Re: volatility or something like that in the future ?
Hey,

On 19.08.2023 at 12:05, whistlez wrote:
> I honestly don't understand this hatred. I call it that because I refuse to accept that you didn't understand the question. Volatility has no plugin to interpret a RAM dump on OpenBSD, and so having only the dump is totally useless. If you really don't understand, I'll paste the Volatility help to show you that there are no plugins for OpenBSD but only for Linux, Windows and Mac.

Just a simple suggestion here: as far as I can see this tool/application is written in Python, so, as mentioned before, make your own plugin then? Python should be available on OpenBSD; you can use the tools to dump information, you can start asking people who have a clue about interpreting the dump to give you hints and pointers, and then simply display it in your plugin as you please. That said, you of course need to put in the effort to write the plugin, and if you can't do it you might wanna ask on GitHub whether people who can are willing to do the work mentioned above. At that point you might get your plugin done.

And as clarification, I don't write this with any hatred, just as an observer of the past few mails.

Cheers

--
Before you write me an email ... have you tried switching it off and on again?

Markus Rosjat
fon: +49 351 8107224
mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220
fax: +49 351 8107227
Re: Allwinner D1 riscv64 mango pi SBC
tabs on Shivam, Mars, Brian, and Wenyan? Are they still interested in riscv64 after the initial port with yours and Dale's guidance?

I think I paid something like 30 EUR for a Mango Pi from AliExpress; buying 4 would work, but I can only do this when I have secured the job.

Best Regards,
-peter

--
Over thirty years experience on Unix-like Operating Systems starting with QNX.

--
Markus Rosjat
mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220
fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before you print it, think about your responsibility and commitment to the ENVIRONMENT
Re: Compatible
Hi,

On 22.02.2023 at 23:35, Iwil C wrote:
> Is OpenSSH compatible with an Azure VM, Windows Server OS 2016?

According to Microsoft it's officially supported for Windows Server 2019/2022:
https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui

Cheers
Re: OpenBSD on WatchGuard devices
Hi all,

Just wanted to thank all you guys who posted suggestions, I got an OpenBSD now running on my XTM5. I will try the Graeme solution for flashing the ROM to unlock the BIOS and I will post my progress too.

What worked for me was:
- Installing miniroot70.img on a USB drive
- Installing OpenBSD on a notebook with an SSD HDD
- setting tty to com0 in /etc/boot.conf

After plugging the HDD into the XTM5 it booted like a charm.

Thanks again you wonderful helpful people :)

Cheers
Re: OpenBSD on WatchGuard devices
Hi Lukas,

On 10.03.2022 at 10:23, Łukasz Moskała wrote:
> Hi,
> From what I read, you can use SSD/HDD in these things. So basically, you have two ways which I think should work:
> - DD miniroot70.img to hdd, plug hdd in, boot from it, install to same hdd you booted from. You may need to create boot.conf in miniroot70.img to use serial instead of non-existent vga if "boot>" prompt does not show up to do that at boot time.
> - plug hdd to another computer, install openbsd to it, move hdd to watchguard.

I will give it a shot, device is a XTM 5.

> The second way I found here: https://www.reddit.com/r/PFSENSE/comments/rce3i6/howto_pfsense_252_on_watchguard_xtm_5/

I saw that already but the steps he took don't seem to work for me so far.

> Let us know how it goes.
> --
> Łukasz Moskała

Cheers
Re: OpenBSD on WatchGuard devices
I already tried that on my XTM5 here but it isn't working so far; the problem seems to be a locked-down BIOS and I found some post that mentioned booting from the USB ports wasn't enabled.

What I tried so far is:
- booting from USB -> not working
- booting from a CF card -> not working

The BIOS version of the WatchGuard is 1.3

On 09.03.2022 at 17:21, Graeme Neilson wrote:
> On the WatchGuard XTM5 you remove the compact flash, add a hard drive to the internal SATA port and boot from USB using the RJ45 serial console. I have a patched lcdproc for the small screen. Arch is amd64 and you can very cheaply upgrade the CPU and add up to 8Gb RAM.
>
> On 10/03/2022, at 00:01, Markus Rosjat wrote:
>> Hi list,
>> has someone out there ever attempted to reuse WatchGuard devices? If so can he point out some hints on how to go about it? We have a few devices laying around here and I don't see the point in not trying to reuse them.
>> Cheers
OpenBSD on WatchGuard devices
Hi list,

has someone out there ever attempted to reuse WatchGuard devices? If so can he point out some hints on how to go about it? We have a few devices laying around here and I don't see the point in not trying to reuse them.

Cheers
Re: Infinite spin when trying to burn a CD
Hi,

for your output ...

On 26.03.2019 at 22:45, Jérôme FRGACIC wrote:
> write track data: error after 552960 bytes
> cdrecord: A write error occured.
> cdrecord: Please properly read the error message above.
> cdrecord: Input/output error. test unit ready: scsi sendcmd: retryable error
> CDB:  00 00 00 00 00 00
> status: 0x0 (GOOD STATUS)
> cmd finished after 0.000s timeout 40s

test unit ready checks if the device is ready to do what you want it to do.

> cdrecord: Input/output error. flush cache: scsi sendcmd: retryable error
> CDB:  35 00 00 00 00 00 00 00 00 00
> status: 0x0 (GOOD STATUS)
> cmd finished after 0.000s timeout 120s
> Trouble flushing the cache
> Writing time:    5.115s
> Average write speed 860.1x.
> Fixating...

this CDB tries to sync the cache and it seems to have a problem here; the good status indicates that the CDB was received by the device, after that it seems to get in trouble

> cdrecord: Input/output error. close track/session: scsi sendcmd: retryable error
> CDB:  5B 00 02 00 00 00 00 00 00 00
> status: 0x0 (GOOD STATUS)
> cmd finished after 0.009s timeout 480s
> cmd finished after 0.009s timeout 480s

this CDB tries to close the track/session; I don't know why you get a cmd finished twice here, maybe it's related to the cache problem.

> cdrecord: faio_wait_on_buffer for writer timed out.
> cdrecord: Input/output error. prevent/allow medium removal: scsi sendcmd: retryable error
> CDB:  1E 00 00 00 00 00
> status: 0x0 (GOOD STATUS)
> cmd finished after 0.000s timeout 40s

here you have your CDB for removing the media again

> cdrecord: Cannot fixate disk.
> Fixating time:  466.776s
> cdrecord: Input/output error. prevent/allow medium removal: scsi sendcmd: retryable error
> CDB:  1E 00 00 00 00 00
> status: 0x0 (GOOD STATUS)
> cmd finished after 0.000s timeout 40s

and once again because he could fixate it before I guess

> cdrecord: fifo had 77 puts and 10 gets.
> cdrecord: fifo was 0 times empty and 2 times full, min fill was 89%.

so this is what happens by the log; why it happened I can't tell by this output, but again the trouble starts with syncing the cache I guess.

regards
Re: Infinite spin when trying to burn a CD
sorry it might have got a bit confusing

On 26.03.2019 at 15:41, Markus Rosjat wrote:
>> cd0(ahci0:2:0): Check Condition (error 0x70) on opcode 0x1e
>> SENSE KEY: Illegal Request
>
> the opcode is for the CDB prevent allow media removal so I assume your hardware got a problem with the CDB sent by the software so it might be in a state where it still wants to read/write stuff.

it means the opcode does allow or prevent media removal; it depends on the prevent bits in the CDB, but you basically just have a 00 for allow or a 01 for prevent in the CDB. Anyway since sense already told you the request is illegal you have to figure out what came before the removal request so you might get a clue in what state the hardware still is.
Re: Infinite spin when trying to burn a CD
Hi,

might not be too much help but

On 26.03.2019 at 14:57, Maurice McCarthy wrote:
> I never looked at your dmesg earlier. These lines
>
> cd0(ahci0:2:0): Check Condition (error 0x70) on opcode 0x1e
> SENSE KEY: Illegal Request

the opcode is for the CDB prevent allow media removal so I assume your hardware got a problem with the CDB sent by the software so it might be in a state where it still wants to read/write stuff.

if you really want to figure out what the sense code or the check condition error means you have to read up the SBC specification on t10.org I guess

> suggest the OpenBSD system finds something wrong with your hardware. I'm not clever enough to speculate further. Sorry.

regards
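The three replies above decode the cdrecord transcript by hand: the opcode byte of each CDB, and for opcode 0x1e the prevent field (00 = allow removal, 01 = prevent removal). The following script is an added example, not code from the thread; it pulls the "CDB: ..." lines out of a cdrecord log and decodes exactly those fields. The opcode names come from the T10 SPC/MMC command sets; the sample transcript is assembled from the CDB lines quoted in the earlier reply.

```python
import re

# Opcodes that appear in the cdrecord output quoted in this thread
# (names per the T10 SPC/MMC command sets).
OPCODE_NAMES = {
    0x00: "TEST UNIT READY",
    0x1E: "PREVENT ALLOW MEDIUM REMOVAL",
    0x35: "SYNCHRONIZE CACHE",
    0x5B: "CLOSE TRACK/SESSION",
}

# Matches the "CDB:  1E 00 00 00 00 00" fragment cdrecord prints; the trailing
# "status: ..." text is not hex and therefore stops the match.
CDB_RE = re.compile(r"CDB:\s*((?:[0-9A-Fa-f]{2}\s+)*[0-9A-Fa-f]{2})")


def parse_cdb(line):
    """Return the CDB bytes found on one log line, or None if the line has none."""
    m = CDB_RE.search(line)
    if m is None:
        return None
    return bytes.fromhex(m.group(1))


def describe_cdb(cdb):
    """Decode the fields the thread discusses: opcode, and for 0x1E the
    PREVENT field in byte 4 (0 = allow removal, 1 = prevent removal)."""
    op = cdb[0]
    info = {"opcode": op, "name": OPCODE_NAMES.get(op, "unknown (0x%02X)" % op)}
    if op == 0x1E and len(cdb) >= 6:
        prevent = cdb[4] & 0x03
        info["prevent"] = prevent
        info["detail"] = "allow removal" if prevent == 0 else "prevent removal"
    elif op == 0x5B and len(cdb) >= 10:
        info["immed"] = cdb[1] & 0x01
        # Close function, byte 2 bits 2-0: 1 = close track, 2 = close session.
        info["close_function"] = cdb[2] & 0x07
    elif op == 0x35 and len(cdb) >= 10:
        info["immed"] = (cdb[1] >> 1) & 0x01
    return info


def decode_log(text):
    """Decode every CDB in a cdrecord transcript, in the order it was sent."""
    cdbs = (parse_cdb(line) for line in text.splitlines())
    return [describe_cdb(cdb) for cdb in cdbs if cdb is not None]


# CDB lines taken from the cdrecord output quoted earlier in this thread.
SAMPLE_LOG = """\
cdrecord: Input/output error. test unit ready: scsi sendcmd: retryable error
CDB:  00 00 00 00 00 00
status: 0x0 (GOOD STATUS)
cdrecord: Input/output error. flush cache: scsi sendcmd: retryable error
CDB:  35 00 00 00 00 00 00 00 00 00
cdrecord: Input/output error. close track/session: scsi sendcmd: retryable error
CDB:  5B 00 02 00 00 00 00 00 00 00
cdrecord: Input/output error. prevent/allow medium removal: scsi sendcmd: retryable error
CDB:  1E 00 00 00 00 00
"""

if __name__ == "__main__":
    for entry in decode_log(SAMPLE_LOG):
        print(entry)
```

Running it over the sample shows the sequence TEST UNIT READY, SYNCHRONIZE CACHE, CLOSE TRACK/SESSION (close function 2, close session), PREVENT ALLOW MEDIUM REMOVAL with prevent=0, i.e. the drive was being asked to allow removal again after the failed cache flush, which is the order of events the reply above walks through.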
Re: httpd acme-client renew multiple domains
Hi Mischa,

if you like some Python I got a small script for multiple domain cert renewal on my GitHub. I hope it's ok to post the link here:
https://github.com/rosjat/scripts/blob/master/shell/OpenBSD/acme_renew

it's nothing fancy and you can modify it for your needs or maybe make it better :)

regards
Re: python3 script not running as root
Hi Marc,

On 15.11.2018 at 14:05, Marc Espie wrote:
> 6.4, or snapshot? there was an unveil snafu with doas a few days ago.

6.4 release
Re: python3 script not running as root
Hi Martin and Daniel,

On 15.11.2018 at 09:24, Martin Sukany wrote:
> Hi,
> you'd fix this by defining PATH variable in your crontab, or specify the full path to python3 interpreter instead using env.

as Daniel also suggested I will try the PATH crontab approach, and this is because scripts with a full path in the shebang seem to run anymore on 6.4

regards
python3 script not running as root
Hi all,

I have a Python script to get some traffic stats from my machines and it is running without problems except for a newly installed OpenBSD 6.4 machine. There I get the following error:

env: python3: No such file or directory

This only happens when the cronjob is running; when I run it from the terminal with doas it works. That is kinda odd since both root and my user have python3 and env in their $PATH, at least the path to the executable.

some hints would be appreciated.

regards
GAMIN question again
Hi all,

so as far as I understand now gam_server should be started if a user logs in (like over imap) but it seems not to work. The docs mentioned in the /etc/garmin/garminrc file are also not helpful because they only tell you to look at the fam docs or API refs, but I don't want to use the API, I want to configure gamin to start gam_server when a user logs in.

so in the rc file you see something like

fsset ffs none

so I thought okay I might change that to

fsset ffs notify

but no changes; also

fsset ffs poll 1

doesn't seem to have an effect.

so to all out there who are using gamin, enlighten me how to configure it please

regards
Re: migrate python script from sudo to doas
Hi Vincent,

On 03.11.2018 at 07:22, vincent delft wrote:
> Hello Markus,
> I cannot reproduce your problem. As you can see here under I can create a user "test1" on the command line, and, with the same userid, I can create it with python2 and python3 too. (I'm running 6.4)
> I see 2 possible causes:
> - your python script,
> - or maybe the userid for which your python script runs is not the one defined in doas.conf.

I switched back to the spawnl function and it worked with doas, so I will stick with that since it's working. Maybe later I will revisit the problem and give it another try.

regards
Re: relayd.conf it's so confusing
Hi again,

On 02.11.2018 at 11:26, Markus Rosjat wrote:
> .. but also the match defined in the newly defined protocol is still working. That's something that shouldn't happen at all.

this seems to be resolved and was more or less browser related
relayd.conf it's so confusing
Hi all,

I have a relayd running that inspects the Host header of incoming traffic and then makes a decision to which server it should relay the traffic. So far so good, but a few things don't add up after a few changes.

for example I have a protocol definition like so:

http protocol "httpproxy" {
    match request quick header "Host" value "*domain1.tld" forward to
    match request quick header "Host" value "*domain2.tld" forward to
}

and relays like:

relay "www01proxy" {
    listen on $gateway port http
    protocol "httpproxy"
    forward to port http
}

relay "www02proxy" {
    listen on $gateway port http
    protocol "httpproxy"
    forward to port http
}

So this setup works, but now it gets confusing if I add another protocol and relay to the above:

http protocol "differenthttpproxy" {
    match request quick header "Host" value "*domain3.tld" forward to
}

relay "www03proxy" {
    listen on $gateway port http
    protocol "differenthttpproxy"
    forward to port http
}

now my relays 1 and 2 stop working, no traffic reaches the hosts. The order of the relays is www03 www01 www02 in the config, but it shouldn't be a problem because the protocols used are different.

So coming to strange part two. I disabled the new relay and well, the sites for relay 1 and 2 started to be reachable again, but also the match defined in the newly defined protocol is still working. That's something that shouldn't happen at all.

what I did between the changes was checking syntax and a rcctl reload relayd. I am reluctant to do a restart because it happens to crash the VM. The VM is running 6.1 with all syspatches applied.

regards
Re: httpd rewriterules like apache
Hi,

On 01.11.2018 at 11:40, Tony Boston wrote:
> You should definitely try the relayd(8) route here.

that would be forwarding it to the ip like

match request quick header "Host" value "*some.tld" forward to

but that wouldn't solve something like

RewriteRule ^(.*) http://some.tld/someotherdir/$1 [L,P]

so a http://www.my.tld would go to http://some.tld/something.http but wouldn't http://some.tld/someotherdir/something.http, or do I get it wrong?
httpd rewriterules like apache
Hi all,

I was wondering if it is possible to do a proxy rewrite like with the Apache rewrite mod?

RewriteRule ^(.*) http://some.tld/$1 [L,P]

So here the P flag should preserve the original domain in the URL and just proxy the request to the other location (not on the same machine!). Since there is redirection I can do this, but then the URL of course gets replaced, in a block directive:

block return 301 "http://dome.tld$REQUEST_URI"

I read that there is rewrite support but as far as I figured it's just for locations on the filesystem?

regards
Re: syntax error and doas.conf
Hi Bruno,

On 31.10.2018 at 12:23, Bruno Flueckiger wrote:
> On 31.10.18 10:42, Markus Rosjat wrote:
>
> Losing ten minutes time because of a mistake you've made all by yourself made you write this useless mail. Imagine how many times you could have read the man page of doas(8) and find out that there is the parameter -C to check the config file.
>
> Cheers,
> Bruno

thank you for the attitude! Now I learned even more: it's better not to share mistakes and keep them to yourself so the real pros are not bored by your findings because they are too simple to be made. I appreciate it!
Re: syntax error and doas.conf
Hi

On 31.10.2018 at 10:52, Consus wrote:
> Well, that's why we have sudoedit. With doas you are forced to
>
> $ doas cp -p /etc/doas.conf /etc/doas.conf.new
> $ doas vi /etc/doas.conf.new
> $ doas -C /etc/doas.conf.new
> $ doas mv /etc/doas.conf.new /etc/doas.conf

yeah and by default there is no sudo package installed or is it (at least it isn't in the 6.x releases if I remember right)?! Just try a sudoedit on a fresh install and see if it works. As far as I understand the doas approach it's there to provide a simple way of achieving things like sudo /do/this/cmd because 99% of the time you only need root privileges to do something like that. So some very nice guy, I think his name is Ted, thought "hey let's simplify it and skip all the heavy stuff that sudo brings along". At least I imagine he thought something like that :)

regards
syntax error and doas.conf
Hi all,

just something I noticed while trying out stuff with doas and my Python scripts. If you make a mistake and have a syntax error in the doas.conf file you can easily lock yourself out from root privileges :(

consider a case where your root has no pw, you are the guy in the wheel group and of course you have only this line

permit persist keepenv :wheel

so far everything is peachy. ok we are going to add a new line

permit nopass foo as root cmt /root/scripts/dosomething

and we save it ... oops we made a mistake and like to fix it, no worries we can ... or can't we?

doas vi /etc/doas.conf
doas: syntax error at line 15

at this point you are a bit screwed because you can't edit the doas.conf, you can't reboot, your only way seems to be a switch off. Ok maybe there are other ways but hey I'm no pro, I'm a simple user and it's a VM, so switch it off. Boot in single user mode, make a fsck because, mount the partitions, export the TERM var so you get a vi. Well seems we are back in business but no, we can't edit /etc/doas.conf. Doesn't matter, we came so far, we simply copy the example to /etc and be done with it.

At that point 5 to 10 min of your life is wasted with silly stuff but you may have learned at least one thing ... read again what you just wrote before you save it :)

Have a nice day list :) and happy Halloween
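The lockout described in this post and the copy / edit / `doas -C` / move sequence in the reply above amount to one rule: never overwrite the live doas.conf with a file that has not been parsed first. The script below is an added example, not code from the thread. It wraps that rule in `install_checked_config`, which installs a candidate file only after a checker accepts it, keeps a `.bak` of the previous config and swaps the file in atomically. The default checker is the real `doas -C`; for offline use the script also carries `lint_doas_conf`, a simplified re-implementation of the doas.conf(5) rule grammar (it does not handle quoted strings or line continuations, and it is not doas's own parser), which flags the `cmt` typo from the post as a syntax error on its line.

```python
import os
import shutil
import subprocess
import tempfile

OPTION_WORDS = {"nopass", "nolog", "persist", "keepenv"}


def lint_rule(toks):
    """Check one rule against a simplified doas.conf(5) grammar:
    permit|deny [options] identity [as target] [cmd command [args ...]]
    Returns an error message, or None if the rule looks well-formed."""
    if toks[0] not in ("permit", "deny"):
        return "rule must start with permit or deny"
    i = 1
    while i < len(toks) and (toks[i] in OPTION_WORDS or toks[i] == "setenv"):
        if toks[i] == "setenv":          # setenv { VAR VAR=value ... }
            if i + 1 >= len(toks) or toks[i + 1] != "{":
                return "setenv must be followed by a { ... } block"
            if "}" not in toks[i + 2:]:
                return "unterminated setenv block"
            i = toks.index("}", i + 2) + 1
        else:
            i += 1
    if i >= len(toks):
        return "missing identity (user or :group)"
    i += 1                                # identity
    if i < len(toks) and toks[i] == "as":
        if i + 1 >= len(toks):
            return "'as' must be followed by a target user"
        i += 2
    if i < len(toks):
        if toks[i] != "cmd":
            return "unexpected word %r (expected 'as' or 'cmd')" % toks[i]
        if i + 1 >= len(toks):
            return "'cmd' must be followed by a command"
        i += 2
        if i < len(toks) and toks[i] != "args":
            return "unexpected word %r (expected 'args')" % toks[i]
    return None


def lint_doas_conf(text):
    """Return [(lineno, message)] for every rule the simplified checker rejects."""
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            msg = lint_rule(line.split())
            if msg:
                errors.append((lineno, msg))
    return errors


def doas_check(path):
    """Real validator: doas -C parses the file without applying it (exit 0 = OK)."""
    return subprocess.run(["doas", "-C", path]).returncode == 0


def lint_check(path):
    """Offline stand-in for doas_check using the simplified grammar above."""
    with open(path) as fh:
        return not lint_doas_conf(fh.read())


def install_checked_config(new_path, target_path, checker=doas_check):
    """Install new_path over target_path only if checker accepts it.
    The caller creates new_path with the final owner/mode (cp -p as in the
    thread); os.replace keeps them. Returns True if installed, False if rejected."""
    if not checker(new_path):
        return False
    if os.path.exists(target_path):
        shutil.copy2(target_path, target_path + ".bak")
    os.replace(new_path, target_path)
    return True


# The two configs from the post: the working line, then the line with the typo.
SAMPLE_OK = "permit persist keepenv :wheel\n"
SAMPLE_BAD = SAMPLE_OK + "permit nopass foo as root cmt /root/scripts/dosomething\n"
SAMPLE_FIXED = SAMPLE_OK + "permit nopass foo as root cmd /root/scripts/dosomething\n"


def demo():
    """Replay the post in a temp dir with the offline checker: the bad file is
    refused and the live config untouched; the fixed file is installed."""
    d = tempfile.mkdtemp()
    target, new = os.path.join(d, "doas.conf"), os.path.join(d, "doas.conf.new")
    with open(target, "w") as fh:
        fh.write(SAMPLE_OK)
    with open(new, "w") as fh:
        fh.write(SAMPLE_BAD)
    result = {"bad_installed": install_checked_config(new, target, lint_check)}
    result["target_after_bad"] = open(target).read()
    with open(new, "w") as fh:
        fh.write(SAMPLE_FIXED)
    result["fixed_installed"] = install_checked_config(new, target, lint_check)
    result["target_after_fixed"] = open(target).read()
    result["backup"] = open(target + ".bak").read()
    return result


if __name__ == "__main__":
    print(lint_doas_conf(SAMPLE_BAD))
    print(demo())
```

On a real system the call is `install_checked_config("/etc/doas.conf.new", "/etc/doas.conf")` run as root, which leaves the default `doas -C` as the gate; the linter only exists so the flow can be exercised where doas is not installed.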
Re: migrate python script from sudo to doas
Hi Vincent

On 30.10.2018 at 16:03, Vincent Legoll wrote:
> Maybe you should try like the following:
>
> cmd = ['doas', 'useradd', '-u', user_id, '-g', '=uid', '-s', '/sbin/nologin', '-d', mb_parent_dir, user_name]
> exit = subprocess.check_call(cmd)

this doesn't solve the problem; if I try like that check_call complains that it needs a string as user_id. If I do something like u_id = '%s' % user_id and plug u_id in as the arg I'm back to square one. So it seems this is a doas related issue and needs some adjustment in doas.conf. If this isn't resolvable I will just install the sudo package using the "pointing a cannon at a sparrow" approach :(

regards
Re: migrate python script from sudo to doas
Hi,

as I stated before, on the cmd it's no problem, I'm using 6.4 release

On 30.10.2018 at 12:56, Solene Rapenne wrote:
> Markus Rosjat wrote:
>> hi all,
>>
>> I have some old python scripts that using os.spawnl to execute stuff like useradd combined with sudo. This worked just fine on systems with sudo installed but these days we have doas and its totally enough for things I use to do so I said to myself "lets update these old scripts ...". In code this was basically replacing os.spawnl with subprocess.check_call but when I run this the useradd command doesn't get executed by the script. On the cmd it does, so this works on cmd:
>>
>> doas useradd -u 666 -g =uid -s /sbin/nologin -d /var/mail/domain.tld/vmailuser0666 vmailuser0666
>>
>> but in the script with code like this:
>>
>> exit = subprocess.check_call(['doas', 'useradd', '-u %s' % user_id, '-g =uid', '-s /sbin/nologin', '-d %s' % mb_parent_dir, user_name])
>>
>> I get an exception that seems to be related to the fact that doas isn't really working here
>>
>> doas: Authorization failed <- this comes from the script even the provided password is correct
>> Traceback (most recent call last):
>>   File "/root/scripts/mb_add", line 244, in
>>     mb_addresses)
>>   File "/root/scripts/mb_add", line 174, in add_mailbox
>>     user_name])
>>   File "/usr/local/lib/python2.7/subprocess.py", line 190, in check_call
>>     raise CalledProcessError(retcode, cmd)
>> subprocess.CalledProcessError: Command '['doas', 'useradd', '-u 666', '-g =uid', '-s /sbin/nologin', '-d /var/mail/domain.tld/vmailuser666', 'vmailuser666']' returned non-zero exit status 1
>>
>> So does someone had some issues with migrating scripts from sudo to doas, then some help or hints would be very appreciated.
>>
>> regards
>
> hi
>
> what openbsd version are you using? did you try the command outside of python? There were issues with doas a few days ago in snapshots.
migrate python script from sudo to doas
hi all,

I have some old Python scripts that use os.spawnl to execute stuff like useradd combined with sudo. This worked just fine on systems with sudo installed, but these days we have doas and it's totally enough for the things I use it for, so I said to myself "let's update these old scripts ...". In code this was basically replacing os.spawnl with subprocess.check_call, but when I run this the useradd command doesn't get executed by the script. On the cmd it does, so this works on cmd:

doas useradd -u 666 -g =uid -s /sbin/nologin -d /var/mail/domain.tld/vmailuser0666 vmailuser0666

but in the script with code like this:

exit = subprocess.check_call(['doas', 'useradd', '-u %s' % user_id, '-g =uid', '-s /sbin/nologin', '-d %s' % mb_parent_dir, user_name])

I get an exception that seems to be related to the fact that doas isn't really working here

doas: Authorization failed <- this comes from the script even though the provided password is correct
Traceback (most recent call last):
  File "/root/scripts/mb_add", line 244, in
    mb_addresses)
  File "/root/scripts/mb_add", line 174, in add_mailbox
    user_name])
  File "/usr/local/lib/python2.7/subprocess.py", line 190, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['doas', 'useradd', '-u 666', '-g =uid', '-s /sbin/nologin', '-d /var/mail/domain.tld/vmailuser666', 'vmailuser666']' returned non-zero exit status 1

So does someone have some issues with migrating scripts from sudo to doas? Then some help or hints would be very appreciated.

regards
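The check_call list in this post and the one Vincent suggests in his reply differ in how the argv is tokenised: the original glues option and value into one element ('-u 666'), so the command doas and useradd receive is not the one typed at the shell. The script below is an added example, not code from the thread. It builds both vectors, shows the shell-equivalent command line for each with shlex.join, and parses the useradd part with Python's getopt, which treats an attached value the same way C getopt(3) does (the value is everything after the option letter, leading space included). It also casts user_id to str, which is the TypeError Markus hit with the corrected list. The values are the ones from the post; useradd and doas themselves are not executed.

```python
import getopt
import shlex


def useradd_argv_glued(user_id, mb_parent_dir, user_name):
    """Vector as written in the original post: option letter and value share
    one argv element ('-u 666', '-g =uid', ...)."""
    return ['doas', 'useradd', '-u %s' % user_id, '-g =uid', '-s /sbin/nologin',
            '-d %s' % mb_parent_dir, user_name]


def useradd_argv(user_id, mb_parent_dir, user_name):
    """One argv element per token, which is what the shell hands to doas for the
    command line that works in the terminal. user_id is converted to str because
    subprocess accepts only str/bytes/PathLike argv elements."""
    return ['doas', 'useradd', '-u', str(user_id), '-g', '=uid',
            '-s', '/sbin/nologin', '-d', mb_parent_dir, user_name]


def shell_preview(argv):
    """Shell-quoted rendering of the vector: a glued token shows up as a
    single quoted word, which is the quickest way to spot the mistake."""
    return shlex.join(argv)


def parse_useradd_options(argv):
    """Parse the part after 'doas useradd' with getopt (u:g:s:d: are the options
    used in the post). Returns ({option: value}, positional_args)."""
    opts, positional = getopt.getopt(argv[2:], 'u:g:s:d:')
    return dict(opts), positional


if __name__ == '__main__':
    # Sample values from the post.
    for build in (useradd_argv_glued, useradd_argv):
        argv = build(666, '/var/mail/domain.tld/vmailuser0666', 'vmailuser0666')
        print(shell_preview(argv))
        print(' ', parse_useradd_options(argv))
```

With the glued list, getopt returns ' 666' for -u and ' =uid' for -g, i.e. values with a leading space; with the corrected list it returns exactly the values the terminal command carried. The same token-by-token vector is what a doas.conf rule with `cmd useradd args ...` would be matched against, so the argv has to be split the same way the shell splits it.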
Re: 6.4 doas gives "command not found" if no #!/bin/sh up top
Hi all,

Derek wrote:
> Adding a "#!/bin/sh" at the top of the scripts made them all work again.

it seems this is also happening with Python scripts even if you have a shebang. To solve this you should change lines like

#!/usr/local/bin/python

to

#!/usr/bin/env python

after this change was made doas worked as expected with the script

regards
cyrus-sasl/openldap question
Hi there,

it seems getting sasl working with ldap is a lifetime task. Sad thing: I had it working, but only after adding/deleting packages of the specific versions of cyrus-sasl, and I don't know which you really need to get it working in a "clean" setup. So to all the people out there who are running services like sendmail, courier with openldap and sasl: could you point to the proper package to use, or do I need to really install one package then replace it with another so that just the proper libs are present somewhere on the system (this seems kind of bad)? And the docs on cyrus-sasl are a big fk^ in my opinion, but that's another story.

regards
Re: FAM Question
Hi Julian,

On 22.10.2018 at 01:26, Julian Suschlik wrote:
> FAM/gamin execute programs when parts of the filesystem change AFAIK. My goto program for this is entr (http://entrproject.org/) available as port under sysutils/entr (http://ports.su/sysutils/entr)

I still don't get what you're trying to tell me. I simply need to know how to start gamin as a background process since the FAM package isn't around anymore. Usually there would be some kind of rc script in rc.d somewhere but there isn't. There isn't a man page to be found so I'm lost how to get things running.

regards
Re: FAM Question
hi Julian,

On 20.10.2018 at 01:01, Julian Suschlik wrote:
> Would sysutils/entr help?

can you be more specific?

thank you

--
Markus Rosjat
relayd smtp traffic
Hi all,

once again a silly question (but maybe someone is willing to answer) about relayd. Is it possible to determine the domain of the recipient and, depending on this, redirect the traffic to a specific server behind the relayd machine? What I'm trying to do is set up a test mailserver and just redirect mail traffic for a domain to this machine.

regards

--
Markus Rosjat
FAM Question
Hi there,

it seems there is no FAM package anymore, but there is a gamin package, so is this a replacement for FAM? And following up on that: how the heck do I get gamin to work? There seems to be no rc script for it, but if it works like FAM there should be a process running, right? The docs or pkgconfig don't say anything regarding this, so I'm kinda lost here. So if someone has some information about that, please share.

regards

--
Markus Rosjat
migrate users from old system
hi all,

what is the right way to do a migration of users from one system to another? I did the following, but it seems to give some problems with permissions on the files and directories.

1. copy passwd, group, master.passwd to the new machine
2. clean up the files (some users don't exist anymore)
3. use pwd_mkdb to create a new db

This gave no errors, but after migrating some files with rsync to the new machine it seems that some directories are not read-/writeable (for example by openLDAP) even though all the permissions are set correctly. So I wonder if it might have to do with the user accounts themselves. Any advice would be helpful.

Regards

--
Markus Rosjat
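One check worth running after the three steps above, added here as an example that is not part of the thread: compare the old and the new master.passwd and report every account whose numeric UID or primary GID changed, plus accounts that were cleaned out. rsync carries files over under their numeric ids, so a service account that was recreated with a different number will see its own directories as someone else's even though the permission bits look right. The two sample files, the `_openldap` account and the other names in them are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: after copying passwd/master.passwd to a
# new machine, check that every account kept its numeric UID and primary GID.
# rsync preserves numeric ownership, so if _openldap was uid 1001 on the old
# box and got 1002 on the new one, its directories now belong to a different
# account.  The two sample files below are constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
OLD_PASSWD=$WORK/master.passwd.old
NEW_PASSWD=$WORK/master.passwd.new
cat > "$OLD_PASSWD" <<'EOF'
root:*:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
www:*:67:67:daemon:0:0:HTTP Server:/var/www:/sbin/nologin
_openldap:*:1001:1001::0:0:OpenLDAP Server:/nonexistent:/sbin/nologin
olduser:*:1002:1002::0:0:Left the company:/home/olduser:/bin/ksh
alice:*:1003:1003::0:0:Alice:/home/alice:/bin/ksh
EOF
cat > "$NEW_PASSWD" <<'EOF'
root:*:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
www:*:67:67:daemon:0:0:HTTP Server:/var/www:/sbin/nologin
_openldap:*:1002:1002::0:0:OpenLDAP Server:/nonexistent:/sbin/nologin
alice:*:1003:1003::0:0:Alice:/home/alice:/bin/ksh
EOF

# compare_ids OLD NEW
# Prints "user:old_uid:old_gid:new_uid:new_gid" for accounts present in both
# files whose numeric ids differ, and "user:missing" for accounts that exist
# only in OLD.  Exit status 1 if anything was reported.  Works for both
# passwd(5) and master.passwd, since uid and gid are fields 3 and 4 in both.
compare_ids() {
    awk -F: '
        NR == FNR {
            if ($0 !~ /^#/ && NF >= 4) { uid[$1] = $3; gid[$1] = $4 }
            next
        }
        $0 ~ /^#/ || NF < 4 { next }
        ($1 in uid) {
            seen[$1] = 1
            if (uid[$1] != $3 || gid[$1] != $4) {
                printf "%s:%s:%s:%s:%s\n", $1, uid[$1], gid[$1], $3, $4
                found = 1
            }
        }
        END {
            for (u in uid)
                if (!(u in seen)) { printf "%s:missing\n", u; found = 1 }
            exit found ? 1 : 0
        }
    ' "$1" "$2"
}

# orphaned_files DIR: files below DIR whose owner or group no longer exists in
# the new databases, i.e. data rsync carried over under a cleaned-out id.
orphaned_files() {
    find "$1" \( -nouser -o -nogroup \) -print 2>/dev/null
}

echo "accounts whose ids changed or vanished:"
compare_ids "$OLD_PASSWD" "$NEW_PASSWD" ||
    echo "fix these (usermod -u/-g or chown -R) before trusting the permissions"
```

Run it on the real files as `compare_ids /path/to/old/master.passwd /etc/master.passwd`, then `orphaned_files /var/openldap-data` (or wherever the migrated data lives) to find the files that ended up owned by a number nobody maps to anymore.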
Re: CARP on Hyper-V VM
Hi Ricardo,

> You must set the VM's network adapter to 'Enable MAC address spoofing'
> under 'Advanced Features'.

nope, this isn't solving the problem. I can still only ping the virtual ip from the local machine. It might need the NDIS extension enabled on the vSwitch too, but I didn't change that because of the probable network disconnection. I will give it a shot later.

regards

Markus

--
Markus Rosjat
CARP on Hyper-V VM
Hi there,

I just have a question about CARP on Hyper-V VMs. It seems there was a problem with the virtual IP not being reachable from anywhere other than the machine itself. Since I'm trying to set up CARP on such a VM and noticed the same behaviour on OpenBSD 6.1, I wonder if this issue is resolved in 6.3?

regards

--
Markus Rosjat
OT: how do you write your tools /scripts for everyday tasks
Hi all,

this is more a post to get an overview of how the pros (not me ... you guys) put their tools together. I can write simple shell scripts and this is ok, but I do a little python coding once in a while and noticed I'm starting to write my tools in python. Sure, it's a little overhead, and most of the time you end up using subprocess to call an existing tool that you would use on a cmd anyway. So what are you guys using these days: is it shell scripts, c programs, perl or? Would be cool to get some feedback on that :)

regards

--
Markus Rosjat
Re: httpd index directive confusion
hi Paco,

On 30.05.2018 at 13:31, Paco Esteban wrote:
> On Wed, 30 May 2018, Markus Rosjat wrote:
>> so I configure my location in httpd.conf like this
>>
>> location "/admin/*" {
>> 	root "/path/to/my/site/admin"
>> 	root strip 1
>> 	directory index index.php
>> 	fastcgi socket "/run/php-fpm.sock"
>> 	authenticate with "/users/me/mysite_passwd"
>> }
>
> have you tried to put "index.php" (in double quotes) ?
> I may be wrong, but I think I had a similar issue in the past.
>
> Cheers,
> Paco.

I tried both, it didn't help.

regards

--
Markus Rosjat
httpd index directive confusion
Hi there,

I hope someone can sort this out for me, but I don't get it. I get a nice "Primary Script unknown" message when I try to reach a defined location. I try to reach https://UrlToMySite.tld/admin/ and in this location is an index.php file, so I configure my location in httpd.conf like this:

location "/admin/*" {
	root "/path/to/my/site/admin"
	root strip 1
	directory index index.php
	fastcgi socket "/run/php-fpm.sock"
	authenticate with "/users/me/mysite_passwd"
}

In my opinion this should show me the generated index.php, but instead I get file not found. When I call the index.php explicitly, like https://UrlToMySite.tld/admin/index.php, it works. So where do I go wrong here?

regards

--
Markus Rosjat
Re: Using smtp auth for local account with PHP scripts
Hi again,

On 04.04.2018 at 15:34, Christophe Simon wrote:
> Yes, that should do the trick. The only problem that you could face is the certificate validation in PHPMailer: if you connect to `localhost` using a TLS connection, unless your certificate presents `localhost` as a CN (or a SAN), there's chances that the client refuses to establish the connection (I don't remember if certificate validation is enabled by default in PHPMailer). If you don't want to bypass certificate validation, one possible way to overcome this issue is to set an entry in your chroot's `/etc/hosts` pointing your certificate's CN to `127.0.0.1`, or include `localhost` in your certificate SANs. And if your certificate is self signed, you'll have to manually accept it.

I will give it a try, thank you for the advice

Regards

--
Markus Rosjat
Re: Using smtp auth for local account with PHP scripts
Hi,

I will answer in the text below :)

On 04.04.2018 at 13:52, Christophe Simon wrote:
> Hello,
>
> I'd say that all depends on the function/library you're using in your PHP application to send mails. The `mail()` command, for instance, uses the `sendmail` binary to directly ingest your message in your local mail spool, and thus does not require any authentication. The mail is sent on behalf of the identity your web server runs under. There's options to set the appropriate sender in the message headers, obviously.

no, we don't want to use the binary in the chroot, that somehow feels just wrong :)

> If you're using a library such as `PHPMailer`, you'll want to use the SMTP protocol, either locally (on lo0) (1), or remotely (on your mail provider's SMTP service) (2).

since it will be WP (I know ...) it has PHPMailer, and it should be able to send with the SMTP protocol.

> It's up to you to define if you want authentication on the loopback port (but that's better to do so).
>
> If you're using your local MTA to send emails (1), either using the SMTP protocol on lo0 or the `sendmail` binary, there's chances you'll want to use a relay host to avoid being blacklisted by your recipients servers (or you should take care to have a resolvable public IP with correct SPF configured in your DNS). Such a configuration has been very well illustrated by Michael below.

I have set up the local smtpd to relay mails from local connections, so it's only listening on lo0, but hey, PHPMailer will connect on lo0 and can still be abused if the WP around it allows it. I basically force the user to use something like recaptcha, but even then I would like to do something with authentication. For me a short example would be helpful. For now I basically let a script run once an hour to check if the maillog shows somewhat strange traffic to the relay.

is enabling auth on lo0 simply this?

pki hostname /path/to/cert
pki hostname /path/to/key

table aliases file:/etc/mail/aliases
table secrets file:/etc/mail/secrets

listen on lo0 port submission tls auth

accept for any relay via tls+auth://relaycred@relayhost:587 auth

And then I can just set up PHPMailer to use the submission port on localhost with some credentials?

Regards

--
Markus Rosjat
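The hourly maillog check mentioned in the reply above, written out as an added example that is not part of the thread or of OpenSMTPD: it counts accepted messages per hour and failed authentications per user, so a contact form that suddenly submits a hundred messages, or a script guessing the submission credentials, shows up in the cron mail. The log lines are constructed and only approximate the OpenSMTPD log format (`smtp connected`, `smtp authentication ... result=`, `smtp message ...` records), so the patterns are an assumption to adapt to what your smtpd version writes; the user names, addresses and the 10-per-hour threshold are made up.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSMTPD: hourly checks over
# the mail log of a web host whose PHP code submits through smtpd on lo0.
# The log sample is constructed and only approximates the OpenSMTPD format
# ("smtp connected", "smtp authentication ... result=", "smtp message ...");
# adjust the patterns to what your smtpd version writes.

LOGFILE=$(mktemp)
trap 'rm -f "$LOGFILE"' EXIT
{
cat <<'EOF'
Apr  4 14:01:03 web smtpd[7381]: 8a1e2c7f4b6d0e9a smtp connected address=127.0.0.1 host=localhost
Apr  4 14:01:03 web smtpd[7381]: 8a1e2c7f4b6d0e9a smtp authentication user=wordpress result=ok
Apr  4 14:01:04 web smtpd[7381]: 8a1e2c7f4b6d0e9a smtp message msgid=3f2a1c04 from=<shop@example.net> to=<customer@example.org> size=2310 ndest=1 proto=ESMTP
Apr  4 14:37:52 web smtpd[7381]: 9b2f3d8a5c7e1f0b smtp connected address=127.0.0.1 host=localhost
Apr  4 14:37:52 web smtpd[7381]: 9b2f3d8a5c7e1f0b smtp authentication user=wordpress result=ok
Apr  4 14:37:53 web smtpd[7381]: 9b2f3d8a5c7e1f0b smtp message msgid=5d1e7a22 from=<shop@example.net> to=<other@example.org> size=1980 ndest=1 proto=ESMTP
Apr  4 15:02:10 web smtpd[7381]: a3c4e5f6a7b8c9d0 smtp authentication user=wordpress result=failed
Apr  4 15:02:14 web smtpd[7381]: a3c4e5f6a7b8c9d0 smtp authentication user=admin result=failed
EOF
# a burst: 12 messages inside one hour, more than a contact form should produce
i=0
while [ "$i" -lt 12 ]; do
    printf 'Apr  4 15:%02d:00 web smtpd[7381]: c%015d smtp message msgid=%08x from=<shop@example.net> to=<victim%d@example.org> size=4100 ndest=1 proto=ESMTP\n' \
        "$((i * 4))" "$i" "$((i + 1000))" "$i"
    i=$((i + 1))
done
} > "$LOGFILE"

# messages_per_hour LOG: accepted messages per hour, lines "Mon D HH count", sorted.
messages_per_hour() {
    awk '/ smtp message / { n[$1 " " $2 " " substr($3, 1, 2)]++ }
         END { for (h in n) print h, n[h] }' "$1" | sort
}

# message_bursts LOG MAX: hours with more than MAX accepted messages;
# exit status 1 when there is at least one such hour.
message_bursts() {
    messages_per_hour "$1" |
        awk -v max="$2" '$4 > max { print; hit = 1 } END { exit hit ? 1 : 0 }'
}

# auth_failures LOG: failed SMTP authentications per user name, "user count", sorted.
auth_failures() {
    awk '/ smtp authentication / && !/result=ok/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^user=/) { sub(/^user=/, "", $i); n[$i]++ }
         }
         END { for (u in n) print u, n[u] }' "$1" | sort
}

echo "messages per hour:"
messages_per_hour "$LOGFILE"
if message_bursts "$LOGFILE" 10; then
    echo "no hour above 10 messages"
else
    echo "^ more than 10 messages in one hour, look at the site that authenticated"
fi
echo "failed authentications:"
auth_failures "$LOGFILE"
```

From cron, `message_bursts /var/log/maillog 10 || mail -s "mail burst" root` and a similar line for `auth_failures` are all that is needed; the per-user counts only exist once auth on lo0 is enabled, which is the other reason to turn it on.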
Re: httpd.conf path substitution
On 04.04.2018 at 00:05, Michael Hekeler wrote:
> On Thu, 29 Mar 2018 17:13:10 +0200, Michael Hekeler <mich...@hekeler.com> wrote:
>
> Ah - I see what you try to do...
> But SNI doesn't mean one single certificate for multiple hostnames (this you can do with multiple entries in the certificate subject alt name). SNI means to serve multiple hostnames on ONE ip address

jepp, that's what it is

> SNI is an extension by which a client (e.g. a webbrowser) indicates (hence the name: server name INDICATION) one of these multiple hostnames to be in the TLS handshake. Then the server can choose the right certificate to present to the client.

I know

> So if you want to serve domain1, domain2 and domain3 each on https then you need cert1 for domain1 and cert2 for domain2 and cert3 for domain3

I have that basically, but some domains belong, in a way, together and could be served with one cert.

> If every domain has its own ip then you don't need SNI. But if all domains share the same ip, then the client and the server must be SNI compatible. When the client requests domain2 the server will be able to present cert2.
>
> Of course you can issue a single cert with domain1, domain2 and domain3 in certificate's subject name and configure the server to present this cert on every request. But that's no SNI.

it only presents this cert for the specific virtual hosts

Anyway, I'm okay with hardcoding the path to the cert into the virtual host definition. I was just wondering if I did something wrong or if it's simply not supported.

Regards

--
Markus Rosjat
Using smtp auth for local account with PHP scripts
Hi there,

there are simple ways of relaying local mails (connection on lo0 on port 25) to another mailserver. This is okay for logs and stuff, but what about mails created by a php script on the local webserver? How do I get smtpd to still do an auth with username and pwd on lo0? Is it possible, or do I need to configure the "external" addr too for this purpose?

Regards

Markus
httpd.conf path substitution
Hi there,

it's not really an issue, but I noticed that if I want to substitute a path for the tls key or cert I get a syntax error from httpd -n. So is there some special syntax for this, or is it simply not possible to do something like

tls_key="/path/to/key"
tls_cert="/path/to/cert"

server "domain.tld" {
	tls {
		key $tls_key
		certificate $tls_cert
	}
}

regards

--
Markus Rosjat
Re: httpd / acme-client confusion
Hi,

> acme-client can only validate an authorization that way. but for a
> forced renewal for something that's already active, there's likely to
> already be a validated authorization on the letsencrypt account, in
> which case it wouldn't need to revalidate.

I did a forced renew after I got a valid certificate, and stopped httpd before I did the forced renew.

> if you really stopped httpd and there is still something listening then
> there is another webserver process running. You can check locally with
> netstat(1) or 'ps -aux'

there was no other process running, since I checked that before I did the forced renew. I will do the suggested changes to the config and keep an eye on it. My main problem was with the block statement; the other thing I just noticed as I did testing with the config and started forcing the renew of the certificate.

regards

--
Markus Rosjat
Re: httpd / acme-client confusion
Hi,

thanks for the samples, I will give it a try, but I'm wondering why acme-client still works even though httpd is not serving any kind of location for a challenge exchange? Like I said, I stopped httpd entirely and still got a new certificate with acme-client. But if it works as expected after I apply the suggested changes I'm okay with it :)

regards

Markus

On 16.03.2018 at 08:42, Florian Obser wrote:
> this works for me:
>
> server "tlakh.xyz" {
> 	listen on 0.0.0.0 tls port 443
> 	listen on :: tls port 443
> 	tls certificate "/etc/ssl/tlakh.xyz.crt"
> 	tls key "/etc/ssl/private/tlakh.xyz.key"
> 	hsts
> 	location "/shop.6.html" {
> 		block return 402
> 	}
> 	location "/coffee.6.html" {
> 		block return 418
> 	}
> 	location "/.well-known/acme-challenge/*" {
> 		root "/acme"
> 		root strip 2
> 	}
> }
>
> server "tlakh.xyz" {
> 	listen on 0.0.0.0 port 80
> 	listen on :: port 80
> 	hsts
> 	block return 302 "https://$HTTP_HOST$REQUEST_URI"
> }
>
> On Thu, Mar 15, 2018 at 11:01:42AM +0100, Markus Rosjat wrote:
>> Hi there,
>>
>> I'm kinda confused right now about it. I have OpenBSD 6.1 running a simple httpd.conf with a definition for a http server and a https server. So far so good, I figured I need to have a http server so acme-client can talk to let's encrypt and issue certificate requests; also no big problem, but now it gets confusing.
>>
>> I tried to automate the certificate renewal and as far as I understand the docs httpd.conf gets evaluated top to bottom with the first matching rule found. So this would mean a definition like:
>>
>> $ext_addr="*"	# its just one nic with one external ip on that vm
>>
>> server "mydomain.tld" {
>> 	listen on $ext_addr port http
>> 	location "/.well-known/acme-challenge/*" {
>> 		root "/acme"
>> 		root strip 2
>> 		directory no auto index
>> 	}
>> 	block return 302 "https://$HTTP_HOST$REQUEST_URI"
>> }
>>
>> should enable acme-client to renew certificates but redirect other traffic to the https server. Well, it doesn't! So I need to comment out the block request to renew the certificate.
>>
>> That's a thing I could live with and just invent some script that loads a different conf file just for the renewal and, when the certificate is obtained, just loads the normal httpd.conf and restarts httpd. I was playing around and stumbled over the fact that acme-client suddenly can renew certificates even without running httpd in the first place o.O That's just wrong, since there isn't support for dns-01 challenges, right? I stopped httpd, checked the site wasn't reachable and did
>>
>> acme-client -vvF mydomain.tld
>>
>> It gave me a new certificate from let's encrypt ... anyway, can someone who has the insight please tell me what's going on here and maybe post a config example that works for a basic https redirect? Or is it really the case that I need to load a config that hasn't a block return statement in the http server definition?
>>
>> One last note, I did a syspatch today and don't know if this changed something in the behaviour of the components involved.
>>
>> regards
>>
>> --
>> Markus Rosjat

--
Markus Rosjat
httpd / acme-client confusion
Hi there,

I'm kinda confused right now about it. I have OpenBSD 6.1 running a simple httpd.conf with a definition for a http server and a https server. So far so good, I figured I need to have a http server so acme-client can talk to let's encrypt and issue certificate requests; also no big problem, but now it gets confusing.

I tried to automate the certificate renewal and as far as I understand the docs httpd.conf gets evaluated top to bottom with the first matching rule found. So this would mean a definition like:

$ext_addr="*"	# its just one nic with one external ip on that vm

server "mydomain.tld" {
	listen on $ext_addr port http
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		root strip 2
		directory no auto index
	}
	block return 302 "https://$HTTP_HOST$REQUEST_URI"
}

should enable acme-client to renew certificates but redirect other traffic to the https server. Well, it doesn't! So I need to comment out the block request to renew the certificate.

That's a thing I could live with and just invent some script that loads a different conf file just for the renewal and, when the certificate is obtained, just loads the normal httpd.conf and restarts httpd. I was playing around and stumbled over the fact that acme-client suddenly can renew certificates even without running httpd in the first place o.O That's just wrong, since there isn't support for dns-01 challenges, right? I stopped httpd, checked the site wasn't reachable and did

acme-client -vvF mydomain.tld

It gave me a new certificate from let's encrypt ... anyway, can someone who has the insight please tell me what's going on here and maybe post a config example that works for a basic https redirect? Or is it really the case that I need to load a config that hasn't a block return statement in the http server definition?

One last note, I did a syspatch today and don't know if this changed something in the behaviour of the components involved.

regards

--
Markus Rosjat
board or boards with case for a router firewall
Hi there,

we mostly use soekris for our router/firewall solution with openBSD, but since there seems to be not much development and they are still kinda expensive ... I was wondering if you guys could give some suggestions on other hardware for this use case? Also boards with more than 4 nics would be interesting, so if someone would like to share his experiences it would be much appreciated.

regards

--
Markus Rosjat
Re: spamd randomly and silently dying on OpenBSD 6.1
Hi again,

I looked further and noticed it was not syslogd that was the cause, but somehow spamd died while talking to a server. Could something in the body screw up spamd? Here are my logs on that:

- the spamd log file part

Oct 21 20:24:54 heimdal spamd[46664]: 60.167.119.193: disconnected after 420 seconds.
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: From: "Valgosocks" <osze...@sobainon.co.ua>
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: To: <sb.gorb...@awo-sonnenstein.de>
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: Subject: =?utf-8?B?ZmFjaG3DpG5uaXNjaGUga29ycmVrdHVyIGRlcyBoYWxsdXggdmFsZ3VzIGFtIGZ1c3M=?=
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: Body: This is a multi-part message in MIME format.
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: Body: --=_NextPart_000_0006_01D349CD.8A885470
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: Body: Content-Type: multipart/alternative;
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: Body: boundary="=_NextPart_000_0007_01D349CD.8A885470"
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: Body: --=_NextPart_000_0007_01D349CD.8A885470
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: Body: Content-Type: text/plain;
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: Body: charset="windows-1251"
2017-10-22T06:00:01.101Z heimdal newsyslog[25423]: logfile turned over

- and the daemon log part

Oct 21 20:24:54 heimdal spamd[46664]: 60.167.119.193: disconnected after 420 seconds.
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: From: "Valgosocks" <osze...@sobainon.co.ua>
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: To: <sb.gorb...@awo-sonnenstein.de>
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: Subject: =?utf-8?B?ZmFjaG3DpG5uaXNjaGUga29ycmVrdHVyIGRlcyBoYWxsdXggdmFsZ3VzIGFtIGZ1c3M=?=

On 22.10.2017 at 12:59, Markus Rosjat wrote:
> Hi there,
>
> spamd just died silently again tonight. What's the best way to approach the debugging of this kind of behaviour? As I looked at my logs it seems that syslogd causes this, so here is my syslog.conf entry:
>
> !!spamd
> daemon.err;daemon.warn;daemon.info;daemon.debug	/var/log/spamd
>
> but in my opinion this shouldn't cause trouble at all. If I can produce more verbose output in any way, give me a hint, I'll do :)
>
> Regards
>
> Markus
>
> On 06.10.2017 at 10:49, rosjat wrote:
>> Hi there,
>>
>> it seems the spamd daemon is silently and randomly dying on an OpenBSD 6.1 machine. The logs show nothing that would give some hint, and if my script for bgp-spamd wouldn't tell me it can't connect to spamd I wouldn't even notice it till the next daily job that tells me that spamlogd should run but isn't. Is there some way to get more verbose output when the process is daemonized? The -v switch only seems to apply to the foreground mode.
>>
>> here is my spamd setting
>>
>> spamd_class=daemon
>> spamd_flags=-v -G10:12:864 -B 50 -c 100 -s 10
>> spamd_rtable=0
>> spamd_timeout=30
>> spamd_user=root
>>
>> and spamlogd
>>
>> spamlogd_class=daemon
>> spamlogd_flags=-l pflog3
>> spamlogd_rtable=0
>> spamlogd_timeout=30
>> spamlogd_user=root
>>
>> If someone had the same issue and could resolve it, it would be nice to hear. In the end I can always make a cron job that checks if spamd is running and if not just restarts it, but this isn't really a solution ...
>>
>> regards

--
Markus Rosjat
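The cron job mentioned in the quoted original (check whether spamd is running and restart it if not), written out as an added example that is not part of the thread: a watchdog that re-checks after the restart, reports through cron mail, and saves the tail of the log when it finds the daemon dead, so the last lines spamd wrote before dying (like the body lines above) are kept even after newsyslog turns the log over. The `rcctl check`/`rcctl restart` commands named in the comment are what you would pass on OpenBSD; the demonstration at the bottom uses a temp file as a stand-in for the daemon so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not from the thread: watchdog for a daemon that dies silently.
# Run it from cron, e.g.   */5 * * * * /usr/local/sbin/daemon-watchdog
# On OpenBSD the check/restart commands would be "rcctl check spamd" and
# "rcctl restart spamd" (same again for spamlogd); below a temp file stands
# in for the daemon so the script runs anywhere.

stamp() { date '+%b %d %H:%M:%S'; }

# snapshot_log LOGFILE OUTDIR: copy the last 50 lines of LOGFILE into OUTDIR
# under a timestamped name and print the path of the copy.
snapshot_log() {
    dest="$2/$(basename "$1").$(date '+%Y%m%d%H%M%S').$$"
    tail -n 50 "$1" > "$dest" && echo "$dest"
}

# watchdog NAME CHECK RESTART [LOGFILE]
# Returns 0 if NAME was alive, 1 if it was dead and the restart brought it
# back, 2 if the restart failed.  Messages go to stderr, which cron mails.
watchdog() {
    name=$1 check=$2 restart=$3 logfile=$4
    if sh -c "$check" >/dev/null 2>&1; then
        return 0
    fi
    echo "$(stamp) watchdog: $name is not running" >&2
    # keep the last log lines from before the restart; they are the only
    # clue to what the daemon was doing when it died
    if [ -n "$logfile" ] && [ -r "$logfile" ]; then
        echo "$(stamp) watchdog: log tail saved to $(snapshot_log "$logfile" /tmp)" >&2
    fi
    if sh -c "$restart" >/dev/null 2>&1 && sh -c "$check" >/dev/null 2>&1; then
        echo "$(stamp) watchdog: $name restarted" >&2
        return 1
    fi
    echo "$(stamp) watchdog: restart of $name FAILED" >&2
    return 2
}

# stand-alone demonstration with a file instead of a real daemon
STANDIN=$(mktemp -u)
rc=0; watchdog demo "test -e $STANDIN" "touch $STANDIN" || rc=$?
echo "first run returned $rc (1 = was dead, restarted)"
rc=0; watchdog demo "test -e $STANDIN" "touch $STANDIN" || rc=$?
echo "second run returned $rc (0 = alive)"
rm -f "$STANDIN"
```

On the box itself the cron script body would be `for d in spamd spamlogd; do watchdog "$d" "rcctl check $d" "rcctl restart $d" /var/log/spamd || :; done`; the exit codes let a monitoring hook distinguish "was restarted" from "cannot be restarted".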
Re: spamd randomly and silently dying on OpenBSD 6.1
Hi there,

spamd just died silently again tonight. What's the best way to approach the debugging of this kind of behaviour? As I looked at my logs it seems that syslogd causes this, so here is my syslog.conf entry:

!!spamd
daemon.err;daemon.warn;daemon.info;daemon.debug	/var/log/spamd

but in my opinion this shouldn't cause trouble at all. If I can produce more verbose output in any way, give me a hint, I'll do :)

Regards

Markus

On 06.10.2017 at 10:49, rosjat wrote:
> Hi there,
>
> it seems the spamd daemon is silently and randomly dying on an OpenBSD 6.1 machine. The logs show nothing that would give some hint, and if my script for bgp-spamd wouldn't tell me it can't connect to spamd I wouldn't even notice it till the next daily job that tells me that spamlogd should run but isn't. Is there some way to get more verbose output when the process is daemonized? The -v switch only seems to apply to the foreground mode.
>
> here is my spamd setting
>
> spamd_class=daemon
> spamd_flags=-v -G10:12:864 -B 50 -c 100 -s 10
> spamd_rtable=0
> spamd_timeout=30
> spamd_user=root
>
> and spamlogd
>
> spamlogd_class=daemon
> spamlogd_flags=-l pflog3
> spamlogd_rtable=0
> spamlogd_timeout=30
> spamlogd_user=root
>
> If someone had the same issue and could resolve it, it would be nice to hear. In the end I can always make a cron job that checks if spamd is running and if not just restarts it, but this isn't really a solution ...
>
> regards

--
Markus Rosjat
Re: a pf question maybe asked a 1000 times
Hi,

as far as I understood the whole thing

On 20.10.2017 at 15:09, Michael Hekeler wrote:
>> pass on hvn0 inet proto icmp all icmp-type echoreq
>
> just to be curious: what is the effect of "on" in your rules "pass on ..."
> As to pf.conf(5) there are only "in" or "out"

this should allow traffic in and out on a given nic, but I might be wrong here. This is basically a training exercise for me, so I don't do too much harm if some rules don't work right away as expected. And this rule is valid, even if it's not working as expected, but after I activated it I could ping from the host and to the host. Without the rule I couldn't. On a host with just one nic it might be redundant, but if you have more than one nic this might be a valid choice.

regards

--
Markus Rosjat
Re: a pf question maybe asked a 1000 times
Hi Michael,

as far as pfctl -sr goes, a block return expands to block return all, but since I got it working now here is the ruleset that does what it's supposed to do :)

ext_if="hvn0"

set skip on lo

block return	# block stateless traffic
block inet6

pass on $ext_if inet proto {tcp udp} to port domain
pass on $ext_if inet proto icmp icmp-type echoreq
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh
pass in on $ext_if inet proto tcp from any to ($ext_if) port 443
pass out on $ext_if inet proto tcp from ($ext_if) port { https, submission }

$ doas pfctl -sr
block return all
block drop inet6 all
pass in on hvn0 inet proto tcp from any to (hvn0) port = 22 flags S/SA
pass in on hvn0 inet proto tcp from any to (hvn0) port = 443 flags S/SA
pass out on hvn0 inet proto tcp from (hvn0) port = 443 to any flags S/SA
pass out on hvn0 inet proto tcp from (hvn0) port = 587 to any flags S/SA
pass on hvn0 inet proto tcp from any to any port = 53 flags S/SA
pass on hvn0 inet proto udp from any to any port = 53
pass on hvn0 inet proto icmp all icmp-type echoreq

as you may notice I added the ping and the dns to the ruleset, since this was blocked in the original set of rules.

regards

On 20.10.2017 at 14:27, Michael Hekeler wrote:
> On Fri, Oct 20, 2017 at 12:59:51PM +0200, Markus Rosjat wrote:
>> ...
>> block return	# block stateless traffic
>
> Hi Markus,
>
> here's another hint:
> no matter if you want to drop silently or send a return for the dropped packet, you have to tell **on which packet the block action should react**
>
> block drop all
> -or-
> block return all
> -or-
> block all
>
> If you have this in your pf.conf and load this ruleset then 'pfctl -sr' will give you a line like:
> block drop all
> (or whatever you have in pf.conf)

--
Markus Rosjat
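A small lint over the `pfctl -sr` output shown above, added here as an example that is not part of the thread or of pf: it checks that the ruleset starts with a default-deny block, lists the pass rules that carry no `in`/`out` keyword (pf.conf(5) says these match packets in both directions, which is the effect of "on" that Michael asked about), and lists pass rules whose port constraint sits on the `from` side, i.e. on the source port. Outbound client connections use ephemeral source ports, so a `pass out ... from (hvn0) port = 443` rule only matches traffic that originates from port 443, which is rarely what an "allow https out" rule is meant to do. The rules are copied from the mail into a temp file so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: small lints over `pfctl -sr` output.
# The sample ruleset is the one from the mail, saved to a temp file so the
# script runs offline; on a live box use:  doas pfctl -sr > rules.txt

RULES=$(mktemp)
trap 'rm -f "$RULES"' EXIT
cat > "$RULES" <<'EOF'
block return all
block drop inet6 all
pass in on hvn0 inet proto tcp from any to (hvn0) port = 22 flags S/SA
pass in on hvn0 inet proto tcp from any to (hvn0) port = 443 flags S/SA
pass out on hvn0 inet proto tcp from (hvn0) port = 443 to any flags S/SA
pass out on hvn0 inet proto tcp from (hvn0) port = 587 to any flags S/SA
pass on hvn0 inet proto tcp from any to any port = 53 flags S/SA
pass on hvn0 inet proto udp from any to any port = 53
pass on hvn0 inet proto icmp all icmp-type echoreq
EOF

# default_deny RULES: exit 0 when the first rule is a block, 1 otherwise.
# pf takes the last matching rule, so a leading block is the catch-all.
default_deny() {
    awk 'NR == 1 { ok = ($1 == "block") } END { exit ok ? 0 : 1 }' "$1"
}

# undirected_pass_rules RULES: pass rules without "in" or "out"; per
# pf.conf(5) these match both directions, so list them for a second look.
undirected_pass_rules() {
    awk '$1 == "pass" && $2 != "in" && $2 != "out"' "$1"
}

# source_port_rules RULES: pass rules whose port constraint is attached to the
# "from" host, i.e. they filter on the source port.  Outbound client traffic
# uses ephemeral source ports, so such a rule is usually not what was meant.
source_port_rules() {
    awk '$1 == "pass" && / from [^ ]+ port /' "$1"
}

# lint_report RULES: print the findings; the exit status is their count.
lint_report() {
    n=0
    if ! default_deny "$1"; then
        echo "WARNING: first rule is not a block, there is no default deny"
        n=$((n + 1))
    fi
    for f in undirected_pass_rules source_port_rules; do
        out=$("$f" "$1")
        if [ -n "$out" ]; then
            echo "== $f"
            echo "$out"
            n=$((n + $(echo "$out" | wc -l)))
        fi
    done
    return $n
}

lint_report "$RULES" || echo "findings: $?"
```

Against the ruleset from the mail it reports the three direction-less rules and the two `pass out` rules with a source-port constraint; the fact that the host can still open outbound ssh has nothing to do with those lines, it is simply that no rule in the set matches outbound port 22 traffic except the catch-all, as the PEBKAC mail further down in the thread eventually found (pf had been disabled with -d).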
Re: a pf question maybe asked a 1000 times
Hi again,

okay, big time PEBKAC ... if you do the -d you should at some point do the -e ... haha

anyway, always fun to brainstorm with you guys, this list rocks !!!

On 20.10.2017 at 14:11, Markus Rosjat wrote:
> Hi,
>
> yeah well, the rules are loaded, I could flush before doing pfctl -f to make it all clean. I tried ssh m...@domain.tld from the machine with the ruleset. This works with the given rules, but it shouldn't in my opinion. And yes, there is no dns traffic allowed in the rules. Maybe it's really the flush that makes it all work. I will try that :)
>
> regards

--
Markus Rosjat
Re: a pf question maybe asked a 1000 times
Hi,

yeah well, the rules are loaded, I could flush before doing pfctl -f to make it all clean. I tried ssh m...@domain.tld from the machine with the ruleset. This works with the given rules, but it shouldn't in my opinion. And yes, there is no dns traffic allowed in the rules. Maybe it's really the flush that makes it all work. I will try that :)

regards

--
Markus Rosjat
Re: a pf question maybe asked a 1000 times
Hi,

On 20.10.2017 at 13:11, Bryan Harris wrote:
> I don't know the answer but I'm curious. What does "pfctl -sr" command show? Can you do dns lookups?
> PS - my rules have the "pass out all" rule at the bottom.
> V/r,
> Bryan

sure I can give the output:

    $ doas pfctl -sr
    doas (m...@my.own) password:
    block return all
    block drop inet6 all
    pass in on hvn0 inet proto tcp from any to (hvn0) port = 22 flags S/SA
    pass in on hvn0 inet proto tcp from any to (hvn0) port = 443 flags S/SA
    pass out on hvn0 inet proto tcp from (hvn0) port = 443 to any flags S/SA
    pass out on hvn0 inet proto tcp from (hvn0) port = 587 to any flags S/SA

I don't have a "pass out all" rule, this would match every outgoing traffic then, but maybe match is the key here :)

regards
a pf question maybe asked a 1000 times
Hi there,

I was wondering, after reading Mr. Hansteen's excellent book about pf and the man pages, if I got it all wrong :) so here is my example pf.conf

    ext_if="hvn0"
    set skip on lo
    block return # block stateless traffic
    block inet6
    pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh
    pass in on $ext_if inet proto tcp from any to ($ext_if) port 443
    pass out on $ext_if inet proto tcp from ($ext_if) port { https, submission }

and what I expect is the following:
- traffic ipv4 and ipv6 gets blocked -> general deny
- I let enter ssh traffic
- I let enter https traffic
- I let out traffic on https and submission port
- I should not be able to establish a ssh connection from this host to another machine but should be able to connect to this machine

what I notice is I can initiate a ssh connection from this machine. So there are three possible answers to this:
- 1st with allowing ssh traffic in the first place the ssh port will be considered passable from both sides of the nic. Which would somehow make no sense to me at all because it's an explicit in rule
- 2nd the ssh connection initiated is somehow considered coming from lo and for that not passed to the following rules
- 3rd my rules are just wrong :)

So for all the more skilled human beings out there, can you help me with it?

regards
spamd pf rule question
Hi there,

it's a quite simple question :) I have a rule like this

    pass in log(to $log_spamd_if) on $ext_if proto tcp to port smtp rdr-to 127.0.0.1 port spamd

and was wondering if it's better to use

    pass in log(to $log_spamd_if) on $ext_if proto tcp to port smtp divert-to 127.0.0.1 port spamd

the mailserver isn't the same machine.

regards
Re: php-fpm and OpenBSD 6.2
Hi Peter,

thank you for the hint :) In the end I would simply try to run a php script and see if it works ;)

regards
Markus

On 12.10.2017 at 10:20, Peter Faiman wrote:
> On Oct 12, 2017, at 00:39, Markus Rosjat <ros...@ghweb.de> wrote:
> > Hi there,
> > I can't find a php-fpm package under 6.2 but there are php-fastcgi packages. Is this the new php-fpm naming convention starting with 6.2 or do I get this wrong here?
> > regards
>
> There is no php-fpm package, fpm is built in the plain php package. There is an effort to split php into more granular packages, including a php-fpm package, but it didn't make it into 6.2. You can read more about the repackaging effort on the ports mailing list; the thread was updated just yesterday.
>
> I believe php-fastcgi is a legacy module of some kind, and fpm is the preferred way to run php. So you just need the plain php package that comes with fpm.
>
> Peter
php-fpm and OpenBSD 6.2
Hi there,

I can't find a php-fpm package under 6.2 but there are php-fastcgi packages. Is this the new php-fpm naming convention starting with 6.2 or do I get this wrong here?

regards
Re: migrate .htaccess conent to httpd.conf
Hi,

On 05.10.2017 at 12:53, Michael Hekeler wrote:
> > I don't need them. I have them on an older system where apache 1.3 was the standard webserver for openbsd still. So I simply want to migrate the content to a system with a new standard webserver httpd.
>
> Okay
> But keep in mind that httpd is not Apache and converting complicated htaccess stuff is not always possible... ;-)

sure no problem

> > so this would mean if I have 20 files spread over 10 directories I need for all of them a location statement to block or otherwise auth before someone could access it? :-)
>
> No, of course not
> You can do things like:
>
>     location "/.ht*" { block }
>
> and with Lua's pattern matching you can do really cool things. See patterns(7) and httpd.conf(5)

I'll check it out

Thank you
Re: migrate .htaccess conent to httpd.conf
Hi,

On 05.10.2017 at 10:11, Michael Hekeler wrote:
> > And 2nd question would be how to give the user a way to implement something like it on their own? I was thinking of a simple standard include in the server definition but this might mess things up
>
> if you need directory specific and user define-able override files like those .htaccess then why not use Apache?

I don't need them. I have them on an older system where apache 1.3 was the standard webserver for openbsd still. So I simply want to migrate the content to a system with a new standard webserver httpd.

> Don't get me wrong: I don't want to vote for Apache but I think it's better to use "Tool X" when you need the features of "Tool X" than to bend "Tool Y" that it acts like "Tool X" ;-)

I understand :)

> To your 1st question:
>
>     location "/filename" { block }

so this would mean if I have 20 files spread over 10 directories I need for all of them a location statement to block or otherwise auth before someone could access it?

Regards
Re: the whole greylisting, spam filtering thing
Hi,

thank you all for the helpful input on that subject. I have one last thing to ask about it. What would be a good approach to implementing rspamd? I start greylisting on the firewall and that's ok, but should I implement a dedicated system for rspamd and relay the "ok-Mails" from there to the mailsystem, or simply run rspamd on the mailsystem and plug it in front of the mailserver like postfix?

Regards
Re: the whole greylisting, spam filtering thing
Hi Leo,

On 29.09.2017 at 16:57, Leo Unglaub wrote:
> Hey,
> On 09/29/17 15:06, Markus Rosjat wrote:
> > my boss is getting on my nerves that greylisting is basically out of date because of things like outlook.com and mails ending up delayed for ever. So the next logical step would be to deploy a tool like rspamd or spamassassin to examine mail content. These tools need to be trained and if you have a small mailserver with less accounts this could take a while I imagine
>
> i assume that your boss is not an engineer and also not very familiar with how emails work. Greylisting is clearly NOT out of date at all. Greylisting simply makes use of stuff that is defined in the SMTP RFC. Every email server is allowed to temporarily deny the delivery of an email and ask the sending server for another try.

well we use greylisting and I gave MS a free pass but sometimes it doesn't seem to work anyway, but that's ok for me.

> The problem in this case is clearly Microsoft who has no idea how email is supposed to work. You have two options here.

the customer will always complain no matter how often you explain the real problem :)

> A: Simply don't care about Microsoft and just send customers to a website where you describe the problem and tell them to contact Microsoft in order to fix their stuff. This works very well, my Company hosts around 2,3 Million mailboxes and we use Greylisting and customers are okay with it.
>
> B: You exclude the outlook.com outgoing servers from greylisting. Microsoft provides a list of IP addresses that they use for delivery: https://mail.live.com/mail/ipspace.aspx
>
>     65.54.190.0/26
>     65.54.190.64/26
>     65.54.190.128/26
>     65.54.190.192/26
>     65.55.116.0/26
>     65.55.111.64/26
>     65.55.116.64/26
>     65.55.111.128/26
>     65.55.34.0/26
>     65.55.34.64/26
>     65.55.34.128/26
>     65.55.34.192/26
>     65.55.90.0/26
>     65.55.90.64/26
>     65.55.90.128/26
>     65.55.90.192/26
>     65.54.51.64/26
>     65.54.61.64/26
>     207.46.66.0/28
>     157.55.0.192/26
>     157.55.1.128/26
>     157.55.2.0/26
>     157.55.2.64/26
>
> Greetings
> Leo

I also check the SPF record files of MS and added them too, so we will see what's going to happen. I need to move to a more up to date setup so I just check my options what's used these days, and yes greylisting works for me as long as no office 365 is involved, but a lot of business partners of our customers are moving to 365 and the email solution so it becomes a problem for me too. It's just frustrating to see a mail greylisted from 40 different ips ...

regards
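Added example, not code from the thread: the reply above says the SPF records of MS were also added to the greylisting whitelist, and this is the expansion step written out. The SPF record text is CONSTRUCTED for illustration (two of the networks Leo posted plus an IPv6 documentation prefix); it is not Microsoft's actual record, which you would fetch from DNS. Only mechanisms carrying literal networks (ip4:/ip6: with a "+" or no qualifier) are expanded; include:, a, mx, exists: and redirect= need further DNS lookups and are returned separately, so nobody silently whitelists less than they think. The output format is one network per line, which is what spamd(8)'s example pf.conf loads with 'table <nospamd> persist file "/etc/mail/nospamd"'.

```python
"""Expand the ip4:/ip6: mechanisms of an SPF record into a greylisting whitelist.

Added example, not code from the thread. SAMPLE_SPF is constructed for
illustration and is not any real domain's record. Mechanisms that need a
DNS lookup to resolve (include:, a, mx, exists:, redirect=) are reported
instead of being expanded, so the caller can fetch and feed them back in.
"""
import ipaddress
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample: two networks from the list posted in the thread plus an
# IPv6 documentation prefix and an include that would need another lookup.
SAMPLE_SPF = (
    "v=spf1 ip4:65.54.190.0/26 ip4:65.55.116.0/26 ip6:2001:db8:1::/48 "
    "include:spf.example.invalid ~all"
)


def parse_spf(record: str) -> Tuple[List[Network], List[str]]:
    """Return (networks, needs_lookup) for one SPF TXT record.

    Terms with a '-', '~' or '?' qualifier are never whitelisted: they mean
    fail, softfail or neutral, not "this host may send for us".
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    networks: List[Network] = []
    needs_lookup: List[str] = []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        # mechanism name without its argument, e.g. "ip4", "a" (from "a/24"), "redirect"
        name = mech.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name in ("ip4", "ip6"):
            if qualifier == "+":
                networks.append(ipaddress.ip_network(mech.split(":", 1)[1], strict=False))
        elif name == "all":
            continue  # carries no networks
        else:
            needs_lookup.append(term)  # include:, a, mx, exists:, redirect=, ...
    return networks, needs_lookup


def covering_network(networks: List[Network], ip: str) -> Optional[Network]:
    """Return the first whitelisted network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr.version == net.version and addr in net:
            return net
    return None


def nospamd_lines(networks: List[Network]) -> List[str]:
    """One network per line, the format of the file a pf 'table <nospamd> persist file' reads."""
    return [str(net) for net in networks]


if __name__ == "__main__":
    nets, pending = parse_spf(SAMPLE_SPF)
    print("\n".join(nospamd_lines(nets)))
    for term in pending:
        print("# still needs resolving:", term)
    print("65.54.190.17 ->", covering_network(nets, "65.54.190.17"))
```

After writing the lines to the whitelist file, "pfctl -t nospamd -T replace -f /etc/mail/nospamd" reloads the table without touching the rest of the ruleset; re-run the expansion periodically, because the networks behind a large sender's SPF record change.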
Re: the whole greylisting, spam filtering thing
Hi,

On 29.09.2017 at 15:39, Larry Hynes wrote:
> Markus Rosjat <ros...@ghweb.de> wrote:
> > my boss is getting on my nerves
>
> It may be mutual.

of course but well :)

> > that greylisting is basically out of date because of things like outlook.com and mails ending up delayed for ever. So the next logical step would be to deploy a tool like rspamd or spamassassin to examine mail content. These tools need to be trained and if you have a small mailserver with less accounts this could take a while I imagine.
>
> Specifically in relation to rspamd: If you spend some time reading the documentation on the rspamd website you might find that:
>
> 1. the weight of rules which classify messages as 'ham' or 'spam' i.e. those rules which rely on the 'training' of messages, does not have to be, in the overall context, critical. rspamd deploys a boatload of 'tests', by default, and even more can be enabled, and each of those can be assigned a score. hamminess or spamminess is just one 'test'.
>
> 2. That the rspamd website specifically links to 'pre-built' ham and spam databases which you are free to download and use.

I'll check this out ! Thank you for the hint !!!

regards
the whole greylisting, spam filtering thing
Hi there,

my boss is getting on my nerves that greylisting is basically out of date because of things like outlook.com and mails ending up delayed for ever. So the next logical step would be to deploy a tool like rspamd or spamassassin to examine mail content. These tools need to be trained and if you have a small mailserver with less accounts this could take a while I imagine.

So my question is, is there some source that you could use to train these kinds of tools (like a database that you could connect to for training content) or is everyone here, that uses these tools, lucky enough to have a shit load of users that do the training for your systems?

some information about this would be helpful

regards
Re: routing problem with wordpress and external and internal traffic
hi,

On 27.09.2017 at 15:59, x9p wrote:
> > > I am supposing its Apache because you did not say so.
> > no it's of course a httpd from OpenBSD
>
> You are right, httpd. my bad. I am used to Linux world.
>
> > the problem here is for internal traffic to somehow rewrite the url to an internal ip with some lines in the server part of the httpd.conf (don't know if this is possible)
>
> We know packets are being changed by pf rules when coming from outside world. From inside network, there is a URL transformation that represents the problem you are facing.

well if I do stuff on the internal nic I could do things to these packages too but this should be the smaller problem here.

> where is the URL rewrite being done? .htaccess or in another part? I believe this is the first step to search for. If it is in the .htaccess, that is the simpler solution in my point of view.

well since .htaccess has nothing to do with httpd of OpenBSD, rewrites could be possible in relayd (maybe) or as I stated maybe in the server definition in httpd.conf.

> > or to somehow get the traffic rerouted when it hits the firewall in a pf rule or rules
>
> I believe mixing routing/pf rules with URL rewriting makes the problem complex, should be a simple solution.
>
> cheers.
> x9p

regards
Re: routing problem with wordpress and external and internal traffic
Hi,

On 27.09.2017 at 13:33, x9p wrote:
> > Hi there,
>
> Hi
>
> > I have a small problem getting a wordpress instance, that works with ips in the url, to work from the internal net. So here is the setup: a webserver for some application behind an OpenBSD firewall (webserver is OpenBSD 6.0). I have a static ip for my external nic and the wordpress
>
> I am supposing its Apache because you did not say so.

no it's of course a httpd from OpenBSD

> > So question now is, is it possible to route the way from inside to the outside and back without inventing the wheel new or is it simpler just to let the webserver listen to the different port too? I hope it makes sense to someone to give me a push in the right direction
>
> I think its lacking some information, but supposing your wordpress installation is redirecting based on .htaccess rules under httpd I would include a rule to not rewrite the URL based on source IP (if internal, do not apply .htaccess rule of URL rewrite)

the problem here is for internal traffic to somehow rewrite the url to an internal ip with some lines in the server part of the httpd.conf (don't know if this is possible) or to somehow get the traffic rerouted when it hits the firewall in a pf rule or rules

> something like: https://unix.stackexchange.com/questions/44129/conditional-directoryindex-based-on-ip-address-using-htaccess
>
> cheers.
> x9p

regards
routing problem with wordpress and external and internal traffic
Hi there,

I have a small problem getting a wordpress instance, that works with ips in the url, to work from the internal net. So here is the setup: a webserver for some application behind an OpenBSD firewall (webserver is OpenBSD 6.0). I have a static ip for my external nic and the wordpress instance uses the external ip in the site url. Additionally I have to use a different port than https because there is a proxy server listening for some other application.

While reaching the site from the outside world is no problem, because it's a simple redirect to the webserver and the wordpress instance has the url saved, it becomes kinda tricky to reach the wordpress instance from the inside. In the internal net the webserver listens on port 80 and 443 so I can reach it from the inside, but then the wordpress instance is rewriting the url to a port that isn't 443 because from the outside world it expects a different port.

So question now is, is it possible to route the way from inside to the outside and back without inventing the wheel new or is it simpler just to let the webserver listen to the different port too?

I hope it makes sense to someone to give me a push in the right direction

regards
Re: maybe misc can help even it's not openbsd related
thanks all for the suggestions, I will take a look at it and come back with some kind of config output though. sorry for the less useful input but I'm trying to put pieces together in a way I can work with and this work is in progress and in a very early stage.

And once again this list is at least willing to respond to a dummy like me so thumbs up guys !!!

regards
markus

On 24.08.2017 at 21:43, Mike Coddington wrote:
> On Thu, Aug 24, 2017 at 11:49:19AM +0200, Markus Rosjat wrote:
> > so here is my problem, I configured postfix and dkimproxy to work together. So far so good because it works for outgoing mail. The problem I face is with local mails. Postfix somehow rewrites the recipient from the mail address to u...@domain.tld and then the lookup in my ldap directory fails. So the real question is, can I configure postfix to ignore the forwarding to dkimproxy for local delivery ?
>
> Without seeing your configuration files, it's hard to tell. However, my guess is that you've got dkimproxy set to process all of your mail rather than having it only attached to the smtpd part of it. Check your master.cf and make sure that you're only referring to dkimproxy there, as opposed to calling it in main.cf somewhere.
>
> For example, I have SpamAssassin in my pipeline but only for external mail. I set it up that way by doing this with master.cf (among other things):
>
>     smtpd     pass  -       -       y       -       -       smtpd
>       -o smtpd_client_restrictions=$client_restrictions
>       -o content_filter=spamassassin
>
> By including the content_filter there, I'm able to have it only affect mail that originates from external hosts. I assume dkimproxy is called in a similar fashion. DKIM's too much of a pain in the butt for me though so I don't have first-hand experience with it.
maybe misc can help even it's not openbsd related
Hi there,

since I know ppl on this list are always willing to help even if it's not a real openbsd problem I will give it a try. I tried to ask this on the postfix list but after a week without any response and resending the mail I gave up.

so here is my problem, I configured postfix and dkimproxy to work together. So far so good because it works for outgoing mail. The problem I face is with local mails. Postfix somehow rewrites the recipient from the mail address to u...@domain.tld and then the lookup in my ldap directory fails. So the real question is, can I configure postfix to ignore the forwarding to dkimproxy for local delivery ?

regards
maildrop-postfix question
Hi there,

I try to get maildrop to work with postfix so I installed the maildrop-postfix package and did the config in the main.cf. Strange part is that maildrop still tries to use authdaemon ... well I thought okay, install courier-utils because it seems both things are related, and I get all the authtools but they don't work because authdaemon isn't there still.

so the basic question here is, what to enable with rcctl to get authdaemon up and running, or if this isn't the way to go with maildrop and postfix, what is it to get rid of logs like

    Command output: ERR: authdaemon: s_connect() failed: No such file or directory
    /usr/local/bin/maildrop: Temporary authentication failure.

regards
OpenBSD 6.1 some Warnings when using OpenLDAP Tools
Hi there,

this is more an info than a problem though, since it seems to work. When I use the slap tools like slapcat I get a size mismatch warning like this

    slapcat:/usr/local/lib/libicuuc.so.12.0: /usr/local/lib/libicudata.so.12.0 : WARNING: symbol(icudt58_dat) size mismatch, relink your program

It's a fresh install from the ports so some of the maintainers might like to know that.

regards
Re: Opensmtpd-extras documentation
ok turns out it's not a LDAP problem at all ... since openSMTPD doesn't authenticate with a plain password at all it will always fail.

regards
markus

On 31.07.2017 at 17:44, Markus Rosjat wrote:
> Hi there,
> Is there some documentation on the ldapFilter ? It's kinda frustrating to see a 535 Auth failed even when you are sure you got the right credentials. I have openldap running but without some basic info on how to pass looked up information on to smtpd I'm lost here
> Regards
> Markus
> Sent from my Samsung device.
Opensmtpd-extras documentation
Hi there,

Is there some documentation on the ldapFilter ? It's kinda frustrating to see a 535 Auth failed even when you are sure you got the right credentials. I have openldap running but without some basic info on how to pass looked up information on to smtpd I'm lost here

Regards
Markus

Sent from my Samsung device.
Re: OpenSMTP and OpenLDAP
Hey Henrik,

This was a hint I was looking for though! I will check that out :)

Regards
Markus

-------- Original message --------
From: Henrik Friedrichsen <hen...@diff.cc>
Date: 25.07.17 19:15 (GMT+01:00)
To: misc@openbsd.org
Cc: ros...@ghweb.de
Subject: Re: OpenSMTP and OpenLDAP

Hey,

On Tue, Jul 25, 2017 at 10:50:32AM +0200, Markus Rosjat wrote:
> I was just wondering if these two work together at all? I saw examples with ldapd that ships with the OS but not with OpenLDAP. Since I try to get my user table defined, and the man only has options for db and file, what's the way to go here if there is a way at all?

The OpenSMTPD-extras package should have an LDAP filter. I have no experience with it and whether it works with OpenLDAP, but it might be a starting point: https://github.com/OpenSMTPD/OpenSMTPD-extras/tree/master/extras/tables/table-ldap
Re: OpenSMTP and OpenLDAP
well it seems no one has an answer to that, so while you always see examples for ldapd I'm still confused, since man smtpd.conf states you should use file:/ or db:/ to define a table and no other option like ldap:/ is mentioned at all.

So let's refine the question ... Is LDAP supported in OpenSMTP at all? And if so, where to find a piece of information on how to configure it?

regards
Markus

On 25.07.2017 at 10:50, Markus Rosjat wrote:
> Hi there,
> I was just wondering if these two work together at all? I saw examples with ldapd that ships with the OS but not with OpenLDAP. Since I try to get my user table defined, and the man only has options for db and file, what's the way to go here if there is a way at all?
> Regards
OpenSMTP and OpenLDAP
Hi there,

I was just wondering if these two work together at all? I saw examples with ldapd that ships with the OS but not with OpenLDAP. Since I try to get my user table defined, and the man only has options for db and file, what's the way to go here if there is a way at all?

Regards
guidelines for migration openldap directory to ldapd ?
Hi there,

I was wondering if there is something like that for migrating an existing openLDAP directory to ldapd? I took a look at the config files and some stuff was basically the same information with different syntax. The aim is to make working with ldap authentication and opensmtp as simple as possible. So since ldapd and smtpd both ship with the system I thought this would be the way to go. Since I don't have much experience with both tools I was looking for some advice from all the gurus out there :)

regards
Re: sftp chroot
thanks for the info, the read only would be rw but it's at least worth looking at even if it's hackish :-P

But I also figured, since I don't need a shell for these users I can simply force them into a sftp chroot somewhere else, but this is something I have to refine more. though on my testmachine I have a kinda weird setup right now:
- normal system user with home in /home/username
- forced into a chroot with sshd_config somewhere in /var/www/htdocs/chrootdir

I have to wait and see if this is a solution to go with, but then again as long as it does what it is supposed to do I'm okay with it. So let's wait for the crybabies to complain about all the things they can't do without asking for permission first.

Regards
Markus

On 14.06.2017 at 20:53, Ville Valkonen wrote:
> On 14 June 2017 at 11:33, Markus Rosjat <ros...@ghweb.de> wrote:
> > Hi there,
> > I want to build an sftp environment where the user is chrooted to his home dir. So far so good but then again the user might need access to a webserver resource like /var/www/htdocs/some_dir
> > As far as I understand a symlink doesn't work in the chroot setup and I'm not quite sure how to achieve this. I could simply make /var/www/htdocs/some_dir the home dir of the user but I'm not sure if this is the recommended way.
> > so once again advice is helpful :)
> > regards
>
> Hi,
> here's the NFS solution you were after:
>
>     $ grep 127.0.0.1 /etc/exports
>     /home/store/music -ro -mapall=extuser1 127.0.0.1
>     /home/store/not_sorted -ro -mapall=extuser1 127.0.0.1
>
> and chroot /home/$user as usual. Now the extuser1 has read only access to certain shares. Hackish? Definitely. Use at your own risk.
>
> --
> Regards,
> Ville
Re: sftp chroot
On 14.06.2017 at 16:31, Chris M wrote:
> Some hosts chroot users into a specific web dir because they have multiple vhosts on the same server, and they don't want all sftp or ssh users to be able to browse into other vhosts, even to look around. They might also want to give developers access to specific subdirs without seeing the entire vhost root.

Yes this is the aim here, the user has no shell at all. He gets access to the webcontent folder only.

> I am running SFTP-only chroot file exchange server where a very small group of users have the access to the same chroot without full shell access for the purpose of sharing/exchanging data.

I want to separate every user, no peeking up the ladder :)

> I could imagine situation in which it is desirable to give users chrooted SFTP-only access to their web data. It seems to me that one could create virtual host per user and give them sftp-only access to the root directory of their virtual server.

they will all get virtual hosts in httpd and get their sftp root set to the root of the virtual host.

> Somebody help me. What would be other good use case scenarios for chrooted sftp-only user access?

Annoying colleagues without a wheel :-p ... just kidding

regards
Re: sftp chroot
On 14.06.2017 at 15:53, Markus Rosjat wrote:
> On 14.06.2017 at 13:42, Jiri B wrote:
>> On Wed, Jun 14, 2017 at 01:09:47PM +0200, Solène Rapenne wrote:
>>> On 2017-06-14 13:02, Bryan Harris wrote:
>>>> On Linux I have mounted another fs inside the user's home folder (it is mounted twice). I don't know if OpenBSD has that feature.
>>>
>>> This is not possible on OpenBSD, mount will tell "device is busy". On Linux you should use mount --bind to bind a folder on another instead of mounting the mountpoint twice.
>>
>> FreeBSD has mount_nullfs to do exactly the same thing as --bind, but OpenBSD doesn't have any of this.
>>
>> Do you build a shell server or do you just want to give SFTP access to users' web data? If the latter, why don't you just chroot them directly into their user dir inside the web root? Or just define their home to be inside the web chroot...
>>
>> j.
>
> like I stated before, I know I can simply give them their webcontent folder as home and chroot this for sftp, but then again how to handle the .ssh or other dot folders and files? I read something about placing it outside the home dir and defining the location over sshd_config but I'm not sure if this is a proper solution.

okay I tried to set the chroot in the sshd_config to the www dir of the user and it seems to work so far. Since this is a dev machine it's okay for now. So there is still time to sort out the kinks
Re: sftp chroot
On 14.06.2017 at 13:42, Jiri B wrote:
> On Wed, Jun 14, 2017 at 01:09:47PM +0200, Solène Rapenne wrote:
>> On 2017-06-14 13:02, Bryan Harris wrote:
>>> On Linux I have mounted another fs inside the user's home folder (it is mounted twice). I don't know if OpenBSD has that feature.
>>
>> This is not possible on OpenBSD, mount will tell "device is busy". On Linux you should use mount --bind to bind a folder on another instead of mounting the mountpoint twice.
>
> FreeBSD has mount_nullfs to do exactly the same thing as --bind, but OpenBSD doesn't have any of this.
>
> Do you build a shell server or do you just want to give SFTP access to users' web data? If the latter, why don't you just chroot them directly into their user dir inside the web root? Or just define their home to be inside the web chroot...
>
> j.

like I stated before, I know I can simply give them their webcontent folder as home and chroot this for sftp, but then again how to handle the .ssh or other dot folders and files? I read something about placing it outside the home dir and defining the location over sshd_config but I'm not sure if this is a proper solution.
sftp chroot
Hi there,

I want to build an sftp environment where the user is chrooted to his home dir. So far so good, but then again the user might need access to a webserver resource like /var/www/htdocs/some_dir. As far as I understand a symlink doesn't work in the chroot setup and I'm not quite sure how to achieve this. I could simply make /var/www/htdocs/some_dir the home dir of the user but I'm not sure if this is the recommended way.

so once again advice is helpful :)

regards
Re: httpd and phpMyAdmin
On 13.06.2017 at 23:56, Stuart Henderson wrote:
> On 2017-06-13, Markus Rosjat <ros...@ghweb.de> wrote:
>> would like to get opinions on securing the whole thing ...still :)
>
> Deleting phpmyadmin would be a good start :-)

yeah but I'm not the boss :( besides, this is a dev machine, I don't let that out in the wild though ...
Re: httpd and phpMyAdmin
heads up on the 403 error: fixed it by putting different locations for php and other files in the server config.

would like to get opinions on securing the whole thing ...still :)

regards
httpd and phpMyAdmin
Hi there,

I need to set up phpMyAdmin for some webdesign folks and I somehow got something working ... I still can't figure out why all the images, css and js files get a 403 error. So if someone has a phpmyadmin running he might be able to give me some advice on the httpd.conf?

regards
sshd and key auth problem
Hi there,

I have very strange behaviour here with my sshd setup. I run a 6.1 release to test some stuff for sftp. I created my user and created a ssh key pair, generated a ppk for a putty session, all no problem. Then I created a 2nd user for a sftp group and did the same as above. All worked well and I started to alter the permissions to test sftp, and there sshd started to refuse my key for the 2nd user. Ok, so I changed all permissions back for the 2nd user but sshd still tells me it can't read the authorized_keys file. I checked ownership and permissions twice against my user and it should work, but it seems I still miss something here.

Any advice is appreciated

Regards
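Two checks for the things sshd is strict about in this post and in the sftp chroot threads above, as an added example (not code from any of the posts): every component of a ChrootDirectory path must be root-owned and not group/world writable, and with StrictModes the home dir, ~/.ssh and authorized_keys must be owned by the user and not writable by anyone else. The OWNER parameter and the constructed temp tree exist only so the demo runs unprivileged.

```shell
#!/bin/sh
# Added example, not code from the threads above.

# path_is_safe PATH OWNER: true when PATH is owned by OWNER and has neither
# the group-write nor the other-write bit set (the test sshd applies).
path_is_safe() {
    [ -n "$(find "$1" -prune -user "$2" ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]
}

# check_chroot_chain DIR [OWNER]: sshd requires every component of a
# ChrootDirectory, up to /, to be owned by root and not group/world writable,
# otherwise the login is refused. OWNER defaults to root; it is a parameter
# only so the demo below can run unprivileged on a constructed tree.
check_chroot_chain() {
    cur=$1; owner=${2:-root}; rc=0
    while :; do
        if ! path_is_safe "$cur" "$owner"; then
            echo "unsafe chroot component: $cur"; rc=1
        fi
        [ "$cur" = / ] && break
        cur=$(dirname "$cur")
    done
    return $rc
}

# check_authorized_keys HOME [USER]: with StrictModes (the default) sshd
# ignores the key file when the home dir, ~/.ssh or authorized_keys is
# writable by group or others, or not owned by the user. sshd also accepts
# root as owner; this check is stricter and wants the user.
check_authorized_keys() {
    home=$1; user=${2:-$(id -un)}; rc=0
    for f in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$f" ]; then
            echo "missing: $f"; rc=1
        elif ! path_is_safe "$f" "$user"; then
            echo "bad ownership or modes: $f"; rc=1
        fi
    done
    return $rc
}

# Constructed demo tree (not a real home or chroot), removed at the end.
demo=$(mktemp -d)
mkdir -m 0700 "$demo/.ssh"
: > "$demo/.ssh/authorized_keys"
chmod 0600 "$demo/.ssh/authorized_keys"
check_authorized_keys "$demo" && echo "authorized_keys: ok"
chmod 0666 "$demo/.ssh/authorized_keys"   # the kind of change that broke the login
check_authorized_keys "$demo" || echo "sshd would refuse this key file"
mkdir -m 0777 "$demo/chroot"              # one writable component disqualifies the path
check_chroot_chain "$demo/chroot" "$(id -un)" || echo "not usable as ChrootDirectory"
rm -rf "$demo"
```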
Re: bgp-spamd added 192.43.244.163
just a short heads up, 192.43.244.163 got added to the 666 community again, if anyone is wondering why mails from the list don't show up.

regards
OpenBSD and Zope2
Hi there,

does someone have a Zope2 4.0a5 or 4.0a6 running out there? The last time I came in contact with zope was around 2012 and version 2.10.x, and this seems to be a bit outdated or not supported at all anymore. I'm aware that a lot has changed in Zope2 since then, but before I skip it totally I wanted to check it out; but even if I get the instance up and running I can't connect to it. I know it's not really an OpenBSD question but since we are on misc I might get lucky :)

regards
bgp-spamd added 192.43.244.163
hi there,

just had a strange encounter. I was wondering why I didn't get mail from this list for a while. So I did some digging and found that even though 192.43.244.163 was whitelisted with something like 32k mails delivered, there are also GREY entries for this ip. So I checked my blacklists, nothing to find, and then I thought okay, check the list from the bgp-spamd project, and to my surprise I found 192.43.244.163 in the table. I deleted it and my mails from this list are coming in again. Since I didn't do anything lately on my setup I wonder if someone else has had this encounter.

regards
httpd and wordpress
Hi there,

well, if it were up to me I would skip wordpress for good, but it's not my decision. So I was wondering if there are some recommendations on what to block in the httpd.conf and what file permissions to use. For now I have:

- like wordpress suggests, 0755 on dirs and 0644 on files
- setting wp-config.php to 0400 is not going to work at all, I need at least a 0644 or nothing shows up
- in httpd.conf I blocked /wp_content, /wp-content/uploads/*.php, /wp-includes, /wp-includes/*.php and /wp-admin

so if there is something I can do further to harden things just let me know :) advice is most appreciated

Regards
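An audit of the scheme listed in this post, as an added example (not code from the post or from WordPress): directories at 0755, files at 0644, and no PHP under wp-content/uploads, the path the httpd.conf rule blocks. The site path is hypothetical and the demo tree is constructed on the fly.

```shell
#!/bin/sh
# Added example, not code from the post above. A real site would live under
# a path such as /var/www/htdocs/site (hypothetical).

# audit_wp_tree ROOT: print one finding per line, return 1 if any were found.
audit_wp_tree() {
    root=$1
    findings=$(
        # directories that are not exactly 0755
        find "$root" -type d ! -perm 0755 | sed 's/^/dir-mode: /'
        # files that are not exactly 0644; wp-config.php is held to the same
        # mode because, as noted in the post, httpd cannot read it at 0400
        find "$root" -type f ! -perm 0644 | sed 's/^/file-mode: /'
        # PHP under uploads is blocked by httpd, but it should not exist at
        # all: a file that lands there deserves a closer look, not just a 403
        if [ -d "$root/wp-content/uploads" ]; then
            find "$root/wp-content/uploads" -type f -name '*.php' |
                sed 's/^/php-in-uploads: /'
        fi
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree, removed at the end.
site=$(mktemp -d)
mkdir -p "$site/wp-content/uploads" "$site/wp-admin"
chmod 0755 "$site" "$site/wp-content" "$site/wp-content/uploads" "$site/wp-admin"
: > "$site/index.php";     chmod 0644 "$site/index.php"
: > "$site/wp-config.php"; chmod 0600 "$site/wp-config.php"    # too tight for httpd
: > "$site/wp-content/uploads/dropped.php"                       # should never be here
chmod 0644 "$site/wp-content/uploads/dropped.php"
audit_wp_tree "$site" || echo "audit: findings above need attention"
chmod 0644 "$site/wp-config.php"
rm "$site/wp-content/uploads/dropped.php"
audit_wp_tree "$site" && echo "audit: clean"
rm -rf "$site"
```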
rspamd or spamassassin
Hi there,

I'm going to build a new mailserver with openSMTP and Dovecot and I was wondering what is used for additional spam filtering in this kind of setup. I looked around and saw that rspamd is somewhat in favor, but since I'm new to the openSMTP thing (had courier before) I was wondering which of the tools mentioned is the best fit.

regards
OpenBSD on Synology devices
Hi there,

has someone ever done it, and if so could he share some knowledge about it :)

regards
pf route-to only with multipath enabled?
Hi there,

just to clarify this: a rule in pf with the route-to keyword only works when multipath routing is enabled in sysctl.conf?

regards
Re: bgp-spamd question
> Hi,
>
> I have something like
>
>   bgp-spamd:\
>   	:black:\
>   	:msg="Your address %A has sent mail to a spamtrap\n\
>   	within the last 24 hours":\
>   	:method=file:\
>   	:file=/var/mail/spamd.black:
>
> in /etc/mail/spamd.conf and a cron job
>
>   /bin/sh /etc/mail/bgp-spamd.black.sh
>
> which has
>
>   #!/bin/sh
>   AS=65066
>   # drop the 4 header lines, the /len suffix and the leading flags/spaces
>   bgpctl show rib community ${AS}:666 | sed -e '1,4d' -e 's/\/.*$//' -e 's/[ \*\>]*//' > /var/mail/spamd.black
>   /usr/libexec/spamd-setup
>   # EOF
>
> Just double checked and can see it is being updated.
>
>   $ ls -l /var/mail/spamd.black
>   -rw-r--r--  1 root  wheel  233006 May  8 05:20 /var/mail/spamd.black
>
> Hope this helps,
> Vijay

I don't want to copy the results into a list for now, I simply want to get any results at all :) so as long as bgpctl show rib community 65066:666 doesn't give any results I won't see any IPs in a spamlist file at all

regards
bgp-spamd question
Hi there,

I followed the example on http://bgp-spamd.net/client/bgpd.html and tried to set up bgpd. The daemon started without problem, but when I try to fetch IPs it doesn't seem to work for me.

  $ doas bgpctl show rib community 65066:666
  flags: * = Valid, > = Selected, I = via IBGP, A = Announced, S = Stale
  origin: i = IGP, e = EGP, ? = Incomplete

  flags destination          gateway          lpref   med aspath origin
  $

I would expect a list of IPs here, or did I miss a point somewhere on the way? I simply enabled bgpd without any special flags.

  $ doas rcctl enable bgpd
  $ doas rcctl get bgpd
  bgpd_class=bgpd
  bgpd_flags=
  bgpd_rtable=0
  bgpd_timeout=30
  bgpd_user=root
  $ doas rcctl start bgpd
  bgpd(ok)

here is the bgpd.conf

  # macros
  spam_rs1="64.142.121.62"   # rs.bgp-spamd.net
  spam_rs2="217.31.80.170"   # eu.bgp-spamd.net
  spamASN="65066"

  AS 65517
  fib-update no   # mandatory, to not update
                  # the local routing table

  group "spam-bgp" {
          remote-as $spamASN
          multihop 64
          announce none   # Do not send any route updates
          neighbor $spam_rs1
          neighbor $spam_rs2
  }

  # 'match' is required, to remove entries when routes are withdrawn
  match from group "spam-bgp" community $spamASN:42 set pftable "bgp_spamd_bypass"
  match from group "spam-bgp" community $spamASN:666 set pftable "bgp_spamd"

In my pf.conf I just have the tables defined without any rules for the tables. I can also ping the bgp-spamd servers. So any advice would be helpful here :)

Regards
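The cron script quoted in the reply above writes whatever bgpctl prints straight into the blacklist, so the empty RIB shown in this question would leave spamd with an empty list on the next spamd-setup run. As an added example (not code from either post), this version extracts the prefixes the same way but refuses to install an empty list; it assumes spamd-setup's file method accepts CIDR entries, so prefixes are kept whole instead of having the /len stripped, and the sample RIB output is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Turns the output of
#     bgpctl show rib community 65066:666
# into a spamd blacklist file, but keeps the previous file when the RIB is
# empty (no session established yet, which is what the question shows).
# Assumption: spamd-setup accepts CIDR entries in a "file" blacklist.

# extract_prefixes RIBFILE: print the destination prefix of each route line.
# Header lines carry no a.b.c.d/len token, so no fixed "1,4d" is needed, and
# the gateway column never matches because it has no mask.
extract_prefixes() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) { print $i; break }
    }' "$1"
}

# update_blacklist RIBFILE OUTFILE: write prefixes to a temp file and move it
# into place only when at least one was found; otherwise return 1 and leave
# OUTFILE untouched. "bgpctl show summary" shows whether the sessions to the
# route servers are Established at all.
update_blacklist() {
    rib=$1; out=$2
    tmp=$(mktemp) || return 1
    extract_prefixes "$rib" > "$tmp"
    n=$(wc -l < "$tmp" | tr -d ' ')
    if [ "$n" -eq 0 ]; then
        rm -f "$tmp"
        echo "no prefixes in RIB output; keeping $out untouched" >&2
        return 1
    fi
    mv "$tmp" "$out" && echo "$n prefixes written to $out"
}

# Constructed sample in the layout bgpctl prints; the addresses are
# documentation ranges, not real spamtrap hits.
rib=$(mktemp)
cat > "$rib" <<'EOF'
flags: * = Valid, > = Selected, I = via IBGP, A = Announced, S = Stale
origin: i = IGP, e = EGP, ? = Incomplete

flags destination          gateway          lpref   med aspath origin
*>    192.0.2.17/32        64.142.121.62      100     0 65066 i
*>    198.51.100.0/24      64.142.121.62      100     0 65066 i
EOF
black=$(mktemp)
update_blacklist "$rib" "$black"            # 2 prefixes written
head -4 "$rib" > "$rib.empty"               # header only: the empty RIB from the question
update_blacklist "$rib.empty" "$black" || echo "kept $(wc -l < "$black" | tr -d ' ') entries"
# In a cron job, /usr/libexec/spamd-setup would run here after a successful update.
rm -f "$rib" "$rib.empty" "$black"
```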
Re: What is "activity" on a relayed SSH connection? (Re: (solved) relayd splice timeout)
On 02.05.2017 at 14:50, Andreas Kusalananda Kähäri wrote:
> On Tue, May 02, 2017 at 12:35:22PM +0200, Markus Rosjat wrote:
>> Hi Hiltjo,
>>
>> just to let you know session timeout did the trick and works like a charm
>
> On a related note: What constitutes "activity" on a relayed SSH connection? I'm also using relayd on a router to relay SSH connections to an internal host, and it seems as if "relayctl show sessions" will never say that "idle" is anything other than the same as "age".
>
>   $ relayctl show sessions
>   session 0:447 192.168.1.4:63327 -> 10.0.0.10:22   RUNNING
>   	age 01:13:47, idle 01:13:47, relay 1, pid 84257
>
> Regards,
> Kusalananda

I also noticed that the timeout seems to be fixed, so that even if I do traffic over the relayed connection a timeout appears after the amount of seconds I defined in my relayd.conf. It's not reset in any way, like Andreas stated above. But that's a thing I could live with, I just need a big enough value :)

regards
(solved) relayd splice timeout
Hi Hiltjo,

just to let you know session timeout did the trick and works like a charm

Regards
Markus

On 28.04.2017 at 11:34, Hiltjo Posthuma wrote:
> On Thu, Apr 27, 2017 at 07:11:56PM +0200, Markus Rosjat wrote:
>> Hi there,
>>
>> I was playing around with relayd just to get a feeling for it. So I started with relaying a ssh connection to a machine behind my gateway.
>>
>> But it seems there is some kind of config value I miss, because after about 8 minutes the open ssh connection suddenly gets closed. Running relayd in the foreground shows a splice timeout.
>>
>> So the question is, can I, and if so where can I adjust the timeout value?
>>
>> SSH might be a bad example for relayd use but it's the easiest starting point, I thought. Better to discover stuff before a setup gets more complicated.
>>
>> Regards
>
> Hey,
>
> Have you tried "session timeout"? They can be used for relays and redirections. See the RELAYS and REDIRECTIONS section in relayd.conf(5).
Re: relayd splice timeout
Original message
From: Hiltjo Posthuma <hil...@codemadness.org>
Date: 28.04.17 11:34 (GMT+01:00)
To: Markus Rosjat <ros...@ghweb.de>
Cc: misc@openbsd.org
Subject: Re: relayd splice timeout

On Thu, Apr 27, 2017 at 07:11:56PM +0200, Markus Rosjat wrote:
> Hi there,
>
> I was playing around with relayd just to get a feeling for it. So I started
> with relaying a ssh connection to a machine behind my gateway.
>
> But it seems there is some kind of config value I miss, because after about 8
> minutes the open ssh connection suddenly gets closed. Running relayd in the
> foreground shows a splice timeout.
>
> So the question is, can I, and if so where can I adjust the timeout value?
>
> SSH might be a bad example for relayd use but it's the easiest starting point,
> I thought. Better to discover stuff before a setup gets more complicated.
>
> Regards
>

Hey,

Have you tried "session timeout"? They can be used for relays and redirections. See the RELAYS and REDIRECTIONS section in relayd.conf(5).

--
Kind regards,
Hiltjo

Hi,

I will give it a try and check if it makes a difference. Thanks for the hint
relayd splice timeout
Hi there,

I was playing around with relayd just to get a feeling for it. So I started with relaying a ssh connection to a machine behind my gateway.

But it seems there is some kind of config value I miss, because after about 8 minutes the open ssh connection suddenly gets closed. Running relayd in the foreground shows a splice timeout.

So the question is, can I, and if so where can I adjust the timeout value?

SSH might be a bad example for relayd use but it's the easiest starting point, I thought. Better to discover stuff before a setup gets more complicated.

Regards
Re: torrent downloads
Hi,

I think it's kinda pointless to have a torrent for this. You've got enough good mirrors to download from anyway. And nowadays it's not a biggie to download an iso or so of about 200mb. And yes, I'm the proud owner of some awesome puffy shirts too (if someone is concerned about the download part :-P )

regards
markus

On 27.04.2017 at 13:55, Thuban wrote:
> Hello,
>
> I was wondering if there is any particular reason explaining why there is no torrent file to retrieve OpenBSD *.fs and *.iso. I've been looking on the list and only found this site that doesn't seem up to date [1]. If the reason is a lack of human resources, I think I can handle it.
>
> Regards.
>
> [1] : http://openbsd.somedomain.net/