Re: volatility or something like that in the future ?
Hey,

On 19.08.2023 at 12:05, whistlez wrote:
> I honestly don't understand this hatred. I call it that because I refuse to accept that you didn't understand the question. Volatility has no plugin to interpret a RAM dump on OpenBSD, and so having only the dump is totally useless. If you really don't understand, I'll paste the Volatility help to show you that there are no plugins for OpenBSD but only for Linux, Windows and Mac.

Just a simple suggestion here: as far as I can see this tool/application is written in Python, so, as mentioned before, make your own plugin then? Python should be available on OpenBSD; you can use the tools to dump information, you can start asking people who have a clue how to interpret the dump to give you hints and pointers, and then simply display it in your plugin as you please. That said, you of course need to put in the effort to write the plugin, and if you can't do it you might want to ask on GitHub whether people who can are willing to do the work mentioned above. At that point you might get your plugin done.

And as a clarification, I don't write that with any hatred, just as an observer of the past few mails.

Cheers

--
Before you write me an email ... have you tried switching it off and on again?

Markus Rosjat
fon: +49 351 8107224
mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden
http://www.ghweb.de
fon: +49 351 8107220
fax: +49 351 8107227
Re: Allwinner D1 riscv64 mango pi SBC
Then I may be able to get a handful of these, perhaps. Do you still keep tabs on Shivam, Mars, Brian, and Wenyan? Are they still interested in riscv64 after the initial port with yours and Dale's guidance? I think I paid something like 30 EUR for a Mango Pi from AliExpress; buying 4 would work, but I can only do this when I have secured the job.

Best Regards,
-peter
--
Over thirty years experience on Unix-like Operating Systems starting with QNX.

--
Markus Rosjat
mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden
http://www.ghweb.de
fon: +49 351 8107220
fax: +49 351 8107227

Please check whether this mail really needs to be printed!
Before you print it, think about your responsibility and commitment to the ENVIRONMENT
Re: Compatible
Hi,

On 22.02.2023 at 23:35, Iwil C wrote:
> Is OpenSSH compatible with an Azure VM, Windows Server OS 2016?

According to Microsoft it's officially supported for Windows Server 2019/2022:
https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui

Cheers
--
Markus Rosjat
Re: OpenBSD on WatchGuard devices
Hi all,

Just wanted to thank all you guys who posted suggestions; I've got OpenBSD running on my XTM5 now. I will try Graeme's solution for flashing the ROM to unlock the BIOS and I will post my progress too.

What worked for me was:
- Installing miniroot70.img on a USB drive
- Installing OpenBSD on a notebook with an SSD HDD
- setting tty to com0 in /etc/boot.conf

After plugging the HDD into the XTM5 it booted like a charm.

Thanks again, you wonderful helpful people :)

Cheers
--
Markus Rosjat
Re: OpenBSD on WatchGuard devices
Hi Lukas,

On 10.03.2022 at 10:23, Łukasz Moskała wrote:
> Hi,
> From what I read, you can use SSD/HDD in these things. So basically, you have two ways which I think should work:
> - DD miniroot70.img to hdd, plug hdd in, boot from it, install to same hdd you booted from. You may need to create boot.conf in miniroot70.img to use serial instead of non-existent vga if "boot>" prompt does not show up to do that at boot time.
> - plug hdd to another computer, install openbsd to it, move hdd to watchguard.

I will give it a shot; the device is an XTM 5.

> The second way I found here: https://www.reddit.com/r/PFSENSE/comments/rce3i6/howto_pfsense_252_on_watchguard_xtm_5/

I saw that already, but the steps he took don't seem to work for me so far.

> Let us know how it goes.
> --
> Łukasz Moskała

Cheers
--
Markus Rosjat
Re: OpenBSD on WatchGuard devices
I already tried that on my XTM5 here, but it isn't working so far; the problem seems to be a locked-down BIOS, and I found some post that mentioned booting from the USB ports wasn't enabled.

What I tried so far is:
- booting from USB -> not working
- booting from a CF card -> not working

The BIOS version of the WatchGuard is 1.3.

On 09.03.2022 at 17:21, Graeme Neilson wrote:
> On the WatchGuard XTM5 you remove the compact flash, add a hard drive to the internal SATA port and boot from USB using the RJ45 serial console. I have a patched lcdproc for the small screen. Arch is amd64 and you can very cheaply upgrade the CPU and add up to 8Gb RAM.
>
> On 10/03/2022, at 00:01, Markus Rosjat wrote:
>> Hi list,
>> has someone out there ever attempted to reuse WatchGuard devices? If so, can he point out some hints on how to go about it? We have a few devices lying around here and I don't see the point in not trying to reuse them.
>>
>> Cheers
>> --
>> Markus Rosjat

--
Markus Rosjat
OpenBSD on WatchGuard devices
Hi list,

has someone out there ever attempted to reuse WatchGuard devices? If so, can he point out some hints on how to go about it? We have a few devices lying around here and I don't see the point in not trying to reuse them.

Cheers
--
Markus Rosjat
Re: Infinite spin when trying to burn a CD
Hi,

for your output ...

On 26.03.2019 at 22:45, Jérôme FRGACIC wrote:
> write track data: error after 552960 bytes
> cdrecord: A write error occured.
> cdrecord: Please properly read the error message above.
> cdrecord: Input/output error. test unit ready: scsi sendcmd: retryable error
> CDB:  00 00 00 00 00 00
> status: 0x0 (GOOD STATUS)
> cmd finished after 0.000s timeout 40s

test unit ready checks if the device is ready to do what you want it to do.

> cdrecord: Input/output error. flush cache: scsi sendcmd: retryable error
> CDB:  35 00 00 00 00 00 00 00 00 00
> status: 0x0 (GOOD STATUS)
> cmd finished after 0.000s timeout 120s
> Trouble flushing the cache
> Writing time:    5.115s
> Average write speed 860.1x.
> Fixating...

this cdb tries to sync the cache and it seems to have a problem here; the good status indicates that the cdb was received by the device, after that it seems to get in trouble

> cdrecord: Input/output error. close track/session: scsi sendcmd: retryable error
> CDB:  5B 00 02 00 00 00 00 00 00 00
> status: 0x0 (GOOD STATUS)
> cmd finished after 0.009s timeout 480s
> cmd finished after 0.009s timeout 480s

this cdb tries to close the track/session; I don't know why you get a cmd finished twice here, maybe it's related to the cache problem.

> cdrecord: faio_wait_on_buffer for writer timed out.
> cdrecord: Input/output error. prevent/allow medium removal: scsi sendcmd: retryable error
> CDB:  1E 00 00 00 00 00
> status: 0x0 (GOOD STATUS)
> cmd finished after 0.000s timeout 40s

here you have your cdb for removing the media again

> cdrecord: Cannot fixate disk.
> Fixating time:  466.776s
> cdrecord: Input/output error. prevent/allow medium removal: scsi sendcmd: retryable error
> CDB:  1E 00 00 00 00 00
> status: 0x0 (GOOD STATUS)
> cmd finished after 0.000s timeout 40s

and once again, because it could fixate it before, I guess

> cdrecord: fifo had 77 puts and 10 gets.
> cdrecord: fifo was 0 times empty and 2 times full, min fill was 89%.

so this is what happens by the log; why it happened I can't tell by this output, but again the trouble starts with syncing the cache, I guess.

regards
--
Markus Rosjat
Re: Infinite spin when trying to burn a CD
sorry, it might have gotten a bit confusing

On 26.03.2019 at 15:41, Markus Rosjat wrote:
>> cd0(ahci0:2:0): Check Condition (error 0x70) on opcode 0x1e
>>     SENSE KEY: Illegal Request
>
> the opcode is for the cdb prevent allow media removal, so I assume your hardware got a problem with the cdb sent by the software, so it might be in a state where it still wants to read/write stuff.

it means the opcode does allow or prevent media removal; it depends on the prevent bits in the cdb, but you basically just have a 00 for allow or a 01 for prevent in the cdb. Anyway, since sense already told you the request is illegal, you have to figure out what came before the removal request, so you might get a clue in what state the hardware still is.

--
Markus Rosjat
Re: Infinite spin when trying to burn a CD
Hi,

might not be too much help, but

On 26.03.2019 at 14:57, Maurice McCarthy wrote:
> I never looked at your dmesg earlier. These lines
>
> cd0(ahci0:2:0): Check Condition (error 0x70) on opcode 0x1e
>     SENSE KEY: Illegal Request

the opcode is for the cdb prevent allow media removal, so I assume your hardware got a problem with the cdb sent by the software, so it might be in a state where it still wants to read/write stuff. If you really want to figure out what the sense code or the check condition error means, you have to read up on the SBC specification on t10.org, I guess.

> suggest the OpenBSD system finds something wrong with your hardware. I'm not clever enough to speculate further. Sorry.

regards
--
Markus Rosjat
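To make the CDB reading in this thread (the cdrecord "CDB:" lines and the "Check Condition ... on opcode 0x1e" dmesg line) reproducible, here is an added decoder; it is not code from the thread. It uses the standard SPC/MMC opcode numbers for the four commands that appear above, reads the Prevent bit of PREVENT ALLOW MEDIUM REMOVAL from byte 4, and the sample log lines are constructed from the output quoted in the thread.

```python
import re

# Opcode -> (command name, expected CDB length) for the commands in the thread.
OPCODES = {
    0x00: ("TEST UNIT READY", 6),
    0x1E: ("PREVENT ALLOW MEDIUM REMOVAL", 6),
    0x35: ("SYNCHRONIZE CACHE(10)", 10),
    0x5B: ("CLOSE TRACK/SESSION", 10),
}

# Byte 0 of the sense data reported as "error 0x.." in the kernel message.
RESPONSE_CODES = {0x70: "current error, fixed format",
                  0x71: "deferred error, fixed format"}

CDB_LINE = re.compile(r"^CDB:\s*((?:[0-9A-Fa-f]{2}\s*)+)$")
CHECK_COND = re.compile(
    r"Check Condition \(error 0x([0-9A-Fa-f]+)\) on opcode 0x([0-9A-Fa-f]+)")


def decode_cdb(cdb):
    """Decode one CDB (bytes) into its command name and the fields that
    matter for the commands seen in the log."""
    if not cdb:
        raise ValueError("empty CDB")
    opcode = cdb[0]
    name, length = OPCODES.get(opcode, ("UNKNOWN (0x%02X)" % opcode, None))
    info = {"opcode": opcode, "name": name,
            "length_ok": length is None or len(cdb) == length}
    if opcode == 0x1E and len(cdb) >= 5:
        # Byte 4: bit 0 = Prevent (0 means allow removal), bit 1 = Persistent.
        info["prevent"] = bool(cdb[4] & 0x01)
        info["persistent"] = bool(cdb[4] & 0x02)
    if opcode == 0x5B and len(cdb) >= 3:
        # Byte 2 bits 0-2: close function (1 = close track, 2 = close session).
        info["close_function"] = cdb[2] & 0x07
    if opcode == 0x35 and len(cdb) >= 2:
        info["immed"] = bool(cdb[1] & 0x02)   # IMMED bit: return before flush
    return info


def parse_cdrecord_log(text):
    """Return the decoded CDBs, in order, from cdrecord's 'scsi sendcmd' output."""
    decoded = []
    for line in text.splitlines():
        m = CDB_LINE.match(line.strip())
        if m:
            decoded.append(decode_cdb(bytes.fromhex(m.group(1).replace(" ", ""))))
    return decoded


def decode_check_condition(line):
    """Parse an OpenBSD 'Check Condition (error 0x..) on opcode 0x..' message."""
    m = CHECK_COND.search(line)
    if not m:
        return None
    code, opcode = int(m.group(1), 16), int(m.group(2), 16)
    return {"opcode": opcode,
            "command": OPCODES.get(opcode, ("UNKNOWN", None))[0],
            "response_code": code,
            "sense_format": RESPONSE_CODES.get(code, "unknown")}


# Constructed sample: the CDB lines quoted in the thread, in their order.
SAMPLE_LOG = """\
cdrecord: Input/output error. test unit ready: scsi sendcmd: retryable error
CDB:  00 00 00 00 00 00
status: 0x0 (GOOD STATUS)
cdrecord: Input/output error. flush cache: scsi sendcmd: retryable error
CDB:  35 00 00 00 00 00 00 00 00 00
cdrecord: Input/output error. close track/session: scsi sendcmd: retryable error
CDB:  5B 00 02 00 00 00 00 00 00 00
cdrecord: Input/output error. prevent/allow medium removal: scsi sendcmd: retryable error
CDB:  1E 00 00 00 00 00
cdrecord: Cannot fixate disk.
cdrecord: Input/output error. prevent/allow medium removal: scsi sendcmd: retryable error
CDB:  1E 00 00 00 00 00
"""

SAMPLE_DMESG = "cd0(ahci0:2:0): Check Condition (error 0x70) on opcode 0x1e"

if __name__ == "__main__":
    for cmd in parse_cdrecord_log(SAMPLE_LOG):
        print(cmd)
    print(decode_check_condition(SAMPLE_DMESG))
```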
Re: httpd acme-client renew multiple domains
Hi Mischa,

if you like some Python, I've got a small script for multiple-domain cert renewal on my GitHub. I hope it's ok to post the link here:
https://github.com/rosjat/scripts/blob/master/shell/OpenBSD/acme_renew

It's nothing fancy, and you can modify it for your needs or maybe make it better :)

regards
--
Markus Rosjat
Re: python3 script not running as root
Hi Marc,

On 15.11.2018 at 14:05, Marc Espie wrote:
> 6.4, or snapshot? There was an unveil snafu with doas a few days ago.

6.4 release

--
Markus Rosjat
Re: python3 script not running as root
Hi Martin and Daniel,

On 15.11.2018 at 09:24, Martin Sukany wrote:
> Hi, you'd fix this by defining the PATH variable in your crontab, or specify the full path to the python3 interpreter instead of using env.

As Daniel also suggested, I will try the PATH crontab approach, and this is because scripts with a full path in the shebang don't seem to run anymore on 6.4.

regards
--
Markus Rosjat
python3 script not running as root
Hi all,

I have a Python script to get some traffic stats from my machines, and it is running without problems except for a newly installed OpenBSD 6.4 machine. There I get the following error:

env: python3: No such file or directory

This only happens when the cronjob is running; when I run it from the terminal with doas it works. That is kind of odd, since both root and my user have python3 and env in their $PATH, at least the path to the executable.

Some hints would be appreciated.

regards
--
Markus Rosjat
GAMIN question again
Hi all,

so as far as I understand now, gam_server should be started if a user logs in (like over IMAP), but it seems not to work. The docs mentioned in the /etc/gamin/gaminrc file are also not helpful, because they only tell you to look at the FAM docs or API refs, but I don't want to use the API, I want to configure gamin to start gam_server when a user logs in.

So in the rc file you see something like

fsset ffs none

so I thought okay, I might change that to

fsset ffs notify

but no changes; also

fsset ffs poll 1

doesn't seem to have an effect.

So to all out there who are using gamin: enlighten me how to configure it, please.

regards
--
Markus Rosjat
Re: migrate python script from sudo to doas
Hi Vincent,

On 03.11.2018 at 07:22, vincent delft wrote:
> Hello Markus,
> I cannot reproduce your problem. As you can see here under I can create a user "test1" on the command line, and, with the same userid, I can create it with python2 and python3 too. (I'm running 6.4)
> I see 2 possible causes:
> - your python script,
> - or maybe the userid for which your python script runs is not the one defined in doas.conf.

I switched back to the spawnl function and it worked with doas, so I will stick with that since it's working. Maybe later I will revisit the problem and give it another try.

regards
--
Markus Rosjat
Re: relayd.conf it's so confusing
Hi again,

On 02.11.2018 at 11:26, Markus Rosjat wrote:
> .. but also the match defined in the newly defined protocol is still working. That's something that shouldn't happen at all.

this seems to be resolved and was more or less browser related

--
Markus Rosjat
relayd.conf it's so confusing
Hi all,

I have a relayd running that inspects the Host header of incoming traffic and then makes a decision to which server it should relay the traffic. So far so good, but a few things don't add up after a few changes. For example, I have a protocol definition like so:

    http protocol "httpproxy" {
        match request quick header "Host" value "*domain1.tld" forward to
        match request quick header "Host" value "*domain2.tld" forward to
    }

and relays like:

    relay "www01proxy" {
        listen on $gateway port http
        protocol "httpproxy"
        forward to port http
    }

    relay "www02proxy" {
        listen on $gateway port http
        protocol "httpproxy"
        forward to port http
    }

So this setup works, but now it gets confusing if I add another protocol and relay to the above:

    http protocol "differenthttpproxy" {
        match request quick header "Host" value "*domain3.tld" forward to
    }

    relay "www03proxy" {
        listen on $gateway port http
        protocol "differenthttpproxy"
        forward to port http
    }

Now my relays 1 and 2 stop working, no traffic reaches the hosts. The order of the relays is www03, www01, www02 in the config, but it shouldn't be a problem because the protocols used are different.

So coming to strange part two. I disabled the new relay, and well, the sites for relay 1 and 2 started to be reachable again, but also the match defined in the newly defined protocol is still working. That's something that shouldn't happen at all.

What I did between the changes was checking the syntax and an rcctl reload relayd. I am reluctant to do a restart because it happens to crash the VM. The VM is running 6.1 with all syspatches applied.

regards
--
Markus Rosjat
Re: httpd rewiterules like apache
Hi,

On 01.11.2018 at 11:40, Tony Boston wrote:
> You should definitely try the relayd(8) route here.

That would be forwarding it to the IP, like

    match request quick header "Host" value "*some.tld" forward to

but that wouldn't solve something like

    RewriteRule ^(.*) http://some.tld/someotherdir/$1 [L,P]

so a http://www.my.tld would go to http:/some.tld/something.http but wouldn't go to http://some.tld/someotherdir/something.http, or do I get it wrong?

--
Markus Rosjat
httpd rewiterules like apache
Hi all,

I was wondering if it is possible to do a proxy rewrite like with the Apache rewrite mod?

    RewriteRule ^(.*) http://some.tld/$1 [L,P]

So here the P flag should preserve the original domain in the URL and just proxy the request to the other location (not on the same machine!). Since there is redirection I can do this, but then the URL of course gets replaced, in a block directive:

    block return 301 "http://dome.tld$REQUEST_URI"

I read that there is rewrite support, but as far as I figured it's just for locations on the filesystem?

regards
--
Markus Rosjat
Re: syntax error and doas.conf
Hi Bruno,

On 31.10.2018 at 12:23, Bruno Flueckiger wrote:
> On 31.10.18 10:42, Markus Rosjat wrote:
> Losing ten minutes time because of a mistake you've made all by yourself made you write this useless mail. Imagine how many times you could have read the man page of doas(8) and found out that there is the parameter -C to check the config file.
>
> Cheers,
> Bruno

Thank you for the attitude! Now I learned even more: it's better not to share mistakes and to keep them to yourself, so the real pros are not bored by your findings because they are too simple to be made. I appreciate it!

--
Markus Rosjat
Re: syntax error and doas.conf
Hi

On 31.10.2018 at 10:52, Consus wrote:
> Well, that's why we have sudoedit. With doas you are forced to
>
> $ doas cp -p /etc/doas.conf /etc/doas.conf.new
> $ doas vi /etc/doas.conf.new
> $ doas -C /etc/doas.conf.new
> $ doas mv /etc/doas.conf.new /etc/doas.conf

Yeah, and by default there is no sudo package installed, or is it (at least it isn't in the 6.x releases, if I remember right)?! Just try a sudoedit on a fresh install and see if it works. As far as I understand the doas approach, it's there to provide a simple way of achieving things like sudo /do/this/cmd, because 99% of the time you only need root privileges to do something like that. So some very nice guy, I think his name is Ted, thought "hey, let's simplify it and skip all the heavy stuff that sudo brings along". At least I imagine he thought something like that :)

regards
--
Markus Rosjat
syntax error and doas.conf
Hi all,

just something I noticed while trying out stuff with doas and my Python scripts. If you make a mistake and have a syntax error in the doas.conf file, you can easily lock yourself out from root privileges :(

Consider a case where your root has no password, you are the guy in the wheel group, and of course you have only this line:

    permit persist keepenv :wheel

So far everything is peachy. Ok, we are going to add a new line

    permit nopass foo as root cmt /root/scripts/dosomething

and we save it ... oops, we made a mistake and would like to fix it. No worries, we can ... or can't we?

    doas vi /etc/doas.conf
    doas: syntax error at line 15

At this point you are a bit screwed, because you can't edit the doas.conf, you can't reboot; your only way seems to be a switch off. Ok, maybe there are other ways, but hey, I'm no pro, I'm a simple user and it's a VM, so switch it off. Boot in single user mode, make an fsck, mount the partitions, export the TERM var so you get a vi. Well, seems we are back in business, but no, we can't edit /etc/doas.conf. Doesn't matter, we came so far, we simply copy the example to /etc and be done with it.

At that point 5 to 10 min of your life is wasted with silly stuff, but you may have learned at least one thing ... read again what you just wrote before you save it :)

Have a nice day, list :) and happy Halloween

--
Markus Rosjat
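The lockout described in this mail (a typo such as "cmt" for "cmd" saved straight into /etc/doas.conf) and the copy/edit/doas -C/mv sequence quoted in the reply come down to one rule: validate a candidate file, then rename it over the live one. The following is an added example, not code from the thread. It writes the candidate next to the target, checks it (by default with doas -C; the offline pre-check is a simplified model of the doas.conf(5) rule grammar that does not understand setenv), and only then does the atomic replace; demo() runs the whole round trip in a scratch directory using the offline check, so it works on a machine without doas.

```python
import os
import subprocess
import tempfile

# Option keywords from doas.conf(5); "setenv { ... }" is not modelled here,
# so a rule using it is reported as suspicious rather than accepted.
OPTIONS = {"nopass", "nolog", "persist", "keepenv"}


def precheck_doas_conf(text):
    """Cheap offline check of the doas.conf(5) rule shape:
    permit|deny [options] identity [as target] [cmd command [args ...]].
    Returns a list of (lineno, message); empty means nothing suspicious."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        if tok[0] not in ("permit", "deny"):
            problems.append((n, "rule must start with permit or deny"))
            continue
        i = 1
        while i < len(tok) and tok[i] in OPTIONS:
            i += 1
        if i >= len(tok):
            problems.append((n, "missing identity"))
            continue
        i += 1                                   # identity (user or :group)
        if i < len(tok) and tok[i] == "as":
            if i + 1 >= len(tok):
                problems.append((n, "'as' without target user"))
                continue
            i += 2
        if i < len(tok):
            if tok[i] != "cmd" or i + 1 >= len(tok):
                problems.append((n, "unexpected token %r, expected 'cmd command'" % tok[i]))
                continue
            i += 2
            if i < len(tok) and tok[i] != "args":
                problems.append((n, "unexpected token %r, expected 'args'" % tok[i]))
    return problems


def check_with_doas(path):
    """Ask the real parser: doas -C exits 0 only when the file is accepted."""
    return subprocess.run(["doas", "-C", path]).returncode == 0


def offline_check(path):
    with open(path) as f:
        return not precheck_doas_conf(f.read())


def install_config(new_text, path, check=check_with_doas):
    """Write new_text to a temp file beside path, validate it, and only then
    rename it over path. A rejected candidate never touches the live file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".doas.conf.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(new_text)
        os.chmod(tmp, 0o600)                     # same root-only mode as doas.conf
        if not check(tmp):
            raise ValueError("candidate rejected; %s left unchanged" % path)
        os.replace(tmp, path)                    # atomic rename on one filesystem
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return path


def demo(directory=None):
    """Install a good config in a scratch directory, then try to replace it
    with the 'cmt' typo from the mail. Returns what happened."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "doas.conf")
    good = ("permit persist keepenv :wheel\n"
            "permit nopass foo as root cmd /root/scripts/dosomething\n")
    bad = good.replace(" cmd ", " cmt ")          # the typo that locked root out
    install_config(good, path, check=offline_check)
    rejected = False
    try:
        install_config(bad, path, check=offline_check)
    except ValueError:
        rejected = True
    with open(path) as f:
        live = f.read()
    return {"bad_lines": [n for n, _ in precheck_doas_conf(bad)],
            "rejected": rejected,
            "live_is_good": live == good,
            "leftovers": sorted(os.listdir(directory))}


if __name__ == "__main__":
    print(demo())
```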
Re: migrate python script from sudo to doas
Hi Vincent

On 30.10.2018 at 16:03, Vincent Legoll wrote:
> Maybe you should try like the following:
>
> cmd = ['doas', 'useradd', '-u', user_id, '-g', '=uid', '-s', '/sbin/nologin', '-d', mb_parent_dir, user_name]
> exit = subprocess.check_call(cmd)

This doesn't solve the problem; if I try like that, check_call complains that it needs a string as user_id. If I do something like

    u_id = '%s' % user_id

and plug u_id in as the arg, I'm back to square one. So it seems this is a doas-related issue and needs some adjustment in doas.conf. If this isn't resolvable, I will just install the sudo package, using the "pointing a cannon at a sparrow" approach :(

regards
--
Markus Rosjat
Re: migrate python script from sudo to doas
Hi,

as I stated before, on the cmd it is no problem; I'm using 6.4 release.

On 30.10.2018 at 12:56, Solene Rapenne wrote:
> Markus Rosjat wrote:
>> hi all,
>>
>> I have some old Python scripts that use os.spawnl to execute stuff like useradd combined with sudo. This worked just fine on systems with sudo installed, but these days we have doas, and it's totally enough for the things I use to do, so I said to myself "let's update these old scripts ...". In code this was basically replacing os.spawnl with subprocess.check_call, but when I run this the useradd command doesn't get executed by the script. On the cmd it does, so this works on the cmd:
>>
>>     doas useradd -u 666 -g =uid -s /sbin/nologin -d /var/mail/domain.tld/vmailuser0666 vmailuser0666
>>
>> but in the script, with code like this:
>>
>>     exit = subprocess.check_call(['doas', 'useradd', '-u %s' % user_id, '-g =uid', '-s /sbin/nologin', '-d %s' % mb_parent_dir, user_name])
>>
>> I get an exception that seems to be related to the fact that doas isn't really working here:
>>
>>     doas: Authorization failed   <- this comes from the script even though the provided password is correct
>>     Traceback (most recent call last):
>>       File "/root/scripts/mb_add", line 244, in
>>         mb_addresses)
>>       File "/root/scripts/mb_add", line 174, in add_mailbox
>>         user_name])
>>       File "/usr/local/lib/python2.7/subprocess.py", line 190, in check_call
>>         raise CalledProcessError(retcode, cmd)
>>     subprocess.CalledProcessError: Command '['doas', 'useradd', '-u 666', '-g =uid', '-s /sbin/nologin', '-d /var/mail/domain.tld/vmailuser666', 'vmailuser666']' returned non-zero exit status 1
>>
>> So if someone has had some issues with migrating scripts from sudo to doas, then some help or hints would be very appreciated.
>>
>> regards
>
> hi
>
> what openbsd version are you using? did you try the command outside of python? There were issues with doas a few days ago in snapshots.

--
Markus Rosjat
migrate python script from sudo to doas
hi all,

I have some old Python scripts that use os.spawnl to execute stuff like useradd combined with sudo. This worked just fine on systems with sudo installed, but these days we have doas, and it's totally enough for the things I use to do, so I said to myself "let's update these old scripts ...". In code this was basically replacing os.spawnl with subprocess.check_call, but when I run this the useradd command doesn't get executed by the script. On the cmd it does, so this works on the cmd:

    doas useradd -u 666 -g =uid -s /sbin/nologin -d /var/mail/domain.tld/vmailuser0666 vmailuser0666

but in the script, with code like this:

    exit = subprocess.check_call(['doas', 'useradd', '-u %s' % user_id, '-g =uid', '-s /sbin/nologin', '-d %s' % mb_parent_dir, user_name])

I get an exception that seems to be related to the fact that doas isn't really working here:

    doas: Authorization failed   <- this comes from the script even though the provided password is correct
    Traceback (most recent call last):
      File "/root/scripts/mb_add", line 244, in
        mb_addresses)
      File "/root/scripts/mb_add", line 174, in add_mailbox
        user_name])
      File "/usr/local/lib/python2.7/subprocess.py", line 190, in check_call
        raise CalledProcessError(retcode, cmd)
    subprocess.CalledProcessError: Command '['doas', 'useradd', '-u 666', '-g =uid', '-s /sbin/nologin', '-d /var/mail/domain.tld/vmailuser666', 'vmailuser666']' returned non-zero exit status 1

So if someone has had some issues with migrating scripts from sudo to doas, then some help or hints would be very appreciated.

regards
--
Markus Rosjat
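The three mails in this thread (the original report above, Solene's reply and Vincent's suggested list) never settle the cause of "Authorization failed", but they do expose a concrete difference worth seeing: the list in the script packs '-u 666' into one argv element, while the shell hands useradd eleven separate words. The following is an added example, not code from the thread. It builds both argument vectors, and rule_matches() is a simplified model (an assumption, not doas's own code) of how a doas.conf rule with an explicit args list compares argv element by element, which is where a fused '-u 666' stops matching.

```python
import shlex
import subprocess


def build_useradd_argv(user_id, mb_parent_dir, user_name):
    """argv exactly as the shell splits the working command line: each flag
    and each value is its own element, and the uid goes through str()
    because execve takes strings only (the TypeError Vincent's list hit)."""
    return ["doas", "useradd",
            "-u", str(user_id),
            "-g", "=uid",
            "-s", "/sbin/nologin",
            "-d", mb_parent_dir,
            user_name]


def build_useradd_argv_broken(user_id, mb_parent_dir, user_name):
    """The list from the original script. '-u %s' % user_id yields ONE
    element '-u 666', so useradd sees seven words where the shell gave eleven."""
    return ["doas", "useradd", "-u %s" % user_id, "-g =uid",
            "-s /sbin/nologin", "-d %s" % mb_parent_dir, user_name]


def parse_doas_rule(line):
    """Minimal model of a doas.conf rule: keep the command and the optional
    'args' list. Options, identity and 'as target' are not evaluated here."""
    tok = shlex.split(line)
    rule = {"action": tok[0], "cmd": None, "args": None}
    if "cmd" in tok:
        i = tok.index("cmd")
        rule["cmd"] = tok[i + 1]
        rest = tok[i + 2:]
        if rest and rest[0] == "args":
            rule["args"] = rest[1:]
    return rule


def rule_matches(rule, command):
    """command is argv after 'doas'. Modelled on doas.conf(5): no cmd means
    any command; cmd without args means any arguments; cmd with args means
    the argument vector must match element for element."""
    if rule["cmd"] is None:
        return True
    if rule["cmd"] != command[0]:
        return False
    if rule["args"] is None:
        return True
    return rule["args"] == command[1:]


def run_useradd(user_id, mb_parent_dir, user_name):
    """Execute the corrected argv; raises CalledProcessError on non-zero exit."""
    subprocess.check_call(build_useradd_argv(user_id, mb_parent_dir, user_name))


if __name__ == "__main__":
    args = (666, "/var/mail/domain.tld/vmailuser0666", "vmailuser0666")
    # shlex.quote makes the fused element visible as '-u 666' in the output.
    print("shell-equivalent:", " ".join(shlex.quote(a) for a in build_useradd_argv(*args)))
    print("script's list:   ", " ".join(shlex.quote(a) for a in build_useradd_argv_broken(*args)))
```

A doas.conf rule that pins the arguments (cmd useradd args ...) is the least-privilege form for a mailbox-provisioning script; the comparison above shows why it only works when the script splits argv the way the shell does.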
Re: 6.4 doas gives "command not found" if no #!/bin/sh up top
Hi all,

Derek wrote:
> Adding a "#!/bin/sh" at the top of the scripts made them all work again.

It seems this is also happening with Python scripts even if you have a shebang. To solve this you should change lines like

    #!/usr/local/bin/python

to

    #!/usr/bin/env python

After this change was made, doas worked as expected with the script.

regards
--
Markus Rosjat
cyrus-sasl/openldap question
Hi there,

it seems getting SASL working with LDAP is a lifetime task. Sad thing, I had it working, but only after adding/deleting packages of specific versions of cyrus-sasl, and I don't know which you really need to get it working in a "clean" setup. So to all the people out there who are running services like sendmail or courier with OpenLDAP and SASL: could you point to the proper package to use, or do I really need to install one package and then replace it with another so that just the proper libs are present somewhere on the system (this seems kind of bad)? And the docs on cyrus-sasl are a big fk^ in my opinion, but that's another story.

regards
--
Markus Rosjat
Re: FAM Question
Hi Julian,

On 22.10.2018 at 01:26, Julian Suschlik wrote:
> FAM/gamin execute programs when parts of the filesystem change AFAIK. My goto program for this is entr (http://entrproject.org/) available as port under sysutils/entr (http://ports.su/sysutils/entr)

I still don't get what you're trying to tell me. I simply need to know how to start gamin as a background process, since the FAM package isn't around anymore. Usually there would be some kind of rc script in rc.d somewhere, but there isn't. There isn't a man page to be found, so I'm lost how to get things running.

regards
--
Markus Rosjat
Re: FAM Question
Hi Julian,

On 20.10.2018 at 01:01, Julian Suschlik wrote:
> Would sysutils/entr help?

Can you be more specific?

thank you
-- 
Markus Rosjat
relayd smtp traffic
Hi all,

Once again a silly question (but maybe someone is willing to answer) about relayd. Is it possible to determine the domain of the recipient and, depending on this, redirect the traffic to a specific server behind the relayd machine? What I'm trying to do is set up a test mail server and just redirect the mail traffic for one domain to this machine.

regards
-- 
Markus Rosjat
FAM Question
Hi there,

It seems there is no FAM package anymore, but there is a gamin package, so is this a replacement for FAM? And following up on that: how the heck do I get gamin to work? There seems to be no rc script for it, but if it works like FAM there should be a process running, right? The docs and pkgconfig don't say anything regarding this, so I'm kinda lost here. So if someone has some information about that, please share.

regards
-- 
Markus Rosjat
migrate users from old system
Hi all,

What is the right way to do a migration of users from one system to another? I did the following, but it seems to have caused some problems with permissions on the files and directories.

1. copy passwd, group and master.passwd to the new machine
2. clean up the files (some users don't exist anymore)
3. use pwd_mkdb to create a new db

This gave no errors, but after migrating some files with rsync to the new machine it seems that some directories are not read-/writeable (for example by openLDAP), even though all the permissions are set correctly. So I wonder if it might have to do with the user accounts themselves. Any advice would be helpful.

Regards
-- 
Markus Rosjat
Re: CARP on Hyper-V VM
Hi Ricardo,

> You must set the VM's network adapter to 'Enable MAC address spoofing' under 'Advanced Features'.

Nope, this isn't solving the problem. I can still only ping the virtual IP from the local machine. It might need the NDIS extension enabled on the vSwitch too, but I didn't change that because of the probable network disconnection. I will give it a shot later.

regards
Markus
CARP on Hyper-V VM
Hi there,

I just have a question about CARP on Hyper-V VMs. It seems there was a problem with the virtual IP not being reachable from somewhere else than the machine itself. Since I tried to set up CARP on such a VM and noticed the same behaviour on an OpenBSD 6.1, I wonder if this issue is resolved in 6.3?

regards
-- 
Markus Rosjat
OT: how do you write your tools /scripts for everyday tasks
Hi all,

This is more a post to get an overview of how the pros (not me ... you guys) put their tools together. I can write simple shell scripts and this is okay, but I do a little Python coding once in a while and noticed I'm going to write my tools in Python. Sure, it's a little overhead, and most of the time you end up using subprocess to call an existing tool that you would use on a command line anyway. So what are you guys using these days: shell scripts, C programs, perl or? Would be cool to get some feedback on that :)

regards
-- 
Markus Rosjat
Re: httpd index directive confusion
Hi Paco,

On 30.05.2018 at 13:31, Paco Esteban wrote:
> On Wed, 30 May 2018, Markus Rosjat wrote:
>> so I configure my location in httpd.conf like this
>>
>> location "/admin/*" {
>>     root "/path/to/my/site/admin"
>>     root strip 1
>>     directory index index.php
>>     fastcgi socket "/run/php-fpm.sock"
>>     authenticate with "/users/me/mysite_passwd"
>> }
>
> have you tried to put "index.php" (in double quotes)? I may be wrong, but I think I had a similar issue in the past.
>
> Cheers,
> Paco.

I tried both, it didn't help.

regards
-- 
Markus Rosjat
httpd index directive confusion
Hi there,

I hope someone can sort this out for me, but I don't get it. I get a nice "Primary Script unknown" message when I try to reach a defined location. I try to reach https://UrlToMySite.tld/admin/ and in this location is an index.php file, so I configure my location in httpd.conf like this:

location "/admin/*" {
    root "/path/to/my/site/admin"
    root strip 1
    directory index index.php
    fastcgi socket "/run/php-fpm.sock"
    authenticate with "/users/me/mysite_passwd"
}

In my opinion this should show me the generated index.php, but instead I get file not found. When I call the index.php explicitly, like https://UrlToMySite.tld/admin/index.php, it works. So where do I go wrong here?

regards
-- 
Markus Rosjat
Re: Using stmp auth for local account with PHP scripts
Hi again,

On 04.04.2018 at 15:34, Christophe Simon wrote:
> Yes, that should do the trick. The only problem that you could face is the certificate validation in PHPMailer: if you connect to `localhost` using a TLS connection, unless your certificate presents `localhost` as a CN (or a SAN), there's chances that the client refuses to establish the connection (I don't remember if certificate validation is enabled by default in PHPMailer). If you don't want to bypass certificate validation, one possible way to overcome this issue is to set an entry in your chroot's `/etc/hosts` pointing your certificate's CN to `127.0.0.1`, or include `localhost` in your certificate SANs. And if your certificate is self signed, you'll have to manually accept it.

I will give it a try, thank you for the advice.

Regards
-- 
Markus Rosjat
Re: Using stmp auth for local account with PHP scripts
Hi,

I will answer in the text below :)

On 04.04.2018 at 13:52, Christophe Simon wrote:
> Hello,
> I'd say that all depends on the function/library you're using in your PHP application to send mails. The `mail()` command, for instance, uses the `sendmail` binary to directly ingest your message in your local mail spool, and thus does not require any authentication. The mail is sent on behalf of the identity your web server runs under. There's options to set the appropriate sender in the message headers, obviously.

No, we don't want to use the binary in the chroot, that somehow feels just wrong :)

> If you're using a library such as `PHPMailer`, you'll want to use the SMTP protocol, either locally (on lo0) (1), or remotely (on your mail provider's SMTP service) (2).

Since it will be WP (I know ...) it has PHPMailer, and it should be able to send with the SMTP protocol.

> It's up to you to define if you want authentication on the loopback port (but that's better to do so). If you're using your local MTA to send emails (1), either using the SMTP protocol on lo0 or the `sendmail` binary, there's chances you'll want to use a relay host to avoid being blacklisted by your recipients' servers (or you should take care to have a resolvable public IP with correct SPF configured in your DNS). Such a configuration has been very well illustrated by Michael below.

I have set up the local smtpd to relay mails from local connections, so it only listens on lo0, but hey, PHPMailer will connect on lo0 and can still be abused if the WP around it allows it. I basically force the user to use something like recaptcha, but even then I would like to do something with authentication, though. For me a short example would be helpful. For now I basically let a script run once an hour to check if the maillog shows somewhat strange traffic to the relay.

Is enabling auth on lo0 simply this?

pki hostname certificate "/path/to/cert"
pki hostname key "/path/to/key"

table aliases file:/etc/mail/aliases
table secrets file:/etc/mail/secrets

listen on lo0 port submission tls auth

accept for any relay via tls+auth://relaycred@relayhost:587 auth <secrets>

And then I can just set up PHPMailer to use the submission port on localhost with some credentials?

Regards
-- 
Markus Rosjat
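The hourly maillog check mentioned above, as an added example that is not part of the thread: a small Python script that groups smtpd message lines by client address and ten-minute window and reports bursts, which is what a web application abusing an unauthenticated loopback relay looks like in the log. The log lines are constructed for the example and loosely follow the shape of OpenSMTPD's pre-6.4 `smtp event=message` lines (`address=`, `from=<>`, `to=<>`); LINE_RE, the year (syslog timestamps carry none) and the thresholds are assumptions to adapt to your own logs.

```python
"""Flag bursts of mail submitted to the local relay, from smtpd's maillog.

Added example, not code from the thread. The sample lines are constructed and
loosely follow OpenSMTPD's pre-6.4 "smtp event=message" line shape; LINE_RE,
the year and the thresholds are assumptions to adapt to your own logs.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ smtpd\[\d+\]: \S+ smtp "
    r".*?address=(?P<addr>\S+) .*?from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def _msg(ts, addr, sender, rcpt):
    """Build one constructed message line in the assumed log shape."""
    return (f"{ts} web smtpd[3321]: 5f1e9a2b0c3d4e5f smtp event=message "
            f"address={addr} host=localhost msgid=8c1d2e3f from=<{sender}> "
            f"to=<{rcpt}> size=2314 ndest=1 proto=ESMTP")


# Constructed sample: a WordPress instance on lo0 fires six mails within a
# few minutes, plus one from another host and one much later from lo0.
SAMPLE_LOG = [
    "Apr  4 13:59:58 web smtpd[3321]: 5f1e9a2b0c3d4e5f smtp event=connected "
    "address=127.0.0.1 host=localhost",
    _msg("Apr  4 14:00:07", "127.0.0.1", "wordpress@example.test", "me@example.test"),
    _msg("Apr  4 14:01:12", "127.0.0.1", "wordpress@example.test", "a@other.test"),
    _msg("Apr  4 14:01:40", "127.0.0.1", "wordpress@example.test", "b@other.test"),
    _msg("Apr  4 14:02:03", "192.0.2.10", "user@example.test", "me@example.test"),
    _msg("Apr  4 14:03:55", "127.0.0.1", "wordpress@example.test", "c@other.test"),
    _msg("Apr  4 14:05:21", "127.0.0.1", "wordpress@example.test", "d@other.test"),
    _msg("Apr  4 14:06:48", "127.0.0.1", "wordpress@example.test", "e@other.test"),
    _msg("Apr  4 15:30:00", "127.0.0.1", "wordpress@example.test", "me@example.test"),
]


def parse_line(line, year):
    """Return (timestamp, client address, sender, recipient) or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None  # connect/close lines, other daemons, anything else
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["addr"], m["sender"], m["rcpt"]


def find_bursts(lines, year, window=timedelta(minutes=10), threshold=5):
    """Count messages per (client address, window); return those >= threshold.

    Windows are aligned to the start of the year so buckets are stable across
    runs; a burst straddling a boundary may be split over two buckets.
    """
    counts = Counter()
    epoch = datetime(year, 1, 1)
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, addr, _sender, _rcpt = parsed
        start = epoch + window * ((ts - epoch) // window)
        counts[(addr, start)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def report(lines, year):
    """One human-readable line per flagged window, for the cron mail."""
    return [f"{addr} sent {n} messages in the window starting {start:%b %d %H:%M}"
            for (addr, start), n in sorted(find_bursts(lines, year).items())]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG, 2018)) or "no bursts")
```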
Re: httpd.conf path substitution
On 04.04.2018 at 00:05, Michael Hekeler wrote:
> On Thu, 29 Mar 2018 17:13:10 +0200, Michael Hekeler wrote:
> Ah - I see what you try to do... But SNI doesn't mean one single certificate for multiple hostnames (this you can do with multiple entries in the certificate subject alt name). SNI means to serve multiple hostnames on ONE ip address

Jepp, that's what it is.

> SNI is an extension by which a client (e.g. a webbrowser) indicates (hence the name: server name INDICATION) one of these multiple hostnames to be in the TLS handshake. Then the server can choose the right certificate to present to the client.

I know.

> So if you want to serve domain1, domain2 and domain3 each on https then you need cert1 for domain1 and cert2 for domain2 and cert3 for domain3

I have that basically, but some domains belong, in a way, together and could be served with one cert.

> If every domain has its own ip then you don't need SNI. But if all domains share the same ip, then the client and the server must be SNI compatible. When the client requests domain2 the server will be able to present cert2. Of course you can issue a single cert with domain1, domain2 and domain3 in certificate's subject name and configure the server to present this cert on every request. But that's no SNI.

It only presents this cert for the specific virtual hosts.

Anyway, I'm okay with the fact that I have to hardcode the path to the cert into the virtual host definition. I was just wondering if I did something wrong or if it's simply not supported.

Regards
-- 
Markus Rosjat
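To make the SNI mechanism Michael describes concrete, here is an added Python example that is not from the thread: it parses the ClientHello record a client sends in the clear, extracts the indicated host name, and maps it to the certificate a server would present, falling back to a default when no name is sent or the name is unknown. The ClientHello bytes, host names and certificate labels are constructed for the example.

```python
"""Read the SNI host name from a TLS ClientHello and pick a certificate.

Added example, not code from the mailing-list thread. The ClientHello built
below is constructed by hand (TLS 1.2 shape, one cipher suite, zeroed random)
so the parser can be exercised offline; real clients send more extensions,
which the loop in parse_sni() simply skips.
"""
import struct

CONTENT_TYPE_HANDSHAKE = 22
HANDSHAKE_CLIENT_HELLO = 1
EXT_SERVER_NAME = 0        # RFC 6066 server_name extension
NAME_TYPE_HOST_NAME = 0


def _u16(buf, pos):
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def parse_sni(record):
    """Return the host_name from the server_name extension, or None if absent.

    Raises ValueError if the bytes are not a well-formed ClientHello record.
    """
    if len(record) < 5 or record[0] != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + _u16(record, 3)]
    if len(body) < 4 or body[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                          # client_version + random
    pos += 1 + hello[pos]                 # session_id
    pos += 2 + _u16(hello, pos)           # cipher_suites
    pos += 1 + hello[pos]                 # compression_methods
    if pos == len(hello):
        return None                       # legacy client, no extensions
    end = pos + 2 + _u16(hello, pos)
    pos += 2
    if end > len(hello):
        raise ValueError("extensions overrun ClientHello")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        data = hello[pos:pos + ext_len]
        pos += ext_len
        if ext_type == EXT_SERVER_NAME:
            return _host_name(data)
    return None


def _host_name(data):
    """Walk the ServerNameList and return the first host_name entry."""
    pos, end = 2, 2 + _u16(data, 0)
    while pos + 3 <= end:
        name_type, name_len = data[pos], _u16(data, pos + 1)
        pos += 3
        name = data[pos:pos + name_len]
        pos += name_len
        if name_type == NAME_TYPE_HOST_NAME:
            return name.decode("ascii")
    return None


def build_client_hello(host=None):
    """Constructed minimal ClientHello record; omit host for a non-SNI client."""
    exts = b""
    if host is not None:
        hn = host.encode("ascii")
        entry = bytes([NAME_TYPE_HOST_NAME]) + struct.pack("!H", len(hn)) + hn
        sni = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    hello = b"\x03\x03" + bytes(32)              # TLS 1.2, zeroed random
    hello += b"\x00"                             # empty session_id
    hello += struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
    hello += b"\x01\x00"                         # compression: null only
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    body = bytes([HANDSHAKE_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([CONTENT_TYPE_HANDSHAKE, 3, 1]) + struct.pack("!H", len(body)) + body


def choose_certificate(record, certs, default):
    """Map the indicated name to a configured cert, else present the default.

    `certs` maps lower-case host names to certificate labels. A client that
    asks for an unconfigured name, or sends no SNI at all, gets `default`:
    that is the case a single multi-SAN certificate would otherwise cover.
    """
    name = parse_sni(record)
    if name is None:
        return default
    return certs.get(name.lower().rstrip("."), default)
```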
Using stmp auth for local account with PHP scripts
Hi there,

There are simple ways of relaying local mails (connections on lo0 on port 25) to another mail server. This is okay for logs and stuff, but what about mails created by PHP on the local web server? How do I get smtpd to still do auth with username and password on lo0? Is it possible, or do I need to configure the "external" addr too for this purpose?

Regards
Markus
httpd.conf path substitution
Hi there,

It's not really an issue, but I noticed that if I want to substitute a path for the tls key or cert I get a syntax error from httpd -n. So is there some special syntax for this, or is it simply not possible to do something like

tls_key ="/path/to/key"
tls_cert ="/path/to/cert"

server "domain.tld" {
    tls {
        key $tls_key
        certificate $tls_cert
    }
}

regards
-- 
Markus Rosjat
Re: httpd / acme-client confusion
Hi,

> acme-client can only validate an authorization that way. but for a forced renewal for something that's already active, there's likely to already be a validated authorization on the letsencrypt account, in which case it wouldn't need to revalidate.

I did a forced renew after I got a valid certificate, and stopped the httpd before I did the forced renew.

> if you really stopped httpd and there is still something listening then there is another webserver process running. You can check locally with netstat(1) or 'ps -aux'

There was no other process running, since I checked that before I did the forced renew. I will do the suggested changes to the config and keep an eye on it. My main problem was with the block statement; the other thing I just noticed as I did testing with the config and started forcing the renewal of the certificate.

regards
-- 
Markus Rosjat
Re: httpd / acme-client confusion
Hi,

thanks for the samples, I will give it a try, but I'm wondering why acme-client still works even though httpd is not serving any kind of location for a challenge exchange? Like I said, I stopped httpd entirely and still got a new certificate with acme-client. But if it works as expected after I apply the suggested changes, I'm okay with it :)

regards
Markus

On 16.03.2018 at 08:42, Florian Obser wrote:
> this works for me:
>
> server "tlakh.xyz" {
>     listen on 0.0.0.0 tls port 443
>     listen on :: tls port 443
>     tls certificate "/etc/ssl/tlakh.xyz.crt"
>     tls key "/etc/ssl/private/tlakh.xyz.key"
>     hsts
>     location "/shop.6.html" {
>         block return 402
>     }
>     location "/coffee.6.html" {
>         block return 418
>     }
>     location "/.well-known/acme-challenge/*" {
>         root "/acme"
>         root strip 2
>     }
> }
>
> server "tlakh.xyz" {
>     listen on 0.0.0.0 port 80
>     listen on :: port 80
>     hsts
>     block return 302 "https://$HTTP_HOST$REQUEST_URI"
> }
>
> On Thu, Mar 15, 2018 at 11:01:42AM +0100, Markus Rosjat wrote:
>> Hi there,
>> I'm kinda confused right now. I have an OpenBSD 6.1 running a simple httpd.conf with a definition for an http server and an https server. So far so good, I figured I need to have an http server so acme-client can talk to let's encrypt and issue certificate requests, also no big problem, but now it gets confusing. I tried to automate the certificate renewal and, as far as I understand the docs, httpd.conf gets evaluated top to bottom with the first matching rule found. So this would mean a definition like:
>>
>> ext_addr="*" # its just one nic with one external ip on that vm
>>
>> server "mydomain.tld" {
>>     listen on $ext_addr port http
>>     location "/.well-known/acme-challenge/*" {
>>         root "/acme"
>>         root strip 2
>>         directory no auto index
>>     }
>>     block return 302 "https://$HTTP_HOST$REQUEST_URI"
>> }
>>
>> should enable acme-client to renew certificates but redirect other traffic to the https server. Well, it doesn't! So I need to comment out the block return to renew the certificate. That's a thing I could live with and just invent some script that loads a different conf file just for the renewal and, when the certificate is obtained, loads the normal httpd.conf again and restarts httpd. I was playing around and stumbled over the fact that acme-client suddenly can renew certificates even without running httpd in the first place o.O That's just wrong, since there isn't support for dns-01 challenges, right? I stopped httpd, checked that the site wasn't reachable and did an "acme-client -vvF mydomain.tld"; it gave me a new certificate from let's encrypt ... Anyway, can someone who has the insight please tell me what's going on here and maybe post a config example that works for a basic https redirect? Or is it really the case that I need to load a config that hasn't a block return statement in the http server definition? One last note, I did a syspatch today and don't know if this changed something in the behaviour of the components involved.
>>
>> regards
>> Markus Rosjat
httpd / acme-client confusion
Hi there,

I'm kinda confused right now. I have an OpenBSD 6.1 running a simple httpd.conf with a definition for an http server and an https server. So far so good, I figured I need to have an http server so acme-client can talk to let's encrypt and issue certificate requests, also no big problem, but now it gets confusing. I tried to automate the certificate renewal and, as far as I understand the docs, httpd.conf gets evaluated top to bottom with the first matching rule found. So this would mean a definition like:

ext_addr="*" # its just one nic with one external ip on that vm

server "mydomain.tld" {
    listen on $ext_addr port http
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        root strip 2
        directory no auto index
    }
    block return 302 "https://$HTTP_HOST$REQUEST_URI"
}

should enable acme-client to renew certificates but redirect other traffic to the https server. Well, it doesn't! So I need to comment out the block return to renew the certificate. That's a thing I could live with and just invent some script that loads a different conf file just for the renewal and, when the certificate is obtained, loads the normal httpd.conf again and restarts httpd.

I was playing around and stumbled over the fact that acme-client suddenly can renew certificates even without running httpd in the first place o.O That's just wrong, since there isn't support for dns-01 challenges, right? I stopped httpd, checked that the site wasn't reachable and did an "acme-client -vvF mydomain.tld"; it gave me a new certificate from let's encrypt ...

Anyway, can someone who has the insight please tell me what's going on here and maybe post a config example that works for a basic https redirect? Or is it really the case that I need to load a config that hasn't a block return statement in the http server definition? One last note, I did a syspatch today and don't know if this changed something in the behaviour of the components involved.

regards
-- 
Markus Rosjat
acme-client problem when requesting certificate
Hi there,

So I set up the acme infrastructure and after some trying I got it almost to work :) I had to change the agreement url in acme-client.conf, but now I get a strange message from acme-client that I can't really figure out:

acme-client: /var/www/acme/2_e53Y1KM9Tq14dMJuuxMAT8m5gUhxMqD9TntO8ZxbE: created
acme-client: https://acme-staging.api.letsencrypt.org/acme/challenge/NY-kkO6QuTWuArFUOhtcilQ0KuotpV41aOwlO9UL9oY/78051622: challenge
acme-client: acme-staging.api.letsencrypt.org: cached
acme-client: acme-staging.api.letsencrypt.org: cached
acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/NY-kkO6QuTWuArFUOhtcilQ0KuotpV41aOwlO9UL9oY/78051622", "token": "2_e53Y1KM9Tq14dMJuuxMAT8m5gUhxMqD9TntO8ZxbE", "keyAuthorization": "2_e53Y1KM9Tq14dMJuuxMAT8m5gUhxMqD9TntO8ZxbE.0s8MYWFs-8TXdp2jx4tPwoDczZpltpon9LGtdsFu0V0" }] (338 bytes)
acme-client: 2_e53Y1KM9Tq14dMJuuxMAT8m5gUhxMqD9TntO8ZxbE: File exists
acme-client: bad exit: netproc(29731): 1
acme-client: bad exit: challengeproc(50545): 1

So as far as I understand, files get created and right away deleted during the whole certificate creation process, and if I look in /var/www/acme there isn't any file, so what is acme-client telling me with "File exists"? Where do I find this file?

regards
-- 
Markus Rosjat
board ord boards with case for a router firewall
Hi there,

We use mostly soekris for our router/firewall solution with OpenBSD, but since there seems to be not much development and they are kinda expensive still ... I was wondering if you guys could give some suggestions on other hardware for this use case? Also boards with more than 4 NICs would be interesting, so if someone likes to share their experiences it would be much appreciated.

regards
-- 
Markus Rosjat
Re: spamd randomly and silently dying on OpenBSD 6.1
Hi again,

I looked further and noticed that syslogd was not the cause, but somehow spamd died while talking to a server. Could something in the body screw up spamd? Here are my logs on that:

- the spamd log file part

Oct 21 20:24:54 heimdal spamd[46664]: 60.167.119.193: disconnected after 420 seconds.
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: From: "Valgosocks"
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: To:
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: Subject: =?utf-8?B?ZmFjaG3DpG5uaXNjaGUga29ycmVrdHVyIGRlcyBoYWxsdXggdmFsZ3VzIGFtIGZ1c3M=?=
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: Body: This is a multi-part message in MIME format.
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: Body: --=_NextPart_000_0006_01D349CD.8A885470
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: Body: Content-Type: multipart/alternative;
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: Body: boundary="=_NextPart_000_0007_01D349CD.8A885470"
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: Body: --=_NextPart_000_0007_01D349CD.8A885470
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: Body: Content-Type: text/plain;
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: Body: charset="windows-1251"
2017-10-22T06:00:01.101Z heimdal newsyslog[25423]: logfile turned over

- and the daemon log part

Oct 21 20:24:54 heimdal spamd[46664]: 60.167.119.193: disconnected after 420 seconds.
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: From: "Valgosocks"
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: To:
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: Subject: =?utf-8?B?ZmFjaG3DpG5uaXNjaGUga29ycmVrdHVyIGRlcyBoYWxsdXggdmFsZ3VzIGFtIGZ1c3M=?=

On 22.10.2017 at 12:59, Markus Rosjat wrote:
> Hi there,
> spamd just died silently again tonight. What's the best way to approach the debugging of this kind of behaviour? As I looked at my logs it seems that syslogd causes this, so here is my syslog.conf entry:
>
> !!spamd
> daemon.err;daemon.warn;daemon.info;daemon.debug /var/log/spamd
>
> but in my opinion this shouldn't cause trouble at all. If I can produce more verbose output in any way, give me a hint and I'll do it :)
>
> Regards
> Markus
>
> On 06.10.2017 at 10:49, rosjat wrote:
>> Hi there,
>> it seems the spamd daemon is silently and randomly dying on an OpenBSD 6.1 machine. The logs show nothing that would give some hint, and if my script for bgp-spamd wouldn't tell me it can't connect to spamd, I wouldn't even notice it till the next daily job that tells me that spamlogd should run but isn't. Is there some way to get more verbose output when the process is daemonized? The -v switch only seems to apply to the foreground mode. Here is my spamd setting:
>>
>> spamd_class=daemon
>> spamd_flags=-v -G10:12:864 -B 50 -c 100 -s 10
>> spamd_rtable=0
>> spamd_timeout=30
>> spamd_user=root
>>
>> and spamlogd:
>>
>> spamlogd_class=daemon
>> spamlogd_flags=-l pflog3
>> spamlogd_rtable=0
>> spamlogd_timeout=30
>> spamlogd_user=root
>>
>> If someone had the same issue and could resolve it, it would be nice to hear. In the end I can always make a cron job that checks if spamd is running and if not just restarts it, but this isn't really a solution ...
>>
>> regards
>> Markus Rosjat
Re: spamd randomly and silently dying on OpenBSD 6.1
Hi there,

spamd just died silently again tonight. What's the best way to approach the debugging of this kind of behaviour? As I looked at my logs it seems that syslogd causes this, so here is my syslog.conf entry:

!!spamd
daemon.err;daemon.warn;daemon.info;daemon.debug /var/log/spamd

but in my opinion this shouldn't cause trouble at all. If I can produce more verbose output in any way, give me a hint and I'll do it :)

Regards
Markus

On 06.10.2017 at 10:49, rosjat wrote:
> Hi there,
> it seems the spamd daemon is silently and randomly dying on an OpenBSD 6.1 machine. The logs show nothing that would give some hint, and if my script for bgp-spamd wouldn't tell me it can't connect to spamd, I wouldn't even notice it till the next daily job that tells me that spamlogd should run but isn't. Is there some way to get more verbose output when the process is daemonized? The -v switch only seems to apply to the foreground mode. Here is my spamd setting:
>
> spamd_class=daemon
> spamd_flags=-v -G10:12:864 -B 50 -c 100 -s 10
> spamd_rtable=0
> spamd_timeout=30
> spamd_user=root
>
> and spamlogd:
>
> spamlogd_class=daemon
> spamlogd_flags=-l pflog3
> spamlogd_rtable=0
> spamlogd_timeout=30
> spamlogd_user=root
>
> If someone had the same issue and could resolve it, it would be nice to hear. In the end I can always make a cron job that checks if spamd is running and if not just restarts it, but this isn't really a solution ...
>
> regards
> Markus Rosjat
Re: a pf question maybe asked a 1000 times
Hi,

As far as I understood the whole thing:

On 20.10.2017 at 15:09, Michael Hekeler wrote:
>> pass on hvn0 inet proto icmp all icmp-type echoreq
>
> just to be curious: what is the effect of "on" in your rules "pass on ..."? As to pf.conf(5) there are only "in" or "out"

This should allow traffic in and out on a given nic, but I might be wrong here. This is basically a training exercise for me, so I don't do too much harm if some rules don't work right away as expected. And this rule is valid even if it's not working as expected, but after I activated it I could ping from the host and to the host. Without the rule I couldn't. On a host with just one nic it might be redundant, but if you have more than one nic this might be a valid choice.

regards
-- 
Markus Rosjat
Re: a pf question maybe asked a 1000 times
Hi Michael,

As far as pfctl -sr goes, a "block return" expands to "block return all", but since I got it working now, here is the ruleset that does what it is supposed to do :)

ext_if="hvn0"

set skip on lo

block return    # block stateless traffic
block inet6

pass on $ext_if inet proto {tcp udp} to port domain
pass on $ext_if inet proto icmp icmp-type echoreq
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh
pass in on $ext_if inet proto tcp from any to ($ext_if) port 443
pass out on $ext_if inet proto tcp from ($ext_if) port { https, submission }

$ doas pfctl -sr
block return all
block drop inet6 all
pass in on hvn0 inet proto tcp from any to (hvn0) port = 22 flags S/SA
pass in on hvn0 inet proto tcp from any to (hvn0) port = 443 flags S/SA
pass out on hvn0 inet proto tcp from (hvn0) port = 443 to any flags S/SA
pass out on hvn0 inet proto tcp from (hvn0) port = 587 to any flags S/SA
pass on hvn0 inet proto tcp from any to any port = 53 flags S/SA
pass on hvn0 inet proto udp from any to any port = 53
pass on hvn0 inet proto icmp all icmp-type echoreq

As you may notice, I added ping and DNS to the ruleset, since this was blocked in the original set of rules.

regards

On 20.10.2017 at 14:27, Michael Hekeler wrote:
> On Fri, Oct 20, 2017 at 12:59:51PM +0200, Markus Rosjat wrote:
>> ...
>> block return    # block stateless traffic
>
> Hi Markus,
> here's another hint: no matter if you want to drop silently or send a return for the dropped packet, you have to tell **on which packet the block action should react**
>
> block drop all
> -or-
> block return all
> -or-
> block all
>
> If you have this in your pf.conf and load this ruleset then 'pfctl -sr' will give you a line like:
> block drop all (or whatever you have in pf.conf)

-- 
Markus Rosjat
Re: a pf question maybe asked a 1000 times
Hi again,

okay, big time PEBKAC ... if you do the -d you should at some point do the -e ... haha

Anyway, always fun to brainstorm with you guys, this list rocks !!!

On 20.10.2017 at 14:11, Markus Rosjat wrote:
> Hi,
>
> yeah well, the rules are loaded, I could flush before doing pfctl -f to make it all clean.
> I tried ssh m...@domain.tld from the machine with the ruleset. This works with the given rules but it shouldn't in my opinion.
> And yes, there is no DNS traffic allowed in the rules. Maybe it's really the flush that makes it all work. I will try that :)
>
> regards
Re: a pf question maybe asked a 1000 times
Hi,

yeah well, the rules are loaded, I could flush before doing pfctl -f to make it all clean.
I tried ssh m...@domain.tld from the machine with the ruleset. This works with the given rules but it shouldn't in my opinion.
And yes, there is no DNS traffic allowed in the rules. Maybe it's really the flush that makes it all work. I will try that :)

regards
Re: a pf question maybe asked a 1000 times
Hi,

On 20.10.2017 at 13:11, Bryan Harris wrote:
> I don't know the answer but I'm curious. What does "pfctl -sr" command show? Can you do dns lookups?
>
> PS - my rules have the "pass out all" rule at the bottom.
>
> V/r,
> Bryan

Sure, I can give the output:

$ doas pfctl -sr
doas (m...@my.own) password:
block return all
block drop inet6 all
pass in on hvn0 inet proto tcp from any to (hvn0) port = 22 flags S/SA
pass in on hvn0 inet proto tcp from any to (hvn0) port = 443 flags S/SA
pass out on hvn0 inet proto tcp from (hvn0) port = 443 to any flags S/SA
pass out on hvn0 inet proto tcp from (hvn0) port = 587 to any flags S/SA

I don't have a pass out all rule, this would match every outgoing traffic then, but maybe match is the key here :)

regards
a pf question maybe asked a 1000 times
Hi there,

I was wondering, after reading Mr. Hansteen's excellent book about pf and the man pages, if I got it all wrong :) So here is my example pf.conf:

ext_if="hvn0"

set skip on lo

block return    # block stateless traffic
block inet6

pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh
pass in on $ext_if inet proto tcp from any to ($ext_if) port 443
pass out on $ext_if inet proto tcp from ($ext_if) port { https, submission }

and what I expect is the following:

- traffic ipv4 and ipv6 gets blocked -> general deny
- I let enter ssh traffic
- I let enter https traffic
- I let out traffic on https and submission port
- I should not be able to establish a ssh connection from this host to another machine but should be able to connect to this machine

What I notice is I can initiate a ssh connection from this machine. So there are three possible answers to this:

- 1st: with allowing ssh traffic in the first place, the ssh port will be considered passable from both sides of the nic. Which would somehow make no sense to me at all because it's an explicit in rule
- 2nd: the ssh connection initiated is somehow considered coming from lo and for that not passed to the following rules
- 3rd: my rules are just wrong :)

So for all the more skilled human beings out there, can you help me with it?

regards
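As an added illustration of this thread (not code from the thread itself), here is a small model of pf's last-matching-rule-wins evaluation applied to the ruleset above as 'pfctl -sr' printed it. It shows why the rules, once pf is actually enabled, do not pass an outbound ssh connection from the host, and why everything passed while pf was disabled; the packet fields, the ephemeral port and the simplifications listed in the docstring are assumptions of the model.

```python
"""Added example, not code from the thread: a miniature model of pf's rule
evaluation applied to the ruleset Markus posted (as 'pfctl -sr' printed it).
It shows why those rules, with pf enabled, do not let the host open an
outbound ssh connection, and why everything passed while pf was disabled
(the 'pfctl -d' without a later 'pfctl -e' from the follow-up message).

Modelling assumptions (this is not pf): only direction, address family,
protocol, source port and destination port are matched; pf's
last-matching-rule-wins order is reproduced; 'quick', 'return' vs 'drop',
icmp-type and the state table are ignored.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # "in", "out", or None for both
    af: Optional[str] = None         # "inet", "inet6", or None for both
    proto: Optional[str] = None      # "tcp", "udp", "icmp", or None
    dport: Optional[int] = None      # destination port, None means any
    sport: Optional[int] = None      # source port, None means any


@dataclass(frozen=True)
class Packet:
    direction: str
    af: str
    proto: str
    dport: Optional[int] = None
    sport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule field left as None matches anything, like 'any' in pf."""
    checks = (
        (rule.direction, pkt.direction),
        (rule.af, pkt.af),
        (rule.proto, pkt.proto),
        (rule.dport, pkt.dport),
        (rule.sport, pkt.sport),
    )
    return all(want is None or want == have for want, have in checks)


def evaluate(rules, pkt: Packet, pf_enabled: bool = True) -> str:
    """Return 'pass' or 'block'. With pf disabled nothing is filtered at
    all; otherwise the last rule that matches decides (no 'quick' here)."""
    if not pf_enabled:
        return "pass"
    action = "pass"  # pf's implicit default when no rule matches
    for rule in rules:
        if matches(rule, pkt):
            action = rule.action
    return action


# The ruleset from the thread, transcribed from the 'pfctl -sr' output
# (including the DNS and ping rules added in the final version).
RULESET = [
    Rule("block"),                                  # block return all
    Rule("block", af="inet6"),                      # block drop inet6 all
    Rule("pass", "in", "inet", "tcp", dport=22),    # ... to (hvn0) port = 22
    Rule("pass", "in", "inet", "tcp", dport=443),   # ... to (hvn0) port = 443
    Rule("pass", "out", "inet", "tcp", sport=443),  # from (hvn0) port = 443 to any
    Rule("pass", "out", "inet", "tcp", sport=587),  # from (hvn0) port = 587 to any
    Rule("pass", None, "inet", "tcp", dport=53),    # DNS over tcp, both directions
    Rule("pass", None, "inet", "udp", dport=53),    # DNS over udp, both directions
    Rule("pass", None, "inet", "icmp"),             # ping (icmp-type not modelled)
]

EPHEMERAL = 51234  # a constructed client-side source port


def decide(direction: str, proto: str, dport: Optional[int] = None,
           sport: Optional[int] = None, af: str = "inet",
           pf_enabled: bool = True) -> str:
    """What the thread's ruleset does with one packet."""
    return evaluate(RULESET, Packet(direction, af, proto, dport, sport), pf_enabled)


if __name__ == "__main__":
    cases = [
        ("inbound ssh SYN", dict(direction="in", proto="tcp", dport=22, sport=EPHEMERAL)),
        ("outbound ssh SYN, pf enabled", dict(direction="out", proto="tcp", dport=22, sport=EPHEMERAL)),
        ("outbound ssh SYN, pf disabled", dict(direction="out", proto="tcp", dport=22, sport=EPHEMERAL, pf_enabled=False)),
        # The 'pass out' rules constrain the *source* port, so an outbound
        # client connection to a remote https server is not matched by them.
        ("outbound https client SYN", dict(direction="out", proto="tcp", dport=443, sport=EPHEMERAL)),
        ("outbound dns query", dict(direction="out", proto="udp", dport=53, sport=EPHEMERAL)),
        ("inbound ssh over IPv6", dict(direction="in", proto="tcp", dport=22, sport=EPHEMERAL, af="inet6")),
    ]
    for label, kw in cases:
        print(f"{label:32s} -> {decide(**kw)}")
```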
spamd pf rule question
Hi there,

it's a quite simple question :) I have a rule like this:

pass in log(to $log_spamd_if) on $ext_if proto tcp to port smtp rdr-to 127.0.0.1 port spamd

and was wondering if it's better to use

pass in log(to $log_spamd_if) on $ext_if proto tcp to port smtp divert-to 127.0.0.1 port spamd

The mailserver isn't the same machine.

regards
Re: php-fpm and OpenBSD 6.2
Hi Peter,

thank you for the hint :) In the end I would simply try to run a php script and see if it works ;)

regards

Markus

On 12.10.2017 at 10:20, Peter Faiman wrote:
> On Oct 12, 2017, at 00:39, Markus Rosjat wrote:
> > Hi there,
> >
> > I can't find a php-fpm package under 6.2 but there are php-fastcgi packages. Is this the new php-fpm naming convention starting with 6.2 or do I get this wrong here?
> >
> > regards
>
> There is no php-fpm package, fpm is built in the plain php package. There is an effort to split php into more granular packages, including a php-fpm package, but it didn't make it into 6.2. You can read more about the repackaging effort on the ports mailing list; the thread was updated just yesterday.
>
> I believe php-fastcgi is a legacy module of some kind, and fpm is the preferred way to run php. So you just need the plain php package that comes with fpm.
>
> Peter
php-fpm and OpenBSD 6.2
Hi there,

I can't find a php-fpm package under 6.2 but there are php-fastcgi packages. Is this the new php-fpm naming convention starting with 6.2 or do I get this wrong here?

regards
spamd randomly and silently dying on OpenBSD 6.1
Hi there,

it seems the spamd daemon is silently and randomly dying on an OpenBSD 6.1 machine. The logs show nothing that would give some hint, and if my script for bgp-spamd wouldn't tell me it can't connect to spamd, I wouldn't even notice it till the next daily job that tells me that spamlogd should run but isn't.

Is there some way to get a more verbose output when the process is daemonized? The -v switch only seems to apply to the foreground mode.

Here is my spamd setting:

spamd_class=daemon
spamd_flags=-v -G10:12:864 -B 50 -c 100 -s 10
spamd_rtable=0
spamd_timeout=30
spamd_user=root

and spamlogd:

spamlogd_class=daemon
spamlogd_flags=-l pflog3
spamlogd_rtable=0
spamlogd_timeout=30
spamlogd_user=root

If someone had the same issue and could resolve it, it would be nice to hear.

In the end I can always make a cron job that checks if spamd is running and if not just restarts it, but this isn't really a solution ...

regards
Re: migrate .htaccess conent to httpd.conf
Hi,

On 05.10.2017 at 12:53, Michael Hekeler wrote:
> > I don't need them, I have them on an older system where apache 1.3 was the standard webserver for openbsd still. So I simply want to migrate the content to a system with a new standard webserver httpd.
>
> Okay
> But keep in mind that httpd is not Apache and converting complicated htaccess stuff is not always possible... ;-)

sure, no problem

> > so this would mean if I have 20 files spread over 10 directories I need for all of them a location statement to block or otherwise auth before someone could access it?
>
> :-)
> No, of course not
> You can do things like:
>
> location "/.ht*" {
>   block
> }
>
> and with Lua's pattern matching you can do really cool things.
> See patterns(7) and httpd.conf(5)

I'll check it out

Thank you
Re: migrate .htaccess conent to httpd.conf
Hi,

On 05.10.2017 at 10:11, Michael Hekeler wrote:
> > And 2nd question would be how to give the user a way to implement something like it on their own? I was thinking of a simple standard include in the server definition but this might mess things up
>
> if you need directory specific and user define-able override files like those .htaccess, then why not use Apache?

I don't need them, I have them on an older system where apache 1.3 was the standard webserver for openbsd still. So I simply want to migrate the content to a system with a new standard webserver httpd.

> Don't get me wrong: I don't want to vote for Apache but I think it's better to use "Tool X" when you need the features of "Tool X" than to bend "Tool Y" so that it acts like "Tool X" ;-)

I understand :)

> To your 1st question:
>
> location "/filename" {
>   block
> }

so this would mean if I have 20 files spread over 10 directories I need for all of them a location statement to block or otherwise auth before someone could access it?

Regards
httpd.conf and directory index
hi there,

I can't get it around my head how this should work if different locations have different index files. So I have a config like so:

server "domain.tld" {
	alias "*.domain.tld"
	listen on $ext_addr tls port https
	log error "domain_ssl_error"
	log access "domain_ssl_access"
	tls {
		certificate "/etc/ssl/web/domain.fullchain.pem"
		key "/etc/ssl/web/keys/domain.key"
	}
	root "/htdocs/domain.tld"
	directory { index index.html }

	location "/admin/*" {
		directory { index index.php }
		fastcgi socket "/run/php-fpm.sock"
		authenticate with "../domain_passwd"
	}

	directory { index index.html }

	location "*.php" {
		fastcgi socket "/run/php-fpm.sock"
	}
}

So this makes the site browsable and it works with the php scripts. So now I expect that when I request https://domain.tld/admin/ I would get the index.php loaded after I authenticated, but I get a 404. On the other hand https://domain.tld/admin/index.php works fine.

Since the rules get evaluated top to bottom, stopping at the first match, it should work, because the second directory statement seems to work just fine and it gets evaluated after the first location statement. But well, even the authenticate statement is, just in my opinion, wrong on so many levels and it also works ... could someone that is more skilled in httpd.conf give me some insight here?

regards
openSMTPD relaying and aliases
Hi there,

just a simple question about relaying a local mail with an alias instead of the user name. So it works to relay mail to the alias address via the relay.

aliases file:

root: logs+...@domain.tld

secrets file:

test acco...@domain.tld:secret_pass

smtpd.conf:

table aliases file:/etc/mail/aliases
table secrets file:/etc/mail/secrets

listen on lo0

accept for local alias <aliases> deliver to mbox
accept for any relay via tls+auth://t...@mail.domain.tld:587 auth <secrets>

But I get mails in my log account with

From: r...@machinename.domain.tld
To: r...@machinename.domain.tld

but I would like to have it with

From: r...@machinename.domain.tld
To: logs+...@domain.tld

to make my filtering easier in the mail account. So is it possible to get smtpd to use the alias in the To: field by default when sending a mail from a user account?

Regards
migrate .htaccess conent to httpd.conf
Hi there,

I was wondering if there is some guidance out there for this sort of thing? I know it's possible to simply block directories or put basic auth in front of them, but what about some more fine grained stuff for a file in a directory? Like this:

order deny,allow
deny from all
Require all denied

Is there a way to rewrite this for the httpd.conf?

And 2nd question would be how to give the user a way to implement something like it on their own? I was thinking of a simple standard include in the server definition but this might mess things up.

regards
[solved] httpd.conf authenticate with question
hi,

was my mistake, I forgot the evaluation order is different in httpd.conf! Put the auth location before the general wildcard location.

regards

Markus

On 02.10.2017 at 19:13, Michael Hekeler wrote:
> > location "/some/secret/location/*" {
> >   directory index index.php
> >   authenticate with "/path/to/the/htpasswd/file"
> > }
>
> Can we use "authenticate [realm] with htpasswd" in a location?
> From httpd.conf(5) I thought http-Auth is enabled in server section and only disabled in location. No?
httpd.conf authenticate with question
Hi there,

I can protect a location with a password like so:

location "/some/secret/location/*" {
  directory index index.php
  authenticate with "/path/to/the/htpasswd/file"
}

This works if I request https://my.domain.tld/some/secret/location/ and it will ask for the password, but if I request https://my.domain.tld/some/secret/location/index.php it will simply load the site without asking for credentials.

So how do I prevent the access over a full url ???

Regards
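As an added example (not the httpd.conf from any of the messages above, and with placeholder names and paths), a server block that applies what the httpd.conf threads above settled on: the authenticated location has to come before the generic "*.php" location, because the first matching location is the one used, and the Apache-era override files are blocked outright.

```conf
# Added example, not from the thread. "domain.tld", the socket path, the
# certificate paths and the htpasswd path are placeholders. The htpasswd
# path is inside httpd's chroot (/var/www by default).
server "domain.tld" {
	listen on $ext_addr tls port https
	root "/htdocs/domain.tld"
	tls {
		certificate "/etc/ssl/domain.fullchain.pem"
		key "/etc/ssl/private/domain.key"
	}
	directory { index index.html }

	# Never serve Apache override files, wherever they ended up in the tree.
	location "/.ht*" {
		block
	}

	# The protected area first: locations are matched in order and the first
	# match wins, so if this came after "*.php", a request for
	# /admin/index.php would be handled by the unauthenticated "*.php"
	# location instead (the problem in the "authenticate with" thread).
	location "/admin/*" {
		directory { index index.php }
		authenticate with "/htpasswd/domain_passwd"
		fastcgi socket "/run/php-fpm.sock"
	}

	# Every other .php file goes to php-fpm without authentication.
	location "*.php" {
		fastcgi socket "/run/php-fpm.sock"
	}
}
```

Check the result with `httpd -n` before reloading, and then request both /admin/ and /admin/index.php: both must answer 401 until credentials are supplied.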
du algorithm to calculate diskspace
hi there,

I just noticed, while copying stuff from a very old OpenBSD 4.2 to an OpenBSD 6.1, that du on both systems gives me different results. Did something change in the calculation from 4.2 to 6.1?

For example:

4.2 calculates ~ 136MB
6.1 calculates ~ 148MB

I copied the files with scp.

regards
Re: the whole greylisting, spam filtering thing
Hi there again,

so I will try to ask the question about implementing rspamd on a dedicated machine or at the mailsystem again, because I don't know if it was lost in the conversation :). Is there some effort in NOT running rspamd on the same machine as the mailsystem? I was just wondering because it could make some transitioning a little easier, but if the amount of "workarounds" to relay mails through another instance is not worth it, then I will go with spam filtering on the mailsystem.

regards
Re: the whole greylisting, spam filtering thing
Hi,

thank you all for the helpful input on that subject. I have one last thing to ask about it. What would be a good approach to implementing rspamd? I start greylisting on the firewall and that's ok, but should I implement a dedicated system for rspamd and relay the "ok-Mails" from there to the mailsystem, or simply run rspamd on the mailsystem and plug it in front of the mailserver like postfix?

Regards
Re: the whole greylisting, spam filtering thing
Hi Leo,

On 29.09.2017 at 16:57, Leo Unglaub wrote:
> Hey,
>
> On 09/29/17 15:06, Markus Rosjat wrote:
> > my boss is getting on my nerves that greylisting is basically out of date because of things like outlook.com and mails ending up delayed for ever. So the next logical step would be to deploy a tool like rspamd or spamassassin to examine mail content. These tools need to be trained and if you have a small mailserver with less accounts this could take a while I imagine
>
> i assume that your boss is not an engineer and also not very familiar with how emails work. Greylisting is clearly NOT out of date at all. Greylisting simply makes use of stuff that is defined in the SMTP RFC. Every email server is allowed to temporarily deny the delivery of an email and ask the sending server for another try.

well, we use greylisting and I gave MS a free pass, but sometimes it doesn't seem to work anyway, but that's ok for me.

> The problem in this case is clearly Microsoft who has no idea how email is supposed to work. You have two options here.

the customer will always complain no matter how often you explain the real problem :)

> A: Simply don't care about Microsoft and just send customers to a website where you describe the problem and tell them to contact Microsoft in order to fix their stuff. This works very well, my Company hosts around 2,3 Million mailboxes and we use Greylisting and customers are okay with it.
>
> B: You exclude the outlook.com outgoing servers from greylisting.
> Microsoft provides a list of IP addresses that they use for delivery: https://mail.live.com/mail/ipspace.aspx
>
> Greetings
> Leo

I also checked the spf records of MS and added them too, so we will see what's going to happen. I need to move to a more up to date setup, so I just check my options what's used these days, and yes, greylisting works for me as long as no office 365 is involved, but a lot of business partners of our customers are moving to 365 and the email solution, so it becomes a problem for me too. It's just frustrating to see a mail greylisted from 40 different ips ...

regards
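The exclusion Leo describes as option B, as an added example of how it is usually expressed with spamd(8) and pf on OpenBSD (not configuration from the thread; the interface name, the table file path and the documentation-range network are assumptions):

```pf
# Added example, not from the thread. "em0" and /etc/mail/nospamd are
# assumed names; 203.0.113.0/24 is a documentation-range placeholder to be
# replaced by the networks Microsoft publishes (and, as Markus mentions,
# those found in their SPF records).

# /etc/mail/nospamd (constructed placeholder content, one network per line):
#   203.0.113.0/24

# /etc/pf.conf fragment
ext_if = "em0"
table <spamd-white> persist                        # senders that completed greylisting
table <nospamd> persist file "/etc/mail/nospamd"   # senders exempt from greylisting

# Every new SMTP connection is handed to spamd first ...
pass in on $ext_if proto tcp from any to any port smtp divert-to 127.0.0.1 port spamd
# ... except the two exemption tables, which reach the real MTA directly.
# In pf the last matching rule wins, so these override the divert rule above.
pass in on $ext_if proto tcp from <nospamd> to any port smtp
pass in log on $ext_if proto tcp from <spamd-white> to any port smtp
pass out log on $ext_if proto tcp to any port smtp
```

After editing the file, load the new contents without a full reload with `pfctl -t nospamd -T replace -f /etc/mail/nospamd`, and check with `pfctl -t nospamd -T show` that the expected networks are in place.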
Re: the whole greylisting, spam filtering thing
Hi,

On 29.09.2017 at 15:39, Larry Hynes wrote:
> Markus Rosjat wrote:
> > my boss is getting on my nerves
>
> It may be mutual.

of course, but well :)

> > that greylisting is basically out of date because of things like outlook.com and mails ending up delayed for ever. So the next logical step would be to deploy a tool like rspamd or spamassassin to examine mail content. These tools need to be trained and if you have a small mailserver with less accounts this could take a while I imagine.
>
> Specifically in relation to rspamd: If you spend some time reading the documentation on the rspamd website you might find that:
>
> 1. the weight of rules which classify messages as 'ham' or 'spam', i.e. those rules which rely on the 'training' of messages, does not have to be, in the overall context, critical. rspamd deploys a boatload of 'tests', by default, and even more can be enabled, and each of those can be assigned a score. hamminess or spamminess is just one 'test'.
>
> 2. That the rspamd website specifically links to 'pre-built' ham and spam databases which you are free to download and use.

I'll check this out! Thank you for the hint !!!

regards
the whole greylisting, spam filtering thing
Hi there,

my boss is getting on my nerves that greylisting is basically out of date because of things like outlook.com and mails ending up delayed for ever. So the next logical step would be to deploy a tool like rspamd or spamassassin to examine mail content. These tools need to be trained and if you have a small mailserver with less accounts this could take a while I imagine.

So my question is, is there some source that you could use to train these kinds of tools (like a database that you could connect to for training content), or is everyone here that uses these tools lucky enough to have a shitload of users that do the training for your systems?

Some information about this would be helpful.

regards
Re: routing problem with wordpress and external and internal traffic
hi,

On 27.09.2017 at 15:59, x9p wrote:
> > > I am supposing it's Apache because you did not say so.
> >
> > no, it's of course a httpd from OpenBSD
>
> You are right, httpd. my bad. I am used to the Linux world.
>
> > the problem here is for internal traffic to somehow rewrite the url to an internal ip with some lines in the server part of the httpd.conf (don't know if this is possible)
>
> We know packets are being changed by pf rules when coming from the outside world. From the inside network, there is a URL transformation that represents the problem you are facing.

well, if I do stuff on the internal nic I could do things to these packets too, but this should be the smaller problem here.

> where is the URL rewrite being done? .htaccess or in another part? I believe this is the first step to search for. If it is in the .htaccess, that is the simpler solution in my point of view.

well, since .htaccess has nothing to do with httpd of OpenBSD, rewrites could be possible in relayd (maybe) or, as I stated, maybe in the server definition in httpd.conf.

> > or to somehow get the traffic rerouted when it hits the firewall in a pf rule or rules
>
> I believe mixing routing/pf rules with URL rewriting makes the problem complex, should be a simple solution.
>
> cheers.
>
> x9p

regards
Re: routing problem with wordpress and external and internal traffic
Hi,

On 27.09.2017 at 13:33, x9p wrote:
> > Hi there,
>
> Hi
>
> > I have a small problem getting a wordpress instance, that works with ips in the url, to work from the internal net. So here is the setup: a webserver for some application behind an OpenBSD firewall (webserver is OpenBSD 6.0). I have a static ip for my external nic and the wordpress
>
> I am supposing it's Apache because you did not say so.

no, it's of course a httpd from OpenBSD

> > So question now is, is it possible to route the way from inside to the outside and back without reinventing the wheel, or is it simpler just to let the webserver listen to the different port too? I hope it makes sense to someone to give me a push in the right direction
>
> I think it's lacking some information, but supposing your wordpress installation is redirecting based on .htaccess rules under httpd, I would include a rule to not rewrite the URL based on source IP (if internal, do not apply .htaccess rule of URL rewrite)

the problem here is for internal traffic to somehow rewrite the url to an internal ip with some lines in the server part of the httpd.conf (don't know if this is possible) or to somehow get the traffic rerouted when it hits the firewall in a pf rule or rules

> something like: https://unix.stackexchange.com/questions/44129/conditional-directoryindex-based-on-ip-address-using-htaccess
>
> cheers.
>
> x9p

regards
routing problem with wordpress and external and internal traffic
Hi there,

I have a small problem getting a wordpress instance, that works with ips in the url, to work from the internal net. So here is the setup: a webserver for some application behind an OpenBSD firewall (webserver is OpenBSD 6.0). I have a static ip for my external nic and the wordpress instance uses the external ip in the site url. Additionally I have to use a different port than https because there is a proxy server listening for some other application.

While reaching the site from the outside world is no problem, because it's a simple redirect to the webserver and the wordpress instance has the url saved, it becomes kinda tricky to reach the wordpress instance from the inside. In the internal net the webserver listens on port 80 and 443, so I can reach it from the inside, but then the wordpress instance is rewriting the url to a port that isn't 443 because from the outside world it expects a different port.

So question now is, is it possible to route the way from inside to the outside and back without reinventing the wheel, or is it simpler just to let the webserver listen to the different port too?

I hope it makes sense to someone to give me a push in the right direction.

regards
Re: relayd https relay
I want to go with Let's Encrypt certificates, so if I provide the pem created by the acme-client it should be ok, even if it seems not for now. I don't know if relayd development is going to add SNI sometime soon, but for now I could live with a certificate that basically has all my served domains in the SAN field.

On 21.09.2017 at 14:49, trondd wrote:
> On Thu, September 21, 2017 8:25 am, rosjat wrote:
> > I try to figure out the ca file option mentioned by ronan, maybe this is some kind of option here.
>
> Using 'ca file' means you have to decrypt the SSL connection from the clients with relayd then re-encrypt from relayd to the web servers. Clients will only see relayd's SSL certificate. Originally you said you want to use a different cert for each web site.
>
> What CA signs the web server certificates? There was a bug, I don't know if it got fixed, in relayd that you can't use a big file of CAs for the 'ca file', the imsg was not chunked and if the file is too big, relayd will fail to start the relay. Take the CA cert that signed the web server certificates and put that into a file and reference that file like 'ca file "/etc/ssl/webca.pem"'
>
> > On 21.09.2017 at 14:11, trondd wrote:
> > > On Thu, September 21, 2017 3:49 am, rosjat wrote:
> > > > Hi,
> > > >
> > > > so I added the with tls keywords to the relay and my webserver gets requests now, but from my relayhost, and this is making the way back quite hard :( so I added the X headers for Forwarded-For and Forwarded-By, but it still leaves the question how to tell the relayhost to just let it all out like in a normal rdr-to rule in pf? Like I said, the pf rule just works fine, so the traffic can go through all the interfaces just fine.
> > > >
> > > > regards
> > > >
> > > > Markus
> > >
> > > You can't do what you want with a layer 7 relay in relayd. Redirect rules in pf work because pf doesn't know or care about DNS host names.
> > >
> > > Because you are using SSL, once you need to make decisions based on the host, you have two options: A relay server that supports SNI so it can see the Host and forward to the right server. Or terminating the SSL encryption at the relay server so you can read the unencrypted host value.
> > >
> > > Option 2 is required for relayd as it does not support SNI. But that means the relay server holds the SSL certificate. You can only have 1 certificate per IP and port. If you want to use individual certs for each web site, you're stuck. You either need to use different ports, which is typically a non-starter for web sites, or put multiple IPs on the relay box.
> > >
> > > If security between the relay server and web servers is necessary (don't trust someone else's network, and if possible, don't trust your own) you can re-encrypt the communication from relayd and the web server, but it'll be relayd using the web server certificate, not the user.
Re: relayd https relay
I try to figure out the ca file option mentioned by Ronan, maybe this is some kind of option here.

On 21.09.2017 at 14:11, trondd wrote:
> On Thu, September 21, 2017 3:49 am, rosjat wrote:
>> Hi, so I added the with tls keywords to the relay and my webserver gets requests now, but from my relayhost, and this is making the way back quite hard :( So I added the X headers for Forwarded-For and Forwarded-By, but it still leaves the question how to tell the relayhost to just let it all out like in a normal rdr-to rule in pf? Like I said, the pf rule just works fine, so the traffic can go through all the interfaces just fine.
>>
>> regards
>> Markus
>
> You can't do what you want with a layer 7 relay in relayd. Redirect rules in pf work because pf doesn't know or care about DNS host names. Because you are using SSL, once you need to make decisions based on the host, you have two options: A relay server that supports SNI so it can see the Host and forward to the right server. Or terminating the SSL encryption at the relay server so you can read the unencrypted host value.
>
> Option 2 is required for relayd as it does not support SNI. But that means the relay server holds the SSL certificate. You can only have 1 certificate per IP and port. If you want to use individual certs for each web site, you're stuck. You either need to use different ports, which is typically a non-starter for web sites, or put multiple IPs on the relay box.
>
> If security between the relay server and web servers is necessary (don't trust someone else's network, and if possible, don't trust your own) you can re-encrypt the communication from relayd and the web server but it'll be relayd using the web server certificate, not the user.
Re: relayd multiple values in match rules ?
Ok, it seems I got myself a bit mixed up with the wildcard problem. I tested *.domain.tld and didn't get it to work, but it seems *domain.tld does the trick. So this one seems to be solved :)

Regards
Markus

On 21.09.2017 at 11:59, rosjat wrote:
> Hi there,
>
> in my battle with relayd I noticed that a line like
>
>   match request quick header "Host" value "domain.tld" forward to
>
> works perfectly for a request like http://domain.tld but breaks on http://www.domain.tld. So I can add a new rule like
>
>   match request quick header "Host" value "www.domain.tld" forward to
>
> and I'm good for the www part, but it gets kinda silly if I have to add more requests. So the basic question, because I didn't see it in the examples, is it possible to write something like
>
>   match request quick header "Host" value "*.domain.tld" forward to
>
> or at least
>
>   match request quick header "Host" value {"domain.tld" "www.domain.tld"} forward to
>
> Regards
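As an added example that draws both threads together (the *domain.tld wildcard match from this one and the TLS-terminating relay from the "relayd https relay" thread), and that is not taken from any of the posts: a relayd.conf sketch in which relayd terminates TLS with one certificate whose SAN covers every site, routes on the Host header, adds the forwarding headers and re-encrypts to the backends. The addresses, table names and the /etc/ssl/webca.pem path are assumptions, and the tls { ca file } line is assumed syntax that should be checked against relayd.conf(5) for your release.

```conf
# Added example, not from the thread. Addresses, table names and paths are
# assumptions; check directive syntax against relayd.conf(5) for your release.
gateway="203.0.113.10"                 # public relay address (assumed)

# Backend web servers, one table per site (assumed addresses)
table <site1> { 10.0.0.11 }
table <site2> { 10.0.0.12 }

http protocol "httpproxy" {
        # Let the backends see the real client address and the relay itself.
        match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"

        # Route on the Host header once TLS has been terminated here.
        # "*site1.tld" matches both site1.tld and www.site1.tld, which is the
        # form that worked in the wildcard thread ("*.site1.tld" did not).
        match request quick header "Host" value "*site1.tld" forward to <site1>
        match request quick header "Host" value "*site2.tld" forward to <site2>

        # Verify the backend certificate when re-encrypting to the web servers.
        # Assumed syntax; a small file holding only the signing CA also avoids the
        # oversized-'ca file' imsg problem trondd mentions.
        tls { ca file "/etc/ssl/webca.pem" }
}

# Plain HTTP: no certificate needed, routing works on the Host header directly.
relay "proxy" {
        listen on $gateway port http
        protocol "httpproxy"
        forward to <site1> port http
        forward to <site2> port http
}

# HTTPS: relayd terminates TLS, so it needs a certificate for this IP and port,
# /etc/ssl/203.0.113.10:443.crt with its key in /etc/ssl/private/203.0.113.10:443.key,
# whose SAN lists every site served here (one certificate per IP and port, no SNI).
relay "proxyssl" {
        listen on $gateway port https tls
        protocol "httpproxy"
        forward with tls to <site1> port https
        forward with tls to <site2> port https
}
```

Because the client's TLS session ends at the relay, the backends only ever see relayd's connection; the X-Forwarded-For header is the only record of the original client address, so the backends should trust it only from the relay's address.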
relayd multiple values in match rules ?
Hi there,

in my battle with relayd I noticed that a line like

  match request quick header "Host" value "domain.tld" forward to

works perfectly for a request like http://domain.tld but breaks on http://www.domain.tld. So I can add a new rule like

  match request quick header "Host" value "www.domain.tld" forward to

and I'm good for the www part, but it gets kinda silly if I have to add more requests. So the basic question, because I didn't see it in the examples, is it possible to write something like

  match request quick header "Host" value "*.domain.tld" forward to

or at least

  match request quick header "Host" value {"domain.tld" "www.domain.tld"} forward to

Regards
Re: relayd https relay
Hi,

so I added the with tls keywords to the relay and my webserver gets requests now, but from my relayhost, and this is making the way back quite hard :( So I added the X headers for Forwarded-For and Forwarded-By, but it still leaves the question how to tell the relayhost to just let it all out like in a normal rdr-to rule in pf? Like I said, the pf rule just works fine, so the traffic can go through all the interfaces just fine.

regards
Markus

On 21.09.2017 at 08:27, rosjat wrote:
> Hi there,
>
> ok I tried the with tls option and I can at least see relayd tries to send the request to the webserver. I still can't get a proper response from the webserver. When I do a simple rdr-to rule in pf it just works. Do I need to do some magic that I still miss?
>
> Regards
> Markus
>
> On 21.09.2017 at 07:19, rosjat wrote:
>> Hi Ronan,
>>
>> thanks for the hint, I'll give it a try!
>>
>> regards
>> Markus
>>
>> On 20.09.2017 at 21:30, Ronan Viel wrote:
>>> Hi,
>>>
>>> This kind of config works perfectly on my box. I am not sure SNI has something to do here as relayd terminates the https connection, gets all the headers and reopens a new one. I just think you forgot the "with tls" in your forward directive below:
>>>
>>>   relay "proxyssl" {
>>>           listen on $gateway port https
>>>           protocol "httpproxy"
>>>           forward with tls to port https
>>>   }
>>>
>>> Do not forget to set a "ca file" in your protocol section if you want relayd to check the certificate of your target's server (see relayd.conf man).
>>>
>>> Ronan
Re: relayd https relay
Hi there,

ok I tried the with tls option and I can at least see relayd tries to send the request to the webserver. I still can't get a proper response from the webserver. When I do a simple rdr-to rule in pf it just works. Do I need to do some magic that I still miss?

Regards
Markus

On 21.09.2017 at 07:19, rosjat wrote:
> Hi Ronan,
>
> thanks for the hint, I'll give it a try!
>
> regards
> Markus
>
> On 20.09.2017 at 21:30, Ronan Viel wrote:
>> Hi,
>>
>> This kind of config works perfectly on my box. I am not sure SNI has something to do here as relayd terminates the https connection, gets all the headers and reopens a new one. I just think you forgot the "with tls" in your forward directive below:
>>
>>   relay "proxyssl" {
>>           listen on $gateway port https
>>           protocol "httpproxy"
>>           forward with tls to port https
>>   }
>>
>> Do not forget to set a "ca file" in your protocol section if you want relayd to check the certificate of your target's server (see relayd.conf man).
>>
>> Ronan
Re: relayd https relay
Hi Ronan,

thanks for the hint, I'll give it a try!

regards
Markus

On 20.09.2017 at 21:30, Ronan Viel wrote:
> Hi,
>
> This kind of config works perfectly on my box. I am not sure SNI has something to do here as relayd terminates the https connection, gets all the headers and reopens a new one. I just think you forgot the "with tls" in your forward directive below:
>
>   relay "proxyssl" {
>           listen on $gateway port https
>           protocol "httpproxy"
>           forward with tls to port https
>   }
>
> Do not forget to set a "ca file" in your protocol section if you want relayd to check the certificate of your target's server (see relayd.conf man).
>
> Ronan
Re: relayd https relay
Hi Brian,

I know that scenario, but I want to serve an individual certificate for every virtual host (httpd can do that), so I was looking for a simple relay by looking at the header, but I might not get it to work this way :(

On 20.09.2017 at 14:10, Bryan Harris wrote:
> I don't think you can know the host header unless you decrypt the https using a certificate. It seems that idea would require SNI but I don't know if they have SNI in relayd/httpd. (I could be wrong about that.)
>
> In mine I have listen on $ext_addr port 443 tls. Then exists /etc/ssl/ipaddr:443.crt file. Look at phrase "/etc/ssl/address:port.crt" in relayd.conf(5).
>
> The book below shows this scenario and how to use acme-client to get a free certificate from Let's Encrypt.
> https://www.michaelwlucas.com/tools/relayd
>
> V/r,
> Bryan
>
> On Wed, Sep 20, 2017 at 4:37 AM, rosjat wrote:
>> there is of course a tls too much in the config, it's just
>>
>>   relay "proxyssl" {
>>           listen on $gateway port https
>>           protocol "httpproxy"
>>           forward to port https
>>   }
>>
>> On 20.09.2017 at 10:19, rosjat wrote:
>>> Hi there,
>>>
>>> just a simple question about the relaying of https connections. Is it possible to simply pass the https traffic to the webserver with relayd? My naive approach was simply checking the host name in the header and then forwarding it to the http or https port. This works for http but with https it doesn't. Here are my relayd.conf parts:
>>>
>>>   http protocol "httpproxy" {
>>>           match request quick header "Host" value "random-domain1.tld" forward to
>>>           match request quick header "Host" value "random-domain2.tld" forward to
>>>   }
>>>
>>>   relay "proxy" {
>>>           listen on $gateway port http
>>>           protocol "httpproxy"
>>>           forward to port http
>>>           forward to port http
>>>   }
>>>
>>>   relay "proxyssl" {
>>>           listen on $gateway port https
>>>           protocol "httpproxy"
>>>           forward to port https tls
>>>   }
>>>
>>> With this I don't get a relay for https it seems; if I add tls to the listen part I get told relayd can't find the certificates. And that is totally understandable because there are no certs on this machine for these domains, because they are on the webserver machine. So it all boils down to the question, do I have to set up my certificates on the relay host to be able to use an https relay?
>>>
>>> regards
Re: relayd https relay
there is of course a tls too much in the config, it's just

  relay "proxyssl" {
          listen on $gateway port https
          protocol "httpproxy"
          forward to port https
  }

On 20.09.2017 at 10:19, rosjat wrote:
> Hi there,
>
> just a simple question about the relaying of https connections. Is it possible to simply pass the https traffic to the webserver with relayd? My naive approach was simply checking the host name in the header and then forwarding it to the http or https port. This works for http but with https it doesn't. Here are my relayd.conf parts:
>
>   http protocol "httpproxy" {
>           match request quick header "Host" value "random-domain1.tld" forward to
>           match request quick header "Host" value "random-domain2.tld" forward to
>   }
>
>   relay "proxy" {
>           listen on $gateway port http
>           protocol "httpproxy"
>           forward to port http
>           forward to port http
>   }
>
>   relay "proxyssl" {
>           listen on $gateway port https
>           protocol "httpproxy"
>           forward to port https tls
>   }
>
> With this I don't get a relay for https it seems; if I add tls to the listen part I get told relayd can't find the certificates. And that is totally understandable because there are no certs on this machine for these domains, because they are on the webserver machine. So it all boils down to the question, do I have to set up my certificates on the relay host to be able to use an https relay?
>
> regards
relayd https relay
Hi there,

just a simple question about the relaying of https connections. Is it possible to simply pass the https traffic to the webserver with relayd? My naive approach was simply checking the host name in the header and then forwarding it to the http or https port. This works for http but with https it doesn't. Here are my relayd.conf parts:

  http protocol "httpproxy" {
          match request quick header "Host" value "random-domain1.tld" forward to
          match request quick header "Host" value "random-domain2.tld" forward to
  }

  relay "proxy" {
          listen on $gateway port http
          protocol "httpproxy"
          forward to port http
          forward to port http
  }

  relay "proxyssl" {
          listen on $gateway port https
          protocol "httpproxy"
          forward to port https tls
  }

With this I don't get a relay for https it seems; if I add tls to the listen part I get told relayd can't find the certificates. And that is totally understandable because there are no certs on this machine for these domains, because they are on the webserver machine. So it all boils down to the question, do I have to set up my certificates on the relay host to be able to use an https relay?

regards
Re: Crash on stopping relayd
Hi Maxim,

yeah I'll wait till 6.2 and do an upgrade. I mistyped the OS version, I have OpenBSD 6.1 running. I will be just a little more careful for now though :)

Regards
Markus

On 19.09.2017 at 22:09, Maxim Bourmistrov wrote:
> Checked out http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c
> Looks like this bug is fixed after 6.1, e.g. in 6.2.
>
> On 19 Sep 2017 at 18:43, rosjat wrote:
>> Hi there,
>>
>> I don't know if someone also had a problem like this. What happened is: I was stopping the relayd daemon with rcctl stop relayd and lost connection to my remote system. An hour later, sitting in front of the server in the data center, I saw that openbsd had crashed. This is what I could see in the logs:
>>
>> /bsd: panic: kernel diagnostic assertion "(sk->inp == NULL) || (sk->inp->inp_pf_sk == NULL)" failed: file "/usr/src/sys/net/pf.c", line 7072
>> Sep 19 13:59:42 heimdal /bsd: Stopped at Debugger+0x9: leave
>> Sep 19 13:59:42 heimdal /bsd: TID PID UID PRFLAGS PFLAGS CPU COMMAND
>> Sep 19 13:59:42 heimdal /bsd: Debugger() at Debugger+0x9
>> Sep 19 13:59:42 heimdal /bsd: panic() at panic+0xfe
>> Sep 19 13:59:42 heimdal /bsd: __assert() at __assert+0x25
>> Sep 19 13:59:42 heimdal /bsd: pf_state_key_unref() at pf_state_key_unref+0xc6
>> Sep 19 13:59:42 heimdal /bsd: pf_pkt_unlink_state_key() at pf_pkt_unlink_state_key+0x15
>> Sep 19 13:59:42 heimdal /bsd: m_free() at m_free+0xa0
>> Sep 19 13:59:42 heimdal /bsd: sbdrop() at sbdrop+0x80
>> Sep 19 13:59:42 heimdal /bsd: sbflush() at sbflush+0x1f
>> Sep 19 13:59:42 heimdal /bsd: sbrelease() at sbrelease+0x11
>> Sep 19 13:59:42 heimdal /bsd: sorflush() at sorflush+0x158
>> Sep 19 13:59:42 heimdal /bsd: sofree() at sofree+0xa7
>> Sep 19 13:59:42 heimdal /bsd: soclose() at soclose+0xf3
>> Sep 19 13:59:42 heimdal /bsd: soo_close() at soo_close+0x1c
>> Sep 19 13:59:42 heimdal /bsd: fdrop() at fdrop+0x2c
>> Sep 19 13:59:42 heimdal /bsd: end trace frame: 0x80002526dda0, count: 0
>> Sep 19 13:59:42 heimdal /bsd: https://www.openbsd.org/ddb.html describes the minimum info required in bug
>> Sep 19 13:59:42 heimdal /bsd: reports. Insufficient info makes it difficult to find and fix bugs.
>>
>> I run OpenBSD 6.0, at that time I didn't have all syspatches installed (till patch 015_sigio), so I don't know if it is fixed after installing all patches. So it seems the problem isn't in the relayd daemon but in pf, and maybe the relayd anchors?
>>
>> I feel a little reluctant right now to do anything with relayd on that machine because it will cause me just pain if the system crashes again. So if someone knows if this issue is fixed with a fully patched system it would help a lot. And as the name suggests it's a firewall machine and my SPOF :-(
>>
>> Regards
Crash on stopping relayd
Hi there,

I don't know if someone also had a problem like this. What happened is: I was stopping the relayd daemon with rcctl stop relayd and lost connection to my remote system. An hour later, sitting in front of the server in the data center, I saw that openbsd had crashed. This is what I could see in the logs:

/bsd: panic: kernel diagnostic assertion "(sk->inp == NULL) || (sk->inp->inp_pf_sk == NULL)" failed: file "/usr/src/sys/net/pf.c", line 7072
Sep 19 13:59:42 heimdal /bsd: Stopped at Debugger+0x9: leave
Sep 19 13:59:42 heimdal /bsd: TID PID UID PRFLAGS PFLAGS CPU COMMAND
Sep 19 13:59:42 heimdal /bsd: Debugger() at Debugger+0x9
Sep 19 13:59:42 heimdal /bsd: panic() at panic+0xfe
Sep 19 13:59:42 heimdal /bsd: __assert() at __assert+0x25
Sep 19 13:59:42 heimdal /bsd: pf_state_key_unref() at pf_state_key_unref+0xc6
Sep 19 13:59:42 heimdal /bsd: pf_pkt_unlink_state_key() at pf_pkt_unlink_state_key+0x15
Sep 19 13:59:42 heimdal /bsd: m_free() at m_free+0xa0
Sep 19 13:59:42 heimdal /bsd: sbdrop() at sbdrop+0x80
Sep 19 13:59:42 heimdal /bsd: sbflush() at sbflush+0x1f
Sep 19 13:59:42 heimdal /bsd: sbrelease() at sbrelease+0x11
Sep 19 13:59:42 heimdal /bsd: sorflush() at sorflush+0x158
Sep 19 13:59:42 heimdal /bsd: sofree() at sofree+0xa7
Sep 19 13:59:42 heimdal /bsd: soclose() at soclose+0xf3
Sep 19 13:59:42 heimdal /bsd: soo_close() at soo_close+0x1c
Sep 19 13:59:42 heimdal /bsd: fdrop() at fdrop+0x2c
Sep 19 13:59:42 heimdal /bsd: end trace frame: 0x80002526dda0, count: 0
Sep 19 13:59:42 heimdal /bsd: https://www.openbsd.org/ddb.html describes the minimum info required in bug
Sep 19 13:59:42 heimdal /bsd: reports. Insufficient info makes it difficult to find and fix bugs.

I run OpenBSD 6.0, at that time I didn't have all syspatches installed (till patch 015_sigio), so I don't know if it is fixed after installing all patches. So it seems the problem isn't in the relayd daemon but in pf, and maybe the relayd anchors?

I feel a little reluctant right now to do anything with relayd on that machine because it will cause me just pain if the system crashes again. So if someone knows if this issue is fixed with a fully patched system it would help a lot. And as the name suggests it's a firewall machine and my SPOF :-(

Regards
running spamd on firewall or on the mailsystem
Hi there,

I'd like to get some opinions on where to use the spamd daemon. Is it better to do the heavy stuff on the firewall or let it all pass to the mailsystem and do the filtering there?

regards
Re: maybe misc can help even it's not openbsd related
thanks all for the suggestions, I will take a look at it and come back with some kind of config output though. Sorry for the less useful input, but I'm trying to put pieces together in a way I can work with, and this work is in progress and in a very early stage. And once again this list is at least willing to respond to a dummy like me, so thumbs up guys !!!

regards
markus

On 24.08.2017 at 21:43, Mike Coddington wrote:
> On Thu, Aug 24, 2017 at 11:49:19AM +0200, Markus Rosjat wrote:
>> so here is my problem, I configured postfix and dkimproxy to work together. So far so good, because it works for outgoing mail. The problem I face is with local mails. Postfix somehow rewrites the recipient from the mail address to u...@domain.tld and then the lookup in my ldap directory fails. So the real question is, can I configure postfix to ignore the forwarding to dkimproxy for local delivery?
>
> Without seeing your configuration files, it's hard to tell. However, my guess is that you've got dkimproxy set to process all of your mail rather than having it only attached to the smtpd part of it. Check your master.cf and make sure that you're only referring to dkimproxy there, as opposed to calling it in main.cf somewhere.
>
> For example, I have SpamAssassin in my pipeline but only for external mail. I set it up that way by doing this with master.cf (among other things):
>
>   smtpd     pass  -       -       y       -       -       smtpd
>     -o smtpd_client_restrictions=$client_restrictions
>     -o content_filter=spamassassin
>
> By including the content_filter there, I'm able to have it only affect mail that originates from external hosts. I assume dkimproxy is called in a similar fashion. DKIM's too much of a pain in the butt for me though so I don't have first-hand experience with it.
maybe misc can help even it's not openbsd related
Hi there,

since I know people on this list are always willing to help even if it's not a real openbsd problem, I will give it a try. I tried to ask this on the postfix list but after a week without any response and resending the mail I gave up.

So here is my problem, I configured postfix and dkimproxy to work together. So far so good, because it works for outgoing mail. The problem I face is with local mails. Postfix somehow rewrites the recipient from the mail address to u...@domain.tld and then the lookup in my ldap directory fails. So the real question is, can I configure postfix to ignore the forwarding to dkimproxy for local delivery?

regards
maildrop-postfix question
Hi there,

I try to get maildrop to work with postfix, so I installed the maildrop-postfix package and did the config in main.cf. The strange part is that maildrop still tries to use authdaemon ... well, I thought okay, install courier-utils because it seems both things are related, and I get all the authtools but they don't work because authdaemon still isn't there.

So the basic question here is, what to enable with rcctl to get authdaemon up and running, or if this isn't the way to go with maildrop and postfix, what is, to get rid of logs like

  Command output: ERR: authdaemon: s_connect() failed: No such file or directory
  /usr/local/bin/maildrop: Temporary authentication failure.

regards
OpenBSD 6.1 some Warnings when using OpenLDAP Tools
Hi there,

this is more an info than a problem, though, since it seems to work. When I use the slap tools like slapcat I get a size mismatch warning like this:

  slapcat:/usr/local/lib/libicuuc.so.12.0: /usr/local/lib/libicudata.so.12.0 : WARNING: symbol(icudt58_dat) size mismatch, relink your program

It's a fresh install from the ports, so some of the maintainers might like to know that.

regards
Re: Opensmtpd-extras documentation
ok, turns out it's not an LDAP problem at all ... since OpenSMTPD doesn't authenticate with a plain password at all it will always fail.

regards
markus

On 31.07.2017 at 17:44, Markus Rosjat wrote:
> Hi there,
>
> Is there some documentation on the ldapFilter? It's kinda frustrating to see a 535 Auth failed even when you are sure you got the right credentials. I have openldap running but without some basic info on how to pass looked-up information on to smtpd I'm lost here.
>
> Regards
> Markus
>
> Sent from my Samsung device.
Opensmtpd-extras documentation
Hi there,

Is there some documentation on the ldapFilter? It's kinda frustrating to see a 535 Auth failed even when you are sure you got the right credentials. I have openldap running but without some basic info on how to pass looked-up information on to smtpd I'm lost here.

Regards
Markus

Sent from my Samsung device.
Re: OpenSMTP and OpenLDAP
Hey Henrik,

This was a hint I was looking for though! I will check that out :)

Regards
Markus

Original message
From: Henrik Friedrichsen
Date: 25.07.17 19:15 (GMT+01:00)
To: misc@openbsd.org
Cc: ros...@ghweb.de
Subject: Re: OpenSMTP and OpenLDAP

Hey,

On Tue, Jul 25, 2017 at 10:50:32AM +0200, Markus Rosjat wrote:
> I was just wondering if those two work together at all? I saw examples with ldapd that ships with the OS but not with OpenLDAP. Since I try to get my user table defined, and the man only has options for db and file, what's the way to go here if there is a way at all?

The OpenSMTPD-extras package should have an LDAP filter. I have no experience with it and whether it works with OpenLDAP, but it might be a starting point:
https://github.com/OpenSMTPD/OpenSMTPD-extras/tree/master/extras/tables/table-ldap
Re: OpenSMTP and OpenLDAP
well, it seems no one has an answer to that, so while you always see examples for ldapd, I'm still confused, since man smtpd.conf states you should use file:/ or db:/ to define a table, and no other option like ldap:/ is mentioned at all.

So let's refine the question ... Is LDAP supported in OpenSMTP at all? And if so, where to find a piece of information on how to configure it?

regards
Markus

On 25.07.2017 at 10:50, Markus Rosjat wrote:
> Hi there,
>
> I was just wondering if those two work together at all? I saw examples with ldapd that ships with the OS but not with OpenLDAP. Since I try to get my user table defined, and the man only has options for db and file, what's the way to go here if there is a way at all?
>
> Regards
OpenSMTP and OpenLDAP
Hi there,

I was just wondering if those two work together at all? I saw examples with ldapd that ships with the OS but not with OpenLDAP. Since I try to get my user table defined, and the man only has options for db and file, what's the way to go here if there is a way at all?

Regards
guidelines for migration openldap directory to ldapd ?
Hi there,

I was wondering if there is something like that for migrating an existing OpenLDAP directory to ldapd? I took a look at the config files and some stuff was basically the same information with different syntax. The aim is to make working with ldap authentication and opensmtp as simple as possible. So since ldapd and smtpd both ship with the system I thought this would be the way to go. Since I don't have much experience with both tools I was looking for some advice from all the gurus out there :)

regards
Re: sftp chroot
thanks for the info, the read only would be rw, but it's at least worth looking at even if it's hackish :-P But I also figured, since I don't need a shell for these users I can simply force them into an sftp chroot somewhere else, but this is something I have to refine more. On my test machine I have a kinda weird setup right now:

- normal system user with home in /home/username
- forced into a chroot with sshd_config somewhere in /var/www/htdocs/chrootdir

I have to wait and see if this is a solution to go with, but then again, as long as it does what it is supposed to do I'm okay with it. So let's wait for the crybabies to complain about all the things they can't do without asking for permission first.

Regards
Markus

On 14.06.2017 at 20:53, Ville Valkonen wrote:
> On 14 June 2017 at 11:33, Markus Rosjat wrote:
>> Hi there,
>>
>> I want to build an sftp environment where the user is chrooted to his home dir. So far so good, but then again the user might need access to a webserver resource like /var/www/htdocs/some_dir. As far as I understand a symlink doesn't work in the chroot setup and I'm not quite sure how to achieve this. I could simply make /var/www/htdocs/some_dir the home dir of the user but I'm not sure if this is the recommended way. So once again advice is helpful :)
>>
>> regards
>
> Hi,
>
> here's the NFS solution you were after:
>
>   $ grep 127.0.0.1 /etc/exports
>   /home/store/music -ro -mapall=extuser1 127.0.0.1
>   /home/store/not_sorted -ro -mapall=extuser1 127.0.0.1
>
> and chroot /home/$user as usual. Now the extuser1 has read only access to certain shares. Hackish? Definitely. Use at your own risk.
>
> --
> Regards,
> Ville