Re: Dilemma: between OpenBSD and NetBSD

2012-08-12 Thread Paul Pruett
 But in the past couple of years, I see hangers on trying to show off 
by bullying newcomers, and that's really distasteful


Possibly what you are experiencing in part is bikeshedding
http://en.wiktionary.org/wiki/bikeshedding
http://en.wikipedia.org/wiki/Parkinson%27s_Law_of_Triviality

I was guilty myself when I popped off an answer mentioning the FAQ,
and guessing it would generate a lot of trivial responses...

On a question like the one that started this thread,
most any OpenBSD user knew enough to quickly point to the FAQ
answer...  And for a bully, well it was an easy one to pounce on.



mod_frontpage fopen fail for fpEXEC log after upgrade.

2011-01-11 Thread Paul Pruett

I have a legacy server, that supports some older frontpage website,
yes I know.. but the customer wants it and the i386 still has
mod_frontpage in ports. so

I upgraded from i386 openbsd 4.6 to openbsd 4.8
and everything seemed to make it.  it was brought to my attention that
while frontpage does log activity like counter to fpEXEC log,
/var/log/fpexec_log
when a form is used, it does not log and as a cgi has a premature end.

Anyone else out there still using mod_frontpage
and on an openbsd 4.8,
and if so does it still process forms?

website log excerpt:

failed to open fpEXEC log file
fopen: Permission denied
[Tue Jan 11 13:45:14 2011] [error] [client *.*.*.* ] Premature end
of script headers: /usr/local/sbin/fpexec



mod_frontpage fopen problem on fpEXEC log after upgrade.

2011-01-11 Thread Paul Pruett

I have a legacy server, that supports some older frontpage website,
yes I know.. but the customer wants it and the i386 still has
mod_frontpage in ports.


I upgraded from i386 openbsd 4.6 to openbsd 4.8
and everything seemed to make it.  I got a call about frontpage
it seems that while I see log activity to fpEXEC log,  /var/log/fpexec_log
when a form is used, it does not log and as a cgi does the premature end.

Anyone else out there still using mod_frontpage
and on an openbsd 4.8,
and if so does it still process forms?


website log...

failed to open fpEXEC log file
fopen: Permission denied
[Tue Jan 11 13:45:14 2011] [error] [client 65.33.125.44] Premature end 
of script headers: /usr/local/sbin/fpexec




Re: mod_frontpage fopen fail for fpEXEC log after upgrade.

2011-01-11 Thread Paul Pruett

fixed... problem was  that kernel no longer supports bsdi
Thank you for the observation by the other poster!

On 1/11/2011 9:04 AM, Paul Pruett wrote:

I upgraded from i386 openbsd 4.6 to openbsd 4.8
and everything seemed to make it.  it was brought to my attention that
while frontpage does log activity like counter to fpEXEC log,
/var/log/fpexec_log
when a form is used, it does not log and as a cgi has a premature end.


Yes the issue was that the kernel for 4.8 did not support bsdos emulation
so the line kern.emul.bsdos=1 in /etc/sysctl.conf was not doing anything.

I don't know if a custom kernel will support emulating bsdos,
but the ports for emulating freebsd and linux appear to be adequately 
supported.


solution, set /etc/sysctl.conf
kern.emul.freebsd=1

(either reboot or use sysctl to set that)

cd /usr/ports/emulators/freebsd_lib
make install

and then change binaries in /usr/local/frontpage to use freebsd flavor
instead... similar to pkg message, using freebsd instead of bsdi

ftp ftp://ftp.microsoft.com/products/frontpage/fp50.freebsd.tar.Z
cd /usr/local/frontpage/version5.0
dd if=/dev/arandom of=apache-fp/suidkey bs=129 count=1
sh set_default_perms.sh
find . -type f -perm -4000 -exec chmod u-s {} \;

 observations 

I would suggest a modification to the port
mod_frontpage package message,
to say bsdi is no no longer supported by the kernel by default.
and to pick a flavor of frontpage and emulation that may work...

This port is used by so few, and most know it well, so I would
not suggest modifying port to have a dependency to require emulation
for linux or freebsd... to much trouble, but at least have a warning
in the package message that bsdos or the bsdi flavor is no longer
supported by the default kernel.   a clue would help others.




existing openbsd 4.8 package message:

# cat /usr/ports/www/mod_frontpage/pkg/MESSAGE

To finish the install, you need to enable the module using the following
command

  ${PREFIX}/sbin/${MODAPACHE_ENABLE}

If you already have Apache running on your machine, you should not use
apachectl restart - instead, you should fully stop and then restart
the server.

This package only includes the mod_frontpage module for Apache.  It is
still necessary to download and install the server extensions from
Microsoft.  They can be retrieved and installed using the following
instructions.

  # ftp ftp://ftp.microsoft.com/products/frontpage/fp50.bsdi.tar.Z
  # tar -C /usr/local -xzpvf fp50.bsdi.tar.Z
  # cd /usr/local/frontpage/version5.0
  # dd if=/dev/arandom of=apache-fp/suidkey bs=129 count=1
  # sh set_default_perms.sh
  # find . -type f -perm -4000 -exec chmod u-s {} \;



anyone tried the freebsd version of teamspeak3 with the freebsd emulation?

2010-08-12 Thread Paul Pruett
Was wondering if anyone else has recently tried the teamspeak3 server 
using the freebsd (x86) beta server

for download on an openbsd with freebsd kernel emulation?

-tia.



mknod Invalid argument after upgrade.

2008-05-07 Thread Paul Pruett

Apologies, but so far suggestions have not worked.

What things should I check to fix mknod, short of format hard drive?



Situation, after possibly messing up using a wrong MAKEDEV during upgrade 
to OBSD 4.3 (amd64) from beta,  I fixed by making sure /dev was empty of all, then 
booting from stable 4.3 media and doing upgrade, which replaced and 
therefore repaired /dev


HOWEVER, now mknod fails for making devices except when used as mkfifo 
(-p). So I don't dare do MAKEDEV again since it runs 'rm' first 
then tries to do mknod, leaving no drivers and no way short of booting 
cdrom to fix.


This failure of mknod is true under /dev and other directories, and I am 
running it as root.  And / is mounted without nodev as expected.


# head -1 /etc/fstab
/dev/wd0a / ffs rw 1 1

example:

# cd /dev
# whereis mknod
/sbin/mknod
# /sbin/mknod foo c 1 1
mknod: foo: Invalid argument
# uname -a
OpenBSD  4.3 GENERIC.MP#1582 amd64
#


Fails also with GENERIC bsd.

tia, your help appreciated, I will document finding and post for others

---



Re: mknod fails after wrong arch MAKEDEV

2008-05-05 Thread Paul Pruett

How does it fail?
Try for example (manually):

mkfifo foo
mknod foo c 1 1


# cd /
# mknod foo c 1 1
ksh: mknod: foo: Invalid argument


FAILS with invalid argument.



What *can* be an issue is that mknod inside a chroot is not allowed, as
well as mknod as non-root (except for pipes, i.e. mknod path p, which
is the same as mkfifo path).


agreed,
but I don't think I have /  as a chroot,
and I am doing it as root, not su



I fear I some how messed up the userland or some kind of auditing
when I accidentally a month ago used the MAKEDEV for a i386, then had to 
boot off cdrom to redo /dev




Re: mknod fails after wrong arch MAKEDEV

2008-05-04 Thread Paul Pruett

Isn't /tmp mounted with option nodev, by chance?


Would not explain it failing in /dev

but a good thought.

uhmm on this computer, /tmp is on the root partition, did not make a 
separate mount in fstab for it, ...  yes,

probably should have made a /tmp partition so as to be able to add
options like nodev and nosuid against /tmp,  but that is another story

I looked at my /etc/fstab and  / is not mounted  with nodev
either.

So that is not it.  I think upgrade from cdrom would fix the /dev
folder... and replace /sbin/mknod, and replace the kernel and important
userland.

Then I ran the port mergemaster just in case I missed something in /etc...

but the problem persists, so my question, does the operating system use
some kind of protection (other than nodev in /etc/fstab) that might 
prevent mknod from creating devices?  it can create fifos




Re: obsd 3.4 port of mysql may have error9 issue again...

2008-03-19 Thread Paul Pruett

OpenBSD 4.3, you mean.


If I run mysqlcheck -A  against a lot of databases...
about the last database it comes back errors...

Error: File './*_drupal/vocabulary_node_types.MYD' not found
(Errcode: 9)
Error: Got error9 from storage engine
error: Corrupt


No such issues there with OpenBSD 4.3.


yes, 4.3
apologies on that typo.

mysqlcheck is supposed to really exercise mysql, so
I thought I'd best post in case someone else saw it,
because the open file limit had been an issue in the past with version 
3.* (possibly how my brain flipped the numbers...)


The test computer has a new hard drive and hardware, amd64 with generic.mp
I will also try a reboot with generic instead of generic.mp
and see if it happens.

Hopefully it is something
in my.cnf that I setup and not the version of mysql.



obsd 3.4 port of mysql may have error9 issue again...

2008-03-17 Thread Paul Pruett

just a heads up, for mysql
on new openbsd 3.4 just did the make build for src with OPENBSD_3_4 Tag 
and mysql port from anoncvs today because I was 
starting to see the infamous errorcode 9 with the beta port of mysql

If I run mysqlcheck -A  against a lot of databases...
about the last database it comes back errors...

Error: File './*_drupal/vocabulary_node_types.MYD' not found 
(Errcode: 9)

Error: Got error9 from storage engine
error: Corrupt


If I run mysqlcheck only against the database(s) shown with errors
then it is okay.  If I keep doing it I lock up mysql and have to kill
it...

So I checked ports and saw mysql-server-5.0.51a and replaced 5.0.51
but unfortunately,
still seeing it after updating package to

yes I am starting mysql with a file limit


It could be just a configuration issue on my side,
but I recommend others look into looking at mysql port
on 3.4 to see if they get the tmp 9 error when doing database
optimizations and tests...

btw,
per some suggestions on http://www.openbsdsupport.org/mysql.htm
here is how I am starting mysql in my /etc/rc.mysql

su -c _mysql root -c '/usr/local/bin/mysqld_safe --open-files-limit=2048 --log-slow-queries ' > /dev/null & echo -n ' mysql'



and I setup the mysql in login.conf and changed /etc/sysctl.conf



TRAP from? [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]

2007-11-06 Thread Paul Pruett

I wanted to let you know that any emails from
  [EMAIL PROTECTED]
  [EMAIL PROTECTED]
  [EMAIL PROTECTED]
ARE likely exploited computers, for several weeks we have
been avalanched by returns to those addresses significantly more
than any others...

In my situation, I believe I can not use spamd greytrapping because
legitimate email servers are sending DAEMON messages to us.

As I understand it, spamd greytrapping uses
the TO address, not the FROM

So unfortunately, others could not use these addresses for trapping 
either? If spamd could trap on the FROM address, I would

recommend to all to add the three above addresses to your traps...

?

-
Also I posted the addresses on webengr.com to prove legit admin to 
webengr.com:

http://www.webengr.com/spam/



Re: TRAP from? [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]

2007-11-06 Thread Paul Pruett

From: Peter N. M. Hansteen [EMAIL PROTECTED]
Oh, so they found your domain, then.  It may be a bit overwhelming
right now, but not to worry, spamd is your friend.
.the bounces to go away, give it a week before you put any given
address into the greytrap.



No this is not new and yes I have domains from all the way
back to NSF days, what was 
curious is that it is no longer dictionary
spamming, it is just backscatter from only 3 emails on the domain used 
over and over and its taking about 6-24KB on three each secondary MX 
servers to REJECT legit servers, after spamd w/ grey on.   Yea, I can live 
with it, but it is not a one week thing, its been several weeks and the

pattern was different.  Almost all the servers are legitimate
and yes they should not DAEMON reply to the fake FROM,
but they are... IN a real world I can not blacklist earthlink, att, aol,
yahoo rr.com and so on.  So as I understand spamd, I have to either 
for filtering by the FROM, I have to DISCARD or REJECT at the sendmail 
level, not firewall to spamd grey :(


I have other mail servers that are not an MX for webengr.com
and I can use sendmail rules and maybe relaydb or some after
the firewall method to capture the IP of the mail relay...,
but I'd rather have spamd capture the IP trapping with the FROM,
spamd is more efficient.

So this thread could be more a discussion on features of spamd and grey.

Do others think it would be feasible and a good feature if spamd could 
trap by the From in addition to trapping by the To ???

?



spamd-setup and CBL list chokes on 5million+ address files

2007-10-13 Thread Paul Pruett

FYI - limits on spamd-setup when importing blacklists


Playing around with 4.2,
and although spamd in grey mode no longer uses spamd table,
it still choked with a 'malloc' error when I used the CBL list
as a file in /etc/mail/spamd.conf

Since the CBL list is over 5 million lines, I used split
to break it into 1 million line files, getting six files...

Then in /etc/mail/spamd.conf I had it loaded as six different
blacklists  and after about 10 minutes it succeeded,
and /var/log/daemon shows a heck of a lot of blacklist attempts,
so it does have a lot of IPs that are hitting us... although
I suspect the CBL list has a lot of legitimate email servers
that were responding to a forged FROM that was a spam trap address



retrieval notes for CBL:
==
/usr/local/bin/rsync rsync://rsync.cbl.abuseat.org/cbl/list.txt \
   /tmp/cbl-list.txt.rsync
sed -e '/^[0-9]/!d' /tmp/cbl-list.txt.rsync > /tmp/cbl-list.txt
wc -l /tmp/cbl-list.txt
===
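The filter-then-split procedure above, as an added example that is not the poster's script and not part of OpenBSD: it keeps only address lines from a CBL-style export, cuts the result into fixed-size chunk files the way the post describes, and prints a spamd.conf(5) fragment that loads each chunk as its own method=file blacklist. The sample export (documentation-range addresses), the work directory, the chunk size and the list names are constructed for the example; the post used one-million-line chunks.

```shell
#!/bin/sh
# Added example, not the poster's script or part of OpenBSD: filter a
# CBL-style export down to address lines, split it into fixed-size chunks
# the way the post describes, and print a spamd.conf(5) fragment that
# loads each chunk as its own method=file blacklist.  The work directory,
# chunk size and list names are assumptions chosen for the example.

WORKDIR="${WORKDIR:-$(mktemp -d /tmp/cbl-split.XXXXXX)}"
CHUNK_LINES="${CHUNK_LINES:-3}"   # the post used 1000000; 3 keeps the demo readable

# write_sample_list: constructed stand-in for the rsync'd list.txt
# (documentation-range addresses, not real CBL data).
write_sample_list() {
    cat > "$WORKDIR/cbl-list.txt.rsync" <<'EOF'
# constructed CBL-style header line, must be dropped
192.0.2.10
198.51.100.7
; another non-address line
203.0.113.99
192.0.2.11
198.51.100.8
203.0.113.100
192.0.2.12
EOF
}

# split_list: keep only lines that start with a digit (the sed from the post),
# then cut the result into CHUNK_LINES-line files cbl-part-aa, cbl-part-ab, ...
split_list() {
    sed -e '/^[0-9]/!d' "$WORKDIR/cbl-list.txt.rsync" > "$WORKDIR/cbl-list.txt"
    rm -f "$WORKDIR"/cbl-part-*
    split -l "$CHUNK_LINES" "$WORKDIR/cbl-list.txt" "$WORKDIR/cbl-part-"
}

# address_count: number of address lines that survived the filter
address_count() {
    wc -l < "$WORKDIR/cbl-list.txt" | tr -d ' '
}

# part_count: number of chunk files produced by split
part_count() {
    ls "$WORKDIR"/cbl-part-* | wc -l | tr -d ' '
}

# part_name: spamd.conf list name for a chunk file, e.g. cbl-part-aa -> cblaa
part_name() {
    printf 'cbl%s\n' "${1##*cbl-part-}"
}

# emit_spamd_conf: print an "all" entry naming every chunk, then one
# blacklist stanza per chunk, each read from a local file (method=file).
emit_spamd_conf() {
    names=""
    for f in "$WORKDIR"/cbl-part-*; do
        n=$(part_name "$f")
        names="$names${names:+:}$n"
    done
    printf 'all:\\\n\t:%s:\n\n' "$names"
    for f in "$WORKDIR"/cbl-part-*; do
        n=$(part_name "$f")
        printf '%s:\\\n\t:black:\\\n\t:msg="Your address %%A is listed on the CBL":\\\n\t:method=file:\\\n\t:file=%s:\n\n' "$n" "$f"
    done
}

# stand-alone run
write_sample_list
split_list
echo "addresses: $(address_count), chunks: $(part_count)"
emit_spamd_conf
```

Run it once to see the generated stanzas, then point spamd-setup at the real chunk files by copying the fragment into /etc/mail/spamd.conf; spamd-setup reads each method=file list separately, which is what kept the post's six one-million-line files under the malloc limit that the single five-million-line file hit.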



Re: Google employment opportunity

2007-10-13 Thread Paul Pruett

OMG a Google employee was dumb enough to spam an entire mailing list
to get to one person. WOW, I thought they hired really smart people.

I was thinking it might be a troll too, but I checked the headers...


About a year ago I got an employment opp email,
and was flattered...

I did call the recruiter and we talked, 
but the possible jobs would require relocation,

no telecommute jobs...:(

So they are 'googling' for unix sysadmins and will even consider
bsd ;)

As afore mentioned, with their growth they can no longer
hire by word of mouth or referral, so yep, they are going
to become like any other larger corp or govt. job
 ..  cubicles and all

  sad really.



spamd for http?

2007-05-20 Thread Paul Pruett

spamd version for http?

Instead of just grepping the logs
and adding to the pf tables, and blocking,
love to redirect to a fake webserver and waste
their time also

Guess I could redirect their http(s) requests to spamd,
confuse the hell out of their http client.. :)

Getting tired of seeing the trolling in the weblogs
like below:
-

89.149.230.221 - - [20/May/2007:07:46:02 +] CONNECT 
mail.yahoo.com:443 HTTP/1.1 403 210 - Mozilla/4.0 (compatible; MSIE 
6.0; Windows NT 5.0)


66.45.253.130 - - [20/May/2007:08:18:39 +] \x04\x01 403 - - -

222.122.12.234 - - [20/May/2007:03:25:16 +] CONNECT 207.97.245.101:25 
HTTP/1.0 403 198 - -




Re: anyone using zoneminder.com on OpenBSD?

2007-04-24 Thread Paul Pruett

Is anyone using ZoneMinder, www.zoneminder.com
on OpenBSD?



fyi, It appears the answer is no, so here lies a trail
blazing opportunity :(

I received a few emails offline from others with interest,
and an associate is going to lend some cameras to test with,
so I may pursue this for awhile and join the zoneminder
forums.

I found some activity for zoneminder freebsd:
http://www.zoneminder.com/forums/viewtopic.php?t=7862
and the beginnings of an unofficial freebsd port:
http://catsspat.dyndns.org:2080/zoneminder/
http://catsspat.dyndns.org:2080/zoneminder/zoneminder-freebsd-port-1.22.3p4.tgz


an interesting note in the unofficial freebsd port was


 files/patch-SharedMem.pm

What this patch does is to hard-wire native size to 4 (32-bits).
On FreeBSD, Perl is configured with -Duse64bitint by default and the
method that is used by SharedMem.pm to determine architectural bit
width incorrectly considers an i386 machine as 64-bit capable.  I'm
not a perl expert -- in fact, I hate perl -- and I really have no
idea how to properly determine pointer size in Perl, so this patch
exists.  Obviously, if you are running FreeBSD-AMD64 (or Alpha or
something, although I have no idea if this software would work on
that architecture), you will want to get rid of this patch file.
Just delete it _before_ you make.




Re: anyone using zoneminder.com on OpenBSD?

2007-04-23 Thread Paul Pruett

Is anyone using ZoneMinder, www.zoneminder.com
on OpenBSD?



the zoneminder shop links to some compatible video capture cards like
a 16 port video capture card for $169 using the
Connexant BT878a chipset 
http://store.bluecherry.net/16_port_video_capture_card_linux_bt878_p/pv-155.htm


The man page on the bktr driver suggests that it may
support this chipset but I did not see bluecherry,
but I think they resale the card from Provideo in Taiwan:
http://www.provideo.com.tw/DVRCard_149P.htm

Appears to be a low price for a 16 port capture card,
has anyone tried the ProVideo series with OpenBSD?



Re: adding video cameras for cms on openbsd.

2007-04-03 Thread Paul Pruett

followup to my inquiry:

An approach to security surveillance
is to use projects already maturing for recording
television shows, DVR, digital video recorders,
and implement a web interface.

This port looks interesting:

FFmpeg
is a collection of free software that can record, convert
and stream digital audio and video.
http://ffmpeg.mplayerhq.hu/

And for a cms website to use it,
 a module for drupal that may be workable:
The Media Mover module is a module which allows admins
to setup a media move process which gathers files,
processes them and stores them. Media Mover does
little on its own- it calls a set of modules which
implement the media_mover hook and plugs them
together in to media mover scripts.
http://drupal.org/project/media_mover

Trying the above will have to wait for some other
pending jobs, but if it is very promising on
an OpenBSD platform, I'll report.

Further digression for the misc openbsd list may
be off subject.  I will research this more with
FFmpeg and Drupal lists/forums.


p.s.
thanks for the reply Joachim, it helped to
see some of the posting by Feustel.



adding video cameras for cms on openbsd.

2007-03-31 Thread Paul Pruett

Any suggestions for opensource video surveillance applications
on OpenBSD?


I setup an openbsd server to support a condominium association,
and it has been successful using cyrus-imap and drupal.
Now I was asked if we could add video cameras and security
using the openbsd server.  The short answer is yes, the correct
answer is maybe :) and what approach depends on coverage
and budget

I realize a practical discussion is way beyond the scope of
this list with questions like, do the cameras do the video
capture or have the CTV signal come back to server to capture,
and how much done by hardware how much done by software,
motion detection could switch from time lapse to full or
from quadrant view to active camera?...,
and so on,

that said...
  Is anyone using some opensource project or the like
on openbsd to coordinate the storage of video and retrieval
through a web interface and if so how mature or suggestions?
(and maybe embed in drupal or other cms if can)

As afore I will do a summary report back to the list
for others if I find enough snippets to suggest approaching
building surveillance using openbsd and maybe apache/mysql/php
or the like.  Else a proprietary hardware solution may
be considered, since I said emphatically no MSd0ze solution
for something supporting 6 - 30 cameras with access to
retrieve and view stored video upto several weeks or more.

TIA.



Re: use OpenBSD to blacklist phone calls?

2007-03-23 Thread Paul Pruett
SUCCESS
the package mgetty+sendfax can be used to intercept
phone calls by callerID using fax answer
after modification to port mgetty+sendfax


--- notes ---

I had ordered a generic modem for asterisk usage,
but was warned that it may need Zaptel support
by a subscriber, so that was a wasted $6 + $9 shipping,
so I went back to the scrounge pile and
found in an old external USR modem that
supported callerID, AT#CID=1

After a modem relearning curve I got mgetty+sendfax running
Some tips:

# grep cua /etc/ttys
cua00   "/usr/local/sbin/mgetty"   vt100   on  insecure

#to pickup changes to /etc/ttys
kill -1 1

#And you make config changes and want to make
#sure mgetty picks them up you can kill the mgetty PID
#and /sbin/init will restart it.


HOWever... mgetty from the port package
would ignore the configuration file
/etc/mgetty+sendfax/dialin.config

I discovered the port package needs to also uncomment
a line in the default policy.h file the line to
use dialin.config.  If you look at the used policy.h
files you will see
/* #define CNDFILE dialin.config */

I found the existing patch that already touches the file,
/usr/ports/comms/mgetty+sendfax/patches/patch-policy_h_dist

And I edited out the comment on that line
and remade the patch, diff -u and saved result
over patch-polich_h_dist  (also attached to this email)

Then I removed the package, and port working directory
and make package.  IT WORKS now.

I'll send an email to port maintainer about it.
If someone see how this becomes a security issue
to enable, please inform.

...

So in conclusion
I implemented this on OPENBSD 4.0, and
if you want to use the callerID feature mgetty+sendfax...
http://home.leo.org/~doering/mgetty/mgetty_15.html#SEC15
You will have to recompile after modifying policy.h

I added none for UNKNOWN callerids
and some recent pesty callerIDs
and the  !all at end of the dialin.config file
and its so sweet to have the fax answer the telemarketers.

It looks like mgetty.config has hooks and could use
external resources to phonenumbers to block,
so some of the jokes about using something like
spamd-setup may be feasible :)
but for now I can edit
/etc/mgetty+sendfax/dialin.config
and mgetty reads the text file changes w/o hangup
signal or restarting the process.


Enjoy.

ps., be sure to verify your modem has support for callerID,
http://ftp.mtnsys.com/pages/howto/htmdmtst.htm
--- policy.h-dist.orig  Wed Feb 22 13:56:31 2006

+++ policy.h-dist   Fri Mar 23 15:10:41 2007

@@ -48,7 +48,7 @@

  * Normally, this is /bin/login, just a few systems put login

  * elsewhere (e.g. Free/NetBSD in /usr/bin/login).

  */

-#define DEFAULT_LOGIN_PROGRAM /bin/login

+#define DEFAULT_LOGIN_PROGRAM /usr/bin/login

 

 /* FidoNet mailer support

  * 
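Review bot: the string literal quotes on the DEFAULT_LOGIN_PROGRAM define appear stripped in this pasted copy (`-#define DEFAULT_LOGIN_PROGRAM /bin/login` / `+#define DEFAULT_LOGIN_PROGRAM /usr/bin/login`); the patch file itself must keep `"/usr/bin/login"` quoted or policy.h will not compile. The new path is consistent with the comment two lines up, which already names /usr/bin/login for Free/NetBSD.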

@@ -85,7 +85,7 @@

  * ZyXELs use S40.2=1.

  * If the path doesn't start with /, it's relative to CONFDIR.

  */

-/* #define CNDFILE dialin.config */

+#define CNDFILE dialin.config

 

 

 /* If you want to use /etc/gettydefs to set tty flags, define this
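Review bot: uncommenting CNDFILE makes mgetty consult dialin.config on every incoming call, so that file now decides which callers are answered. The context line says a path without a leading / is resolved relative to CONFDIR, so confirm CONFDIR is /etc/mgetty+sendfax (the file the post edits) and keep dialin.config root-owned and not group- or world-writable, since anyone who can edit it can allow or block callers. As in the first hunk, the `+#define CNDFILE dialin.config` line needs its double quotes in the real patch.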

@@ -114,7 +114,7 @@

 /* group id that the device is chown()ed to. If not defined, the

  * primary group of DEVICE_OWNER is used.

  */

-#define DEVICE_GROUP   modem

+#define DEVICE_GROUP   dialer

 

 /* access mode for the line while getty has it - it should be accessible

  * by uucp / uucp, but not by others (imagine someone dialing into your
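Review bot: DEVICE_GROUP moves from modem to dialer; OpenBSD ships a dialer group in its default /etc/group, so the name resolves, but the comment above says the device is chown()ed to this group while getty holds it, so every account in dialer can open the modem line. Check the membership of dialer before deploying, and keep the define quoted (`"dialer"`) as the quotes are missing in this paste.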

@@ -249,7 +249,7 @@

 # ifdef linux

 #  define LOCK /var/lock/LCK..%s

 # endif

-# if defined(__FreeBSD__) || defined(__NetBSD__)

+# if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__)

 #  define LOCK /var/spool/lock/LCK..%s

 # endif 

 #endif
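Review bot: adding `defined(__OpenBSD__)` to the FreeBSD/NetBSD branch points lock files at /var/spool/lock/LCK..%s. The lock only protects the line if the user mgetty runs as can create files in that directory, so verify /var/spool/lock exists and its owner/group (the post uses group dialer) allow that; otherwise mgetty cannot lock the device against other dialout users. The LOCK string is also missing its quotes in this paste.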

@@ -564,7 +564,7 @@

 #endif

 

 #ifndef MAILER

-# define MAILER/usr/lib/sendmail

+# define MAILER/usr/sbin/sendmail

 # define NEED_MAIL_HEADERS

 #endif
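Review bot: MAILER changes to /usr/sbin/sendmail, which is where OpenBSD installs it; the pasted lines read `# define MAILER/usr/sbin/sendmail` with the separating space and the quotes lost, so check the actual patch reads `# define MAILER "/usr/sbin/sendmail"`. Nothing else in the hunk changes, and NEED_MAIL_HEADERS stays defined.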
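A dry-run check for the dialin.config list the post describes, as an added example that is not part of mgetty or of the post: it evaluates a caller ID against a dialin.config-style file the way the post relies on (entries with a leading `!` are rejected, `none` matches a call with no caller ID, `all` matches every call, and the file ends with `!all` so unlisted callers are rejected) so the list can be checked before a live modem uses it. The rules are a simplification assumed for the example (exact number match, `#` comments, first matching line wins, a call matching nothing is accepted); the config file and its 555 numbers are constructed.

```shell
#!/bin/sh
# Added example, not part of mgetty or the post: a dry-run evaluator for a
# dialin.config-style caller-ID list, so a list can be checked before a
# live modem uses it.  Assumed rules (a simplification of mgetty's file):
# one entry per line, '#' starts a comment, a leading '!' means reject,
# 'none' matches a call that carried no caller ID, 'all' matches every
# call, entries are compared exactly, and the first matching line wins.
# A call that matches nothing is accepted, which is why the post ends the
# file with '!all'.

CND_FILE="${CND_FILE:-$(mktemp /tmp/dialin.config.XXXXXX)}"

# write_sample_config: constructed list using reserved 555 numbers
write_sample_config() {
    cat > "$CND_FILE" <<'EOF'
# constructed dialin.config for the example
!none            # calls that hide their number get the fax tone
!2015550123      # a known nuisance caller
2015550100       # a neighbour we always answer
!all             # everything else is rejected
EOF
}

# dialin_decision CALLERID: print "accept" or "reject" for one call.
# Pass "none" (or an empty string) for a call with no caller ID.
dialin_decision() {
    cid="${1:-none}"
    while IFS= read -r line; do
        entry="${line%%#*}"                            # strip comment
        entry=$(printf '%s' "$entry" | tr -d ' \t')   # strip blanks
        [ -z "$entry" ] && continue
        case "$entry" in
            !*) verdict=reject; pattern="${entry#!}" ;;
            *)  verdict=accept; pattern="$entry" ;;
        esac
        if [ "$pattern" = all ] || [ "$pattern" = "$cid" ]; then
            echo "$verdict"
            return 0
        fi
    done < "$CND_FILE"
    echo accept          # no entry matched
}

# stand-alone run
write_sample_config
for c in 2015550100 2015550123 none 2125550199; do
    echo "$c -> $(dialin_decision "$c")"
done
```

Point CND_FILE at the real /etc/mgetty+sendfax/dialin.config to test an entry before a nuisance caller rings again; the order of lines matters, so an allow entry placed after `!all` would never be reached.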




Re: use OpenBSD to blacklist phone calls?

2007-03-21 Thread Paul Pruett

mgetty might have something useful - see
http://home.leo.org/~doering/mgetty/mgetty_15.html



thanks.

Hmm, maybe it can be as simple as setting up
fax support for just the black list.

From what I read on your link, it suggests the configuration

can be set to only accept for specified numbers.

That way the listed phone numbers for telemarketers
could get a fax response which can be really
annoying.  The next step may be to send any
fax responses to /dev/null

I just ordered a Wildcard X100P card for $5.95
through googlebase and started the build for
/usr/ports/comms/mgetty+sendfax

Maybe late next week I can try this
approach and report back.



use OpenBSD to blacklist phone calls?

2007-03-20 Thread Paul Pruett

OpenBSD spamd works great for blacklisting IPs,
and maybe it could be use for our blacklisting
telephone calls using callerID?

Even though we are on the 'do not call' registry
we still get 4-10 calls a day at home, and
at work its just phone spam spam spam

Thinking about adding a modem that recognizes callerID
to my home openbsd firewall/server to have it also
monitor the phones and intercept telemarketing
calls between ring 1 and 2 and if a match then
give a false fax signal,
message or just hangup signal.

Has anyone else setup an openbsd server to hangup
phone calls by callerid?

I looked through /usr/ports/comms
and /usr/ports/telephony I think this could be
done with the port package asterisk, but it does 
look complex and I wondered if another package

was more appropriate than a VOIP package?

I did google some notes for [EMAIL PROTECTED]
but I did not read that it is
the same as the port ASTERISK.

-TIA.



Re: Wireless PCI card recommendation needed

2007-03-09 Thread Paul Pruett
If you can't find a card with the transmit power you want, you may be able to 
get the range you're looking for from antenna gain and type.




Here is some info if you go the antenna route to improve gain.

Note a directional antenna is the best, but then you have
to be pointing in the direction...  Omnidirectional
antennas have less gain because the signal is 360,
not focused.


For customers needing an off the shelf solution
I have ordered 14db and 16db antennas from these two companies
and with the proper reverse polarity connector to connect
to d-link cards and linksys routers:

 hyperlinktech in boca raton florida:
  http://www.hyperlinktech.com/web/antennas_2400_out_directional.php
 Pacific Wireless in Utah:
  http://www.pacwireless.com/products/vagi_series.shtml


For less than $50 you may be able to get an antenna and get by
with a watt for quite a distance, but you may also need
to buy a 'pigtail' (cable with different connectors)
to connect.

For directional I've had a good gain with the 16db
'VAGI' antenna from Pacific Wireless,
and a side benefit is that the
average person thinks its a radio antenna and does
not realize it is a wifi antenna.
BTW, it's supposed to have a polarity that changes
by rotating 90 degrees, but I could tell no
significant difference in signal strength ...

In one situation I still had good gain after
buying a 50 foot low noise cable with a reverse
polarity sma connector to hook to a d-link
ap900+ and a type N connector to the soupcan
the customer already had.  But if you get
a long cable you may want to go
for the low noise like a LMR 200,
or thicker LMR400 ...  The
down side of the thick cables is that it takes
more cable to make a corner (gain drop)
and the tension could snap a small connector.

In the past I ordered some 'pigtails'
from http://www.hdcom.com/pigtails.html
or http://www.rfmicrowavecable.com/


good luck !



yelp...bit screwed, cyrus-imap not starting after switch to 64bit

2007-03-05 Thread Paul Pruett

Okay,  sorry to pester list,
but I jumped and fell short on an active mail machine, about 6 hours ago.
I knew doing this on a cyrus-imapd server was insane
I upgraded from i386 openbsd 4.0  to amd64 openbsd 4.0

So if someone experienced with cyrus-imapd on amd64
can send me some suggestions, can be off list,
I would appreciate because I'm getting stumped
and tired and have users waiting.

I have a real fear the dbd and cyrus database stuff may have squirreled
going from i386 to amd64 - please tell me I am wrong...

I promise to do a write up of the fubar for others
who may need to google
in the future...



I had deleted all the ports prior, and added same ones
back as amd64 after.

THE database for openldap was toast, since I knew
how to get that up faster, I used my
backup ldif to reload it... I have a fear that
the berkeley dbd is different for amd64 than i386.
with that experience..
so...
I got sendmail to work with saslauthd and openldap
to authenticate, and  other parts...
So now the authentication with ldap should be working,
I can test it with 
testsaslauthd


but cyrus-imapd is not working yet.
And the log is not even getting to authentication,
so that is not the issue I think...


from /var/log/imapd.log

Mar  5 08:22:48 mail master[13640]: process started
Mar  5 08:22:48 mail master[1831]: about to exec 
/usr/local/libexec/cyrus-imapd/ctl_cyrusdb
Mar  5 08:22:48 mail master[13640]: process 1831 exited, signaled to death 
by 11

Mar  5 08:22:48 mail master[13640]: ready for work
Mar  5 08:22:48 mail master[6753]: about to exec 
/usr/local/libexec/cyrus-imapd/ctl_cyrusdb
Mar  5 08:23:21 mail master[19218]: about to exec 
/usr/local/libexec/cyrus-imapd/pop3d
Mar  5 08:24:13 mail master[15189]: about to exec 
/usr/local/libexec/cyrus-imapd/imapd




I see the bad message signaled to death by 11

And if I telnet to pop3 or imapd they just don't refuse,
just never finish answering,

Connected to localhost.
Escape character is '^]'


and it just will timeout...


Perhaps I need to repair mailboxes?
geez I am getting fuzzy here... may need to take
a break even though the server is down.



Crazy   I am going through all the configuration
files I can think of, I have an rsync of the i386
setup so I can look at files from yesterday and did remember to put 
back the /usr/local/lib/sasl2/Cyrus.conf


I fear I am seeing trees, not the forest..

tia.



Re: yelp...bit screwed, cyrus-imap not starting after switch to 64bit

2007-03-05 Thread Paul Pruett

If you actually ran the upgrade from the install
media to do this I have no idea what sort of cruft you've
left messed up. Most of us on the list are probably
shaking our heads

My advice? get another box, start from scratch
on i386 and see what you can salvage. My suspicion is
it's pretty messed. Hope you've got some sort of
backup on tape or elsewhere.

-Bob



YEP fools go where

I had booted cdrom and used UPGRADE, and then
redid ports and ran mergemaster afterwards

Actually other than the cyrus-imapd and openldap it seems
to be running. php5/mysql was okay, so far

Best I can tell everywhere I had a Berkeley db in use,
I may be having problems., but I likely would have
had problems on migrating the data to a new install,
just less pressure and more time to figure.

Yes thank god I have backups and an rsync of the important
partitions.

Fortunately my backup script included a command to
create a plain text file for cyrus mboxlist and
I am able something like young frankenstein...
don't try this kiddies

something like
mv /var/imap /var/imap-fubar
mkdir /var/imap
sudo -u _cyrus /usr/local/share/examples/cyrus-imapd/tools/mkimap
sudo -u _cyrus /usr/local/libexec/cyrus-imapd/ctl_mboxlist -u < \
   path-to-plaintextbackup-ofmbox/mboxlist.txt
sudo -u _cyrus /usr/local/libexec/cyrus-imapd/reconstruct 
:(



I am close,  for squirrelmail we have to resubscribe to imap
folders... and its working!

its sort of working, pop3 is retrieving and so is imap...

NOW  LMAO its not working!!!
the sendmail can't deliver to to the cyrus,
my oh my  mailq is showing a lot waiting

CLOSE!  maybe something silly


I think that even with a fresh install,
I would have had a bitch with the imap migration,
but more time to figure it out

I'll document for other fools...



note - upgrading from i386 to amd64 sameversion.

2007-03-05 Thread Paul Pruett

Re: yelp...bit screwed, cyrus-imap not starting after switch to 64bit

i am surprised that you didn't reinstall. seems easy enough provided you 
backup your mail directories, or, better yet, you move them to a different 
machine and then mount them via NFS until you're ready to migrate them back 
to the local machine, assuming that's where you want them.

best of luck,
jake


thanks for pointers Steve and other
I think I made it.  WHOOT!,  sleep tonite!

As promised, a RECAP for other fools
googling about upgrading
existing computers from i386 to amd64

For OpenBSD 4.0 stable
the OpenBSD upgrade from cdrom from
i386 to amd64 was a success.

The script knew to take care of the bootblock,
and everything came up.

Using the port mergemaster I did not see anything
critical in /etc that was different from amd64 and i386.
A few files needed updating, but I think
that may be just that those etc files like disktab may
have changed between BASE and STABLE.

Of course all the i386 ports needed to be changed
to amd64 ports, and to be safer I deleted ports
before upgrade, then installed using a saved pkg_info
list I made before deleting.

The SNAFU was the data for some port packages,
but that would likely be a problem migrating
to a new install if you just copied the files
over.

The mysql server did not give issues, nor PHP5.

I did not need a port like mod_frontpage that
only emulates on 32bit, so that was good.
Gotta check to make sure your ports
are available on amd64 also.

Ughs...

The openldap server would not run with the same
database after changing.  Fortunately my
backup script does an ldif, so I had to reinstall and
use ldapadd to import from the plain text backup
file. (note I had to delete misc commands in the
ldif before it would import...)


The cyrus-imap server would not run with the
same database.   The logs hinted that
the issue was when cyrus tried to
recover the data, ctl_cyrusdb -r
Having never had a serious cyrus-imapd
failure, I panicked, and recreated
doing the following inelegantly...
# kill cyrus master if working
mv /var/imap /var/imap-fubar
mkdir /var/imap
sudo -u _cyrus /usr/local/share/examples/cyrus-imapd/tools/mkimap
sudo -u _cyrus /usr/local/libexec/cyrus-imapd/ctl_mboxlist -u < mboxlist.txt
sudo -u _cyrus /usr/local/libexec/cyrus-imapd/reconstruct
# pray and restart cyrus master

I am sure there may be a better way to
reconstruct or avoid reconstructing but the above
worked for me, EXCEPT the imap folders
for squirrelmail had to be resubscribed.


-epilogue-


I suspect that anywhere a Berkeley DB datafile was created
under i386 it may have problems being used under amd64
unless exported on i386 and imported on amd64?

And I am extremely grateful to past admins in postings that
advised adding these things to backups:

/usr/local/sbin/slapcat -f /etc/openldap/slapd.conf \
 | /usr/bin/gzip > /var/openldap-data/backup.ldif.gz

su - _cyrus -c "/usr/local/libexec/cyrus-imapd/ctl_mboxlist -d" \
 > /var/imap/mboxlist.txt


And I close by sincerely hoping that the hangup/freezing
some see with 4.0 i386 on K8 Athlons is gone for good,
because using a current i386 on an older stable,
was not stable :)


rock on.



Re: same version upgrade i386 to amd64 gotchas?

2007-03-03 Thread Paul Pruett

The fix was just to remove PAE support from the i386 kernel (until the
bug is found).  So, try copying the latest snapshot kernel to /bsd and
reboot.  Just grab it from the snapshots/i386 directory on the ftp server.


I copied a current i386 kernel from this week , and
it rebooted okay on the athlon64 platform.
Now I wait a week and see if it freezes/hangs


Umm, it froze/hung up again at 5:08 am, about
23 hours after rebooting with the current 4.1 kernel
on the i386 4.0 userland

I was remote so I did not see the monitor for any
panics, but reset using the apc power switch.

I looked through the logs and the only thing
I saw queer was that it created a file
/var/log/mail  with zero content just as it hung up.

Weird, I used the kernel from current on stable i386 userland
on a K8 cpu, which is something that I would normally not do,
but since it was a simple test, we tried.
Staying with i386 on an athlon64 K8 cpu
has caused hangups/freezes about every day or two

of note here is the log snips indicating when
logging stopped

--- from daemon
Mar  3 05:05:38 mail dhcpd: DHCPDISCOVER from 00:18:39:f0:c8:be via rl0
Mar  3 05:05:38 mail dhcpd: DHCPOFFER on 172.16.254.224 to 
00:18:39:f0:c8:be via rl0

Mar  3 08:08:56 mail named[14969]: starting BIND 9.3.2-P1
Mar  3 08:08:56 mail named[14969]: loading configuration from 
'/etc/named.conf'



And here is a weird file that showed up in the
/var/log/   at the apparent time of the hang:

-rw-r--r--  1 root  wheel  0 Mar  3 05:06 mail



Yes it may be with enough effort we could find the culprit,
and it may be an port or something else, but with less
effort I could roll back to stable or upgrade to current
amd64 instead of trying to make i386 not hang.
... My personal experience is that going forward
I would strongly recommend to readers to use OpenBSD amd64
(not i386) on the AMD K8 platforms (athlon64).



Re: same version upgrade i386 to amd64 gotchas?

2007-03-02 Thread Paul Pruett

The fix was just to remove PAE support from the i386 kernel (until the
bug is found).  So, try copying the latest snapshot kernel to /bsd and
reboot.  Just grab it from the snapshots/i386 directory on the ftp server.


Agreed, I did not see an easy one line change to kernel compile
to remove PAE for openbsd 4.0 stable. So I did as suggested.

I copied a current i386 kernel from this week , and
it rebooted okay on the athlon64 platform.
To test I did a make for /usr/ports/sysutils/cdrtools
and it did not complain, so that's a small warm fuzzy.
Now I wait a week and see if it freezes/hangs


If the 4.1 kernel solves your problem (it probably will) then you
should wait for a 4.1 cd and do a proper upgrade when you have
the time and have gone over the documentation.  Better yet,
after you've decided how you want to handle the upgrade,
try doing it on another machine first, unless this 
one is experimental.


I've been testing the i386 snapshots on 32bit athlons, and
some of the port packages I desire are not making yet,
but it's a lot closer.

Agreed, I unboxed my emergency spare power supply to put
together an experiment computer with AMD K8 cpu to test with,

and DOH, it had a 20pin not 24pin as marked.
... :(  so yep, more power supplies are on order,
and next time I'll open and verify the spares before shelving.


Thanks for the clarifications,
now I know to google pae openbsd
I see the notes in

http://www.openbsd.org/plus40.html
Implemented separate pmap for PAE i386 machines, allows for support for 
machines with more than 4G RAM. Not enabled by default.



http://www.openbsd.org/plus.html
Revert PAE pmap for now, stops freezes commonly seen on amd64 machines 
running in i386 mode.




same version upgrade i386 to amd64 gotchas?

2007-02-27 Thread Paul Pruett
After consideration and due to weird
problems afore discussed, I will likely be
upgrading an openbsd 4.0 i386 server to
an openbsd 4.0 amd64.

Yes in retrospect I should have used the
amd64 build not the i386 build on an athlon64
cpu...  But I now have a 'production '
cyrus-imapd/sendmail server that even after
make builds, changing motherboard, cpu,  memory still has a
random lockup w/ no kernel fault displayed
about once a week, ... and for that and
I would prefer to have amd64 go forward,
it is time to bite the bullet.

I have upgraded version on i386 and on amd64,
but never same version, different architecture.

I would think that the 'etc' files would be
the same, but with cvs updated src, I do
plan on running mergemaster
again after the upgrade by cdrom.

A gotcha I'd expect would be the ports.
I also plan prior to upgrade to uninstall all
the port packages, then reinstall using
amd64 packages after.

other?


ps. I attached the dmesg for the headache
server, note it is running a sempron right now,
and the sempron like the athlon still hangs
randomly.

Re: same version upgrade i386 to amd64 gotchas?

2007-02-27 Thread Paul Pruett

I have received several assurances that
-current may have resolved some weirds
for i386 on amd64 processors...

With hesitation I could try jumping to current
instead of stable amd64.

I have used -current on production before,
but only after verifying the ports could
make w/o fubars

Either amd64 stable or i386 current
I still should remake the ports to match,
especially openldap and cyrus-imapd and
verify.  :(



cyrus squatter hanging computer?

2007-02-22 Thread Paul Pruett

Has anyone else had a problem with cyrus-imap squatter
causing the entire computer to hang?

cyrus-imapd-2.2.13p0
OpenBSD 4.0



I had /etc/cyrus.conf to do squatter at 06:00
and maybe after about five to seven days the computer
would hang, either with the display frozen or no display,
requiring a power reset to fix.

This time I caught a process in a top display
that may have been the reason, squatter.

notes:


HERE is the top that was on my ssh session when
connection was lost:
=

load averages 1.54, 1.57, 1.66
52 processes:  1 running, 50 idle, 1 on processor
CPU States: 39.6% user 0.0% nice 15.3% system, 0.3% interrupt, 44.9% idle
Memory: Real: 236M/322M act/tot Free 112M Swap: 6440K/3072M used/tot

  PID USERNAME PRI NICE  SIZE   RES STATE    WAIT      TIME    CPU COMMAND
  831 _cyrus    60    0 9052K 8200K run      -         0:26 31.69% squatter
30372 named      2    0   14M   14M sleep    select    6:23  0.34% named
32246 _clamav    2    0   26M   27M sleep    poll     18:43  0.00% clamd
 1865 _mysql     2    0  301M   53M sleep    poll      3:20  0.00% mysqld
 7718 _spamd     2    0   11M 6548K idle     select    3:01  0.00% spamd




Here is the imapd.log just before squatter hangs entire
computer, I changed username and domainname to protect users in example:


Feb 22 06:00:00 mail master[831]: about to exec /usr/local/libexec/cyrus-imapd/squatter

Feb 22 06:00:00 mail squatter[831]: indexing mailboxes
Feb 22 06:00:00 mail squatter[831]: skipping mailbox [EMAIL PROTECTED]
Feb 22 06:00:00 mail squatter[831]: skipping mailbox [EMAIL PROTECTED]
Feb 22 06:00:00 mail squatter[831]: skipping mailbox [EMAIL PROTECTED]
Feb 22 06:00:00 mail squatter[831]: skipping mailbox [EMAIL PROTECTED]
Feb 22 06:00:00 mail squatter[831]: skipping mailbox [EMAIL PROTECTED]
Feb 22 06:00:00 mail squatter[831]: skipping mailbox [EMAIL PROTECTED]
Feb 22 06:00:00 mail squatter[831]: skipping mailbox user.x1.Sent [EMAIL PROTECTED]
Feb 22 06:00:00 mail squatter[831]: skipping mailbox [EMAIL PROTECTED]
Feb 22 06:00:00 mail squatter[831]: skipping mailbox [EMAIL PROTECTED]
Feb 22 06:00:00 mail squatter[831]: indexing mailbox [EMAIL PROTECTED]
Feb 22 06:00:04 mail squatter[831]: skipping mailbox [EMAIL PROTECTED]
Feb 22 06:00:04 mail squatter[831]: skipping mailbox [EMAIL PROTECTED]
Feb 22 06:00:04 mail squatter[831]: skipping mailbox [EMAIL PROTECTED]
Feb 22 06:00:04 mail squatter[831]: skipping mailbox [EMAIL PROTECTED]
Feb 22 06:00:04 mail squatter[831]: skipping mailbox [EMAIL PROTECTED]
Feb 22 06:00:04 mail squatter[831]: skipping mailbox [EMAIL PROTECTED]
Feb 22 06:00:04 mail squatter[831]: skipping mailbox [EMAIL PROTECTED]
Feb 22 06:00:04 mail squatter[831]: indexing mailbox [EMAIL PROTECTED]
Feb 22 06:00:06 mail squatter[831]: skipping mailbox [EMAIL PROTECTED]
Feb 22 06:00:06 mail squatter[831]: skipping mailbox [EMAIL PROTECTED]
...


# pkg_info | grep cyrus
cyrus-imapd-2.2.13p0 Cyrus IMAP server
cyrus-imapd-perl-2.2.13 perl utils for the Cyrus IMAP server
cyrus-sasl-2.1.21p2-ldap RFC  SASL (Simple Authentication and Security Layer)



# grep squatter /etc/cyrus.conf
  squatter cmd="squatter -s" at=0600



Re: pf rules

2007-02-12 Thread Paul Pruett
block in quick on $ext_if proto tcp from {!$me, !$mynet} to $ext_if port 80



read also
http://www.openbsd.org/faq/pf/tables.html

another way to deal with negation in your pf.conf
is to use tables... maybe try a table with safeip combinations
like, but do test and read and try variations, this may be wrong also :)


table <safeip> { 192.168.1.0/24, !192.168.1.200 }
...
...
...
block in log quick on $ext_if proto { tcp, udp } from ! <safeip> to any port 80




Re: OT: Domain Name Freedom

2007-02-03 Thread Paul Pruett

Please pardon the off topic post but last month some people on this list
were wondering about Friendly Registrars after what happened to
Fyodor (of nmap fame) with his seclists.org domain being shut down by
godaddy.



godaddy and registerfly have really cheap value reseller possibilities,
and now you know why... I'd not trust them with anything that
cannot be replaced, for instance I might buy a one year ssl cert, but
worst case that can be replaced, unlike a domain name in dispute

Opensrs/Tucows has been around a long time, but their wholesale
cost, $10.25, is more than retail by registerfly/godaddy and all those
others with questionable terms..

They have been very reputable in how they register and expire domains.
(maybe because they are in canada...)

But it appears to be worth spending the extra two bucks per year per
domain even though with hundreds of domains it can add up, but
several screwed customers can cost lots more.

I know someone who used register.com which was not cheap, got
their name sold to someone else before the expire date, and
the domain speculator quoted a price just less than legal action
to buy it back. so for even the more expensive registrars some
of the terms seem to be used to scam!

Has anyone heard of excessive evil from opensrs?
if not, and if you have a biz and maintain say,
fifty or more domains, it may
be worth doing all the forms and the $100 deposit to use them
wholesale...  else I am sure like me, there are many consultants
who use openbsd who are also value added resellers for opensrs.



Re: spamd - SPEWS status

2007-02-02 Thread Paul Pruett
It seems like their soft started analyzing  the return codes, and so they are 
resending their mail after a short while. So I think blacklisting is still in 
rule.

--


Since greylisting has become more defacto, I have seen more
successful 411 like spam squeezing through legitimate email
servers with free web emails and especially the old excite network,

 and then the scoring is low on spamassassin on our side
 even with SARES, because they craft the words better  :(

So you still need to block by content, but that's getting harder also.

Since we need to block by content scanning, the chances of errors
are higher, thus the need to craft the 5.5.0 error message with
something like, call or fill out form on this website to get whitelisted...


A while back I had posted a question about grey listing, and if it
got answered I missed it

Basically for spamd we can edit the /etc/spamd.conf so that black
listings get a specific message when rejected, good...

But what about greytrapping?
When an email gets rejected due to greytrapping, what error message
can be returned?  how do you put that in /etc/spamd.conf

Somehow occasionally a legit server sends an email to a poison
address, maybe a spammer can use known poison emails and fake them
as from, then they spam legit servers, they in return send email
to the poison address and get greytrapped?   ARGH



atactl smartstatus to email other than cron user

2007-01-23 Thread Paul Pruett

Using cron and atactl to email smartstatus errors
to an email address other than cron user:
-


I was playing with the suggestion in the man
page for atactl and smart status. After using rc.local
to make sure smart is enabled, something like
 echo -n 'wd0: '
 /sbin/atactl wd0 smartenable
 /sbin/atactl wd0 smartstatus

Now to put something in crontab to hourly check for errors,
per suggestion of man page for atactl I could use:
0 * * * * /sbin/atactl /dev/wd0c smartstatus > /dev/null

And the error will email to root, or if the variable
[EMAIL PROTECTED] is set,
then all error messages from cron will go there :(

I can see where I might want some tasks to email
standard error messages to other than the cron user or MAILTO,
like sending an email to a pager or other alert email box.
Thus the question, how to edit cron task to send normal output to null
but email error messages...  Handling outputs if I remember
and a quick google found a page that seems to confirm,
http://ibmdocs.ncep.noaa.gov/userman/cron.html
suggests 1 should be standard and 2 should be errors
so we should be able to do something like

0 * * * * /sbin/atactl /dev/wd0c smartstatus 2>&1 >/dev/null | mail -s "wd0 ERRORS on serverXYZ" [EMAIL PROTECTED]



Other than using up your pager allotment, does anyone see
a problem doing it this way, please correct.


If a server is not raid, and using cheaper ide/sata drives,
this might be a useful way to be urgently notified of
a hard drive that may fail.

- cheers
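The stderr-only alerting from the crontab line above, wrapped in a small script so that a quiet run sends nothing and a noisy or failing run mails its stderr together with the exit status. This is an added example, not the poster's crontab; it assumes POSIX sh with mktemp(1) and a mail(1)-style command behind report(), and the two check functions are constructed stand-ins for atactl, not its real output.

```shell
#!/bin/sh
# Wrapper for cron checks such as "atactl wd0 smartstatus": stdout is thrown
# away, stderr is mailed, and a quiet run sends nothing at all.
# Added example, not the crontab line from the post.  Assumes POSIX sh with
# mktemp(1) and a mail(1)-style command behind report().

# report SUBJECT - reads the message body on stdin and mails it.  Point this
# at a pager address by redefining it; the default goes to root.
report() {
    mail -s "$1" root
}

# run_and_report SUBJECT CMD [ARGS...]
# Runs CMD with stdout discarded (as the crontab line does) and stderr
# captured.  If CMD exits non-zero or writes anything to stderr, the captured
# text plus the exit status are handed to report().
# Returns 0 when nothing was reported, 1 when a report was sent.
run_and_report() {
    subject=$1
    shift
    errfile=$(mktemp) || return 2
    "$@" >/dev/null 2>"$errfile"
    rc=$?
    if [ "$rc" -ne 0 ] || [ -s "$errfile" ]; then
        {
            printf 'command: %s\nexit status: %d\n\n' "$*" "$rc"
            cat "$errfile"
        } | report "$subject"
        rm -f "$errfile"
        return 1
    fi
    rm -f "$errfile"
    return 0
}

# Constructed stand-ins for atactl so the wrapper can be tried without a
# disk; the messages are made up, not atactl's real output.
healthy_check() {
    echo "constructed: no SMART threshold exceeded"
}
failing_check() {
    echo "constructed: SMART threshold exceeded" >&2
    return 1
}

# On a real server the script would end with the line below, run hourly by
# a crontab entry such as:  0 * * * * /usr/local/sbin/smart_alert.sh
#   run_and_report "wd0 ERRORS on $(hostname)" /sbin/atactl wd0 smartstatus
```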



Re: docs for OpenLDAP and cyrus-imapd on OpenBSD?

2006-10-30 Thread Paul Pruett

I have it working a similar setup. All you need once the openldap side
is running (and there are lots of docs about OpenLDAP for users
authentication out there):


Thanks,  got openldap with bdb up using various example conf files...
Getting the openldap side supporting a table or index or proper schema? 
that can be referenced by sendmail and cyrus and putting

the username,realm,password into it is my stuck point now, and that
is beyond the misc/openbsd list. I subscribed to the cyrus info and sasl
email lists and if need be the openldap lists...  I'll summarize my notes
on a webpage when successful and post back to misc list the url.

I think another part of the puzzle maybe that I need to copy 
sendmail schema and have that in slapd.conf


 cp /usr/src/gnu/usr.sbin/sendmail/cf/sendmail.schema /etc/openldap/schema/

 # grep sendmail /etc/openldap/slapd.conf
 include /etc/openldap/schema/sendmail.schema

  ?


You will need a sendmail compiled with SASL and ldap support, just add
this to /etc/mk.conf:
WANT_LDAP=yes
WANT_SMTPAUTH=yes


That was very helpful and something misc OpenBSD related, I knew about
exporting WANT_SMTPAUTH prior to compiling sendmail, but I did not realize
that a value needed to be set for WANT_LDAP.



docs for OpenLDAP and cyrus-imapd on OpenBSD?

2006-10-29 Thread Paul Pruett

Looking for docs for OpenLDAP and cyrus-imapd on OpenBSD

I am trying to implement cyrus-imap on OpenBSD sendmail for virtual 
hosting with support for  pop3, imap (localhost), and smtp-auth.


I've googled so much information that just did not quite fit
that it is daunting for those of us who are unfamiliar with ldap.

I have made some progress like I had actually hacked cyrus-imap to
use the mysql for authentication, got cyradm to work by modifying
/etc/hosts and so on..., was making that progress till I found that 
saslauthd will not support SQL, so I could not 
go that way for smtp-auth with sendmail.


After that endeavor I decided that I will need to bite the bullet and
become proficient with open-ldap because both sendmail and cyrus-imap
appear to have mature support for LDAP, unlike mysql.


(and yes I've read a thousand times that LDAP is more appropriate than SQL 
for non relational lookups...,  I have also been told that I should give 
up sendmail and use postfix, but I have a lot of investment in labor on 
our sendmail milter setups...)



THAT said, if someone has good documentation links, helpful suggestions, 
or would not mind filling in the gaps offline - I would appreciate it.




Re: docs for OpenLDAP and cyrus-imapd on OpenBSD?

2006-10-29 Thread Paul Pruett

If all you want about LDAP is to authenticate your users from LDAP,
then Cyrus IMAPd will just do it from sasl interface.
Be sure you have installed cyrus-sasl package with ldap flavor


I think I need a little more than that, I am not even sure how best
to insert the username, realm and password, and into which index...
and to that I am on a crash course on ldap, so that is part of the
picture I'll need to understand asap :(


I figured the flavor thing out when I went down the mysql flavor method,
Also we may need to use the -r option for pkg_add -r
to get the flavor package loaded... Here is how to make flavors and 
-server for those who may google this on the lists:


cd /usr/ports/mail/cyrus-imapd
make package

cd /usr/ports/security/cyrus-sasl2
env FLAVOR=ldap make package

cd /usr/ports/databases/openldap/
env SUBPACKAGE=ldap FLAVOR=bdb make package




An example /etc/saslauthd.conf will look like this

ldap_servers: ldap://127.0.0.1
ldap_search_base: dc=your,dc=base,dc=dn
ldap_filter: (&(uid=%u)(objectClass=inetOrgPerson))
ldap_auth_method: userPassword

As you can guess, %u gets replaced with username.
userPassword auth method means authentication will occur with binding.

And related lines for /etc/imapd.conf

sasl_mech_list: plain
sasl_pwcheck_method:saslauthd
sasl_saslauthd_path:/your/path/to/saslauthd/mux

Good luck...



I appreciate the above examples and will digest it asap.

I saw several options for imapd.conf that dealt with ldap
without the sasl_ prefix, and that may have misled also.

A note to other readers, any option in /etc/imapd.conf that
is prefixed with sasl_ may override the SASL configuration file,
see the man page for imapd.conf and sasl_option


BTW, I know I got off track when I tried settings from an example
slapd.conf from a Linux Gazette page:
http://linuxgazette.net/124/pfeiffer.html
http://linuxgazette.net/124/misc/pfeiffer/slapd.conf



smtp-vilter may not put IP into pf table if cannot resolve hostname

2006-10-16 Thread Paul Pruett

Anyone else using smtp-vilter.conf with the react on statement, like
 react on spam add to table vilterspam for 1 day

And if so do you notice error messages when the hostname can not be 
resolved like:


Oct 17 03:41:23 mail smtp-vilter[25288]: pftable_modify: can not resolve 
hostname [202.46.146.119]



It seems that if the spammer does not have reverse dns lookup for the 
domain name then smtp-vilter does not add the IP to the pf table?




Re: can mixed case username receive email

2006-05-17 Thread Paul Pruett

good answer


On Tue, 16 May 2006, Claus Assmann wrote:


Date: Tue, 16 May 2006 13:08:43 -0700
From: Claus Assmann [EMAIL PROTECTED]
Reply-To: misc@openbsd.org
To: Paul Pruett [EMAIL PROTECTED]
Cc: misc@openbsd.org
Subject: Re: can mixed case username receive email

On Tue, May 16, 2006, Paul Pruett wrote:

Is there a way to deliver
email to usernames with mixed case?


See the FAQ for sendmail  http://www.sendmail.org/faq/

 + 4.17 How do I handle user names with upper-case characters?




can mixed case username receive email

2006-05-16 Thread Paul Pruett

Is there a way to deliver
email to usernames with mixed case?


looking at OpenBSD 3.8 w/ sendmail

Per the man page for adduser
it is recommended to use only lowercase,
but it will take mixed case for a login
and be case sensitive.


So for example
adduser EWhite

but if after I try
mail EWhite

I get an error message.


but  if I rmuser and
adduser ewhite

I can
mail ewhite


Perhaps it is a setting issue, but
it seems that while mixed
usernames are supported up to
31 characters, the local
mail transport is unable
to deliver to a username
with mixed case.

Having always used lowercase
names, I was blissfully unaware
of that gotcha, until a user
asked me specifically for a mixed
case username.

?



Re: sftp and scp and chroot

2006-03-21 Thread Paul Pruett

there is better alternative w/o need to breaking ssh down:




An alternative to jailkit is chrsh
http://www.adg.us/computers/chrsh.html

it also does not require changing any code in ssh,
it is a chroot jail wrapper, invoked by setting user's shell
to the wrapper.

(warning - warning - if you include any setuid application
like ping in the jail, the user can obtain root privileges)

(think carefully before trying to chroot an ssh/sftp/scp login)


Ben Goren did an unofficial port that seems to not have been updated
recently so it may not make with recent versions of OpenBSD without
modification, we posted notes on misc about that this year. Ben's site:
http://www.trumpetpower.com/pub/OpenBSD_ports/chrsh-1.0b2.tgz

(i'd say google the notes, but for some reason I checked and google
was not finding recent misc postings very well for chrsh,
so I searched the MARC misc archives ...)

recent postings to misc about chrsh

http://marc.theaimsgroup.com/?l=openbsd-misc&m=113570342808678&w=2
http://marc.theaimsgroup.com/?l=openbsd-misc&m=113570856221149&w=2
http://marc.theaimsgroup.com/?l=openbsd-misc&m=113934124611066&w=2



Re: Recommendations for an OpenBSD-based Backup Solution

2006-03-21 Thread Paul Pruett

If you didn't already, try running rsync as a *server* on the Windows
side (if you want SSH, forward the ports). There's a cygwin bug that
bites rsync in some circumstances (when network buffers fill, iirc).


rather than setting a standalone rsync server listening to a port,
you can try a minimalist approach

have rsync installed w/ cygwin on windows,
use ssh to run rsync on openbsd box, I know it works with openbsd 3.8 port
of rsync.


In your bat file on windoze you can use the -e option of rsync to call 
ssh, and the -i option of ssh to select the identity key


NOTE the key has to be owned by the cygwin user and not group or other,
for ssh security reasons, that is the typical gotcha.

(it's not uncommon on windows for the login name
to actually be something different like default
in the passwd file on windows cygwin)


then you can use zip, dump or tar or other to backup the mirror or rather
rsync file system.  maybe doing a full backup weekly or monthly and
using find to backup files changed daily...


some notes here also:
http://optics.ph.unimelb.edu.au/help/rsync/rsync_pc1.html



success - equifax signed cert for starttls and under us16.00

2006-03-15 Thread Paul Pruett

--
Musings on getting a CA
signed cert for STARTTLS
and other gotchas
--


If you ask the companies who market
SSL certs about sendmail, they will
say that they don't support certs
for mail, but for websites only.

But maybe the help/support desks are wrong?

I found a vendor that only charged $15.99
for a starterssl signed by geotrust/equifax
and tried it with sendmail

I post the following to misc-at-openbsd
in the hope that others may benefit
and/or correct.

no flames please, if you see a glaring mistake,
let me know offlist and I'll post an amendment
or retraction if appropriate.





--


Starting the notes off on a tangent...
If we want to use something other than our self-signed
cert for sendmail, we will have to have a file, like
web browsers do, that has a bundle of okay CA certs.


Getting a file with recent information from a
somewhat trusted entity on which CA certificate signers
are okay, for applications to use...


I'm sure there is a better way, and somewhere to get newer,
but the file in the src appears to be from March CET 2000

head /usr/src/usr.sbin/httpd/conf/ssl.crt/ca-bundle.crt | grep "Last Modified"

##  Last Modified: Thu Mar  2 09:32:46 CET 2000

??

Going way off course to get a newer bundle maybe...

I googled several versions of
scripts that promised to convert a Mozilla file
certdata.txt to a ca-bundle that may be useable.


So let us find certdata.txt in a recent mozilla project
The below renders a file claiming a revision date of 2005/04/18

 curl http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.5.0.1/source/firefox-1.5.0.1-source.tar.bz2 \
     -o firefox-1.5.0.1-source.tar.bz2


 bunzip2 firefox-1.5.0.1-source.tar.bz2

 tar -tvf firefox-1.5.0.1-source.tar | grep certdata.txt

 tar -xvf firefox-1.5.0.1-source.tar \
     mozilla/security/nss/lib/ckfw/builtins/certdata.txt


We got it
now for a tool to convert...

  curl http://www.opensource.apple.com/darwinsource/Current/apache_mod_ssl-680/mod_ssl/pkg.sslcfg/ca-bundle.pl \
      -o ca-bundle.pl


now to do the conversion

  /usr/bin/perl ca-bundle.pl > ca-bundle.crt


Note the ca-bundle.crt includes information in such a way that
we may be able to just use it as CAcert.pem for starttls.
Can try copying or linking   ca-bundle.crt to  CAcert.pem


If you are fooling around with STARTTLS for sendmail,
you really really would benefit by reading the man pages

man starttls




   on towards pems for sendmail


It is very possible that the following has mistakes
or may not work or is wrong... could be done much
more elegantly or has a security issue,
so use with caution


So we may now have a file we can use for CAcert.pem
for STARTTLS to use that has most of the well
known CA providers.  But if we
self sign our certificates that
will not help unless we concatenate our cert to that


Okay so how can you, on the cheap, set up a
certificate signed by a Certificate Authority recognized
by most applications?  Geotrust is well known and
cheaper than Thawte or Verisign...  Froogle a vendor
for Geotrust... found registerfly.com
http://registerfly.com/ssl/

more on that later...


The following may work for us

BUT, before trying the following and spending $$, you may want to review
the instructions in man starttls and see if you can get sendmail working with
a self-signed certificate.


man starttls


OBSERVATION:

Note that the man page for starttls can skip some steps, using one command
to both generate a certificate and the private key.  Because
it is self-signed we did not need a 'CSR'

 openssl req -x509 -nodes -days 365 -newkey dsa:dsa1024.pem \
     -out /etc/mail/certs/mycert.pem \
     -keyout /etc/mail/certs/mykey.pem


If you did this more verbosely...
 You may make your key, then make a CSR, then sign the CSR

Something like this

 openssl genrsa -rand /dev/urandom \
 -out /etc/mail/certs/mykey.pem 1024
 chmod 400 /etc/mail/certs/mykey.pem

Now you need a certificate request, CSR, to have geotrust or some CA use
as input to sign and send you back a crt that hopefully will work
after taking your money.

 openssl req -new -inform PEM -key \
/etc/mail/certs/mykey.pem -outform PEM \
-out /etc/mail/certs/mycsr.pem
 chmod 400 /etc/mail/certs/mycsr.pem


You could self-sign it, but then the above CAcert.pem that we extracted
would not have you in it.


 openssl x509 -days 3650 -signkey /etc/mail/certs/mykey.pem \
-in /etc/mail/certs/mycsr.pem -req \
-out /etc/mail/certs/mycert.pem
 chmod 444 /etc/mail/certs/mycert.pem



-


BUT we may want to pay $$ (not $$$) to have a cert that Eudora/Microsoft
and other email applications would not complain about.

About the cheapest way I found to get a certificate for a website signed 
by geotrust/equifax is to go through the vendor 
http://registerfly.com/ssl/


You'll have to create an account and give them a minimum deposit of $25.00.
Then you can buy the cheapest
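The key, CSR, self-sign and CA-sign steps above, carried through end to end as an added example (these are not the post's own commands, and not from any CA vendor): a POSIX sh script around openssl(1). In place of a paid CA it builds a throwaway "Demo Root CA" and then runs openssl verify, the same check a mail client makes at STARTTLS time, to show the point made above about CAcert.pem: a certificate verifies only against a bundle that contains its issuer, and a self-signed one only after you append it. The CA name, mail.example.net and all file names are constructed; openssl must be in PATH.

```shell
#!/bin/sh
# Added example, not code from the post: key -> CSR -> certificate with
# openssl(1), then "openssl verify" against a small CA bundle.  The Demo Root
# CA stands in for one entry of ca-bundle.crt; every name here is constructed.
set -e

make_key() {            # make_key <keyfile>: owner-only RSA key (post's chmod 400)
    openssl genrsa -out "$1" 2048 2>/dev/null
    chmod 400 "$1"
}

make_ca() {             # make_ca <dir>: self-signed root playing a well-known CA
    make_key "$1/cakey.pem"
    openssl req -new -x509 -nodes -days 3650 -key "$1/cakey.pem" \
        -subj "/CN=Demo Root CA (constructed)" -out "$1/ca.pem" 2>/dev/null
}

make_csr() {            # make_csr <dir> <hostname>: the CSR you hand to a CA
    make_key "$1/mykey.pem"
    openssl req -new -key "$1/mykey.pem" -subj "/CN=$2" \
        -out "$1/mycsr.pem" 2>/dev/null
    chmod 400 "$1/mycsr.pem"
}

self_sign() {           # self_sign <dir>: the post's "openssl x509 -signkey" step
    openssl x509 -req -days 3650 -in "$1/mycsr.pem" -signkey "$1/mykey.pem" \
        -out "$1/selfsigned.pem" 2>/dev/null
    chmod 444 "$1/selfsigned.pem"
}

ca_sign() {             # ca_sign <dir>: what the CA does with the same CSR
    openssl x509 -req -days 365 -in "$1/mycsr.pem" -CA "$1/ca.pem" \
        -CAkey "$1/cakey.pem" -CAcreateserial -out "$1/casigned.pem" 2>/dev/null
}

verifies_against() {    # verifies_against <bundle> <cert>: 0 if cert chains to bundle
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {                # demo <workdir>: one result line per check
    make_ca "$1"; make_csr "$1" mail.example.net; self_sign "$1"; ca_sign "$1"
    cp "$1/ca.pem" "$1/CAcert.pem"           # bundle holding the known CA only
    for c in selfsigned casigned; do
        if verifies_against "$1/CAcert.pem" "$1/$c.pem"; then r=OK; else r=rejected; fi
        echo "$c.pem against CAcert.pem: $r"
    done
    cat "$1/selfsigned.pem" >> "$1/CAcert.pem"   # the concatenate-your-cert trick
    if verifies_against "$1/CAcert.pem" "$1/selfsigned.pem"; then r=OK; else r=rejected; fi
    echo "selfsigned.pem after appending it to CAcert.pem: $r"
}

# demo "$(mktemp -d)"
```

Expected result of demo: the self-signed cert is rejected, the CA-signed cert is OK, and the self-signed cert is OK only once it has been appended to the bundle, which is exactly why a bundle built from a browser's certdata.txt needs your own cert added to it.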

Re: success - equifax signed cert for starttls and under us16.00

2006-03-15 Thread Paul Pruett

if I remember correctly, the last time I tried Postfix on OpenBSD, I could
use a self-generated SSL cert. Hope it's helpful to you.



self-signed certs can work with mail smtp servers postfix or sendmail,
   man starttls

But when you use self-signed certificates, other servers or clients
may at a minimum give warnings to users.  also it is plausible that
using a certificate signed by a recognized CA may help when sending
to larger corporations, or maybe not

If you set up SMTP-AUTH, and have clients require TLS, the clients
will likely get a warning message till they accept and store it.
That's okay for a handful, but for the non-literate or commerce
customers it will be an education pain, and then most admins
will donate $16 rather than have to explain to clients about accepting
certificates not signed by a trusted CA.

that's my $0.02 on justifying $16


;)



Re: chrsh unofficial w/ current 3.9 - nope

2006-02-07 Thread Paul Pruett

Date: Tue, 7 Feb 2006 07:34:06 -0500
From: Jeff Quast [EMAIL PROTECTED]

I haven't looked at the code--but I've seen this before, try adding
#include <errno.h>
somewhere.


For unofficial chrsh port with current (3.9)
got the following with current grabbed this weekend,
complaining about extra tokens at end of directives and a while loop

chrsh.c:335: error: `errno' undeclared (first use in this function)
chrsh.c:335: error: (Each undeclared identifier is reported only once
chrsh.c:335: error: for each function it appears in.)
Stop in /usr/ports/test/chrsh/w-chrsh-1.0b2/chrsh (line 4 of Makefile).



Hell of a deal!
Good reply jeff.

That did it!

Ben, if you revise your unofficial port
for chrsh, you need to add, for patching,
 #include <errno.h>



chrsh unofficial w/ current 3.9 - nope

2006-02-06 Thread Paul Pruett
Just a heads up for the few that use Ben Goren's Trumpetpower port for 
chrsh, http://www.trumpetpower.com/OpenBSD/chrsh


It may not work as is with OpenBSD 3.9, without tweaking.

but the official ports for current are compiling nicely, even kde so far!


got the following with current grabbed this weekend,
complaining about extra tokens at end of directives and a while loop
using test on error return value...

if anyone has a quick suggestion, I'll try it, else I will set it aside.


# make
===  Checking files for chrsh-1.0b2

chrsh.c doesn't seem to exist on this system.
Fetch http://www.aarongifford.com/computers/chrsh.c.
100% ||  26266       00:00

No size recorded for /usr/ports/distfiles/chrsh.c
No checksum file.

===  Extracting for chrsh-1.0b2
mkdir -p /usr/ports/chrsh/w-chrsh-1.0b2/chrsh
cp /usr/ports/test/distfiles/chrsh.c /usr/ports/test/chrsh/w-chrsh-1.0b2/chrsh/

cp files/Makefile /usr/ports/test/chrsh/w-chrsh-1.0b2/chrsh/
===  Patching for chrsh-1.0b2
===  Configuring for chrsh-1.0b2
===  Building for chrsh-1.0b2
cc -o chrsh chrsh.c
chrsh.c:99:25: warning: extra tokens at end of #undef directive
chrsh.c:186:8: warning: extra tokens at end of #endif directive
chrsh.c: In function `main':
chrsh.c:335: error: `errno' undeclared (first use in this function)
chrsh.c:335: error: (Each undeclared identifier is reported only once
chrsh.c:335: error: for each function it appears in.)
*** Error code 1

Stop in /usr/ports/test/chrsh/w-chrsh-1.0b2/chrsh (line 4 of Makefile).
*** Error code 1

Stop in /usr/ports/test/chrsh (line 1924 of /usr/ports/infrastructure/mk/bsd.port.mk).



NOTES for chrsh.c


Line 99:
#undef  LOG_USEFILE /var/log/chrsh.log


Line 186:
#endif DEBUG

Line 335:
while (close(i) != 0 && errno == EINTR);



Re: smtp-vilter + spam filtering question

2006-02-01 Thread Paul Pruett
FYI,
the version in the stable port is old,

it is up to smtp-vilter-1.2.5
http://www.etc.msys.ch/software/smtp-vilter/


I was using monit to restart the port milter-spamd
when it would die about one or two times a week,
I downloaded 1.2.4 and did the make install
- went non-standard and set it to use the same user as
clamav and to not use sockets...
and monit has never had to restart smtp-vilter

ALSO:
http://freshmeat.net/projects/smtp-vilter/?branch_id=45398&release_id=214828
Changes: PF (packet filter) integration was improved. Reactions on spam,
viruses, and unwanted content can now be specified with a timeout: react on virus
add to table blacklist for 24 hours.


Using smtp-vilter to harvest IP addresses to redirect bad servers to
spamd. It is working, the maillog shows comments where it deletes IP
addresses from the pf table after 24 hours.  The pf table for my modest
mail server seems to be around 1800 - 2400 IP addresses.

What I did also to take advantage of spamd-setup
was to have cron run a simple Bourne shell script to save
the vilter pf table to a file, and have spamd.conf point to the file
and use spamd-setup to put the vilter table into the spamd table
so spamd would give a custom error message - just in case
a legitimate server gets on the spamassassin/smtp-vilter
generated blacklist for the pf firewall.

Openbsd 3.9 will likely include the newer version of smtp-vilter
and that will give all another method of feeding spamd at 8025 :)


ps -  easy to confuse the spamassassin spamd with Theo's spamd :(
 man -s8 spamd
versus
 man spamd



Login shell chroot implementation - unofficial chrsh openbsd port issues

2005-12-27 Thread Paul Pruett

This is in response to an email awhile back:
http://www.monkey.org/openbsd/archive/misc/0208/msg00558.html

Friday, July 19, 2002, 9:01:11 AM, you wrote:

I have used much software like chrsh (Aaron Gifford)
on a port from Ben Goren but didn't get it to work.
I've done *everything* Aaron and Ben told
me to do, but chrsh insisted on reporting me
an error like:

User='' (2000) Group='' (2000): Unable to obtain root permission in \
order to perform chroot() function.
After several tries, I finally quit it and decided to implement


The reason you could not get Ben Goren's port of chrsh to work is that the 
port does not do everything for you, in particular two things that will 
prevent it from working on OpenBSD 3.8:


It does not install setgid and setuid, and the settings in the compiled
chrsh.c check for it to install /bin/chrsh but the package installs
/usr/local/bin/chrsh

And to be honest if we can't figure out that part, we are likely
to also put something in the jail that would allow a security breakout...


NOTE -  DON'T even try to use chroot to limit user accounts unless you
understand it can be trivial to overcome:

 http://www.bpfh.net/simes/computing/chroot-break.html

It is perhaps very dangerous to chroot ssh except in special
situations, but the truth is a lot of servers try to do this,
especially in linux and freebsd implementations.   Many seem to patch
openssh directly - not too happy about that, others use a shell. some
approach examples:


http://chrootssh.sourceforge.net/index.php
http://www.adg.us/computers/chrsh.html
http://olivier.sessink.nl/jailkit/





-
- details and notes 
-- read no further unless need to know -


the reason for this post is that google did not easily find answers about
chrsh and openbsd beyond the helpful start by Ben Goren:


http://www.trumpetpower.com/OpenBSD/chrsh

His port almost works, but does not install the binary so that it can 
chroot, and the binary fails check because it is defined with wrong path.



An approach is that you could use his port then edit the chrsh.c inside 
the port make area,


edit ./chrsh/w-chrsh-1.0b2/chrsh/chrsh.c 
changing

#define CHRSHPATH   "/bin/chrsh"
to
#define CHRSHPATH   "/usr/local/bin/chrsh"

rm ./chrsh/w-chrsh-1.0b2/chrsh/chrsh.c

cd ./chrsh/w-chrsh-1.0b2/chrsh/
make
cp chrsh /usr/local/bin/chrsh


--- however, the package did not install setuid nor setgid 
---  which probably is good because it forces you ---
--- to think or at least google --


ls -al /usr/local/bin/chrsh
-r-xr-xr-x  1 root  wheel  18340 Dec  /usr/local/bin/chrsh

chmod u+s,g+s /usr/local/bin/chrsh

ls -al /usr/local/bin/chrsh
-r-sr-sr-x  1 root  wheel  18340 Dec  /usr/local/bin/chrsh


--- and then you have to do all the steps for making the jail
--- and the special path for the shell -- which is documented
--- and sometimes scripted elsewhere
like it says on Aaron D. Gifford's website:
That's all the documentation ya get, folks!  :)
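The two things the post says the port leaves undone (the setuid/setgid bits and a CHRSHPATH that matches the install path), together with the warning above about what you put inside the jail, as an added check script. This is not from the chrsh source, Ben Goren's port or the post; it uses only ls(1), tr(1), grep(1) and find(1), and the jail directory argument is an assumption.

```shell
#!/bin/sh
# Added example, not code from the post or the chrsh port: sanity checks to
# run after installing chrsh and before making it anyone's login shell.
# The jail directory path is an assumed argument.
set -u

# chrsh can only chroot(2) if it runs setuid root; the port installs it 0555.
has_suid_sgid() {       # has_suid_sgid <file>  (0 if both s bits are set)
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ???[sS]??[sS]???) return 0 ;;
        *)                return 1 ;;
    esac
}

owned_by_root() {       # owned_by_root <file>
    [ "$(ls -ld "$1" | awk '{print $3}')" = root ]
}

# chrsh compares its own path with CHRSHPATH; the literal sits in the binary,
# so pull printable strings out of it (what strings(1) does, without binutils).
compiled_path_matches() {   # compiled_path_matches <binary> <install-path>
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -qx "$2"
}

# A setuid/setgid program reachable from inside the jail is a classic way
# out of a chroot; list any so they can be removed before use.
jail_setuid_files() {   # jail_setuid_files <jaildir>  (0 if none found)
    found=$(find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

check_chrsh() {         # check_chrsh <installed-binary> <jaildir>
    rc=0
    owned_by_root "$1" || { echo "$1: not owned by root" >&2; rc=1; }
    has_suid_sgid "$1" || { echo "$1: missing s bits; chmod u+s,g+s $1" >&2; rc=1; }
    compiled_path_matches "$1" "$1" \
        || { echo "$1: CHRSHPATH compiled into the binary is not $1" >&2; rc=1; }
    jail_setuid_files "$2" >/dev/null \
        || { echo "$2: jail contains setuid/setgid files (see jail_setuid_files)" >&2; rc=1; }
    return $rc
}

# check_chrsh /usr/local/bin/chrsh /home/jail
```

With the post's edit applied and chmod u+s,g+s done, check_chrsh passes the first three checks; the jail check is the one to keep running whenever something is copied into the jail.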



Re: Login shell chroot implementation - unofficial chrsh openbsd port issues

2005-12-27 Thread Paul Pruett

-
- details and notes 
-- read no further unless need to know -

.
rm ./chrsh/w-chrsh-1.0b2/chrsh/chrsh.c


oops, that's my very bad, should be

 rm ./chrsh/w-chrsh-1.0b2/chrsh/chrsh



pfctl cannot allocate memory for using spamd w/ Table for CBL

2005-12-01 Thread Paul Pruett

suggestions?

since upgrading to openbsd 3.8
I noted my spamd was not blocking, looked closer and with me
using the CBL table (huge) trying
spamd-setup gave this response:
  pfctl Cannot allocate memory

The spamd is loading okay so long as I don't use a whopper
table like the CBL,
rsync://rsync.cbl.abuseat.org/cbl/list.txt

I have a gig of memory on the server in question, and it was the
generic i386 kernel



True on 3.6 and 3.7 I used a kernel compiled with options,
so it could be just the generic kernel...

I'm going to compile a custom kernel on platform and see if it fares 
better.   any suggestions on kernel options for large pf Tables?


typically I have added these options to the generic.

OPTION   GATEWAY
OPTION   DUMMY_NOPS



fyi - openbsd 3.8 squirrelmail php bug and imap-uw

2005-12-01 Thread Paul Pruett

I ran into something w/ squirrelmail on openBSD 3.8
with uw imap needing plain text login and with a php
bug causing timeouts

short answer - use flavor plaintext with imap-uw instead
of trying edit of /etc/c-client.cf  - and use imap serverside
sort option on squirrelmail  - or manually update/patch php4 - ughh







NOTES - longwinded for those who may care,
and for google, else read no further


--

from the front of squirrelmail.org

SquirrelMail and PHP 4.4.1 issues
Nov 07, 2005 by Tomas Kuliavas
PHP developers released PHP 4.4.1 version on 2005-10-31.
Security fixes introduced bug, which affects three SquirrelMail
functions. If your SquirrelMail install does not use server
side sorting, PHP bug can create infinite loop in message display.
If you are using PHP 4.4.1, you should update it to 4.4.x-dev or apply 
patch.


(or as a quick fix set squirrel mail to serverside sort)

--

According to
http://www.squirrelmail.org/docs/admin/admin-10.html
OpenBSD
there are two different packaging flavors. [default package] and
[package with plaintext support]. Use plaintext package or
enable plain text login in /etc/c-client.cf

I used the default make install, so I'm sure I got
the package w/o plain text.
I had /etc/c-client.cf edited accordingly from previous usage..

# cat /etc/c-client.cf
set disable-plaintext nil


But it did not work...



So rather than using the port package without flavor and trying
to override with /etc/c-client.cf,
I made package with flavor and that worked. ..

# pkg_delete imap-uw-2004g
imap-uw-2004g: complete
Clean shared items: complete

# cd /usr/ports/mail/imap-uw
# env FLAVOR=plaintext make install


And that fixed it. --- then I had to do some changes to php.ini
and change some squirrel mail settings because the version of php w/ 3.8
has issues with imap or the version of imap has issues with php... 
whatever..

anywho, changing things like squirrelmail to have imap sort helped..

(be sure to exercise it with some attachments before you think it's good
to go...)


a source of info-
http://www.squirrelmail.org/wiki/BrowseProblemsByPhpError

a reminder to us slothful admins,  imap need only be for
localhost for squirrelmail... can configure pf.conf so only localhost uses 
imap...




Re: ssh brute force attacks

2005-11-14 Thread Paul Pruett

I'm the same way - I do not look forward to spending an afternoon
upgrading a box, and then manually hacking through the config files
checking for changes. After 30 minutes of this mind-numbing minutae, I
usually start making mistakes which leads to more time consumed.
Anyway - most upgrades are not so bad, but I've found if I get more than
2 releases behind a fresh install is usually the best medicine.


openbsd is secure by default so getting behind on it is not
so bad... if you are using the default install, what is really dangerous is
anything we do to our boxes after the default install


PORTS for example..   have you looked at the right block on undeadly.org
occasionally, they list recent vulnerabilities from the website
http://www.vuxml.org/openbsd/

For example, if you used the port for the antivirus, clamav, and have not 
upgraded to stable recently or to 3.8, read this quote:
During analysis ClamAV Antivirus Library is vulnerable to buffer 
overflows allowing attackers complete control of the system


Similar goes for ports of other things like mysql:
a temporary file vulnerability in the mysqlaccess script of MySQL that 
could allow an unprivileged user to let root overwrite arbitrary files via 
a symlink attack



Yes, if you used the default install, and it's in the last year or so it's
secure, but in the real world many admins make holes, and use ports and
don't check or upgrade the ports adequately.   So the concept of
migrating data every 6 months or at least every year to a fresh install is
a very good...   That way even if a rootkit left a cronjob, it likely is
gone with an install, not an upgrade, on new file systems


ok, yes this thread is diverging.



Re: Text editor

2005-08-07 Thread Paul Pruett

http://www.gnu.org/fun/jokes/ed.msg.html

Ed, man!  !man ed

On Sun, 7 Aug 2005, Richard P. Koett wrote:


Date: Sun, 7 Aug 2005 09:01:40 -0700
From: Richard P. Koett [EMAIL PROTECTED]
To: misc@openbsd.org
Subject: Re: Text editor

You guys are all sissies.

Real men use cat(1).




any luck with CBL for spamd pf Table ?

2005-08-07 Thread Paul Pruett

Tried to use CBL for spamd.conf, it was a bust.
may have been sysadmin err0r/misunderstanding..:).

Anyone else successfully using CBL for /usr/libexec/spamd-setup ?

It appears that the CBL black list has about 1,744,279 entries
The CBL list is a big part of the Spamhaus XBL list, and gets
a lot that others may miss. And using dns instead of pf to reject is not
preferred...

But how many addresses can be put into pf Table without overload?
(depends on arch and resources... but in short.. rule of thumb..
how many lines should be stay under when putting Tables for spamd?)

with over a million IPs in CBL, trying
   /usr/libexec/spamd-setup -d
just sits there cooking and doesn't finish


retrieval notes:
==
/usr/local/bin/rsync rsync://rsync.cbl.abuseat.org/cbl/list.txt \
  /tmp/cbl-list.txt.rsync
sed -e '/^[0-9]/!d' /tmp/cbl-list.txt.rsync > /tmp/cbl-list.txt
wc -l /tmp/cbl-list.txt
===
mv list to appropriate folder, edit /etc/spamd.conf, run spamd-setup and 
it just does not do well...
so many lines...  or some of the lines have something that 
hangs spamd-setup???
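The cron job described in the smtp-vilter post above (save a pf table to a file and point spamd.conf at it) and the address-only filter from the retrieval notes here both need the same list clean-up, so one added example covers both. This is not code from either post, from smtp-vilter or from spamd: a POSIX sh script that keeps only address lines, writes the file atomically so spamd-setup never reads a half-written list, reports the entry count (the number that matters for the pfctl memory error), and prints the spamd.conf stanza. The table name "vilter", the output path and the sample pfctl output in demo are constructed.

```shell
#!/bin/sh
# Added example, not code from either post: dump a pf table to a file for
# spamd-setup, keeping only address lines (same idea as the sed filter above)
# and writing atomically.  Table name "vilter" and the paths are constructed.
set -u

# Keep only IPv4 addresses or CIDR blocks: trim whitespace, drop comments,
# blank lines and anything else, then de-duplicate.
clean_addr_list() {     # clean_addr_list < raw-list > clean-list
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^[0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\(\/[0-9]\{1,2\}\)\{0,1\}$/!d' \
        | LC_ALL=C sort -u
}

# Entry count: the figure to watch when pfctl says "Cannot allocate memory".
count_entries() {       # count_entries <file>
    wc -l < "$1" | tr -d ' '
}

# "pfctl -t <table> -T show" prints one address per line with leading blanks.
# Write to a temp file and mv into place so readers never see a partial list.
save_table() {          # save_table <pf-table> <outfile>
    tmp="$2.tmp.$$"
    pfctl -t "$1" -T show | clean_addr_list > "$tmp" && mv "$tmp" "$2"
    count_entries "$2"
}

# spamd.conf(5) stanza: method=file reads the saved list and %A in msg is
# replaced by the connecting address.  "vilter" must be added to the all: line.
spamd_conf_stanza() {   # spamd_conf_stanza <outfile>
    cat <<EOF
vilter:\\
        :black:\\
        :msg="Your address %A was rejected by our content filter; mail postmaster@example.net if this is in error":\\
        :method=file:\\
        :file=$1:
EOF
}

# Demo on constructed "pfctl -t vilter -T show" output, so no pf is needed.
demo() {
    printf '   192.0.2.10\n   198.51.100.7\n   192.0.2.10\n   203.0.113.0/24\n' \
        | clean_addr_list
    spamd_conf_stanza /var/db/spamd-vilter.txt
}

# Cron use with the assumed names:  save_table vilter /var/db/spamd-vilter.txt
```

For the CBL list the same clean_addr_list replaces the sed one-liner above and also strips stray whitespace and duplicates, which is worth doing before handing a million-line file to spamd-setup.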




ssh from cellphone to openbsd

2005-06-25 Thread Paul Pruett

FYI -

I was able to ssh2 with vt320term using username/password to openbsd using a
sprintpcs cellphone (not the fancy palm-like ones but the newer lesser
vision phones that play media and midp java apps)


application on cellphone:

MidpSSH is an SSH and Telnet client for MIDP 1.0 / 2.0 devices
such as Java(tm)-capable cellphones.
http://www.xk72.com/midpssh/index.html

You can send this URL
  http://xk72.com/wap
in a text message, messaging.sprintpcs.com, and the phone can go to it,
give a wap menu and after selection can download and know it's an
application.




BTW, full ssh2 build, 108KB seems to be working on the new sprintpcs 
phones, like the SANYO MM-5600



it will take some playing with to figure the best way to macro key inputs.

not sure how audited the software is, but java source is supposed to be
available.


and not sure if it can use keys; it does have an import session from url
feature that I have not explored.


but it is interesting.



Re: phpbb

2005-06-18 Thread Paul Pruett

sauce for the goose...

On Fri, 17 Jun 2005, Clint M. Sand wrote:

Anyone care to share a procmail line to destroy any message with how do
I chroot and mysql and php?


see  http://perlcode.org/tutorials/procmail/proctut/

HINT
By default, procmail scans only the headers of the email message.
This means that if you want your recipe to scan the body of the message,
you'll need to use the B flag

HINT
If a recipe has multiple condition lines, all of the conditions must be
true for the recipe to match. If any one of the conditions is not true,
procmail skips the remaining conditions and moves to the next recipe.


:0 B:
* how do I
* chroot
* mysql and php
/dev/null



or block it inside another recipe perhaps

 :0
 * ^To:[EMAIL PROTECTED]
  {
:0 B:
* how do I
* chroot
* mysql and php
/dev/null
  }



goldflipper as a ringer for cellphone

2005-06-12 Thread Paul Pruett

Okay WAY 2 cool

I finally killed the old cell phone I was using for years and years,
and got a sprintpcs replacement with multimedia (after signing another 2 
years...:(


Anywho, had to try making a ringer; what better mp3 than an OpenBSD lyric!

I trimmed 29 seconds from the Gold Flipper and sent it to my phone,
quite commonly someone asks the source :) so I tell them it's open source 
- har


anyways - 4 anyone else using or wanting to try custom ringers, I slapped
links up on this webpage with m4a, qcp and the trimmed mp3 I used:

http://www.cocoavillagepublishing.com/ringers/