Re: spamd: being careful with Chinese IPs

2006-11-26 Thread LeVA
2006. November 26. 04:09, Jacob Yocom-Piatt:
 i've finally begun to receive enough spam at a domain of mine that
 i'm ready to implement spamd. one of our contacts is in china and
 it's critical that we not block or unduly defer his emails. i expect
 that there is a way to ensure appropriate behavior in spamd.

 the MX record for our contact's company is in the 222.73.0.0/16
 netblock and spamd's china list includes that block in the
 222.64.0.0/11 netblock. this means that the default pf.conf spamd
 rdrs won't quite cut it since IPs in spamd will always go to spamd
 and never deliver. preceding the usual

 rdr pass on $ext_if proto tcp from <spamd> to port smtp \
 -> 127.0.0.1 port spamd
 rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
 -> 127.0.0.1 port spamd

 with a spamd-white rdr like

 rdr pass on $ext_if proto tcp from <spamd-white> to port smtp \
 -> $mail port smtp

 should, in conjunction with greylisting, allow MTAs from the spamd
 table that attempt redelivery to get onto the spamd-white table and
 then get mail through, right?

 if the answer to the above question is no or this will not work,
 alternate suggestions are appreciated.

 cheers,
 jake
Hi!

You can always use /etc/spamd.conf to implement whitelists. You can 
block china with it, and then cut the required addresses from the list.

HTH,
Daniel

-- 
LeVA
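
What "cut the required addresses from the list" means for the netblocks named in this thread, as an added example that is not part of the original messages: removing a whitelisted range from a covering blacklist block splits the block around it. The function names and the second blacklist entry (a documentation range) are constructed for illustration.

```python
import ipaddress


def cut_from_blacklist(blacklist, whitelist):
    """Return the blacklist CIDRs with every whitelisted range removed."""
    remaining = [ipaddress.ip_network(b) for b in blacklist]
    for white in map(ipaddress.ip_network, whitelist):
        next_round = []
        for block in remaining:
            if not block.overlaps(white):
                next_round.append(block)      # unrelated block, keep whole
            elif block.subnet_of(white):
                continue                      # entirely whitelisted, drop it
            else:
                # CIDR blocks either nest or are disjoint, so here the
                # whitelist entry lies strictly inside the block: split it.
                next_round.extend(block.address_exclude(white))
        remaining = next_round
    return sorted(ipaddress.collapse_addresses(remaining))


def is_blacklisted(addr, networks):
    """True if addr falls inside any of the remaining blacklist networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


# Netblocks from the thread, plus one constructed entry (192.0.2.0/24)
# that the whitelist does not touch.
BLACKLIST = ["222.64.0.0/11", "192.0.2.0/24"]
WHITELIST = ["222.73.0.0/16"]

if __name__ == "__main__":
    result = cut_from_blacklist(BLACKLIST, WHITELIST)
    for net in result:
        print(net)
    # The contact's MX range is no longer covered; its neighbours still are.
    print(is_blacklisted("222.73.10.20", result))
    print(is_blacklisted("222.74.0.1", result))
```
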



Re: Building from scratch (4.0 stable) failed on i386...

2006-11-26 Thread LeVA
2006. November 26. 01:56, Alvaro Mantilla Gimenez:
 Hi,

  After following the instructions from the FAQ 5.3.5 the system returns:

 # rm -rf /usr/obj/*
 # cd /usr/src
 # make obj
 # cd /usr/src/etc && env DESTDIR=/ make distrib-dirs
 # cd /usr/src
 # make build

 cd /usr/src/share/mk && exec make install
[...]
 *** The command '/usr/bin/gcc -o conftest -g -O2   conftest.c'
 failed. *** You must set the environment variable CC to a working
 compiler. *** Error code 1

 Stop in /usr/src/gnu/usr.bin/binutils.
 *** Error code 1

 Stop in /usr/src/include (line 82 of Makefile).
 *** Error code 1

 Stop in /usr/src (line 73 of Makefile).



 Any ideas?


   Thanks in advance,

  Alvaro
This is just a guess, but do you have the comp40.tgz fileset installed?

Daniel

-- 
LeVA



new postgresql in ports

2006-10-29 Thread LeVA
Hi!

There was a commit today which updates postgresql to version 8.1.5. This 
fix made it to the stable branch too, so will there be a package for 
it, or do I have to compile it from ports?
I don't really understand how this updating process works yet, so just 
forgive (but not ignore :) me, if I'm writing foolish things.

Thanks!

Daniel

-- 
LeVA



Re: new postgresql in ports

2006-10-29 Thread LeVA
2006. October 29. 22:30, viq:
 On 29/10/06, LeVA [EMAIL PROTECTED] wrote:
  Hi!
 
  There was a commit today which updates postgresql to version 8.1.5.
  This fix made it to the stable branch too, so will there be a
  package for it, or do I have to compile it from ports?
  I don't really understand how this updating process works yet, so
  just forgive (but not ignore :) me, if I'm writing foolish things.

 From what I've seen, for current the packages are usually built
 something like once or twice a month, for most arches. For stable,
 from the discussions here I understand packages are (re)built if they
 are updated, but pretty much only for i386. So if you don't want to
 wait, or are on a different architecture, you need to build it from
 ports.
I'm using -stable and i386. I can wait, and I want to, if I only knew 
how long... (at least approximately; 1 week | 2 months?). I see that 
screen still hasn't got an updated package, although there was a 
security update for it a few days (maybe 1 week?) ago.

Daniel

-- 
LeVA



need help in dealing with a simple thing (file permissions)

2006-10-21 Thread LeVA
Hi!

I know this is a rather simple problem, but I would like to hear some 
advice.

I'm using a piped Custom- and ErrorLog in apache, it pipes the output to 
cronolog (the log files are rotated every 24 hours). The log files are 
created with 644 permissions, and this is what I try to avoid, and 
force the new logfile to have 640 permissions.
So far I thought of a cron line which would be
`chmod -R o= /var/www/logs/`.
Then the umask command came to my mind, but then I would have to make a 
script, which contains the umask line, and after that call cronolog, 
and pipe the logs to this script.
Would someone please hint me with a more simple and elegant solution?

Thanks!

Daniel

-- 
LeVA



Re: need help in dealing with a simple thing (file permissions)

2006-10-21 Thread LeVA
2006. October 21. 16:23, Han Boetes:
 Read /etc/newsyslog and man newsyslog.


 # Han
Thanks, but newsyslog can not help me, because it can not reload my 
apache when the rotation is happening (it is chrooted and has to load 
external modules).

Daniel

-- 
LeVA



can not compile the new kernel

2006-10-08 Thread LeVA
Hi!

I've applied the patches from the errata page, and now I'm trying to 
recompile the kernel.

/usr/src/sys/arch/i386/conf $ config GENERIC
Don't forget to run make depend
/usr/src/sys/arch/i386/conf $ cd ../compile/GENERIC
/usr/src/sys/arch/i386/compile/GENERIC $ make clean depend
Makefile, line 65: Could not find 
c /usr/src/sys/arch/i386/compile/GENERIC/../../../../lib/libkern/Makefile.inc
Makefile, line 73: Could not find 
c /usr/src/sys/arch/i386/compile/GENERIC/../../../../compat/common/Makefile.inc
Fatal errors encountered -- cannot continue

Would someone help me with this?

Thanks!

Daniel

-- 
LeVA



security updates

2006-09-06 Thread LeVA
Hi!

Could someone please tell me how I can verify whether these security bugs 
are fixed or not in openbsd-3.9-stable? 

PHP: CVE-2006-4020 [0]
OpenSSL: CVE-2006-4339 [1]

OpenSSL:
I'm updating my source tree regularly and didn't notice any changes to 
openssl's sources.

PHP:
I can verify that the php5-core sources from ports (-stable) don't 
contain the patch from the php bug tracker [2]. I think it means that 
my current php5 install is vulnerable to this flaw. Do I need to 
manually apply the patch, or will there be an update to this?

Thanks!

Daniel


Links:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4020
[1] http://www.openssl.org/news/secadv_20060905.txt
[2] http://bugs.php.net/bug.php?id=38322

-- 
LeVA



arplookup: unable to enter address for x.x.x.x

2006-08-29 Thread LeVA
Hi!

I'm getting this message in the messages log file:
arplookup: unable to enter address for 193.x.x.x

My ip is in the 212.x.x.x net, but the above ip also belongs to my ISP, 
and I can ping it and reach it. It is the ISP's mail server, and 
occasionally it forwards mails to my host, and I think this error(?) is 
happening then.
The closest answer that I've found was this:

http://archives.neohapsis.com/archives/openbsd/2004-08/0900.html

But is this really the right solution? Anyhow, is this an error at all?

Thanks!

Daniel

-- 
LeVA



questions about the ports tree and the stable branch

2006-08-18 Thread LeVA
Hi!

Yes I've read thru the docs under openbsd.org, and I don't think these 
are very difficult questions, so I would be grateful if someone would 
just post a quick response :)
Also please note that this is my very first openbsd install, and the 
first post to this list ever.

I've installed the 3.9 release, and I wish to follow the -stable (patch) 
branch. I've downloaded the src.tar.gz and the sys.tar.gz packages. 
I've extracted them under /usr/src.

1. Is it right if I'm thinking that I only need to rebuild a software 
in /usr/src if there is a security update for it (on the errata page)?
For example there was a security update for httpd at 2006.07.30.

2. It is not clear to me why I can find a package 
called 'dovecot-1.0.beta8.tgz' under 
ftp.openbsd.org/pub/OpenBSD/3.9/packages/i386/, and I can not find this 
package under my updated (from the -stable branch) /usr/ports tree. 
However, there is a 'dovecot-1.0.beta3.tgz' package which exists under 
both places.

3. I don't know what the relationship is between the ports.openbsd.nu 
site and the OpenBSD project, so this will maybe be an OT question. I can 
find a dovecot-1.0.rc2p3 package on ports.openbsd.nu. Is that only in 
the -current ports tree, and that is why I can not find it under 
my -stable ports tree, or is that a totally different ports tree, and I 
must checkout from there, if I want to use that software.


All this struggle because I must upgrade from dovecot-beta8 to beta9, 
because of a bug in the DIGEST-MD5 auth in beta8.

Thanks for the answers!

Daniel

-- 
LeVA



Re: questions about the ports tree and the stable branch

2006-08-18 Thread LeVA
2006. August 18. 15:33, Didier Wiroth:
 Hello,

  1. Is it right if I'm thinking that I only need to rebuild a
  software in /usr/src if there is a security update for it (on
  the errata page)?
  For example there was a security update for httpd at 2006.07.30.

 You don't have to do an entire rebuild in /usr/src. When a new
 security patch is out, download the patch and read the first few
 lines of it. Try downloading the 004_httpd_patch and have a look at
 the first lines, it will describe what you have to do.
Very nice, thank you! This is really simple and straightforward (if 
someone explains it :)

  2. It is not clear to me why I can find a package
  called 'dovecot-1.0.beta8.tgz' under
  ftp.openbsd.org/pub/OpenBSD/3.9/packages/i386/, and I can not
  find this package under my updated (from the -stable branch)
  /usr/ports tree.
  However, there is a 'dovecot-1.0.beta3.tgz' package which
  exists under both places.

 Hmm ... perhaps you did not correctly update your sources:
 http://www.openbsd.org/cgi-bin/cvsweb/ports/mail/dovecot/Makefile?only_with_tag=OPENBSD_3_9
Totally my fault, sorry.
I was searching for dovecot with 'make search key=dovecot', and I was 
not aware of the /usr/ports/INDEX file. I had to update it with 'make 
index', and now I can find it. Also, I've read in the ports(7) file 
that the 'make search' method is obsolescent. What is the preferred 
way instead of that?

  3. I don't know what the relationship is between the
  ports.openbsd.nu site and the OpenBSD project, so this will
  maybe be an OT question. I can find a dovecot-1.0.rc2p3 package
  on ports.openbsd.nu. Is that only in the -current ports tree,
  and that is why I can not find it under my -stable ports
  tree, or is that a totally different ports tree, and I must
  checkout from there, if I want to use that software.

 From the few visits to the site, the ports.openbsd.nu shows updates
 and new additions to the current ports tree. I think
 ports.openbsd.nu is a nice parallel project to openbsd. It is not
 really part of the project itself, some volunteers did this nice job
 and now we have a cool web interface so that we are able to see the
 latest port news.

 The actual current tree is the ports collection for the upcoming
 openbsd 4.0, you should not use it for the openbsd_3_9 stable
 branch.

 Perhaps 'dovecot-1.0.beta3.tgz' was updated to beta8 in the stable
 branch because of a security issue. Have a look here:
 http://www.openbsd.org/faq/faq15.html#PortsSecurity

 If 'dovecot-1.0.beta8.tgz' is available you should use this version.

 I hope this helps
 Kind regards
 Didier
Thanks again Didier for the explanations and the help. Really 
appreciated!

Daniel

-- 
LeVA