Re: Wrote a blogpost on OpenSMTPD mailrelay - feedback appreciated

2024-03-10 Thread Stuart D Gathman

On Sat, 9 Mar 2024, Paul Pace wrote:

That said, you are exactly correct about the problem with Postfix being an 
enterprise-grade tool that retains its enterprise-grade complexity. Being 
"easier to configure than Sendmail" is too low of a bar and I really think 
that OpenSMTPD is what the vast majority of admins would prefer (vs what 
they are really doing but won't admit right now - cargo culting their Postfix 
configurations), but the only OS that genuinely supports OpenSMTPD is OpenBSD 
(FreeBSD uses Sendmail WTF), so few people have ever even heard of it.


I use OpenSMTPD for peer to peer email, because it is small and
relatively simple.  I've been able to keep up with old friends thanks to
p2p email, which doesn't depend on DNS, clearnet IPs, etc.

I need to update this article (opensmtpd config has changed since it was
posted), but the p2p setup is another well fitted use of opensmtpd.

https://fedoramagazine.org/decentralize-common-fedora-apps-cjdns/



Hello and mixed dex/dns operation question

2020-10-12 Thread Stuart D. Gathman
I have been using opensmtpd for fully dex operation, as described in 
https://fedoramagazine.org/decentralize-common-fedora-apps-cjdns/
(Yes the smtpd.conf has changed a bit since that article was written.)

Now, I wanted to also relay outgoing mail that is *not* a raw IP
through a server.  Using relay host is straightforward, but then I lose
the fully dex operation.  Is there any way to have my cake and eat it
too?






Re: Monitoring SMTPD

2021-04-29 Thread Stuart D Gathman

On Thu, 29 Apr 2021, Antonino Sidoti wrote:


I was wondering what options are available to monitor OpenBSD SMTPD? Can
SNMP be utilised? My monitoring system is PRTG and I am using that for most
of my systems. Can someone share their way of monitoring please? I run two
OpenSMTP mail servers and would very much like to get some insight as to how
they are performing day to day. 


I use nagios.  Basic monitoring just connects to port 25 and verifies
that there is a response.

Most of my servers use sendmail (I use opensmtpd for vms and peer to
peer), and the milter API allows me to implement "Magic HELO", to
trigger GC of python milters, and report on various stats.  (Note that
"GC" is not a legal helo name, and thus there is an opening for command
extension.)

I wonder if something similar to magic HELO is possible with opensmtpd,
maybe through filters?

Re: Monitoring SMTPD

2021-04-29 Thread Stuart D Gathman

On Thu, 29 Apr 2021, Lukas Tribus wrote:


So I send emails through a critical SMTP infrastructure to a
healthchecks.io endpoint, which triggers an alert in the *absence* of
the email.


That's a great idea.




Re: How to copy all outgoing mails based on sender definition

2021-06-09 Thread Stuart D Gathman

On Mon, 7 Jun 2021, Hagen Bauer wrote:


is this really not possible or planned?

No way? I really like the way opensmtpd is configured and I would hate to 
move back to postfix but this is really critical


Any ideas or hints?


On sendmail, I use the milter API.  The filter API on opensmtpd might
be able to do it.  If the filter program gets a copy of the message
to analyze - it can write it somewhere.

Sorry, I haven't written an opensmtpd filter yet.




Re: Encryption and authentication on private network mail relay?

2021-10-15 Thread Stuart D Gathman

On Fri, 15 Oct 2021, p...@mostlybsd.com wrote:

Authentication? The local network only includes servers in the same data 
center. Presumably, the local network cannot be accessed from outside the 
network controlled by the ISP. I'm already trusting the ISP with the servers 
- is it still a bad idea to run an open relay on a private network, even if I 
configure pf to only accept connections from the approved private network 
servers?


In a similar situation, I run Cjdns on all the servers, and authorize
the specific IPs.  Cjdns is an IPv6 mesh VPN where the packets are
authenticated (IP is hash of pubkey and all sessions are TLS under the
covers) and end to end encrypted.

Pros: dirt simple.  Doesn't depend on private network, works with
"outside the box" connectivity, e.g. I have servers connected via
BATMAN-adv mesh, config doesn't change when servers are moved around
to different providers/locations.  Doesn't require learning how to
configure conventional TLS certs in your MTA.

Cons: lists of authorized IPs are manually maintained.  In theory,
this could be automated (refresh list periodically from an authorized
server).


My brother goes the full cert authority route.  A trusted CA flags 
local MTA certs that are allowed to send mail.


Pros: no lists of IPs to maintain.  Doesn't depend on private network.
Config doesn't change when servers are moved around.  Works with
"outside the box" connectivity.

Cons: Certificate infrastructure is complex and difficult for beginners
to grasp and complex to configure.

Encryption? What is the case for encrypting data traversing the private 
network? I don't find good answers on this, even in general networking type 
considerations.


Both Cjdns and traditional TLS are e2e encrypted.

P.S.  I also use Cjdns with opensmtpd for fully decentralized email:
https://fedoramagazine.org/decentralize-common-fedora-apps-cjdns/



Re: Limit Mail Submission to inet4

2021-11-18 Thread Stuart D Gathman

On Thu, 18 Nov 2021, Simon Hoffmann wrote:


Why?  Why not fix the IPv6 issue?  Our servers deliver to gmail over
IPv6 with no issues.


Hmm, that's interesting. The last time I googled it said that it's a
known issue with gmail and one should use IPv4. Also, the GMail help


No problems sending IPv6 to gmail here either (using he.net).




Re: Why does OpenSMTPD not support pipelining?

2022-05-05 Thread Stuart D Gathman

On Tue, 3 May 2022, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote:


The pipelining extension came about at a time when networks were
slower and latency was higher.  And as Gilles says, the only practical
application is for dealing with a huge number of RCPT commands.
None of those use cases apply any more, so in today's world the
extension doesn't really add anything.


When you do have slow, high latency networks (LoRa mesh, etc) there are
modern transfer protocols that handle pipelining and high latency.

E.g. NNCP (like UUCP but with strong authentication and encryption) is
used for mail transfer over slow links much as UUCP was.




Re: sysupdate and space check

2022-10-26 Thread Stuart D Gathman

On Mon, 24 Oct 2022, Peter Fraser wrote:


I made a stupid mistake; I didn’t check partition sizes before doing a
sysupgrade.

sysupgrade ran out of space on /usr in the middle of the upgrade.

I know I should have checked first but it would be nice if sysupgrade did
warn me.

The site was a 20-minute drive away, and their down time was a lot longer
than I expected.


I always make an LVM or btrfs snapshot and make a boot entry for it.
Then, if something goes wrong, the customer can simply press down
arrow to boot the old system.  Still complex to explain to customer
how to alter default BIOS boot, but with Linux it is pretty much "keep
pressing down arrow until you see the grub menu."

Re: OpenSMTPD ignores the system time zone in mail header and logfile

2022-11-04 Thread Stuart D Gathman

On Thu, 3 Nov 2022, Nils wrote:


The problem is probably Void Linux specific, since I don't have this
problem on a OpenBSD installation.



P.S.: This is a cross-post of 
https://github.com/void-linux/void-packages/issues/39918


I did some research and reported on the github issue.

Summary:

The Received header field should use -, not + when localtime is
not actually UTC.  But Received should not necessarily be in localtime.

NOTE: I am not an opensmtpd dev - just use it for fully decentralized
email (raw IPv6 on encrypted mesh vpn to avoid DNS and TLS cabal 
cancelation).
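To make the offset point above concrete, here is an added example (my own, not code from the post or from OpenSMTPD) that renders a Received date-time with its real numeric offset and measures how far off a stamp lands when the local wall clock is written out but labelled +0000; the instant and the UTC-4 zone are constructed.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

def received_stamp(when, local_tz):
    """Date-time for a Received trace field: local wall-clock time with its true numeric offset.
    West of Greenwich the offset is negative, e.g. 10:00:00 -0400 for 14:00:00 UTC."""
    return format_datetime(when.astimezone(local_tz))

def stamp_skew_seconds(stamp, when):
    """Seconds between the instant a stamp parses to and the instant it was meant to record.
    Zero means the offset matched the wall-clock time; anything else means it was mislabeled."""
    return (parsedate_to_datetime(stamp) - when).total_seconds()

def demo():
    when = datetime(2022, 11, 3, 14, 0, 0, tzinfo=timezone.utc)   # constructed instant
    local = timezone(timedelta(hours=-4))                          # constructed zone, UTC-4
    good = received_stamp(when, local)
    # What a daemon that ignores the zone emits: the local wall clock, but labelled +0000
    bad = format_datetime(when.astimezone(local).replace(tzinfo=timezone.utc))
    return {"good": good, "bad": bad,
            "good_skew": stamp_skew_seconds(good, when),
            "bad_skew": stamp_skew_seconds(bad, when)}
```

The mislabeled stamp parses four hours early, which is exactly the kind of skew that confuses log correlation across hops.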




Re: opensmtpd personal mail server setup

2023-03-26 Thread Stuart D Gathman

On Sun, 26 Mar 2023, Edoardo La Greca wrote:


Hi there, I'm trying to set up an SMTP server using this guide
https://blog.obtusenet.com/byoes-build-your-own-email-server/ but I
cannot receive any email (the `mail` command says "No mail for edo"),
neither from external SMTP servers, nor from the same server (by
sending it from the SMTP server to the same server).


Basic debugging for this kind of problem is to connect by hand.

$ openssl s_client -starttls smtp -connect mail.example.com:25
... Lots of info about server certificates
250 HELP
HELO mypc.example.com
250 mypc.example.com Hello [IPv6:2001:db8:8:808::dead:beef], pleased to meet you
... Can continue with MAIL FROM, RCPT TO, etc if you haven't seen the
problem by now.

BTW, "Invalid pubkey hash" could mean you have an ancient MD5 cert.
I use sendmail with certs, opensmtpd for p2p email, so not familiar
with all the errors.
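The by-hand session above, and the "connect to port 25 and verify there is a response" monitoring from the earlier Monitoring SMTPD reply, scripted as an added example (my code, not from any of the posts): it reads the banner, sends EHLO, parses the multi-line reply and reports the advertised extensions. A constructed stub MTA is included so it runs offline; mail.example.com and probe.example.com are placeholder names.

```python
import socket
import threading

def read_reply(rfile):
    """Parse one SMTP reply: 'NNN-text' lines continue it, 'NNN text' ends it (RFC 5321 4.2)."""
    code, texts = None, []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("peer closed the connection mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed SMTP reply line: %r" % line)
        code, texts = int(line[:3]), texts + [line[4:]]
        if len(line) == 3 or line[3] == " ":
            return code, texts

def smtp_probe(host, port, helo_name="probe.example.com", timeout=10.0):
    """Banner code, EHLO code and advertised extensions; an exception means the MTA is down."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        banner, _ = read_reply(rfile)
        sock.sendall(b"EHLO " + helo_name.encode("ascii") + b"\r\n")
        ehlo, texts = read_reply(rfile)
        sock.sendall(b"QUIT\r\n")
        read_reply(rfile)
    exts = [t.split()[0].upper() for t in texts[1:] if t]
    return {"banner": banner, "ehlo": ehlo, "extensions": exts}

# Constructed stub MTA for offline runs: offers STARTTLS but, like OpenSMTPD, not PIPELINING
_SCRIPT = {b"EHLO": b"250-mail.example.com Hello probe\r\n250-STARTTLS\r\n250 HELP\r\n",
           b"QUIT": b"221 mail.example.com closing connection\r\n"}

def start_stub_server():
    # Listen on a free loopback port, answer one scripted session in the background, return the port
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as rf:
            conn.sendall(b"220 mail.example.com ESMTP ready\r\n")
            for raw in rf:
                verb = raw.split(b" ", 1)[0].strip().upper()
                conn.sendall(_SCRIPT.get(verb, b"500 command not recognized\r\n"))
                if verb == b"QUIT":
                    break
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against a real MTA call smtp_probe("mail.example.com", 25); for a nagios-style check, treat any exception or a banner other than 220 as CRITICAL.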



Re: How to bypass rdns filter

2023-06-20 Thread Stuart D Gathman

On Tue, 20 Jun 2023, Mik J wrote:


I have this filter configured
filter check_rdns phase connect match !rdns disconnect "550 no rDNS is so 80s"


Someone else answered your real question, so please excuse my rant.  I
note that rDNS is still not part of the SMTP RFCs.  HELO is what the
standard specifies, and checking that HELO resolves to the connect IP
accomplishes the same as rDNS.

While IPv6 has improved this, requiring rDNS for IPv4 causes problems
for the little guy.  You have to have at least a Class C block.
(Some ISPs support CNAME based rDNS delegation for IPv4.)
Even though IPv6 makes rDNS much easier for the little guy, too many
IPv6 ISPs on the backbone simply do not support it.  (he.net does fully
support it.)

Back in the 80s, there were a lot of clueless email admins (hey, at
least they weren't using gmail) that couldn't figure out what 
"hostname of the SMTP client" means for HELO.  So rejecting on invalid
HELO got a lot of real business emails with clueless admins.  The rDNS
hack was a substitute when HELO was invalid, as a class C was typical
for even a small business back then.  No more.
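The "HELO resolves to the connect IP" check the rant describes, as an added example (my code, not from the post): it accepts RFC 5321 address literals as well as hostnames and takes an injectable resolver so it runs offline against a constructed zone table (dns_resolve is the real one; all addresses are documentation ranges).

```python
import ipaddress
import socket

def helo_matches_client(helo, client_ip, resolve):
    """True when the HELO/EHLO argument is consistent with the address the client connected from.

    resolve(name) must return a list of address strings or raise OSError; dns_resolve below
    is the production resolver, fake_resolve a constructed table for the demo."""
    ip = ipaddress.ip_address(client_ip)
    # RFC 5321 lets a client send an address literal instead of a name: [192.0.2.1] or [IPv6:2001:db8::1]
    if helo.startswith("[") and helo.endswith("]"):
        literal = helo[1:-1]
        if literal[:5].lower() == "ipv6:":
            literal = literal[5:]
        try:
            return ipaddress.ip_address(literal) == ip
        except ValueError:
            return False
    # A hostname must be fully qualified; bare labels such as "localhost" or "GC" never qualify
    if "." not in helo.strip("."):
        return False
    try:
        return any(ipaddress.ip_address(a) == ip for a in resolve(helo))
    except (OSError, ValueError):
        return False

def dns_resolve(name):
    """Production resolver: every A/AAAA address the name resolves to."""
    return [info[4][0] for info in socket.getaddrinfo(name, None)]

# Constructed zone data so the demo runs offline (RFC 5737 / RFC 3849 documentation addresses)
_FAKE_ZONE = {"mx.example.com": ["192.0.2.10", "2001:db8::10"],
              "mypc.example.com": ["2001:db8:8:808::dead:beef"]}

def fake_resolve(name):
    try:
        return _FAKE_ZONE[name.rstrip(".").lower()]
    except KeyError:
        raise OSError("NXDOMAIN: " + name)

def demo():
    """Each case is (HELO argument, connecting IP); the result is whether the client is accepted."""
    cases = [("mx.example.com", "192.0.2.10"),          # A record matches
             ("mx.example.com", "2001:db8::10"),        # AAAA record matches
             ("mypc.example.com", "192.0.2.99"),        # name exists but points elsewhere
             ("[IPv6:2001:db8::10]", "2001:db8::10"),   # address literal, matches
             ("[192.0.2.10]", "192.0.2.11"),            # address literal, does not match
             ("localhost", "192.0.2.10"),               # not an FQDN
             ("nxdomain.example", "192.0.2.1")]         # does not resolve
    return [helo_matches_client(h, ip, fake_resolve) for h, ip in cases]
```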




Re: Dropping Connections Upon Connect

2023-07-28 Thread Stuart D Gathman

On Wed, 19 Jul 2023, Pete Long wrote:


The filter ‘works’ in the sense that I get “421 Internal Server Error”
when something matches my regex table.


That's more likely to discourage the spammer than any rant you might
supply instead.  :-)

But maybe you want to provide a channel for false positives to appeal
the rejection.

Re: Setting personal mailserver

2023-08-30 Thread Stuart D Gathman
On Wed, 30 Aug 2023, Sagar Acharya wrote:


I'm facing an issue similar to a person a while ago available on
archive. I use alpine, and the conf is as below



There is nothing in the mailbox.


Are you looking with alpine, or with CLI tools like ls?  Use CLI tools
to check that you've configured smtpd to store incoming mail where you
think you have.

I go so far as to use raw IPv6 for personal mailbox on various overlay
mesh vpns like Cjdns and Yggdrasil (giving you personal authenticated
IPs independent of any ISP).  I just caught up with an online
friend that moved from Hawaii to New York.  Still works despite changes
in ISP and ICANN domains.



Re: Setting personal mailserver

2023-09-08 Thread Stuart D Gathman

On Thu, 7 Sep 2023, Sagar Acharya wrote:


In today's times of mature NLP, you will not be able to differentiate
human mail from bot mail or spam. Only in person verification is
trustworthy.  No. Are you saying that only people who control the
network should send mails? Well DNS exactly is for that. If you find I
send spams, you can easily block mails from my domain
humaaraartha.in but it is not wise nor ethical to by default not allow
people to mail.


Acckshully ... when using centralized DNS root zone, ICANN, they
can cancel/spoof domains.  And TLS is worse, as the shadowy TLS
global cabal decides the list of CAs fully trusted.  (And browsers
do not support CA veto out of the box.)  This lets the cabal MITM 
your TLS connections.


DNS was designed to be federated - so you can lessen your dependence
on ICANN by running your own root zone, or using a community root zone
like https://www.opennic.org


That issue lies because hardware is not mapped to people. There is no
technological solution for trust hopping between machines. ssh should
be discouraged and each machine, denoted by single IP address should
be mapped to a human. So humaaraartha.in is run by Sagar Acharya.


Yes, see https://github.com/cjdelisle/cjdns and
https://github.com/yggdrasil-network/yggdrasil-go both of which 
create crypto unique authenticated IPv6 addresses.  Use the raw IPv6
to send emails and make phone calls.


Well, what action should be implemented for sending emails. I don't


The scheme I use for fully decentralized opensmtpd and SIP is described 
at https://fedoramagazine.org/decentralize-common-fedora-apps-cjdns/

(Older version of opensmtpd for that article.)

I even have a few people that will talk to me that way.  And no spam.
I do get connects from various spiders looking for mail server listening,
but so far no spam.

It is a hard sell ...