Compiling Rust, Rust toolchains for openbsd 7.2

2022-11-06 Thread flipchan

Hey everyone,

I have a "building instance" that cross compiles a rust code repository 
to darwin, linux and some other platforms. I want to add support for 
compiling rust code to openbsd 7.2. However, Openbsd does not have an 
official rust toolchain. List of supported systems can be found here: 
https://doc.rust-lang.org/nightly/rustc/platform-support.html



Does anyone have a rust-toolchain workaround for compiling rust code on 
a linux box to be able to produce a binary executable for an amd64 
openbsd 7.2 server?



Thanks!

All the best,

flipchan



Re: Upgrade from 6.6

2022-06-16 Thread flipchan

Hey,

You need to change your remote package repo link.

Make sure you use a good packet mirror

On 6/16/22 13:05, Anne Wainwright wrote:

Hi,

Thanks for the various posts and effort involved with them.

I understand that we should really keep up to date for all sorts of
reasons. Updating through multiple versions is perhaps not the best
idea.

In view of the fact that this is my first openbsd project (that overran
its schedule) I am going to reinstall so as to keep everything clean, I
have copied over the few files I created or changed to minimise the
work. At the bottom of the learning curve any help is appreciated.

bestest
Anne


On Wed, Jun 15, 2022 at 12:07:23PM +0100, Maurice McCarthy wrote:

You are better off backing up then installing 7.1 from scratch. It will be
faster.

On Wed, 15 Jun 2022, 11:53 Anne Wainwright, 
wrote:


Hi,

I am belatedly trying to update my 6.6 server.

# sysupgrade
ftp: Error retrieving file: 404 not found

Done all the preparatory steps, so should I presume this is no longer
possible?

best and thanks
Anne







Re: Failing to compile custom 6.6 based on git commit id

2022-01-31 Thread flipchan

I tried with 6.4 to compile this and failed:

error log:

cc -O2 -pipe  -Wall -Wformat -Wformat-security -Wimplicit -Wreturn-type -Wtrigraphs -Wuninitialized -Wunused -Werror -DLIBRESSL_INTERNAL -Werror-implicit-function-declaration -MD -MP  -c /usr/src/usr.bin/openssl/verify.c
cc -O2 -pipe  -Wall -Wformat -Wformat-security -Wimplicit -Wreturn-type -Wtrigraphs -Wuninitialized -Wunused -Werror -DLIBRESSL_INTERNAL -Werror-implicit-function-declaration -MD -MP  -c /usr/src/usr.bin/openssl/version.c
cc -O2 -pipe  -Wall -Wformat -Wformat-security -Wimplicit -Wreturn-type -Wtrigraphs -Wuninitialized -Wunused -Werror -DLIBRESSL_INTERNAL -Werror-implicit-function-declaration -MD -MP  -c /usr/src/usr.bin/openssl/x509.c
cc   -o openssl apps.o apps_posix.o asn1pars.o ca.o certhash.o ciphers.o crl.o crl2p7.o dgst.o dh.o dhparam.o dsa.o dsaparam.o ec.o ecparam.o enc.o errstr.o gendh.o gendsa.o genpkey.o genrsa.o nseq.o ocsp.o openssl.o passwd.o pkcs12.o pkcs7.o pkcs8.o pkey.o pkeyparam.o pkeyutl.o prime.o rand.o req.o rsa.o rsautl.o s_cb.o s_client.o s_server.o s_socket.o s_time.o sess_id.o smime.o speed.o spkac.o ts.o verify.o version.o x509.o -lssl -lcrypto
pkcs8.o: In function `pkcs8_main':
pkcs8.c:(.text+0x2f6): undefined reference to `EVP_PKEY2PKCS8_broken'
cc: error: linker command failed with exit code 1 (use -v to see invocation)

*** Error 1 in usr.bin/openssl (:121 'openssl')
*** Error 1 in usr.bin (:48 'all')
*** Error 1 in . (:48 'all')
*** Error 1 in . (Makefile:95 'do-build')
*** Error 1 in /usr/src (Makefile:74 'build')

if anyone got any idea, let me know

On 30/01/2022 18:07, flipchan wrote:

Hey Everyone,

I'm trying to build an openbsd iso based on this commit: 
https://github.com/openbsd/src/tree/a8e222352f


For a lab exercise.

So far it keeps failing when I'm trying to manually build it from 
source, right now I have installed a fresh version of openbsd 6.6 and 
I'm trying to build it with:


git clone https://github.com/openbsd/src
cd src/
git checkout a8e222352f
cd ../ && zip -r src.zip src/
then copy to the 6.6 vm and unzip in the /usr/src dir
then I run
make obj, this works
make build, this fails with the message:
===> libexec/getty
install -c -S -s  -o root -g bin  -m 555 getty /usr/libexec/getty
install -c -o root -g bin -m 444  /usr/src/libexec/getty/getty.8 /usr/share/man/man8/getty.8
install -c -o root -g bin -m 444 /usr/src/libexec/getty/gettytab.5 /usr/share/man/man5/gettytab.5
install -c -o root -g bin -m 444  /usr/src/libexec/getty/ttys.5 /usr/share/man/man5/ttys.5
===> libexec/ld.so
install -c -S   -o root -g bin  -m 444 ld.so /usr/libexec/ld.so
install: ld.so: No such file or directory
*** Error 1 in libexec/ld.so (:152 'realinstall')
*** Error 1 in libexec (:48 'realinstall')
*** Error 1 in /usr/src (:48 'realinstall')
6.6vm#


Does anyone have any good idea on how I can compile openbsd from this 
commit?


Thanks!




Failing to compile custom 6.6 based on git commit id

2022-01-30 Thread flipchan

Hey Everyone,

I'm trying to build an openbsd iso based on this commit: 
https://github.com/openbsd/src/tree/a8e222352f


For a lab exercise.

So far it keeps failing when I'm trying to manually build it from 
source, right now I have installed a fresh version of openbsd 6.6 and 
I'm trying to build it with:


git clone https://github.com/openbsd/src
cd src/
git checkout a8e222352f
cd ../ && zip -r src.zip src/
then copy to the 6.6 vm and unzip in the /usr/src dir
then I run
make obj, this works
make build, this fails with the message:
===> libexec/getty
install -c -S -s  -o root -g bin  -m 555 getty /usr/libexec/getty
install -c -o root -g bin -m 444  /usr/src/libexec/getty/getty.8 /usr/share/man/man8/getty.8
install -c -o root -g bin -m 444  /usr/src/libexec/getty/gettytab.5 /usr/share/man/man5/gettytab.5
install -c -o root -g bin -m 444  /usr/src/libexec/getty/ttys.5 /usr/share/man/man5/ttys.5
===> libexec/ld.so
install -c -S   -o root -g bin  -m 444 ld.so /usr/libexec/ld.so
install: ld.so: No such file or directory
*** Error 1 in libexec/ld.so (:152 'realinstall')
*** Error 1 in libexec (:48 'realinstall')
*** Error 1 in /usr/src (:48 'realinstall')
6.6vm#


Does anyone have any good idea on how I can compile openbsd from this commit?

Thanks!


Re: email dkim signing failing with 6.8

2021-05-25 Thread flipchan

Awesome!! This worked, thanks a lot!


On 23/05/2021 14:57, Thomas Bohl wrote:


On 23.05.2021 at 12:32, flipchan wrote:
Yeah, it was all working until I upgraded to 6.8, can someone else 
that is running opensmtpd with dkim send me their smtpd.conf? I 
assume I have written some rule wrong, not sure where though


The config is all over the place. There is the rspamd filter and there 
is DKIM tagging with a match rules order that can't reach the tagging. 
It's like Martijn van Duren said, you are clearly using rspamd and not 
dkimproxy_out, which means your debugging is way off.



But things got easier anyway. Please install filter-dkimsign.
# pkg_add opensmtpd-filter-dkimsign
Remove everything dkim and rspamd from your current smtpd.conf.

Add

filter "dkimsg" proc-exec "filter-dkimsign -d example.com -s default \
   -k /var/dkimproxy/default.private -c relaxed/relaxed" \
   user _dkimsign group _dkimsign

and edit the line

listen on vio0 port 587 hostname example.com tls-require pki mail.example.com auth filter "rspamd"


to

listen on vio0 port 587 hostname example.com tls-require pki mail.example.com auth filter "dkimsg"



Or
# cat /etc/mail/smtpd.conf
table aliases file:/etc/mail/aliases

pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
pki mail.example.com key "/etc/ssl/private/mail.example.com.key"

filter "dkimsg" proc-exec "filter-dkimsign -d example.com -s default \
   -k /var/dkimproxy/default.private -c relaxed/relaxed" \
   user _dkimsign group _dkimsign

listen on vio0 port 587 hostname example.com tls-require pki mail.example.com auth filter "dkimsg"

listen on vio0 port 25 hostname example.com tls pki mail.example.com

action "mbox" mbox alias <aliases>
action "relay" relay

match from any for domain example.com action "mbox"
match for local action "mbox"
match auth from any for any action "relay"


If you really need rspamd for spam filtering add it back in and add 
the filter only to "listen on vio0 port 25". Otherwise uninstall it, 
since even in "standby" it produces lots of DNS traffic.


HTH
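
The rule-order problem mentioned in the reply above can be checked mechanically: smtpd evaluates match rules in order and the first match wins, so a later rule with the same conditions never fires. The script below is an added example, not part of the thread or of OpenSMTPD; the function names `shadowed_rules` and `sample_match_rules` are hypothetical, the sample reproduces the match lines from the original question, and only single-line rules with identical conditions are detected.

```shell
#!/bin/sh
# Added example: flag smtpd.conf match rules that can never fire because an
# earlier rule has identical conditions (first match wins).
# Assumption: every match rule sits on one line (no backslash continuation).

# shadowed_rules: read an smtpd.conf on stdin, print one line per shadowed rule.
shadowed_rules() {
    awk '
    # Skip comments and every directive that is not a match rule.
    /^[ \t]*#/ { next }
    $1 != "match" { next }
    {
        # Split the rule into its conditions and its action name (or reject).
        cond = ""; act = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "action") { act = $(i + 1); break }
            if ($i == "reject") { act = "reject"; break }
            cond = cond (cond == "" ? "" : " ") $i
        }
        gsub(/"/, "", act)
        if (cond in first_line) {
            printf "line %d: action %s is unreachable, same conditions as line %d (action %s): match %s\n", NR, act, first_line[cond], first_act[cond], cond
        } else {
            first_line[cond] = NR
            first_act[cond] = act
        }
    }'
}

# sample_match_rules: constructed input, the match lines of the configuration
# posted in the original question, in their original order.
sample_match_rules() {
    cat <<'EOF'
match from any for domain example.com action "mbox"
match auth from any for any action "relay"
match for local action "mbox"
match tag DKIM for any action "relay"
#match for any action relay_dkim
match auth from any for any action "relay_dkim"
EOF
}

# Authenticated mail is taken by the plain "relay" rule on line 2, so the
# "relay_dkim" rule on line 6 is reported as unreachable.
sample_match_rules | shadowed_rules
```

On a live system the function can be fed the real file: `shadowed_rules < /etc/mail/smtpd.conf`.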





Re: email dkim signing failing with 6.8

2021-05-23 Thread flipchan
Yeah, it was all working until I upgraded to 6.8, can someone else that 
is running opensmtpd with dkim send me their smtpd.conf? I assume I have 
written some rule wrong, not sure where though


On 22/05/2021 13:05, Martijn van Duren wrote:

I'm not sure what you're doing, but you show a piece of rspamd config
for your signing, while you claim to use dkimproxy_out. I haven't used
dkimproxy_out in a long time (basically since I wrote filter-dkimsign)
but last time I used dkimproxy_in it worked as expected for rsa.

Also note that dkimproxy hasn't had a new release since 2011,
which doesn't have to mean anything, but is usually not a great sign.

If you really want to continue using dkimproxy I'd suggest running
dkimproxy_out on the shell:
/usr/local/bin/dkimproxy.out --conf_file=/etc/dkimproxy_out.conf 
--user=_dkimproxy --group=_dkimproxy
and see what it spews out.

Personally I'd replace dkimproxy with either (filter-)rspamd or
filter-dkimsign depending on your needs.

martijn@

On Sat, 2021-05-22 at 11:44 +0200, flipchan wrote:

Hi all,


I upgraded from 6.6 to 6.8 and dkim magically stopped appending the dkim
signatures to my emails. I have tried to debug it but I'm not really
getting anywhere. dkimproxy_out is running without complaints.

Does anyone see what I'm doing wrong?


mail# cat /etc/mail/smtpd.conf
table aliases file:/etc/mail/aliases
#table other-relays file:/etc/mail/other-relays

pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
pki mail.example.com key "/etc/ssl/private/mail.example.com.key"

filter "rspamd" proc-exec "/usr/local/libexec/smtpd/filter-rspamd"

listen on vio0 port 587 hostname example.com tls-require pki mail.example.com auth filter "rspamd"
#mask-src
listen on vio0 port 25 hostname example.com tls pki mail.example.com filter "rspamd"
# auth-optional

#action "mbox" mbox alias 
#action "relay" relay

#match for local action "mbox"
#match for any action "relay"
#match !from src  mail-from "@example.com" for any \
   # reject

listen on lo0 port 10028 tag DKIM

action "mbox" mbox alias <aliases>
action "relay" relay
action "relay_dkim" relay host smtp://127.0.0.1:10027
match from any for domain example.com action "mbox"

match auth from any for any action "relay"
match for local action "mbox"
match tag DKIM for any action "relay"
#match tag dkim for any action "relay"
#match tag DKIM for any action "outbound"
#match for any action relay_dkim
match auth from any for any action "relay_dkim"
mail#
dkim_signing.conf    redis.conf
mail# cat /etc/rspamd/local.d/dkim_signing.conf
domain {
  example.com {
  path = "/var/dkimproxy/default.private";
  selector = "default";
  }
}
mail# uname -a
OpenBSD mail.firosolutions.com 6.8 GENERIC#5 amd64



Thanks!

Sincerely,

Flipchan







email dkim signing failing with 6.8

2021-05-22 Thread flipchan

Hi all,


I upgraded from 6.6 to 6.8 and dkim magically stopped appending the dkim 
signatures to my emails. I have tried to debug it but I'm not really 
getting anywhere. dkimproxy_out is running without complaints.


Does anyone see what I'm doing wrong?


mail# cat /etc/mail/smtpd.conf
table aliases file:/etc/mail/aliases
#table other-relays file:/etc/mail/other-relays

pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
pki mail.example.com key "/etc/ssl/private/mail.example.com.key"

filter "rspamd" proc-exec "/usr/local/libexec/smtpd/filter-rspamd"

listen on vio0 port 587 hostname example.com tls-require pki mail.example.com auth filter "rspamd"

#mask-src
listen on vio0 port 25 hostname example.com tls pki mail.example.com filter "rspamd"

# auth-optional

#action "mbox" mbox alias 
#action "relay" relay

#match for local action "mbox"
#match for any action "relay"
#match !from src  mail-from "@example.com" for any \
 # reject

listen on lo0 port 10028 tag DKIM

action "mbox" mbox alias <aliases>
action "relay" relay
action "relay_dkim" relay host smtp://127.0.0.1:10027
match from any for domain example.com action "mbox"

match auth from any for any action "relay"
match for local action "mbox"
match tag DKIM for any action "relay"
#match tag dkim for any action "relay"
#match tag DKIM for any action "outbound"
#match for any action relay_dkim
match auth from any for any action "relay_dkim"
mail#
dkim_signing.conf    redis.conf
mail# cat /etc/rspamd/local.d/dkim_signing.conf
domain {
    example.com {
    path = "/var/dkimproxy/default.private";
    selector = "default";
    }
}
mail# uname -a
OpenBSD mail.firosolutions.com 6.8 GENERIC#5 amd64



Thanks!

Sincerely,

Flipchan



Re: Running gunicorn with rcclt

2020-04-14 Thread Flipchan
Have you put anything in rc.conf.local?

Thanks

On April 14, 2020 7:25:05 PM GMT+02:00, Daniel Winters  
wrote:
>>> Hey, I'm trying to run a python app with gunicorn-3 and rcctl
>>> but rcctl start guni just returns ok as it was started and doesn't start
>>> it. What am I doing wrong? Thanks
>
>I am successfully running a flask apps (named "webapp" as an example)
>with gunicorn using the following /etc/rc.d/webapp script:
>
>#!/bin/ksh
>
>daemon="/usr/local/bin/gunicorn-3 -D"
>daemon_user="www"
>daemon_flags="--bind 127.0.0.1:8000 --chdir /var/www/webapp --name webapp webapp:app"
>
>. /etc/rc.d/rc.subr
>
>pexp=".*gunicorn: master \[webapp\].*"
>
>rc_cmd $1
>
>Cheers,
>Daniel

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: Running gunicorn with rcclt

2020-04-14 Thread Flipchan
More debug data:

sh -x /etc/rc.d/guni check 
...
 + eval _rctimeout=${guni_timeout} 
+ _rctimeout= 
+ getcap -f /etc/login.conf testuser 
+ > /dev/null 
+ 2>&1 
+ daemon_class=daemon 
+ [ -z ] 
+ daemon_rtable=0 
+ [ -z ] 
+ daemon_user=root 
+ [ -z 60 ] 
+ [ -n -o check != start ] 
+ [ X-c /home/testuser/stuff/main.ini -D flaskapp:app = XNO ] 
+ [ -n -c /home/testuser/stuff/main.ini -D flaskapp:app ] 
+ daemon_flags=-c /home/testuser/stuff/main.ini -D flaskapp:app 
+ [ -n ] 
+ [ -n testuser ] 
+ daemon_user=testuser 
+ [ -n ] 
+ [ -n ] 
+ readonly daemon_class 
+ unset _rcflags _rcrtable _rcuser _rctimeout
 + eval echo /usr/local/bin/gunicorn-3 -c /home/testuser/stuff/main.ini -D 
flaskapp:app 
+ echo /usr/local/bin/gunicorn-3 -c /home/testuser/stuff/main.ini -D 
flaskapp:app 
+ pexp=/usr/local/bin/gunicorn-3 -c /home/testuser/stuff/main.ini -D 
flaskapp:app 
+ rcexec=su -l -c daemon -s /bin/sh testuser -c 
+ id -R 
+ [ 0 -eq 0 ] 
+ rc_cmd check 
guni(failed)

On April 14, 2020 3:30:40 PM GMT+02:00, Flipchan  wrote:
>Hey, I'm trying to run a python app with gunicorn-3 and rcctl
>
>computer# cat /etc/rc.conf.local 
>httpd_flags= 
>guni_flags="-c /home/testuser/stuff/main.ini -D flaskapp:app" 
>guni_user=testuser 
>pkg_scripts=tor 
>
>computer# cat /etc/rc.d/guni 
>#!/bin/ksh 
># 
># $OpenBSD: Exp $ 
>
>daemon="/usr/local/bin/gunicorn-3" 
> . /etc/rc.d/rc.subr 
>
>#rc_pre() { #  rm /home/testuser/stuff/pid.pid #} 
>
>rc_stop() {
>kill -9 `cat /home/testuser/stuff/pid.pid` 
>#  rm /home/testuser/stuff/pid.pid
>} 
>rc_cmd $1 
>
>#cat /home/testuser/stuff/main.ini 
>bind = "0.0.0.0:8801" 
>workers = 5 
>pidfile = '/home/testuser/stuff/pid.pid' 
>
>so this works: 
>/usr/local/bin/gunicorn-3 -c /home/testuser/stuff/main.ini -D
>flaskapp:app 
>
>but rcctl start guni just returns ok as it was started and doesn't start
>it.
>What am I doing wrong? Thanks

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Running gunicorn with rcclt

2020-04-14 Thread Flipchan
Hey, I'm trying to run a python app with gunicorn-3 and rcctl

computer# cat /etc/rc.conf.local 
httpd_flags= 
guni_flags="-c /home/testuser/stuff/main.ini -D flaskapp:app" 
guni_user=testuser 
pkg_scripts=tor 

computer# cat /etc/rc.d/guni 
#!/bin/ksh 
# 
# $OpenBSD: Exp $ 

daemon="/usr/local/bin/gunicorn-3" 
 . /etc/rc.d/rc.subr 

#rc_pre() { #   rm /home/testuser/stuff/pid.pid #} 

rc_stop() { 
kill -9 `cat /home/testuser/stuff/pid.pid` 
#   rm /home/testuser/stuff/pid.pid
} 
rc_cmd $1 

#cat /home/testuser/stuff/main.ini 
bind = "0.0.0.0:8801" 
workers = 5 
pidfile = '/home/testuser/stuff/pid.pid' 

so this works: 
/usr/local/bin/gunicorn-3 -c /home/testuser/stuff/main.ini -D flaskapp:app 

but rcctl start guni just returns ok as it was started and doesn't start it.
What am I doing wrong? Thanks


Re: Hosting a CDN question

2020-03-17 Thread Flipchan
Yeah, the point of a cdn is to lower the latency, so what is needed is not 
only a fast http server but also a traffic redirector depending on the end 
user's origin

On March 17, 2020 3:44:27 AM GMT+01:00, Aaron Mason  
wrote:
>You can easily "write" one in Go with 9 lines of code.  And since Go
>builds static binaries, you can chroot it for security.
>
>I just did a quick test between httpd and a web server written in Go
>and on a simple text file with 20,000 requests from 10 threads I saw a
>2.3x improvement on a pair of tests.
>
>On Mon, Mar 16, 2020 at 9:28 PM Flipchan  wrote:
>>
>> Hey all,
>>
>> My company needs to put up a cdn for fast hosting of javascript,
>> images and css for websites, and then I would need something faster
>> than httpd.
>>
>>
>> Does anyone here run a cdn for static website content?
>>
>> If so, what software did you use to set it up?
>>
>> have a good one
>> Sincerely
>> Filip
>
>
>
>-- 
>Aaron Mason - Programmer, open source addict
>I've taken my software vows - for beta or for worse

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Hosting a CDN question

2020-03-16 Thread Flipchan
Hey all,

My company needs to put up a cdn for fast hosting of javascript, images and css 
for websites, and then I would need something faster than httpd.


Does anyone here run a cdn for static website content?

If so, what software did you use to set it up?

have a good one
Sincerely
Filip


6.6 on t400

2020-02-11 Thread Flipchan
Hey all,
I am trying to get openbsd on a t400 laptop
The installation process works great but when it starts X the screen is just 
flickering and X is not working at all, is anyone running 6.6 on t400 and have 
any tips ?

Thanks!

Sincerely flipchan


Re: How did it happen?

2020-01-30 Thread Flipchan
Never mind it, it's working

On January 30, 2020 4:09:23 PM GMT+01:00, Flipchan  wrote:
>Has anyone verified that it writes to disk as the Qualys report says?
>
>I have tried on 6.5 and 6.4 but it's not writing to disk
>
>
>
>https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt
>
>
>
>
>On January 29, 2020 2:07:38 PM GMT+01:00, Oriol Demaria
> wrote:
>>I understand that root might be required to open privileged ports, but
>>then how commands are run as root when you exploit opensmtpd
>>vulnerability?
>>
>>In case someone hasn't seen patch right now your system.
>>
>>Regards.
>>-- 
>>Oriol Demaria
>>0x58415679
>
>-- 
>Sent from my Android device with K-9 Mail. Please excuse my brevity.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: How did it happen?

2020-01-30 Thread Flipchan
Has anyone verified that it writes to disk as the Qualys report says?

I have tried on 6.5 and 6.4 but it's not writing to disk



https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt




On January 29, 2020 2:07:38 PM GMT+01:00, Oriol Demaria  
wrote:
>I understand that root might be required to open privileged ports, but
>then how commands are run as root when you exploit opensmtpd
>vulnerability?
>
>In case someone hasn't seen patch right now your system.
>
>Regards.
>-- 
>Oriol Demaria
>0x58415679

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Relayd in docker

2019-11-07 Thread Flipchan
Hey!
I am running docker (yeah I know ..) but anyhow the task is to get a nice load 
balancer up in a docker container and I want to use relayd of course! Has 
anyone gotten relayd to work in docker or has anyone created openbsd images for 
docker?

If not I guess I have to compile it and run it on a linux docker image...



Thanks !
sincerely
flipchan


Re: Dante proxy in openbsd 6.5

2019-10-28 Thread Flipchan
Thanks ! That got it working !

On October 28, 2019 7:05:47 AM GMT+01:00, Dieter Rauschenberger 
 wrote:
>Hi,
>
>On Mon, Oct 28, 2019 at 12:07:12AM +0100, Flipchan wrote:
>> Dante has been recently upgraded and since upgrading from 6.4 to 6.5
>> dante now wants to know which user it is supposed to be run as,
>> 
>> The new part is 
>> "user.privileged: 
>
>user.unprivileged: _sockd
>
>Regards
>  Dieter
>
>> Thanks!
>> 
>> Ciao
>> flipchan

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Dante proxy in openbsd 6.5

2019-10-27 Thread Flipchan
Hey!

Dante has been recently upgraded and since upgrading from 6.4 to 6.5 dante now 
wants to know which user it is supposed to be run as.

The new part is 
"user.privileged: 
user.unprivileged". Is anyone running dante as a proxy server on 6.5 and has 
figured this out? For me, I cannot run it with the same privs as the user, 
dante just dies without any message (even though I run it with the verbose flag)

cat sockd2.conf | grep -v \# 
internal: em0 
port = 1080 
external: em0 
socksmethod: none 
user.privileged: currentuser 
user.unprivileged: currentuser 
client pass { from: 0.0.0.0/0 port 1-65535 to: 0.0.0.0/0 log: connect disconnect error }
socks pass { from: 0.0.0.0/0 to: 0.0.0.0/0 log: connect error }

$ sockd -V -f sockd2.conf 
just dies



Thanks!

Ciao
flipchan


Re: Syncing unbound.conf

2019-07-29 Thread Flipchan
It worked after appending 
do-not-query-localhost: no


On July 29, 2019 12:44:45 AM GMT+03:00, Flipchan  wrote:
>Config file
>
>ns0# cat /var/unbound/etc/unbound.conf
>
># $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $
>
>server:
>    interface: 127.0.0.1
>    #interface: ::1
>    do-ip6: no
>
>    access-control: 0.0.0.0/0 refuse
>    access-control: 127.0.0.0/8 allow
>    access-control: 192.168.0.0/16 allow
>
>    access-control: ::0/0 refuse
>    access-control: ::1 allow
>
>    hide-identity: yes
>    hide-version: yes
>
>
>remote-control:
>    control-enable: yes
>    control-use-cert: no
>    control-interface: /var/run/unbound.sock
>
># Use an upstream forwarder (recursive resolver) for specific zones.
>#
>
>forward-zone:
>    name: "testing."
>    forward-addr: 127.0.0.1@5353 # to nsd daemon
>
>forward-zone:
>    name: "."                # use for ALL queries
>    forward-addr: 1.1.1.1
>    forward-addr: 74.82.42.42
>    forward-addr: 2001:470:20::2
>    forward-addr: 208.67.222.222
>    forward-first: yes
>
>-- 
>Sincerely flipchan
>
>On July 28, 2019 6:21:49 PM GMT+03:00, Flipchan 
>wrote:
>>Thanks for the configs ! 
>>
>>https://jonwillia.ms/2018/09/23/anycast-dns-openbsd
>>(github.com/bongozone/kibble)
>>
>>I have got it to work as only either only working with my internal
>zone
>>records or working with everything else
>>
>>Unbound ignores when i put a forward-zone: name: ".testing" when i
>have
>>another forward-zone: name: "."
>>
>>Does anyone know how this could be done ? I have nsd running the zone
>>records for .testing and it works when i only have the .testing
>>forward-zone in the unbound.conf , does anyone know what im doing
>wrong
>>? 
>>
>>
>>
>>On July 27, 2019 1:35:55 AM GMT+03:00, Vijay Sankar
>> wrote:
>>>
>>>Quoting Stuart Henderson :
>>>
>>>> No - you wouldn't do it with Unbound which is a *recursive* DNS  
>>>> server, you would use an authoritative one like NSD, PowerDNS, Knot
>
>>
>>>> or BIND. All you would do with Unbound is use stub-zone to point it
>
>>
>>>> at an authoritative server.
>>>>
>>>> -- 
>>>>  Sent from a phone, apologies for poor formatting.
>>>> On 26 July 2019 11:05:44 Flipchan  wrote:
>>>>> Can you link to any guides or pratical howtos on how to pratically
>
>>
>>>>> do that with unbound ?
>>>>>
>>>>> Thanks
>>>>>
>>>>>
>>>>> On July 25, 2019 9:32:29 PM GMT+03:00, Stuart Henderson  
>>>>>  wrote:
>>>>> On 2019-07-25, Flipchan  wrote:
>>>>>
>>>>> Greetings everyone,
>>>>>
>>>>> Does anyone have a good solution for syncing unbound configuration
>>>files?
>>>>>
>>>>>
>>>>> i have the senario where i have two internal LAN's that in two  
>>>>> different offices that need to have the same internal
>>>>> dns system for the local systems, and there is a lot of changes  
>>>>> being done in the internal zone records so i need
>>>>> a good way to sync them(the ideal way where to have a similar  
>>>>> solution like mysql's master-master replication).
>>>>>
>>>>> Both dns resolvers are running unbound on openbsd 6.5 and right
>now
>>
>>>
>>>>> the configuration file is synced with ansible.
>>>>> Does anyone have a good solution on replicating dns
>records/configs
>>
>>>
>>>>> for unbound. In the future it will be scaled
>>>>> even more so right now is a good time to implement some
>replication
>>
>>>
>>>>> for the unbound configs.
>>>>>
>>>>> Does anyone have a solution for this?
>>>>>
>>>>> There is people changing the config files on both instances so the
>
>>
>>>>> ideal way would be a replication real time sync function.
>>>>>
>>>>> Anyone got any ideas?
>>>>>
>>>>>
>>>>> Thanks in advance
>>>>> Ciao
>>>>> flipchan
>>>>>
>>>>>
>>>>> If multiple sites are updating records in the same internal zone
>at
>>>various
>>>>> times, they would probably

Re: Syncing unbound.conf

2019-07-28 Thread Flipchan
Config file

ns0# cat /var/unbound/etc/unbound.conf

# $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $

server:
    interface: 127.0.0.1
    #interface: ::1
    do-ip6: no

    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow

    access-control: ::0/0 refuse
    access-control: ::1 allow

    hide-identity: yes
    hide-version: yes


remote-control:
    control-enable: yes
    control-use-cert: no
    control-interface: /var/run/unbound.sock

# Use an upstream forwarder (recursive resolver) for specific zones.
#

forward-zone:
    name: "testing."
    forward-addr: 127.0.0.1@5353 # to nsd daemon

forward-zone:
    name: "."                # use for ALL queries
    forward-addr: 1.1.1.1
    forward-addr: 74.82.42.42
    forward-addr: 2001:470:20::2
    forward-addr: 208.67.222.222
    forward-first: yes

-- 
Sincerely flipchan

On July 28, 2019 6:21:49 PM GMT+03:00, Flipchan  wrote:
>Thanks for the configs ! 
>
>https://jonwillia.ms/2018/09/23/anycast-dns-openbsd
>(github.com/bongozone/kibble)
>
>I have got it to work as only either only working with my internal zone
>records or working with everything else
>
>Unbound ignores when i put a forward-zone: name: ".testing" when i have
>another forward-zone: name: "."
>
>Does anyone know how this could be done ? I have nsd running the zone
>records for .testing and it works when i only have the .testing
>forward-zone in the unbound.conf , does anyone know what im doing wrong
>? 
>
>
>
>On July 27, 2019 1:35:55 AM GMT+03:00, Vijay Sankar
> wrote:
>>
>>Quoting Stuart Henderson :
>>
>>> No - you wouldn't do it with Unbound which is a *recursive* DNS  
>>> server, you would use an authoritative one like NSD, PowerDNS, Knot 
>
>>> or BIND. All you would do with Unbound is use stub-zone to point it 
>
>>> at an authoritative server.
>>>
>>> -- 
>>>  Sent from a phone, apologies for poor formatting.
>>> On 26 July 2019 11:05:44 Flipchan  wrote:
>>>> Can you link to any guides or pratical howtos on how to pratically 
>
>>>> do that with unbound ?
>>>>
>>>> Thanks
>>>>
>>>>
>>>> On July 25, 2019 9:32:29 PM GMT+03:00, Stuart Henderson  
>>>>  wrote:
>>>> On 2019-07-25, Flipchan  wrote:
>>>>
>>>> Greetings everyone,
>>>>
>>>> Does anyone have a good solution for syncing unbound configuration
>>files?
>>>>
>>>>
>>>> i have the senario where i have two internal LAN's that in two  
>>>> different offices that need to have the same internal
>>>> dns system for the local systems, and there is a lot of changes  
>>>> being done in the internal zone records so i need
>>>> a good way to sync them(the ideal way where to have a similar  
>>>> solution like mysql's master-master replication).
>>>>
>>>> Both dns resolvers are running unbound on openbsd 6.5 and right now
>
>>
>>>> the configuration file is synced with ansible.
>>>> Does anyone have a good solution on replicating dns records/configs
>
>>
>>>> for unbound. In the future it will be scaled
>>>> even more so right now is a good time to implement some replication
>
>>
>>>> for the unbound configs.
>>>>
>>>> Does anyone have a solution for this?
>>>>
>>>> There is people changing the config files on both instances so the 
>
>>>> ideal way would be a replication real time sync function.
>>>>
>>>> Anyone got any ideas?
>>>>
>>>>
>>>> Thanks in advance
>>>> Ciao
>>>> flipchan
>>>>
>>>>
>>>> If multiple sites are updating records in the same internal zone at
>>various
>>>> times, they would probably be better off with a normal  
>>>> authoritative DNS server
>>>> serving that zone (with e.g. stub-zone to point unbound at it),  
>>>> editing it in
>>>> one place, and using normal DNS replication (zone-transfer and
>>notify)
>>>> to push the updates.
>>>>
>>>>
>>>> --
>>>> Sent from my Android device with K-9 Mail. Please excuse my
>brevity.
>>
>>I have two locations (foretell.ca and lab.foretell.ca) and for quite a
>
>>
>>while used NSD and Unbound. But switched to the following approach  
>>(however my use case is very simple 

Re: Syncing unbound.conf

2019-07-28 Thread Flipchan
Thanks for the configs ! 

https://jonwillia.ms/2018/09/23/anycast-dns-openbsd 
(github.com/bongozone/kibble)

I have got it to work only as either working with my internal zone records 
or working with everything else

Unbound ignores it when I put a forward-zone: name: ".testing" when I have another 
forward-zone: name: "."

Does anyone know how this could be done? I have nsd running the zone records 
for .testing and it works when I only have the .testing forward-zone in the 
unbound.conf, does anyone know what I'm doing wrong?



On July 27, 2019 1:35:55 AM GMT+03:00, Vijay Sankar  wrote:
>
>Quoting Stuart Henderson :
>
>> No - you wouldn't do it with Unbound which is a *recursive* DNS  
>> server, you would use an authoritative one like NSD, PowerDNS, Knot  
>> or BIND. All you would do with Unbound is use stub-zone to point it  
>> at an authoritative server.
>>
>> -- 
>>  Sent from a phone, apologies for poor formatting.
>> On 26 July 2019 11:05:44 Flipchan  wrote:
>>> Can you link to any guides or pratical howtos on how to pratically  
>>> do that with unbound ?
>>>
>>> Thanks
>>>
>>>
>>> On July 25, 2019 9:32:29 PM GMT+03:00, Stuart Henderson  
>>>  wrote:
>>> On 2019-07-25, Flipchan  wrote:
>>>
>>> Greetings everyone,
>>>
>>> Does anyone have a good solution for syncing unbound configuration
>files?
>>>
>>>
>>> i have the senario where i have two internal LAN's that in two  
>>> different offices that need to have the same internal
>>> dns system for the local systems, and there is a lot of changes  
>>> being done in the internal zone records so i need
>>> a good way to sync them(the ideal way where to have a similar  
>>> solution like mysql's master-master replication).
>>>
>>> Both dns resolvers are running unbound on openbsd 6.5 and right now 
>
>>> the configuration file is synced with ansible.
>>> Does anyone have a good solution on replicating dns records/configs 
>
>>> for unbound. In the future it will be scaled
>>> even more so right now is a good time to implement some replication 
>
>>> for the unbound configs.
>>>
>>> Does anyone have a solution for this?
>>>
>>> There is people changing the config files on both instances so the  
>>> ideal way would be a replication real time sync function.
>>>
>>> Anyone got any ideas?
>>>
>>>
>>> Thanks in advance
>>> Ciao
>>> flipchan
>>>
>>>
>>> If multiple sites are updating records in the same internal zone at
>various
>>> times, they would probably be better off with a normal  
>>> authoritative DNS server
>>> serving that zone (with e.g. stub-zone to point unbound at it),  
>>> editing it in
>>> one place, and using normal DNS replication (zone-transfer and
>notify)
>>> to push the updates.
>>>
>>>
>>> --
>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>
>I have two locations (foretell.ca and lab.foretell.ca) and for quite a 
>
>while used NSD and Unbound. But switched to the following approach  
>(however my use case is very simple and my networks are small, but it  
>works well for me)
>
>My unbound.conf on four DNS servers have
>
>include: "/var/unbound/etc/zonedata"
>
>I then set up a simple zonedata file on one server with stuff such as:
>
>local-zone: "foretell.ca." static
>.
>.
>local-zone: "lab.foretell.ca." static
>.
>.
>local-zone: "0.0.10.in-addr.arpa." static
>.
>.
>local-zone: "3.72.10.in-addr.arpa." static
>.
>.
>etc. etc.
>
>Changes to zonedata reflect changes at both locations. Then I just  
>have a rsync process running a few times a day that does the following:
>
>fr1s1.foretell.ca# more dnsupdate.sh
>rsync -av zonedata 10.0.0.1:/var/unbound/etc/
>rsync -av zonedata 10.0.0.3:/var/unbound/etc/
>rsync -av zonedata 10.72.3.1:/var/unbound/etc/
>rsync -av zonedata 10.72.3.3:/var/unbound/etc/
>ssh 10.0.0.1 /etc/rc.d/unbound restart
>ssh 10.0.0.3 /etc/rc.d/unbound restart
>ssh 10.72.3.1 /etc/rc.d/unbound restart
>ssh 10.72.3.3 /etc/rc.d/unbound restart
>
>Obviously I am not sure if this will scale for your requirements but  
>mentioning this just in case it helps.
>
>Vijay
>
>
>-- 
>ForeTell Technologies Limited
>59 Flamingo Avenue
>Winnipeg, MB, Canada
>R3J 0X6

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: Syncing unbound.conf

2019-07-26 Thread Flipchan
Can you link to any guides or practical howtos on how to practically do that with 
unbound?

Thanks

On July 25, 2019 9:32:29 PM GMT+03:00, Stuart Henderson  
wrote:
>On 2019-07-25, Flipchan  wrote:
>> Greetings everyone,
>>
>> Does anyone have a good solution for syncing unbound configuration
>files?
>>
>>
>> I have the scenario where I have two internal LANs that are in two
>> different offices that need to have the same internal
>> DNS system for the local systems, and there are a lot of changes being
>> done in the internal zone records so I need
>> a good way to sync them (the ideal way would be to have a similar
>> solution like MySQL's master-master replication).
>>
>> Both dns resolvers are running unbound on openbsd 6.5 and right now
>the configuration file is synced with ansible.
>> Does anyone have a good solution on replicating dns records/configs
>for unbound. In the future it will be scaled
>> even more so right now is a good time to implement some replication
>for the unbound configs.
>>
>> Does anyone have a solution for this?
>>
>> There are people changing the config files on both instances so the
>> ideal way would be a replication real time sync function.
>>
>> Anyone got any ideas?
>>
>>
>> Thanks in advance 
>> Ciao
>> flipchan
>>
>
>If multiple sites are updating records in the same internal zone at
>various
>times, they would probably be better off with a normal authoritative
>DNS server
>serving that zone (with e.g. stub-zone to point unbound at it), editing
>it in
>one place, and using normal DNS replication (zone-transfer and notify)
>to push the updates.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Syncing unbound.conf

2019-07-25 Thread Flipchan
Greetings everyone,

Does anyone have a good solution for syncing unbound configuration files?


I have the scenario where I have two internal LANs that are in two different 
offices that need to have the same internal
DNS system for the local systems, and there are a lot of changes being done in 
the internal zone records so I need
a good way to sync them (the ideal way would be to have a similar solution like 
MySQL's master-master replication).

Both dns resolvers are running unbound on openbsd 6.5 and right now the 
configuration file is synced with ansible.
Does anyone have a good solution on replicating dns records/configs for 
unbound. In the future it will be scaled
even more so right now is a good time to implement some replication for the 
unbound configs.

Does anyone have a solution for this?

There are people changing the config files on both instances so the ideal way 
would be a replication real time sync function.

Anyone got any ideas?


Thanks in advance 
Ciao
flipchan


Re: When will be created a great desktop experience for OpenBSD?

2019-05-07 Thread Flipchan
Awesome wm no more words needed

On May 7, 2019 7:01:34 AM GMT+02:00, Clark Block  wrote:
>In 2019 still there is not a great desktop experience for NetBSD.
>However,
>the new "OS108" is seeking to improve this with a NetBSD operating
>system
>paired with the MATE desktop environment.
>So, OS108, a derivative of NetBSD, has just been released:
>https://os108.org/?ez_cid=CLIENT_ID(AMP_ECID_EZOIC)
>
>When will be created a great desktop experience for OpenBSD?

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: hacked for the second time

2019-04-04 Thread Flipchan
Set up snort or verbose logging to find out what's wrong

On April 3, 2019 8:56:39 PM GMT+02:00, Cord  wrote:
>Hi,
>I have some heavy suspect that my openbsd box was been hacked for the
>second time in few weeks. The first time was been some weeks ago, I
>have got some suspects and after few checks I have found that someone
>was been connected to my vps via ssh on a non-standard port using my
>ssh key. The connection came from a tor exit node. There were been 2
>connections and up since 5 days. Now I have some other new suspects
>because some private email seems knew from others. Also I have found
>other open sessions on the web gui of my email provider, but I am
>absolutely sure I have done the logout always.
>I am using just chrome+unveil and I haven't used any other script or
>opened pdf (maybe I have opened 1 or 2 pdf from inside of chrome). I
>have used epiphany *only* to open the webmail because chrome crash. My
>email provider support html (obviously) but generally photo are not
>loaded. Of course I have pf enable and few service.
>I also use a vpn and I visit very few web site with chrome.. maybe 20
>or 25 website just to read news. Sometimes I search things about
>openbsd.
>Anyone could help me ?
>Cord.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: Django + httpd + relayd

2019-03-31 Thread Flipchan
How to create it with socat (not working with httpd):

doas -uwww socat UNIX-LISTEN:/var/www/run/listen.sock,reuseaddr,fork TCP:internetaddress:portgoeshere


You can check it with curl: 

curl -v --unix-socket /var/www/run/listen.sock http:/robots.txt 

This is the fastcgi reverse proxy(pkg_add -iv kcgi | 
https://kristaps.bsd.lv/kcgi/): 

kfcgi -d -u www -n 2 -r -p /var/fcgihttp -- /fcgihttp ip port


Best of luck !


On March 30, 2019 8:37:42 PM GMT+01:00, Michael Joy  
wrote:
>Thanks so much Flipchan. I'll give it a go. Feel free to send on any
>config
>examples relating to the fastcgi reverse proxy. All help much
>appreciated!
>
>On Sat, 30 Mar 2019 at 19:34, Flipchan  wrote:
>
>> Reyk, if you're reading this, reverse proxy is a feature request for
>> httpd.
>>
>>
>> Just set up a bunch of your Django stuff and have relayd redirect to the
>> hosts in a way you see fit, like create a relay for http in the conf and
>> write a table with the hosts and ports and forward it to the table. Check
>> out Hugo's project Hiawatha; it comes with a lot of nice features and it
>> will get rid of the ugly reverse proxy hack because it has a native
>> built-in reverse proxy. I can send you how I solved the fastcgi reverse
>> proxy; it's basically httpd listening on a fastcgi socket that is a
>> reverse proxy. I tried just creating a reverse unix socket but httpd will
>> not work with that, so fastcgi socket only, it seems.
>>
>> Good luck
>>
>>
>>
>> On March 30, 2019 4:29:46 PM GMT+01:00, Michael Joy
>
>> wrote:
>>>
>>> Sounds perfect. Any tips on how to get started with configuration
>and such?
>>>
>>> On Sat, 30 Mar 2019 at 15:19, Flipchan  wrote:
>>>
>>>>  You can't do a reverse proxy with httpd, however you can do it ugly
>>>>  with a fastcgi reverse proxy: httpd fastcgi reverse proxy to relayd and
>>>>  load balance to multiple Python listeners. I have it working like a
>>>>  charm :)
>>>>
>>>>  On March 30, 2019 3:22:47 PM GMT+01:00, Michael Joy
>
>>>>  wrote:
>>>>
>>>>>
>>>>>  Apologies in advance for the noobish question.
>>>>>  Does anyone have a tutorial or example of a working configuration
>for a
>>>>>  Django app being served with httpd and relayd? Beating my head
>off the wall
>>>>>  with it at this point.
>>>>>
>>>>>
>>>>>  --
>>>>  Sent from my Android device with K-9 Mail. Please excuse my
>brevity.
>>>>
>>>>
>> --
>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: Django + httpd + relayd

2019-03-30 Thread Flipchan
Reyk, if you're reading this, reverse proxy is a feature request for httpd.


Just set up a bunch of your Django stuff and have relayd redirect to the hosts 
in a way you see fit, like create a relay for http in the conf and write a 
table with the hosts and ports and forward it to the table. Check out Hugo's 
project Hiawatha; it comes with a lot of nice features and it will get rid of the 
ugly reverse proxy hack because it has a native built-in reverse proxy. I can send 
you how I solved the fastcgi reverse proxy; it's basically httpd listening on a 
fastcgi socket that is a reverse proxy. I tried just creating a reverse unix 
socket but httpd will not work with that, so fastcgi socket only, it seems.

Good luck



On March 30, 2019 4:29:46 PM GMT+01:00, Michael Joy  
wrote:
>Sounds perfect. Any tips on how to get started with configuration and
>such?
>
>On Sat, 30 Mar 2019 at 15:19, Flipchan  wrote:
>
>> You can't do a reverse proxy with httpd, however you can do it ugly
>> with a fastcgi reverse proxy: httpd fastcgi reverse proxy to relayd and
>> load balance to multiple Python listeners. I have it working like a
>> charm :)
>>
>> On March 30, 2019 3:22:47 PM GMT+01:00, Michael Joy
>
>> wrote:
>>>
>>> Apologies in advance for the noobish question.
>>> Does anyone have a tutorial or example of a working configuration
>for a
>>> Django app being served with httpd and relayd? Beating my head off
>the wall
>>> with it at this point.
>>>
>>>
>> --
>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: Django + httpd + relayd

2019-03-30 Thread Flipchan
You can't do a reverse proxy with httpd, however you can do it ugly with a 
fastcgi reverse proxy: httpd fastcgi reverse proxy to relayd and load balance 
to multiple Python listeners. I have it working like a charm :)

On March 30, 2019 3:22:47 PM GMT+01:00, Michael Joy  
wrote:
>Apologies in advance for the noobish question.
>Does anyone have a tutorial or example of a working configuration for a
>Django app being served with httpd and relayd? Beating my head off the
>wall
>with it at this point.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: what about security ?

2019-03-25 Thread Flipchan
Check out pledge

On March 25, 2019 11:20:13 PM GMT+01:00, Cord  wrote:
>Hi,
>what security technology can I implement to securify for example script
>that connect to any website ?
>Is there any howto for chroot ?
>Thank you.
>Cord

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Leveldb in 6.4

2019-03-21 Thread Flipchan
Hey all,

Has anyone been able to install leveldb on 6.4 with header files ?


i have installed it with pkg_add
# pkg_info -Q leveldb
leveldb-1.20 (installed)

but it will not include:

 fatal error: 'leveldb/db.h' file not found
 #include "leveldb/db.h"
^~
 7 warnings and 1 error generated.
 error: command 'cc' failed with exit status 1


- flipchan


Re: httpd: need root privileges

2019-03-19 Thread Flipchan
Listen to ingo's advice, just put the stuff in a dir in /var/www/

On March 19, 2019 2:05:33 PM GMT+01:00, Alfred Morgan  wrote:
>I tried starting a temporary httpd server on port 8080 as a user to
>serve
>some files and I found this error:
>httpd: need root privileges
>
>I would think there would be value in letting httpd be run by standard
>users.
>-- 
>-alfred

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Live iso with 6.4

2019-01-24 Thread Flipchan
Has anyone been able to create a live iso of 6.4?

Can't seem to find any scripts/documentation about it




Cheers
-- 
Sincerely flipchan


Re: Opensmtpd auth in 6.4

2019-01-14 Thread Flipchan
I got it working , thanks :)

On January 14, 2019 1:45:22 PM GMT+01:00, Gilles Chehade  
wrote:
>On Mon, Jan 14, 2019 at 01:42:19PM +0100, Flipchan wrote:
>> I tried to echo it another way (echo -ne '\user\passwd' | base64 )
>> and then 
>> auth plain string
>> and it works
>> 
>> 
>> Now I'm getting new errors :/ or I think I have misconfigured match,
>> I can't send to external addresses, log:
>> http://dpaste.com/2M8JMQC.txt
>> 
>
>you need a rule that matches auth, for example:
>
>match auth from any for any action "relay"
>
>
>> On January 14, 2019 1:10:24 PM GMT+01:00, Gilles Chehade
> wrote:
>> >On Mon, Jan 14, 2019 at 01:03:19PM +0100, Flipchan wrote:
>> >> Seems like it adds "\^J" to the username , i base64 encode it
>using:
>> >> echo "user" | base64 
>> >> 
>> >> Log from smtpd -dv -T smtp :
>> >> http://dpaste.com/0CAVJFF.txt
>> >> 
>> >
>> >honestly, i'm confused by what you're doing
>> >
>> >can you setup a temporary account, with a temporary password,
>> >authenticate to it
>> >using a regular MUA (whichever you want, just don't auth manually), 
>> >then trash
>> >the account and send us logs that aren't doctored ?
>> >
>> >
>> >
>> >> On January 14, 2019 9:41:42 AM GMT+01:00, Gilles Chehade
>> > wrote:
>> >> >On Sat, Jan 12, 2019 at 05:36:11PM +0100, Flipchan wrote:
>> >> >> Hey, am tryin to upgrade my opensmtpd 
>> >> >> email server running on openbsd 6.3 towards a new one on 6.4, 
>> >> >> i have used a simple config with the new syntax:
>> >> >>  cat /etc/mail/smtpd.conf 
>> >> >> 
>> >> >> table aliases file:/etc/mail/aliases 
>> >> >> 
>> >> >> #table other-relays file:/etc/mail/other-relays 
>> >> >> 
>> >> >> pki mail.example.com cert "/etc/ssl/mail.example.com.crt" 
>> >> >> pki mail.example.com key
>"/etc/ssl/private/mail.example.com.key" 
>> >> >> 
>> >> >> listen on lo0 
>> >> >> listen on vio0 port 587 hostname example.com tls-require pki
>> >> >mail.example.com auth mask-source 
>> >> >> listen on vio0 port 25 hostname example.com tls pki
>> >mail.example.com 
>> >> >> 
>> >> >> action "mbox" mbox alias  
>> >> >> action "relay" relay
>> >> >> 
>> >> >> match for local action "mbox" 
>> >> >> match for any action "relay"
>> >> >> match from any for domain example.com action "mbox" 
>> >> >> 
>> >> >> 
>> >> >> i cant login with a users regular username and passwd which is
>> >weird.
>> >> >
>> >> >> In the documentation it says that it is suppose to take regular
>> >user
>> >> >creds if not a table is defined which it is not.
>> >> >>  https://man.openbsd.org/smtpd.conf#listen_on
>> >> >> 
>> >> >>  "Users are authenticated against either their own normal login
>> >> >credentials or a credentials table authtable, the format of which
>is
>> >> >described in table(5)."
>> >> >> 
>> >> >>  Does anyone know what im doing wrong here? 
>> >> >> 
>> >> >> maillog: 
>> >> >> Jan 12 16:47:49 host smtpd[95842]: XXX smtp
>connected
>> >> >address=ip host=ip Jan 12 16:47:49 host 
>> >> >> smtpd[95842]: XXX smtp starttls address=ip host=ip
>> >> >ciphers="version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384,
>> >bits=256"
>> >> >Jan 12 16:47:49 host 
>> >> >> smtpd[95842]: XXX smtp authentication user=user
>> >> >address=ip host=ip result=permfail Jan 12 16:47:49 host 
>> >> >> smtpd[95842]: XXX smtp failed-command address=ip
>> >host=ip
>> >> >command="AUTH PLAIN (...)" result="535 Authentication failed" Jan
>12
>> >> >16:47:49 host 
>> >> >> smtpd[95842]: XXX smtp authentication user=user
>> >> >address=ip host=ip result=permfail Jan 12 16:47:50 host 
>> &

Re: Opensmtpd auth in 6.4

2019-01-14 Thread Flipchan
I tried to echo it another way (echo -ne '\user\passwd' | base64 )
and then 
auth plain string
and it works


Now I'm getting new errors :/ or I think I have misconfigured match, I can't 
send to external addresses, log:
http://dpaste.com/2M8JMQC.txt


On January 14, 2019 1:10:24 PM GMT+01:00, Gilles Chehade  
wrote:
>On Mon, Jan 14, 2019 at 01:03:19PM +0100, Flipchan wrote:
>> Seems like it adds "\^J" to the username , i base64 encode it using:
>> echo "user" | base64 
>> 
>> Log from smtpd -dv -T smtp :
>> http://dpaste.com/0CAVJFF.txt
>> 
>
>honestly, i'm confused by what you're doing
>
>can you setup a temporary account, with a temporary password,
>authenticate to it
>using a regular MUA (whichever you want, just don't auth manually), 
>then trash
>the account and send us logs that aren't doctored ?
>
>
>
>> On January 14, 2019 9:41:42 AM GMT+01:00, Gilles Chehade
> wrote:
>> >On Sat, Jan 12, 2019 at 05:36:11PM +0100, Flipchan wrote:
>> >> Hey, am tryin to upgrade my opensmtpd 
>> >> email server running on openbsd 6.3 towards a new one on 6.4, 
>> >> i have used a simple config with the new syntax:
>> >>  cat /etc/mail/smtpd.conf 
>> >> 
>> >> table aliases file:/etc/mail/aliases 
>> >> 
>> >> #table other-relays file:/etc/mail/other-relays 
>> >> 
>> >> pki mail.example.com cert "/etc/ssl/mail.example.com.crt" 
>> >> pki mail.example.com key "/etc/ssl/private/mail.example.com.key" 
>> >> 
>> >> listen on lo0 
>> >> listen on vio0 port 587 hostname example.com tls-require pki
>> >mail.example.com auth mask-source 
>> >> listen on vio0 port 25 hostname example.com tls pki
>mail.example.com 
>> >> 
>> >> action "mbox" mbox alias  
>> >> action "relay" relay
>> >> 
>> >> match for local action "mbox" 
>> >> match for any action "relay" 
>> >> match from any for domain example.com action "mbox" 
>> >> 
>> >> 
>> >> i cant login with a users regular username and passwd which is
>weird.
>> >
>> >> In the documentation it says that it is suppose to take regular
>user
>> >creds if not a table is defined which it is not.
>> >>  https://man.openbsd.org/smtpd.conf#listen_on
>> >> 
>> >>  "Users are authenticated against either their own normal login
>> >credentials or a credentials table authtable, the format of which is
>> >described in table(5)."
>> >> 
>> >>  Does anyone know what im doing wrong here? 
>> >> 
>> >> maillog: 
>> >> Jan 12 16:47:49 host smtpd[95842]: XXX smtp connected
>> >address=ip host=ip Jan 12 16:47:49 host 
>> >> smtpd[95842]: XXX smtp starttls address=ip host=ip
>> >ciphers="version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384,
>bits=256"
>> >Jan 12 16:47:49 host 
>> >> smtpd[95842]: XXX smtp authentication user=user
>> >address=ip host=ip result=permfail Jan 12 16:47:49 host 
>> >> smtpd[95842]: XXX smtp failed-command address=ip
>host=ip
>> >command="AUTH PLAIN (...)" result="535 Authentication failed" Jan 12
>> >16:47:49 host 
>> >> smtpd[95842]: XXX smtp authentication user=user
>> >address=ip host=ip result=permfail Jan 12 16:47:50 host 
>> >> smtpd[95842]: XXX smtp failed-command address=ip
>host=ip
>> >command="AUTH LOGIN (password)" result="535 Authentication failed"
>> >> 
>> >
>> >Hi,
>> >
>> >First of all, it should read mask-src and not mask-source, otherwise
>> >the
>> >auth keyword is assuming a table containing literal string
>> >"mask-source"
>> >and this will cause authentication to fail.
>> >
>> >A good method to troubleshoot, is to run smtpd in trace mode:
>> >
>> >  smtpd -dv -T smtp
>> >
>> >create a test user with a temporary password, so you can share the
>> >trace
>> >output here and we can try to figure out what's wrong ... but likely
>> >the
>> >mask-source issue is the cause here.
>> >
>> >
>> >-- 
>> >Gilles Chehade @poolpOrg
>> >
>> >https://www.poolp.org tip me:
>> >https://paypal.me/poolpOrg
>> 
>> -- 
>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>
>-- 
>Gilles Chehade@poolpOrg
>
>https://www.poolp.org tip me:
>https://paypal.me/poolpOrg

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: Opensmtpd auth in 6.4

2019-01-14 Thread Flipchan
Seems like it adds "\^J" to the username, I base64 encode it using:
echo "user" | base64 

Log from smtpd -dv -T smtp :
http://dpaste.com/0CAVJFF.txt

On January 14, 2019 9:41:42 AM GMT+01:00, Gilles Chehade  
wrote:
>On Sat, Jan 12, 2019 at 05:36:11PM +0100, Flipchan wrote:
>> Hey, am tryin to upgrade my opensmtpd 
>> email server running on openbsd 6.3 towards a new one on 6.4, 
>> i have used a simple config with the new syntax:
>>  cat /etc/mail/smtpd.conf 
>> 
>> table aliases file:/etc/mail/aliases 
>> 
>> #table other-relays file:/etc/mail/other-relays 
>> 
>> pki mail.example.com cert "/etc/ssl/mail.example.com.crt" 
>> pki mail.example.com key "/etc/ssl/private/mail.example.com.key" 
>> 
>> listen on lo0 
>> listen on vio0 port 587 hostname example.com tls-require pki
>mail.example.com auth mask-source 
>> listen on vio0 port 25 hostname example.com tls pki mail.example.com 
>> 
>> action "mbox" mbox alias  
>> action "relay" relay
>> 
>> match for local action "mbox" 
>> match for any action "relay" 
>> match from any for domain example.com action "mbox" 
>> 
>> 
>> i cant login with a users regular username and passwd which is weird.
>
>> In the documentation it says that it is suppose to take regular user
>creds if not a table is defined which it is not.
>>  https://man.openbsd.org/smtpd.conf#listen_on
>> 
>>  "Users are authenticated against either their own normal login
>credentials or a credentials table authtable, the format of which is
>described in table(5)."
>> 
>>  Does anyone know what im doing wrong here? 
>> 
>> maillog: 
>> Jan 12 16:47:49 host smtpd[95842]: XXX smtp connected
>address=ip host=ip Jan 12 16:47:49 host 
>> smtpd[95842]: XXX smtp starttls address=ip host=ip
>ciphers="version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256"
>Jan 12 16:47:49 host 
>> smtpd[95842]: XXX smtp authentication user=user
>address=ip host=ip result=permfail Jan 12 16:47:49 host 
>> smtpd[95842]: XXX smtp failed-command address=ip host=ip
>command="AUTH PLAIN (...)" result="535 Authentication failed" Jan 12
>16:47:49 host 
>> smtpd[95842]: XXX smtp authentication user=user
>address=ip host=ip result=permfail Jan 12 16:47:50 host 
>> smtpd[95842]: XXX smtp failed-command address=ip host=ip
>command="AUTH LOGIN (password)" result="535 Authentication failed"
>> 
>
>Hi,
>
>First of all, it should read mask-src and not mask-source, otherwise
>the
>auth keyword is assuming a table containing literal string
>"mask-source"
>and this will cause authentication to fail.
>
>A good method to troubleshoot, is to run smtpd in trace mode:
>
>  smtpd -dv -T smtp
>
>create a test user with a temporary password, so you can share the
>trace
>output here and we can try to figure out what's wrong ... but likely
>the
>mask-source issue is the cause here.
>
>
>-- 
>Gilles Chehade@poolpOrg
>
>https://www.poolp.org tip me:
>https://paypal.me/poolpOrg

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
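
The "\^J" in the message above is the newline that `echo` appends before `base64` sees the input. The block below is an added example, not code from the thread: it builds an AUTH PLAIN token without that newline and diagnoses a token pasted by hand. The function names and the sample credentials `user`/`passwd` are assumptions for illustration, and it assumes a `base64` command that accepts `-d`.

```shell
#!/bin/sh
# Added example (not code from the thread): build and inspect SMTP AUTH tokens.
# SASL PLAIN (RFC 4616) is base64(authzid NUL authcid NUL passwd); an empty
# authzid is the usual case. No newline belongs inside the token.

# auth_plain_token USER PASS -> token for an "AUTH PLAIN <token>" line.
auth_plain_token() {
    # %s keeps user and password out of the format string, so a value that
    # starts with a digit cannot be absorbed into the \0 octal escape.
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# token_hex TOKEN -> decoded bytes as lowercase hex. Shell variables cannot
# hold NUL, so the decoded token is only ever handled as a hex string.
token_hex() {
    printf '%s' "$1" | base64 -d | od -An -v -tx1 | tr -d ' \n'
}

# check_plain_token TOKEN -> prints one verdict:
#   ok | trailing-newline | bad-field-count
check_plain_token() {
    hex=$(token_hex "$1")
    case "$hex" in
        *0a) echo "trailing-newline"; return 0 ;;
    esac
    # Count NUL separators one byte at a time; PLAIN needs exactly two.
    nuls=$(printf '%s\n' "$hex" | fold -w 2 | grep -c '^00$' || true)
    if [ "$nuls" -eq 2 ]; then
        echo "ok"
    else
        echo "bad-field-count"
    fi
}

# check_login_field FIELD -> verdict for one AUTH LOGIN reply (user or
# password is sent as its own base64 string, so the same newline bug applies).
check_login_field() {
    case "$(token_hex "$1")" in
        *0a) echo "trailing-newline" ;;
        *)   echo "ok" ;;
    esac
}

# Constructed sample values, not real credentials.
good=$(auth_plain_token user passwd)
bad=$(echo "user" | base64)        # echo appends "\n" before encoding
printf '%s -> %s\n' "$good" "$(check_plain_token "$good")"
printf '%s -> %s\n' "$bad" "$(check_plain_token "$bad")"
printf '%s -> %s (as AUTH LOGIN field)\n' "$bad" "$(check_login_field "$bad")"
```
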


Re: Opensmtpd auth in 6.4

2019-01-13 Thread Flipchan
I changed mask-src and tried some other stuff, still without success. When using 
openssl ehlo test and auth login, all I get is authentication failed. I have 
verified that the password is legit but no luck

On January 12, 2019 11:37:42 PM GMT+01:00, Carlin Bingham  
wrote:
>On Sat, Jan 12, 2019 at 05:36:11PM +0100, Flipchan wrote:
>> Hey, am tryin to upgrade my opensmtpd 
>> email server running on openbsd 6.3 towards a new one on 6.4, 
>> i have used a simple config with the new syntax:
>>  cat /etc/mail/smtpd.conf 
>> 
>> table aliases file:/etc/mail/aliases 
>> 
>> #table other-relays file:/etc/mail/other-relays 
>> 
>> pki mail.example.com cert "/etc/ssl/mail.example.com.crt" 
>> pki mail.example.com key "/etc/ssl/private/mail.example.com.key" 
>> 
>> listen on lo0 
>> listen on vio0 port 587 hostname example.com tls-require pki
>mail.example.com auth mask-source 
>
>mask-source was changed to mask-src 
>
>I think because mask-source is no longer a valid keyword its being
>interpreted as a parameter to auth.
>
>
>--
>Carlin

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Opensmtpd auth in 6.4

2019-01-12 Thread Flipchan
Hey, am tryin to upgrade my opensmtpd 
email server running on openbsd 6.3 towards a new one on 6.4, 
i have used a simple config with the new syntax:
 cat /etc/mail/smtpd.conf 

table aliases file:/etc/mail/aliases 

#table other-relays file:/etc/mail/other-relays 

pki mail.example.com cert "/etc/ssl/mail.example.com.crt" 
pki mail.example.com key "/etc/ssl/private/mail.example.com.key" 

listen on lo0 
listen on vio0 port 587 hostname example.com tls-require pki mail.example.com auth mask-source 
listen on vio0 port 25 hostname example.com tls pki mail.example.com 

action "mbox" mbox alias  
action "relay" relay

match for local action "mbox" 
match for any action "relay" 
match from any for domain example.com action "mbox" 


I can't log in with a user's regular username and passwd, which is weird. 
In the documentation it says that it is supposed to take regular user creds if 
a table is not defined, which it is not.
 https://man.openbsd.org/smtpd.conf#listen_on

 "Users are authenticated against either their own normal login credentials or 
a credentials table authtable, the format of which is described in table(5)."

 Does anyone know what im doing wrong here? 

maillog: 
Jan 12 16:47:49 host smtpd[95842]: XXX smtp connected address=ip host=ip
Jan 12 16:47:49 host smtpd[95842]: XXX smtp starttls address=ip host=ip ciphers="version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256"
Jan 12 16:47:49 host smtpd[95842]: XXX smtp authentication user=user address=ip host=ip result=permfail
Jan 12 16:47:49 host smtpd[95842]: XXX smtp failed-command address=ip host=ip command="AUTH PLAIN (...)" result="535 Authentication failed"
Jan 12 16:47:49 host smtpd[95842]: XXX smtp authentication user=user address=ip host=ip result=permfail
Jan 12 16:47:50 host smtpd[95842]: XXX smtp failed-command address=ip host=ip command="AUTH LOGIN (password)" result="535 Authentication failed"


 Sincerely flipchan


Re: Httpd unix socket

2018-12-26 Thread Flipchan
I used reyk's fcgi to http proxy to reverse proxy it :))

 https://github.com/reyk/fcgihttp 

On December 23, 2018 8:34:40 PM GMT+01:00, Stuart Henderson 
 wrote:
>On 2018-12-23, Flipchan  wrote:
>> I have a http server listening on a socket in
>/var/www/run/listen.sock , with permissions 0666 and www:www i can curl
>the socket and it works , but it does not work when i try to use it
>with httpd, maybe because httpd only support fastcgi sockets and not
>"raw" unix sockets.
>
>Exactly - httpd doesn't do any kind of HTTP proxying, only fastcgi.
>
>relayd doesn't support proxying to a unix socket either - you would
>either
>need to switch to HTTP-over-TCP, or FastCGI-over-socket, or use a
>different
>reverse proxy (nginx supports this).

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: Httpd unix socket

2018-12-22 Thread Flipchan
It also works when I curl the socket from the user www with doas

On December 23, 2018 2:17:50 AM GMT+01:00, Tom Smyth 
 wrote:
>Hi Flip
>
>at a guess httpd is chrooted   perhaps this is causing you the issue
>
>can you see if you refer to it in your config  as /run/listen.sock
>does it work for you ?
>
>I hope this helps...
>
>On Sun, 23 Dec 2018 at 01:10, Flipchan  wrote:
>>
>> Hey,
>>
>> I have a http server listening on a socket in
>/var/www/run/listen.sock , with permissions 0666 and www:www i can curl
>the socket and it works , but it does not work when i try to use it
>with httpd, maybe because httpd only support fastcgi sockets and not
>"raw" unix sockets.
>>
>> Does anyone know how to get httpd to use unix sockets?
>>
>> The only solution i could image was to monkey hack a fastcgi socket
>to reverse proxy to the regular socket, this was without success.
>>
>>
>> Take Care
>> Sincerely Filip
>
>
>
>-- 
>Kindest regards,
>Tom Smyth
>
>Mobile: +353 87 6193172
>The information contained in this E-mail is intended only for the
>confidential use of the named recipient. If the reader of this message
>is not the intended recipient or the person responsible for
>delivering it to the recipient, you are hereby notified that you have
>received this communication in error and that any review,
>dissemination or copying of this communication is strictly prohibited.
>If you have received this in error, please notify the sender
>immediately by telephone at the number above and erase the message
>You are requested to carry out your own virus check before
>opening any attachment.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: Httpd unix socket

2018-12-22 Thread Flipchan
Hey, 

In httpd.conf i have put it as:
fastcgi socket "/run/listen.sock"

The request just times out, when running httpd in debug mode:
httpd -dvv 

Nothing is reported about this which is very weird 

On December 23, 2018 2:17:50 AM GMT+01:00, Tom Smyth 
 wrote:
>Hi Flip
>
>at a guess httpd is chrooted   perhaps this is causing you the issue
>
>can you see if you refer to it in your config  as /run/listen.sock
>does it work for you ?
>
>I hope this helps...
>
>On Sun, 23 Dec 2018 at 01:10, Flipchan  wrote:
>>
>> Hey,
>>
>> I have a http server listening on a socket in
>/var/www/run/listen.sock , with permissions 0666 and www:www i can curl
>the socket and it works , but it does not work when i try to use it
>with httpd, maybe because httpd only support fastcgi sockets and not
>"raw" unix sockets.
>>
>> Does anyone know how to get httpd to use unix sockets?
>>
>> The only solution i could image was to monkey hack a fastcgi socket
>to reverse proxy to the regular socket, this was without success.
>>
>>
>> Take Care
>> Sincerely Filip
>
>
>
>-- 
>Kindest regards,
>Tom Smyth
>
>Mobile: +353 87 6193172

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Httpd unix socket

2018-12-22 Thread Flipchan
Hey,

I have an HTTP server listening on a socket in /var/www/run/listen.sock, with 
permissions 0666 and www:www. I can curl the socket and it works, but it does 
not work when I try to use it with httpd, maybe because httpd only supports 
fastcgi sockets and not "raw" unix sockets.

Does anyone know how to get httpd to use unix sockets?

The only solution I could imagine was to monkey hack a fastcgi socket to reverse 
proxy to the regular socket; this was without success.


Take Care 
Sincerely Filip


Re: Relayd with multiple lets encrypt cert's

2018-12-22 Thread Flipchan
So the only way is to have each vhost listen on one port each?

On December 22, 2018 12:31:54 PM GMT+01:00, Claudio Jeker 
 wrote:
>On Sat, Dec 22, 2018 at 12:28:46PM +0100, Aham Brahmasmi wrote:
>> Hi,
>> 
>> > On Sat, Dec 22, 2018 at 07:07:58AM +0100, Flipchan wrote:
>> > > Hello,
>> > > Does anyone know how to get this working with multiple
>letsencrypt certs?
>> > > 
>> > 
>> > You need individual IP:port settings for each of the certs. Also
>don't
>> > forward to different hosts based on match rules unless you really
>know
>> > what you are doing. The backend system is only evaluated at the
>start of
>> > the connection and so keepalive sessions will not route correctly.
>> > 
>> > -- 
>> > :wq Claudio
>> 
>> Would having a single SAN certificate help in this case [1]?
>> 
>
>Yes and no. It would make listening on one port possible but it does
>not
>solve the issue of 'match forward to' being sticky for a connection.
>
>-- 
>:wq Claudio



Relayd with multiple lets encrypt cert's

2018-12-21 Thread Flipchan
Hello,

I'm trying to get relayd to work with multiple letsencrypt certificates,

i want to go user -> https -> http backendhost based on Host header

relayd:

table  { 192.168.3.3 192.168.3.3 }
table  { 127.0.0.1 }
table  { 192.168.3.6 192.168.3.5 }

http protocol vhost {
    match request header "Host" value "0.domain.tld" forward to 
    match request header "Host" value "1.domain.tld" forward to 
    match request header "Host" value "2.domain.tld" forward to 
}

relay vhost {
    listen on 127.0.0.1 port 8089
    protocol vhost
    forward to  port http check icmp
    forward to  port http check icmp
    forward to  port http check icmp
}

http protocol https {
    tcp { nodelay, sack, socket buffer 65536, backlog 128 }
#   tls ca cert "/etc/ssl/1.domain.tld.crt"
#   tls ca file "/etc/ssl/1.domain.tld.fullchain.pem"
#   tls ca key "/etc/ssl/private/1.domain.tld.key" password ""

}

relay sslhost {
    listen on 127.0.0.1 port 8443 ssl
    protocol https
    forward with tls to  port https check icmp
}

Does anyone know how to get this working with multiple letsencrypt certs?



Sincerely
flipchan
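
The layout Claudio Jeker describes in his reply in this thread (one IP:port listener per certificate, each with a fixed backend instead of "match ... forward to"), sketched as an added example that is not from the thread. The listen addresses 192.0.2.10 and 192.0.2.11 and the table names site0 and site1 are assumptions; the certificate lookup by listen address follows relayd.conf(5) as shipped with OpenBSD releases of that time.

```conf
# /etc/relayd.conf (added example; addresses and table names are placeholders)

table <site0> { 192.168.3.3 }
table <site1> { 192.168.3.5 192.168.3.6 }

http protocol https {
    tcp { nodelay, sack, socket buffer 65536, backlog 128 }
    # Tell the plain-HTTP backend who the real client was
    match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
}

# 0.domain.tld resolves to 192.0.2.10.
# relayd looks for the key pair named after the listen address:
#   /etc/ssl/192.0.2.10.crt            (full chain for 0.domain.tld)
#   /etc/ssl/private/192.0.2.10.key
relay tls_site0 {
    listen on 192.0.2.10 port 443 tls
    protocol https
    forward to <site0> port http check icmp
}

# 1.domain.tld resolves to 192.0.2.11.
#   /etc/ssl/192.0.2.11.crt            (full chain for 1.domain.tld)
#   /etc/ssl/private/192.0.2.11.key
relay tls_site1 {
    listen on 192.0.2.11 port 443 tls
    protocol https
    forward to <site1> port http check icmp
}
```

Because each relay has exactly one backend table, a keepalive connection can never carry a request for one site to the other site's hosts.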



Re: Pf traffic redirection on internal lan

2018-12-19 Thread Flipchan
I solved it with relayd :) 

On December 20, 2018 3:00:45 AM GMT+02:00, Tom Smyth 
 wrote:
>Hi,
>A quick read of your rule below
>pass in quick on any proto tcp from any to any port 80 rdr-to
>192.168.2.21 port 8801
>
>seems way too general
>
>try this instead
>pass in quick on any proto tcp from any to  192.168.2.5  port 80
>rdr-to 192.168.2.21 port 8801
>
>and see how you get on ...
>
>
>On Thu, 20 Dec 2018 at 00:13, Flipchan  wrote:
>>
>> Hello all,
>>
>> I am trying to get packets(/curl -v) to go 192.168.2.4 > 
>192.168.2.5:80 > 192.168.2.21:8801
>>
>>
>>
>> .5 middle host | cat /etc/pf.conf
>>
>>
>> set skip on lo
>>
>> block return    # block stateless traffic
>> pass            # establish keep-state
>>
>>
>> pass in quick on any proto tcp from any to any port 80 rdr-to 192.168.2.21 port 8801
>> pass out quick on any proto tcp from 192.168.2.21
>>
>> block return in on ! lo0 proto tcp to port 6000:6010
>>
>> # Port build user does not need network
>> #block return out log proto {tcp udp} user _pbuild
>>
>>
>>
>> the connection just times out, what am i missing?
>>
>>
>> .4host$ ifconfig
>> lo0: flags=8049 mtu 32768
>> index 3 priority 0 llprio 3
>> groups: lo
>> inet6 ::1 prefixlen 128
>> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
>> inet 127.0.0.1 netmask 0xff00
>> em0: flags=8843 mtu 1500
>> lladdr 2c:40:0a:7d:1c:4d
>> index 1 priority 0 llprio 3
>> groups: egress
>> media: Ethernet autoselect (1000baseT full-duplex)
>> status: active
>> inet 192.168.2.5 netmask 0xff00 broadcast 192.168.2.255
>> enc0: flags=0<>
>> index 2 priority 0 llprio 3
>> groups: enc
>> status: active
>> pflog0: flags=141 mtu 33136
>> index 4 priority 0 llprio 3
>> groups: pflog
>> $
>>
>>
>> i tried a syntax suggestion in on the bottom page of:
>https://www.openbsd.org/faq/pf/rdr.html
>> without any luck...
>>
>>
>> i am just getting timeouts here, does anyone know how i could solve
>this?
>>
>>
>> Take Care
>> Sincerely
>> flipchan
>
>
>
>-- 
>Kindest regards,
>Tom Smyth
>
>Mobile: +353 87 6193172



Pf traffic redirection on internal lan

2018-12-19 Thread Flipchan
Hello all,

I am trying to get packets(/curl -v) to go 192.168.2.4 >  192.168.2.5:80 > 
192.168.2.21:8801



.5 middle host | cat /etc/pf.conf


set skip on lo

block return    # block stateless traffic
pass            # establish keep-state


pass in quick on any proto tcp from any to any port 80 rdr-to 192.168.2.21 port 8801
pass out quick on any proto tcp from 192.168.2.21

block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
#block return out log proto {tcp udp} user _pbuild



the connection just times out, what am i missing?


.4host$ ifconfig
lo0: flags=8049 mtu 32768
index 3 priority 0 llprio 3
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet 127.0.0.1 netmask 0xff00
em0: flags=8843 mtu 1500
lladdr 2c:40:0a:7d:1c:4d
index 1 priority 0 llprio 3
groups: egress
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 192.168.2.5 netmask 0xff00 broadcast 192.168.2.255
enc0: flags=0<>
index 2 priority 0 llprio 3
groups: enc
status: active
pflog0: flags=141 mtu 33136
index 4 priority 0 llprio 3
groups: pflog
$ 


I tried a syntax suggestion at the bottom of the page: 
https://www.openbsd.org/faq/pf/rdr.html
without any luck...


I am just getting timeouts here, does anyone know how I could solve this?


Take Care
Sincerely
flipchan
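
A pf.conf for the middle host that combines the narrower rdr-to rule suggested in the reply with the source rewrite that a same-LAN redirect needs, as an added example that is not from the thread. It assumes the timeouts come from 192.168.2.21 answering the client directly (client and server share 192.168.2.0/24, so replies bypass 192.168.2.5 and arrive from an address the client never contacted); the em0 interface name is taken from the ifconfig output in the post.

```conf
# /etc/pf.conf on 192.168.2.5 (added example)
# The host must forward packets: sysctl net.inet.ip.forwarding=1
# (persist it in /etc/sysctl.conf)

set skip on lo

block return    # block stateless traffic
pass            # establish keep-state

# Redirect only connections addressed to this host's port 80,
# not every port-80 connection seen on any interface.
pass in on em0 proto tcp from 192.168.2.0/24 to 192.168.2.5 port 80 \
    rdr-to 192.168.2.21 port 8801

# The redirected packet leaves on the interface it arrived on.
# Rewrite its source to this host so 192.168.2.21 sends its replies
# back here, where pf reverses both translations for the client.
pass out on em0 proto tcp to 192.168.2.21 port 8801 \
    received-on em0 nat-to 192.168.2.5

block return in on ! lo0 proto tcp to port 6000:6010
```

After loading with pfctl -f /etc/pf.conf, pfctl -ss on the middle host should show the state with both the rdr and the nat rewrite while the client's curl is running. The backend sees every such connection as coming from 192.168.2.5, which is also what a relayd proxy in the same position produces.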


export http_proxy to a socks5

2018-11-15 Thread Flipchan
Hey,

Does anyone have a good way to set the system variables https and http_proxy to 
a socks5 proxy so that all my http and https traffic forwards to my socks5 box? 
(Anyone got any good way or a quick ugly hack to solve this?)


-- 
Sincerely
Flipchan


Re: Monitoring system

2018-10-08 Thread flipchan
Thanks a lot! I needed to symlink the files to enable them to be libs in php

On October 6, 2018 9:41:29 PM UTC, Richard Toohey  
wrote:
>On 10/07/18 09:05, flipchan wrote:
>> My phpinfo: dpaste.com/0VDR4TE
>Have you looked in /usr/local/share/doc/pkg-readmes/ for anything
>useful.
>
>I've moved off PHP 5.6 so not exactly sure what the file will be
>called.
>
>The instructions for 7.0.31:
>
>     /usr/local/share/doc/pkg-readmes/php-7.0.31
>
>... include instructions about what to do for some extensions so you 
>/may/ need to do something similar.
>
>
>- some 'core' extensions with extra dependencies are packaged
>separately
>(e.g. php-pdo_mysql, php-ldap, php-soap, and others) and can be
>installed
>with pkg_add(1).
>...
>For all extensions packaged separately (and for opcache), you will find
>a
>file named /etc/php-7.0.sample/(MODULE_NAME).ini. To enable it,
>add a symlink into /etc/php-7.0 and restart:
>
>     ln -sf ../php-7.0.sample/MODULE_NAME.ini /etc/php-7.0/
>
>
>Obviously these instructions will not be directly applicable in your 
>case, but do have a look in /usr/local/share/doc/pkg-readmes for 
>anything php-related.
>>
>> On October 6, 2018 4:42:16 PM UTC, Stuart Henderson
> wrote:
>>> On 2018-10-06, Richard Toohey  wrote:
>>>> On 10/06/18 07:16, Stuart Henderson wrote:
>>>>> On 2018/10/05 17:35, flipchan wrote:
>>>>>> It's weird because I have no error files that it describes the
>>> error in, I am promted with
>>>>>> "Configuration file errror DB type MYSQL is not supported by
>>> current setup"
>>>> I don't think the issue here - but if you are using PHP 7 make sure
>>>> mysqli is used.
>>>>
>>>> http://php.net/manual/en/mysqlinfo.api.choosing.php
>>> It all depends what zabbix-web wants. If it's written to use one
>>> specific
>>> api then you will need to use the module providing that. pdo_mysql
>is
>>> probably the most common nowadays.

-- 
Take Care Sincerely flipchan layerprox dev


Re: Monitoring system

2018-10-06 Thread flipchan
My phpinfo: dpaste.com/0VDR4TE

On October 6, 2018 4:42:16 PM UTC, Stuart Henderson  
wrote:
>On 2018-10-06, Richard Toohey  wrote:
>> On 10/06/18 07:16, Stuart Henderson wrote:
>>> On 2018/10/05 17:35, flipchan wrote:
>>>> It's weird because I have no error files that it describes the
>error in, I am promted with
>>>> "Configuration file errror DB type MYSQL is not supported by
>current setup"
>> I don't think the issue here - but if you are using PHP 7 make sure 
>> mysqli is used.
>>
>> http://php.net/manual/en/mysqlinfo.api.choosing.php
>
>It all depends what zabbix-web wants. If it's written to use one
>specific
>api then you will need to use the module providing that. pdo_mysql is
>probably the most common nowadays.

-- 
Take Care Sincerely flipchan layerprox dev


Re: Monitoring system

2018-10-06 Thread flipchan


Is not returning anything

On October 6, 2018 6:36:38 AM UTC, Tom Smyth  
wrote:
>Howdy
>
>Create a atest phpinfo(); file  in ur webserver htdocs directory
>And open the url to that file in ur browser
>to show you what php configuration and modules are loaded
>Check this page for details
>
>http://php.net/manual/en/function.phpinfo.php
>On a side note
>This function is useful in testing  other oses also because  the os can
>load phpconfig from anywhere.. and frequently with nonstandard packages
>you
>can be editing the wrong php.ini config...
>
>
>On Fri 5 Oct 2018, 22:35 Edgar Pettijohn, 
>wrote:
>
>>
>> On Oct 5, 2018 3:48 PM, flipchan  wrote:
>> >
>> > Maybe I need to set some sys variable or something similar cuz
>> > php-mysqli
>> > php-pdo_mysql
>> > php-mysql is installed
>> >
>>
>> But are they enabled.  Read the package read me for PHP for
>instructions.
>> > On October 5, 2018 6:16:07 PM UTC, Stuart Henderson
>
>> wrote:
>> > >On 2018/10/05 17:35, flipchan wrote:
>> > >> It's weird because I have no error files that it describes the
>error
>> > >in, I am promted with
>> > >> "Configuration file errror DB type MYSQL is not supported by
>current
>> > >setup"
>> > >
>> > >Oh, in that case (always include the actual error message!) I'm
>pretty
>> > >sure
>> > >you didn't enable the relevant PHP database module. I don't know
>which
>> > >one
>> > >zabbix-web needs but I'd try php-pdo_mysql first.
>> > >
>> > >> I have set all configs (/var/www/zabbix/conf/zabbix.conf.php and
>> > >/etc/zabbix*) to use 127.0.0.1
>> > >> 3306 , but nono :/
>> > >>
>> > >> On October 5, 2018 12:55:15 PM UTC, Stuart Henderson
>> > > wrote:
>> > >>
>> > >> On 2018-10-05, flipchan  wrote:
>> > >>  Hey how did everyone get zabbix running I tried the
>zabbix
>> > >MySQL with the zabbix web on 6.2 but I get a database connection
>error
>> > >in the php , I assume the php can't read the config
>> > >>
>> > >> This is usually mysql/mariadb's annoying feature of
>automatically
>> > >trying
>> > >> to use a unix socket when you try to make a TCP connection
>to
>> > >localhost.
>> > >> See pkg-readmes/mariadb-server (the "chrooted daemons and
>MariaDB
>> > >> socket" for a workaround.
>> > >>
>> > >>
>> > >>
>> > >>
>> > >> --
>> > >> Take Care Sincerely flipchan layerprox dev
>> >
>> > --
>> > Take Care Sincerely flipchan layerprox dev
>>
>>

-- 
Take Care Sincerely flipchan layerprox dev


Re: Monitoring system

2018-10-05 Thread flipchan
Maybe I need to set some sys variable or something similar cuz
php-mysqli
php-pdo_mysql
php-mysql is installed 

On October 5, 2018 6:16:07 PM UTC, Stuart Henderson  
wrote:
>On 2018/10/05 17:35, flipchan wrote:
>> It's weird because I have no error files that it describes the error
>in, I am promted with
>> "Configuration file errror DB type MYSQL is not supported by current
>setup"
>
>Oh, in that case (always include the actual error message!) I'm pretty
>sure
>you didn't enable the relevant PHP database module. I don't know which
>one
>zabbix-web needs but I'd try php-pdo_mysql first.
>
>> I have set all configs (/var/www/zabbix/conf/zabbix.conf.php and
>/etc/zabbix*) to use 127.0.0.1
>> 3306 , but nono :/
>> 
>> On October 5, 2018 12:55:15 PM UTC, Stuart Henderson
> wrote:
>> 
>> On 2018-10-05, flipchan  wrote:
>>  Hey how did everyone get zabbix running I tried the zabbix
>MySQL with the zabbix web on 6.2 but I get a database connection error
>in the php , I assume the php can't read the config
>> 
>> This is usually mysql/mariadb's annoying feature of automatically
>trying
>> to use a unix socket when you try to make a TCP connection to
>localhost.
>> See pkg-readmes/mariadb-server (the "chrooted daemons and MariaDB
>> socket" for a workaround.
>> 
>> 
>> 
>> 
>> --
>> Take Care Sincerely flipchan layerprox dev

-- 
Take Care Sincerely flipchan layerprox dev


Re: Monitoring system

2018-10-05 Thread flipchan
It's weird because I have no error files that it describes the error in, I am 
prompted with "Configuration file errror DB type MYSQL is not supported by 
current setup" 

I have set all configs (/var/www/zabbix/conf/zabbix.conf.php and /etc/zabbix*) 
to use 127.0.0.1 3306 , but nono :/

On October 5, 2018 12:55:15 PM UTC, Stuart Henderson  
wrote:
>On 2018-10-05, flipchan  wrote:
>> Hey how did everyone get zabbix running I tried the zabbix MySQL with
>the zabbix web on 6.2 but I get a database connection error in the php
>, I assume the php can't read the config 
>
>This is usually mysql/mariadb's annoying feature of automatically
>trying
>to use a unix socket when you try to make a TCP connection to
>localhost.
>See pkg-readmes/mariadb-server (the "chrooted daemons and MariaDB
>socket" for a workaround.

-- 
Take Care Sincerely flipchan layerprox dev


Re: Monitoring system

2018-10-05 Thread flipchan
Yeah I have put the Unix socket in /var/www/run and chown www:www but nono

On October 5, 2018 12:55:15 PM UTC, Stuart Henderson  
wrote:
>On 2018-10-05, flipchan  wrote:
>> Hey how did everyone get zabbix running I tried the zabbix MySQL with
>the zabbix web on 6.2 but I get a database connection error in the php
>, I assume the php can't read the config 
>
>This is usually mysql/mariadb's annoying feature of automatically
>trying
>to use a unix socket when you try to make a TCP connection to
>localhost.
>See pkg-readmes/mariadb-server (the "chrooted daemons and MariaDB
>socket" for a workaround.

-- 
Take Care Sincerely flipchan layerprox dev


Re: Monitoring system

2018-10-05 Thread flipchan
Hey, how did everyone get zabbix running? I tried the zabbix MySQL with the 
zabbix web on 6.2 but I get a database connection error in the php, I assume 
the php can't read the config 

On October 5, 2018 4:43:05 AM UTC, Tony Boston  wrote:
>I am using Icinga2 on all our machines - you'll find it in packages and
>the newest version you'll get with OpenBSD 6.4
>
>On 10/05/18 05:09, Tom Smyth wrote:
>> Both of of the ones I emailed to you are in ports
>> 
>> also there is pmmact by the Legend paulo Lucende
>> that can aggregate and convert multiple logs to different formats
>> worth having a look at that also ...
>> On Fri, 5 Oct 2018 at 04:08, Tom Smyth 
>wrote:
>>>
>>>
>>> Librenms would be worth a look i believe it has email alerting
>>> and snmp support needs php and mysql
>>> Zabbix   ...havent used this one but it has monitoring functionality
>...
>>> If you are monitoring alot of systems, make sure your storage can
>>> cope with alot of I/O or you will see annoying gaps in your graphs
>>> so use SSDs and make sure that when formatting the system
>>> that you align with 1MB offset ...  2048 sectors  (instead the
>default
>>> 64 bytes)
>>>
>>> Peace
>>> Tom Smyth
>>>
>>>
>>> On Thu, 4 Oct 2018 at 23:57, flipchan  wrote:
>>>>
>>>> Greetings all,
>>>>
>>>> I need to install a monitoring system with email notifications, I
>have used mmonit which is great but it's a little too pricey for
>personal use.
>>>>
>>>> Can anyone recommend a open source monitoring system that support
>email notifications and monitoring of multiple hosts running openbsd.
>>>>
>>>>
>>>> Something more modern then nagios would be great, I just need it to
>work so as long as it supports email notifications and monitoring of
>more then one host it's good
>>>>
>>>>
>>>> Thanks in advance
>>>>
>>>>
>>>>
>>>> --
>>>> Take Care Sincerely flipchan layerprox dev
>>>
>>>
>>>
>>> --
>>> Kindest regards,
>>> Tom Smyth
>>>
>>> Mobile: +353 87 6193172
>> 
>> 
>> 
>
>-- 
>GPG-KEY: 0x5C5C239D81121B35
>GPG-FP:  49CC8250 CDCF2183 6209C1AE 625677C1 F7783D5F
>Threema: DN8PJX4Z

-- 
Take Care Sincerely flipchan layerprox dev


Monitoring system

2018-10-04 Thread flipchan
Greetings all, 

I need to install a monitoring system with email notifications, I have used 
mmonit which is great but it's a little too pricey for personal use.

Can anyone recommend an open source monitoring system that supports email 
notifications and monitoring of multiple hosts running openbsd?


Something more modern than nagios would be great, I just need it to work so as 
long as it supports email notifications and monitoring of more than one host 
it's good 


Thanks in advance 



-- 
Take Care Sincerely flipchan layerprox dev


Re: EuroBSD Con 2018 1 Free Ticket for Ansible Tutorial and LibTLS Tutorial Thursday

2018-09-19 Thread flipchan
Hey if Dumitru didn't already take the ansible/is not taking it I would love to 
take the ansible:)

On September 19, 2018 2:38:08 PM UTC, Dumitru Moldovan  wrote:
>
>Hi Tom,
>
>That is very generous of you...  But are you sure those tickets are 
>transmittable?
>
>If yes, I would like to attend the Ansible Tutorial.  LibTLS is way
>over 
>my head, as I can't program in C to save my life.
>
>Thanks a lot!
>
>
>On 09/19/18 08:24, Tom Smyth wrote:
>> Hello,
>> 
>> I have paid for Ticekts for the Ansible Tutorial and the Lib TLS
>> tutorial Thursday in EuroBSD Con2018 Bucharest. I cant attend
>Thursday
>> and
>> I dont want the tickets to go to waste, so if any of the mailing list
>> subscribers woudl like to go ... please reply directly to me and you
>> can have the ticket for the
>> either or both tutorials ... first come first served,
>> 
>> Hope this helps,
>> Tom Smyth,
>> 

-- 
Take Care Sincerely flipchan layerprox dev


Re: Running your own mail server

2018-09-09 Thread flipchan
Randomly jumping into this thread, does anyone have a quick and easy way to do 
automatic responses to certain aliases in opensmtpd?

On September 9, 2018 12:23:41 PM UTC, Thomas Bohl  
wrote:
>> But the second (far more important) point I want to make is please
>*THINK TWICE* if "running your own mail server" is something you are
>planning to do on your home internet connection.
>
>For all intents and purposes, sending emails from a private internet
>connection directly to the receiving MX stopped working 15 years ago.
>(People started blocking everything with "dial" or "dyn" in the reverse
>DNS or HELO not being followed with the matching reverse DNS of the
>connected IP.) It should be in all books and tutorials by now.
>Word on the street has it that the IP networks of the cloud providers
>are slowly getting burned too.
>
>To live hassle-free you want your MX to have a static IP from a good
>"commercial neighbourhood", with a reverse DNS that matches the SPF
>entry and with your server's HELO greeting.
>Check whether your IP is listed on a DNSBL
>https://mxtoolbox.com/blacklists.aspx
>Demand a different one from your provider if it is *before* you
>associate your domain with it! (Or let the IP idle for a year or two.)
>Plus: Thanks to Let's Encrypt and the super easy acme-client in base
>there are no more excuses not to have a valid certificate.
>
>Of course that is only true for your MX. You can host your mailboxes at
>home as long as you relay through said MX.
>
>OpenSMTPD + Dovecot (Sieve, IMAP, dsync) + Nextcloud(Calender,
>Contacts)
>works for me for month without looking. (Be on the announce mailing
>lists for security informations.)
>
>PS, don't sneak through you kids thoughts. Not even by "only" scanning
>for "troubling words".

-- 
Take Care Sincerely flipchan layerprox dev


Re: Vultr hosting of OpenBSD

2018-09-09 Thread flipchan
I think vultr is setting a great example that many hosting providers should 
follow, I mean I bet 65% run kvm and then it is possible to run openbsd, but I 
think many providers don't put in the energy to do it / configure a template 
for it

On September 9, 2018 12:26:29 AM UTC, Ken M  wrote:
>On Sat, Sep 08, 2018 at 08:36:01PM +0100, Chris Narkiewicz wrote:
>> On 08/09/2018 19:55, Ken M wrote:
>> What kind of issues? I'm curious. Can you pls provide a reference?
>> 
>
>Without digging them up I did a quick google on openbsd issues vultr.
>It pulled
>some things I saw before with 6.2 and timing, as well as issues with
>the base
>image, and other ones talking about a setting in KVM that was causing
>issues on
>certain servers.
>
>I can link them if you wish. I wanted to ask here because they seemed
>out of
>date, and when it comes to openbsd I have to filter what a google
>search pulls
>as I find so much misinformation about openbsd out there. Some of it
>more for
>being out of date, some of it just plain anti without knowing, some
>just
>misinformation.
>
>So in short I figured asking here would be more current and accurate.
>This is a
>case where I consider the absence of such information a result.
>Although I think
>I might consider openbsd amsterdam that was mentioned. My only
>hesitation is
>vmm/vmd considered mature enough for a production hosting solution?
>
>Ken

-- 
Take Care Sincerely flipchan layerprox dev


Re: Running your own mail server

2018-09-08 Thread flipchan
opensmtpd is great! Aliases and a lot more goodness

On September 8, 2018 3:23:35 PM UTC, Ken M  wrote:
>Just curious how many of you use openbsd to run your own personal email
>server?
>Do you find it a hassle to manage in any way?
>
>I know openbsd is perfectly fine for a mail server, don't get me wrong
>the
>question is more about is it worth it to do yourself. Specifically I
>will
>probably be doing it through a guest on vultr.
>
>Back story my family all has email addresses through the domain I have.
>Which
>basically will forward to a gmail account. The kids accounts don't
>really
>forward anywhere, they are place holders I guess. But they are getting
>old
>enough to use their own accounts for things and not just through the
>school
>which sets them up with google accounts to use through their
>chromebook.
>
>So my wife really doesn't like the idea of setting them loose on their
>own email
>accounts, and I don't necessarily disagree with her, but I disagree on
>the way
>to do it. In a gmail point of view all I can think of is shared
>passwords for
>for the kids. I don't like that because first of all they could change
>it,
>second of all monitoring their email means literally reading their
>email.
>
>My wife and I have different views on privacy as well.
>
>I was thinking I could run my own email server to give them accounts
>there, and
>at the same time instead of reading their email be able to more
>specifically
>block certain senders, but also to scan the email for troubling words.
>In my
>mind that is things like suicide, kill, etc.
>
>So I guess the end question, is for protecting the email of minors is
>running my
>own email server, when I have never done it before on any OS, worth it
>over some
>other solution. And yes I am very open to other suggestions for a
>solution, even
>if it is something I have to pay for, to avoid sharing passwords or
>grotesque
>privacy infringement of literally reading all their emails.
>
>Welcome to differences of opinion as well.  Thank you.
>
>Ken

-- 
Take Care Sincerely flipchan layerprox dev


Re: Vultr hosting of OpenBSD

2018-09-08 Thread flipchan
U have to tell em to open port 25

On September 8, 2018 6:55:16 PM UTC, Ken M  wrote:
>This is related to my mail server thread, but in googling about openbsd
>on vultr
>I have seen some comments here and there about issues with the default
>image on
>vultr and to use a custom image or iso instead of what they have. Some
>of these
>seem dated and related to older versions of openbsd. My questions are:
>
>1. Is it still current information that it would be better to use my
>own
>image/install/iso for openbsd on Vultr?
>
>2. Is vultr a good place to host an openbsd box? If not interested in
>hearing
>alternatives.
>
>Also a side note question, is it possible to use VMD/VMM in an openbsd
>guest on
>vultr. I was thinking probably not. I just ask as sometimes I
>appreciate using
>docker to test things, yeah I know. But the point is my dev workflow on
>my
>openbsd current laptop involves sometimes using alpine linux on vmm an
>using
>docker on that to spin up different things I want to check out.
>
>Ken

-- 
Take Care Sincerely flipchan layerprox dev


Re: acme-client agreement url in 6.3

2018-09-02 Thread flipchan
Awesome thanks

On September 2, 2018 9:57:48 AM UTC, Stuart Henderson  
wrote:
>On 2018-09-02, flipc...@riseup.net  wrote:
>> Hey all, 
>>
>> I can't get acme-client to work in 6.3.
>>
>> I get the same error with agreement url as
>> "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf" and
>> "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
>>
>> There is an error on his site,
>> https://github.com/kristapsdz/acme-client-portable/issues/51
>> Does anyone know what agreement url is officially supported/works with
>> openbsd 6.3?
>>
>> server# acme-client -vv mail.example.com   
>> acme-client: "agreement url" is deprecated.
>> acme-client: "agreement url" is deprecated.
>
>Just remove "agreement url", it's no longer used in 6.3.
>
>> acme-client: acme-client: acme-client:
>> /etc/ssl/private/mail.example.com.key: loaded RSA domain
>> key/etc/acme/letsencrypt-privkey.pem: loaded RSA account
>> key/etc/ssl/mail.example.com.crt: certificate valid: 120 days left
>
>This looks like it's worked.

-- 
Take Care Sincerely flipchan layerprox dev


acme-client agreement url in 6.3

2018-09-01 Thread flipchan
Hey all, 

I can't get acme-client to work in 6.3.

I get the same error with agreement url as
"https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf" and
"https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"

There is an error on his site,
https://github.com/kristapsdz/acme-client-portable/issues/51
Does anyone know what agreement url is officially supported/works with
openbsd 6.3?

server# acme-client -vv mail.example.com   
acme-client: "agreement url" is deprecated.
acme-client: "agreement url" is deprecated.
acme-client: acme-client: acme-client:
/etc/ssl/private/mail.example.com.key: loaded RSA domain
key/etc/acme/letsencrypt-privkey.pem: loaded RSA account
key/etc/ssl/mail.example.com.crt: certificate valid: 120 days left

server# cat /etc/acme-client.conf   
 
#
# $OpenBSD: acme-client.conf,v 1.4 2017/03/22 11:14:14 benno Exp $
#
authority letsencrypt {
    agreement url "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
    #"https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
    #"https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
    api url "https://acme-v02.api.letsencrypt.org/directory"
    #"https://acme-v01.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
    agreement url "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf" # "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
    #"https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
    api url "https://acme-v02.api.letsencrypt.org/directory"
    #"https://acme-staging.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain mail.example.com {
    domain key "/etc/ssl/private/mail.example.com.key"
    domain certificate "/etc/ssl/mail.example.com.crt"
    domain full chain certificate "/etc/ssl/mail.example.com.fullchain.pem"
    sign with letsencrypt
}
#   

Take Care
Sincerely flipchan



Re: pip install (python3) requires some development libraries

2018-08-27 Thread flipchan
Try manually downloading it from pypi.python.org and running python setup.py 
build and python setup.py install

On August 27, 2018 10:09:48 AM UTC, "Максим"  wrote:
>Sorry, I was wrong.
>There is a file "lber.h" on the system (/usr/local/include/lber.h)
>But the installer doesn't seem to know where to find it.
>So the question remains.
>
>-- 
>Maksim Rodin
>
>
>27.08.2018, 11:52, "Stuart Henderson" :
>> On 2018-08-27, Максим  wrote:
>>>  Hello.
>>>  I'm trying to install some django components, which
>>>  require development libraries be installed on the system to
>>>  successfully compile.
>>>  If it goes about Ubuntu I understand that I have to install
>>>  something like "packet-dev" with the command
>>>  "sudo apt install packet-dev"
>>>  What are my steps to make something equal on OpenBSD (6.3/amd64)?
>>>  I suppose I should begin with fetching the ports tree.
>>>  But what else? How do I make install script find the dev-libraries
>needed?
>>>
>>>  In my case I'm trying to install django-ldap-auth using pip.
>>>  When the installer begins to compile he complains that it cannot
>find some files:
>>>  "In file included from Modules/LDAPObject.c:8:
>>>  Modules/constants.h:7:10: fatal error: 'lber.h' file not found
>>>  #include "lber.h"
>>>  1 error generated.
>>>  error: command 'cc' failed with exit status 1"
>>
>> Specifically for this: pkg_add openldap-client
>>
>> In general: pkg_add pkglocatedb and use the pkg_locate command.

-- 
Take Care Sincerely flipchan layerprox dev


Re: pip install (python3) requires some development libraries

2018-08-27 Thread flipchan
Are u using pip3 and not pip2?

On August 27, 2018 6:00:37 AM UTC, "Максим"  wrote:
>Hello.
>I'm trying to install some django components, which
>require development libraries be installed on the system to
>successfully compile.
>If it goes about Ubuntu I understand that I have to install
>something like "packet-dev" with the command
>"sudo apt install packet-dev"
>What are my steps to make something equal on OpenBSD (6.3/amd64)?
>I suppose I should begin with fetching the ports tree.
>But what else? How do I make install script find the dev-libraries
>needed?
>
>In my case I'm trying to install django-ldap-auth using pip.
>When the installer begins to compile he complains that it cannot find
>some files:
>"In file included from Modules/LDAPObject.c:8:
>Modules/constants.h:7:10: fatal error: 'lber.h' file not found
>#include "lber.h"
>1 error generated.
>error: command 'cc' failed with exit status 1"
>
>--
>Best regards
>Maksim Rodin

-- 
Take Care Sincerely flipchan layerprox dev


Re: Let's Encrypt Error with cgit, httpd, acme-client

2018-08-21 Thread flipchan
># Show extra links for each repository on the index page
>enable-index-links=0
>
># Enable ASCII art commit history graph on the log pages
>enable-commit-graph=1
>
># Show number of affected files per commit on the log pages
>enable-log-filecount=1
>
># Show number of added/removed lines per commit on the log pages
>enable-log-linecount=1
>
># Sort branches by date
>branch-sort=age
>
># Add a cgit favicon
>favicon=/favicon.ico
>
># Enable statistics per week, month and quarter
>max-stats=quarter
>
># Set the title and heading of the repository index page
>root-title=HotBSD Code Repositories
>
># Set a subheading for the repository index page
>root-desc=
>
># Allow download of tar.gz, tar.bz2 and zip-files
>snapshots=tar.gz
>
>## List of common mimetypes
>mimetype.gif=image/gif
>mimetype.html=text/html
>mimetype.jpg=image/jpeg
>mimetype.jpeg=image/jpeg
>mimetype.pdf=application/pdf
>mimetype.png=image/png
>mimetype.svg=image/svg+xml
>
>## Search for these files in the root of the default branch of
>repositories
>## for coming up with the about page:
>readme=:README
>
>virtual-root=/
>
>#scan-path=/htdocs/src
>scan-path=/repos
>
># Disable adhoc downloads of this repo
>repo.snapshots=0
>
># Disable line-counts for this repo
>repo.enable-log-linecount=0
>
># Restrict the max statistics period for this repo
>repo.max-stats=month
>
>
>File/directory permissions:
># ls -all /etc/acme /etc/ssl
>/etc/acme:
>total 16
>drwx------   2 root  wheel   512 Aug  3 12:58 .
>drwxr-xr-x  22 root  wheel  1536 Jul 30 01:30 ..
>-r--------   1 root  wheel  3272 Aug  3 12:58 letsencrypt-privkey.pem
>
>/etc/ssl:
>total 772
>drwxr-xr-x   5 root  wheel 512 Jul 29 12:51 .
>drwxr-xr-x  22 root  wheel1536 Jul 30 01:30 ..
>drwxr-xr-x   3 root  wheel 512 Jul 29 12:51 acme
>-r--r--r--   1 root  bin349364 Mar 24 20:12 cert.pem
>-rw-r--r--   1 root  wheel2703 Mar 24 20:12 ikeca.cnf
>drwxr-xr-x   2 root  wheel 512 Mar 24 20:12 lib
>-r--r--r--   1 root  bin   745 Mar 24 20:12 openssl.cnf
>drwx------   2 root  wheel 512 Aug  3 12:58 private
>-r--r--r--   1 root  bin  1006 Mar 24 20:12 x509v3.cnf
>
># ls -all /var/www
>total 52
>drwxr-xr-x  13 root  daemon  512 Jul 19 02:12 .
>drwxr-xr-x  23 root  wheel   512 Mar 24 20:43 ..
>drwxr-xr-x   2 root  daemon  512 Aug  4 11:50 acme
>drwxr-xr-x   2 root  daemon  512 Mar 24 20:12 bin
>drwx-----T   2 www   daemon  512 Mar 24 20:12 cache
>drwxr-xr-x   2 root  daemon  512 Jul 13 19:43 cgi-bin
>drwxr-xr-x   2 root  daemon  512 Jul 13 19:43 cgit
>drwxr-xr-x   2 root  daemon  512 Jul 13 19:50 conf
>drwxr-xr-x   3 root  daemon  512 Mar 24 20:12 htdocs
>drwxr-xr-x   2 root  daemon  512 Aug  1 15:00 logs
>drwxr-xr-x   4 git   git 512 Jul 20 17:30 repos
>drwxr-xr-x   2 root  daemon  512 Jul 13 19:50 run
>
>
>

-- 
Take Care Sincerely flipchan layerprox dev


Re: Python flask socket with httpd problems

2018-08-13 Thread flipchan
After some verbose logging httpd -dvv I found that I forgot about chroot so 
instead of /var/www/run I changed it to /run/my.sock and chmod www:www my.sock 
and got it working :)) 

On August 12, 2018 10:14:55 PM UTC, ed...@pettijohn-web.com wrote:
>What are the permissions on the socket? Can user www read and write to
>it?
>On Aug 12, 2018 11:40 AM, Tony Boston  wrote:
>>
>> On 12.08.18 03:25, flipchan wrote:
>> > Hello all,
>> > 
>> > im trying to run a python flask application with httpd
>> > as a reverse proxy and im not getting it to work.
>> > 
>> > According to the python flask's online documentation, 
>> > i should be able to just create a fast-cgi socket that 
>> > should work with httpd, however i am only getting 500
>> > errors when i do this.
>> > Link: https://uwsgi-docs.readthedocs.io/en/latest/OpenBSDhttpd.html
>> > 
>> > 
>> > 
>> > curl output:
>> > * About to connect() to mywebsite.com port 8086 (#0)
>> > *   Trying myip...
>> > * connected
>> > * Connected to mywebsite.com (myip) port 8086 (#0)
>> > > GET /test HTTP/1.1
>> > > User-Agent: curl/7.26.0
>> > > Host: mywebsite.com:8086
>> > > Accept: */*
>> > > 
>> > * additional stuff not fine transfer.c:1037: 0 0
>> > * HTTP 1.0, assume close after body
>> > < HTTP/1.0 500 Internal Server Error
>> > < Date: Tue, 15 May 2018 15:40:40 GMT
>> > < Server: OpenBSD httpd
>> > < Connection: close
>> > < Content-Type: text/html
>> > < Content-Length: 451
>> > < 
>> > 
>> > 
>> > 
>> > 
>> > 500 Internal Server Error
>> > <!--
>> > body { background-color: white; color: black; font-family: 'Comic
>Sans MS', 'Chalkboard SE', 'Comic Neue', sans-serif; }
>> > hr { border: 0; border-bottom: 1px dashed; }
>> > 
>> > -->
>> > 
>> > 
>> > 500 Internal Server Error
>> > 
>> > OpenBSD httpd
>> > 
>> > 
>> > * Closing connection #0
>> > 
>> > # cat /etc/httpd.conf
>> > # $OpenBSD: httpd.conf,v 1.16 2016/09/17 20:05:59 tj Exp $
>> > 
>> > # A minimal default server
>> > server "default" {
>> > listen on 0.0.0.0 port 8086
>> > 
>> > fastcgi socket "/var/www/run/pfweb.sock"
>> > }
>> > 
>> > 
>> > 
>> > 
>> > i also tried to have the python script manually create a 
>> > fast-cgi socket with the python library flup
>("https://pypi.python.org/pypi/flup/1.0.2")
>> > 
>> > 
>> > 
>> > Have anyone gotten a python flask application to work with httpd 
>> > as a reverse proxy with a fast-cgi socket? cuz im really not 
>> > getting it to work.
>> > 
>> > 
>> > 
>> > Thanks in advanced
>> > -flipchan
>> > 
>> > -- 
>> > Take Care Sincerely flipchan layerprox dev
>>
>> Since you're getting Error 500 - you should look at your webserver
>> logs - I don't see any in your email
>>
>> -- 
>> Tony
>>
>> GPG-FP: 913BBD25 8DA503C7 BAE0C0B6 8995E906 4FBAD580
>> Threema: DN8PJX4Z

-- 
Take Care Sincerely flipchan layerprox dev
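
The chroot mistake described in this reply, as an added example that is not part of the thread: a small checker that resolves each `fastcgi socket` path in an httpd.conf against httpd's chroot and reports where httpd will actually look. The function names, the `fs_root` parameter and the sample configs are constructed for illustration; the caller supplies the uid and gids of the `www` user.

```python
"""Check `fastcgi socket` paths in an httpd.conf against httpd's chroot."""
import os
import shlex
import stat

DEFAULT_CHROOT = "/var/www"  # httpd.conf(5) default when no `chroot` line is set

# Constructed from the config posted in the thread, then the corrected form.
BROKEN_CONF = '''
# A minimal default server
server "default" {
	listen on 0.0.0.0 port 8086
	fastcgi socket "/var/www/run/pfweb.sock"
}
'''
FIXED_CONF = BROKEN_CONF.replace("/var/www/run/", "/run/")


def parse_conf(text):
    """Return (chroot, [socket paths]); handles the one-line directive forms."""
    chroot, sockets = DEFAULT_CHROOT, []
    for line in text.splitlines():
        try:
            words = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quote: not a line this parser understands
            continue
        if len(words) == 2 and words[0] == "chroot":
            chroot = words[1].rstrip("/") or "/"
        elif len(words) >= 3 and words[:2] == ["fastcgi", "socket"]:
            sockets.append(words[2])
    return chroot, sockets


def host_path(chroot, configured):
    """Path on the real filesystem that httpd opens once it has chrooted."""
    return os.path.normpath(os.path.join(chroot, configured.lstrip("/")))


def can_rw(st, uid, gids):
    """True if a process with this uid and these gids may read and write."""
    if st.st_uid == uid:
        bits = stat.S_IRUSR | stat.S_IWUSR
    elif st.st_gid in gids:
        bits = stat.S_IRGRP | stat.S_IWGRP
    else:
        bits = stat.S_IROTH | stat.S_IWOTH
    return st.st_mode & bits == bits


def audit(text, uid, gids, fs_root="/"):
    """Return {configured path: [problems]} for every fastcgi socket.

    fs_root lets the check run against a staging tree instead of the live /.
    """
    chroot, sockets = parse_conf(text)
    report = {}
    for configured in sockets:
        problems = []
        real = host_path(chroot, configured)
        if chroot != "/" and (configured + "/").startswith(chroot + "/"):
            problems.append("path repeats the chroot prefix; httpd looks in " + real)
        try:
            st = os.stat(os.path.join(fs_root, real.lstrip("/")))
        except OSError:
            problems.append("no socket at " + real)
        else:
            if not stat.S_ISSOCK(st.st_mode):
                problems.append(real + " is not a socket")
            elif not can_rw(st, uid, gids):
                problems.append("uid %d cannot read and write %s" % (uid, real))
        report[configured] = problems
    return report


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, audit(conf, os.getuid(), [os.getgid()]))
```
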


Python flask socket with httpd problems

2018-08-12 Thread flipchan
Hello all,

I'm trying to run a Python Flask application with httpd
as a reverse proxy and I'm not getting it to work.

According to Flask's online documentation,
I should be able to just create a FastCGI socket that
should work with httpd, however I am only getting 500
errors when I do this.
Link: https://uwsgi-docs.readthedocs.io/en/latest/OpenBSDhttpd.html



curl output:
* About to connect() to mywebsite.com port 8086 (#0)
*   Trying myip...
* connected
* Connected to mywebsite.com (myip) port 8086 (#0)
> GET /test HTTP/1.1
> User-Agent: curl/7.26.0
> Host: mywebsite.com:8086
> Accept: */*
> 
* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.0, assume close after body
< HTTP/1.0 500 Internal Server Error
< Date: Tue, 15 May 2018 15:40:40 GMT
< Server: OpenBSD httpd
< Connection: close
< Content-Type: text/html
< Content-Length: 451
< 




500 Internal Server Error
<!--
body { background-color: white; color: black; font-family: 'Comic Sans MS', 
'Chalkboard SE', 'Comic Neue', sans-serif; }
hr { border: 0; border-bottom: 1px dashed; }

-->


500 Internal Server Error

OpenBSD httpd


* Closing connection #0

# cat /etc/httpd.conf
# $OpenBSD: httpd.conf,v 1.16 2016/09/17 20:05:59 tj Exp $

# A minimal default server
server "default" {
listen on 0.0.0.0 port 8086

fastcgi socket "/var/www/run/pfweb.sock"
}




I also tried to have the Python script manually create a
FastCGI socket with the Python library flup
("https://pypi.python.org/pypi/flup/1.0.2")



Has anyone gotten a Python Flask application to work with httpd
as a reverse proxy with a FastCGI socket? Cuz I'm really not
getting it to work.



Thanks in advance
-flipchan

-- 
Take Care Sincerely flipchan layerprox dev


Re: The Ultimate OpenBSD Media Server

2018-08-12 Thread flipchan
Awesome!! Plex feels like a blob of unknown black magic that you execute on
your system, I will check this new one out, thanks

On August 12, 2018 4:55:15 AM UTC, Jordan Geoghegan  
wrote:
>Hi Folks,
>
>I found a viable Plex alternative that runs perfectly on OpenBSD called
>
>'Serviio'. It does DLNA with on the fly media transcoding / remuxing
>and 
>also has an HTML5 media player. I've found it able to handle
>cataloguing 
>and indexing my 10TB media library great and I've enjoyed the automatic
>
>media metadata retrieval. It is nice to be able to have episode names, 
>subtitles and cover art automatically pulled from IMDB / TVDB. The
>HTML5 
>media player is quite nice for sharing content with the family and 
>watching movies on the go.
>
>I've rewritten the install guide from the official Serviio website to 
>instead run Serviio as a separate user, use a better install location 
>and not grab the full jdk. I mentioned Serviio a few days ago on a 
>ports@ thread and several people messaged me privately asking for my 
>write up on Serviio; I hope others can get some use and enjoyment out
>of 
>this, so I thought I would share it here for others to see as well.
>
>Link to Guide:
>
>www.geoghegan.ca/serviio.html

-- 
Take Care Sincerely flipchan layerprox dev


Re: Employers, Jobs and OpenBSD

2018-07-14 Thread flipchan
Pf is a must to know in my company

On July 14, 2018 2:05:09 AM UTC, Man Hobby  wrote:
>Hi,
>
>What is the opinion of employers about OpenBSD?
>
>There is reason for to learn use OpenBSD to find job?
>
>If not, why?
>
>If there is not reason for to learn use OpenBSD to find job, why use
>OpenBSD?

-- 
Take Care Sincerely flipchan layerprox dev


Re: New laptop recommendations

2018-06-21 Thread flipchan
I got the x200 with libreboot and openbsd 

On June 19, 2018 10:47:24 AM UTC, Kaya Saman  wrote:
>I couldn't say for the compatibility with OpenBSD though I have read 
>other people running on them, but how about Lenovo??
>
>
>I've got an X220 which I run a Linux distro on which I'm really happy 
>with though the i7 CPU does seem to overheat for some reason, though I 
>seem to have this issue with all laptops I've gone through?? Must be me
>:-S
>
>- only system that never overheated was my old PowerBook G3 Firewire 
>running Mac OS 9
>
>
>I might be remembering wrong but I'm sure I've seen people on the list 
>running OBSD on X-series Lenovo's so it might be worth a shot unless 
>anyone else has better suggestions :-)
>
>
>Regards,
>
>
>Kaya
>
>
>On 06/19/18 11:37, Rupert Gallagher wrote:
>> I'm done with my 10 years old 1200EUR MacBookPro. It served me well,
>every day, but is now falling apart, finally.
>>
>> I would buy a new one if only Steve Jobs would be alive and keeping
>Apple inspired. The new models are meticulously designed to make you
>suffer: expensive, slow cpu, soldered ram, soldered disk, small disk,
>bad keyboard keys, wifi only, must pay extra for standard connectors.
>>
>> I have 1500EUR for a new laptop. What would you buy with it?

-- 
Take Care Sincerely flipchan layerprox dev


Re: Have a 1 Gbit connection but I not all devices are getting 1 Gbit speed from my ISP

2018-06-20 Thread flipchan
Do u run cat 6 cables ?

On June 20, 2018 9:25:56 AM UTC, Kollar Arpad  wrote:
>Hello: 
>
>Original question:
>https://superuser.com/questions/1332664/have-a-1-gbit-connection-but-i-not-all-devices-are-getting-1-gbit-speed-from-my
>
>
>
>I have 3 laptops and a 1 Gbit network connection to my ISP. But when I
>connect my ISPs cable to the laptops ethtool link/speedtest precisely
>says:
>
>Lenovo G500 with USB 3.0 Ethernet and OpenBSD 6.2 - 100mbit
>Lenovo T400 with motherboard Ethernet Ubuntu 14.04 - 100mbit
>Lenovo T560 with motherboard Ethernet Windows 10 - 1 Gbit
>
>All the HWs support 1 Gbit connection.
>
>The big question: Why cannot the Lenovo G500 and Lenovo T400
>auto-negotiate to 1 Gbit? It is a 1 Gbit connection to my ISP, but I
>can only auto-negotiate with 1 Gbit with the Windows 10/T560 laptop.
>
>Maybe I need cross-cable? The ISP I think has a switch at the other
>end.
>
>This is the cable that I have from my ISP:
>https://i.stack.imgur.com/1rH37.jpg
>
>
>
>the USB 3.0 Gbit ethernet to USB is cdce.
>
>Anybody seen similar? What could cause the 100mbit connection instead
>of the Gbit? 
>
>Thanks for any hint..

-- 
Take Care Sincerely flipchan layerprox dev


Re: chromium and firefox - myths and facts?

2018-06-12 Thread flipchan
I'm currently using qutebrowser, which is written in Python 3, and pledge has
started to get into the Python world, so I hope that will be supported soon

On June 12, 2018 12:40:18 AM UTC, Stuart Longland  
wrote:
>On 11/06/18 21:28, Marko Cupać wrote:
>> I don't understand neither browser's code. However, current
>propaganda
>> that reaches me goes along the lines "Firefox is made by non-profit
>> organization with users' freedom in mind, while Chromium is made by
>> for-profit organization for the purpose of extraction of users'
>> personal information".
>
>There's a great irony here…
>
>Firefox is a derivative of the Mozilla code base which used to be known
>in the general public as Netscape.  Netscape Communications was a
>for-profit company, that actually *sold* their browser for commercial
>use (it was only free for personal use).
>
>Chrome and Safari both derive from Apple WebKit which itself is a fork
>of the KHTML rendering engine developed by the KDE project, and has
>*always* been, LGPL licensed code since its first release in 1998.
>
>Yet today, Firefox is held up as the open-source darling and
>Chrome/Safari is seen as the proprietary devil.  Go figure. :-)
>-- 
>Stuart Longland (aka Redhatter, VK4MSL)
>
>I haven't lost my mind...
>  ...it's backed up on a tape somewhere.

-- 
Take Care Sincerely flipchan layerprox dev


Re: thank you for 6.3

2018-04-19 Thread flipchan
Running 6.3 on x200 here as well but with libreboot, except for libreboot not
allowing me to have full disk encryption it works like a charm

On April 18, 2018 5:10:26 PM UTC, Scott Bonds  wrote:
>Under 6.2 my laptop would hang a few hours after waking from sleep, and
>
>it was my own damn fault for running an unsupported config (Lenovo x200
>
>+ coreboot + SeaBIOS). But after upgrading to 6.3 I haven't been able
>to 
>get it to hang and I find myself back in 'it just works' land which is 
>so, so nice. So nice.
>
>I don't know who to thank, and maybe the dev that fixed my issue 
>wouldn't know *they* fixed it, but...thank you.

-- 
Take Care Sincerely flipchan layerprox dev


Re: 4-ports router under $150

2018-04-08 Thread flipchan
Yes, an apu2b4. It is very stable with OpenBSD 6.2 and it performs rly good, I'm
running it with cat 6 cables and I am much happier with that one rather
than my consumer router, I now have a fully working separation of my different
networks and having a rly good dhcp server rly does wonders, I recommend it,
just don't forget to enable com0 as output. I recommended the board to a friend
and he loves it too, he is running Linux on it doe :/

On April 8, 2018 4:02:20 PM UTC, Michael Price  wrote:
>Was it an apu2c4 by any chance? I was thinking about picking one of
>those
>up and was curious as to what kind of packet rates people were seeing
>with
>them.
>
>Michael
>
>On Sun, Apr 8, 2018 at 1:41 AM, flipchan  wrote:
>
>> I run a apu board with 3 ports with openbsd 6.2 and coreboot, i
>recommend
>> it
>>
>> On April 8, 2018 2:01:50 AM UTC, jungle boogie
>
>> wrote:
>> >Thus said Jordan Geoghegan on Sat, 7 Apr 2018 17:57:16 -0700
>> >> The Edgerouter 6 is going to be coming out shortly, that is what I
>am
>> >
>> >> holding out for to run my home network on.
>> >>
>> >>
>> >
>> >Just curious, why this and not amd64 bit with something like the
>> >pcengine apu2 board? I know it only has three NICs, so it's likely a
>> >non-started for the OP, but it's 64bit amd.
>> >
>> >I don't know the MSRP of the ER6. Do you?
>>
>> --
>> Take Care Sincerely flipchan layerprox dev
>>

-- 
Take Care Sincerely flipchan layerprox dev


Re: 4-ports router under $150

2018-04-07 Thread flipchan
I run an apu board with 3 ports with OpenBSD 6.2 and coreboot, I recommend it

On April 8, 2018 2:01:50 AM UTC, jungle boogie  wrote:
>Thus said Jordan Geoghegan on Sat, 7 Apr 2018 17:57:16 -0700
>> The Edgerouter 6 is going to be coming out shortly, that is what I am
>
>> holding out for to run my home network on.
>> 
>> 
>
>Just curious, why this and not amd64 bit with something like the 
>pcengine apu2 board? I know it only has three NICs, so it's likely a 
>non-started for the OP, but it's 64bit amd.
>
>I don't know the MSRP of the ER6. Do you?

-- 
Take Care Sincerely flipchan layerprox dev


Re: Status of X i386 openbsd 6.2 on x200

2018-04-05 Thread flipchan
It works when installing but it wont boot 



On their website it says: "
Installing OpenBSD with full disk encryption

Not working. You can modify the above procedure (installation w/o encryption) 
to install OpenBSD using full disk encryption, and it appears to work, except 
that it’s not yet clear how to actually boot an OpenBSD+FDE installation using 
libreboot+Grub2. If you get it working, please let us know."

Site: https://libreboot.org/docs/bsd/openbsd.html

On April 5, 2018 4:39:56 PM UTC, Jordan Geoghegan  
wrote:
>What is it that prevents full disk encryption? I have been wanting a 
>libreboot machine for travel, but Full disk encryption is more
>important 
>that a clean bios when travelling.
>
>Thanks for your time,
>
>Jordan
>
>
>On 04/04/18 15:23, flipchan wrote:
>> The amd64 fs file for 6.2 is working good i know got it running with
>libreboot which is cool, libreboot doesnt support full disk encryption 
>which sucks but i am glad that it works .
>>
>> On April 2, 2018 7:26:58 PM UTC, Markus Lude 
>wrote:
>>> On Sun, Apr 01, 2018 at 09:41:07PM +0000, flipchan wrote:
>>>> Hello all,
>>>>
>>>> I have tried to installed 6.1 and 6.2 on a thinkpad x200 it works
>but
>>> X does work ...
>>>> Its works great with 6.0 but then i dont get the good 6.2 packages
>>> and features such as syspatch.
>>>>
>>>> It seems lika well known problem:
>>>> https://marc.info/?l=openbsd-bugs&m=150506076421862&w=2
>>>>
>>>>
>>>> Does anyone know the status of this/ if anyone is working on this ?
>>> The problem still exists. The drm diff back then was quite huge and
>I
>>> am
>>> unable to break it down in smaller chunks to see where the cause
>>> therein
>>> is.
>>> The T61 is quite old and still runs with 6.1.
>>> It is new for me that newer Thinkpads do have the same problem.
>Could
>>> you please post a trace of your crash?
>>>
>>> Regards,
>>> Markus

-- 
Take Care Sincerely flipchan layerprox dev


Re: Status of X i386 openbsd 6.2 on x200

2018-04-04 Thread flipchan
The amd64 fs file for 6.2 is working good, I now got it running with libreboot
which is cool, libreboot doesn't support full disk encryption which sucks but I
am glad that it works.

On April 2, 2018 7:26:58 PM UTC, Markus Lude  wrote:
>On Sun, Apr 01, 2018 at 09:41:07PM +0000, flipchan wrote:
>> Hello all,
>> 
>> I have tried to installed 6.1 and 6.2 on a thinkpad x200 it works but
>X does work ...
>> 
>> Its works great with 6.0 but then i dont get the good 6.2 packages
>and features such as syspatch. 
>> 
>> 
>> It seems lika well known problem:
>> https://marc.info/?l=openbsd-bugs&m=150506076421862&w=2
>> 
>> 
>> Does anyone know the status of this/ if anyone is working on this ?
> 
>The problem still exists. The drm diff back then was quite huge and I
>am
>unable to break it down in smaller chunks to see where the cause
>therein
>is.
>The T61 is quite old and still runs with 6.1.
>It is new for me that newer Thinkpads do have the same problem. Could
>you please post a trace of your crash?
>
>Regards,
>Markus

-- 
Take Care Sincerely flipchan layerprox dev


Status of X i386 openbsd 6.2 on x200

2018-04-01 Thread flipchan
Hello all,

I have tried to installed 6.1 and 6.2 on a thinkpad x200 it works but X does 
work ...

It works great with 6.0 but then I don't get the good 6.2 packages and features
such as syspatch.


It seems like a well known problem:
https://marc.info/?l=openbsd-bugs&m=150506076421862&w=2


Does anyone know the status of this/ if anyone is working on this ?


-- 
Take Care Sincerely flipchan layerprox dev


Re: Opensmtpd authentication error

2018-03-07 Thread flipchan
Okay, I installed opensmtpd-extras and tried a cleaner smtpd.conf file:
dpaste.com/255DGXH.txt

Same authentication failed when i try in mutt

On March 7, 2018 9:25:18 PM UTC, ed...@pettijohn-web.com wrote:
>You have to install opensmtpd-extras package to use the passwd table.
>On Mar 7, 2018 3:21 PM, flipchan  wrote:
>>
>> Yeah, they are encrypted using smtpctl and the syntax with space
>doesnt work and in other ppls configurations they have passwd instead
>of file but its not supported anymore it seems like
>>
>> On March 7, 2018 3:19:18 PM UTC, trondd 
>wrote:
>> >On Wed, March 7, 2018 10:06 am, flipchan wrote:
>> >> smtpctl encrypt mypassword
>> >>
>> >> Then syntax
>> >> user:password ?
>> >>
>> >> On March 6, 2018 9:46:26 PM UTC, trondd 
>> >wrote:
>> >>>On Tue, March 6, 2018 1:48 pm, flipchan wrote:
>> >>>> Hello,
>> >>>> im trying to create a mail server and i keep getting opensmtpd
>> >>>> authentication fail
>> >>>>
>> >>>>
>> >>>> i tried using neomutt and regular mutt, but no success
>> >>>>
>> >>>>
>> >>>> tail -f /var/log/maillog
>> >>>> Mar  6 18:15:37 mail dovecot: imap-login: Login:
>> >>>user=,
>> >>>> method=PLAIN, rip=homeip, lip=server, mpid=54071, TLS,
>> >>>> session=
>> >>>> Mar  6 18:15:48 mail dovecot: imap-login: Login:
>> >>>user=,
>> >>>> method=PLAIN, rip=homeip, lip=server, mpid=11081, TLS,
>> >>>> session=
>> >>>> Mar  6 18:15:55 mail smtpd[77144]: 7b289a2a8f3efe40 smtp
>> >>>event=connected
>> >>>> address=homeip host=homeip
>> >>>> Mar  6 18:15:55 mail smtpd[77144]: 7b289a2a8f3efe40 smtp
>> >>>event=starttls
>> >>>> address=homeip host=homeip ciphers="version=TLSv1.2,
>> >>>> cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256"
>> >>>> Mar  6 18:15:55 mail smtpd[77144]: 7b289a2a8f3efe40 smtp
>> >>>> event=authentication user=user address=homeip host=homeip
>> >>>result=permfail
>> >>>> Mar  6 18:15:56 mail smtpd[77144]: 7b289a2a8f3efe40 smtp
>> >>>> event=failed-command address=homeip host=homeip command="AUTH
>PLAIN
>> >>>(...)"
>> >>>> result="535 Authentication failed"
>> >>>> Mar  6 18:15:57 mail smtpd[77144]: 7b289a2a8f3efe40 smtp
>> >event=closed
>> >>>> address=homeip host=homeip reason=disconnect
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>> dovecot works so i can get imap but opensmtpd does work
>> >>>>
>> >>>> im using openbsd6.2
>> >>>>
>> >>>>
>> >>>> # cat /etc/mail/smtpd.conf
>> >>>> pki mail.mysite.com certificate "/etc/ssl/mail.mysite.com.crt"
>> >>>> pki mail.mysite.com key "/etc/ssl/private/mail.mysite.com.key"
>> >>>>
>> >>>> # tables setup
>> >>>> table aliases file:/etc/mail/aliases
>> >>>> table domains file:/etc/mail/domains
>> >>>> table passwd file:/etc/mail/passwd
>> >>>> table virtuals file:/etc/mail/virtuals
>> >>>>
>> >>>> # listen ports setup
>> >>>> #listen on lo0
>> >>>> listen on vio0 port 25 tls-require pki mail.mysite.com
>> >>>> #listen on vio0 port 587 tls-require pki mail.mysite.com auth
>> >>>
>> >>>> listen on vio0 port 587 smtps pki mail.mysite.com auth 
>> >>>> # special case for gmail to avoid ipv6 here
>> >>>> #limit mta for domain gmail.com inet4
>> >>>>
>> >>>> # allow local messages
>> >>>> accept from local for local alias  deliver to lmtp
>> >>>> "/var/dovecot/lmtp" rcpt-to
>> >>>> # allow virtual domains
>> >>>> accept from any for domain  virtual  deliver
>to
>> >>>lmtp
>> >>>> "/var/dovecot/lmtp" rcpt-to
>> >>>> # allow outgoing mails
>> >>>> accept from local for any relay
>> >>>> #reject from ! source  sender "@mysite.com" for
>any
>> >>>>
>> >>>>
>> >>>>
>> >>>> both dovecot and smtpd reads passwd's from /etc/mail/passwd and
>> >only
>> >>>> dovecot works, think its some kind of smtpd config that is
>wrong...
>> >>>>
>> >>>
>> >>>Is the password encrypted properly?
>> >>>
>> >>>   In a listener context, the credentials are a mapping of
>username
>> >and
>> >>> encrypted passwords:
>> >>>
>> >>>   user1
>> >>>$2b$10$hIJ4QfMcp.90nJwKqGbKM.MybArjHOTpEtoTV.DgLYAiThuoYmTSe
>> >>>   user2
>> >>>$2b$10$bwSmUOBGcZGamIfRuXGTvuTo3VLbPG9k5yeKNMBtULBhksV5KdGsK
>> >>>
>> >>> The passwords are to be encrypted using the smtpctl(8)
>encrypt
>> >>> subcommand.
>> >>
>> >> --
>> >> Take Care Sincerely flipchan layerprox dev
>> >>
>> >
>> >This comes from the table(5) man page.
>> >
>> >The file will be:
>> >username encryptedpassword
>>
>> -- 
>> Take Care Sincerely flipchan layerprox dev

-- 
Take Care Sincerely flipchan layerprox dev


Re: Opensmtpd authentication error

2018-03-07 Thread flipchan
Yeah, they are encrypted using smtpctl and the syntax with space doesn't work
and in other people's configurations they have passwd instead of file but it's not
supported anymore it seems like

On March 7, 2018 3:19:18 PM UTC, trondd  wrote:
>On Wed, March 7, 2018 10:06 am, flipchan wrote:
>> smtpctl encrypt mypassword
>>
>> Then syntax
>> user:password ?
>>
>> On March 6, 2018 9:46:26 PM UTC, trondd 
>wrote:
>>>On Tue, March 6, 2018 1:48 pm, flipchan wrote:
>>>> Hello,
>>>> im trying to create a mail server and i keep getting opensmtpd
>>>> authentication fail
>>>>
>>>>
>>>> i tried using neomutt and regular mutt, but no success
>>>>
>>>>
>>>> tail -f /var/log/maillog
>>>> Mar  6 18:15:37 mail dovecot: imap-login: Login:
>>>user=,
>>>> method=PLAIN, rip=homeip, lip=server, mpid=54071, TLS,
>>>> session=
>>>> Mar  6 18:15:48 mail dovecot: imap-login: Login:
>>>user=,
>>>> method=PLAIN, rip=homeip, lip=server, mpid=11081, TLS,
>>>> session=
>>>> Mar  6 18:15:55 mail smtpd[77144]: 7b289a2a8f3efe40 smtp
>>>event=connected
>>>> address=homeip host=homeip
>>>> Mar  6 18:15:55 mail smtpd[77144]: 7b289a2a8f3efe40 smtp
>>>event=starttls
>>>> address=homeip host=homeip ciphers="version=TLSv1.2,
>>>> cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256"
>>>> Mar  6 18:15:55 mail smtpd[77144]: 7b289a2a8f3efe40 smtp
>>>> event=authentication user=user address=homeip host=homeip
>>>result=permfail
>>>> Mar  6 18:15:56 mail smtpd[77144]: 7b289a2a8f3efe40 smtp
>>>> event=failed-command address=homeip host=homeip command="AUTH PLAIN
>>>(...)"
>>>> result="535 Authentication failed"
>>>> Mar  6 18:15:57 mail smtpd[77144]: 7b289a2a8f3efe40 smtp
>event=closed
>>>> address=homeip host=homeip reason=disconnect
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> dovecot works so i can get imap but opensmtpd does work
>>>>
>>>> im using openbsd6.2
>>>>
>>>>
>>>> # cat /etc/mail/smtpd.conf
>>>> pki mail.mysite.com certificate "/etc/ssl/mail.mysite.com.crt"
>>>> pki mail.mysite.com key "/etc/ssl/private/mail.mysite.com.key"
>>>>
>>>> # tables setup
>>>> table aliases file:/etc/mail/aliases
>>>> table domains file:/etc/mail/domains
>>>> table passwd file:/etc/mail/passwd
>>>> table virtuals file:/etc/mail/virtuals
>>>>
>>>> # listen ports setup
>>>> #listen on lo0
>>>> listen on vio0 port 25 tls-require pki mail.mysite.com
>>>> #listen on vio0 port 587 tls-require pki mail.mysite.com auth
>>>
>>>> listen on vio0 port 587 smtps pki mail.mysite.com auth 
>>>> # special case for gmail to avoid ipv6 here
>>>> #limit mta for domain gmail.com inet4
>>>>
>>>> # allow local messages
>>>> accept from local for local alias  deliver to lmtp
>>>> "/var/dovecot/lmtp" rcpt-to
>>>> # allow virtual domains
>>>> accept from any for domain  virtual  deliver to
>>>lmtp
>>>> "/var/dovecot/lmtp" rcpt-to
>>>> # allow outgoing mails
>>>> accept from local for any relay
>>>> #reject from ! source  sender "@mysite.com" for any
>>>>
>>>>
>>>>
>>>> both dovecot and smtpd reads passwd's from /etc/mail/passwd and
>only
>>>> dovecot works, think its some kind of smtpd config that is wrong...
>>>>
>>>
>>>Is the password encrypted properly?
>>>
>>>   In a listener context, the credentials are a mapping of username
>and
>>> encrypted passwords:
>>>
>>>   user1
>>>$2b$10$hIJ4QfMcp.90nJwKqGbKM.MybArjHOTpEtoTV.DgLYAiThuoYmTSe
>>>   user2
>>>$2b$10$bwSmUOBGcZGamIfRuXGTvuTo3VLbPG9k5yeKNMBtULBhksV5KdGsK
>>>
>>> The passwords are to be encrypted using the smtpctl(8) encrypt
>>> subcommand.
>>
>> --
>> Take Care Sincerely flipchan layerprox dev
>>
>
>This comes from the table(5) man page.
>
>The file will be:
>username encryptedpassword

-- 
Take Care Sincerely flipchan layerprox dev
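
The credentials-table format quoted from table(5) in this thread (a username followed by a password encrypted with `smtpctl encrypt`), as an added example that is not part of the thread: a linter that reports, per entry, which separator was used and whether the value looks like a crypt-style hash or a plaintext password, without echoing the value. Function names and the sample table are constructed; treating `user:hash` as a recognisable entry and the bcrypt pattern derived from the quoted samples are assumptions of this example.

```python
"""Lint an OpenSMTPD credentials table without echoing any secret."""
import re

# bcrypt in crypt(3) modular form, matching the table(5) samples quoted above:
# "$2b$" + two-digit cost + "$" + 53 characters of salt and digest.
BCRYPT = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
OTHER_HASH = re.compile(r"^\$[0-9A-Za-z]+\$\S+$")  # any other $id$... hash
# username, then either ':' or whitespace, then the rest of the line
ENTRY = re.compile(r"^(\S+?)(?:(:)\s*|\s+)(\S.*)$")

SAMPLE_TABLE = """\
# constructed sample; both hashes are the table(5) examples quoted in the thread
user1 $2b$10$hIJ4QfMcp.90nJwKqGbKM.MybArjHOTpEtoTV.DgLYAiThuoYmTSe
user2:$2b$10$bwSmUOBGcZGamIfRuXGTvuTo3VLbPG9k5yeKNMBtULBhksV5KdGsK
user3 hunter2
user4
"""


def classify(value):
    """Return 'bcrypt', 'other-hash' or 'plaintext' for a credential value."""
    # Only the first field is judged, so trailing passwd(5)-style fields
    # after the hash do not change the verdict.
    first = re.split(r"[:\s]", value, maxsplit=1)[0]
    if BCRYPT.match(first):
        return "bcrypt"
    if OTHER_HASH.match(first):
        return "other-hash"
    return "plaintext"


def lint(text):
    """Return [(line number, username, separator, verdict)] for each entry."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = ENTRY.match(line)
        if not match:
            # A lone token: a username with no credential after it.
            findings.append((number, line.rstrip(":"), None, "missing"))
            continue
        user, colon, value = match.groups()
        separator = "colon" if colon else "space"
        findings.append((number, user, separator, classify(value)))
    return findings


def needs_attention(text):
    """Entries whose value is absent or is not a crypt-style hash."""
    return [(n, user, verdict) for n, user, _, verdict in lint(text)
            if verdict in ("plaintext", "missing")]


if __name__ == "__main__":
    for number, user, separator, verdict in lint(SAMPLE_TABLE):
        print("line %d: %s sep=%s value=%s" % (number, user, separator, verdict))
```
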


Re: Opensmtpd authentication error

2018-03-07 Thread flipchan
smtpctl encrypt mypassword 

Then syntax 
user:password ?

On March 6, 2018 9:46:26 PM UTC, trondd  wrote:
>On Tue, March 6, 2018 1:48 pm, flipchan wrote:
>> Hello,
>> im trying to create a mail server and i keep getting opensmtpd
>> authentication fail
>>
>>
>> i tried using neomutt and regular mutt, but no success
>>
>>
>> tail -f /var/log/maillog
>> Mar  6 18:15:37 mail dovecot: imap-login: Login:
>user=,
>> method=PLAIN, rip=homeip, lip=server, mpid=54071, TLS,
>> session=
>> Mar  6 18:15:48 mail dovecot: imap-login: Login:
>user=,
>> method=PLAIN, rip=homeip, lip=server, mpid=11081, TLS,
>> session=
>> Mar  6 18:15:55 mail smtpd[77144]: 7b289a2a8f3efe40 smtp
>event=connected
>> address=homeip host=homeip
>> Mar  6 18:15:55 mail smtpd[77144]: 7b289a2a8f3efe40 smtp
>event=starttls
>> address=homeip host=homeip ciphers="version=TLSv1.2,
>> cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256"
>> Mar  6 18:15:55 mail smtpd[77144]: 7b289a2a8f3efe40 smtp
>> event=authentication user=user address=homeip host=homeip
>result=permfail
>> Mar  6 18:15:56 mail smtpd[77144]: 7b289a2a8f3efe40 smtp
>> event=failed-command address=homeip host=homeip command="AUTH PLAIN
>(...)"
>> result="535 Authentication failed"
>> Mar  6 18:15:57 mail smtpd[77144]: 7b289a2a8f3efe40 smtp event=closed
>> address=homeip host=homeip reason=disconnect
>>
>>
>>
>>
>>
>> dovecot works so i can get imap but opensmtpd does work
>>
>> im using openbsd6.2
>>
>>
>> # cat /etc/mail/smtpd.conf
>> pki mail.mysite.com certificate "/etc/ssl/mail.mysite.com.crt"
>> pki mail.mysite.com key "/etc/ssl/private/mail.mysite.com.key"
>>
>> # tables setup
>> table aliases file:/etc/mail/aliases
>> table domains file:/etc/mail/domains
>> table passwd file:/etc/mail/passwd
>> table virtuals file:/etc/mail/virtuals
>>
>> # listen ports setup
>> #listen on lo0
>> listen on vio0 port 25 tls-require pki mail.mysite.com
>> #listen on vio0 port 587 tls-require pki mail.mysite.com auth
>
>> listen on vio0 port 587 smtps pki mail.mysite.com auth 
>> # special case for gmail to avoid ipv6 here
>> #limit mta for domain gmail.com inet4
>>
>> # allow local messages
>> accept from local for local alias  deliver to lmtp
>> "/var/dovecot/lmtp" rcpt-to
>> # allow virtual domains
>> accept from any for domain  virtual  deliver to
>lmtp
>> "/var/dovecot/lmtp" rcpt-to
>> # allow outgoing mails
>> accept from local for any relay
>> #reject from ! source  sender "@mysite.com" for any
>>
>>
>>
>> both dovecot and smtpd reads passwd's from /etc/mail/passwd and only
>> dovecot works, think its some kind of smtpd config that is wrong...
>>
>
>Is the password encrypted properly?
>
>   In a listener context, the credentials are a mapping of username and
> encrypted passwords:
>
>   user1  
>$2b$10$hIJ4QfMcp.90nJwKqGbKM.MybArjHOTpEtoTV.DgLYAiThuoYmTSe
>   user2  
>$2b$10$bwSmUOBGcZGamIfRuXGTvuTo3VLbPG9k5yeKNMBtULBhksV5KdGsK
>
> The passwords are to be encrypted using the smtpctl(8) encrypt
> subcommand.

-- 
Take Care Sincerely flipchan layerprox dev
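
The quoted reply asks whether the table holds properly encrypted passwords. As an added example (not part of the thread and not OpenSMTPD code), this sketch lints a credentials table in the "username, whitespace, hash" layout shown in the man page excerpt. It assumes bcrypt hashes as in that excerpt; the function name, the minimum cost of 8 and the sample table are illustrative.

```python
import re

# crypt(3) bcrypt string: $2<a|b|y>$<cost>$ followed by 53 chars (22 salt + 31 digest).
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")

# Constructed sample table. The two hash bodies are the ones printed in the
# quoted man page excerpt; "useruser" stands in for a plaintext entry.
SAMPLE_TABLE = """\
# constructed sample credentials table
user1 $2b$10$hIJ4QfMcp.90nJwKqGbKM.MybArjHOTpEtoTV.DgLYAiThuoYmTSe
user2 useruser
user3:$2b$10$bwSmUOBGcZGamIfRuXGTvuTo3VLbPG9k5yeKNMBtULBhksV5KdGsK:1000:1000
user1 $2b$04$bwSmUOBGcZGamIfRuXGTvuTo3VLbPG9k5yeKNMBtULBhksV5KdGsK
"""


def lint_credentials(text, min_cost=8):
    """Check a 'username <whitespace> hash' table; return (line, user, problem) tuples.

    The stored value is never echoed back, so the findings are safe to log.
    min_cost is a local policy choice (an assumption of this example).
    """
    findings = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        user = fields[0].split(":", 1)[0]
        if len(fields) != 2:
            # A single colon-separated field usually means a passwd(5)-style line.
            hint = " (colon-separated passwd-style line?)" if ":" in fields[0] else ""
            findings.append((lineno, user, f"expected 2 fields, found {len(fields)}{hint}"))
            continue
        if user in seen:
            findings.append((lineno, user, "duplicate username"))
        seen.add(user)
        value = fields[1]
        m = BCRYPT_RE.match(value)
        if m is None:
            if not value.startswith("$"):
                problem = "value is not a crypt(3) hash (plaintext password?)"
            else:
                problem = "hash is truncated or not bcrypt"
            findings.append((lineno, user, problem))
        elif int(m.group(1)) < min_cost:
            findings.append((lineno, user, f"bcrypt cost {int(m.group(1))} below minimum {min_cost}"))
    return findings


if __name__ == "__main__":
    for lineno, user, problem in lint_credentials(SAMPLE_TABLE):
        print(f"line {lineno}: {user}: {problem}")
```
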


Opensmtpd authentication error

2018-03-06 Thread flipchan
Hello,
im trying to create a mail server and i keep getting opensmtpd authentication 
fail


i tried using neomutt and regular mutt, but no success


tail -f /var/log/maillog
Mar  6 18:15:37 mail dovecot: imap-login: Login: user=, 
method=PLAIN, rip=homeip, lip=server, mpid=54071, TLS, 
session=
Mar  6 18:15:48 mail dovecot: imap-login: Login: user=, 
method=PLAIN, rip=homeip, lip=server, mpid=11081, TLS, 
session=
Mar  6 18:15:55 mail smtpd[77144]: 7b289a2a8f3efe40 smtp event=connected 
address=homeip host=homeip
Mar  6 18:15:55 mail smtpd[77144]: 7b289a2a8f3efe40 smtp event=starttls 
address=homeip host=homeip ciphers="version=TLSv1.2, 
cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256"
Mar  6 18:15:55 mail smtpd[77144]: 7b289a2a8f3efe40 smtp event=authentication 
user=user address=homeip host=homeip result=permfail
Mar  6 18:15:56 mail smtpd[77144]: 7b289a2a8f3efe40 smtp event=failed-command 
address=homeip host=homeip command="AUTH PLAIN (...)" result="535 
Authentication failed"
Mar  6 18:15:57 mail smtpd[77144]: 7b289a2a8f3efe40 smtp event=closed 
address=homeip host=homeip reason=disconnect

 



dovecot works so i can get imap but opensmtpd does work

im using openbsd6.2


# cat /etc/mail/smtpd.conf
pki mail.mysite.com certificate "/etc/ssl/mail.mysite.com.crt"
pki mail.mysite.com key "/etc/ssl/private/mail.mysite.com.key"

# tables setup
table aliases file:/etc/mail/aliases
table domains file:/etc/mail/domains
table passwd file:/etc/mail/passwd
table virtuals file:/etc/mail/virtuals

# listen ports setup
#listen on lo0
listen on vio0 port 25 tls-require pki mail.mysite.com
#listen on vio0 port 587 tls-require pki mail.mysite.com auth 
listen on vio0 port 587 smtps pki mail.mysite.com auth 
# special case for gmail to avoid ipv6 here
#limit mta for domain gmail.com inet4

# allow local messages
accept from local for local alias  deliver to lmtp "/var/dovecot/lmtp" 
rcpt-to
# allow virtual domains
accept from any for domain  virtual  deliver to lmtp 
"/var/dovecot/lmtp" rcpt-to
# allow outgoing mails
accept from local for any relay
#reject from ! source  sender "@mysite.com" for any



both dovecot and smtpd reads passwd's from /etc/mail/passwd and only dovecot 
works, think its some kind of smtpd config that is wrong...



Does anyone know why it fails/has tips?


my mutt config:

# cat .mutt/muttrc  
   
set my_user = 'u...@mysite.com'
set smtp_url = 'smtps://u...@mail.mysite.com:587'
set from = "user"
set realname = 'user'
set ssl_force_tls = yes
set ssl_starttls = yes
#imap
set imap_user = 'u...@mysite.com'
#use user_agent = no
set imap_pass = 'useruser'
#set from = 'u...@mysite.com'
#set realname = 'user'
set smtp_pass = 'useruser'
set folder = 'imap://mail.mysite.com'
set spoolfile = 'imap://mail.mysite.com/INBOX'
set postponed = 'imap://mail.mysite.com/Drafts'
set header_cache = '/home/test/mutt/cache/headers'
set message_cachedir = '/home/test/mutt/cache/bodies'




-- 
Take Care Sincerely flipchan layerprox dev
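
The maillog excerpt in this post carries one session id per SMTP conversation, which makes it easy to correlate events. As an added example (not from the original post and not part of OpenSMTPD), this sketch groups smtpd lines by session id, lists failed authentications, and counts failures per source address. It expects one event per line as in the real log file; the sample addresses, the extra sessions and the `result=ok` line are constructed assumptions.

```python
import re
from collections import Counter

# "<date> <host> smtpd[pid]: <session id> smtp event=<name> key=value ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ smtpd\[\d+\]: "
    r"(?P<sid>[0-9a-f]{16}) smtp event=(?P<event>[\w-]+)\s*(?P<rest>.*)$"
)
# Values may be double-quoted and contain spaces, commas or '='.
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

# Constructed sample: the first session mirrors the one in the post (unwrapped,
# documentation addresses); the other sessions and "result=ok" are invented.
SAMPLE_LOG = """\
Mar  6 18:15:48 mail dovecot: imap-login: Login: method=PLAIN, rip=192.0.2.10, TLS
Mar  6 18:15:55 mail smtpd[77144]: 7b289a2a8f3efe40 smtp event=connected address=192.0.2.10 host=192.0.2.10
Mar  6 18:15:55 mail smtpd[77144]: 7b289a2a8f3efe40 smtp event=starttls address=192.0.2.10 host=192.0.2.10 ciphers="version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256"
Mar  6 18:15:55 mail smtpd[77144]: 7b289a2a8f3efe40 smtp event=authentication user=user address=192.0.2.10 host=192.0.2.10 result=permfail
Mar  6 18:15:56 mail smtpd[77144]: 7b289a2a8f3efe40 smtp event=failed-command address=192.0.2.10 host=192.0.2.10 command="AUTH PLAIN (...)" result="535 Authentication failed"
Mar  6 18:15:57 mail smtpd[77144]: 7b289a2a8f3efe40 smtp event=closed address=192.0.2.10 host=192.0.2.10 reason=disconnect
Mar  6 18:20:01 mail smtpd[77144]: 1f0e2d3c4b5a6978 smtp event=connected address=198.51.100.7 host=198.51.100.7
Mar  6 18:20:02 mail smtpd[77144]: 1f0e2d3c4b5a6978 smtp event=starttls address=198.51.100.7 host=198.51.100.7 ciphers="version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256"
Mar  6 18:20:02 mail smtpd[77144]: 1f0e2d3c4b5a6978 smtp event=authentication user=admin address=198.51.100.7 host=198.51.100.7 result=permfail
Mar  6 18:20:03 mail smtpd[77144]: 1f0e2d3c4b5a6978 smtp event=authentication user=root address=198.51.100.7 host=198.51.100.7 result=permfail
Mar  6 18:20:09 mail smtpd[77144]: 2a3b4c5d6e7f8091 smtp event=authentication user=test address=198.51.100.7 host=198.51.100.7 result=permfail
Mar  6 18:21:30 mail smtpd[77144]: 3c4d5e6f708192a3 smtp event=authentication user=user address=192.0.2.10 host=192.0.2.10 result=ok
"""

def parse_line(line):
    """Return (session_id, event, timestamp, fields) or None for non-smtpd lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return m.group("sid"), m.group("event"), m.group("ts"), fields

def summarize_sessions(lines):
    """Group events by session id so one SMTP conversation reads as one record."""
    sessions = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # e.g. dovecot lines in the same maillog
        sid, event, ts, f = parsed
        s = sessions.setdefault(sid, {"address": None, "tls": None, "auth": [],
                                      "reply": None, "closed": None})
        s["address"] = f.get("address", s["address"])
        if event == "starttls":
            s["tls"] = f.get("ciphers")
        elif event == "authentication":
            # tls_seen: was a TLS event logged for this session before the attempt?
            s["auth"].append({"ts": ts, "user": f.get("user"),
                              "result": f.get("result"), "tls_seen": s["tls"] is not None})
        elif event == "failed-command":
            s["reply"] = f.get("result")
        elif event == "closed":
            s["closed"] = f.get("reason")
    return sessions

def failed_logins(sessions):
    """Every result=permfail attempt as (address, user, result, tls_seen)."""
    return [(s["address"], a["user"], a["result"], a["tls_seen"])
            for s in sessions.values() for a in s["auth"]
            if a["result"] == "permfail"]

def repeat_offenders(sessions, threshold=3):
    """Addresses with at least `threshold` failed attempts across all sessions."""
    counts = Counter(addr for addr, _, _, _ in failed_logins(sessions))
    return {addr: n for addr, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    found = summarize_sessions(SAMPLE_LOG.splitlines())
    for row in failed_logins(found):
        print(row)
    print(repeat_offenders(found))
```
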


Re: risc-v

2018-01-15 Thread flipchan
I love risc-v !

But has risc-v started producing on real hardware and not kvm/qemu ? would be 
cool to have that

On January 14, 2018 9:43:27 PM GMT+01:00, "Peter J. Philipp"  
wrote:
>Is anyone interested/working/planning around this ingenious open source
>Instruction Set Architecture?  Not many developer boards yet but there
>is 
>simulators...
>
>Small contribution from me (how to compile riscv-qemu on OpenBSD
>6.2-stable):
>
>http://centroid.eu/blog/index.php?article=1515597453  <-- needs
>javascript to
>view
>
>I've spent a few hours trying to compile a cross compiler but haven't
>had
>much luck with that, my ultimate goal would be to boot OpenBSD on qemu
>and
>by then there would be enough developer boards perhaps to look further.
>
>More interesting things are found at https://riscv.org , there is a
>FreeBSD
>port but I had problem building it in vmware.  Perhaps FreeBSD can
>serve as
>a helping source to port OpenBSD to this?
>
>Regards,
>-peter

-- 
Take Care Sincerely flipchan layerprox dev

Re: FYI: logitech mouse LED color tool

2018-01-12 Thread flipchan
Nice 

On January 12, 2018 2:42:06 AM GMT+01:00, Jan Klemkow  
wrote:
>Hi,
>
>I implemented a utility to set the LED color of Logitech mouse devices
>on OpenBSD.  Some people might also use this mouse and would like to
>change the LED color.
>
>If you are interested just try it: https://github.com/younix/g403led
>
>I just tested it with the "G403 Prodigy Gaming Mouse" model.  If it
>also
>work for other models, let me know.
>
>Any feedback is welcome.
>
>bye,
>Jan

-- 
Take Care Sincerely flipchan layerprox dev

Re: Kernel memory leaking on Intel CPUs?

2018-01-05 Thread flipchan
We need risc-v openhardware !

On January 5, 2018 3:49:22 PM GMT+01:00, Graham Allan  wrote:
>Also I don't believe any of these mechanisms are able to protect
>against 
>meltdown or spectre. I think *BSD is no more immune than any other 
>system, without performing the same separation between user and kernel 
>memory.
>
>On 1/5/2018 7:27 AM, Riccardo Giuntoli wrote:
>> But this is only for FreeBSD sure?
>> 
>> On Fri, Jan 5, 2018 at 2:02 AM, torsten 
>wrote:
>> 
>>> Ps
>>> security.bsd.see_other_uids=0
>>> security.bsd.see_other_gids=0
>>> security.bsd.unprivileged_read_msgbuf=0
>>> security.bsd.unprivileged_proc_debug=0
>>> kern.randompid=$(jot -r 1 )
>>> security.bsd.stack_guard_page=1
>>>
>>>
>>>> -Original Message-
>>>> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On
>Behalf
>>>> Of torsten
>>>> Sent: 05 January 2018 00:59
>>>> To: 'Rupert Gallagher'; 'Daniel Wilkins'; 'Allan Streib'
>>>> Cc: 'Alceu R. de Freitas Jr.'; misc@openbsd.org
>>>> Subject: Re: Kernel memory leaking on Intel CPUs?
>>>>
>>>> I wonder how it is in reality for most *BSD users due to 1. hide
>>>> processes run by other users 2. disable reading kernel messaging
>>>> buffers...
>>>> 3. disable kernel messaging debugging by unprivileged users
>>>>
>>>> And some other tweaks
>>>>
>>>> What surprises me is the "panic" publication of this because of
>already
>>>> known and in *BSDs addressed concerns about hyper-threading and
>>>> shared memory well back since 1994
>>>>
>>>>
>>>>> -Original Message-
>>>>> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On
>>>> Behalf
>>>>> Of Rupert Gallagher
>>>>> Sent: 04 January 2018 22:22
>>>>> To: Daniel Wilkins; Allan Streib
>>>>> Cc: Alceu R. de Freitas Jr.; misc@openbsd.org
>>>>> Subject: Re: Kernel memory leaking on Intel CPUs?
>>>>>
>>>>> https://mobile.twitter.com/misc0110/status/948706387491786752
>>>>>
>>>>> On Thu, Jan 4, 2018 at 16:49, Daniel Wilkins
>
>>>>> wrote:
>>>>>
>>>>>> Intel's said that it affects every processor in the last 20+
>years
>>>>> and that it's "not a big deal for most users" because it's only a
>>>>> kernel memory *read*.
>>>
>>>
>>>
>> 
>> 
>
>-- 
>Graham Allan
>Minnesota Supercomputing Institute - g...@umn.edu

-- 
Take Care Sincerely flipchan layerprox dev

Re: OpenBSD Puffy Stickers

2017-11-30 Thread flipchan
Was stickermule good ? Good quality ?

On November 29, 2017 6:34:21 PM GMT+01:00, Jay Williams  wrote:
>I like putting stickers on my laptop, but alas after searching high and
>low over the internet I wasn't able to find any good OpenBSD stickers
>So, I got a few printed up myself at StickerMule so now all of my
>laptops
>and even my car can show support for OpenBSD.
>
>That being said, I have 7 extra Puffy stickers available if anyone else
>would like to have one. They're 3" wide, and have a matte UV coating on
>the outside, so they'll work indoors or outdoors.
>
>If you'd like one, you can send me your address, and I'll drop one in
>the mail for you. Even better, you can make a donation to the OpenBSD
>Foundation as "payment." It's my small way of saying thank you to the 
>amazing OpenBSD community.
>
>-- 
>Jay Williams
>
>P.S. Does anyone know why the official OpenBSD store doesn't sell
>stickers? I bet they'd be a big seller!

-- 
Take Care Sincerely flipchan layerprox dev

Re: Hellos from the Lands of Norway.

2017-11-25 Thread flipchan
Be fkn simple 
1:what do you want 
2: why is it openbsd related ?

On November 25, 2017 5:51:45 PM GMT+01:00, "Ywe Cærlyn"  
wrote:
>The thread descends into Querulus Paranoid state after a simple 
>introduction? Not good.
>
>My profile on my youtube channel is about me, for those wanting to know
>
>me, and there will be more content there, full audio/video media wise, 
>since I am indeed trying to do what I am saying. And which also says
>"No 
>GNU-Zealots".
>
>I changed name from the amigamusician-bit related name to "Nodemeister 
>Of Üccüg" as well.
>
>Particularly something I am thinking about ATM, is optimal 
>representation of pixels, pr pixel, thinking of screen rendering and 
>things like that, and using graphics hardware for something useful. Not
>games.
>
>So if anyone wants to do some benignant hacking, my suggestion is to 
>implement a mode like this, in the relevant area of work: 
>https://www.youtube.com/watch?v=2dx6dbiTm8w
>
>Peaceful Salutations.

-- 
Take Care Sincerely flipchan layerprox dev

Re: Android development on OpenBSD

2017-11-01 Thread flipchan
I'm sure u can compile the apps

On November 1, 2017 3:55:03 PM GMT+01:00, Jan Stary  wrote:
>What do people use to develop Android apps on OpenBSD?
>
>Currently, I am using the Android Studio on a Mac,
>I would very much rather use my favorite IDE of vim+make
>and just write C code and run it through NDK
>https://developer.android.com/ndk/guides/index.html
>but it seems some form of the Android SDK is unavoidable.
>
>   Jan

-- 
Take Care Sincerely flipchan layerprox dev

Re: Forum software

2017-10-24 Thread flipchan
Nice , thanks 

On October 24, 2017 8:55:52 PM GMT+02:00, Tommy Nevtelen  
wrote:
>On 2017-10-24 20:47, Jay Williams wrote:
>> Discourse is a popular option used by a number of open source
>projects.
>>
>> https://www.discourse.org
>
>That is probably a good choice but here is a list of different
>alternatives that might be worth to look at:
>https://github.com/Kickball/awesome-selfhosted/blob/master/README.md#social-networks-and-forums
>
>It's a pretty nice repo with cool projects other than forums as well.
>
>-- 
>Tommy Nevtelen

-- 
Take Care Sincerely flipchan layerprox dev

Forum software

2017-10-24 Thread flipchan
Grtz *!
Sry for going a little bit off topic, me and a friend are trying to rebuild a 
swedish openbsd forum (openbsd.se) it's been live since 2005, and been running 
punbb. 
But punbb is not actively being developed and we wonder if anyone can suggest 
a good forum software, we don't have time to write one from scratch (both have 
full time jobs and kids and other stuff, but we want a swedish openbsd forum 
to flourish) 


Could anyone suggest some forum software that we can run?

We are also thinking about posting tutorials on the site to help more ppl find 
openbsd through search engines.

Take care all!
And thanks in advance 
-- 
Take Care Sincerely flipchan layerprox dev

Re: DMCA Free OpenBSD VPS Hosting, multiple payment methods

2017-10-19 Thread flipchan
I want to c a system that Auto encrypts its vms (can "easily" be done with some 
lines of python/whateverulike) and just forward all abuses to the customer, 
some isp's does this, however they are fucking assholes ISP that are retarded 
like dg-access in sweden who doesn't care about its customers, I am thinking 
that Switzerland would be a good way to host something in but as always do 
allooot of research, try out a couple of different and c who works 

On October 20, 2017 7:48:42 AM GMT+02:00, Michael Hekeler  
wrote:
>> An "OpenBSD friendly hoster" is one who knows you are running an
>OpenBSD
>> VPS, and doesn't suggest you change iptables settings when talking
>about
>> your firewall with their support team.
>
>Ah I see ;-)
>I'm beginning to understand...
>To me the term "OpenBSD friendly hoster" was not clear because for me a
>
>"friendly hoster" is one that cares for the hardware and doesn't care 
>for what I run inside my container (RedHat, *BSD, Plan9, whatever)

-- 
Take Care Sincerely flipchan layerprox dev

Re: Openbsd 6.1 and Current Console Freezes and lockup Proxmox PVE5.0

2017-10-19 Thread flipchan
I run openbsd6 vm's with kvm and I have no problems 

On October 8, 2017 11:59:52 PM GMT+02:00, Oliver Marugg  
wrote:
>On 7 Oct 2017, at 22:01, Mike Larkin wrote:
>
>> On Sat, Oct 07, 2017 at 02:19:58PM +0200, Oliver Marugg wrote:
>>> Just to add a 4th situation of hangs: Login via proxmox (pve)/kvm 
>>> serial
>>> console (via noVNC), login successful: Vm guest in pve hangs, cpu 
>>> usage at
>>> above 102%. Only way is to hard stop the Vm guest. -oliver
>>>
>>
>> sounds like a kvm bug. Ask your provider to investigate the host side
>
>> when this
>> happens.
>
>Thanks Mike, will do so. The proxmox guys have also the idea that it 
>could be a bug in kvm hypervisor (which is the hypervisor part for 
>proxmox) and will affect OpenBSD since 4.9, they wrote me in their 
>public forum. As far as I understood they do not know what OpenBSD
>needs 
>in kvm or what/where should be fixed in kvm run OpenBSD without that 
>freezes.
>
>-oliver

-- 
Take Care Sincerely flipchan layerprox dev

Re: DMCA Free OpenBSD VPS Hosting, multiple payment methods

2017-10-19 Thread flipchan
What I would like to c is full disk encryption supported vms, you can easily 
do fde and encrypt the vm's disk from the provider's side, no one does it (as far 
as I know)

On October 16, 2017 3:19:25 AM GMT+02:00, x9p  wrote:
>Hi,
>
>Anyone know a good non-DMCA-compliant (outside US) VPS hosting,
>OpenBSD-friendly? Traffic is mostly torrent-related.
>
>Good bandwidth and Bitcoin payments also a plus.
>
>Most offshore VPS providers offers default ubuntu-debian or centos iso
>images, some even FreeBSD iso, but OpenBSD is being a bit hard to find.
>In
>the past i saw some provider offering to mount your own custom iso via
>a
>webpanel, but this contact I have no more.
>
>If have any tips, will be welcomed.
>
>cheers.
>
>x9p

-- 
Take Care Sincerely flipchan layerprox dev

Re: awk in OpenBSD

2017-10-18 Thread flipchan
Yeah blindly follow the flow of the others , DONT THINK SO

On October 19, 2017 4:25:09 AM GMT+02:00, Andras Farkas 
 wrote:
>On the 6.2 release page, and confirmed in the source code, one can see
>The system includes the following major components from outside
>suppliers:
>Awk Aug 10, 2011 version
>This turns out to be one release behind upstream, where the latest
>release is from December 20 2012: a quick check shows that
>DragonFlyBSD, FreeBSD, and NetBSD all use this version.
>
>Just out of curiosity, is there a reason why OpenBSD uses the 2011
>release?

-- 
Take Care Sincerely flipchan layerprox dev

Re: Guess what today is

2017-10-18 Thread flipchan
OMG, happy birthday!!!

On October 18, 2017 12:16:09 PM GMT+02:00, STeve Andre'  wrote:
>Happy birthday to OpenBSD--22 years old!

-- 
Take Care Sincerely flipchan layerprox dev

Re: Security question / idea

2017-10-17 Thread flipchan
I think the most dangerous thing is the direct memory access , cuz u only need 
some magic code and a computer with a psu or FireWire port

On October 17, 2017 1:46:43 PM GMT+02:00, Bryan Harris  
wrote:
>Re: physical access, it seems not a technical problem.  I.e. keep
>laptop
>with you, hire a guard, etc.  I'm not very technical, but could the
>hash be
>stored in usb stick or online?
>
>Maybe construct yourself a "computer safe" to make it harder for people
>to
>get access while you're away?  I.e. increase the time/difficulty for
>them.
>
>On Tue, Oct 17, 2017 at 6:21 AM, flipchan  wrote:
>
>> Hey I also run libreboot :)
>>
>> I have read research about signing all the components and then
>verifying
>> all that while you both , anyhow I think this would be very
>problematic
>> with the new karl implementation that has taken place in openbsd 6.2
>>
>> On October 14, 2017 4:26:21 PM GMT+02:00, "Bryan C. Everly" <
>> br...@bceassociates.com> wrote:
>> >Hi misc@,
>> >
>> >In playing around with Libreboot and Coreboot, my belief that
>physical
>> >access to the hardware really ups an attacker’s ability to win
>against
>> >most
>> >security has been massively reinforced.  For example, someone with
>> >enough
>> >practice could take my Thinkpad T500 apart, force flash the BIOS (as
>I
>> >have
>> >been doing), reassemble it and put it back on my desk in ten to
>fifteen
>> >minutes (or maybe faster). The payload they flash could easily
>include
>> >a
>> >root kit and keylogger which would mitigate the advantage of Full
>Disk
>> >Encryption (because they could grab your passphrase keystrokes and
>send
>> >them off to the mother ship). So my happy little bubble that FDE
>would
>> >give
>> >me protection against all but a brute force attack has been popped.
>> >
>> >Here’s my thought. What if we modified our boot code to do a hash of
>> >the
>> >BIOS and stored it persistently across boots?  Then we could compare
>it
>> >this time to the last value and take some action / issue some
>warning
>> >that
>> >something changed. It would be mildly annoying if you actually did
>just
>> >update your BIOS to a new version but that would be a small trade
>off
>> >in my
>> >mind at least.
>> >
>> >The sticking point is this - where do you store the previous hash? 
>If
>> >we
>> >stored it outside of the FDE container, the attacker could just
>rewrite
>> >it
>> >on boot and we wouldn’t be able to detect a change. Put it inside
>the
>> >FDE
>> >and you would have to type your passphrase (sending it to the
>attacker)
>> >to
>> >read it.
>> >
>> >So now to my ask - would a feature like this be of any interest to
>> >others?
>> >If so, any thoughts on how to securely persist the hash to solve the
>> >problem I describe above?
>> >
>> >Thanks for any and all feedback.
>> >
>> >--
>> >
>> >Thanks,
>> >Bryan
>>
>> --
>> Take Care Sincerely flipchan layerprox dev

-- 
Take Care Sincerely flipchan layerprox dev

Re: Security question / idea

2017-10-17 Thread flipchan
Hey I also run libreboot :)

I have read research about signing all the components and then verifying all 
that while you both , anyhow I think this would be very problematic with the 
new karl implementation that has taken place in openbsd 6.2 

On October 14, 2017 4:26:21 PM GMT+02:00, "Bryan C. Everly" 
 wrote:
>Hi misc@,
>
>In playing around with Libreboot and Coreboot, my belief that physical
>access to the hardware really ups an attacker’s ability to win against
>most
>security has been massively reinforced.  For example, someone with
>enough
>practice could take my Thinkpad T500 apart, force flash the BIOS (as I
>have
>been doing), reassemble it and put it back on my desk in ten to fifteen
>minutes (or maybe faster). The payload they flash could easily include
>a
>root kit and keylogger which would mitigate the advantage of Full Disk
>Encryption (because they could grab your passphrase keystrokes and send
>them off to the mother ship). So my happy little bubble that FDE would
>give
>me protection against all but a brute force attack has been popped.
>
>Here’s my thought. What if we modified our boot code to do a hash of
>the
>BIOS and stored it persistently across boots?  Then we could compare it
>this time to the last value and take some action / issue some warning
>that
>something changed. It would be mildly annoying if you actually did just
>update your BIOS to a new version but that would be a small trade off
>in my
>mind at least.
>
>The sticking point is this - where do you store the previous hash?  If
>we
>stored it outside of the FDE container, the attacker could just rewrite
>it
>on boot and we wouldn’t be able to detect a change. Put it inside the
>FDE
>and you would have to type your passphrase (sending it to the attacker)
>to
>read it.
>
>So now to my ask - would a feature like this be of any interest to
>others?
>If so, any thoughts on how to securely persist the hash to solve the
>problem I describe above?
>
>Thanks for any and all feedback.
>
>-- 
>
>Thanks,
>Bryan

-- 
Take Care Sincerely flipchan layerprox dev

Re: WPA2 and KRACK

2017-10-17 Thread flipchan
This is an implementation bug, it was discussed yesterday 

On October 17, 2017 12:01:33 PM GMT+02:00, Kapetanakis Giannis 
 wrote:
>As it seems, WPA2 should be considered broken
>
>[1] https://www.krackattacks.com/
>[2]
>https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
>
>according to [1] OpenBSD has silently released a patch
>
>G

-- 
Take Care Sincerely flipchan layerprox dev

Re: Intel NUC Kit DE3815TYKHE

2017-09-08 Thread flipchan
You mean OpenBSD 6.1 right?

On September 8, 2017 2:33:46 PM GMT+02:00, Artur Pedziwilk 
 wrote:
>Have anyone of you got that model of Intel NUC?
>
>Intel® NUC Kit DE3815TYKHE
>https://ark.intel.com/products/78577/Intel-NUC-Kit-DE3815TYKHE
>https://www.intel.com/content/dam/support/us/en/documents/boardsandkits/DE3815TYBE_TechProdSpec.pdf
>
>
>I am trying to find some small computer to use with OpenBSD 6.2.
>I am especially interested to play/test the OpenBSD with Intel Atom and
>Intel AES-NI.
>
>
>I am not sure at all if the driver
>https://man.openbsd.org/re
>Realtek 8139C+/8169/816xS/811xS/8168/810xE 10/100/Gigabit Ethernet
>device
>
>will support
>Realtek 8111GN-CG Gigabit Ethernet Controller (10/100/1000 Mb/s)
>of this board.
>
>Anyone can confirm it does/doesn't work?
>
>
>I am aware I have to have dummy VGA plug to be able to boot without
>display.
>
>
>Regards,
>Artur

-- 
Take Care Sincerely flipchan layerprox dev

Re: Amazon AWS, OpenBSD and IPv6

2017-09-05 Thread flipchan
Dont trust Amazon run with vultr

On September 5, 2017 8:56:08 PM GMT+02:00, Mike Coddington  
wrote:
>On Tue, Sep 05, 2017 at 11:12:13AM +0200, Zbyszek ??kiewski wrote:
>> > 
>> > Message written by Peter Hessler on 05.09.2017, at 11:05:
>> > 
>> > OpenBSD's dhclient is IPv4 only.  We do not have an IPv6 DHCP
>client in
>> > base.
>> 
>> how does it works then on vultr for example where in same setup IPv6
>is leased from DHCP? I do not see any other daemons running there...
>
>On Vultr, IPv6 addresses are assigned via SLAAC, not via DHCP6. Back
>when I had a need to use DHCPv6, I had good luck with the "wide-dhcpv6"
>package. Try installing that and see if you're able to pick up an
>address from the AWS servers.
>
>-- 
>To find a friend one must close one eye; to keep him -- two.
>-- Norman Douglas

-- 
Take Care Sincerely flipchan layerprox dev

Re: Split zone DNS?

2017-08-01 Thread flipchan
Yupp use unbound it's great

On July 28, 2017 4:47:53 PM GMT+02:00, Liviu Daia  wrote:
>On 28 July 2017, Steve Williams  wrote:
>> Hi,
>> 
>> I recently upgraded to 6.1 and am trying to (finally, after many
>OpenBSD
>> versions over 10 years) fine tune my home network.
>> 
>> I would like to run a local resolver on my internal network that will
>> resolve all my hosts on my local network to IP addresses on my local
>> network(s) rather than resolving to their public IP addresses.
>> 
>> I believe it's called a "split zone" DNS, where my domain is resolved
>> locally, but everyone else is resolved using normal resolution
>processes.
>> 
>> I set this up at one of my previous jobs using BIND, but that was 7
>years
>> ago.  I've never gone to the trouble of doing it at home, but I would
>like
>> to exercise my brain a bit as well as having my home network set up
>> "better".
>> 
>> What is the best tool to accomplish this these days?  Is NSD the
>"modern"
>> tool to be using on OpenBSD?
>> 
>> Are there any hooks for dhcpd to update records?
>> 
>> I've read the NSD(8), nsd.conf(5) man pages and that seems to be the
>way to
>> go, but I thought I'd check the wisdom here to see if there is a
>better
>> approach.
>
>unbound(8) probably does exactly what you want.  It's mainly a
>recursive resolver, but it can also answer authoritatively for "local"
>zones, or simply override addresses for given hosts (think anti-spam).
>Unless you also want to answer queries for your domain coming from the
>Internet, you don't need a separate authoritative server.
>
>Regards,
>
>Liviu Daia

-- 
Take Care Sincerely flipchan layerprox dev
