Re: spamd: being careful with Chinese IPs
2006. November 26. 04:09, Jacob Yocom-Piatt:
> i've finally begun to receive enough spam at a domain of mine that i'm ready to implement spamd. one of our contacts is in china and it's critical that we not block or unduly defer his emails. i expect that there is a way to ensure appropriate behavior in spamd.
>
> the MX record for our contact's company is in the 222.73.0.0/16 netblock and spamd's china list includes that block in the 222.64.0.0/11 netblock. this means that the default pf.conf spamd rdrs won't quite cut it since IPs in spamd will always go to spamd and never deliver.
>
> preceding the usual
>
> rdr pass on $ext_if proto tcp from <spamd> to port smtp \
>         -> 127.0.0.1 port spamd
> rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
>         -> 127.0.0.1 port spamd
>
> with a spamd-white rdr like
>
> rdr pass on $ext_if proto tcp from <spamd-white> to port smtp \
>         -> $mail port smtp
>
> should, in conjunction with greylisting, allow MTAs from the spamd table that attempt redelivery to get onto the spamd-white table and then get mail through, right?
>
> if the answer to the above question is no or this will not work, alternate suggestions are appreciated.
>
> cheers,
> jake

Hi!

You can always use /etc/spamd.conf to implement whitelists. You can block china with it, and then cut the required addresses from the list.

HTH,
Daniel

--
LeVA
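What "cutting" the contact's block out of the china list amounts to, worked through for the two netblocks named in the question. This is an added example, not part of the thread and not spamd's own code; the function names and the sample MX address are constructed for illustration, and IPv4-only input is assumed.

```python
import ipaddress

def subtract_whitelist(black, white):
    """Return the blacklist CIDRs left after cutting out every whitelist CIDR."""
    remaining = [ipaddress.ip_network(b) for b in black]
    for w in map(ipaddress.ip_network, white):
        next_round = []
        for b in remaining:
            if b.subnet_of(w):
                # The whole blacklist block is whitelisted: drop it.
                continue
            if w.subnet_of(b):
                # The whitelist is a hole inside the block: keep the pieces around it.
                next_round.extend(b.address_exclude(w))
            else:
                # No overlap: the block is unchanged.
                next_round.append(b)
        remaining = next_round
    return sorted(ipaddress.collapse_addresses(remaining))

def is_blacklisted(addr, nets):
    """True if addr falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

BLACK = ["222.64.0.0/11"]    # china-list block named in the post
WHITE = ["222.73.0.0/16"]    # block holding the contact's MX, per the post
SAMPLE_MX = "222.73.10.25"   # constructed address inside the whitelisted block

if __name__ == "__main__":
    nets = subtract_whitelist(BLACK, WHITE)
    for n in nets:
        print(n)
    print(SAMPLE_MX, "blacklisted:", is_blacklisted(SAMPLE_MX, nets))
```

The single /11 becomes five smaller blocks that together cover everything except the /16, so neighbouring ranges such as 222.72.0.0/16 stay blacklisted.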
Re: Building from scratch (4.0 stable) failed on i386...
2006. November 26. 01:56, Alvaro Mantilla Gimenez:
> Hi,
>
> After following the instructions from the FAQ 5.3.5 the system returns:
>
> # rm -rf /usr/obj/*
> # cd /usr/src
> # make obj
> # cd /usr/src/etc && env DESTDIR=/ make distrib-dirs
> # cd /usr/src
> # make build
> cd /usr/src/share/mk && exec make install
> [...]
> *** The command '/usr/bin/gcc -o conftest -g -O2 conftest.c' failed.
> *** You must set the environment variable CC to a working compiler.
> *** Error code 1
>
> Stop in /usr/src/gnu/usr.bin/binutils.
> *** Error code 1
>
> Stop in /usr/src/include (line 82 of Makefile).
> *** Error code 1
>
> Stop in /usr/src (line 73 of Makefile).
>
> Any ideas?
>
> Thanks in advance,
> Alvaro

This is just a guess, but do you have the comp40.tgz fileset installed?

Daniel

--
LeVA
new postgresql in ports
Hi!

There was a commit today which updates postgresql to version 8.1.5. This fix made it to the stable branch too, so will there be a package for it, or do I have to compile it from ports? I don't really understand how this updating process works yet, so just forgive (but not ignore :) me, if I'm writing foolish things.

Thanks!
Daniel

--
LeVA
Re: new postgresql in ports
2006. October 29. 22:30, viq:
> On 29/10/06, LeVA [EMAIL PROTECTED] wrote:
>> Hi!
>>
>> There was a commit today which updates postgresql to version 8.1.5. This fix made it to the stable branch too, so will there be a package for it, or do I have to compile it from ports? I don't really understand how this updating process works yet, so just forgive (but not ignore :) me, if I'm writing foolish things.
>
> From what I've seen, for current the packages are usually built something like once or twice a month, for most arches. For stable, from the discussions here I understand packages are (re)built if they are updated, but pretty much only for i386. So if you don't want to wait, or are on a different architecture, you need to build it from ports.

I'm using -stable and i386. I can wait, and I want to, if I only knew how long... (at least approximately; 1 week | 2 months?). I see that screen still hasn't got an updated package, although there was a security update for it a few days (maybe 1 week?) ago.

Daniel

--
LeVA
need help in dealing with a simple thing (file permissions)
Hi!

I know this is a rather simple problem, but I would like to hear some advice. I'm using a piped Custom- and ErrorLog in apache; it pipes the output to cronolog (the log files are rotated every 24 hours). The log files are created with 644 permissions, and this is what I am trying to avoid; I want to force the new logfile to have 640 permissions.

So far I thought of a cron line which would be `chmod -R o= /var/www/logs/`. Then the umask command came to my mind, but then I would have to make a script which contains the umask line and after that calls cronolog, and pipe the logs to this script.

Would someone please give me a hint for a simpler and more elegant solution?

Thanks!
Daniel

--
LeVA
Re: need help in dealing with a simple thing (file permissions)
2006. October 21. 16:23, Han Boetes:
> Read /etc/newsyslog and man newsyslog.
>
> # Han

Thanks, but newsyslog can not help me, because it can not reload my apache when the rotation is happening (it is chrooted and has to load external modules).

Daniel

--
LeVA
can not compile the new kernel
Hi!

I've applied the patches from the errata page, and now I'm trying to recompile the kernel.

/usr/src/sys/arch/i386/conf $ config GENERIC
Don't forget to run make depend
/usr/src/sys/arch/i386/conf $ cd ../compile/GENERIC
/usr/src/sys/arch/i386/compile/GENERIC $ make clean depend
Makefile, line 65: Could not find c /usr/src/sys/arch/i386/compile/GENERIC/../../../../lib/libkern/Makefile.inc
Makefile, line 73: Could not find c /usr/src/sys/arch/i386/compile/GENERIC/../../../../compat/common/Makefile.inc
Fatal errors encountered -- cannot continue

Would someone help me with this?

Thanks!
Daniel

--
LeVA
security updates
Hi!

Could someone please tell me how I can verify whether these security bugs are fixed or not in openbsd-3.9-stable?

PHP: CVE-2006-4020 [0]
OpenSSL: CVE-2006-4339 [1]

OpenSSL: I'm updating my source tree regularly and didn't notice any changes to openssl's sources.

PHP: I can verify that the php5-core sources from ports (-stable) don't contain the patch from the php bug tracker [2]. I think it means that my current php5 install is vulnerable to this flaw. Do I need to manually apply the patch, or will there be an update to this?

Thanks!
Daniel

Links:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4020
[1] http://www.openssl.org/news/secadv_20060905.txt
[2] http://bugs.php.net/bug.php?id=38322

--
LeVA
arplookup: unable to enter address for x.x.x.x
Hi!

I'm getting this message in the messages log file:

arplookup: unable to enter address for 193.x.x.x

My ip is in the 212.x.x.x net, but the above ip also belongs to my ISP, and I can ping it and reach it. It is the ISP's mail server, and occasionally it forwards mails to my host, and I think this error(?) is happening then.

The closest answer that I've found was this:
http://archives.neohapsis.com/archives/openbsd/2004-08/0900.html

But is this really the right solution? Anyhow, is this an error at all?

Thanks!
Daniel

--
LeVA
questions about the ports tree and the stable branch
Hi!

Yes I've read thru the docs under openbsd.org, and I don't think these are very difficult questions, so I would be grateful if someone would just post a quick response :) Also please note that this is my very first openbsd install, and the first post to this list ever.

I've installed the 3.9 release, and I wish to follow the -stable (patch) branch. I've downloaded the src.tar.gz and the sys.tar.gz packages. I've extracted them under /usr/src.

1. Is it right if I'm thinking that I only need to rebuild a software in /usr/src if there is a security update for it (on the errata page)? For example there was a security update for httpd at 2006.07.30.

2. It is not clear to me why I can find a package called 'dovecot-1.0.beta8.tgz' under ftp.openbsd.org/pub/OpenBSD/3.9/packages/i386/, and I can not find this package under my updated (from the -stable branch) /usr/ports tree. However, there is a 'dovecot-1.0.beta3.tgz' package which exists under both places.

3. I don't know what the relationship is between the ports.openbsd.nu site and the OpenBSD project, so this will maybe be an OT question. I can find a dovecot-1.0.rc2p3 package on ports.openbsd.nu. Is that only in the -current ports tree, and that is why I can not find it under my -stable ports tree, or is that a totally different ports tree, and I must checkout from there, if I want to use that software?

All this struggle because I must upgrade from dovecot-beta8 to beta9, because of a bug in the DIGEST-MD5 auth in beta8.

Thanks for the answers!
Daniel

--
LeVA
Re: questions about the ports tree and the stable branch
2006. August 18. 15:33, Didier Wiroth:
> Hello,
>
>> 1. Is it right if I'm thinking that I only need to rebuild a software in /usr/src if there is a security update for it (on the errata page)? For example there was a security update for httpd at 2006.07.30.
>
> You don't have to do an entire rebuild in /usr/src. When a new security patch is out, download the patch and read the first few lines of it. Try downloading the 004_httpd_patch and have a look at the first lines, it will describe what you have to do.

Very nice, thank you! This is really simple and straightforward (if someone explains it :)

>> 2. It is not clear to me why I can find a package called 'dovecot-1.0.beta8.tgz' under ftp.openbsd.org/pub/OpenBSD/3.9/packages/i386/, and I can not find this package under my updated (from the -stable branch) /usr/ports tree. However, there is a 'dovecot-1.0.beta3.tgz' package which exists under both places.
>
> Hmm ... perhaps you did not correctly update your sources:
> http://www.openbsd.org/cgi-bin/cvsweb/ports/mail/dovecot/Makefile?only_with_tag=OPENBSD_3_9

Totally my fault, sorry. I was searching for dovecot with 'make search key=dovecot', and I was not aware of the /usr/ports/INDEX file. I had to update it with 'make index', and now I can find it. Also, I've read in the ports(7) file that the 'make search' method is obsolescent. What is the preferred way instead of that?

>> 3. I don't know what the relationship is between the ports.openbsd.nu site and the OpenBSD project, so this will maybe be an OT question. I can find a dovecot-1.0.rc2p3 package on ports.openbsd.nu. Is that only in the -current ports tree, and that is why I can not find it under my -stable ports tree, or is that a totally different ports tree, and I must checkout from there, if I want to use that software?
>
> From the few visits to the site, the ports.openbsd.nu shows updates and new additions to the current ports tree. I think ports.openbsd.nu is a nice parallel project to openbsd. It is not really part of the project itself, some volunteers did this nice job and now we have a cool web interface so that we are able to see the latest port news.
>
> The actual current tree is the ports collection for the upcoming openbsd 4.0, you should not use it for the openbsd_3_9 stable branch. Perhaps 'dovecot-1.0.beta3.tgz' was updated to beta8 in the stable branch because of a security issue. Have a look here:
> http://www.openbsd.org/faq/faq15.html#PortsSecurity
>
> If 'dovecot-1.0.beta8.tgz' is available you should use this version.
>
> I hope this helps
> Kind regards
> Didier

Thanks again Didier for the explanations and the help. Really appreciated!

Daniel

--
LeVA