Re: OpenSMTPD??? how do I do these things, or do I just use postfix?
On Sat, Jan 26, 2019 at 09:23:37PM +1000, Stuart Longland wrote:
> Hi Gilles,
> On 25/1/19 11:29 pm, Gilles Chehade wrote:
> > On Fri, Jan 25, 2019 at 11:15:47PM +1000, Stuart Longland wrote:
> >> First and foremost is the issue of backscatter-prevention. I would like
> >> OpenSMTPD to validate the addresses passed to it before accepting them
> >> for relay to my primary MX.???
> >
> > How you do it depends on which version you are running.
> >
> > before 6.4:
> >
> > accept [...] recipient [...]
> >
> >
> > after 6.4:
> >
> > match [..] rcpt-to [...]
> >
> >
> > where table is a table containing a list of recipient addresses for that
> > rule to match.
>
> That looks as if it'll do nicely. I'll do some research into how the
> table is formatted??? but I'm guessing of the two formats supported, the
> array form `table mylist { value1, value2, value3 }` would be the form
> to use here?
>
yes, if you use a static table:
table foobar { a@b.c, b@c.d }
if the table is a file, then one address per-line, see table(5).
> >> Second is about how to define custom mail transports. Rather than using
> >> SMTP/SSL like I am now, I'd like the emails destined for relay to my
> >> server, to be encrypted using a RSA key, (well, AES, then RSA encrypt
> >> the AES key) then either:
> >> - scp'd to a special spool directory on my Linux server??? OR if it
> >> happens to be down,
> >> - placed in a special directory on the VPS for my server to later ciphon
> >> down using `rsync --remove-source-files` over SSH. (Basically, a bit
> >> like UUCP.)
> >>
> >
> > no custom mail transports in smtpd.
> >
> > a way to achieve what you want is to write a custom mda, and this is
> > actually how i did it to achieve a use-case similar to yours in the
> > past.
>
> No problems, I'll have a closer look at how the MDA stuff works then. :-)
>
> Really it's an `rmail` work-alike that I'll probably wind up writing,
> we'll see how it goes.
>
mda is basically a program that reads input from stdin and exits with the
proper status to report to the mta that delivery was successful, whatever
happens in between is up to you.
--
Gilles Chehade @poolpOrg
https://www.poolp.org tip me: https://paypal.me/poolpOrg
Re: OpenSMTPD??? how do I do these things, or do I just use postfix?
Hi Gilles,
On 25/1/19 11:29 pm, Gilles Chehade wrote:
> On Fri, Jan 25, 2019 at 11:15:47PM +1000, Stuart Longland wrote:
>> First and foremost is the issue of backscatter-prevention. I would like
>> OpenSMTPD to validate the addresses passed to it before accepting them
>> for relay to my primary MX.…
>
> How you do it depends on which version you are running.
>
> before 6.4:
>
> accept [...] recipient [...]
>
>
> after 6.4:
>
> match [..] rcpt-to [...]
>
>
> where table is a table containing a list of recipient addresses for that
> rule to match.
That looks as if it'll do nicely. I'll do some research into how the
table is formatted… but I'm guessing of the two formats supported, the
array form `table mylist { value1, value2, value3 }` would be the form
to use here?
>> Second is about how to define custom mail transports. Rather than using
>> SMTP/SSL like I am now, I'd like the emails destined for relay to my
>> server, to be encrypted using a RSA key, (well, AES, then RSA encrypt
>> the AES key) then either:
>> - scp'd to a special spool directory on my Linux server??? OR if it
>> happens to be down,
>> - placed in a special directory on the VPS for my server to later ciphon
>> down using `rsync --remove-source-files` over SSH. (Basically, a bit
>> like UUCP.)
>>
>
> no custom mail transports in smtpd.
>
> a way to achieve what you want is to write a custom mda, and this is
> actually how i did it to achieve a use-case similar to yours in the
> past.
No problems, I'll have a closer look at how the MDA stuff works then. :-)
Really it's an `rmail` work-alike that I'll probably wind up writing,
we'll see how it goes.
--
Stuart Longland (aka Redhatter, VK4MSL)
I haven't lost my mind...
...it's backed up on a tape somewhere.
Re: OpenSMTPD??? how do I do these things, or do I just use postfix?
