Perhaps stunnel may work for port 25, though I guess I would lose some of
OpenSMTPD's priv sep features
Is it possible to have both?
letsencrypt for tls on port 25 for remote servers to verify
and tls-require verify auth on port 587 permitting self-signed certificates
signed by my CA only for client authentication without any risk of arbitrary CAs
providing forged certificates.
Perhaps I can move /
I sent my elansys one direct, should I have posted it to the list?
On Sun, 6 Aug 2017 14:32:16 +0200
> The next question would be ...why does it work for other ppl?
I use system accounts and some scripts but if you need a database then
I can't help. It's not actually that difficult once you work it out to
sync system pwd.db files actually and you get the OpenBS
> This impact all users who upgrade to OpenSSL 1.0.2f and will cause smtpd
> to crash as soon as the RSA engine is used (ie: whenever there's crypto)
>
> A quick workaround is to not upgrade to 1.0.2f yet and maybe ask OpenSSL
> why a "patchlevel" release contains more than patches.
>
> Meanwhile
> All I know is that I don't want to be blacklisted by VISA and MasterCard
> because I'm failing PCI compliance. I want to continue accepting credit
> cards, but I also want to keep using stock OpenSMTPD on OpenBSD.
I guess I may be missing some idiocy of PCI DSS compliance but why
do you need i
> >
> > For testing purposes, I changed my smtpd.conf to listen on 127.0.0.1
> > instead of enp0s4 and it did not crash on startup, so that tells me that
> > our
> > troubleshooting is on the right track.
> >
>
> Hmm, I also did some testing. I added "ExecStartPre=/usr/bin/ip a" to the
> smtpd ser
On Mon, 11 May 2015 17:15:35 +0200
Gilles Chehade wrote:
> I can't honestly recall if we still do this without checking first, but there
> was some code in OpenSMTPD to always attempt SMTPS before attempting STARTTLS
> when trying to do opportunistic crypto. This means that for hosts that would
>
On Thu, 09 Apr 2015 09:54:17 -0700
Seth wrote:
> > On my 5.6 box it stops at CONNECTED and the traffic shows client hello
> > like for OpenSMTPD (well actually a certificate receipt can be seen in
> > the encrypted traffic but not much more).
>
> Only thing I can think of is that you're running
For a minute I thought the following was possible that my old server
couldn't do. I know gpg is the solution but getting people to use it
can sometimes be easy and sometimes impossible and so there are times
when you are on the border of what you are comfortable sending in plain
text.
accept tagge
On Wed, 08 Apr 2015 19:55:52 -0700
Seth wrote:
> > Also, whether this hangs
> >
> > /usr/bin/openssl s_client -connect mx5.demon.co.uk:25 -starttls smtp
> > -CAfile /etc/ssl/cert.pem
>
> I ran the command above on an OpenBSD 5.6-release host and it stopped
> responding at the "250 8BITMIME" l
On Wed, 08 Apr 2015 13:27:48 -0700
Seth wrote:
> Do you have a test email address we can try sending something to which
> uses that server?
>
Sent privately
Also, whether this hangs
/usr/bin/openssl s_client -connect mx5.demon.co.uk:25 -starttls smtp
-CAfile /etc/ssl/cert.pem
> Starttls.in
http://marc.info/?l=openbsd-misc&m=142842356024311&w=2
When I looked at the actual traffic it appeared that it gets one step
further and the connection actually stops at OpenSMTPD sending a client
hello via STARTTLS with no further response from the other side.
If someone can say it happens to th
On Sat, 28 Mar 2015 08:55:24 -0700
Seth wrote:
> > > If the filesystem supports case sensitivity then I can understand users
> > > expecting the current behaviour but it doesn't seem practical to me and
> > > I couldn't see a format specifier to lowercase deliveries to Maildir
> > > expanding to j
On Sat, 28 Mar 2015 08:55:24 -0700
Seth wrote:
> > If the filesystem supports case sensitivity then I can understand users
> > expecting the current behaviour but it doesn't seem practical to me and
> > I couldn't see a format specifier to lowercase deliveries to Maildir
> > expanding to just TAG.
If the filesystem supports case sensitivity then I can understand users
expecting the current behaviour but it doesn't seem practical to me and
I couldn't see a format specifier to lowercase deliveries to Maildir
expanding to just TAG.
When someone sends to a tag user+...@users.org and there is an
Assuming it's correct I wonder if something along the lines of the
following would improve the makemap man page virtual domains section.
I tried a few different things to get majordomo and the power
of virtual domains working, including a second deliver to mda before
noticing the 'extension' keywor
On Thu, 14 Aug 2014 02:35:10 +0200
Gilles Chehade wrote:
> An external program check has a very low chance of being accepted.
>
> We have a filter API that lets you do that kind of thing, you don't
> even need us to accept anything if you use it ;-)
Ok, thanks for the info. I'll look into the A
previously on this list Kevin Chadwick contributed:
> I may have come across some information about rewriting envelopes but I
> am struggling to find it right now.
>
> With OpenSMTPD you can use bob+compa...@bobs.com, which is great.
>
> My existing server however alre
I may have come across some information about rewriting envelopes but I
am struggling to find it right now.
With OpenSMTPD you can use bob+compa...@bobs.com, which is great.
My existing server however already uses bob-compa...@bobs.com and on
that system I can specify the character after which th
previously on this list Gilles Chehade contributed:
> > that connection can be man-in-the-middle'd, which leads to the attacker
> > being able to make it appear so that the mailserver doesn't support
> > STARTTLS.
> >
> > I've seen this in practice at my old school for one.
> >
>
> Yes, I kno
previously on this list Kevin Chadwick contributed:
> With STARTTLS I believe there is a clear text race where an attacker can
> create a response stating STARTTLS is unsupported resulting in
> cleartext transmission which I believe would not be the case for smtps.
If as I guess there
I am not talking about submission which I guess is what the smtps
option is for and I know GPG is the best method and I also know that
spamd causes plain text transmissions.
With STARTTLS I believe there is a clear text race where an attacker can
create a response stating STARTTLS is unsupported r
On Thu, 7 Aug 2014 20:41:39 +0200
Gilles Chehade wrote:
> Nope there's currently no way to turn chrooting for the lookup process.
> It's not really a resolver thing, we could have the resolver code in a
> chroot with some refactoring, but we need a process that does not run
> chrooted for other lo
On Thu, 7 Aug 2014 19:39:28 +0200
Alexander Schrijver wrote:
> > Yeah I'm not sure whether it is worth the effort but I was thinking if
> > a user has set a localhost as the nameserver then can we be very close
> > to certain that they are not going to change the resolv.conf?
>
> Having two DNS
On Thu, 7 Aug 2014 18:34:19 +0200
Alexander Schrijver wrote:
> without issues like dhcp changes?
>
> I think the problem is that you can't read the file again after being
> chrooted.
> So you won't know if it's updated.
Yeah I'm not sure whether it is worth the effort but I was thinking if
a
If the only nameserver entry in /etc/resolv.conf is say 127.0.0.1 or
localhost, such as when using unbound, couldn't OpenSMTPD's resolver read
that line and chroot without issues like dhcp changes?
--
___
'Write programs that do o
previously on this list Kevin Chadwick contributed:
> when trying to view the presentation with xombrero I enabled
> javascript but the controls do not appear and using the url bar is
> a bit cumbersome.
Print works well though; printing the whole presentation
Hi,
Firstly I haven't used smtpd outside of its default config yet
but intend to as a backup relay today and later move my main
server, so thanks for creating OpenSMTPD
when trying to view the presentation with xombrero I enabled
javascript but the controls do not appear and using the url bar