Re: Strange timeout issue

2023-08-06 Thread Tobias Fiebig
Heho,

On Sun, 2023-08-06 at 22:58 +0400, Archange wrote:
> isis.lip6.fr

This host has an IPv4 and an IPv6 address. If you use the v4 addr.
verbatim, the connection fails. If you use the FQDN, you use the v6
addr and the connection works.

Works:

openssl s_client -connect [2001:660:3302:283c::2]:25 -servername isis.lip6.fr -starttls smtp

openssl s_client -connect isis.lip6.fr:25 -servername isis.lip6.fr -starttls smtp


Does not work:

openssl s_client -connect 131.227.60.2:25 -servername isis.lip6.fr -starttls smtp

Best guess:

The IPv4 address for this host (132.227.60.2) seems to have (i guess)
MTU issues (at least for me); From my homebox (mtu <1500 on-path) i
cannot connect via v4 on tcp/25, from another host in the same /24
(same routing policy) but 1500mtu on the whole path i can with the
s_client line noted as 'does not work' above.

Alternatively, they might be doing something else 'somewhat funny'. Not
easy to guess, though, without sinking a lot of time, but this really
smells like a them-issue to me.

Solution:

Make lip6.fr fix their stuff.

With best regards,
Tobias




Issues with outbound connections to dualstack on v6 only host

2023-06-17 Thread Tobias Fiebig
Heho,
Running on OpenBSD7.3.

I am currently facing an issue that OpenSMTPd disables a route for a
dual-stack MX if a connection to the v4 address fails, without retrying
v6.

The system has a local v4 network, but no routes; A v6 default route is
set and the system is reachable via IPv6.

smtpd.conf is fully default (it is internal mail-sending for monitoring
purposes, so the remote is rather 'friendly').

Other hosts with a similar configuration (but no v4 except lo) do not
show the same behavior.

Any ideas what i might have missed?

With best regards,
Tobias
-- 
Dr.-Ing. Tobias Fiebig
M tob...@fiebig.nl




Re: Move user+...@domain.tld into tag folder (if it exists)

2023-04-09 Thread Tobias Fiebig
Heho,
funny. Anything else the dovecot log is spitting out then?

Hard to debug through mail, though. Lemme see if i can quickly set up a
mailer to test this with your config. Could you send me a pkg_info -m
off-list?

With best regards,
Tobias

On Sun, 2023-04-09 at 23:21 +0200, Benjamin Stürz wrote:
> Hello Tobias,
> 
> I assume it's `getent passwd`, because it needs a database.
> This is my output:
> vmail:*:2000:2000:Virtual Mail Account:/var/vmail:/sbin/nologin
> 
> On 09.04.23 23:17, Tobias Fiebig wrote:
> > Heho,
> > 
> > can you do a `getent|grep vmail` on your system? That sounds like
> > you
> > haven't fully configured the virtual setup?
> > 
> > With best regards,
> > Tobias
> > 
> > On Sun, 2023-04-09 at 23:15 +0200, Benjamin Stürz wrote:
> > > Hello Tobias,
> > > 
> > > Thanks for your reply.
> > > 
> > > I put your script into
> > > /usr/local/lib/dovecot/sieve/redirect.sieve
> > > and compiled it with sievec.
> > > 
> > > I also put
> > >   > sieve_after =
> > > file:/usr/local/lib/dovecot/sieve/redirect.sieve
> > > into my plugin section and enabled lmtp in both dovecot and
> > > smtpd.
> > > 
> > > Unfortunately this caused errors like:
> > >   >
> > > a42fc59a8f9aa94a|inet4|mda|auth|be...@stuerz.xyz
> > > > be...@stuerz.xyz
> > > > |be...@stuerz.xyz|1681074451|1681074451|0|1|pending|
> > > 5|"mail.lmtp:
> > > LMTP server error: 550 5.1.1  User doesn't exist: vmail"
> > > 
> > > when sending a test email to myself.
> > > 
> > > I then removed "virtual " from my smtpd.conf and it
> > > replaced
> > > "vmail" with "benni" (not be...@stuerz.xyz).
> > > 
> > > I have reverted the change in smtpd.conf again.
> > > 
> > > 
> > > My full configs:
> > > 
> > > /etc/dovecot/local.conf:
> > > 
> > > > auth_mechanisms = plain login
> > > > first_valid_uid = 2000
> > > > first_valid_gid = 2000
> > > > mail_plugin_dir = /usr/local/lib/dovecot
> > > > managesieve_notify_capability = mailto
> > > > managesieve_sieve_capability = fileinto reject envelope
> > > > encoded-
> > > > character vacation subaddress comparator-i;ascii-numeric
> > > > relational
> > > > regex  imap4flags copy include variables body enotify
> > > > environment
> > > > mailbox date index ihave duplicate mime foreverypart
> > > > extracttext
> > > > imapsieve vnd.dovecot.imapsieve
> > > > mbox_write_locks = fcntl
> > > > mmap_disable = yes
> > > > 
> > > > passdb {
> > > >  args = scheme=CRYPT username_format=%u
> > > > /etc/mail/credentials.dovecot
> > > >  driver = passwd-file
> > > >  name =
> > > > }
> > > > 
> > > > mail_location =
> > > > maildir:/var/vmail/%d/%n:INBOX=/var/vmail/%d/%n/Inbox:LAYOUT=fs
> > > > namespace inbox {
> > > >  inbox = yes
> > > >  mailbox Drafts {
> > > >  auto = subscribe
> > > >  special_use = \Drafts
> > > >  }
> > > >  mailbox Junk {
> > > >  auto = subscribe
> > > >  special_use = \Junk
> > > >  autoexpunge = 30d
> > > >  }
> > > >  mailbox Sent {
> > > >  auto = subscribe
> > > >  special_use = \Sent
> > > >  }
> > > >  mailbox Trash {
> > > >  auto = subscribe
> > > >  special_use = \Trash
> > > >  }
> > > >  mailbox Archive {
> > > >  auto = subscribe
> > > >  special_use = \Archive
> > > >  }
> > > > }
> > > > 
> > > > plugin {
> > > >  imapsieve_mailbox1_before =
> > > > file:/usr/local/lib/dovecot/sieve/report-spam.sieve
> > > >  imapsieve_mailbox1_causes = COPY
> > > >  imapsieve_mailbox1_name = Junk
> > > >  imapsieve_mailbox2_before =
> > > > file:/usr/local/lib/dovecot/sieve/report-ham.sieve
> > > >  imapsieve_mailbox

Re: Move user+...@domain.tld into tag folder (if it exists)

2023-04-09 Thread Tobias Fiebig
Heho,

`getent passwd | grep vmail` of course. ;-)

With best regards,
Tobias

On Sun, 2023-04-09 at 23:17 +0200, Tobias Fiebig wrote:
> Heho,
> 
> can you do a `getent|grep vmail` on your system? That sounds like you
> haven't fully configured the virtual setup?
> 
> With best regards,
> Tobias 
> 
> On Sun, 2023-04-09 at 23:15 +0200, Benjamin Stürz wrote:
> > Hello Tobias,
> > 
> > Thanks for your reply.
> > 
> > I put your script into /usr/local/lib/dovecot/sieve/redirect.sieve
> > and compiled it with sievec.
> > 
> > I also put
> >  > sieve_after =
> > file:/usr/local/lib/dovecot/sieve/redirect.sieve
> > into my plugin section and enabled lmtp in both dovecot and smtpd.
> > 
> > Unfortunately this caused errors like:
> >  > 
> > a42fc59a8f9aa94a|inet4|mda|auth|be...@stuerz.xyz
> > > be...@stuerz.xyz
> > > |be...@stuerz.xyz|1681074451|1681074451|0|1|pending|
> > 5|"mail.lmtp:
> > LMTP server error: 550 5.1.1  User doesn't exist: vmail"
> > 
> > when sending a test email to myself.
> > 
> > I then removed "virtual " from my smtpd.conf and it
> > replaced 
> > "vmail" with "benni" (not be...@stuerz.xyz).
> > 
> > I have reverted the change in smtpd.conf again.
> > 
> > 
> > My full configs:
> > 
> > /etc/dovecot/local.conf:
> > 
> > > auth_mechanisms = plain login
> > > first_valid_uid = 2000
> > > first_valid_gid = 2000
> > > mail_plugin_dir = /usr/local/lib/dovecot
> > > managesieve_notify_capability = mailto
> > > managesieve_sieve_capability = fileinto reject envelope encoded-
> > > character vacation subaddress comparator-i;ascii-numeric
> > > relational
> > > regex  imap4flags copy include variables body enotify environment
> > > mailbox date index ihave duplicate mime foreverypart extracttext
> > > imapsieve vnd.dovecot.imapsieve
> > > mbox_write_locks = fcntl
> > > mmap_disable = yes
> > > 
> > > passdb {
> > > args = scheme=CRYPT username_format=%u
> > > /etc/mail/credentials.dovecot
> > > driver = passwd-file
> > > name = 
> > > }
> > > 
> > > mail_location =
> > > maildir:/var/vmail/%d/%n:INBOX=/var/vmail/%d/%n/Inbox:LAYOUT=fs
> > > namespace inbox {
> > > inbox = yes
> > > mailbox Drafts {
> > > auto = subscribe
> > > special_use = \Drafts
> > > }
> > > mailbox Junk {
> > > auto = subscribe
> > > special_use = \Junk
> > > autoexpunge = 30d
> > > }
> > > mailbox Sent {
> > > auto = subscribe
> > > special_use = \Sent
> > > }
> > > mailbox Trash {
> > > auto = subscribe
> > > special_use = \Trash
> > > }
> > > mailbox Archive {
> > > auto = subscribe
> > > special_use = \Archive
> > > }
> > > }
> > > 
> > > plugin {
> > > imapsieve_mailbox1_before =
> > > file:/usr/local/lib/dovecot/sieve/report-spam.sieve
> > > imapsieve_mailbox1_causes = COPY
> > > imapsieve_mailbox1_name = Junk
> > > imapsieve_mailbox2_before =
> > > file:/usr/local/lib/dovecot/sieve/report-ham.sieve
> > > imapsieve_mailbox2_causes = COPY
> > > imapsieve_mailbox2_from = Junk
> > > imapsieve_mailbox2_name = *
> > > sieve_after =
> > > file:/usr/local/lib/dovecot/sieve/redirect.sieve
> > > sieve = file:~/sieve;active=~/.dovecot.sieve
> > > sieve_global_extensions = +vnd.dovecot.pipe
> > > +vnd.dovecot.environment
> > > sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve
> > > sieve_plugins = sieve_imapsieve sieve_extprograms
> > > }
> > > 
> > > protocols = imap sieve lmtp
> > > 
> > > service imap-login {
> > > inet_listener imap {
> > > port = 0
> > > }
> > > }
> > > 
> > > service managesieve-login {
> > > inet_listener sieve {
> > > port = 4190
> > > }
> > > 
> > > inet_listene

Re: Move user+...@domain.tld into tag folder (if it exists)

2023-04-09 Thread Tobias Fiebig
 is the smtpd server system-wide configuration file.
> > # See smtpd.conf(5) for more information.
> > 
> > pki "mail" cert "/etc/ssl/mixdown.me.fullchain.pem"
> > pki "mail" key "/etc/ssl/private/mixdown.me.key"
> > 
> > table aliases file:/etc/mail/aliases
> > table credentials file:/etc/mail/credentials.smtpd
> > table virtuals file:/etc/mail/virtuals
> > 
> > filter dkim_sign proc-exec "filter-dkimsign -d mixdown.me -s
> > selector1 -k /etc/mail/dkim/mixdown.me.key" user _dkimsign group
> > _dkimsign
> > #filter check_fcrdns phase connect match !fcrdns disconnect "550 no
> > FCrDNS"
> > #filter check_rdns phase connect match !rdns disconnect "550 no
> > rDNS"
> > filter rspamd proc-exec "/usr/local/libexec/smtpd/filter-rspamd"
> > filter filters chain { dkim_sign, rspamd }
> > 
> > listen on all tls pki "mail" #filter "filters"
> > listen on egress port submission tls-require pki "mail" auth
> >  filter "filters"
> > listen on egress port smtps tls-require pki "mail" auth
> >  filter "filters"
> > 
> > action "local_mail" mbox alias 
> > #action "domain_mail" maildir
> > "/var/vmail/%{dest.domain:lowercase}/%{dest.user:lowercase|strip}/I
> > nbox" virtual 
> > action "domain_mail" lmtp "/var/dovecot/lmtp" #virtual 
> > action "outbound" relay
> > 
> > match from any for domain "mixdown.me" action "domain_mail"
> > match from any for domain "stuerz.art" action "domain_mail"
> > match from any for domain "stuerz.xyz" action "domain_mail"
> > match from local for local action "local_mail"
> > match from auth for any action "outbound"
> > match from local for any action "outbound"
> > match from any for any reject
> 
> 
> 
> On 09.04.23 22:28, Tobias Fiebig wrote:
> > Heho,
> > 
> > The documentation for sieve is here:
> > https://doc.dovecot.org/configuration_manual/sieve/configuration/
> > 
> > Sieve is its own script language for mail filtering. Once you have
> > configured it, you can either use Pigeonhole/managesieve to edit the
> > sieverc, or just write one to the right path on your server.
> > 
> > You are looking for a sieve script like this (it has been doing what
> > you asked for on my mail account for a couple of years now):
> > 
> > """
> > require ["variables", "envelope", "fileinto", "subaddress"];
> > 
> > if envelope :matches :detail "to" "*" {
> >  set :lower "name" "${1}";
> > }
> > 
> > if string :is "${name}" "" {
> >  fileinto "INBOX";
> >  stop;
> > } else {
> >  fileinto "delimiters.${name}";
> >  stop;
> > }
> > """
> > 
> > With best regards,
> > Tobias
> > 
> > 
> > On Sun, 2023-04-09 at 22:21 +0200, Benjamin Stürz wrote:
> > > Hello Michael,
> > > 
> > > Thanks for helping me!
> > > 
> > > I too use dovecot, but I'm not really familiar with it.
> > > That's why I took most of my config from a tutorial.
> > > 
> > > As far as I can tell, I have to put something like this into my
> > > config:
> > > > protocol lmtp {
> > > >    mail_plugins = $mail_plugins sieve
> > > > }
> > > But how do I connect it with my script?
> > > 
> > > I'm thinking of using a script like this:
> > > > #!/bin/sh
> > > > 
> > > > # Usage: $0 user[+tag]@domain.tld
> > > > 
> > > > # user[+tag]
> > > > user_tag=$(echo "$1" | cut -d@ -f1)
> > > > 
> > > > # domain.tld
> > > > domain=$(echo "$1" | cut -d@ -f2)
> > > > 
> > > > # user
> > > > user=$(echo "${user_tag}" | cut -d+ -f1)
> > > > 
> > > > # [tag]  (-s: print nothing when there is no '+', instead of echoing the whole string)
> > > > tag=$(echo "${user_tag}" | cut -s -d+ -f2)
> > > > 
> > > > prefix="/var/vmail/${domain}/${user}"
> > > > 
> > > > [ "$tag" ] && echo "${prefix}/${tag}" || echo "${prefix}/Inbox"
> > > 
> > > 
> > > My current 

Re: Move user+...@domain.tld into tag folder (if it exists)

2023-04-09 Thread Tobias Fiebig
 inet_listener sieve_deprecated {
> > port = 2000
> > }
> > }
> > 
> > ssl_cert =  > ssl_key =  > 
> > userdb {
> > args = username_format=%u /etc/mail/credentials.dovecot
> > driver = passwd-file
> > name = 
> > }
> > 
> > protocol imap {
> > mail_plugins = " imap_sieve"
> > }
> 
> 
> On 09.04.23 22:00, Michael Breuer wrote:
> > Hello Benjamin,
> > 
> > what mda do you use? I use dovecot and a sieve script to process
> > incoming mail.
> > 
> > Instead of saving mail directly to maildir, I transfer it to the
> > mda via lmtp. The required changes on the smtpd site would look
> > like this:
> > 
> > > On 9. Apr 2023, at 16:04, Benjamin Stürz
> > >  wrote:
> > > 
> > > I think this line has to be changed:
> > > action "domain_mail" maildir
> > > "/var/vmail/%{dest.domain:lowercase}/%{dest.user:lowercase|strip}
> > > /Inbox" virtual 
> > 
> > action "domain_mail" lmtp "/var/dovecot/lmtp" virtual 
> > 
> > In dovecot, you need to activate the sieve plugin and a
> > script for your user account.
> > 
> > 
> 

-- 
Dr.-Ing. Tobias Fiebig
T +31 616 80 98 99
M tob...@fiebig.nl



Re: Mails sent in IPv4 while I expect IPv6

2023-03-19 Thread Tobias Fiebig
Heho,
> - In DMARC Report Deliverability, it's written "To authorize this
> RUA, add the following DMARC DNS record:", first it was not obvious
> to me in which zone I have to add the record, maybe you can write "To
> authorize this RUA, add the following DMARC DNS record in zone
> xyz.org:"
> I guessed it when i read the record
> mydomain.fr._report._dmarc.mydomain.com. IN TXT "v=DMARC1;"
> but it was not 100% obvious, because there was mydomain with
> different extensions
Good point; I will put that on the todo.


> - Transport Encryption "Your email provider/server does not support
> transport encryption. I don't get what I'm doing wrong and what I
> have to do

What may also be the case is that the mail has not yet arrived (the
base-tls-support mail has to have arrived for the other TLS mails to be
evaluated).

Did you try reloading the report page?

With best regards,
Tobias
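Added example, not part of the thread: a small Python helper that derives the cross-domain report authorization record the quoted text describes (RFC 7489, section 7.1) from the rua= tag of a DMARC record. The organizational-domain heuristic is an assumption of the example and ignores the Public Suffix List.

```python
from urllib.parse import urlparse


def parse_dmarc(record):
    """Split a DMARC TXT record ("v=DMARC1; p=reject; rua=...") into a
    lower-cased tag -> value dict. Raises on a malformed or non-DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed DMARC tag: %r" % part)
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def report_uris(tags, tag="rua"):
    """Return the comma-separated report URIs of the rua= (or ruf=) tag."""
    return [u.strip() for u in tags.get(tag, "").split(",") if u.strip()]


def mailto_domain(uri):
    """Domain part of a mailto: report URI; the optional '!10m' size
    suffix is dropped before splitting off the local part."""
    parsed = urlparse(uri)
    if parsed.scheme.lower() != "mailto" or "@" not in parsed.path:
        raise ValueError("unsupported report URI: %r" % uri)
    addr = parsed.path.split("!", 1)[0]
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def organizational_domain(name):
    """Approximate the Organizational Domain as the last two labels.
    Assumption of this example: RFC 7489 defines it via the Public Suffix
    List, so names such as example.co.uk need a PSL-aware implementation."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def authorization_records(policy_domain, record):
    """For every rua= destination outside the policy domain's organization,
    return the TXT record that the *receiving* domain's zone must publish;
    an empty list means all destinations are in-house and nothing is needed."""
    policy = policy_domain.lower().rstrip(".")
    needed = []
    for uri in report_uris(parse_dmarc(record)):
        receiver = mailto_domain(uri)
        if organizational_domain(receiver) == organizational_domain(policy):
            continue  # same organization: the receiver is implicitly authorized
        needed.append('%s._report._dmarc.%s. IN TXT "v=DMARC1;"' % (policy, receiver))
    return needed


if __name__ == "__main__":
    for line in authorization_records("mydomain.fr",
                                      "v=DMARC1; p=reject; rua=mailto:dmarc@mydomain.com!10m"):
        print(line)
```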




Re: Email Sending Test-Setup

2023-03-06 Thread Tobias Fiebig


Heho,
> That is a real cool project!
Thanks. And mostly running on openbsd. ;-)

> I didn't know signed rDNS is possible.
Yeah; It actually is:

https://dnssec-analyzer.verisignlabs.com/3.197.191.195.in-addr.arpa

But many orgs don't sign their rDNS, which makes it hard for endusers
to get signed rDNS on their VMs. 

No clue how openbsd.amsterdam is doing in that regard... ;-)

With best regards,
Tobias





Email Sending Test-Setup

2023-02-25 Thread Tobias Fiebig
Heho,
together with some colleagues i set up an email-sending-selftest
(powered by openbsd, and partially opensmtpd ;-)). In case it is useful
for some: https://www.email-security-scans.org/

Only thing keeping me from 10/10 at the moment is outbound MTA-STS and
DANE checking. If anyone has taken a shot at adding that to opensmtpd
(Maybe a filter before hitting the relay action or something?), i'd be
happy to hear about that. :-)

With best regards,
Tobias



Re: Using MySQL procedures

2023-02-21 Thread Tobias Fiebig
Heho,
this might be useful for you:
https://doing-stupid-things.as59645.net/mail/nsfp/2022/04/14/send-it.html

https://doing-stupid-things.as59645.net/mail/opensmtpd/mysql/2022/08/30/receiving-an-email.html

Essentially, opensmtpd has rather specific ideas regarding the number
of columns in the result set (error thrown for you) and the number of
(variable) inputs in the input query.

With best regards,
Tobias

On Tue, 2023-02-21 at 17:31 +0100, Roko Dobovičnik wrote:
> Hello everyone,
> 
> I've been using OpenSMTPD for few months now and I'm pretty happy
> with 
> how it works and how easy it is to configure. Recently I decided to 
> start using MySQL database to store tables with user accounts and 
> aliases so I can easily connect other services to the same database.
> I 
> found a man page TABLE_MYSQL(5) which describes how to configure
> smtpd 
> to so. The problem is that I would like to have a bit different
> database 
> structure than the one described on the man page, so I created MySQL 
> stored procedures that can be called in order to fetch data needed by
> OpenSMTPD server. And when I configured server to call these
> procedures 
> it simply crashes (when started with -v flag writes following to the
> log):
> 
> credentials[3280425]: debug: (re)connecting
> credentials[3280425]: warn: wrong number of columns in resultset
> credentials[3280425]: fatal: could not connect
> warn: table-proc: imsg_read: Connection reset by peer
> lookup: table-proc: exiting
> 
> Then I created same configuration as described on the man page and it
> worked, but then I tried to create stored procedure which does the
> same 
> job as one of the queries:
> 
> DELIMITER $$
> CREATE PROCEDURE get_aliases(IN email_var VARCHAR(255))
> BEGIN
>      SELECT destination FROM virtuals WHERE email = email_var;
> END $$
> DELIMITER ;
> 
> I changed line in configuration file from this:
> 
> query_alias SELECT destination FROM virtuals WHERE email=?;
> 
> To this, so procedure is called:
> 
> query_alias CALL get_aliases(?);
> 
> But then, same error occurred again.
> So my question is, am I doing something wrong. And can OpenSMTPD be 
> configured to call MySQL stored procedures.
> 
> Thanks,
> Roko Dobovičnik
> 
> 

-- 
Dr.-Ing. Tobias Fiebig
T +31 616 80 98 99
M tob...@fiebig.nl




Re: smtpd loop with default config

2023-02-17 Thread Tobias Fiebig
Heho,
you can't, really. Technically, they should set a null MX (RFC7505
[1]), instead of publishing localhost, though.

What would/might help would be loop detection in opensmtpd; I always
kind of assumed that it had it, though; I.e., bouncing messages as soon
as $self already appears in delivered-to with the same dst. address.

Alternatively, you could set a rule at lo tcp/25 to treat local mail
differently from tcp submitted mails.

Still, similar issues, e.g., not setting an MX and thereby having
opensmtpd deliver to the domain's A (often keeping the mail queued for
some time) will still be there.

With best regards,
Tobias

[1] https://www.rfc-editor.org/rfc/rfc7505

On Fri, 2023-02-17 at 16:23 +0100, Heinrich Rebehn wrote:
> Hello all,
> 
> I stumbled upon a weird situation when trying to send mail to
> t...@webmail.de. smtpd entered into an endless loop:
> 
> ———
> obsd-test# mail -s test t...@webmail.de
> test
> .
> EOT
> obsd-test# Feb 17 16:00:01 obsd-test smtpd[74143]: f63245c93259f11c
> smtp connected address=local host=obsd-test.rebehn.net
> Feb 17 16:00:01 obsd-test smtpd[74143]: f63245c93259f11c smtp message
> msgid=7157a411 size=363 nrcpt=1 proto=ESMTP
> Feb 17 16:00:01 obsd-test smtpd[74143]: f63245c93259f11c smtp
> envelope evpid=7157a411f91aaef7 from=
> to=
> Feb 17 16:00:01 obsd-test smtpd[74143]: f63245c93259f11c smtp
> disconnected reason=quit
> 2023-02-17T15:00:01.986Z obsd-test newsyslog[87010]: logfile turned
> over
> tail: /var/log/maillog has been replaced, reopening.
> 2023-02-17T15:00:01.986Z obsd-test newsyslog[87010]: logfile turned
> over
> Feb 17 16:00:02 obsd-test smtpd[74143]: f63245cd0d08e264 mta
> connecting address=smtp://127.0.0.1:25 host=localhost
> Feb 17 16:00:02 obsd-test smtpd[74143]: f63245cd0d08e264 mta
> connected
> Feb 17 16:00:02 obsd-test smtpd[74143]: f63245ce7265d1ed smtp
> connected address=127.0.0.1 host=localhost
> Feb 17 16:00:02 obsd-test smtpd[74143]: f63245ce7265d1ed smtp message
> msgid=d2ff5ca2 size=546 nrcpt=1 proto=ESMTP
> Feb 17 16:00:02 obsd-test smtpd[74143]: f63245ce7265d1ed smtp
> envelope evpid=d2ff5ca2aa40c428 from=
> to=
> Feb 17 16:00:02 obsd-test smtpd[74143]: f63245cd0d08e264 mta delivery
> evpid=7157a411f91aaef7 from=
> to= rcpt=<-> source="127.0.0.1" relay="127.0.0.1
> (localhost)" delay=1s result="Ok" stat="250 2.0.0 d2ff5ca2 Message
> accepted for delivery"
> Feb 17 16:00:03 obsd-test smtpd[74143]: f63245ce7265d1ed smtp message
> msgid=209c5192 size=729 nrcpt=1 proto=ESMTP
> Feb 17 16:00:03 obsd-test smtpd[74143]: f63245ce7265d1ed smtp
> envelope evpid=209c519220fca0c2 from=
> to=
> Feb 17 16:00:03 obsd-test smtpd[74143]: f63245cd0d08e264 mta delivery
> evpid=d2ff5ca2aa40c428 from=
> to= rcpt=<-> source="127.0.0.1" relay="127.0.0.1
> (localhost)" delay=1s result="Ok" stat="250 2.0.0 209c5192 Message
> accepted for delivery"
> Feb 17 16:00:04 obsd-test smtpd[74143]: f63245ce7265d1ed smtp message
> msgid=2f497747 size=912 nrcpt=1 proto=ESMTP
> Feb 17 16:00:04 obsd-test smtpd[74143]: f63245ce7265d1ed smtp
> envelope evpid=2f497747f408bbd3 from=
> to=
> Feb 17 16:00:04 obsd-test smtpd[74143]: f63245cd0d08e264 mta delivery
> evpid=209c519220fca0c2 from=
> to= rcpt=<-> source="127.0.0.1" relay="127.0.0.1
> (localhost)" delay=1s result="Ok" stat="250 2.0.0 2f497747 Message
> accepted for delivery"
> 
> etc...
> ——
> 
> The reason for this is:
> 
> obsd-test# host webmail.de
> webmail.de has address 64.190.63.111
> webmail.de mail is handled by 0 localhost.
> 
> I mistyped swbmail.de as webmail.de. So it is partially my fault.
> Webmail.de is for sale by sedo.com. It is really weird that they
> enter localhost as mx. They should at least have their own fake
> mailer which simply rejects emails to webmail.com.
> 
> But my question is: How can I harden smtpd.conf against such mx
> entries?
> 
> OpenBSD obsd-test.rebehn.net 7.2 GENERIC#6 amd64 running under ESXi
> 7.0U3
> Clean install, default smtpd.conf
> 
> Thanks for any help,
> 
> Heinrich
> 
> 

-- 
Dr.-Ing. Tobias Fiebig
T +31 616 80 98 99
M tob...@fiebig.nl
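Added example, not from the thread and not OpenSMTPD code: a Python sketch of the two defences discussed above, refusing unusable MX targets (RFC 7505 null MX, localhost) and detecting a relay loop from Received: headers, run against a constructed message modelled on the log. The Received: header layout, the recipient address and the one-hop threshold are assumptions of the example.

```python
import ipaddress
import re
from email import message_from_string

RECEIVED_BY = re.compile(r"\bby\s+([^\s;()]+)", re.IGNORECASE)
RECEIVED_FOR = re.compile(r"\bfor\s+<?([^\s;<>]+)>?", re.IGNORECASE)


def mx_is_unusable(mx_target, self_names=()):
    """Return a reason when an MX target must not be used for relaying,
    None when it looks fine. Catches the RFC 7505 null MX ("."), the
    localhost case from the thread, loopback/unspecified literals and
    MX targets naming this very host while the domain is not local."""
    target = mx_target.strip().lower().rstrip(".")
    if target == "":
        return "null MX (RFC 7505): domain does not accept mail"
    if target in ("localhost", "localhost.localdomain"):
        return "MX points at localhost"
    try:
        addr = ipaddress.ip_address(target)
        if addr.is_loopback or addr.is_unspecified:
            return "MX points at non-routable address %s" % addr
    except ValueError:
        pass  # a hostname, not an address literal
    if target in {n.lower().rstrip(".") for n in self_names}:
        return "MX points at this host, but the domain is not handled locally"
    return None


def self_hops_for_recipient(raw_message, self_host, rcpt):
    """Count Received: headers stamped 'by <self_host> ... for <rcpt>'.
    Folded header lines are joined before matching."""
    msg = message_from_string(raw_message)
    me, want = self_host.lower().rstrip("."), rcpt.lower()
    hops = 0
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())
        by, for_ = RECEIVED_BY.search(flat), RECEIVED_FOR.search(flat)
        if by and for_ and by.group(1).lower().rstrip(".") == me \
                and for_.group(1).lower() == want:
            hops += 1
    return hops


def is_relay_loop(raw_message, self_host, rcpt, max_self_hops=1):
    """Assumption of this example: one pass through this host is normal
    (initial acceptance); seeing ourselves again for the same recipient
    means the message is coming back to us, as in the thread."""
    return self_hops_for_recipient(raw_message, self_host, rcpt) > max_self_hops


# Constructed sample: a message on its third pass through obsd-test.rebehn.net
LOOPED = """\
Received: from localhost (localhost [127.0.0.1])
\tby obsd-test.rebehn.net (OpenSMTPD) with ESMTP id 2f497747
\tfor <user@webmail.de>; Fri, 17 Feb 2023 16:00:04 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
\tby obsd-test.rebehn.net (OpenSMTPD) with ESMTP id d2ff5ca2
\tfor <user@webmail.de>; Fri, 17 Feb 2023 16:00:02 +0100 (CET)
Received: from obsd-test.rebehn.net (localhost [127.0.0.1])
\tby obsd-test.rebehn.net (OpenSMTPD) with ESMTP id 7157a411
\tfor <user@webmail.de>; Fri, 17 Feb 2023 16:00:01 +0100 (CET)
From: root@obsd-test.rebehn.net
To: user@webmail.de
Subject: test

test
"""

if __name__ == "__main__":
    print(mx_is_unusable("localhost.", {"obsd-test.rebehn.net"}))
    print(is_relay_loop(LOOPED, "obsd-test.rebehn.net", "user@webmail.de"))
```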




Re: 550 Invalid recipient errors

2023-02-10 Thread Tobias Fiebig
Heho,

On Fri, 2023-02-10 at 08:18 -0600, Kevin G wrote:
> action "process_dkim" relay host smtp://127.0.0.1:10027
> match from local for any action "process_dkim"
As i read the config...

> > let alone anything for auth?
There is no rule matching auth to this action.

try:

match from auth for any action "process_dkim"

With best regards,
Tobias

-- 
Dr.-Ing. Tobias Fiebig
T +31 616 80 98 99
M tob...@fiebig.nl




Re: 550 Invalid recipient errors

2023-02-10 Thread Tobias Fiebig
Heho,
might be missing this, but you do not have a relay rule for outbound,
let alone anything for auth?

With best regards,
Tobias

On Fri, 2023-02-10 at 07:58 -0600, Kevin G wrote:
> # Accept incoming mail to local users from the local machine:
> action "process_local_mail" lmtp "/run/dovecot/lmtp" rcpt-to alias
> 
> match from local for local action "process_local_mail"
> 
> # Accept external mail tagged after processing by SPAMPD and put in Dovecot.
> # We don't bother with checking spam of authenticated users relaying mail,
> # so we only worry about incoming spam into Dovecot, so we only configure
> # anti-spam in Dovecot.
> action "process_spampd" lmtp "/run/dovecot/lmtp" rcpt-to virtual
> 
> match tag SPAMPD for domain  action "process_spampd"
> 
> # Accept external mail and forward to spampd on port 10029 which will relay
> # it back into us on port 10030
> action "process_relay" relay host smtp://127.0.0.1:10029
> match from any for domain  action "process_relay"
> 
> # Accept DKIM-processed mails for final relay:
> action "process_outbound" relay host tls+auth://label@REDACTED auth
> 
> match tag DKIM for any action "process_outbound"
> 
> # Accept incoming mail from authenticated users who want to send email to
> # domains we don't manage, and send it to DKIM:
> action "process_dkim" relay host smtp://127.0.0.1:10027
> match from local for any action "process_dkim"

-- 
Dr.-Ing. Tobias Fiebig
T +31 616 80 98 99
M tob...@fiebig.nl




Re: smtpctl: lookup_record: %{i}._spf.mta.salesforce.com contains macros and can't be resolved

2023-01-26 Thread Tobias Fiebig
Heho,
i recently came about it for ibm.com, iirc, as well when implementing
SPF for a measurement tool. ;-)

With best regards,
Tobias



Re: Filtering forged "From" header for senders

2023-01-07 Thread Tobias Fiebig
heho,
yes, this is rather easily doable. Relevant configs from my setup below
(still want to blog about _that_ part, as my mysql is a bit more...
grown...)

General setup doc (bit outdated, though... but still explaining the
rather funny SQL statement and reasoning behind that i have in there)
here: 

https://doing-stupid-things.as59645.net/mail/nsfp/2022/04/14/send-it.html


With best regards,
Tobias

--- /etc/mail/smtpd.conf
...
table sndrs mysql:/etc/mail/mysql-sndr.conf
...
listen on vio0 port 465 pki mail.aperture-labs.org smtps \
auth  mask-src received-auth senders \
 filter "rspamd-sign" tag "DKIM"
listen on vio0 port 587 pki mail.aperture-labs.org tls-require \
auth  mask-src received-auth senders \
 filter "rspamd-sign" tag "DKIM"
...
--- EOF

--- /etc/mail/mysql-sndr.conf

host 127.0.0.1
username opensmtpd
password d2VsbC4uLiBhcyBpZi4uLgo=
database smtpd

query_mailaddrmap with t as (SELECT REGEXP_REPLACE( ? , \
'[+]([^@])+\@', '\@' )  as addr) select valias.addr as \
mail from valias join t on REGEXP_REPLACE(valias.alias, \
'[+]([^@])+\@', '\@' ) = t.addr JOIN vdomains AS vd ON \
valias.addr LIKE CONCAT('%',vd.domain,'%') UNION select \
mail from vusers join t on vusers.mail = t.addr;
--- EOF
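Added example, not the author's code: a Python model of the lookup that mysql-sndr.conf above serves for the `senders` option, using the same +tag normalization as its REGEXP_REPLACE. The vusers/valias/vdomains rows are constructed sample data, and the ownership semantics of the tables are an assumption of the example.

```python
import re

# Same idea as the REGEXP_REPLACE in the config above: a "+tag" subaddress
# is dropped so user+anything@domain compares as user@domain.
SUBADDRESS = re.compile(r"\+[^@]+@")


def normalize(addr):
    """Lower-case an address and strip its +tag subaddress, if any."""
    return SUBADDRESS.sub("@", addr.strip().lower())


# Constructed sample data standing in for the vusers/valias/vdomains tables
# (hypothetical rows, not the author's database).
VUSERS = {"alice@example.org", "bob@example.org"}
# alias address -> the user who owns it
VALIAS = {
    "sales@example.org": "alice@example.org",
    "alice+old@example.org": "alice@example.org",   # tagged alias, normalizes away
    "bob.smith@example.net": "bob@example.org",
    "bob@not-ours.test": "bob@example.org",         # domain not hosted here
}
VDOMAINS = {"example.org", "example.net"}


def allowed_senders(username):
    """Model of the mailaddrmap lookup: the addresses the authenticated
    user may use as sender. Own mailbox plus any alias it owns, but only
    for domains listed in VDOMAINS."""
    key = normalize(username)
    allowed = set()
    if key in VUSERS:
        allowed.add(key)
    for alias, owner in VALIAS.items():
        domain = alias.rsplit("@", 1)[1]
        if normalize(owner) == key and domain in VDOMAINS:
            allowed.add(normalize(alias))
    return allowed


def sender_permitted(username, mail_from):
    """The decision a senders table drives on an authenticated submission:
    accept only when the (tag-stripped) sender address is in the user's
    allowed set, so a forged sender in another user's name is rejected."""
    return normalize(mail_from) in allowed_senders(username)


if __name__ == "__main__":
    for user, frm in [("alice@example.org", "Alice+news@example.org"),
                      ("alice@example.org", "bob@example.org")]:
        print(user, "->", frm, "allowed" if sender_permitted(user, frm) else "REJECT")
```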




Re: Cant receive emails

2022-12-27 Thread Tobias Fiebig
Heho,

On Tue, 2022-12-27 at 22:54 +0100, xad...@mail.de wrote:
> ...
> # To accept external mail, replace with: listen on all
> 
> #listen on all tls pki mail.example.com
> 
> listen on egress port submission tls-require pki mail.example.com \
> hostname "example.com" auth  #filter "rspamd"
> ...

You are not listening on tcp/25; Remove the # in front of 'listen on
all'.

With best regards,
Tobias



smtp-out reporting / outbound filters

2022-12-20 Thread Tobias Fiebig
Heho,
i am currently looking at adding MTA-STS/DANE support to my mailer;
However, these are not supported in opensmtpd.

Given my limited coding abilities, i figured it might make more sense
to try implementing that as a filter, given that [1] mentions outbound
filters. However, man smtpd-filters(7) no longer mentions outbound
filters.

Is that feature gone or does someone have docs on using it sitting
around?

With best regards,
Tobias

[1]https://poolp.org/posts/2019-12-24/december-2019-opensmtpd-and-filters-work-articles-and-goodies/



RE: SNI seems not working

2022-09-23 Thread Tobias Fiebig
Heho,
How are you testing this? libressl connect? Are you signalling SNI there?

With best regards,
Tobias

-Original Message-
From: wim  
Sent: Friday, 23 September 2022 13:26
To: misc@opensmtpd.org
Subject: SNI seems not working

Hi, I'm trying to configure SNI,

but it always returns the first pki from my smtp.conf

Here is what my conf looks like for the moment:


#   $OpenBSD: smtpd.conf,v 1.14 2019/11/26 20:14:38 gilles Exp $

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

pki "*" cert "/etc/ssl/mail.thinkerwim.org.fullchain.pem"
pki "*" key "/etc/ssl/private/mail.thinkerwim.org.key"
pki "*" cert "/etc/ssl/mail.batterijland.com.fullchain.pem"
pki "*" key "/etc/ssl/private/mail.batterijland.com.key"
pki "mail.thinkerwim.org" cert "/etc/ssl/mail.thinkerwim.org.fullchain.pem"
pki "mail.thinkerwim.org" key "/etc/ssl/private/mail.thinkerwim.org.key"
pki "mail.batterijland.com" cert "/etc/ssl/mail.batterijland.com.fullchain.pem"
pki "mail.batterijland.com" key "/etc/ssl/private/mail.batterijland.com.key"

filter dkimsign_rsa proc-exec "filter-dkimsign -d thinkerwim.org -s 20220705 -k /etc/mail/dkim/private.rsa.key" user _dkimsign group _dkimsign
#filter "rdns" phase connect match !rdns disconnect "550 DNS ERROR"
#filter "fcrdns" phase connect match !fcrdns disconnect "550 DNS ERROR"

table aliases file:/etc/mail/aliases
table batalias file:/etc/mail/batalias
#table virtuals file:/etc/mail/virtuals

#listen directives
listen on all tls pki "*"
#listen on all port 25 tls pki "*"
#listen on all port 587 tls pki hostname mail.thinkerwim.org tls pki mail.thinkerwim.org auth
#listen on all port 587 tls-require pki hostname auth hostname

listen on all port 587 tls-require pki mail.thinkerwim.org auth hostname mail.thinkerwim.org
listen on all port 588 tls-require pki mail.batterijland.com auth hostname mail.batterijland.com
#listen on all port 465 tls-require pki mail.thinkerwim.org auth hostname mail.thinkerwim.org
listen on lo0 port 10028 tag DKIM

# send mail to maildir ~/.mail for local accounts in alias table
#action "local" maildir "%{user.directory}/.mail" alias 
action "local" lmtp "/var/dovecot/lmtp" alias 
action "batlocal" lmtp "/var/dovecot/lmtp" rcpt-to virtual 

action "relay" relay helo mail.thinkerwim.org
action "relay_dkim" relay host smtp://127.0.0.1:10027

# thinkerwim.org
match from any for domain "thinkerwim.org" action "local"
match from any for domain "batterijland.com" action "batlocal"
#match from any for domain {"thinkerwim.org","batterijland.com"} action "local"
# local
match for local action "local"
# dkim
match tag DKIM for any action "relay"
##match auth from any for any action "relay"
match auth from any for any action "relay_dkim"


Thanks
Wim Stockman







RE: certificate verification when using multiple relay hosts

2022-09-08 Thread Tobias Fiebig
Heho,
Might be a nice feature request; You could write a ticket, or shoot that at 
m...@openbsd.org ; I see a lot more engagement for opensmtpd related messages 
there.

With best regards,
Tobias

-Original Message-
From: Tassilo Philipp  
Sent: Thursday, 8 September 2022 08:48
To: Tobias Fiebig 
Cc: misc@opensmtpd.org
Subject: Re: certificate verification when using multiple relay hosts

This is what we're doing, but it's not directly under our control, so there is 
some back and forth, etc.. possible, yes, but the question still remains.
I personally lean more and more towards thinking it would be nice to be able to 
specify multiple relay hosts, explicitly.


On Thu, Sep 08, 2022 at 12:35:04AM +0200, Tobias Fiebig wrote:
> Heho,
> Why don't you add mailrelays.domain as a DNSAltName to the certs of these 
> hosts? Or are they not under your control?
>
> With best regards,
> Tobias
>
>
> -Original Message-
> From: Tassilo Philipp 
> Sent: Wednesday, 7 September 2022 11:31
> To: misc@opensmtpd.org
> Subject: certificate verification when using multiple relay hosts
>
> Hello,
>
> I'd like to pick y'all's brains about a TLS enabled multi-relay-host setup, 
> where I'm not sure about what is right, or should maybe be possible.
>
> The setup in question is an OpenSMTPd box that is configured to relay 
> to multiple, explicitly specified, redundant hosts, the crucial config 
> line
> is:
>
>  action "relay_out" relay host smtps://mailrelays.domain
>
> (note: whether it's using smtps or smtp w/ starttls, etc. isn't 
> important, it comes down to the same)
>
> Multiple A records are entered for the domain mailrelays.domain, so it 
> resolves to multiple IPs.
>
> This DNS-based multi-A-records setup is the only way I found to tell 
> OpenSMTPd to use a list of relay hosts, and this works nicely. I verified, 
> given the logs and traces, that it keeps a list of them all, selects what it 
> thinks the best connector is, handles a connector becoming unavailable 
> gracefully, etc. Great!
>
> However, this DNS based multi-host setup complicates matters when verifying 
> certificates. Imagine that mailrelays.domain points to 1.2.3.1 and 1.2.3.2. 
> Also, let's say there are specific A records pointing to those IPs, as well 
> as their respective PTR records, so the full list is:
>
> mailrelays.domain.   1.2.3.1
> mailrelays.domain.   1.2.3.2
>
> mailrelay01.domain.  1.2.3.1
> mailrelay02.domain.  1.2.3.2
>
> 1.3.2.1.in-addr.arpa.   mailrelay01.domain.
> 2.3.2.1.in-addr.arpa.   mailrelay02.domain.
>
>
> Also, let's say both relay hosts present certificates which only have their 
> own respective DNS names listed, but *not* "mailrelays.domain".
>
> In this case the cert verification fails when relaying mail fails, b/c 
> OpenSMTPd checks whether the cert of each box has mailrelays.domain listed, 
> which they do not, they only list their specific, number-suffixed domains.
>
>
> By itself one could argue that this is to be expected, and I kinda agree. 
> However, one could also argue that maybe it should do a PTR lookup, first, 
> and use that DNS name for verification.
>
>
> Taking a step back, I think the question essentially boils down to: how to 
> specify multiple relay hosts (e.g. for redundancy) *by DNS name*, so the cert 
> verification would work per relay host?
>
> The problems I encountered to get this set up are:
>
> - multiple CNAME records for a domain aren't possible in DNS
>
> - one cannot make use of MX records, either, as the relay host line
>   seems to only resolve A records in this case
>
> - there is seemingly no way to list multiple relay hosts in smtpd.conf,
>   explicitly, but maybe I'm missing something
>
>
> Thoughts? I'm not sure what's right or wrong here, in some ways it behaves 
> like it should, but then again it also makes it hard to specify multiple 
> relay hosts, conveniently. I obviously might also totally miss something, in 
> which case I would be grateful to get some feedback.
>
> Thanks!
>
>
>
>





RE: certificate verification when using multiple relay hosts

2022-09-07 Thread Tobias Fiebig
Heho,
Why don't you add mailrelays.domain as a DNSAltName to the certs of these 
hosts? Or are they not under your control?

With best regards,
Tobias


-Original Message-
From: Tassilo Philipp  
Sent: Wednesday, 7 September 2022 11:31
To: misc@opensmtpd.org
Subject: certificate verification when using multiple relay hosts

Hello,

I'd like to pick y'all's brains about a TLS enabled multi-relay-host setup, 
where I'm not sure about what is right, or should maybe be possible.

The setup in question is an OpenSMTPd box that is configured to relay to 
multiple, explicitly specified, redundant hosts, the crucial config line
is:

  action "relay_out" relay host smtps://mailrelays.domain

(note: whether it's using smtps or smtp w/ starttls, etc. isn't important, it 
comes down to the same)

Multiple A records are entered for the domain mailrelays.domain, so it resolves 
to multiple IPs.

This DNS-based multi-A-records setup is the only way I found to tell OpenSMTPd 
to use a list of relay hosts, and this works nicely. I verified, given the logs 
and traces, that it keeps a list of them all, selects what it thinks the best 
connector is, handles a connector becoming unavailable gracefully, etc. Great!

However, this DNS based multi-host setup complicates matters when verifying 
certificates. Imagine that mailrelays.domain points to 1.2.3.1 and 1.2.3.2. 
Also, let's say there are specific A records pointing to those IPs, as well as 
their respective PTR records, so the full list is:

mailrelays.domain.   1.2.3.1 
mailrelays.domain.   1.2.3.2

mailrelay01.domain.  1.2.3.1 
mailrelay02.domain.  1.2.3.2

1.3.2.1.in-addr.arpa.   mailrelay01.domain.
2.3.2.1.in-addr.arpa.   mailrelay02.domain.


Also, let's say both relay hosts present certificates which only have their own 
respective DNS names listed, but *not* "mailrelays.domain".

In this case the cert verification fails when relaying mail fails, b/c 
OpenSMTPd checks whether the cert of each box has mailrelays.domain listed, 
which they do not, they only list their specific, number-suffixed domains.


By itself one could argue that this is to be expected, and I kinda agree. 
However, one could also argue that maybe it should do a PTR lookup, first, and 
use that DNS name for verification.


Taking a step back, I think the question essentially boils down to: how to 
specify multiple relay hosts (e.g. for redundancy) *by DNS name*, so the cert 
verification would work per relay host?

The problems I encountered to get this set up are:

- multiple CNAME records for a domain aren't possible in DNS

- one cannot make use of MX records, either, as the relay host line
   seems to only resolve A records in this case

- there is seemingly no way to list multiple relay hosts in smtpd.conf,
   explicitly, but maybe I'm missing something


Thoughts? I'm not sure what's right or wrong here, in some ways it behaves like 
it should, but then again it also makes it hard to specify multiple relay 
hosts, conveniently. I obviously might also totally miss something, in which 
case I would be grateful to get some feedback.

Thanks!
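As an added illustration (not code from OpenSMTPd or from either poster), the following Python script models the name check discussed in this thread over the records given above: each relay certificate lists only its own number-suffixed name, so checking against the configured name mailrelays.domain fails for both addresses, while adding mailrelays.domain as a subjectAltName (the suggestion in the reply) or checking the PTR name instead (the alternative floated in the question) passes. All records, SAN lists and function names are constructed for the example.

```python
# Added example (not OpenSMTPd code): which relay addresses pass hostname
# verification under the two policies discussed in the thread.
# All records, SAN lists and names below are constructed from the post.

# A and PTR records exactly as listed in the post.
A_RECORDS = {
    "mailrelays.domain": ["1.2.3.1", "1.2.3.2"],
    "mailrelay01.domain": ["1.2.3.1"],
    "mailrelay02.domain": ["1.2.3.2"],
}
PTR_RECORDS = {"1.2.3.1": "mailrelay01.domain", "1.2.3.2": "mailrelay02.domain"}

# subjectAltName dNSName entries presented by each relay: only its own name ...
CERT_SANS = {"1.2.3.1": ["mailrelay01.domain"], "1.2.3.2": ["mailrelay02.domain"]}
# ... and the same certificates with the shared name added, as the reply suggests.
CERT_SANS_FIXED = {ip: sans + ["mailrelays.domain"] for ip, sans in CERT_SANS.items()}


def san_matches(san: str, name: str) -> bool:
    """RFC 6125-style dNSName comparison: case-insensitive exact match, or a
    single wildcard in the left-most label only ("*.domain" matches one label)."""
    san, name = san.lower().rstrip("."), name.lower().rstrip(".")
    if san == name:
        return True
    if san.startswith("*.") and "*" not in san[2:]:
        suffix = san[1:]  # ".domain"
        prefix = name[: -len(suffix)] if name.endswith(suffix) else None
        return bool(prefix) and "." not in prefix
    return False


def verify_relays(relay_name: str, sans_by_ip: dict, use_ptr: bool = False) -> dict:
    """Return {address: passed} for every A record of relay_name.

    use_ptr=False checks the configured name (what the post says OpenSMTPd does);
    use_ptr=True checks the PTR name of each address instead (the floated alternative).
    """
    verdict = {}
    for ip in A_RECORDS[relay_name]:
        expected = PTR_RECORDS[ip] if use_ptr else relay_name
        verdict[ip] = any(san_matches(san, expected) for san in sans_by_ip[ip])
    return verdict


if __name__ == "__main__":
    print("configured name, original certs:", verify_relays("mailrelays.domain", CERT_SANS))
    print("configured name, shared SAN added:", verify_relays("mailrelays.domain", CERT_SANS_FIXED))
    print("PTR name, original certs:", verify_relays("mailrelays.domain", CERT_SANS, use_ptr=True))
```

The PTR variant makes the verified name depend on whoever controls the reverse zone for the address, so pinning the shared name in the SAN is the stricter of the two policies.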






OpenSMTPd Denial-of-Service with table-mysql (using default configuration)

2022-08-30 Thread Tobias Fiebig
Heho,
I just started to see some DoS issue on my OpenSMTPd with table-mysql as the 
backend. Specifically, my server ran into the user lookup process eating a full 
core and torturing the mysql server after some funny brute-force attempts came 
in. (writeup with graphs here: 
https://doing-stupid-things.as59645.net/mail/opensmtpd/mysql/2022/08/30/receiving-an-email.html)

After some amateur debugging on my side, it seems like the issue occurs if the 
mysql table is latin1 (happens if following defaults and table-mysql man) and 
something is shipped to opensmtpd which does not cleanly cast to latin1 (i.e., 
is not plain ascii), as opensmtpd speaks UTF8 with mysql (again, my amateur 
analysis).

The query then fails/mysql kills the connection, and table-mysql retries the 
connection with the same data leading to mysql... you get the idea, and this 
then happens at 350+ queries/s. 

Would it make sense to have the db-table backends return a tempfailure (for 
lookups for domain/forward/deliver we'd probably not want to reject mail due to 
a DB failure) or error (auth etc.) if the same query fails like N (5 as 
default?) times in a row?

If this is not a clear-cut case of me having held it wrong, I can also try to 
replicate this in a test-setup to which I can give other people access (not a 
coder, so no patches from me :-/).

With best regards,
Tobias
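As an added illustration of the proposal in the post above (not OpenSMTPd or table-mysql code), the following Python wrapper retries a failing lookup only N times (5 by default) before returning a temporary failure, or a hard error for auth-style tables, instead of re-sending the same query indefinitely. The backend is a constructed stand-in that fails on any key not representable in latin1, mirroring the reported behaviour; the table content, names and the Result type are assumptions for the example.

```python
# Added illustration (not OpenSMTPd or table-mysql code): a lookup wrapper that
# gives up with a temporary failure after N consecutive failures of the same
# query instead of retrying forever. The backend is a constructed stand-in.
from enum import Enum
from typing import Optional, Tuple


class Result(Enum):
    FOUND = "found"
    NOT_FOUND = "not found"
    TEMPFAIL = "tempfail"  # defer: used for domain/forward/deliver lookups
    ERROR = "error"        # hard failure: used for auth lookups


# Constructed table content (user -> mailbox), standing in for the mysql table.
TABLE = {"alice": "alice@mail.invalid", "bob": "bob@mail.invalid"}


def backend_query(key: str) -> Optional[str]:
    """Stand-in for the SQL query against a latin1 table: input that cannot be
    represented in latin1 makes the query fail, as described in the post."""
    key.encode("latin-1")  # raises UnicodeEncodeError for e.g. Cyrillic input
    return TABLE.get(key)


class GuardedTable:
    def __init__(self, max_failures: int = 5, hard: bool = False) -> None:
        self.max_failures = max_failures  # N from the post (default 5)
        self.hard = hard                  # auth-style table: ERROR instead of TEMPFAIL
        self.backend_calls = 0            # how often the backend was actually hit

    def lookup(self, key: str) -> Tuple[Result, Optional[str]]:
        failures = 0
        while True:
            self.backend_calls += 1
            try:
                value = backend_query(key)
            except UnicodeEncodeError:
                failures += 1
                if failures >= self.max_failures:
                    # Stop here instead of reconnecting and re-sending the same query.
                    return (Result.ERROR if self.hard else Result.TEMPFAIL), None
                continue  # reconnect-and-retry, as the post says table-mysql does
            if value is None:
                return Result.NOT_FOUND, None
            return Result.FOUND, value


if __name__ == "__main__":
    t = GuardedTable()
    for key in ("alice", "carol", "user-ж"):
        print(repr(key), t.lookup(key), "backend calls so far:", t.backend_calls)
```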