smtpd.conf on OpenBSD: how to say "internal network"?
Hi folks,

hardwired constants in my smtpd.conf are causing problems with IPv6 prefix delegation, so I wonder if there is some abbr. for "internal network"? Something like

    # table localnet { 10.10.10.0/24 10.10.11.0/24 2001:db8:abcd:0012::/64 }
    :
    listen on intern tls pki $xname
    listen on extern tls pki $xname
    :
    action "relay" relay
    # match from src for any action "relay"
    match from src (intern:network) for any action "relay"
    :

(similar to pf.conf on OpenBSD)? "intern" would be the interface group configured for all internal network interfaces.

I tried

    # table localnet { 10.10.10.0/24 10.10.11.0/24 2001:db8:abcd:0012::/64 }
    :
    listen on intern tls pki $xname tag INTERN
    listen on extern tls pki $xname tag EXTERN
    :
    action "relay" relay
    # match from src for any action "relay"
    match tag INTERN for any action "relay"
    :

Doesn't work :-(. If I enable the old "localnet" lines, then it does.

Hopefully I am not too blind to see, but I haven't found this in smtpd.conf(5). Every helpful comment is highly appreciated.

Regards
Harri
smtpctl: lookup_record: %{i}._spf.mta.salesforce.com contains macros and can't be resolved
Hi folks,

smtpctl spfwalk returns messages like

    smtpctl: lookup_record: %{i}._spf.mta.salesforce.com contains macros and can't be resolved
    smtpctl: lookup_record: %{ir}.%{v}.%{d}.spf.has.pphosted.com contains macros and can't be resolved
    smtpctl: lookup_record: %{i}._spf.mta.salesforce.com contains macros and can't be resolved
    smtpctl: lookup_record: %{ir}.%{v}.%{d}.spf.has.pphosted.com contains macros and can't be resolved
    smtpctl: lookup_record: %{i}._spf.mta.salesforce.com contains macros and can't be resolved
    smtpctl: lookup_record: %{i}._spf.mta.salesforce.com contains macros and can't be resolved
    smtpctl: lookup_record: %{i}._spf.mta.salesforce.com contains macros and can't be resolved
    smtpctl: lookup_record: %{i}._spf.corp.salesforce.com contains macros and can't be resolved
    smtpctl: lookup_record: %{i}._spf.mta.salesforce.com contains macros and can't be resolved

is this something the owner of the SPF record in DNS has to fix, is this not implemented yet, or what is the story here?

Every insightful comment is highly appreciated
Harri
what does "from=<>" mean?
Hi folks

I see quite a number of EMails mentioned in /var/log/maillog with a string "from=<>", e.g.

    Jul 6 08:08:24 mailgate smtpd[84448]: 90d0e01d76abce9c mta delivery evpid=e62074ed220d58f9 from=<> to= rcpt=<-> source="10.0.96.7" relay="10.0.96.11 (mailhost.mydomain.com)" delay=0s result="Ok" stat="250 2.0.0 26668Kn61587355 Message accepted for delivery"

It's pretty unlikely that an EMail pops up from nowhere, so what does this "from=<>" actually mean? Would it be possible to add some more useful information to this line?

Regards
Harri
bounce invalid message IDs?
Hi folks, is it possible to bounce invalid message IDs, e.g. using a UUID instead of the well-known format (https://en.wikipedia.org/wiki/Message-ID)? Regards Harri
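What the "well-known format" mentioned in this post amounts to, as an added example that is not part of the original post and not OpenSMTPD code: a Python check for the RFC 5322 msg-id syntax, of the kind a filter could apply before deciding whether a message should be bounced. The function names and the header blocks in the usage section are my own; a UUID, with or without angle brackets, fails the check because it has no "@" separating id-left from id-right.

```python
"""RFC 5322 msg-id syntax check (added example; not OpenSMTPD code).

A Message-ID is "<" id-left "@" id-right ">", where both sides are dot-atom
text and id-right may also be a bracketed literal such as [192.0.2.1].
A bare UUID fails because it has no "@"."""
import re

# atext per RFC 5322 section 3.2.3
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
_DOT_ATOM = rf"{_ATEXT}+(?:\.{_ATEXT}+)*"
# no-fold-literal: "[" *dtext "]" with dtext = printable ASCII except "[", "]" and "\"
_NO_FOLD_LITERAL = r"\[[\x21-\x5a\x5e-\x7e]*\]"
_MSG_ID_RE = re.compile(rf"<({_DOT_ATOM})@({_DOT_ATOM}|{_NO_FOLD_LITERAL})>")


def parse_message_id(value):
    """Return (id_left, id_right) if value is a syntactically valid msg-id, else None."""
    m = _MSG_ID_RE.fullmatch(value.strip())
    return (m.group(1), m.group(2)) if m else None


def message_id_from_headers(raw_headers):
    """Pull the (unfolded) Message-ID value out of a raw header block, or None if absent."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)   # undo header folding first
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "message-id":
            return value.strip()
    return None


def classify_message_id(raw_headers):
    """Policy view of a header block: 'missing', 'invalid' or 'ok'."""
    value = message_id_from_headers(raw_headers)
    if value is None or value == "":
        return "missing"
    return "ok" if parse_message_id(value) else "invalid"


if __name__ == "__main__":
    # constructed header blocks: a valid id, a UUID in brackets, no header at all
    for hdrs in ("Message-ID: <abc123@example.com>\nSubject: t",
                 "Message-ID: <550e8400-e29b-41d4-a716-446655440000>\nSubject: t",
                 "Subject: t"):
        print(classify_message_id(hdrs))
```

The check is purely syntactic: it says nothing about whether the id is unique or was generated by the host named on its right-hand side, which is all RFC 5322 asks for anyway.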
Re: EMails to "ORCPT=rfc822;u...@example.com" are rejected
On 2022-05-31 11:50:39, Harald Dunkel wrote: Hi Frank, I am not sure if I got this correctly, but AFAIU you assume some unusual chars in the recipient address. There are none, according to /var/log/maillog. The chars in the recipient address are between 0x33 and 0x7e. And there is neither a '+' nor a '='. PS: between 0x21 and 0x7e, of course. Regards Harri
Re: EMails to "ORCPT=rfc822;u...@example.com" are rejected
Hi Frank,

I am not sure if I got this correctly, but AFAIU you assume some unusual chars in the recipient address. There are none, according to /var/log/maillog. The chars in the recipient address are between 0x33 and 0x7e. And there is neither a '+' nor a '='.

I have the impression that the recipient address is valid.

Regards
Harri

On 2022-05-30 18:30:04, opensmtpd.open...@xpoundit.com wrote:

Hi Harri,

we had issues with e-mails containing ORCPT as well and fixed the rejection with a patch. Originally, we created the patch when 6.7 was out and applied it to the version of OpenSMTPD available in the FreeBSD ports. As of today, OpenSMTPD 6.8 is available in the FreeBSD ports system. The attached patches can be applied to this version (if you are on FreeBSD, just put them into ports/mail/opensmtpd/files). If needed, I can massage the patches so they can be applied against the OpenBSD base as well, where OpenSMTPD resides in nowadays (we mainly use it on FreeBSD). I did not do this yet, since I wanted to provide a quick answer.

In our case, the above mentioned groupware introduced characters in the ORCPT field (colons.., 0x3a), that led smtp_tx_rcpt_to() (usr.sbin/smtpd/smtp_session.c) to return with "553 ORCPT address syntax error". RFC3461 led us to the solution we are using today. In section 4.2 [1], the ABNF of ORCPT is defined as:

    orcpt-parameter = "ORCPT=" original-recipient-address
    original-recipient-address = addr-type ";" xtext
    addr-type = atom

The log you see is:

    May 27 08:42:30 mymta smtpd[10310]: f06a752b657b4a05 smtp failed-command command="RCPT TO: ORCPT=rfc822;u...@example.com" result="550 Invalid recipient: "

According to the ABNF of ORCPT, everything after addr-type ";" ("rfc822;" in your case) is supposed to be xtext, which is described a bit earlier in the introductory part of section 4 [2].

    xtext = *( xchar / hexchar )
    xchar = any ASCII CHAR between "!" (33) and "~" (126) inclusive, except for "+" and "=".
; "hexchar"s are intended to encode octets that cannot appear ; as ASCII characters within an esmtp-value. hexchar = ASCII "+" immediately followed by two upper case hexadecimal digits smtp_tx_rcpt_to() in usr.sbin/smtpd/smtp_session.c tries to convert the text of the ORCPT DSN into an e-mail address and wants to check the validity of the local and the domain part. We replaced this check, are validating the xtext portion as specified above and are replying with a more precise error message if this check fails: if (strncasecmp(opt, "rfc822;", 7) == 0) opt += 7; -if (!text_to_mailaddr(&tx->evp.dsn_orcpt, opt) || -!valid_localpart(tx->evp.dsn_orcpt.user) || -(strlen(tx->evp.dsn_orcpt.domain) != 0 && - !valid_domainpart(tx->evp.dsn_orcpt.domain))) { +if (!valid_xtext(opt)) { smtp_reply(tx->session, -"553 ORCPT address syntax error"); +"553 ORCPT xtext syntax error"); return; } In usr.sbin/smtpd/util.c we added valid_xtext(): +int +valid_xtext(const char *s) +{ +while (*s != '\0') { +if(*s == '\x2b' || *s == '\x3d') { +return 0; +} else if(*s <= '\x21' || *s >= '\x7e') { +return 0; +} else { +s++; +continue; +} +return 0; +} +return 1; +} I hope this helps to narrow down your issue a bit. What kind of non-e- mailish characters do you see in the ORCPT? In our case, the xtext portion of the ORCPT quite often contained valid e-mail addresses, but sometimes, it did not. As far as we understood the RFCs, xtext doas not necessarily need to be an e-mail address. This is why we decided to replace the original check. The above mentioned groupware used colons as field separators inside the xtext portion to keep track of the communication belonging to certain thread or, well, recipients. What do the others think of the way we are handling the ORCPT? 
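Review bot: the range check in valid_xtext() excludes the two boundary characters that the quoted grammar includes: `} else if(*s <= '\x21' || *s >= '\x7e') {` returns 0 for "!" (33) and "~" (126), although xchar is defined as 33 to 126 inclusive, so the comparisons should be `<` and `>`. The function also never admits the hexchar form ("+" followed by two upper-case hexadecimal digits) that the same grammar defines, because any "+" is rejected in the first branch; a check that follows the ABNF has to consume "+HH" as one unit and reject a "+" that is not followed by two upper-case hex digits. The `return 0;` after the if/else chain inside the loop is unreachable, since every branch either returns or continues, and should be dropped. Finally, `*s` is a plain char, which is signed on most platforms, so bytes above 0x7f compare as negative and only happen to fall into the `<=` branch; comparing through `(unsigned char)*s` makes that rejection explicit rather than accidental.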
Cheers Frank [1] https://datatracker.ietf.org/doc/html/rfc3461#section-4.2 [2] https://datatracker.ietf.org/doc/html/rfc3461#section-4 On Mon, 2022-05-30 at 09:04 +0200, Harald Dunkel wrote: Hi folks, my MTA (opensmtpd on OpenBSD 7.0) rejects a few EMails with a message like May 27 08:42:30 mymta smtpd[10310]: f06a752b657b4a05 smtp failed- command command="RCPT TO: ORCPT=rfc822;u...@example.com" result="550 Invalid recipient: " in /var/log/maillog. The EMails to u...@example.com without "ORCPT=rfc822;" are accepted and forwarded as usual. All EMails with "ORCPT=rfc822;" to any user are rejected. I have found https://github.com/OpenSMTPD/OpenSMTPD/issues/658 of course, but I don't see a configuration issue on my side. My MTA is just an MTA, there are no local users except for root. Every insightful comment is highly appreciated Harri
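A Python reimplementation of the xtext grammar quoted in the reply above (RFC 3461 section 4), added here as an example; it is my own code, not OpenSMTPD's and not the patch from the thread, and the function names are assumptions of this example. It accepts both boundary characters, "!" and "~", consumes the "+HH" escape as one unit and decodes it, and splits an ORCPT value into addr-type and xtext, so the colon-separated groupware tokens described above pass while a bare "+" or "=" does not.

```python
"""RFC 3461 section 4 xtext validation and decoding (added example; my own Python,
not OpenSMTPD code). Function names are assumptions of this example."""
import re

# xchar: any ASCII character 0x21..0x7E inclusive except "+" (0x2B) and "=" (0x3D);
# hexchar: "+" followed by exactly two upper-case hexadecimal digits.
_XTEXT_RE = re.compile(r"(?:[\x21-\x2a\x2c-\x3c\x3e-\x7e]|\+[0-9A-F]{2})*")


def valid_xtext(s):
    """True if s is well-formed xtext: "!" and "~" are allowed, "+HH" escapes are allowed,
    a bare "+" or "=" (or any control, space or non-ASCII character) is not."""
    return _XTEXT_RE.fullmatch(s) is not None


def decode_xtext(s):
    """Decode xtext to the original string, turning each "+HH" back into one octet."""
    if not valid_xtext(s):
        raise ValueError("malformed xtext")
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "+":                      # validation guarantees two hex digits follow
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(s[i]))
            i += 1
    return out.decode("latin-1")


def parse_orcpt(param):
    """Split an ORCPT value 'addr-type;xtext' (e.g. 'rfc822;user+40example.com').
    Returns (addr_type, decoded_text), or None when the syntax is invalid."""
    addr_type, sep, xtext = param.partition(";")
    if not sep or not addr_type or not valid_xtext(xtext):
        return None
    return addr_type, decode_xtext(xtext)


if __name__ == "__main__":
    # constructed ORCPT values: a plain address, a colon-separated groupware token,
    # an escaped "@", and one with a bare "=" that must be rejected
    for p in ("rfc822;user@example.com", "rfc822;thread:42:user@example.com",
              "rfc822;user+40example.com", "rfc822;user=bad"):
        print(p, "->", parse_orcpt(p))
```

Note that a valid xtext is not necessarily a mail address, which is exactly why the reply above separates the two checks; what to do with a decoded value that is not an address is a policy decision for the MTA, not a syntax question.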
EMails to "ORCPT=rfc822;u...@example.com" are rejected
Hi folks, my MTA (opensmtpd on OpenBSD 7.0) rejects a few EMails with a message like May 27 08:42:30 mymta smtpd[10310]: f06a752b657b4a05 smtp failed-command command="RCPT TO: ORCPT=rfc822;u...@example.com" result="550 Invalid recipient: " in /var/log/maillog. The EMails to u...@example.com without "ORCPT=rfc822;" are accepted and forwarded as usual. All EMails with "ORCPT=rfc822;" to any user are rejected. I have found https://github.com/OpenSMTPD/OpenSMTPD/issues/658 of course, but I don't see a configuration issue on my side. My MTA is just an MTA, there are no local users except for root. Every insightful comment is highly appreciated Harri
do I have to set pki in the relay action?
Hi folks, what is the default for the pki option in a relay action? The man page doesn't tell, AFAICS. Regards Harri
what happened to "protocols" and "ciphers" options?
Hi folks, on OpenBSD's smtpd I can set "protocols" and "ciphers" for the listen lines. They are not mentioned in the man page for smtpd.conf on Linux. What is the story here? Regards Harri
restart necessary on certificate upgrade (letsencrypt)?
Hi folks, I wonder if opensmtpd starts using new key and certificate chain automagically, in case they replaced the old files? Do I have to hup or restart smtpd? Hopefully I am not too blind to see, but apparently the man page doesn't tell. Regards Harri
6.9 regression: opensmtpd complains "smtp cert-check result="no certificate presented""
Hi folks,

since the upgrade to OpenBSD 6.9 at the weekend opensmtpd complains

    smtp cert-check result="no certificate presented"

for incoming EMails. opensmtpd.conf and the certificate chain hasn't changed. There is only a single MX defined in DNS (for both "example.com" and "example.de"), matching the certificate. The FAQs for the openbsd upgrade state for opensmtpd

    Configurations that use only a single certificate do not need updating.

Did I miss something here?

Every helpful comment is highly appreciated.
Harri

    # This is the smtpd server system-wide configuration file.
    # See smtpd.conf(5) for more information.
    # https://man.openbsd.org/OpenBSD-6.9/smtpd.conf.5

    xname = "mail.example.de"

    pki $xname cert "/etc/ssl/public/mail.example.de.chain.pem"
    pki $xname key "/etc/ssl/private/smtpd.key.pem"
    pki $xname dhe auto
    #
    # ca can be used to introduce another root CA authority. Intermediate
    # certs should be appended to the client certificate, instead.
    #
    # ca $xname cert "/etc/ssl/public/DigiCertCA.crt"

    listen on lo0 tls pki $xname
    listen on internal tls pki $xname
    listen on external tls pki $xname

    smtp max-message-size 128M

    table aliases db:/etc/mail/aliases.db
    #
    # permitted hosts: srvvm01, gate4a/b
    table trusted_mta {192.168.96.11 192.168.96.22 192.168.98.246 192.168.98.248 }
    table at_example {"@example.de", "@example.com"}
    table example {"example.de", "example.com"}
    table spf_protection_outlook_com file:/etc/mail/spf_protection_outlook_com
    table external_mta file:/etc/mail/external_mta

    action "local" mbox alias
    action "relay_example" relay host smtp://mailhost.ac.example.de helo "mail.example.de"
    action "relay_external" relay src { 10.145.142.10 2001:db8:13b0:::60 } helo "mail.example.de"
    #
    # first match wins, default is to reject.
    #
    # "from local" and "for local" are the defaults, but it is good practice to not
    # omit these statements.
    #
    match from local for local action "local"
    match from local for domain action "relay_example"
    match from local for any action "relay_external"
    match from src for domain action "relay_example"
    match from src for domain action "relay_example"
    match from src for domain action "relay_example"
    match from src for any action "relay_external"
    match from any mail-from for any reject
    match from any for domain action "relay_example"
    # the rest is rejected by default
    match from any for any reject
Re: smtpctl spf walk -6 ?
On 5/12/21 2:56 PM, Martijn van Duren wrote: Apparently it's a problem in glibc's inet_net_pton. It does not support AF_INET6. to.c has the same problem and works around this problem by handcrafting broken_inet_net_pton_ipv6(). Would it be possible to use inet_pton() ? Regards Harri
Re: smtpctl spf walk -6 ?
On 5/12/21 8:56 AM, nathanael wrote:

this is what i get on my machine:

    ~ echo spf.protection.outlook.com | smtpctl spf walk
    40.92.0.0/15
    40.107.0.0/16
    52.100.0.0/14
    104.47.0.0/17
    2a01:111:f400::/48
    2a01:111:f403::/48
    51.4.72.0/24
    51.5.72.0/24
    51.5.80.0/27
    20.47.149.138/32
    51.4.80.0/27
    2a01:4180:4051:0800::/64
    2a01:4180:4050:0800::/64
    2a01:4180:4051:0400::/64
    2a01:4180:4050:0400::/64

no idea why you don't see the ipv6 addresses

On OpenBSD 6.8 and 6.9 I get the expected result, too. The problem shows up on Debian 10 and Unstable (opensmtpd 6.8.0p2). Using strace I verified that smtpctl and dig connect to the same DNS server. Yet dig reports the IPv6 addresses, smtpctl spf walk doesn't. It's unlikely that the DNS server drops the IPv6 addresses from a TXT record, anyway. Maybe it's a problem of the BSD compatibility layer, included in the portable version?

Regards
Harri
smtpctl spf walk -6 ?
Hi folks,

I am a big fan of IPv6, so I wonder why smtpctl spf walk omits all the IPv6 addresses?

    # echo spf.protection.outlook.com | smtpctl spf walk
    40.92.0.0/15
    40.107.0.0/16
    52.100.0.0/14
    104.47.0.0/17
    51.4.72.0/24
    51.5.72.0/24
    51.5.80.0/27
    20.47.149.138/32
    51.4.80.0/27
    # dig spf.protection.outlook.com TXT +short | tr \  \\n
    "v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip4:52.100.0.0/14 ip4:104.47.0.0/17 ip6:2a01:111:f400::/48 ip6:2a01:111:f403::/48 include:spfd.protection.outlook.com -all"
    # echo spf.protection.outlook.com | smtpctl spf walk -6
    invalid command

Regards
Harri
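A static SPF walk in Python, added here as an example (it is not smtpctl's implementation) to make concrete two things the spf walk threads on this page run into: it collects ip6 networks alongside ip4 while following include: and redirect=, and it reports, rather than expands, any term whose domain-spec contains a macro such as %{i}, because such a name only exists once a concrete connection supplies the sender IP and domain. DNS is replaced by FAKE_TXT, a constructed table whose first two records are modelled on the outlook.com data quoted above; FAKE_TXT, lookup_txt and spf_walk are names of this example.

```python
"""Static SPF "walk" (added example, not smtpctl's implementation): follow include:
and redirect=, collect ip4/ip6 networks, and report the terms that cannot be resolved
because their domain-spec contains macros. DNS is replaced by FAKE_TXT, a constructed
table modelled on the records quoted in the thread."""
import ipaddress
import re

FAKE_TXT = {
    "spf.protection.outlook.com":
        "v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip6:2a01:111:f400::/48 "
        "ip6:2a01:111:f403::/48 include:spfd.protection.outlook.com -all",
    "spfd.protection.outlook.com":
        "v=spf1 ip4:51.4.72.0/24 ip6:2a01:4180:4051:0800::/64 -all",
    # constructed: an include plus a macro term of the kind spfwalk complains about
    "example.test":
        "v=spf1 include:spf.protection.outlook.com exists:%{i}._spf.example.test ~all",
}

MACRO_RE = re.compile(r"%\{")   # RFC 7208 macro expansion marker


def lookup_txt(name):
    """Stand-in for a DNS TXT query against the constructed table."""
    return FAKE_TXT.get(name.lower().rstrip("."))


def spf_walk(domain, seen=None):
    """Return (ip4, ip6, macro_terms) for domain. ip4/ip6 hold ipaddress network objects
    in discovery order; macro_terms lists 'domain: term' for every term skipped because
    its domain-spec contains a macro and therefore has no static answer."""
    seen = set() if seen is None else seen
    ip4, ip6, macro_terms = [], [], []
    domain = domain.lower().rstrip(".")
    if domain in seen:                       # include:/redirect= loop guard
        return ip4, ip6, macro_terms
    seen.add(domain)
    record = lookup_txt(domain)
    parts = record.split() if record else []
    if not parts or parts[0].lower() != "v=spf1":
        return ip4, ip6, macro_terms
    for term in parts[1:]:
        body = term.lstrip("+-~?")           # qualifiers do not matter for a walk
        if body.lower().startswith("redirect="):
            mech, arg = "include", body.split("=", 1)[1]
        else:
            mech, _, arg = body.partition(":")
        mech = mech.lower()
        if MACRO_RE.search(arg):
            macro_terms.append(f"{domain}: {term}")
            continue
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                continue                     # malformed network: skip, do not abort the walk
            (ip4 if net.version == 4 else ip6).append(net)
        elif mech == "include":
            sub4, sub6, submac = spf_walk(arg, seen)
            ip4.extend(sub4)
            ip6.extend(sub6)
            macro_terms.extend(submac)
        # a, mx, ptr, exists and all without macros are not expanded here
    return ip4, ip6, macro_terms


if __name__ == "__main__":
    v4, v6, macros = spf_walk("example.test")
    for net in v4 + v6:
        print(net)
    for m in macros:
        print("unresolvable:", m)
```

ipaddress prints IPv6 networks in compressed form, so 2a01:4180:4051:0800::/64 from the table comes out as 2a01:4180:4051:800::/64; the walk itself does not change what was published.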
Re: dkim signing integrated in opensmtpd?
On 5/10/21 3:14 PM, Martijn van Duren wrote: There's filter-dkimsign in packages, which is also mentioned in smtpd.conf. I don't think there's a more lightweight solution possible. I had found your web site https://palant.info/2020/11/09/adding-dkim-support-to-opensmtpd-with-custom-filters/, but it mentioned building opensmtpd-filter-dkimsign from "some Dutch web server". I didn't expect a package. Actually I am running my major MTA with sendmail, still. The problem in this configuration is, the opendkim milter is called before masquerading is done. opendkim signs a header that is modified by sendmail later. (There are some workarounds, but they are unreliable.) Is there a similar pitfall for opensmtpd-filter-dkimsign and opensmtpd? Regards Harri
dkim signing integrated in opensmtpd?
Hi folks, Would it be possible to *integrate* dkim signatures in opensmtpd? I saw rspamd, but this is not an option. I am looking for a lightweight solution for signing EMail headers. Regards Harri
Re: what happened to smtpd-filters.7 ?
Hi Martin, thank you very much for your response. I stumbled over this lost man page looking for additional information about the filters mentioned on https://man.openbsd.org/smtpd.conf. Apparently there are a few more unused source files in the git repository. They are very hard to detect without running make. Regards Harri
what happened to smtpd-filters.7 ?
Hi folks, looking at github there is a file "smtpd-filters.7" and "filter.c" in smtpd, but apparently they are not used at build or install time. configure.ac doesn't mention them, either, so I wonder what's the story here? Have they been forgotten? Obsolete code? Regards Harri
how to reject a spoofed "From: " address?
Hi folks,

AFAICS opensmtpd can reject EMails with a spoofed from address in the envelope, as shown in smtpd.conf(5). But how can I reject EMails with a spoofed "From: " address in the EMail header, matching my own domain?

See below for smtpd.conf. EMails with a spoofed From address get through via rule 8.

Every insightful comment is highly appreciated.
Harri

--
    xname = "mail.example.de"

    pki $xname cert "/etc/ssl/public/mail.example.de.chain.pem"
    pki $xname key "/etc/ssl/private/smtpd.key.pem"
    pki $xname dhe auto

    listen on lo0 tls pki $xname
    listen on internal tls pki $xname
    listen on external tls pki $xname

    table aliases db:/etc/mail/aliases.db
    table trusted_mta { 10.1.0.11 10.1.0.22 }
    table at_example {"@example.de", "@example.com", "@*.example.de", "@*.example.com"}
    table example {"example.de", "example.com", "*.example.de", "*.example.com"}

    action "local" mbox alias
    action "relay_example" relay host smtp://mail.int.example.de helo "mail.example.de"
    action "relay_external" relay src { 10.0.0.1 2001:db8::::1 } helo "mail.example.de"

    match from local for local action "local"
    match from local for domain action "relay_example"
    match from local for any action "relay_external"
    match from src for domain action "relay_example"
    match from src for any action "relay_external"
    match from any mail-from for any reject
    match mail-from for any reject
    match from any for domain action "relay_example"
    # the rest is rejected by default
    match from any for any reject
Re: how to watch opensmtpd filters at work?
On 1/7/21 3:03 PM, Martijn van Duren wrote: Could you show your config, steps to reproduce and expected behaviour? Because I'm not entirely sure what you try to achieve. I was trying to see which rules in smtpd.conf match. "smtpctl trace all" didn't work. Problem was, I hadn't enabled debug logging in syslog.conf. This rendered "smtpctl trace rules" useless. I would strongly recommend to mention this in the man page. It's easy to forget. Regards Harri
Re: how to watch opensmtpd filters at work?
On 1/7/21 1:03 PM, Martijn van Duren wrote: Your question isn't really specific, but my best guess is that -Tfilters will do the trick. I tried "smtpctl trace all", but there was no visual effect. Regards Harri
how to watch opensmtpd filters at work?
Hi folks, for debugging I would like to know which "match" line does actually match the incoming EMails. Is there some option for opensmtpd to watch it? "-v" seems to be insufficient. Every insightful comment would be highly appreciated. Regards Harri
Re: OpenSMTPD 6.8.0p1 RC1 - please test !
I installed it on my mailhost: Seems to work. The problem with logging ("y express" instead of "smtpd" in the logfile) seems to be gone. Good work Harri
common format for maillog lines?
Hi folks,

apparently there are 2 different kinds of lines in /var/log/maillog: Lines with a message id, and lines without. Very painful. The lines without message id seem to start with "smtp-out:", eg

    smtp-out: No valid route for [connector:10.125.142.10->[relay:example.com,smtp,sourcetable=,heloname=mail.example.de],0x0]

Do you think it would be possible to clean this up? I would like to grep for the message ID to get the *whole* set of log file lines related to this message, and to ignore the unrelated smtp-out lines.

Thanx in advance
Harri
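An added example (my own Python, not OpenSMTPD code) of the grouping asked for above: it separates lines that carry a 16-hex-digit session id from the id-less "smtp-out:" diagnostics and condenses one session to its envelope sender, recipients and delivery status. SAMPLE_LOG is constructed; the line shapes follow the ones quoted on this page, the hosts and addresses are invented. The from=<> value seen in the "what does from=<> mean?" thread is the null reverse-path, the empty envelope sender that bounces and other delivery status notifications are sent with, and the parser reports it as such.

```python
"""Grouping OpenSMTPD maillog lines by session id (added example, my own code, not
OpenSMTPD's). SAMPLE_LOG is constructed: the line shapes follow those quoted in the
threads, hosts and addresses are invented. Lines with a 16-hex-digit session id are
parsed into key=value fields; lines without one (the "smtp-out:" diagnostics) are kept
under a separate key so a per-message view is not polluted by them."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jul  6 08:08:20 mailgate smtpd[84448]: 90d0e01d76abce9c smtp connected address=10.0.96.7 host=app01.example.test
Jul  6 08:08:21 mailgate smtpd[84448]: 90d0e01d76abce9c smtp message msgid=e62074ed from=<> to=<postmaster@example.test> size=2048 ndest=1 proto=ESMTP
Jul  6 08:08:24 mailgate smtpd[84448]: 90d0e01d76abce9c mta delivery evpid=e62074ed220d58f9 from=<> to=<postmaster@example.test> rcpt=<-> source="10.0.96.7" relay="10.0.96.11 (mailhost.example.test)" delay=0s result="Ok" stat="250 2.0.0 Message accepted for delivery"
Jul  6 08:08:25 mailgate smtpd[84448]: smtp-out: No valid route for [connector:10.0.96.7->[relay:example.org,smtp,sourcetable=,heloname=mail.example.test],0x0]
Jul  6 08:09:01 mailgate smtpd[84448]: 5e1b8c0d2f3a4b6c smtp message msgid=ab12cd34 from=<alice@example.test> to=<bob@example.org> size=512 ndest=1 proto=ESMTP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) smtpd\[(?P<pid>\d+)\]: "
    r"(?:(?P<id>[0-9a-f]{16}) (?P<subsystem>\S+) (?P<event>\S+)(?P<rest>.*)|(?P<other>.*))$"
)
# value forms seen in the log: "quoted string", <angle-bracketed address>, or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|<[^>]*>|\S*)')


def parse_line(line):
    """Parse one maillog line into a dict, or return None for lines from other programs."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    entry = {"ts": m["ts"], "host": m["host"], "pid": int(m["pid"])}
    if m["id"]:
        fields = {}
        for key, raw in KV_RE.findall(m["rest"]):
            fields[key] = raw[1:-1] if raw[:1] in '"<' else raw   # strip quotes / brackets
        entry.update(id=m["id"], subsystem=m["subsystem"], event=m["event"], fields=fields)
    else:
        entry.update(id=None, message=m["other"])
    return entry


def is_null_sender(entry):
    """True when the envelope sender is the null reverse-path (logged as from=<>)."""
    return entry.get("fields", {}).get("from") == ""


def group_by_session(log_text):
    """Map session id -> list of parsed entries; id-less lines are collected under None."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            groups[entry["id"]].append(entry)
    return groups


def session_summary(log_text, session_id):
    """Condense one session: envelope sender kind, recipients and the final delivery status."""
    entries = group_by_session(log_text).get(session_id, [])
    summary = {"null_sender": False, "to": [], "result": None, "stat": None}
    for e in entries:
        f = e["fields"]
        if "from" in f:
            summary["null_sender"] = is_null_sender(e)
        if "to" in f and f["to"] not in summary["to"]:
            summary["to"].append(f["to"])
        if e["subsystem"] == "mta" and e["event"] == "delivery":
            summary["result"], summary["stat"] = f.get("result"), f.get("stat")
    return summary


if __name__ == "__main__":
    groups = group_by_session(SAMPLE_LOG)
    for sid, entries in groups.items():
        print(f"{sid or '(no session id)'}: {len(entries)} line(s)")
    print(session_summary(SAMPLE_LOG, "90d0e01d76abce9c"))
```

The id-less bucket is what the grep described above cannot separate on its own; keeping it as a distinct key lets a report list those diagnostics once, next to the sessions, instead of interleaving them with a message's own lines.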
Re: how to ignore TLS1.3 for test purposes?
On 2020-07-29 04:12, Larkin Nickle wrote:

Looking at smtpd.conf(5), you should be able to put `smtp ciphers control` (control being the control string of allowed ciphers). The default is "HIGH:!aNULL:!MD5". I think "HIGH:!aNULL:!MD5!TLSv1.3" should be valid in removing TLSv1.3 as far as I can tell according to SSL_CTX_set_cipher_list(3). I haven't actually tested this however, but this might be a useful starting point.

That helped a lot. Using TLS 1.2 I was able to actually see something in the tcpdump (see attachment). Apparently my MTA sends a Client Hello (TLS 1.2 protocol) to the peer, including a list of ciphers and several extensions. The peer (buxtehude.debian.org) answers with "Handshake failure", but it doesn't tell what exactly is wrong. See attachment.

Any ideas? I am sure you guys are more proficient in reading TLS protocol than I am.

Harri

Attachment: buxtehude.debian.org.pcap (application/vnd.tcpdump.pcap)
how to ignore TLS1.3 for test purposes?
Hi folks, there seems to be a compatibility issue between opensmtpd on OpenBSD 6.7 and exim4 on Debian's bugtracker, see https://lists.debian.org/debian-user/2020/07/msg01091.html Most recent syspatches are applied, of course. I cannot reproduce this problem with opensmtpd 6.7.1-p1 on Debian. How can I tell opensmtpd on OpenBSD to ignore TLS1.3 and to use TLS1.2 only, just for test purposes? TLS1.3 in libressl appears to be brand new. Maybe its buggy. Every helpful hint is highly appreciated Harri
Re: smtp-out: Address family mismatch
The Network error on destination MX has been resolved. The Address family mismatch is still open. smtpctl show queue gives me

    a9f755dd88e88083|inet4|mta||u...@example.com|cont...@bugs.debian.org|cont...@bugs.debian.org|1595227438|1595227438|0|27|pending|29446|Address family mismatch on destination MXs
    ebbe485d057fa820|inet4|mta||u...@example.com|xxx...@bugs.debian.org|xxx...@bugs.debian.org|1595227386|1595227386|0|27|pending|29394|Address family mismatch on destination MXs

Please note the "inet4" and

    % host bugs.debian.org
    bugs.debian.org has address 140.211.166.212
    bugs.debian.org has address 209.87.16.39
    bugs.debian.org has IPv6 address 2605:bc80:3010:b00:0:deb:166:212
    bugs.debian.org has IPv6 address 2607:f8f0:614:1::1274:39
    bugs.debian.org mail is handled by 10 buxtehude.debian.org.
    % host buxtehude.debian.org.
    buxtehude.debian.org has address 209.87.16.39
    buxtehude.debian.org has IPv6 address 2607:f8f0:614:1::1274:39
    buxtehude.debian.org mail is handled by 10 mailly.debian.org.
    buxtehude.debian.org mail is handled by 10 muffat.debian.org.

Currently telnet 140.211.166.212 smtp fails with Connection refused, but where is the address family mismatch between inet4 and 209.87.16.39 ?

Regards
Harri
Re: opensmtpd appears to be IPv4-only
Hi Slavik,

On 2020-07-22 18:26, Slavik Svyrydiuk wrote:

I do not have any issues with IPv6. It works for me.
Ubuntu == opensmtpd 6.0.3p1-1ubuntu0.2

smtpd.conf lines:

    listen on 0.0.0.0 port 25
    listen on ::0 port 25

    $ netstat -lnt | grep ':25'
    tcp     0   0 0.0.0.0:25      0.0.0.0:*   LISTEN
    tcp6    0   0 :::25           :::*        LISTEN

Nice hint, but AFAIU your smtpd is listening on all interfaces. That's not the case on my host.

Regards
Harri
opensmtpd appears to be IPv4-only
Hi folks,

I've got a problem with IPv6 support for opensmtpd 6.7.1p1 on Debian: Apparently opensmtpd seems to ignore IPv6 after a reboot. My smtpd.conf says

    :
    xname = "mailhost.example.com"
    pki $xname cert "/etc/mail/ssl/mailhost.example.com.cert"
    pki $xname key "/etc/mail/ssl/mailhost.example.com.key"
    listen on lo tls pki $xname
    listen on eth0 tls pki $xname
    :

lsof -p shows that smtpd is listening only on the IPv4 address on eth0. The IPv6 addresses bound to eth0 (link-local and global) are ignored. If I *restart* smtpd, then it is listening on IPv6 as well, up to the next prefix change propagated via router advertisement. The IPv6 address with the new prefix is ignored. When the old prefix expires, then opensmtpd is back to IPv4-only. I have to restart it again.

Can anybody reproduce this?

Every helpful comment is highly appreciated.

Regards
Harri
Re: smtp-out: Address family mismatch
Currently I have 100+ EMails queued with "Network error on destination MX". This is a severe regression since OpenBSD 6.6. Every insightful comment is highly appreciated Harri On 7/6/20 9:01 AM, Harald Dunkel wrote: Hi folks, I see a lot of outgoing EMails queued with a message "smtp-out: Address family mismatch" in the log file. My colleagues don't like EMails being put on hold at all. Prior to 6.4 there was a limit mta inet4 The upgrade guide to the new smtpd.conf syntax (https://www.openbsd.org/faq/upgrade64.html) mentioned "set and limit removed as main keywords" and a new "mta namespace", but smtpd.conf(5) is insufficient in this aspect. It doesn't tell. https://poolp.org/posts/2018-05-21/switching-to-opensmtpd-new-config/ doesn't tell, either. My current (new-style) smtpd.conf has a line action "relay_external" relay src 192.168.1.1 helo "mail.example.com" i.e. the AF is implicitly defined, but as the AF mismatch messages indicate this is not sufficient. Could you please elaborate? Regards Harri
Re: smtp-out: Address family mismatch
Hi Thomas,

On 7/7/20 2:12 AM, Thomas Bohl wrote:

My guess would be that the target domain, at the time of the DNS query, only returned an IPv6 address. I have a similar problem. My config is

    action "relay2Internet" relay \
        helo $hostn \
        src {$v4adr, $v6adr}

as I want to allow IPv4 and IPv6. Since the src-addresses are getting alternated I often get "Address family mismatch" because the target doesn't have IPv6 yet. (At least I believe that is what's happening.)

Sorry to say, but that's pretty unlikely. IPv4 is much more common than IPv6 (still), especially for EMail. I would guess that's a bug. Somebody didn't care about the old-style

    limit mta inet4

for the new config file syntax.

Regards
Harri
smtp-out: Address family mismatch
Hi folks,

I see a lot of outgoing EMails queued with a message "smtp-out: Address family mismatch" in the log file. My colleagues don't like EMails being put on hold at all.

Prior to 6.4 there was a

    limit mta inet4

The upgrade guide to the new smtpd.conf syntax (https://www.openbsd.org/faq/upgrade64.html) mentioned "set and limit removed as main keywords" and a new "mta namespace", but smtpd.conf(5) is insufficient in this aspect. It doesn't tell. https://poolp.org/posts/2018-05-21/switching-to-opensmtpd-new-config/ doesn't tell, either.

My current (new-style) smtpd.conf has a line

    action "relay_external" relay src 192.168.1.1 helo "mail.example.com"

i.e. the AF is implicitly defined, but as the AF mismatch messages indicate this is not sufficient. Could you please elaborate?

Regards
Harri
syslog logging changed ?
Hi folks, before 6.7 the smtpd log file entries were easy to find: Just look for "smtpd" in /var/log/mail.log. With 6.7 this became "y express". On OpenBSD 6.7 it's still "smtpd" as expected, so I wonder wth? Regards Harri
Re: OpenSMTPD 6.6.2p1 released: addresses CRITICAL vulnerability
Hi Jason, On 2020-01-29 14:33, Jason Barbier wrote: According to the CVE everything since the commit in May 2018 that established the new grammar. The EMail did not mention a CVE. I was very concerned that I had to upgrade my "old" hosts to the new smtpd.conf syntax, so this is good news. Thanx for your reply. Regards Harri
Re: OpenSMTPD 6.6.2p1 released: addresses CRITICAL vulnerability
Hi Gilles, On 2020-01-28 23:30, gil...@poolp.org wrote: Hello misc@, Qualys has found a critical vulnerability leading to a possible privilege escalation. It is very important that you upgrade your setups AS SOON AS POSSIBLE. We'll provide more details when the advisory will be out and I'll take time to write about how this bug was made possible, but in the meantime get your setups fixed ! Which versions of opensmtpd are affected? Thanx for the quick fix. Harri
improve smtpd.conf syntax check at startup?
Hi folks,

Do you think it would be possible to improve checking the syntax of the config file? A line like

    action "relay" relay host smtp+tls"//t...@example.com auth

did not trigger an error message at startup time. When there was an EMail to send I got an error message in mail.log

    Jan 24 10:04:35 mailproxy smtpd[2041]: warn: Failed to parse smarthost smtp+tls"//t...@example.com

Obviously this was too late. smtpd was version OpenSMTPD 6.6.1p1 on Debian 10.

Regards
Harri
Re: tags on the portable branch?
Hi Gilles,

On 8/24/19 9:14 PM, Gilles Chehade wrote:
>
> This is expected.
>
> Version 6.4.x only builds with LibreSSL or OpenSSL 1.0.x
>

do you think it would be possible to set a tag matching support for openssl 1.1.1c as well? The version I am using right now is based on 772da22936c8d80f7ad3284ea7e5bdbfdbee2efb, but this might be too experimental for production use.

Regards
Harri
Re: tags on the portable branch?
On 8/23/19 9:55 PM, John Cox wrote: > Hi > > Whilst I know it doesn't help you I just git cloned that URL and the > tag checkout just worked for me. What happens if you make another new > (temporary) repo with clone and try again? > > Regards > > John Cox > Using a new clone, as suggested: The tag "opensmtpd-6.4.2p1" is available, but it doesn't build on Debian sid (openssl 1.1.1c). Full build.log is attached. : : gcc -DHAVE_CONFIG_H -I. -I../.. -I../../smtpd -I../../openbsd-compat -I../../openbsd-compat/err_h -I../../openbsd-compat/paths_h -I. -I/usr/include -DSMTPD_CONFDIR=\"/usr/local/etc\" -DPATH_CHROOT=\"/var/empty\" -DPATH_SMTPCTL=\"/usr/local/sbin/smtpctl\" -DPATH_MAILLOCAL=\"/usr/local/libexec/opensmtpd/mail.local\" -DPATH_LIBEXEC=\"/usr/local/libexec/opensmtpd\" -DHAVE_CONFIG_H -DIO_SSL -DCA_FILE=\"/etc/ssl/cert.pem\" -g -O2 -fPIC -DPIC -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE -DNEED_EVENT_ASR_RUN -c -o ../../smtpd/smtpd-ca.o `test -f '../../smtpd/ca.c' || echo './'`../../smtpd/ca.c ../../smtpd/ca.c: In function 'ca_X509_verify': ../../smtpd/ca.c:204:47: error: dereferencing pointer to incomplete type 'X509_STORE_CTX' {aka 'struct x509_store_ctx_s'} 204 |*errstr = X509_verify_cert_error_string(xsc->error); | ^~ ../../smtpd/ca.c: At top level: ../../smtpd/ca.c:307:1: error: variable 'rsae_method' has initializer but incomplete type 307 | static RSA_METHOD rsae_method = { | ^~ ../../smtpd/ca.c:308:2: warning: excess elements in struct initializer 308 | "RSA privsep engine", | ^~~~ ../../smtpd/ca.c:308:2: note: (near initialization for 'rsae_method') ../../smtpd/ca.c:309:2: warning: excess elements in struct initializer 309 | rsae_pub_enc, | ^~~~ ../../smtpd/ca.c:309:2: note: (near initialization for 'rsae_method') ../../smtpd/ca.c:310:2: warning: excess elements in struct 
initializer 310 | rsae_pub_dec, | ^~~~ ../../smtpd/ca.c:310:2: note: (near initialization for 'rsae_method') ../../smtpd/ca.c:311:2: warning: excess elements in struct initializer 311 | rsae_priv_enc, | ^ ../../smtpd/ca.c:311:2: note: (near initialization for 'rsae_method') ../../smtpd/ca.c:312:2: warning: excess elements in struct initializer 312 | rsae_priv_dec, | ^ ../../smtpd/ca.c:312:2: note: (near initialization for 'rsae_method') ../../smtpd/ca.c:313:2: warning: excess elements in struct initializer 313 | rsae_mod_exp, | ^~~~ ../../smtpd/ca.c:313:2: note: (near initialization for 'rsae_method') ../../smtpd/ca.c:314:2: warning: excess elements in struct initializer 314 | rsae_bn_mod_exp, | ^~~ ../../smtpd/ca.c:314:2: note: (near initialization for 'rsae_method') ../../smtpd/ca.c:315:2: warning: excess elements in struct initializer 315 | rsae_init, | ^ ../../smtpd/ca.c:315:2: note: (near initialization for 'rsae_method') ../../smtpd/ca.c:316:2: warning: excess elements in struct initializer 316 | rsae_finish, | ^~~ ../../smtpd/ca.c:316:2: note: (near initialization for 'rsae_method') ../../smtpd/ca.c:317:2: warning: excess elements in struct initializer 317 | 0, | ^ ../../smtpd/ca.c:317:2: note: (near initialization for 'rsae_method') ../../smtpd/ca.c:318:2: warning: excess elements in struct initializer 318 | NULL, | ^~~~ ../../smtpd/ca.c:318:2: note: (near initialization for 'rsae_method') ../../smtpd/ca.c:319:2: warning: excess elements in struct initializer 319 | NULL, | ^~~~ ../../smtpd/ca.c:319:2: note: (near initialization for 'rsae_method') ../../smtpd/ca.c:320:2: warning: excess elements in struct initializer 320 | NULL, | ^~~~ ../../smtpd/ca.c:320:2: note: (near initialization for 'rsae_method') ../../smtpd/ca.c:321:2: warning: excess elements in struct initializer 321 | rsae_keygen | ^~~ ../../smtpd/ca.c:321:2: note: (near initialization for 'rsae_method') ../../smtpd/ca.c: In function 'rsae_pub_enc': ../../smtpd/ca.c:407:21: error: dereferencing 
pointer to incomplete type 'RSA_METHOD' {aka 'const struct rsa_meth_st'} 407 | return (rsa_default->rsa_pub_enc(flen, from, to, rsa, padding)); | ^~ ../../smtpd/ca.c: In function 'ca_engine_init': ../../smtpd/ca.c:493:38: error: invalid use of incomplete typedef 'RSA_METHOD' {aka 'struct rsa_meth_st'} 493 | if (!ENGINE_set_name(e, rsae_method.name)) { | ^ ../../smtpd/ca.c:511:27: error: 'RSA_FLAG_SIGN_VER' undeclared (first use in this function) 511 | if (rsa_default->flags & RSA_FLAG_SIGN_VER) | ^ ../../smtpd/ca.c:511:27: note: each undeclare
Re: tags on the portable branch?
On 8/23/19 1:37 PM, Harald Dunkel wrote:
> {hdunkel@dpcl082:OpenSMTPD (portable) 518} git remote -v
> origin  https://github.com/OpenSMTPD/OpenSMTPD.git (fetch)
> origin  https://github.com/OpenSMTPD/OpenSMTPD.git (push)
> {hdunkel@dpcl082:OpenSMTPD (portable) 519} git checkout opensmtpd-6.4.2p1
> error: pathspec 'opensmtpd-6.4.2p1' did not match any file(s) known to git
>
> ???

PS: Of course I did a "git fetch --all" first.
Re: tags on the portable branch?
On 8/22/19 10:34 AM, Gilles Chehade wrote:
> On Thu, Aug 22, 2019 at 10:24:30AM +0200, Harald Dunkel wrote:
>> Hi folks,
>>
>> would it be possible to set tags on the portable branch as well?
>> Something like portable-6.4.1 would do. This could help a lot for
>> creating some kind of "official" source package for Debian and
>> Fedora/RedHat.
>
> you mean like this ? :-)
>
> https://github.com/OpenSMTPD/OpenSMTPD/releases/tag/opensmtpd-6.4.2p1

{hdunkel@dpcl082:OpenSMTPD (portable) 518} git remote -v
origin  https://github.com/OpenSMTPD/OpenSMTPD.git (fetch)
origin  https://github.com/OpenSMTPD/OpenSMTPD.git (push)
{hdunkel@dpcl082:OpenSMTPD (portable) 519} git checkout opensmtpd-6.4.2p1
error: pathspec 'opensmtpd-6.4.2p1' did not match any file(s) known to git

???
tags on the portable branch?
Hi folks,

would it be possible to set tags on the portable branch as well? Something like portable-6.4.1 would do. This could help a lot for creating some kind of "official" source package for Debian and Fedora/RedHat.

Thanx in advance
Harri
Re: OpenSMTPD build on OpenSSL 1.1.x
On 8/14/19 3:43 PM, Harald Dunkel wrote:
>
> This is Debian sid (amd64), including openssl version 1.1.1c .
> Here is the list of packages providing shared objects for smtpd:
>
> ||/ Name                 Version            Architecture Description
> +++-====================-==================-============-===============================================
> ii  libasr0              1.0.2-2+b1         amd64        asynchronous DNS resolver
> ii  libaudit1:amd64      1:2.8.5-2          amd64        Dynamic library for security auditing
> ii  libc6:amd64          2.28-10            amd64        GNU C Library: Shared libraries
> ii  libcap-ng0:amd64     0.7.9-2            amd64        An alternate POSIX capabilities library
> ii  libdb5.3:amd64       5.3.28+dfsg1-0.6   amd64        Berkeley v5.3 Database Libraries [runtime]
> ii  libevent-2.1-6:amd64 2.1.8-stable-4     amd64        Asynchronous event notification library
> ii  libpam0g:amd64       1.3.1-5            amd64        Pluggable Authentication Modules library
> ii  libssl1.1:amd64      1.1.1c-1           amd64        Secure Sockets Layer toolkit - shared libraries
> ii  zlib1g:amd64         1:1.2.11.dfsg-1+b1 amd64        compression library - runtime
>

PS: compiler version:

{harri@cecil:~ (master) 502} gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/8/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 8.3.0-19' --with-bugurl=file:///usr/share/doc/gcc-8/README.Bugs --enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++ --prefix=/usr --with-gcc-major-version-only --program-suffix=-8 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --enable-bootstrap --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-libmpx --enable-plugin --enable-default-pie --with-system-zlib --with-target-system-zlib --enable-objc-gc=auto --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-offload-targets=nvptx-none --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu --with-build-config=bootstrap-lto --enable-link-mutex
Thread model: posix
gcc version 8.3.0 (Debian 8.3.0-19)

Regards
Harri
Re: OpenSMTPD build on OpenSSL 1.1.x
On 8/13/19 9:02 PM, gil...@poolp.org wrote:
> On 13 Aug 2019 12:35, "Harald Dunkel" wrote:
>
>>
>> Surely I don't have a highly complex EMail configuration, but
>> the new version is running on my MTA and the nullclients since
>> Aug 7th: No issues by now, AFAICT. Cool.
>>
>
> Care to mention what system you are using ? :-)
>

This is Debian sid (amd64), including openssl version 1.1.1c .
Here is the list of packages providing shared objects for smtpd:

||/ Name                 Version            Architecture Description
+++-====================-==================-============-===============================================
ii  libasr0              1.0.2-2+b1         amd64        asynchronous DNS resolver
ii  libaudit1:amd64      1:2.8.5-2          amd64        Dynamic library for security auditing
ii  libc6:amd64          2.28-10            amd64        GNU C Library: Shared libraries
ii  libcap-ng0:amd64     0.7.9-2            amd64        An alternate POSIX capabilities library
ii  libdb5.3:amd64       5.3.28+dfsg1-0.6   amd64        Berkeley v5.3 Database Libraries [runtime]
ii  libevent-2.1-6:amd64 2.1.8-stable-4     amd64        Asynchronous event notification library
ii  libpam0g:amd64       1.3.1-5            amd64        Pluggable Authentication Modules library
ii  libssl1.1:amd64      1.1.1c-1           amd64        Secure Sockets Layer toolkit - shared libraries
ii  zlib1g:amd64         1:1.2.11.dfsg-1+b1 amd64        compression library - runtime

Regards
Harri
Re: OpenSMTPD build on OpenSSL 1.1.x
Hi folks,

On 7/24/19 1:16 PM, Gilles Chehade wrote:
> On Wed, Jul 24, 2019 at 10:29:34AM +0200, Harald Dunkel wrote:
>
>> I will check runtime ASAP.
>>
>
> Great !
>
> Keep on providing feedback please !
>

Surely I don't have a highly complex EMail configuration, but the new version is running on my MTA and the nullclients since Aug 7th: No issues by now, AFAICT. Cool.

Regards
Harri
Re: git portable branch: Failed to parse smarthost
Hi Gilles,

On 8/6/19 1:35 PM, Gilles Chehade wrote:
>
> you're using an auth label but this requires a secure transport.
>
> from smtpd.conf(5):
>
>     The label corresponds to an entry in a credentials table,
>     as documented in table(5). It is used with the
>     "smtp+tls" and "smtps" protocols for authentication.
>

found it. Sorry, my bad.

Regards
Harri
unsubscribe old email address?
Hi folks, https://www.opensmtpd.org/list.html doesn't tell how to unsubscribe an old EMail address, that cannot be used for sending EMails anymore. The same page doesn't list an administrative user, either, so please excuse sending this question to this mailing list. I tried to send an EMail (new address) to misc+unsubscr...@opensmtpd.org saying unsubscribe o...@example.com but this didn't work as expected. The EMail address was ignored. Every helpful hint is highly appreciated. Harri
git portable branch: Failed to parse smarthost
Hi folks,

trying the new smtpd with openssl support on Debian I get the following error:

Aug 5 18:56:26 mailhost smtpd[712]: warn: Failed to parse smarthost smtp://someh...@mail.somehost.de

Mail is not forwarded, of course. The config file says

:
table localnet { 10.0.0.0/24, 2001:db8:1f24:b803::/64 }
table secrets file:/etc/secrets
:
action "relay_somehost" relay host smtp://someh...@mail.somehost.de auth mail-from "@example.de"
:
match from src for any action "relay_somehost"
match from local for any action "relay_somehost"

The secrets file is:

somehost postmas...@x.mail.somehost.de:geheim

AFAICS the syntax follows the man page, so why does it complain? I don't see it.

Every helpful hint is highly appreciated.
Regards
Harri
Re: OpenSMTPD build on OpenSSL 1.1.x
Hi Gilles,

On 7/23/19 11:58 AM, Gilles Chehade wrote:
> Hello people,
>
> The portable branch of OpenSMTPD should build with OpenSSL again as long
> as your system is using >= 1.1.x

This is excellent news. I highly appreciate the new portable version. This solves a lot of problems in my environment.

> OpenSMTPD portable has been built and tested with Ubuntu only, please do
> provide feedback !

On a first build (Debian 9) configure returned an error

checking if programs using libevent functions will link... no
checking openssl/opensslv.h usability... yes
checking openssl/opensslv.h presence... yes
checking for openssl/opensslv.h... yes
configure: error: *** Can't find recent LibreSSL libcrypto (see config.log for details) ***

but actually libevent was missing:

:
configure:19442: checking openssl/opensslv.h usability
configure:19442: gcc -c -g -O2 -fPIC -DPIC -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset -D_BSD_SOURCE -D_DEFAULT_SOURCE -I/usr/local/ssl/include conftest.c >&5
configure:19442: $? = 0
configure:19442: result: yes
configure:19442: checking openssl/opensslv.h presence
configure:19442: gcc -E -I/usr/local/ssl/include conftest.c
configure:19442: $? = 0
configure:19442: result: yes
configure:19442: checking for openssl/opensslv.h
configure:19442: result: yes
configure:19468: gcc -o conftest -g -O2 -fPIC -DPIC -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset -D_BSD_SOURCE -D_DEFAULT_SOURCE -I/usr/local/ssl/include -L/usr/local/ssl/lib conftest.c -lcrypto -lssl -levent -lasr -lcrypt -lresolv >&5
/usr/bin/ld: cannot find -levent
collect2: error: ld returned 1 exit status
:

After installing the missing package it built fine. I will check runtime ASAP.
Regards Harri -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: openssl support
Hi Gilles,

I understand that ssl support is a highly complex issue, making it necessary to focus and to get rid of the cruft. It would be a pity if opensmtpd becomes "OpenBSD-only", though.

Regards
Harri
openssl support
Hi folks,

I wonder what became of https://github.com/OpenSMTPD/OpenSMTPD/issues/534 ? IMHO this issue was closed way too early. Are all OS distros happy with opensmtpd going libressl-only? Will the rest follow?

Regards
Harri
Re: opensmtpd 6.0.3: redirect outgoing EMails to an internal account
On 5/10/19 10:55 AM, Harald Dunkel wrote:
> Hi folks,
>
> for testing purposes I have to setup opensmtpd 6.0.3 to redirect all
> outgoing EMails from a list of stage systems to a dedicated internal
> account. smtpd.conf is attached.

I have found it:

:
table aliases file:/etc/aliases
table vmap file:/etc/vmap

accept for local alias deliver to mbox
accept from source sender for any virtual deliver to mbox
accept from source sender for any relay hostname "mailproxy.example.com" pki $xname
:

with an appropriate vmap file, e.g.

@ catchall

and a local user "catchall" did the trick.

Thanx anyway. Keep on your good work
Harri
Re: opensmtpd 6.0.3: redirect outgoing EMails to an internal account
Hi Gilles,

On 5/10/19 11:30 AM, Gilles Chehade wrote:
> without your configuration it's hard to determine what's wrong

Config file was attached. You can find it in the archive as well, e.g. on https://www.mail-archive.com/misc@opensmtpd.org/msg04343.html

Regards
Harri
opensmtpd 6.0.3: redirect outgoing EMails to an internal account
Hi folks,

for testing purposes I have to setup opensmtpd 6.0.3 to redirect all outgoing EMails from a list of stage systems to a dedicated internal account. smtpd.conf is attached.

Problem is, there is an invalid recipient error for sending an EMail from such a stage system:

% netcat 10.0.0.115 25
220 example.de ESMTP OpenSMTPD
EHLO stage
250-example.com Hello stage [10.0.0.238], pleased to meet you
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-SIZE 36700160
250-DSN
250-STARTTLS
250 HELP
MAIL from:
250 2.0.0: Ok
RCPT to:
550 Invalid recipient
^C

If I replace the "deliver to mda ..." by a usual relay statement, then the EMail is relayed, so I have to assume that the "deliver to mda" somehow affects filtering EMails.

Unfortunately opensmtpd 6.4 is not an option.

Every insightful comment is highly appreciated.
Harri


xname="mp2.example.com"

pki $xname key "/etc/ssl/private/smtpd.key.pem"
pki $xname certificate "/etc/ssl/public/mailproxy.example.com.pem"

limit mta inet4

listen on lo inet4 tls pki $xname
listen on eth0 inet4 tls pki $xname

table aliases file:/etc/aliases
table lan { 10.0.0.0/24 }                               # hosts allowed to send emails
table stage_hosts { 10.0.0.238 10.0.0.240 10.0.0.245 }  # stage hosts *not* allowed to send emails
table at_example_com { "@example.com" }                 # From address

accept for local alias deliver to mbox
accept from source sender for any deliver to mda "/usr/bin/procmail -f -" as gotcha
accept from source sender for any relay hostname "mailproxy.example.com" pki $xname
Re: kill -HUP not working as expected
Hi Gilles,

On 11/29/18 9:17 AM, Gilles Chehade wrote:
> there are multiple reasons behind that:
>
> - smtpd can be killed/restarted right away without having to do cleanups
>   and given that other MTA are supposed to retry transfers if connection
>   drops, the complexity of dealing with reloading when you could just do
>   a plain restart was not worth it.
>
> reload would be nice, it's not a big deal as far as i'm concerned and
> not high on my todo.

I agree that this is not a high-prio task. But when I sent a HUP to smtpd, it was gone afterwards. That's the unexpected part, but maybe it is still better than silently ignoring the HUP, still running the old configuration.

My suggestion would be to mention it in the man page.

Thanx very much. Keep on your good work
Harri
kill -HUP not working as expected
Hi folks,

I learned some time ago that daemons restart or reload their config file, when they receive a HUP. sendmail, sshd and tons of others do. smtpd doesn't. :-(

Regards
Harri
Address family mismatch on destination MXs
Hi folks,

sometimes opensmtpd (OpenBSD 6.3) queues an EMail with

Address family mismatch on destination MXs

even though smtpd.conf says

limit mta inet4

The destination MX on my testcase (running OpenBSD 6.3 and opensmtpd as well) has both an IPv4 and an IPv6 address. According to smtpd.conf(5) opensmtpd is supposed to ignore IPv6 completely on outgoing connections due to the "limit" line.

Did I miss something here?

Every helpful comment is highly appreciated
Harri
Re: 6.4 broke procmail .forward
Hi Gilles,

On 10/28/18 6:52 PM, Gilles Chehade wrote:
> Please do yourselves a favor, ditch procmail in favor of fdm.

I am not sure if fdm is an option. Looking at https://github.com/ft/fdm.git it seems that this code has been abandoned. Are there others?

Regards
Harri
Re: "limit mta inet4" is ignored, smtpd fails to start
On 03/18/18 13:54, Richard wrote:
>
> It appears that "limit mta inet4" statement limits outgoing ipv6
> connections but not incoming ipv6 connections...
>
> Instead of the limit statement one might use a notation like this
> which limits incoming and outgoing connections to ipv4 by interface:
>
>    listen on lo inet4 tls pki $xname
>    listen on eth0 inet4 tls pki $xname
>    listen on eth1 inet4 tls pki $xname
>

This works for me in this case (thanx very much), but apparently it doesn't really solve the problem. If I use a global IPv6 address and a dual-stack configuration

xname="mailhost.example.com"
pki $xname key "/etc/ssl/private/smtpd.key.pem"
pki $xname certificate "/etc/ssl/public/mailhost.example.com.pem"
listen on lo tls pki $xname
listen on eth0 tls pki $xname
listen on eth1 tls pki $xname
:

then smtpd stumbles over the tentative IPv6 address again. The only difference is that it's not a link-local address anymore:

:
:
670 bind(11, {sa_family=AF_INET, sin_port=htons(25), sin_addr=inet_addr("10.0.0.2")}, 16
670 <... bind resumed> ) = 0
670 socket(PF_INET6, SOCK_STREAM, IPPROTO_IP
670 <... socket resumed> ) = 12
670 setsockopt(12, SOL_SOCKET, SO_REUSEADDR, [1], 4
670 <... setsockopt resumed> ) = 0
670 setsockopt(12, SOL_IPV6, IPV6_V6ONLY, [1], 4
670 <... setsockopt resumed> ) = 0
670 bind(12, {sa_family=AF_INET6, sin6_port=htons(25), inet_pton(AF_INET6, "2001:DB8:30:ffe0::e6", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28 <
670 <... bind resumed> ) = -1 EADDRNOTAVAIL (Cannot assign requested address)
670 write(2, "pony express: smtpd: bind: Canno"..., 59
670 <... write resumed> ) = 59
670 exit_group(1) = ?
670 +++ exited with 1 +++

Regards
Harri
"limit mta inet4" is ignored, smtpd fails to start
Hi folks,

problem using opensmtpd 6.0.3 on Debian: I have set

xname=mailhost.example.com
:
limit mta inet4
listen on lo tls pki $xname
listen on eth0 tls pki $xname
listen on eth1 tls pki $xname
:

in smtpd.conf, but apparently this "limit" line is ignored. At boot time it tries to bind to a link-local IPv6 address. And this fails, as strace shows:

:
695 setsockopt(11, SOL_SOCKET, SO_REUSEADDR, [1], 4
695 <... setsockopt resumed> ) = 0
695 bind(11, {sa_family=AF_INET, sin_port=htons(25), sin_addr=inet_addr("10.0.0.2")}, 16
695 <... bind resumed> ) = 0
695 socket(PF_INET6, SOCK_STREAM, IPPROTO_IP
695 <... socket resumed> ) = 12
695 setsockopt(12, SOL_SOCKET, SO_REUSEADDR, [1], 4
695 <... setsockopt resumed> ) = 0
695 setsockopt(12, SOL_IPV6, IPV6_V6ONLY, [1], 4
695 <... setsockopt resumed> ) = 0
695 bind(12, {sa_family=AF_INET6, sin6_port=htons(25), inet_pton(AF_INET6, "fe80::216:3aff:feca:38bb", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=if_nametoindex("eth0")}, 28
695 <... bind resumed> ) = -1 EADDRNOTAVAIL (Cannot assign requested address)
695 write(2, "pony express: smtpd: bind: Canno"..., 59
695 <... write resumed> ) = 59
695 exit_group(1) = ?
695 +++ exited with 1 +++

"ip address show" (run immediately before smtpd) shows that the link-local address is still "tentative":

:
194: eth0@if195: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3a:ca:38:bb brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.2/24 brd 10.0.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3aff:feca:38bb/64 scope link tentative
       valid_lft forever preferred_lft forever
:

If I try to run smtpd later, then it works.

Every helpful comment is highly appreciated.
Harri
greylisting vs round robin
Hi folks,

Looking at my opensmtpd log file (see attachment) some EMails are greylisted by the peer several times. Apparently the receiving ISP has several MX hosts, probably each running its own local whitelist. :-(

Do you think it would be possible in opensmtpd to avoid hopping from one IP address to another, when the greylisted EMails are processed again?

opensmtpd is version 6.0.2, running on Debian.

Every helpful comment is highly appreciated
Harri


% ( zcat mail.log.{4..1}.gz; cat mail.log ) | grep -i greylist | grep bigisp
Nov 7 14:57:14 mailproxy-example smtpd[119331]: relay: TempFail for 0d2a26cfe2294eca: session=b7187e777bb83a3a, from=, to=, rcpt=<->, source=10.0.11.115, relay=192.168.92.216 (mx-v1.bigisp.de), delay=0s, stat=457 Greylisted, please come back later.
Nov 7 15:03:55 mailproxy-example smtpd[119331]: relay: TempFail for 0d2a26cfe2294eca: session=b7187e7abd6d6e31, from=, to=, rcpt=<->, source=10.0.11.115, relay=192.168.92.217 (mx-v2.bigisp.de), delay=6m41s, stat=457 Greylisted, please come back later.
Nov 7 15:04:04 mailproxy-example smtpd[119331]: relay: TempFail for 654b3d5f30fed65b: session=b7187e7abd6d6e31, from=, to=, rcpt=<->, source=10.0.11.115, relay=192.168.92.217 (mx-v2.bigisp.de), delay=0s, stat=457 Greylisted, please come back later.
Nov 7 15:10:44 mailproxy-example smtpd[119331]: relay: TempFail for 654b3d5f30fed65b: session=b7187e84bff763ce, from=, to=, rcpt=<->, source=10.0.11.115, relay=192.168.92.216 (mx-v1.bigisp.de), delay=6m40s, stat=457 Greylisted, please come back later.
Nov 8 15:22:57 mailproxy-example smtpd[119331]: relay: TempFail for 3f15b7e90cd2ef63: session=b7187f68a34c154c, from=, to=, rcpt=<->, source=10.0.11.115, relay=192.168.92.218 (mx-v3.bigisp.de), delay=1s, stat=457 Greylisted, please come back later.
Nov 8 15:29:36 mailproxy-example smtpd[119331]: relay: TempFail for 3f15b7e90cd2ef63: session=b7187f6befadda90, from=, to=, rcpt=<->, source=10.0.11.115, relay=192.168.92.217 (mx-v2.bigisp.de), delay=6m40s, stat=457 Greylisted, please come back later.
Nov 9 10:51:02 mailproxy-example smtpd[119331]: relay: TempFail for 40fb08780512a754: session=b7187fd9afa71414, from=, to=, rcpt=<->, source=10.0.11.115, relay=192.168.92.218 (mx-v3.bigisp.de), delay=0s, stat=457 Greylisted, please come back later.
Nov 9 10:51:03 mailproxy-example smtpd[119331]: relay: TempFail for 581347b24118025c: session=b7187fd9afa71414, from=, to=, rcpt=<->, source=10.0.11.115, relay=192.168.92.218 (mx-v3.bigisp.de), delay=1s, stat=457 Greylisted, please come back later.
Nov 9 10:57:43 mailproxy-example smtpd[119331]: relay: TempFail for 40fb08780512a754: session=b7187fed3db16b83, from=, to=, rcpt=<->, source=10.0.11.115, relay=192.168.92.216 (mx-v1.bigisp.de), delay=6m41s, stat=457 Greylisted, please come back later.
Nov 9 10:57:44 mailproxy-example smtpd[119331]: relay: TempFail for 581347b24118025c: session=b7187fed3db16b83, from=, to=, rcpt=<->, source=10.0.11.115, relay=192.168.92.216 (mx-v1.bigisp.de), delay=6m42s, stat=457 Greylisted, please come back later.
Nov 9 10:58:54 mailproxy-example smtpd[119331]: relay: TempFail for 5a5fa8c0eccb9626: session=b7187ff7a4818ba0, from=, to=, rcpt=<->, source=10.0.11.115, relay=192.168.92.218 (mx-v3.bigisp.de), delay=1s, stat=457 Greylisted, please come back later.
Nov 9 11:05:34 mailproxy-example smtpd[119331]: relay: TempFail for 5a5fa8c0eccb9626: session=b7187ffaefedc912, from=, to=, rcpt=<->, source=10.0.11.115, relay=192.168.92.218 (mx-v3.bigisp.de), delay=6m40s, stat=457 Greylisted, please come back later.
Nov 17 14:31:29 mailproxy-example smtpd[123933]: relay: TempFail for 8bb5026ac8135c6b: session=266bf548e8c88d6b, from=, to=, rcpt=<->, source=10.0.11.115, relay=192.168.92.217 (mx-v2.bigisp.de), delay=0s, stat=457 Greylisted, please come back later.
Nov 17 14:38:10 mailproxy-example smtpd[123933]: relay: TempFail for 8bb5026ac8135c6b: session=266bf54b45686ed0, from=, to=, rcpt=<->, source=10.0.11.115, relay=192.168.92.215 (mx-v0.bigisp.de), delay=6m41s, stat=457 Greylisted, please come back later.
Nov 27 12:23:16 mailproxy-example smtpd[128520]: relay: TempFail for 6675c67d74f917d2: session=2d4fc6fbef6099cf, from=, to=, rcpt=<->, source=10.0.11.115, relay=192.168.92.218 (mx-v3.bigisp.de), delay=1s, stat=457 Greylisted, please come back later.
Nov 27 12:29:56 mailproxy-example smtpd[128520]: relay: TempFail for 6675c67d74f917d2: session=2d4fc6fe42cd1f52, from=, to=, rcpt=<->, source=10.0.11.115, relay=192.168.92.216 (mx-v1.bigisp.de), delay=6m41s, stat=457 Greylisted, please come back later.

% dig @8.8.8.8 bigisp.de MX +short
1 mx.bigisp.de.

% host mx.bigisp.de
mx.bigisp.de has address 192.168.92.215
mx.bigisp.de has address 192.168.92.217
mx.bigisp.de has address 192.168.92.218
mx.bigisp.de has address 192.168.92.216
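A small log analysis for the question above, added here as an example and not code from the thread or from OpenSMTPD: it groups the "relay: TempFail ... Greylisted" lines by message id and lists the messages whose retries were greylisted by a different MX host each time. The sample lines are constructed in the same layout as the quoted ones; the stripped from/to addresses are filled in with example values.

```python
"""Added example (not code from the thread or from OpenSMTPD): group the
'relay: TempFail ... Greylisted' lines of an OpenSMTPD mail.log by message
id and report messages whose greylist retries reached a different MX host,
i.e. the hopping between round-robin MX addresses the question asks about."""
import re
from collections import defaultdict

# Matches the relay log lines in the format quoted in the thread.
TEMPFAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ smtpd\[\d+\]: relay: TempFail for "
    r"(?P<msgid>[0-9a-f]+): session=(?P<session>[0-9a-f]+), .*?"
    r"relay=(?P<ip>[\d.]+) \((?P<host>[^)]+)\), delay=(?P<delay>[^,]+), "
    r"stat=(?P<stat>.*)$"
)

# Constructed sample log lines (same layout as the quoted ones; the
# addresses the archive stripped are filled in with example values).
SAMPLE_LOG = """\
Nov  7 14:57:14 mailproxy-example smtpd[119331]: relay: TempFail for 0d2a26cfe2294eca: session=b7187e777bb83a3a, from=<a@example.org>, to=<b@bigisp.de>, rcpt=<->, source=10.0.11.115, relay=192.168.92.216 (mx-v1.bigisp.de), delay=0s, stat=457 Greylisted, please come back later.
Nov  7 15:03:55 mailproxy-example smtpd[119331]: relay: TempFail for 0d2a26cfe2294eca: session=b7187e7abd6d6e31, from=<a@example.org>, to=<b@bigisp.de>, rcpt=<->, source=10.0.11.115, relay=192.168.92.217 (mx-v2.bigisp.de), delay=6m41s, stat=457 Greylisted, please come back later.
Nov  9 10:58:54 mailproxy-example smtpd[119331]: relay: TempFail for 5a5fa8c0eccb9626: session=b7187ff7a4818ba0, from=<a@example.org>, to=<c@bigisp.de>, rcpt=<->, source=10.0.11.115, relay=192.168.92.218 (mx-v3.bigisp.de), delay=1s, stat=457 Greylisted, please come back later.
Nov  9 11:05:34 mailproxy-example smtpd[119331]: relay: TempFail for 5a5fa8c0eccb9626: session=b7187ffaefedc912, from=<a@example.org>, to=<c@bigisp.de>, rcpt=<->, source=10.0.11.115, relay=192.168.92.218 (mx-v3.bigisp.de), delay=6m40s, stat=457 Greylisted, please come back later.
Nov  9 11:12:10 mailproxy-example smtpd[119331]: constructed unrelated line, must be ignored by the parser
"""


def parse_tempfails(lines):
    """Yield a dict per greylist TempFail line; skip everything else."""
    for line in lines:
        m = TEMPFAIL_RE.match(line.strip())
        if m and "Greylisted" in m.group("stat"):
            yield m.groupdict()


def mx_hops(lines):
    """Map message id -> list of (timestamp, MX host) in log order."""
    hops = defaultdict(list)
    for rec in parse_tempfails(lines):
        hops[rec["msgid"]].append((rec["ts"], rec["host"]))
    return dict(hops)


def hopping_messages(lines):
    """Message ids whose retries were greylisted by more than one MX host."""
    return sorted(
        msgid for msgid, seq in mx_hops(lines).items()
        if len({host for _, host in seq}) > 1
    )


def mx_addresses(lines):
    """MX host -> IPv4 address as seen in the log (one entry per host)."""
    return {rec["host"]: rec["ip"] for rec in parse_tempfails(lines)}


def report(lines):
    """Human-readable summary, returned as a string so callers can check it."""
    out = []
    for msgid, seq in mx_hops(lines).items():
        hosts = [host for _, host in seq]
        flag = "HOPPED" if len(set(hosts)) > 1 else "same MX"
        out.append(f"{msgid}: {len(seq)} greylist replies, {flag}: {' -> '.join(hosts)}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines()))
    print("MX addresses seen:", mx_addresses(SAMPLE_LOG.splitlines()))
```

Run it against a real mail.log by replacing SAMPLE_LOG.splitlines() with the file's lines; every "HOPPED" message is one whose greylist entry was created on one MX and the retry checked on another.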
Re: smtpd: listen on (eth0)
On 04/21/17 05:56, Harald Dunkel wrote:
> Hi folks,
>
> I am running opensmtpd on Linux (next to OpenBSD, of course). Problem:
> Apparently smtpd doesn't recognize a new IPv6 address assigned to the network
> interface (e.g. due to a prefix change). It keeps on listening on the old
> IPv6 address only.
>

PS: Of course the old address is tagged "deprecated".

Regards
Harri
smtpd: listen on (eth0)
Hi folks,

I am running opensmtpd on Linux (next to OpenBSD, of course). Problem: Apparently smtpd doesn't recognize a new IPv6 address assigned to the network interface (e.g. due to a prefix change). It keeps on listening on the old IPv6 address only.

Do you think this could be improved?

Thanx in advance
Harri