is incremented by 4.

What does requests count that doesn't appear in the other metrics?

TIA,
Jo



Re: Q: username policy in install and in adduser

2012-08-13 Thread Joel Carnat
AFAIK, there is every likelihood that a third-party software (like Web or Mail
server) will not be case-sensitive and will mix data for Foo and foO users.

On 13 August 2012 at 15:20, Eike Lantzsch wrote:

 The choice of usernames during OBSD install is more restrictive than
adduser.
 For example install does not allow capital letters in usernames.
 I read up the facts but I'd like to know the reasons.

 I do not seem to find an answer to my question: What benefit is there in not
 using capital letters in usernames?
 1) usability-wise (I can imagine)
 2) security-wise?
 3) administration-wise
 4) programming reasons of the installer?

 Thank you for your time
 Eike



Re: kvm and Openbsd 5.1

2012-07-20 Thread Joel Carnat
Hi,

On 20 July 2012 at 19:29, Alessandro Baggi wrote:

 Hi list,
 today I've installed OpenBSD 5.1 amd64 on a kvm (linux slackware) kvm
version is 1.0.1.

 Starting the machine with 4 cores and bsd.mp, it crashes.
 Disabling mpbios, it sees only one core and no SMP.

 Then, I've updated kvm to 1.1.1 but the results are the same.


 Is there someone who has started OpenBSD on kvm and avoided this problem?

 Is this problem kvm related?

 Another, someone has tried obsd 5.1 on ESX?

I have 5.0 and 5.1 working well, with 2 vCPU, on my ESXi 5.

Cheers,
Jo



smtpd, virtual users/domains and maildir creation

2012-06-15 Thread Joel Carnat
Hi,

I am playing with OpenSMTPD and am configuring a virtual domains and users
configuration.

In smtpd.conf.local, I have set:
  map vdomains { source db /etc/mail/vdomains.db }
  accept for virtual vdomains deliver to maildir /home/vmail/%d/%a/
In /etc/mail/vdomains, I have set:
  tumfatig.net:   true
  carnat.net: true
  pt...@tumfatig.net  vmail
  j...@carnat.net vmail

So far, the mails are accepted but I face an error when the first mail is
received ;
when the full home directory does not exist yet:
  Jun 15 15:12:36 openbsd smtpd[6293]: dcd4684048255931: to=j...@carnat.net, \
  delay=0, stat=Error (cannot mkdir maildir: No such file or directory)

When this error occurs, /home/vmail already exists and is owned by
vmail:vmail.
Now, if I run:
  # mkdir /home/vmail/carnat.net
  # chown vmail:vmail /home/vmail/carnat.net
And send the same mail (to j...@carnat.net), it is received correctly and
the remaining vmail/new directory tree is created.

Are there some parameters to set so that smtpd creates the whole directory
tree itself, or is this expected behaviour?

TIA,
Jo



Re: smtpd, virtual users/domains and maildir creation

2012-06-15 Thread Joel Carnat
On 15 June 2012 at 17:03, Gilles Chehade wrote:

 On Fri, Jun 15, 2012 at 03:28:42PM +0200, Joel Carnat wrote:
 Hi,


 Hi,

 I am playing with OpenSMTPD and am configuring a virtual domains and users
 configuration.

 In smtpd.conf.local, I have set:
  map vdomains { source db /etc/mail/vdomains.db }
  accept for virtual vdomains deliver to maildir /home/vmail/%d/%a/

 reads ok, except that you should remove '{' and '}', they were required but
 I made them optional to ease transition as I will remove them next release.


ok, I'll correct my config, thanks.


 In /etc/mail/vdomains, I have set:
  tumfatig.net:   true
  carnat.net: true
  pt...@tumfatig.net  vmail
  j...@carnat.net vmail

 reads ok


 So far, the mails are accepted but I face an error when the first mail is
 received ;
 when the full home directory does not exist yet:
  Jun 15 15:12:36 openbsd smtpd[6293]: dcd4684048255931: to=j...@carnat.net, \
  delay=0, stat=Error (cannot mkdir maildir: No such file or directory)

 When this error occurs, /home/vmail already exists and is owned by
 vmail:vmail.

 Now, if I run:
  # mkdir /home/vmail/carnat.net
  # chown vmail:vmail /home/vmail/carnat.net
 And send the same mail (to j...@carnat.net), it is received correctly and
 the remaining vmail/new directory tree is created.

 Are there some parameters to set so that smtpd creates the whole directory
 tree itself, or is this expected behaviour?


 OpenSMTPD only creates the Maildir itself so you need to make sure you
 create a directory for each of the domains you plan to handle if you are
 using the domain as part of the path.

 Should we have an option to let it create all directories in the path ?
 I dunno, it's pretty easy to pre-create them and let the code be as strict
 as it is right now :-)


right; like "know what you are doing" :)
I was just surprised as my current Postfix / Dovecot configuration did the
mkdir -p itself.
I'll just keep the "create the directories" step in my notes ;-)

While I'm there, I ended filling my /etc/mail/vdomains with such
directives:
  carnat.net              accept
  j...@carnat.net         vmail
  r...@carnat.net         j...@carnat.net
  ab...@carnat.net        r...@carnat.net
  hostmas...@carnat.net   r...@carnat.net
  postmas...@carnat.net   r...@carnat.net
  webmas...@carnat.net    r...@carnat.net

This does work and allows virtual aliases to be defined. And all my test
mails went to my user account.
I'm not just sure if this is the right way to do it as I didn't find such
mapping described in the docs.
But I found using one map aliases (...) per virtual domain not very
practical.

What's the proper way to host virtual aliases for virtual domains?

TIA,
Jo



Re: smtpd, virtual users/domains and maildir creation

2012-06-15 Thread Joel Carnat
On 15 June 2012 at 17:37, Gilles Chehade wrote:
snip
 What's the proper way to host virtual aliases for virtual domains ?


 The proper way is the one you're using ;-)
 Also, one thing you could do is create a fallback address:

 @carnat.net   r...@carnat.net

 if you want to also catch every user of the @carnat.net domain that does
 not have its own key:

  carnat.net            whatever          # enable vdomain
  @carnat.net           r...@carnat.net   # any user w/out key
  j...@carnat.net       vmail
  r...@carnat.net       j...@carnat.net

great!
thanks a lot.
Jo
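
The map semantics the thread settles on (a bare domain key enables the domain, user@domain keys point either at a local delivery user or at another address, and @domain is the catch-all for any user without its own key), written out as a small resolver. This is an added example, not OpenSMTPD's own code and not code from the posts above. The sample map, the domain example.net and the local user vmail are constructed; the %a (user part) / %d (domain part) expansion follows the thread's `deliver to maildir /home/vmail/%d/%a/` template as an assumption about that syntax. It also lists the per-domain directories that, per Gilles' answer, have to exist before the first delivery, since smtpd creates only the Maildir itself.

```python
"""Resolver for a virtual domain / alias map laid out like /etc/mail/vdomains.

Added example (not OpenSMTPD code). Lookup order modelled on the thread:
exact "user@domain" key first, then the "@domain" fallback. Sample data is
constructed; LOCAL_USERS and MAILDIR_TEMPLATE are assumptions.
"""
import posixpath

SAMPLE_MAP = """\
# constructed sample, laid out like the thread's /etc/mail/vdomains
example.net             accept
@example.net            root@example.net
joe@example.net         vmail
root@example.net        joe@example.net
abuse@example.net       root@example.net
postmaster@example.net  root@example.net
webmaster@example.net   root@example.net
ping@example.net        pong@example.net
pong@example.net        ping@example.net
"""

LOCAL_USERS = {"vmail"}            # assumption: accounts that take maildir delivery
MAILDIR_TEMPLATE = "/home/vmail/%d/%a/"   # assumption: %d = domain, %a = user part
MAX_HOPS = 16


def parse_map(text):
    """Return (domains, entries). Keys are lowercased; a trailing ':' on a
    domain key (the first message's 'carnat.net: true' form) is tolerated
    and the value of a domain key is ignored ('whatever', as Gilles put it)."""
    domains, entries = set(), {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError(f"map line needs a key and a value: {raw!r}")
        key, value = fields[0].lower(), fields[1].strip().lower()
        if "@" not in key:
            domains.add(key.rstrip(":"))
        else:
            entries[key] = value
    return domains, entries


def lookup(entries, address):
    """Exact key wins; otherwise the @domain fallback; None if neither exists."""
    if address in entries:
        return entries[address]
    return entries.get("@" + address.rpartition("@")[2])


def resolve(domains, entries, address):
    """Follow aliases from address to a local user.

    Returns ("deliver", user) or ("reject", reason). Aliases pointing into
    another virtual domain are followed; a loop (ping <-> pong above) or a
    chain longer than MAX_HOPS is rejected instead of being retried forever."""
    current, seen = address.lower(), set()
    for _ in range(MAX_HOPS):
        domain = current.rpartition("@")[2]
        if domain not in domains:
            return ("reject", f"{current}: domain is not virtual here")
        if current in seen:
            return ("reject", f"{current}: alias loop")
        seen.add(current)
        target = lookup(entries, current)
        if target is None:
            return ("reject", f"{current}: no key and no @{domain} fallback")
        if "@" not in target:
            if target in LOCAL_USERS:
                return ("deliver", target)
            return ("reject", f"{current}: unknown local user {target!r}")
        current = target
    return ("reject", f"{address}: more than {MAX_HOPS} alias hops")


def safe_component(part):
    """True if part can be used as exactly one path element of the maildir path.
    This check belongs to the example; it says nothing about smtpd's own code."""
    return bool(part) and "/" not in part and "\0" not in part and part not in (".", "..")


def maildir_path(address, template=MAILDIR_TEMPLATE):
    """Expand %a and %d for a delivered address, refusing crafted components
    that would steer the expansion outside the per-domain tree."""
    user, _, domain = address.lower().rpartition("@")
    for part in (user, domain):
        if not safe_component(part):
            raise ValueError(f"unsafe address component: {part!r}")
    return posixpath.normpath(template.replace("%a", user).replace("%d", domain))


def domain_dirs(domains, template=MAILDIR_TEMPLATE):
    """Directories to pre-create (mkdir + chown to the delivery user): the
    part of the template before %a, with %d expanded for every virtual domain."""
    prefix = template.split("%a", 1)[0]
    return sorted(posixpath.normpath(prefix.replace("%d", d)) for d in domains)


if __name__ == "__main__":
    doms, ents = parse_map(SAMPLE_MAP)
    for addr in ("webmaster@example.net", "nobody@example.net",
                 "ping@example.net", "joe@other.org"):
        print(addr, "->", resolve(doms, ents, addr))
    print("pre-create:", domain_dirs(doms))
```

Running it shows webmaster and the keyless nobody both ending up at the vmail user (via root, then joe), the ping/pong pair rejected as a loop, and /home/vmail/example.net as the one directory to create by hand before the first message arrives.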



filtering recipients for a secondary mx using smtpd

2012-06-15 Thread Joel Carnat
Hi,

Using OpenBSD 5.1, I have configured OpenSMTPD to act as a secondary MX.
I have configured this, in smtpd.conf:
  # secondary mx
  map v2mx { source db /etc/mail/v2mx.db }
  accept from all for virtual v2mx relay

And this, in /etc/mail/v2mx:
  hotmail.com accept

The smtpd can now relay properly for that particular domain (which I don't
really aim to use, this is just a test :). But I would like smtpd to filter
the acceptable RCPT, so that I don't get my mail queue filled with junk
recipients.

Can I, and if so how, tell smtpd to only accept joel.car...@hotmail.com for such
a secondary MX?

TIA,
Jo



PHP issue with native Apache and ProxyPass

2012-06-06 Thread Joel Carnat
Hello,

I have an OpenBSD 5.0 server, running the native Apache and providing a local
WordPress instance which works great. The Apache also proxies simple
websites (only HTML/CSS/JS, like xymon, munin, sogo) using the
ProxyPass/ProxyPassReverse directives.

I wanted to proxy another WordPress instance, running on a remote OpenBSD
5.1 installation.
So far, the remote installation works like a charm.

But when I configure the reverse proxy, URLs with PHP files and variables
aren't handled properly.

The remote website is located on http://192.168.0.28:80/ (DocumentRoot is
/var/www/htdocs).
The proxy directives I set up are:
ProxyPass /test/ http://192.168.0.28:80/
ProxyPassReverse /test/ http://192.168.0.28:80/
(I modified WordPress so that it publishes itself as
https://www.tumfatig.net/test/)

Working URLs look like:
https://www.tumfatig.net/test/wp-content/themes/twentyeleven/style.css
https://www.tumfatig.net/test/wp-includes/css/admin-bar.css?ver=20111209
https://www.tumfatig.net/test/wp-includes/wlwmanifest.xml
https://www.tumfatig.net/test/xmlrpc.php
But a URL like this one doesn't work:
https://www.tumfatig.net/test/xmlrpc.php?rsd

The proxy log says:
[Wed Jun 6 10:58:31 2012] [error] [client 82.241.119.38] File does not exist: proxy:http://192.168.0.28/xmlrpc.php?rsd

The web browser says:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /test/xmlrpc.php was not found on this server.<P>
</BODY></HTML>

But, from the LAN and the proxy server itself, running
`ftp http://192.168.0.28/xmlrpc.php?rsd` gets the file properly from the 5.1
server...

Does anyone get why only PHP files with variables passed are not translated
properly by my configuration?

Thanks a lot.
Jo



Acceleration for Qemu ?

2011-11-06 Thread Joel Carnat
Hi,

I was planning on using qemu to run several instances of various OSes on my
OpenBSD 5.0/amd64 server.

As a first try, I ran an OpenBSD 5.0/i386 instance using qemu-0.14.1p4:
# ifconfig tun0 link0
# ifconfig bridge0 add tun0 add bge0 up
# qemu -nographic -m 128 -net nic -net tap,ifname=tun0 -no-fd-bootchk -hda /home/vm/monitoring.img

Then I configured munin-server in the vm to poll the amd64 server and the
local munin-node.

On the virtual machine side, I get:
# top -o cpu -n 1
load averages:  2.77,  3.35,  2.13    monitoring.tumfatig.net 22:54:30
42 processes:  2 running, 39 idle, 1 on processor
CPU states: 17.6% user, 33.1% nice,  8.8% system,  0.1% interrupt, 40.4% idle
Memory: Real: 31M/72M act/tot Free: 44M Cache: 22M Swap: 0K/259M

  PID USERNAME PRI NICE  SIZE   RES STATE     WAIT      TIME    CPU COMMAND
  568 _munin    84   10 6396K 5268K run       -         0:57 48.68% perl

On the server side, I get:
# top -o cpu -n 1
load averages:  2.28,  1.72,  1.40    bagheera.tumfatig.net 22:55:16
96 processes:  93 idle, 1 zombie, 2 on processor
CPU0 states: 11.7% user,  1.2% nice,  2.3% system,  0.1% interrupt, 84.7% idle
CPU1 states: 11.2% user,  1.1% nice,  2.2% system,  0.0% interrupt, 85.4% idle
Memory: Real: 421M/1140M act/tot Free: 6811M Cache: 611M Swap: 0K/512K

  PID USERNAME PRI NICE  SIZE   RES STATE     WAIT      TIME    CPU COMMAND
 5764 root      64    0  207M  156M onproc/1  -        13:43 84.38% qemu

I read that kqemu is not available anymore but wondered if there were some
tricks to accelerate the Qemu instances?

TIA,
Jo



Re: I don't get where the load comes from

2011-05-31 Thread Joel Carnat
On 31 May 2011 at 00:15, Paul de Weerd wrote:
 On Mon, May 30, 2011 at 11:44:29PM +0200, Joel Carnat wrote:
 | Hi,
 |
 | I am running a personal Mail+Web system on a Core2Duo 2GHz using
Speedstep.
 | It is mostly doing nothing but still has a high load average.

 Wait, what ?  ~1 is 'a high load average' now ?  What are that
 database and webserver doing on your machine 'doing nothing' ?  What
 other processes do you have running ?  Note that you don't have to use
 lots of CPU to get a (really) high load...


well, compared to my previous box, running NetBSD/xen, the same services
and showing about 0.3-0.6 of load; I thought a load of 1.21 was quite a lot.

 Do you see a lot of interrupts perhaps ?  Try `systat -s1 vm` or
 `vmstat -i`.

# vmstat -i
interrupt                       total     rate
irq0/clock                    9709553      199
irq0/ipi                      1291416       26
irq144/acpi0                        1        0
irq145/inteldrm0                    9        0
irq96/uhci0                       117        0
irq98/ehci0                         2        0
irq97/azalia0                       1        0
irq101/wpi0                         1        0
irq101/bge0                    366615        7
irq96/ehci1                        20        0
irq101/ahci0                   332349        6
irq147/pckbc0                       6        0
irq148/pckbc0                      38        0
Total                        11700128      240



 Paul 'WEiRD' de Weerd

 | I've checked various stat tools but didn't find the reason for the load.
 |
 | Anyone has ideas?
 |
 | TIA,
 | Jo
 |
 | PS: here are some of the results I checked.
 |
 | # uname -a
 | OpenBSD bagheera.tumfatig.net 4.9 GENERIC.MP#819 amd64
 |
 | # sysctl hw
 | hw.machine=amd64
 | hw.model=Intel(R) Core(TM)2 Duo CPU T7300 @ 2.00GHz
 | hw.ncpu=2
 | hw.byteorder=1234
 | hw.pagesize=4096
 | hw.disknames=cd0:,sd0:01d3664288919ae7
 | hw.diskcount=2
 | hw.sensors.cpu0.temp0=45.00 degC
 | hw.sensors.cpu1.temp0=45.00 degC
 | hw.sensors.acpitz0.temp0=45.50 degC (zone temperature)
 | hw.sensors.acpiac0.indicator0=On (power supply)
 | hw.sensors.acpibat0.volt0=11.10 VDC (voltage)
 | hw.sensors.acpibat0.volt1=12.71 VDC (current voltage)
 | hw.sensors.acpibat0.amphour0=4.61 Ah (last full capacity)
 | hw.sensors.acpibat0.amphour1=0.52 Ah (warning capacity)
 | hw.sensors.acpibat0.amphour2=0.16 Ah (low capacity)
 | hw.sensors.acpibat0.amphour3=5.20 Ah (remaining capacity), OK
 | hw.sensors.acpibat0.raw0=0 (battery full), OK
 | hw.sensors.acpibat0.raw1=1 (rate)
 | hw.cpuspeed=800
 | hw.setperf=0
 | hw.vendor=Dell Inc.
 | hw.product=XPS M1330
 | hw.serialno=CK0W33J
 | hw.uuid=44454c4c-4b00-1030-8057-c3c04f4a
 | hw.physmem=3747008512
 | hw.usermem=3734933504
 | hw.ncpufound=2
 |
 | # top -n -o cpu -T
 | load averages:  1.19,  1.14,  0.99    bagheera.tumfatig.net 23:39:09
 | 78 processes:  77 idle, 1 on processor
 | CPU0 states:  1.8% user,  0.0% nice,  0.7% system,  0.1% interrupt, 97.4% idle
 | CPU1 states:  2.4% user,  0.0% nice,  0.8% system,  0.0% interrupt, 96.8% idle
 | Memory: Real: 238M/656M act/tot  Free: 2809M  Swap: 0K/8197M used/tot
 |
 |   PID USERNAME PRI NICE  SIZE   RES STATE     WAIT      TIME    CPU COMMAND
 |  3230 root       2    0 2156K 3152K sleep/1   netio     0:00  0.20% sshd
 |  1867 sshd       2    0 2148K 2368K sleep/0   select    0:00  0.05% sshd
 | 19650 www       14    0 5640K   30M sleep/0   semwait   0:59  0.00% httpd
 |  4225 www       14    0 5984K   42M sleep/1   semwait   0:58  0.00% httpd
 |  3624 www       14    0 5644K   30M sleep/1   semwait   0:53  0.00% httpd
 | 24875 www       14    0 5740K   32M sleep/1   semwait   0:52  0.00% httpd
 | 22848 www       14    0 5724K   30M sleep/1   semwait   0:50  0.00% httpd
 | 13508 www       14    0 5832K   31M sleep/1   semwait   0:48  0.00% httpd
 | 24210 www       14    0 5652K   30M sleep/1   semwait   0:48  0.00% httpd
 |   510 www       14    0 5660K   30M sleep/1   semwait   0:46  0.00% httpd
 | 20258 www        2    0 5536K   32M sleep/0   select    0:46  0.00% httpd
 |  6543 www       14    0 5772K   32M sleep/0   semwait   0:43  0.00% httpd
 |  9783 _mysql     2    0   55M   30M sleep/1   poll      0:20  0.00% mysqld
 | 19071 root       2    0  640K 1416K sleep/1   select    0:09  0.00% sshd
 | 10389 root       2    0 3376K 2824K sleep/0   poll      0:07  0.00% monit
 | 21695 _sogo      2    0 7288K   18M sleep/1   poll      0:05  0.00% sogod
 |  1888 named      2    0   20M   21M sleep/1   select    0:05  0.00% named
 | 18781 _sogo      2    0   15M   29M sleep/1   poll      0:04  0.00% sogod
 |
 | # iostat -c 10 -w 1
 |       tty            cd0             sd0             cpu
 |  tin tout  KB/t t/s MB/s   KB/t t/s MB/s  us ni sy in id
 |    0    7  0.00   0 0.00  20.64   7 0.14   2  0  1  0 97
 |    0  174  0.00   0 0.00   0.00   0 0.00   0  0  0  0 100
 |    0   57  0.00   0 0.00   0.00   0 0.00   1  0  2  0 97
 |    0   57  0.00   0 0.00  32.00  17 0.53

Re: I don't get where the load comes from

2011-05-31 Thread Joel Carnat
On 31 May 2011 at 02:19, Gonzalo L. R. wrote:
 Take a look at this

 http://undeadly.org/cgi?action=article&sid=20090715034920

I found this article before posting.

But one thing that didn't convince me is that, if I shut down apmd and
configure hw.setperf=100, the load drops down to 0.30-0.20.

I don't get how "A high load is just that: high. It means you have a lot
of processes that sometimes run." can show load variation depending on
CPU speed only.


 On 05/30/11 18:44, Joel Carnat wrote:
 Hi,

 I am running a personal Mail+Web system on a Core2Duo 2GHz using
Speedstep.
 It is mostly doing nothing but still has a high load average.

 I've checked various stat tools but didn't find the reason for the load.

 Anyone has ideas?

 TIA,
  Jo

 PS: here are some of the results I checked.

 # uname -a
 OpenBSD bagheera.tumfatig.net 4.9 GENERIC.MP#819 amd64

 # sysctl hw
 hw.machine=amd64
 hw.model=Intel(R) Core(TM)2 Duo CPU T7300 @ 2.00GHz
 hw.ncpu=2
 hw.byteorder=1234
 hw.pagesize=4096
 hw.disknames=cd0:,sd0:01d3664288919ae7
 hw.diskcount=2
 hw.sensors.cpu0.temp0=45.00 degC
 hw.sensors.cpu1.temp0=45.00 degC
 hw.sensors.acpitz0.temp0=45.50 degC (zone temperature)
 hw.sensors.acpiac0.indicator0=On (power supply)
 hw.sensors.acpibat0.volt0=11.10 VDC (voltage)
 hw.sensors.acpibat0.volt1=12.71 VDC (current voltage)
 hw.sensors.acpibat0.amphour0=4.61 Ah (last full capacity)
 hw.sensors.acpibat0.amphour1=0.52 Ah (warning capacity)
 hw.sensors.acpibat0.amphour2=0.16 Ah (low capacity)
 hw.sensors.acpibat0.amphour3=5.20 Ah (remaining capacity), OK
 hw.sensors.acpibat0.raw0=0 (battery full), OK
 hw.sensors.acpibat0.raw1=1 (rate)
 hw.cpuspeed=800
 hw.setperf=0
 hw.vendor=Dell Inc.
 hw.product=XPS M1330
 hw.serialno=CK0W33J
 hw.uuid=44454c4c-4b00-1030-8057-c3c04f4a
 hw.physmem=3747008512
 hw.usermem=3734933504
 hw.ncpufound=2

 # top -n -o cpu -T
 load averages:  1.19,  1.14,  0.99    bagheera.tumfatig.net 23:39:09
 78 processes:  77 idle, 1 on processor
 CPU0 states:  1.8% user,  0.0% nice,  0.7% system,  0.1% interrupt, 97.4% idle
 CPU1 states:  2.4% user,  0.0% nice,  0.8% system,  0.0% interrupt, 96.8% idle
 Memory: Real: 238M/656M act/tot  Free: 2809M  Swap: 0K/8197M used/tot

   PID USERNAME PRI NICE  SIZE   RES STATE     WAIT      TIME    CPU COMMAND
  3230 root       2    0 2156K 3152K sleep/1   netio     0:00  0.20% sshd
  1867 sshd       2    0 2148K 2368K sleep/0   select    0:00  0.05% sshd
 19650 www       14    0 5640K   30M sleep/0   semwait   0:59  0.00% httpd
  4225 www       14    0 5984K   42M sleep/1   semwait   0:58  0.00% httpd
  3624 www       14    0 5644K   30M sleep/1   semwait   0:53  0.00% httpd
 24875 www       14    0 5740K   32M sleep/1   semwait   0:52  0.00% httpd
 22848 www       14    0 5724K   30M sleep/1   semwait   0:50  0.00% httpd
 13508 www       14    0 5832K   31M sleep/1   semwait   0:48  0.00% httpd
 24210 www       14    0 5652K   30M sleep/1   semwait   0:48  0.00% httpd
   510 www       14    0 5660K   30M sleep/1   semwait   0:46  0.00% httpd
 20258 www        2    0 5536K   32M sleep/0   select    0:46  0.00% httpd
  6543 www       14    0 5772K   32M sleep/0   semwait   0:43  0.00% httpd
  9783 _mysql     2    0   55M   30M sleep/1   poll      0:20  0.00% mysqld
 19071 root       2    0  640K 1416K sleep/1   select    0:09  0.00% sshd
 10389 root       2    0 3376K 2824K sleep/0   poll      0:07  0.00% monit
 21695 _sogo      2    0 7288K   18M sleep/1   poll      0:05  0.00% sogod
  1888 named      2    0   20M   21M sleep/1   select    0:05  0.00% named
 18781 _sogo      2    0   15M   29M sleep/1   poll      0:04  0.00% sogod

 # iostat -c 10 -w 1
       tty            cd0             sd0             cpu
  tin tout  KB/t t/s MB/s   KB/t t/s MB/s  us ni sy in id
    0    7  0.00   0 0.00  20.64   7 0.14   2  0  1  0 97
    0  174  0.00   0 0.00   0.00   0 0.00   0  0  0  0 100
    0   57  0.00   0 0.00   0.00   0 0.00   1  0  2  0 97
    0   57  0.00   0 0.00  32.00  17 0.53   1  0  1  0 98
    0   58  0.00   0 0.00   0.00   0 0.00   7  0  7  0 86
    0   57  0.00   0 0.00   0.00   0 0.00   1  0  1  0 98
    0   57  0.00   0 0.00   0.00   0 0.00   1  0  1  0 98
    0   57  0.00   0 0.00   0.00   0 0.00   2  0  0  0 98
    0   57  0.00   0 0.00   4.00   1 0.00   0  0  1  0 99
    0   58  0.00   0 0.00   0.00   0 0.00   1  0  0  1 98

 # vmstat -c 10 -w 1
  procs    memory       page                    disks    traps          cpu
  r b w    avm     fre  flt  re  pi  po  fr  sr cd0 sd0  int   sys   cs us sy id
  1 1 0 243420 2866736  655   0   0   0   0   0   0   1   15  1828   77  2  1 97
  0 1 0 243636 2866336  234   0   0   0   0   0   0   0   10   540   47  0  1 99
  0 1 0 243668 2866304   95   0   0   0   0   0   0   0   17   329   44  1  0 99
  0 1 0 242848 2867552  644   0   0   0   0   0   0   0    8  1445  115  1  1 98
  0 1 0 243612 2866352 1076   0   0   0   0   0   0   0    9  2436   44  0  2 98
  0 1 0 243668 2866288  117   0   0   0   0   0   0

Re: I don't get where the load comes from

2011-05-31 Thread Joel Carnat
On 31 May 2011 at 08:10, Tony Abernethy wrote:
 Joel Carnat wrote
 well, compared to my previous box, running NetBSD/xen, the same services
 and showing about 0.3-0.6 of load ; I thought a load of 1.21 was quite
much.

 Different systems will agree on the spelling of the word load.
 That is about as much agreement as you can expect.
 Does the 0.3-0.6 really mean 30-60 percent loaded?

As far as I understood the counters on my previous nbsd box, 0.3 meant that
the CPU was used at 30% of its total capacity. Then, looking at the sys/user
counters, I'd see what kind of things the system was doing.

 1.21 tasks seems kinda low for a multi-tasking system.

ok :)



I don't get where the load comes from

2011-05-30 Thread Joel Carnat
Hi,

I am running a personal Mail+Web system on a Core2Duo 2GHz using Speedstep.
It is mostly doing nothing but still has a high load average.

I've checked various stat tools but didn't find the reason for the load.

Anyone has ideas?

TIA,
Jo

PS: here are some of the results I checked.

# uname -a
OpenBSD bagheera.tumfatig.net 4.9 GENERIC.MP#819 amd64

# sysctl hw
hw.machine=amd64
hw.model=Intel(R) Core(TM)2 Duo CPU T7300 @ 2.00GHz
hw.ncpu=2
hw.byteorder=1234
hw.pagesize=4096
hw.disknames=cd0:,sd0:01d3664288919ae7
hw.diskcount=2
hw.sensors.cpu0.temp0=45.00 degC
hw.sensors.cpu1.temp0=45.00 degC
hw.sensors.acpitz0.temp0=45.50 degC (zone temperature)
hw.sensors.acpiac0.indicator0=On (power supply)
hw.sensors.acpibat0.volt0=11.10 VDC (voltage)
hw.sensors.acpibat0.volt1=12.71 VDC (current voltage)
hw.sensors.acpibat0.amphour0=4.61 Ah (last full capacity)
hw.sensors.acpibat0.amphour1=0.52 Ah (warning capacity)
hw.sensors.acpibat0.amphour2=0.16 Ah (low capacity)
hw.sensors.acpibat0.amphour3=5.20 Ah (remaining capacity), OK
hw.sensors.acpibat0.raw0=0 (battery full), OK
hw.sensors.acpibat0.raw1=1 (rate)
hw.cpuspeed=800
hw.setperf=0
hw.vendor=Dell Inc.
hw.product=XPS M1330
hw.serialno=CK0W33J
hw.uuid=44454c4c-4b00-1030-8057-c3c04f4a
hw.physmem=3747008512
hw.usermem=3734933504
hw.ncpufound=2

# top -n -o cpu -T
load averages:  1.19,  1.14,  0.99    bagheera.tumfatig.net 23:39:09
78 processes:  77 idle, 1 on processor
CPU0 states:  1.8% user,  0.0% nice,  0.7% system,  0.1% interrupt, 97.4% idle
CPU1 states:  2.4% user,  0.0% nice,  0.8% system,  0.0% interrupt, 96.8% idle
Memory: Real: 238M/656M act/tot  Free: 2809M  Swap: 0K/8197M used/tot

  PID USERNAME PRI NICE  SIZE   RES STATE     WAIT      TIME    CPU COMMAND
 3230 root       2    0 2156K 3152K sleep/1   netio     0:00  0.20% sshd
 1867 sshd       2    0 2148K 2368K sleep/0   select    0:00  0.05% sshd
19650 www       14    0 5640K   30M sleep/0   semwait   0:59  0.00% httpd
 4225 www       14    0 5984K   42M sleep/1   semwait   0:58  0.00% httpd
 3624 www       14    0 5644K   30M sleep/1   semwait   0:53  0.00% httpd
24875 www       14    0 5740K   32M sleep/1   semwait   0:52  0.00% httpd
22848 www       14    0 5724K   30M sleep/1   semwait   0:50  0.00% httpd
13508 www       14    0 5832K   31M sleep/1   semwait   0:48  0.00% httpd
24210 www       14    0 5652K   30M sleep/1   semwait   0:48  0.00% httpd
  510 www       14    0 5660K   30M sleep/1   semwait   0:46  0.00% httpd
20258 www        2    0 5536K   32M sleep/0   select    0:46  0.00% httpd
 6543 www       14    0 5772K   32M sleep/0   semwait   0:43  0.00% httpd
 9783 _mysql     2    0   55M   30M sleep/1   poll      0:20  0.00% mysqld
19071 root       2    0  640K 1416K sleep/1   select    0:09  0.00% sshd
10389 root       2    0 3376K 2824K sleep/0   poll      0:07  0.00% monit
21695 _sogo      2    0 7288K   18M sleep/1   poll      0:05  0.00% sogod
 1888 named      2    0   20M   21M sleep/1   select    0:05  0.00% named
18781 _sogo      2    0   15M   29M sleep/1   poll      0:04  0.00% sogod

# iostat -c 10 -w 1
      tty            cd0             sd0             cpu
 tin tout  KB/t t/s MB/s   KB/t t/s MB/s  us ni sy in id
   0    7  0.00   0 0.00  20.64   7 0.14   2  0  1  0 97
   0  174  0.00   0 0.00   0.00   0 0.00   0  0  0  0 100
   0   57  0.00   0 0.00   0.00   0 0.00   1  0  2  0 97
   0   57  0.00   0 0.00  32.00  17 0.53   1  0  1  0 98
   0   58  0.00   0 0.00   0.00   0 0.00   7  0  7  0 86
   0   57  0.00   0 0.00   0.00   0 0.00   1  0  1  0 98
   0   57  0.00   0 0.00   0.00   0 0.00   1  0  1  0 98
   0   57  0.00   0 0.00   0.00   0 0.00   2  0  0  0 98
   0   57  0.00   0 0.00   4.00   1 0.00   0  0  1  0 99
   0   58  0.00   0 0.00   0.00   0 0.00   1  0  0  1 98

# vmstat -c 10 -w 1
 procs    memory       page                    disks    traps          cpu
 r b w    avm     fre  flt  re  pi  po  fr  sr cd0 sd0  int   sys   cs us sy id
 1 1 0 243420 2866736  655   0   0   0   0   0   0   1   15  1828   77  2  1 97
 0 1 0 243636 2866336  234   0   0   0   0   0   0   0   10   540   47  0  1 99
 0 1 0 243668 2866304   95   0   0   0   0   0   0   0   17   329   44  1  0 99
 0 1 0 242848 2867552  644   0   0   0   0   0   0   0    8  1445  115  1  1 98
 0 1 0 243612 2866352 1076   0   0   0   0   0   0   0    9  2436   44  0  2 98
 0 1 0 243668 2866288  117   0   0   0   0   0   0   0    7   369   46  1  1 98
 0 1 0 243836 2866112  337   0   0   0   0   0   0   0    7   818   86  0  1 99
 0 1 0 243428 2866728 1216   0   0   0   0   0   0   0   11  2920   69  1  2 97
 0 1 0 243640 2866332  212   0   0   0   0   0   0   0    6   313   38  1  0 99
 0 1 0 243684 2866284   96   0   0   0   0   0   0   0    8   334   48  1  0 99



pid file for ldapd(8)

2011-05-27 Thread Joel Carnat
Hi,

Is there a way to tell ldapd(8) to write its PID in /var/run?

TIA,
Jo



ldapd and The Diffie Hellman prime sent by the server is not acceptable

2011-01-21 Thread Joel Carnat
Hello,

On an Ubuntu Linux 8.04 machine, I can't query my OpenBSD 4.9 ldapd(8).
It works from the local OpenBSD and from a remote NetBSD server.
All machines have the CA file installed in the OpenSSL directory
and the ldap.conf file configured to use that particular CA file.

Here's what I get on the Linux box:
$ ldapsearch -d 1 -x -H ldaps://ldap.tumfatig.net -D cn=email,dc=tumfatig,dc=net \
    -W -b ou=users,dc=tumfatig,dc=net mail=j...@carnat.net
ldap_url_parse_ext(ldaps://ldap.tumfatig.net)
ldap_create
ldap_url_parse_ext(ldaps://ldap.tumfatig.net:636/??base)
Enter LDAP Password: 
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.tumfatig.net:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.0.0.50:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: can't connect: The Diffie Hellman prime sent by the server is not acceptable (not long enough)..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Not sure if that matters, but the OpenBSD box's openssl.cnf (which was used to
generate and sign the CA and certificate files) contains:
default_bits = 4096

Is there a way to tell ldapd(8) to use a bigger DH value?

TIA,
  Jo



ldapd and namespace access

2011-01-05 Thread Joel Carnat
Greetings,

I would like to limit the access to my ldapd content.

I've read ldapd.conf(5) but there are bits I don't get.

The policy I would like to apply is:
(1) allow anyone to authenticate
(2) allow read access to all namespace by users that have been authenticated
(3) allow write access to their own object to users that have been
authenticated
(4) deny any other access

Right now, I configured
(1) allow bind access by any
(2) allow read access by self  // how to replace self by any authenticated?
(3) allow write access by self
(4) deny read access to any by any

For the moment, I am able to authenticate but won't go further:
  result: 50 Insufficient access

What would be the correct rules to implement my policy?

TIA,
  Jo



Re: ldapd and self-signed certificate

2010-11-15 Thread Joel Carnat
-----Original Message-----
To: Joel Carnat j...@carnat.net;
Cc: Philip Guenther guent...@gmail.com; misc@openbsd.org;
From: Martin Hedenfalk mar...@bzero.se
Sent: Mon. 15-11-2010 11:44
Subject: Re: ldapd and self-signed certificate
 On 15 Nov 2010 at 00:01, Joel Carnat wrote:

  -----Original Message-----
  To: Joel Carnat j...@carnat.net;
  Cc: misc@openbsd.org;
  From: Philip Guenther guent...@gmail.com
  Sent: Sun. 14-11-2010 02:25
  Subject: Re: ldapd and self-signed certificate
  On Sat, Nov 13, 2010 at 12:02 PM, Joel Carnat j...@carnat.net wrote:
  I want to use LDAP to store postfix, apache and dovecot users.
  This sounds a quite simple need so I plan to use the native ldapd.
  ...
  Then I created a self-signed certificate in /etc/ldap/ using directions
  from
  starttls(8).
  The ldapd starts and listens to ldap and ldaps ports.
  But when I run: # ldapmodify -x -H ldaps://ldapd.tumfatig.local -D
  cn=admin,dc=tumfatig,dc=local -W -f /tmp/tumfatig
  I get: additional info: error:14090086:SSL
  routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
  The ldapd (in debug mode) says: SSL library error: ssl_session_accept:
  error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
 
  Can I use ldapd with self-signed certificate ?
  Did I miss a step ?
 
  There are two aspects to verifying a cert:
  1) does it have a valid signature?
  2) is the CA that signed this trustable at all?
 
  The point of this is to know whether you can trust the contents of the
  cert so that you're protected from Man-in-the-Middle attacks.  If you
  accepted any self-signed cert then anyone could generate a cert that
  claimed to be your server, then splice your TCP connection and snoop
  and modify all your data.
 
  So, you need some way to know which certs to trust; that's where #1
  and #2 come in.  #1 validates that this cert can be traced back to a
  particular CA, while #2 is where you decide whether that CA is okay.
  #1 is done automatically by the OpenSSL code; #2 is done by putting
  all the CAs you want to trust in location(s) that OpenSSL checks.
 
  For a self-signed cert, step #1 is basically trivial, while #2 is done
  by either putting a link to the cert in /etc/ssl/certs/ with a name
  that's derived from a hash of the cert's subject, or adding the cert
  itself to /etc/ssl/cert.pem.  The latter is easy but you may find it
  cluttered.  To do the former, do something like:
 cert_file=/absolute/path/to/the/cert.pem
  ln -s $cert_file /etc/ssl/certs/`openssl x509 -noout -in $cert_file -subject_hash`.0
 
  Note that /etc/ssl/cert* are the default trust paths for practically
  all openssl-based apps, so a cert added there will be trusted for lots
  of things.  If you don't like that idea then you'll need to look at
  how to set the CA paths for the apps you want to trust that cert.
  That's fairly specific to the involved app.  starttls(8) describes the
  settings for sendmail, ldap.conf(5) describes it for the OpenLDAP
  libldap and clients, etc.
 
 
  Philip Guenther
 
 
  Thank you for this detailed explanation.
 
  For the moment, I'm just testing things in a closed environment.
  This is why I used self-signed certificates. In a real environment, I
  would go with certificates signed by a publicly known CA.
 
  I did try creating /etc/ssl/certs and linking my self-signed certificates
  as you describe. But that doesn't seem to work either.
 
  I also took one of my certificates, signed by a publicly known CA, but I
  still got the same message... I checked the certificate and it contains
  the path to the CA.
 
  But I still get the tlsv1 alert unknown ca error :(

 As Philip pointed out, you can specify the trusted CA certificate (or the
 certificate itself in case of self-signed certs) as specified in
ldap.conf(5),
 provided you are using OpenLDAP.

 Try this in your ~/ldaprc:
 TLS_CACERT /path/to/ldapd.crt

   -martin


That worked, thanks.

In fact, the self-signed certificate I generated had a weird expiry date.
Now, having the certificate copied in /etc/ssl/certs/ and referenced in
/etc/openldap/ldap.conf enables the SSL connection.

Thanks a lot guys!
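
The following is an added example, not code from the thread or from OpenBSD. It walks through Philip's two checks (signature, then "is this CA trusted") and Martin's TLS_CACERT fix with openssl(1) alone, so the "unknown ca" failure can be reproduced and cleared offline without a running ldapd. The hostname ldapd.tumfatig.local comes from the thread; every path, the 365-day lifetime and the key size are assumptions, and the scratch directory stands in for /etc/ssl/certs/.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl(1) in PATH; every path
# is a hypothetical scratch location so it runs without touching /etc/ssl.
set -eu

WORK=$(mktemp -d)
CERT="$WORK/ldapd.crt"        # what ldapd.conf would name as "certificate ldapd"
KEY="$WORK/ldapd.key"
CAPATH="$WORK/certs"          # stand-in for /etc/ssl/certs/

# Self-signed server cert. The CN must be the name the client dials
# (ldapd.tumfatig.local in the thread); the cert is its own issuer.
make_selfsigned_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=ldapd.tumfatig.local" \
        -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
}

# Trust it the way Philip describes: a symlink named <subject_hash>.0 in a
# directory OpenSSL scans. The hash must come from the same OpenSSL release
# the client links against (1.0.0 changed the algorithm; see -subject_hash_old).
install_trust_link() {
    mkdir -p "$CAPATH"
    h=$(openssl x509 -noout -subject_hash -in "$CERT")
    ln -sf "$CERT" "$CAPATH/$h.0"
}

# Offline equivalent of the client's chain check: exit 0 only when the cert
# chains to something in the given directory. Pointing this at an empty
# directory reproduces the "unknown ca" situation.
verify_with_capath() {
    openssl verify -CApath "$1" "$CERT" >/dev/null 2>&1
}

# Joel's cert had a bad expiry date: check the validity window explicitly
# (exit 0 unless the cert has already expired).
cert_not_expired() {
    openssl x509 -noout -checkend 0 -in "$CERT" >/dev/null 2>&1
}

# Per-user OpenLDAP client config (ldap.conf(5)). TLS_CACERTDIR would point
# at the hashed directory instead of naming the file.
write_ldaprc() {
    printf 'TLS_CACERT %s\n' "$CERT" > "$WORK/ldaprc"
    cat "$WORK/ldaprc"
}

# Against a real server, the same trust decision can be watched with:
#   openssl s_client -connect ldapd.tumfatig.local:636 -CAfile "$CERT" </dev/null
main() {
    make_selfsigned_cert
    install_trust_link
    openssl x509 -noout -subject -dates -in "$CERT"
    verify_with_capath "$CAPATH" && echo "trusted via $CAPATH"
    write_ldaprc
}

main
```

If `openssl verify` passes against the hashed directory but the LDAP client still reports "unknown ca", the client is not reading that directory: OpenLDAP's libldap only consults TLS_CACERT/TLS_CACERTDIR from ldap.conf(5) or ~/.ldaprc, not whatever other OpenSSL-based programs on the box default to.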



Re: ldapd and self-signed certificate

2010-11-14 Thread Joel Carnat
-Original message-
To:  Joel Carnat j...@carnat.net;
Cc: misc@openbsd.org;
From: Philip Guenther guent...@gmail.com
Sent: Sun 14-11-2010 02:25
Subject:  Re: ldapd and self-signed certificate
 On Sat, Nov 13, 2010 at 12:02 PM, Joel Carnat j...@carnat.net wrote:
  I want to use LDAP to store postfix, apache and dovecot users.
  This sounds a quite simple need so I plan to use the native ldapd.
 ...
  Then I created a self-signed certificate in /etc/ldap/ using directions
from
  starttls(8).
  The ldapd starts and listens to ldap and ldaps ports.
  But when I run: # ldapmodify -x -H ldaps://ldapd.tumfatig.local -D
  cn=admin,dc=tumfatig,dc=local -W -f /tmp/tumfatig
  I get: additional info: error:14090086:SSL
  routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
  The ldapd (in debug mode) says: SSL library error: ssl_session_accept:
  error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
 
  Can I use ldapd with self-signed certificate ?
  Did I miss a step ?

 There are two aspects to verifying a cert:
 1) does it have a valid signature?
 2) is the CA that signed this trustable at all?

 The point of this is to know whether you can trust the contents of the
 cert so that you're protected from Man-in-the-Middle attacks.  If you
 accepted any self-signed cert then anyone could generate a cert that
 claimed to be your server, then splice your TCP connection and snoop
 and modify all your data.

 So, you need some way to know which certs to trust; that's where #1
 and #2 come in.  #1 validates that this cert can be traced back to a
 particular CA, while #2 is where you decide whether that CA is okay.
 #1 is done automatically by the OpenSSL code; #2 is done by putting
 all the CAs you want to trust in location(s) that OpenSSL checks.

 For a self-signed cert, step #1 is basically trivial, while #2 is done
 by either putting a link to the cert in /etc/ssl/certs/ with a name
 that's derived from a hash of the cert's subject, or adding the cert
 itself to /etc/ssl/cert.pem.  The latter is easy but you may find it
 cluttered.  To do the former, do something like:
 cert_file=/absolute/path/to/the/cert.pem
 ln -s $cert_file /etc/ssl/certs/`openssl x509 -noout -in $cert_file -subject_hash`.0

 Note that /etc/ssl/cert* are the default trust paths for practically
 all openssl-based apps, so a cert added there will be trusted for lots
 of things.  If you don't like that idea then you'll need to look at
 how to set the CA paths for the apps you want to trust that cert.
 That's fairly specific to the involved app.  starttls(8) describes the
 settings for sendmail, ldap.conf(5) describes it for the OpenLDAP
 libldap and clients, etc.


 Philip Guenther


Thank you for this detailed explanation.

For the moment, I'm just testing things in a closed environment.
This is why I used self-signed certificates. In a real environment, I
would go with certificates signed by a publicly known CA.

I did try creating /etc/ssl/certs and linking my self-signed certificates
as you describe. But that doesn't seem to work either.

I also took one of my certificates, signed by a publicly known CA, but I
still got the same message... I checked the certificate and it contains
the path to the CA.

But I still get the tlsv1 alert unknown ca error :(

  Joel Carnat



ldapd and self-signed certificate

2010-11-13 Thread Joel Carnat
Greetings,

I want to use LDAP to store postfix, apache and dovecot users.
This sounds a quite simple need so I plan to use the native ldapd.

I have installed 4.8 GENERIC.MP#335 amd64 and configured ldapd as follows:
#   $OpenBSD: ldapd.conf,v 1.2 2010/06/29 02:50:22 martinh Exp $

schema /etc/ldap/core.schema
schema /etc/ldap/inetorgperson.schema
schema /etc/ldap/nis.schema
schema /etc/ldap/courier.schema

listen on lo0
listen on lo0 ldaps certificate ldapd
listen on em0
listen on em0 ldaps certificate ldapd
listen on /var/run/ldapi

namespace dc=tumfatig,dc=local {
rootdn  cn=admin,dc=tumfatig,dc=local
rootpw  xxx
index   sn
index   givenName
index   cn
index   mail
}

Then I created a self-signed certificate in /etc/ldap/ using directions from
starttls(8).
The ldapd starts and listens to ldap and ldaps ports.
But when I run: # ldapmodify -x -H ldaps://ldapd.tumfatig.local -D
cn=admin,dc=tumfatig,dc=local -W -f /tmp/tumfatig
I get: additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
The ldapd (in debug mode) says: SSL library error: ssl_session_accept:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

Can I use ldapd with self-signed certificate ?
Did I miss a step ?

Thanks for your help.
  Jo



HTC P3300 not recognised by uipaq

2008-07-31 Thread Joel CARNAT
Hello,

I read on uipaq(4) that HTC SmartPhone are supported.

I plugged my HTC P3300, running Windows Mobile 6, into my Eee PC running
4.4/i386, but it does not attach to uipaq:
  ugen0 at uhub1 port 2 HTC Generic RNDIS rev 2.00/0.00 addr2

usbdevs says:
 port 2 addr 2: full speed, power 100mA, config 1, Generic
RNDIS(0x0bce), HTC(0x0bb4), rev 0.00, iSerialNumber
210f0b17-58df-2103-b800-0050bf3f5173

Did I miss something ?
TIA,
Jo





Re: [ landisk ] - install w/o the serial console

2008-07-23 Thread Joel CARNAT
On Tue, 22 July 2008 14:05, Thomas Schoeller wrote:
 hello,

 https://tiifp.org/landisk.html

 maybe this helps.


Yeah ! Using the boot code from miniroot did the trick !
My Plextor PX-EH40L (hw.model=I-O DATA USL-5P) is now running 4.4-beta :-)

Thanks a lot !

 thomas

 On Thu, Jul 17, 2008 at 03:43:34PM +0200, Joel CARNAT wrote:
 Hello,

 I have a serial console on my Plextor PX-EH40L which seems to be broken
 now (no RX available). After quite a few tests of various OSes, the
 disk is now blanked. Until I get a new serial console, I'd like to try
 OpenBSD 4.4 on that disk. I couldn't find the procedure to manually
 install OpenBSD on it. I'm not talking about the
 disklabel/fdisk/newfs/tar
 part :) I can probably manage that one. I'm more concerned about making
 the installation bootable.

 Is the INSTALLBOOT(8) command enough to prepare the disk to boot the
 system ?

 Let's say I boot OpenBSD/i386 on my laptop.
 Prepare and untar /landisk binaries onto /mnt ; the disk being plugged in
 via an IDE/USB adapter and recognised as /dev/sd0.
 Would the following commands make the disk bootable ?
 # cp -p /mnt/usr/mdec/boot /mnt/boot
 # /usr/mdec/installboot -v /mnt/boot /mnt/usr/mdec/biosboot sd0

 TIA,
 Jo



[ landisk ] - install w/o the serial console

2008-07-17 Thread Joel CARNAT
Hello,

I have a serial console on my Plextor PX-EH40L which seems to be broken
now (no RX available). After quite a few tests of various OSes, the
disk is now blanked. Until I get a new serial console, I'd like to try
OpenBSD 4.4 on that disk. I couldn't find the procedure to manually
install OpenBSD on it. I'm not talking about the disklabel/fdisk/newfs/tar
part :) I can probably manage that one. I'm more concerned about making
the installation bootable.

Is the INSTALLBOOT(8) command enough to prepare the disk to boot the system ?

Let's say I boot OpenBSD/i386 on my laptop.
Prepare and untar /landisk binaries onto /mnt ; the disk being plugged in
via an IDE/USB adapter and recognised as /dev/sd0.
Would the following commands make the disk bootable ?
# cp -p /mnt/usr/mdec/boot /mnt/boot
# /usr/mdec/installboot -v /mnt/boot /mnt/usr/mdec/biosboot sd0

TIA,
Jo



Re: use ifstated to modify pf/rdr

2005-05-25 Thread Joel CARNAT
On Wed, May 25 2005 - 12:58, Jason Dixon wrote:
 On May 25, 2005, at 11:51 AM, Joel CARNAT wrote:

 I would like to use ifstated (OpenBSD 3.7/i386) in the
 http://www.openbsd.org/faq/pf/pools.html#incoming case (except I'll use
 SMTP server, not HTTP) to modify the $web_servers macros when one of
 the
 server if detected to be down (no SMTP response, or no ping, whatever
 is
 best).
 
 I found no such example on google and don't know where to start...
 
 Has anyone already done such a thing ?
 Anyone can provide me with the pf.conf part and ifstated.conf ?
 
 I've already use ftpsesame and play with the pf tags but I don't get
 how to produce them with ifstated...

 If you want to monitor servers and remove them from availability, use
 PF tables to store address lists.  Then use your script (shell, perl,
 etc) to monitor them and delete them from the table if they become
 unavailable.  When they come back to life, just add them to the table.


well... I thought ifstated would do that automagically (and was meant to
do such things). Did I misunderstand its use?

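
An added example, not code from the thread, implementing Jason's suggestion: the SMTP backends live in a pf table, and a monitor script probes them and uses pfctl(8) to delete or re-add them. The pf.conf fragment in the comment is the round-robin rdr from the FAQ page Joel links, with the macro replaced by a table (pre-4.7 rdr syntax, as the thread is from 3.7). The table name, thresholds, addresses and state directory are assumptions; `nc` is assumed for the probe. The state counter is what keeps a single dropped connection from flapping a server out of the pool, which a bare "ping or no ping" test would not do.

```shell
#!/bin/sh
# Added example, not from the thread. Keeps SMTP backends in a pf table and
# lets this monitor pull/restore them, as Jason suggested.
#
# Hypothetical pf.conf it manages (3.x-era rdr syntax, table instead of macro):
#   ext_if = "fxp0"
#   table <smtp_servers> persist { 192.168.1.10, 192.168.1.11 }
#   rdr on $ext_if proto tcp from any to ($ext_if) port smtp \
#       -> <smtp_servers> round-robin
#
# Assumptions: nc(1) for the probe, pfctl(8) for table changes, and a
# writable STATE_DIR for the per-host failure counters.
TABLE=smtp_servers
FAIL_THRESHOLD=3                            # consecutive failures before removal
STATE_DIR=${STATE_DIR:-/var/run/smtpmon}    # hypothetical path

# An SMTP greeting starts with code 220; anything else, or silence, is a failure.
banner_is_ok() {
    case "$1" in
        220*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Probe: connect to port 25, read the first line, politely QUIT.
probe_smtp() {
    banner=$(printf 'QUIT\r\n' | nc -w 3 "$1" 25 2>/dev/null | head -n 1)
    banner_is_ok "$banner"
}

# Update the failure counter for a host and print the pfctl command to run,
# if any. Args: host result (0 = answered, 1 = failed).
# A host is deleted once, when it reaches FAIL_THRESHOLD, and added back on
# the first successful probe after that; in between nothing is printed.
update_state() {
    host=$1; result=$2
    mkdir -p "$STATE_DIR"
    f="$STATE_DIR/$host"
    fails=0
    [ -f "$f" ] && read -r fails < "$f"
    if [ "$result" -eq 0 ]; then
        if [ "$fails" -ge "$FAIL_THRESHOLD" ]; then
            echo "pfctl -t $TABLE -T add $host"
        fi
        echo 0 > "$f"
    else
        fails=$((fails + 1))
        echo "$fails" > "$f"
        if [ "$fails" -eq "$FAIL_THRESHOLD" ]; then
            echo "pfctl -t $TABLE -T delete $host"
        fi
    fi
}

# One monitoring pass over the hosts given as arguments; run from cron(8)
# or a loop. Usage: monitor_pass 192.168.1.10 192.168.1.11
monitor_pass() {
    for h in "$@"; do
        if probe_smtp "$h"; then r=0; else r=1; fi
        cmd=$(update_state "$h" "$r")
        if [ -n "$cmd" ]; then
            echo "$cmd"      # log the change
            eval "$cmd"      # apply it; replace with ':' for a dry run
        fi
    done
}
```

Because `round-robin` over a table is evaluated per new connection, a `pfctl -T delete` takes effect for the next inbound SMTP session without reloading the ruleset; existing sessions to the dead server are left to time out.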


