Re: Wrote a blogpost on OpenSMTPD mailrelay - feedback appreciated

2024-03-11 Thread Simon Harrison
On Mon, 11 Mar 2024 13:59:17 +
gil...@poolp.org wrote:

> I created a Wiki page on the public repository for OpenSMTPD:
> 
> https://github.com/OpenSMTPD/OpenSMTPD/wiki/OpenSMTPD-articles-and-posts
> 
> List to be completed ;-)
> 

Great idea! Might even inspire users to create their own to be added to
the list. Just a suggestion: maybe we could collect some configs with
comments for achieving certain goals:

1. How do I set up opensmtpd for outgoing mail only?
2. What is a backup MX server and how do I set one up?
3. How do I connect opensmtpd to my IMAP/POP3 server?

etc.

The now neglected FAQ page that many software sites used to have...




Re: Wrote a blogpost on OpenSMTPD mailrelay - feedback appreciated

2024-03-11 Thread Simon Harrison
On Mon, 11 Mar 2024 09:03:44 +0100
Gilles CHEHADE  wrote:

> Since people are sharing posts / articles, if others have written
> such articles feel free to share in this thread, I’m curious :-)

I've posted a couple. Mainly as a reference for myself although I've
had a few emails saying they've been helpful, which is nice!

https://simonh.uk/tags/opensmtpd/index.html



IO Error: certificate verification failed: certificate has expired

2024-03-06 Thread Simon Harrison
I've got an odd problem. I'm using smtpd as a relay. Everything works
fine, except, every 2-3 weeks I get the following error (on my local
machine):

47b6501430167caa mta error reason=IO Error: certificate verification
failed: certificate has expired

and a few lines down:

result="TempFail" stat="Network error on destination MXs"

Looking at the log on the server:

connected address=my.ip.address host=me.at.myisp

disconnected reason="io-error: handshake failed: error:0A000415:SSL
routines::sslv3 alert certificate expired"

I've dealt with this up until now by restarting opensmtpd on the server
and then everything is fine again. But, I could do with some help
getting it sorted once and for all. 


Local machine: Linux Mint 21.3
Servers: Debian 12.5






opensmtpd 7.3.0 Debian Bookworm Package

2023-09-10 Thread Simon Harrison
In case it helps anyone, I've built a .deb package from here:

https://salsa.debian.org/debian/opensmtpd

I'm happy to post it to the list, but if you want to build yourself,
this worked for me (after downloading the repo):

$ mkdir deb
$ cd deb

# apt install debhelper-compat bison libdb-dev libevent-dev \
    libpam0g-dev pkg-config po-debconf

$ dpkg-buildpackage -b -rfakeroot -us -uc
# dpkg -i opensmtpd_7.3.0p1-1_amd64.deb

Everything seems to be working fine including filter-dkimsign

p.s. If Ryan Kavanagh from Debian reads this list, please ignore my
email as I got it sorted.



Re: "listen ... filter ..." config syntax for 6.8.0p2

2023-06-21 Thread Simon Harrison
On Wed, 21 Jun 2023 18:30:31 +0200
Philippe Strauss  wrote:

> Hello the list,
> 
> I'm new to opensmtpd, great software BTW, but after reading the man 
> page and googling around the net, I can't find the right syntax for
> the "listen ... filter ..." syntax in smtpd.conf, I'm simply trying
> to setup rspamd to filter and DKIM sign emails, someone willing to
> share some example for 6.8.0p2?
> 
> TIA!
> 

Here is what I use: 

# Filters
filter dkimsign proc-exec "filter-dkimsign -d mydomain -s 20210622 -k /etc/mail/dkim/private.rsa.key" \
    user _dkimsign group _dkimsign

filter   "rdns" phase connect match   !rdns disconnect "550 DNS error"
filter "fcrdns" phase connect match !fcrdns disconnect "550 DNS error"
filter check_dyndns phase connect match rdns regex { '.*\.dyn\..*', '.*\.dsl\..*' } \
    disconnect "550 no residential connections"

listen on socket filter "dkimsign"
listen on localhost filter "dkimsign"
listen on eth0 port 25 tls pki mydomain \
    filter { "dkimsign", "rdns", "fcrdns", "check_dyndns" }

Hope that helps.



Re: Announce: OpenSMTPD 7.3.0p0 released

2023-06-18 Thread Simon Harrison
On Sun, 18 Jun 2023 19:36:00 +0200
Frank de Bruijn  wrote:

> Relevant files: https://duinsoft.nl/dl/
> Procedure: https://duinsoft.nl/dl/building_opensmtpd_7.3.0.txt
> 
> I noticed you mention problems with filter-dkimsign. I don't use
> that myself, so I have no idea whether my build will handle it any
> better.
> 
> Regards,
> Frank
> 

Wow, thanks Frank. Very good of you. I'm pretty busy at the moment, but
I'll have a go at building using your files early next week. 

I'll let you know how things go!

Thanks again,

Simon




Re: Announce: OpenSMTPD 7.3.0p0 released

2023-06-18 Thread Simon Harrison
On Sun, 18 Jun 2023 16:08:20 +0200
Omar Polo  wrote:

> > On 17 Jun 2023, at 18:43, Simon Harrison  wrote:
> > 
> > On Sat, 17 Jun 2023 09:50:17 +0200
> > Omar Polo  wrote:
> >   
> >> OpenSMTPD 7.3.0p0 has just been released.
> >>   
> > 
> > When someone compiles (and runs) this on Debian Bookworm, can you
> > post a quick howto. I tried on one of my servers and had lots of
> > errors.   
> 
> I've compiled and run successfully several times on Devuan, which I
> hope is not too different from Debian.
> 
> Can you please share the commands you issued and the errors you are
> getting?  In general, when reporting an issue, attaching compile or
> runtime logs (whichever more appropriate for the matter) is always the
> right thing to do.  Feel free to send them offlist if you prefer
> 
> 
> Thanks,
> 
> Omar Polo
> 

Hi Omar. I'll do that next week in a new thread. There was definitely a
problem with filter-dkimsign, not sure if you could bundle that with
the portable version?

Simon



Re: Announce: OpenSMTPD 7.3.0p0 released

2023-06-17 Thread Simon Harrison
On Sat, 17 Jun 2023 19:20:26 +0200
Frank de Bruijn  wrote:

> Op 17-06-2023 om 18:43 schreef Simon Harrison:
> > On Sat, 17 Jun 2023 09:50:17 +0200
> > Omar Polo  wrote:
> >   
> >> OpenSMTPD 7.3.0p0 has just been released.
> >>  
> > 
> > When someone compiles (and runs) this on Debian Bookworm, can you
> > post a quick howto. I tried on one of my servers and had lots of
> > errors.  
> 
> I built the release candidates a little while ago and rc2 is still 
> running here. I'll build this version one of these days (maybe
> tomorrow) and I'll let you know the result and the procedure. A word
> of warning, though: I always use sbuild. I don't know if you're
> familiar with it.
> 
> Regards,
> Frank
> 

Hi Frank. I'm not familiar with it, but looking into it now. 

Thanks,

Simon



Re: Announce: OpenSMTPD 7.3.0p0 released

2023-06-17 Thread Simon Harrison
On Sat, 17 Jun 2023 09:50:17 +0200
Omar Polo  wrote:

> OpenSMTPD 7.3.0p0 has just been released.
> 

When someone compiles (and runs) this on Debian Bookworm, can you post
a quick howto. I tried on one of my servers and had lots of errors. 

I've since gone back to the Debian default version. 

Cheers.



Re: Announce: OpenSMTPD 7.3.0p0 released

2023-06-17 Thread Simon Harrison
On Sat, 17 Jun 2023 09:21:45 -0700
latin...@vcn.bc.ca wrote:

> Hello
> 
> Please excuse my question, if I am lost!
> 
> I have 3 e-mail servers using OpenSMTPD that come with OpenBSD 7.3.
> 
> Is this complicated thing that you mentioned going to affect my
> servers?
> 
> I use OpenBSD because of its simplicity!
> 
> Thanks.

No mate. This is the portable version. You're already using the latest
version on OpenBSD. This is for people like me running Linux.




Re: Capturing the log output of opensmtpd

2022-10-15 Thread Simon Harrison
On Sat, 15 Oct 2022 14:44:01 +0200
Tassilo Philipp  wrote:

> I guess your python subprocess is the submission agent? In that case
> you get the error in theory automatically, but it would be in form of
> a bounce message. If your submission agent cannot receive bounces
> they will be lost (probably hanging in the next MTA's queue for a
> while until they hit a timeout).
> 
> On Sat, Oct 15, 2022 at 01:21:15PM +0100, Simon Harrison wrote:
> > Hello. I'm using Python subprocess to send mails on a linux server.
> > For outlook.com addresses I get the following error in
> > /var/log/mail.log:
> >
> > Oct 14 11:41:22 myhost smtpd[1846073]: f01b467faa967988 mta
> > delivery evpid=d9b3ae9518ff979a from=
> > to= rcpt=<-> source="server.ip.address"
> > relay="104.47.56.161 (104.47.56.161)" delay=2s result="PermFail"
> > stat="550 5.7.1 Unfortunately, messages from [server.ip.address]
> > weren't sent. Please contact your Internet service provider since
> > part of their network is on our block list (S3140). You can also
> > refer your provider to
> > http://mail.live.com/mail/troubleshooting.aspx#errors.
> > [CO1NAM11FT072.eop-nam11.prod.protection.outlook.com]"
> >
> > So my question is, is there any way to get that output rather than 
> > ssh-ing into the server and checking the log? Can opensmtpd return
> > that output as well as logging it? Python subprocess.stdout
> > suggests that opensmtpd does not return anything other than 0 or 1.
> >
> > Cheers,
> >
> > Simon
> >
> 

stdout and stderr are both empty strings unfortunately.

Thanks,

Simon



Re: Capturing the log output of opensmtpd

2022-10-15 Thread Simon Harrison
On Sat, 15 Oct 2022 15:20:31 +0200
Martijn van Duren  wrote:

> On Sat, 2022-10-15 at 13:21 +0100, Simon Harrison wrote:
> > Hello. I'm using Python subprocess to send mails on a linux server.
> > For outlook.com addresses I get the following error in
> > /var/log/mail.log:
> > 
> > Oct 14 11:41:22 myhost smtpd[1846073]: f01b467faa967988 mta delivery
> > evpid=d9b3ae9518ff979a from= to=
> > rcpt=<-> source="server.ip.address" relay="104.47.56.161
> > (104.47.56.161)" delay=2s result="PermFail" stat="550 5.7.1
> > Unfortunately, messages from [server.ip.address] weren't sent.
> > Please contact your Internet service provider since part of their
> > network is on our block list (S3140). You can also refer your
> > provider to http://mail.live.com/mail/troubleshooting.aspx#errors.
> > [CO1NAM11FT072.eop-nam11.prod.protection.outlook.com]"
> > 
> > So my question is, is there any way to get that output rather than
> > ssh-ing into the server and checking the log? Can opensmtpd return
> > that output as well as logging it? Python subprocess.stdout
> > suggests that opensmtpd does not return anything other than 0 or 1.
> > 
> > Cheers,
> > 
> > Simon
> > 
> It's sent over syslog. So you can do whatever your syslog daemon
> supports. If you use rsyslog one option could be to write it to a
> named pipe:
> https://www.rsyslog.com/doc/v8-stable/configuration/modules/ompipe.html
> 
> martijn@
> 

Brilliant. I'll look into that. 

Many thanks,

Simon
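
An added example, not part of the original posts: once the syslog stream is available to a program (for instance through the rsyslog named pipe suggested above), the `mta delivery` lines can be parsed so that the remote server's rejection text reaches the sending application. The sample log lines are constructed, modelled on the line quoted in this thread, and the addresses and FIFO path are placeholders.

```python
import re
from typing import Iterable, Iterator, Optional

# "<syslog prefix> smtpd[pid]: <session id> mta delivery key=value ..."
DELIVERY = re.compile(
    r'smtpd\[\d+\]: (?P<session>[0-9a-f]{16}) mta delivery (?P<fields>.*)$'
)
# A value is "quoted text", <bracketed>, or a bare token (possibly empty).
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|<[^>]*>|\S*)')
# SMTP reply code plus optional enhanced status code at the start of stat=
REPLY = re.compile(r'^(\d{3})(?:[ -](\d\.\d{1,3}\.\d{1,3}))?')


def parse_delivery(line: str) -> Optional[dict]:
    """Return the fields of one 'mta delivery' line, or None for other lines."""
    m = DELIVERY.search(line.rstrip("\n"))
    if m is None:
        return None
    rec = {"session": m.group("session")}
    for key, val in FIELD.findall(m.group("fields")):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]          # drop the surrounding quotes
        rec[key] = val
    code = REPLY.match(rec.get("stat", ""))
    # Local failures such as "Network error on destination MXs" carry no code.
    rec["smtp_code"] = code.group(1) if code else None
    rec["enhanced_code"] = code.group(2) if code else None
    return rec


def failures(lines: Iterable[str]) -> Iterator[dict]:
    """Yield every delivery record whose result is not "Ok"."""
    for line in lines:
        rec = parse_delivery(line)
        if rec is not None and rec.get("result") != "Ok":
            yield rec


# Constructed sample; a trailing backslash only wraps one long log line.
SAMPLE_LOG = """\
Oct 14 11:41:22 myhost smtpd[1846073]: f01b467faa967988 mta delivery \
evpid=d9b3ae9518ff979a from=<sender@example.org> to=<rcpt@example.net> \
rcpt=<-> source="server.ip.address" relay="104.47.56.161 (104.47.56.161)" \
delay=2s result="PermFail" stat="550 5.7.1 Unfortunately, messages from \
[server.ip.address] weren't sent. (S3140)"
Oct 14 11:42:03 myhost smtpd[1846073]: f01b467faa967989 mta delivery \
evpid=d9b3ae9518ff979b from=<sender@example.org> to=<rcpt@example.com> \
rcpt=<-> source="server.ip.address" relay="mx.example.com (192.0.2.25)" \
delay=1s result="Ok" stat="250 2.0.0 Ok: queued"
Oct 14 11:43:10 myhost smtpd[1846073]: f01b467faa96798a mta delivery \
evpid=d9b3ae9518ff979c from=<sender@example.org> to=<rcpt@example.com> \
rcpt=<-> source="-" relay="mx.example.com" delay=5s result="TempFail" \
stat="Network error on destination MXs"
"""

if __name__ == "__main__":
    # In production, iterate over the pipe instead, e.g.
    # open("/path/to/smtpd.fifo") (hypothetical path).
    for rec in failures(SAMPLE_LOG.splitlines()):
        print(rec["session"], rec["to"], rec["result"], rec["stat"])
```
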



Capturing the log output of opensmtpd

2022-10-15 Thread Simon Harrison
Hello. I'm using Python subprocess to send mails on a linux server. For
outlook.com addresses I get the following error in /var/log/mail.log:

Oct 14 11:41:22 myhost smtpd[1846073]: f01b467faa967988 mta delivery
evpid=d9b3ae9518ff979a from= to=
rcpt=<-> source="server.ip.address" relay="104.47.56.161
(104.47.56.161)" delay=2s result="PermFail" stat="550 5.7.1
Unfortunately, messages from [server.ip.address] weren't sent. Please
contact your Internet service provider since part of their network is
on our block list (S3140). You can also refer your provider to
http://mail.live.com/mail/troubleshooting.aspx#errors.
[CO1NAM11FT072.eop-nam11.prod.protection.outlook.com]"

So my question is, is there any way to get that output rather than
ssh-ing into the server and checking the log? Can opensmtpd return that
output as well as logging it? Python subprocess.stdout suggests that
opensmtpd does not return anything other than 0 or 1.

Cheers,

Simon



Re: SMTP AUTH for both system and virtual users?

2022-08-19 Thread Simon Harrison
On Fri, 19 Aug 2022 13:00:27 +0200
Kamil Andrusz  wrote:

> Hello All,
> 
> I’ve an old existing setup where I have existing system users. I
> would like to add new domains and use virtual users (no need for them
> to have system accounts). The system has only one IP available.
> 
> I implemented the expected solution on Dovecot side simply by using
> multiple passdb/userdb entries.
> 
> However I can’t figure out how (or if it’s at all possible with a
> single IP) to get SMTP AUTH working for both system and virtual users
> with OpenSMTPD.
> 
> Is that possible and if it is, any hints how to do it?
> 
> Thank you in advance!
> 
> With best regards,
> Kamil Andrusz
> 

According to the man page it is supported:

https://man.openbsd.org/smtpd.conf

listen on interface [family] [options]
Listen on the interface for incoming connections, using the same
syntax as ifconfig(8). The interface parameter may also be an interface
group, an IP address, or a domain name. Listening can optionally be
restricted to a specific address family, which can be either inet4 or
inet6.

The options are as follows:

auth [<authtable>]
Support SMTPAUTH: clients may only start SMTP transactions
after successful authentication. Users are authenticated against
either their own normal login credentials or a credentials table
authtable, the format of which is described in table(5).


From one of my conf's (using a credentials table):

table secrets file:/etc/mail/secrets

listen on eth0 port 465 smtps pki mydomain.com auth <secrets>

match from auth for any action "relay"

Good luck!




Re: Is nooSMTPD available anywhere?

2022-06-23 Thread Simon Harrison
On Thu, 23 Jun 2022 14:54:36 -0400
Demi Marie Obenour  wrote:

> Is nooSMTPD available anywhere?

That's weird. I'm sure it used to be on Gilles' github:

https://github.com/poolpOrg

Seems to have been removed. 



Re: Help setting up relay

2022-06-17 Thread Simon Harrison
On Fri, 17 Jun 2022 09:54:13 +0100
Nick Ryan  wrote:

> I use this in my smtpd.conf:  and I have a user defined on the mail
> server that matches.
> 
> 
> table secrets file:/etc/mail/secrets
> action "outbound" relay host
> smtp+tls://usern...@mail.relayserver.net:587 auth  helo
> myhostname.com match from local for any action "outbound"
> 
> 
> secrets file:
> username usern...@mailaddress.net:password
> 
> 
> Hope that helps or points you in the right direction.
> 
> Nick
> 

Thanks Nick. I'll give it a try later on.

Simon



Re: Help setting up relay

2022-06-16 Thread Simon Harrison
On Thu, 16 Jun 2022 17:18:56 +0100
Simon Harrison  wrote:

> Embarrassingly, I'm struggling to set up a relay from my home pc,
> laptops etc via my servers. 
> 
> In the snippet below from the smtpd.conf, the match from src works
> great. I can't work out the correct syntax for the match mail-from
> line:
> 
> table secrets file:/etc/mail/secrets
> 
> action "relay" relay
> 
> match from src xxx.xxx.xxx.xxx for any action "relay"
> 
> match mail-from "h...@mydomain.com" auth  for any action
> "relay"
> 
> In /etc/mail/secrets I have
> 
> h...@mydomain.com 
> 
> Any help appreciated. 
> 
> Simon
> 

OK, I've been doing some more research and realised the auth keyword
should be in the listen section on server:

server smtpd.conf:

listen on eth0 port 25 tls pki mydomain.com \
filter { "rdns", "fcrdns", "check_dyndns" } \
auth 

and on home computer smtpd.conf:

action "relay2" relay host smtp://myserver.com auth  \
mail-from "h...@myserver.com"

But, when checking the log, I keep getting:

result="PermFail" stat="530 5.5.1 Invalid command: Must issue an AUTH
command first"






Help setting up relay

2022-06-16 Thread Simon Harrison
Embarrassingly, I'm struggling to set up a relay from my home pc,
laptops etc via my servers. 

In the snippet below from the smtpd.conf, the match from src works
great. I can't work out the correct syntax for the match mail-from line:

table secrets file:/etc/mail/secrets

action "relay" relay

match from src xxx.xxx.xxx.xxx for any action "relay"

match mail-from "h...@mydomain.com" auth  for any action
"relay"

In /etc/mail/secrets I have

h...@mydomain.com 

Any help appreciated. 

Simon



Re: Configuration for local send tool -> restricted recipients relayed over SMTP

2021-11-15 Thread Simon Harrison
On Mon, 15 Nov 2021 11:43:41 +0100
"R. Diez"  wrote:

> Hi all:
> 
> I am not an actual sysadmin, not even part time. I don't know much
> about e-mail servers, and I get the shivers just by looking at the
> table of contents of the documentation for Exim or Postfix.
> 

...

> 
> Thanks in advance,
>rdiez
> 

There are lots of pretty general tutorials for getting OpenSMTPD set up.
Here are a couple that helped me:

First one is from Gilles Chehade (one of the main opensmtpd authors)

https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/

https://unixsheikh.com/tutorials/arch-linux-mail-server-tutorial-part-2-opensmtpd-dovecot-dkimproxy-and-lets-encrypt.html

I even did my own little tutorial for outgoing mail only:

https://simonh.uk/2021/04/16/opensmtpd-for-outgoing-mail-only/

As we all have slightly different requirements, I doubt anyone will
have a smtpd.conf that is exactly what you need. Below is one of my
conf's in use on a production server for a few months now. Bear in
mind, I only use it for outgoing mail and don't use a relay.

/etc/smtpd.conf

#   $OpenBSD: smtpd.conf,v 1.10 2018/05/24 11:40:17 gilles Exp $

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

table aliases file:/etc/aliases

pki somedomain.com key "/etc/letsencrypt/live/somedomain.com/privkey.pem"
pki somedomain.com cert "/etc/letsencrypt/live/somedomain.com/fullchain.pem"

filter dkimsign proc-exec "filter-dkimsign -d somedomain.com \
-s 20210724 -k /etc/mail/dkim/private.rsa.key" user _dkimsign \
group _dkimsign

filter check_dyndns phase connect match rdns regex { '.*\.dyn\..*', '.*\.dsl\..*' } \
disconnect "550 no residential connections"

filter check_rdns phase connect match !rdns \
disconnect "550 no rDNS is so 80s"

filter check_fcrdns phase connect match !fcrdns \
disconnect "550 no FCrDNS is so 80s"

action "local" maildir alias <aliases>
action "relay" relay

match for local action "local"
match from local for any action "relay"
match from any for domain "somedomain.com" action "local" 

listen on socket filter "dkimsign"
listen on localhost filter "dkimsign"
listen on eth0 port 25 tls pki somedomain.com filter { "dkimsign",\
check_dyndns, check_rdns, check_fcrdns }

Good luck.

-- 
Web: https://simonh.uk
Email: m...@simonh.uk




Re: dkimsign doesn't sign message sent from mail command

2021-10-21 Thread Simon Harrison
On Wed, 20 Oct 2021 20:19:22 -0700
p...@mostlybsd.com wrote:

> Hello!
> 
> I am killing myself on configuring this simple tool. Messages sent
> from mail command ($ mail u...@example.com) aren't being signed but
> otherwise arrive at the external receiving server with everything
> else looking good.
> 
> smtpd.conf:
> 
> filter "dkimsign_rsa" proc-exec "filter-dkimsign -d
> smtp.mostlybsd.com -s 10172021 \
>  -k /etc/mail/dkim/10172021.rsa.key" user _dkimsign group 
> _dkimsign
> 
> listen on socket filter "dkimsign_rsa"
> listen on lo0 filter "dkimsign_rsa"
> listen on vio1 filter "dkimsign_rsa"
> 
> action "outbound" relay
> 
> match from any for any action "outbound"
> 
> The only thing a little unusual in regards to dkimsign is I first 
> installed the ed25519 version, then deleted it (including pkg_delete
> -a and removing user and group), then added again with the RSA only 
> version.
> 
> At the moment, I don't have anything else configured for sending mail 
> from this server.
> 
> If anyone can enlighten me as to what I am missing, I would really 
> appreciate it.
> 
> Thank you,
> 
> 
> Paul
> 

I'm no expert on opensmtpd, but I have this in my conf:

listen on localhost filter "dkimsign"

Might be worth trying.


-- 
Web: https://simonh.uk
Email: m...@simonh.uk




Re: Help setting up SRS

2021-07-12 Thread Simon Harrison
It appears that simply invoking mail with -r m...@simonh.uk did the
trick! Not going in the spam folder anyway...


-- 
Web: https://simonh.uk
Email: m...@simonh.uk




Help setting up SRS

2021-07-12 Thread Simon Harrison
Hello all. Another day, another problem!

I'm trying to get SRS working from my home computer. I'm using
mail.baby as an SMTP relay (which works). However the from address is
my home computer, rather than m...@simonh.uk (which is what I want).

Any help appreciated.

Here's my smtpd.conf:

#   $OpenBSD: smtpd.conf,v 1.10 2018/05/24 11:40:17 gilles Exp $

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

table aliases file:/etc/aliases
table secrets file:/etc/mail/secrets

srs key "my-long-secret-key"

listen on localhost 

action "local" maildir alias <aliases>
action "outgoing_mails" relay srs
action "outbound" relay host smtp+tls://mailb...@relay.mailbaby.net:587 auth <secrets>

match for local action "local"
match from local for any action "outbound" 

-- 
Web: https://simonh.uk
Email: m...@simonh.uk




Re: How to check if TLS enabled?

2021-06-25 Thread Simon Harrison
On Fri, 25 Jun 2021 16:21:18 +0100
Simon Harrison  wrote:

> On Fri, 25 Jun 2021 11:15:44 -0400
> chris  wrote:
> 
> > $ openssl s_client -starttls smtp -connect example.com:25
> 

Ah, I tried from a different server (not example.com) 

The final bit looks like this (which I think is all good)?

Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol  : TLSv1.3
Cipher: TLS_AES_256_GCM_SHA384
Session-ID:
BEDED905BA61C76329A26A3E4ED3CA0A138CE33481E9BF0C593C4037F41C32C0
Session-ID-ctx: Resumption PSK:
4EF05EE86153440BA789388A2DFFEE685D43F8A591897F5C737675BAAE8838507559011CBC5C5BF74CD52BCD1292DA1D
PSK identity: None PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
 - 60 5e d6 fc a3 47 44 42-4a 50 75 db 4d a9 7f 07
`^...GDBJPu.M... 0010 - c6 00 4d e0 9b 41 53 83-f7 90 c4 42 83 19 76 b7
  ..M..ASB..v.

Start Time: 1624634527
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
^C




-- 
Web: https://simonh.uk
Email: m...@simonh.uk




Re: How to check if TLS enabled?

2021-06-25 Thread Simon Harrison
On Fri, 25 Jun 2021 11:15:44 -0400
chris  wrote:

> $ openssl s_client -starttls smtp -connect example.com:25

Thanks Chris. That fails:

140500707382400:error:0200206F:system library:connect:Connection
refused:../crypto/bio/b_sock2.c:110: 140500707382400:error:2008A067:BIO
routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=111

Any idea where I should start troubleshooting?


-- 
Web: https://simonh.uk
Email: m...@simonh.uk




How to check if TLS enabled?

2021-06-25 Thread Simon Harrison
From what I can gather, SPF and DKIM are in the mail headers. What is
an easy way to check that TLS is working correctly? I have the
following in my /etc/smtpd.conf

listen on eth0 tls pki example.com

Thanks

-- 
Web: https://simonh.uk
Email: m...@simonh.uk




Re: Tutorial for filter-dkimsign on Debian

2021-06-23 Thread Simon Harrison
On Wed, 23 Jun 2021 17:02:28 +0200
Martijn van Duren  wrote:

> Note that with this setup you only sign mail received via the local
> unix socket. In other words: via the sendmail command submission.
> Also, if a mail is sent via this way and smtpd is down it's
> "manually" queued by smtpctl (in sendmail mode) itself, which
> circumvents the filter code. If a mail is sent over tcp via localhost
> it won't be signed, since it doesn't have the filter statement.
> 
> The filter command should be placed on each "listen on" statement you
> want the filter to apply. Maybe you intend it like this, but if you're
> going to post this it might become a pitfall for others.
> 
> Anyway, thanks for sharing and hope it runs well for you.
> 
> 

Out of curiosity, Martijn, what would you recommend for both an
outgoing only and outgoing/incoming server? As I wrote previously,
having 

listen on socket filter "dkimsign"

was the only way I could get dkimsign to work?!

I'm not very clued up on mail servers (at all). 

Thanks,

Simon

-- 

Web: https://simonh.uk
Email: m...@simonh.uk




Re: Tutorial for filter-dkimsign on Debian

2021-06-23 Thread Simon Harrison
On Wed, 23 Jun 2021 17:02:28 +0200
Martijn van Duren  wrote:

> Note that with this setup you only sign mail received via the local
> unix socket. In other words: via the sendmail command submission.
> Also, if a mail is sent via this way and smtpd is down it's
> "manually" queued by smtpctl (in sendmail mode) itself, which
> circumvents the filter code. If a mail is sent over tcp via localhost
> it won't be signed, since it doesn't have the filter statement.
> 
> The filter command should be placed on each "listen on" statement you
> want the filter to apply. Maybe you intend it like this, but if you're
> going to post this it might become a pitfall for others.
> 
> Anyway, thanks for sharing and hope it runs well for you.
> 
> 

Ah yes, I'll make a note that this is for an outgoing only mail server.
I've not yet dared muck about with incoming mail!

-- 

Web: https://simonh.uk
Email: m...@simonh.uk
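
An added example, not part of the original posts or of OpenSMTPD: a small check for the pitfall described above, that a filter only applies to the `listen on` statements that name it. It reads an smtpd.conf, follows backslash continuations and `chain` definitions, and reports every listener that never reaches a `filter-dkimsign` proc-exec filter; the sample configuration is constructed from snippets in this thread with example.com as a placeholder domain.

```python
import re

NAME = r'"[^"]+"|[^\s{},]+'
# filter <name> proc-exec|proc|phase|chain <rest>
FILTER_DEF = re.compile(r'^filter\s+(' + NAME + r')\s+(proc-exec|proc|phase|chain)\b(.*)$')
# "... filter <name>" or "... filter { a, b }" on a listen line
FILTER_USE = re.compile(r'\bfilter\s+(\{[^}]*\}|' + NAME + r')')


def logical_lines(text):
    """Join backslash-continued lines, drop comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not buf and line.lstrip().startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(" ".join(buf.split()))   # collapse runs of whitespace
        buf = ""
    if buf.strip():
        out.append(" ".join(buf.split()))
    return out


def names(spec):
    """Filter names in a single name or a { a, "b" } list, quotes removed."""
    return [n.strip('"') for n in re.findall(NAME, spec.strip("{} "))]


def expand(name, chains, seen=None):
    """Resolve a chain name to the set of filters it contains."""
    if seen is None:
        seen = set()
    if name in seen:                 # guard against a chain that names itself
        return set()
    seen.add(name)
    if name not in chains:
        return {name}
    members = set()
    for member in chains[name]:
        members |= expand(member, chains, seen)
    return members


def unsigned_listeners(conf_text, signer="filter-dkimsign"):
    """Return the listen lines that have no signing filter attached."""
    signing, chains, listens = set(), {}, []
    for line in logical_lines(conf_text):
        m = FILTER_DEF.match(line)
        if m:
            name, kind, rest = m.group(1).strip('"'), m.group(2), m.group(3)
            if kind == "chain":
                chains[name] = names(rest)
            elif kind == "proc-exec" and signer in rest:
                signing.add(name)
        elif line.startswith("listen on "):
            listens.append(line)
    missing = []
    for line in listens:
        use = FILTER_USE.search(line)
        attached = set()
        for n in (names(use.group(1)) if use else []):
            attached |= expand(n, chains)
        if not attached & signing:
            missing.append(line)
    return missing


# Constructed sample configuration (placeholder domain and selector).
SAMPLE = r'''
filter dkimsign proc-exec "filter-dkimsign -d example.com -s 20210622 \
    -k /etc/mail/dkim/private.rsa.key" user _dkimsign group _dkimsign
filter check_rdns phase connect match !rdns disconnect "550 no rDNS"
filter outbound chain { check_rdns, dkimsign }

listen on socket filter "dkimsign"
listen on localhost tls pki example.com
listen on eth0 port 25 tls pki example.com filter { "check_rdns" }
listen on eth0 port 587 tls-require pki example.com auth filter outbound
'''

if __name__ == "__main__":
    for line in unsigned_listeners(SAMPLE):
        print("no DKIM signing filter:", line)
```

A listener that only receives inbound mail may be reported here on purpose; the output is a list to review, not a list of errors.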




Tutorial for filter-dkimsign on Debian

2021-06-23 Thread Simon Harrison
Not sure if I'm supposed to do this, but as I like to document things
that I've found hard, I've put up a tutorial for getting dkim working
with opensmtpd. The link is below in case it might help someone now or
in the future:

https://simonh.uk/2021/06/23/get-dkim-working-with-opensmtpd/

-- 

Web: https://simonh.uk
Email: m...@simonh.uk




Re: filter-dkimsign -- listen on socket required?

2021-06-23 Thread Simon Harrison
On Wed, 23 Jun 2021 15:35:13 +0200
Martijn van Duren  wrote:

> I worked hard recently to get it into Debian with rak@debian.[0][1]
> 
> A simple example of how to set it up is part of the OpenBSD package[2]
> and will also be part of Debian's package[3].
> 
> "Unfortunately" Debian is currently getting ready for release, so it
> might take some time before this work actually lands in the Debian
> repos, but it's all queued up.
> 
> Hope this helps.
> 
> martijn@
> 
> [0] https://www.mail-archive.com/misc@opensmtpd.org/msg05329.html
> [1] https://www.mail-archive.com/misc@opensmtpd.org/msg05336.html
> [2]
> http://cvsweb.openbsd.org/ports/mail/opensmtpd-filters/dkimsign/pkg/README?rev=1.2=text/x-cvsweb-markup
> [3]
> https://salsa.debian.org/debian/opensmtpd-filter-dkimsign/-/blob/debian/sid/debian/README.Debian
> 
> 

Your work is much appreciated Martijn. I'm doing (an idiot's) guide on my
blog right now. I'll put the link on here in case it might help someone
else.

Cheers,

Simon

-- 

Web: https://simonh.uk
Email: m...@simonh.uk




filter-dkimsign -- listen on socket required?

2021-06-23 Thread Simon Harrison
Afternoon all.

After *much* hunting around for examples, I've finally gotten
filter-dkimsign working correctly (on Debian 10). 

from my /etc/smtpd.conf:

filter dkimsign proc-exec "filter-dkimsign -d mydomain.com -s 20210622
-k /etc/mail/dkim/private.rsa.key" user _dkimsign group _dkimsign

listen on socket filter "dkimsign"
listen on localhost tls pki mydomain.com

It turned out that the line:

listen on socket filter "dkimsign" 

did the trick. To be fair, it's right there on 

https://man.openbsd.org/smtpd.conf

but I must have continually missed it until now. Perhaps it might be
helpful to have a couple of examples in the filter-dkimsign man page?

Also, it would be great to see this filter incorporated into the main
package as the alternatives (dkimproxy, rspamd) seem to need ~200MB of
ram.

-- 

Web: https://simonh.uk
Email: m...@simonh.uk




Re: IRC freenode #opensmtpd has reached user limit - can you increase?

2021-06-11 Thread Simon Harrison
On Fri, 11 Jun 2021 11:02:24 +
Peter Thurner | Blunix GmbH  wrote:

> Hi,
> 
> I've been trying to join the #opensmtpd on freenode for a few days,
> however it seems to have reached its user limit. Can somebody please
> increase this? Thank you.
> 
> 

It's moved to libera.chat (see below):

https://www.mail-archive.com/misc@opensmtpd.org/msg05303.html

-- 

Web: https://simonh.uk
Email: m...@simonh.uk




Re: New release libopensmtpd and filter-dkimsign

2021-06-10 Thread Simon Harrison
On Thu, 10 Jun 2021 13:13:30 +0200
Martijn van Duren  wrote:

> EHLO,
> 
> I just pushed a new release of libopensmtpd and filter-dkimsign to the
> OpenBSD ports tree. These contain the following changes:
> 
> libopensmtpd (0.7):
> - Registering OSMTPD_PHASE_LINK_CONNECT should be OSMTPD_TYPE_REPORT
> - Fix manpage: 0 is for outgoing connections, not 2.
>   From Edgar Pettijohn  pettijohn-web  com>
> - Fix a spelling mistake.
>   From Ryan Kavanagh  debian  org>
> - Major overhaul of the Makefile.gnu so that things properly build on
>   Debian (not relevant for OpenBSD)
>   With Ryan Kavanagh  debian  org>
> 
> filter-dkimsign (0.5):
> - Add support for ed25519. This currently requires openssl1.1
> libcrypto and is thus only enabled in an ed25519 flavor of the
> package. Lots of help from tb@ and sthen@
> - Fix error handling in a couple of places
> - Fix an initialization issue
>   Spotted by Maarten de Vries  de-vri  es>
> - Fix a couple of signedness warnings
> - Allow filter-dkimsign to be built on Debian (not relevant for
> OpenBSD) With Ryan Kavanagh  debian  org>
> 
> The two major things:
> - filter-dkimsign now supports ed25519. Since LibreSSL doesn't have
>   ed25519 signing yet it requires building against OpenSSL (I've only
>   tested version 1.1). People on OpenBSD wanting to sign with ed25519
>   should install the ed25519 flavor, which links against openssl's
>   libcrypto. Note that in my testing many major mail platforms don't
>   support ed25519 verifying, so continuing to sign with RSA in
> addition to ed25519 is still recommended.
> - libopensmtpd and filter-dkimsign should now be able to build on
> Debian without problems and should appear in the testing release of
> Debian soon(tm). This also means that other Linux distros should
> probably be able to compile and package them. If you run into issues
> please contact me so that things can be ironed out.
> 
> For people who want to test filter-dkimsign on other platforms, the
> source can be downloaded at:
> https://distfiles.sigtrap.nl/libopensmtpd-0.7.tar.gz
> https://distfiles.sigtrap.nl/filter-dkimsign-0.5.tar.gz
> 
> martijn@
> 
> 

Hello again. I've got libopensmtpd and filter-dkimsign compiled and
installed successfully (I think) but something is wrong as no mail is
sent with the below config. According to

https://dmarcly.com/tools/dkim-record-checker

everything is fine DNS wise. 

I used the sample from

https://openports.pl/path/mail/opensmtpd-filters/dkimsign

Here is my /etc/smtpd.conf:

#   $OpenBSD: smtpd.conf,v 1.10 2018/05/24 11:40:17 gilles Exp $

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

table aliases file:/etc/aliases

# To accept external mail, replace with: listen on all
#
listen on localhost

action "local" maildir alias <aliases>
action "relay" relay

# Uncomment the following to accept external mail for domain "example.org"
#
# match from any for domain "example.org" action "local"
match for local action "local"
match from local for any action "relay"

# Below is for filter-dkimsign
filter "dkimsign" proc-exec "filter-dkimsign -d  -s -k /mail/dkim/b0x.key" user _dkimsign group _dkimsign
listen on localhost filter "dkimsign"

I wondered if the user and group might be the issue so commented them
out, but that didn't help. 

Do I need to create a _dkimsign user and group? Any help appreciated. I
feel so close now. I've tried rspamd and dkimproxy but they both use
about 200MB on my server which seems somewhat heavy.

-- 

Web: https://simonh.uk
Email: m...@simonh.uk




Re: New release libopensmtpd and filter-dkimsign

2021-06-10 Thread Simon Harrison
On Thu, 10 Jun 2021 13:52:33 +0200
Martijn van Duren  wrote:

> On Thu, 2021-06-10 at 12:35 +0100, Simon Harrison wrote:
> > On Thu, 10 Jun 2021 13:13:30 +0200
> > Martijn van Duren  wrote:
> >   
> > > EHLO,
> > > 
> > > I just pushed a new release of libopensmtpd and filter-dkimsign
> > > > to the OpenBSD ports tree. These contain the following changes:
> > > 
> > > libopensmtpd (0.7):
> > > - Registering OSMTPD_PHASE_LINK_CONNECT should be
> > > OSMTPD_TYPE_REPORT
> > > - Fix manpage: 0 is for outgoing connections, not 2.
> > >   From Edgar Pettijohn  pettijohn-web  com>
> > > - Fix a spelling mistake.
> > >   From Ryan Kavanagh  debian  org>
> > > - Major overhaul of the Makefile.gnu so that things properly
> > > build on Debian (not relevant for OpenBSD)
> > >   With Ryan Kavanagh  debian  org>
> > > 
> > > filter-dkimsign (0.5):
> > > - Add support for ed25519. This currently requires openssl1.1
> > > libcrypto and is thus only enabled in an ed25519 flavor of the
> > > package. Lots of help from tb@ and sthen@
> > > - Fix error handling in a couple of places
> > > - Fix an initialization issue
> > >   Spotted by Maarten de Vries  de-vri  es>
> > > - Fix a couple of signedness warnings
> > > > - Allow filter-dkimsign to be built on Debian (not relevant for
> > > OpenBSD) With Ryan Kavanagh  debian  org>
> > > 
> > > The two major things:
> > > - filter-dkimsign now supports ed25519. Since LibreSSL doesn't
> > > have ed25519 signing yet it requires building against OpenSSL
> > > (I've only tested version 1.1). People on OpenBSD wanting to sign
> > > > with ed25519 should install the ed25519 flavor, which links
> > > against openssl's libcrypto. Note that in my testing many major
> > > mail platforms don't support ed25519 verifying, so continuing to
> > > sign with RSA in addition to ed25519 is still recommended.
> > > - libopensmtpd and filter-dkimsign should now be able to build on
> > > Debian without problems and should appear in the testing release
> > > of Debian soon(tm). This also means that other Linux distros
> > > should probably be able to compile and package them. If you run
> > > > into issues please contact me so that things can be ironed out.
> > > 
> > > For people who want to test filter-dkimsign on other platforms,
> > > the source can be downloaded at:
> > > https://distfiles.sigtrap.nl/libopensmtpd-0.7.tar.gz
> > > https://distfiles.sigtrap.nl/filter-dkimsign-0.5.tar.gz
> > > 
> > > martijn@
> > > 
> > >   
> > 
> > Hello. Just tried compiling on MX Linux 19.4 (Debian 10) and get
> > this error:
> > 
> > $ make -f Makefile.gnu 
> > cc -I/home/simon/src/libopensmtpd-0.7/
> > -I/home/simon/src/libopensmtpd-0.7//openbsd-compat/ -Wall
> > -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations
> > -Wshadow -Wpointer-arith -Wcast-qual -Wsign-compare -fPIC
> > -DNEED_RECALLOCARRAY=1 -DNEED_STRLCAT=1 -DNEED_STRLCPY=1
> > -DNEED_STRTONUM=1   -c -o opensmtpd.o opensmtpd.c
> > opensmtpd.c:27:10: fatal error: event.h: No such file or directory
> > #include 
> > ^
> > compilation terminated.
> > make: *** [: opensmtpd.o] Error 1
> > 
> > 
> >   
> You're missing the libevent-dev.
> 
> When I get a header missing error I usually go to:
> https://packages.debian.org and search via
> "Search the contents of packages" for that particular file.
> 
> 
> 

That was it. Also need to have libssl-dev installed for
filter-dkim. 

Thanks for the help.

-- 

Web: https://simonh.uk
Email: m...@simonh.uk




Re: New release libopensmtpd and filter-dkimsign

2021-06-10 Thread Simon Harrison
On Thu, 10 Jun 2021 13:13:30 +0200
Martijn van Duren  wrote:

> EHLO,
> 
> I just pushed a new release of libopensmtpd and filter-dkimsign to the
> OpenBSD ports tree. These contain the following changes:
> 
> libopensmtpd (0.7):
> - Registering OSMTPD_PHASE_LINK_CONNECT should be OSMTPD_TYPE_REPORT
> - Fix manpage: 0 is for outgoing connections, not 2.
>   From Edgar Pettijohn  pettijohn-web  com>
> - Fix a spelling mistake.
>   From Ryan Kavanagh  debian  org>
> - Major overhaul of the Makefile.gnu so that things properly build on
>   Debian (not relevant for OpenBSD)
>   With Ryan Kavanagh  debian  org>
> 
> filter-dkimsign (0.5):
> - Add support for ed25519. This currently requires openssl1.1
> libcrypto and is thus only enabled in an ed25519 flavor of the
> package. Lots of help from tb@ and sthen@
> - Fix error handling in a couple of places
> - Fix an initialization issue
>   Spotted by Maarten de Vries  de-vri  es>
> - Fix a couple of signedness warnings
> - Allow filter-dkimsign to be built on Debian (not relevant for
> OpenBSD) With Ryan Kavanagh  debian  org>
> 
> The two major things:
> - filter-dkimsign now supports ed25519. Since LibreSSL doesn't have
>   ed25519 signing yet it requires building against OpenSSL (I've only
>   tested version 1.1). People on OpenBSD wanting to sign with ed25519
>   should install the ed25519 flavor, which links against openssl's
>   libcrypto. Note that in my testing many major mail platforms don't
>   support ed25519 verifying, so continuing to sign with RSA in
> addition to ed25519 is still recommended.
> - libopensmtpd and filter-dkimsign should now be able to build on
> Debian without problems and should appear in the testing release of
> Debian soon(tm). This also means that other Linux distros should
> probably be able to compile and package them. If you run into issues
> please contact me so that things can be ironed out.
> 
> For people who want to test filter-dkimsign on other platforms, the
> source can be downloaded at:
> https://distfiles.sigtrap.nl/libopensmtpd-0.7.tar.gz
> https://distfiles.sigtrap.nl/filter-dkimsign-0.5.tar.gz
> 
> martijn@
> 
> 

Hello. Just tried compiling on MX Linux 19.4 (Debian 10) and get this
error:

$ make -f Makefile.gnu 
cc -I/home/simon/src/libopensmtpd-0.7/
-I/home/simon/src/libopensmtpd-0.7//openbsd-compat/ -Wall
-Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations
-Wshadow -Wpointer-arith -Wcast-qual -Wsign-compare -fPIC
-DNEED_RECALLOCARRAY=1 -DNEED_STRLCAT=1 -DNEED_STRLCPY=1
-DNEED_STRTONUM=1   -c -o opensmtpd.o opensmtpd.c
opensmtpd.c:27:10: fatal error: event.h: No such file or directory
#include 
^
compilation terminated.
make: *** [: opensmtpd.o] Error 1



-- 

Web: https://simonh.uk
Email: m...@simonh.uk