On Fri, Jan 25, 2019 at 11:15:47PM +1000, Stuart Longland wrote: > Hi all, > > I've got a few silly questions regarding OpenSMTPD??? I'd ask on the > opensmtpd misc mailing list, but my subscribe requests keep bouncing > after a few days. Since I'm running OpenSMTPD on OpenBSD, I figure > they're on-topic here too. > I can probably help with this ;-) > [...] > > First and foremost is the issue of backscatter-prevention. I would like > OpenSMTPD to validate the addresses passed to it before accepting them > for relay to my primary MX. In Postfix I can put > > relay_recipient_maps = hash:/etc/postfix/valid_recipients > > into /etc/postfix/main.cf and fill that valid_recipients file with > > f...@example.com x > b...@example.comx > > I can come up with a full list -- no problem, but the question is how do > I encode this list into the configuration of OpenSMTPD so that if the > list contained f...@example.com and b...@example.com, but someone tries > sending to foo...@example.com, that RCPT TO request is rejected before > the email delivery begins. > How you do it depends on which version you are running. before 6.4: accept [...] recipient [...] after 6.4: match [..] rcpt-to [...] where table is a table containing a list of recipient addresses for that rule to match. > Second is about how to define custom mail transports. Rather than using > SMTP/SSL like I am now, I'd like the emails destined for relay to my > server, to be encrypted using a RSA key, (well, AES, then RSA encrypt > the AES key) then either: > - scp'd to a special spool directory on my Linux server??? OR if it > happens to be down, > - placed in a special directory on the VPS for my server to later ciphon > down using `rsync --remove-source-files` over SSH. (Basically, a bit > like UUCP.) > no custom mail transports in smtpd. a way to achieve what you want is to write a custom mda, and this is actually how i did it to achieve a use-case similar to yours in the past. -- Gilles Chehade @poolpOrg https://www.poolp.org tip me: https://paypal.me/poolpOrg
OpenSMTPD… how do I do these things, or do I just use postfix?
Hi all, I've got a few silly questions regarding OpenSMTPD… I'd ask on the opensmtpd misc mailing list, but my subscribe requests keep bouncing after a few days. Since I'm running OpenSMTPD on OpenBSD, I figure they're on-topic here too. I have two servers (actually more than that, but two that are relevant to this discussion). One is a Gentoo Linux machine with Postfix, which acts as my primary MX. I keep it up to date, it's been a good workhorse, and provided many years of service. No reason to change it at this stage. I have a VPS with a hosting provider (BinaryLane in Brisbane; they're OpenStack/Xen-based), which runs OpenBSD 6.4. I primarily use this machine as a slave DNS server (with nsd). I figure it'd be a nice idea to use this machine as a backup MX. Right now, OpenSMTPD is running there, and whilst it is not publicly listening for SMTP traffic, it is configured to forward all *local* mail to my primary MX (where it has a virtual domain configured) so I can receive messages from `cron`, etc. Aside from some hiccups with TLS verification which I worked around by adding my custom CA to /etc/ssl/cert.pem, it all went smoothly. (I'd prefer to have OpenSMTPD verify my home server's certificate against a *specific* CA key, but at least it's working.) First and foremost is the issue of backscatter-prevention. I would like OpenSMTPD to validate the addresses passed to it before accepting them for relay to my primary MX. In Postfix I can put relay_recipient_maps = hash:/etc/postfix/valid_recipients into /etc/postfix/main.cf and fill that valid_recipients file with f...@example.com x b...@example.comx I can come up with a full list -- no problem, but the question is how do I encode this list into the configuration of OpenSMTPD so that if the list contained f...@example.com and b...@example.com, but someone tries sending to foo...@example.com, that RCPT TO request is rejected before the email delivery begins. Second is about how to define custom mail transports. Rather than using SMTP/SSL like I am now, I'd like the emails destined for relay to my server, to be encrypted using a RSA key, (well, AES, then RSA encrypt the AES key) then either: - scp'd to a special spool directory on my Linux server… OR if it happens to be down, - placed in a special directory on the VPS for my server to later ciphon down using `rsync --remove-source-files` over SSH. (Basically, a bit like UUCP.) The idea here is two-fold: 1. if someone gets even `root` access to the VPS (or mirrors the disk, etc)… there's no copy of the private key needed to decrypt the files -- that is safely stored on my home server. 2. if say the NBN roll-out in my patch of Brisbane gets royally screwed and I lose my static IPv4 address, I can make this server my primary MX and have the old server just "poll" for new messages. (Outbound delivery of mail will be a separate issue.) Again, in Postfix I'd define a script to do the encryption/scp/etc in /etc/postfix/master.cf, then set up transport_maps to direct the mail there. Would the equivalent in OpenSMTPD be `mda` or is there some other method? -- Stuart Longland (aka Redhatter, VK4MSL) I haven't lost my mind... ...it's backed up on a tape somewhere.
