Does the OpenSMTPD project have any plans to switch from OpenSSL to LibreSSL?

2014-07-15 Thread Seth
Just curious if OpenSMTPD has any plans to swap out OpenSSL for LibReSSL once the latter has been deemed stable enough. -- Seth I <3 nicely trimmed email replies -- You received this mail because you are subscribed to misc@opensmtpd.org To unsubscribe, send a mail to: misc+unsub

Invalid command: Pipelining not supported

2014-11-06 Thread Seth
d!) stock version of OpenSSL on FreeBSD 9x OpenSSL 0.9.8y, and that's why it's failing?

Re: Invalid command: Pipelining not supported

2014-11-08 Thread Seth
that particular version of the product.

SSL3_READ_BYTES error when PHP web app attempts to relay via SMTP+TLS

2014-11-08 Thread Seth
11:13:36 email smtpd[34800]: warn: SNI name not found in PKI Nov 8 11:13:36 email smtpd[34800]: smtp-in: Disconnecting session 3c7ad6ded2a331fc: IO error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

excluding sender IPs in email headers

2014-12-11 Thread Seth
I was inspired by the article below and want to implement this on the OpenSMTPD servers I administer. Is this possible? Stop Including Sender IPs in Email Headers https://blog.ageispolis.net/page/4/

tls verify of CAcert certificates fails after upgrading to OpenBSD 5.6 and OpenSMTPD 5.4.3

2015-01-12 Thread Seth
This week I upgraded one of my OpenSMTPD email servers to OpenBSD 5.6/OpenSMTPD 5.4.3 and all of a sudden I started having all kinds of TLS cert verification interoperability problems with my existing FreeBSD OpenSMTPD 5.4.2 server. I was pulling my hair out trying to find out what heck was

Re: tls verify of CAcert certificates fails after upgrading to OpenBSD 5.6 and OpenSMTPD 5.4.3

2015-01-14 Thread Seth
On Wed, 14 Jan 2015 09:35:05 -0800, Jason Barbier wrote: If you are looking to get free TLS certs startcom is still in there as I recall, and unless you plan on doing something out of the ordinary or that requires the CA to do work (like you want a star cert, a cert with multiple SANs etc or

Re: tls verify of CAcert certificates fails after upgrading to OpenBSD 5.6 and OpenSMTPD 5.4.3

2015-01-15 Thread Seth
On Thu, 15 Jan 2015 01:26:50 -0800, John Cox wrote: If you only care about local interoperation why are you using an externally provided root cert, why not generate your own? Fallback. If my primary hosted mail exchanger goes down, I have the local one ready to accept SMTP connections from

Building a list of trusted domains for use with the verify TLS certificate option

2015-01-15 Thread Seth
I thought it would be interesting to inspect the logs of a production OpenSMTPD mail server to discover which remote SMTP servers are presenting verifiable TLS certificates. The idea being that down the road I'll build a table of these domains and create a rule in smtpd.conf that will enfor

Re: strange behavior on delivering messages

2015-01-18 Thread Seth
this type of messages repeat many many times, and when it stops it ends with Jan 18 21:28:45 mx smtpd[10999]: relay: PermFail for 7074eecd937a1f96: session=384f0c868ad0506f, from=, to=, rcpt=<->, source=91.210.228.4, relay=91.210.228.4 (mx.kasakoff.net), delay=1s, stat=500 5.4.6 Routing l

Re: auth/auth-optional

2015-01-18 Thread Seth
On Sun, 18 Jan 2015 08:39:01 -0800, Edgar Pettijohn wrote: I've been lurking on the list for a while, and I'm finally getting close on my config to replace postfix/dovecot. However, I'm having some issues. I'm pretty sure I want to use auth in a listener context, but its not working ou

Re: a few more questions

2015-01-18 Thread Seth
On Sun, 18 Jan 2015 14:25:20 -0800, Edgar Pettijohn wrote: I added another host and test user and everything seems to be working. Reread smtpd.conf(5) and feel good about this setup. A few questions remain. When I connect from my home pc with: $ mutt -f imap://t...@test.pettijohn-web.com@t

Re: a few more questions

2015-01-18 Thread Seth
On Sun, 18 Jan 2015 17:14:19 -0800, Edgar Pettijohn wrote: Is there a way to make the listen work like the relay and just use the matching cert? I don't think so. I think you'd have to configure an additional IP address for the 2nd domain, and then create a dedicated listen rule in smtpd.

Re: a few more questions

2015-01-18 Thread Seth
On Sun, 18 Jan 2015 20:20:19 -0800, Seth wrote: https://github.com/OpenSMTPD/OpenSMTPD/issues/376 Related email threads http://www.mail-archive.com/misc%40opensmtpd.org/msg00625.html "Declare your listener with a hostnames table and declare a pki entry for every domain that shou

Re: Is my virtual user configuration correct?

2015-01-19 Thread Seth
On Sun, 18 Jan 2015 21:51:16 -0800, Benedikt Nießen wrote: My question is: I have to maintain the domains in the file virtual_domains and the aliases in virtual_aliases. Can I rewrite this configuration to just maintain the virtual_aliases in the form: a...@example.orga...@e

Re: a few more questions

2015-01-19 Thread Seth
On Mon, 19 Jan 2015 15:14:14 -0800, Edgar Pettijohn wrote: http://www.mail-archive.com/misc%40opensmtpd.org/msg01427.html That gives the following error: # /usr/sbin/smtpd -d /etc/mail/smtpd.conf:16: invalid use of table "" as HOSTNAMES parameter Looks like you're getting the same error a

Re: Is my virtual user configuration correct?

2015-01-20 Thread Seth
On Tue, 20 Jan 2015 10:35:14 -0800, Benedikt Nießen wrote: This is not what I have and what I need. I don’t have local users who receive emails. All email arriving to the server is forwarded to 2 or 3 addresses which are not hosted on this server. If that's the case, then I think this the

Re: Is my virtual user configuration correct?

2015-01-20 Thread Seth
On Tue, 20 Jan 2015 11:35:00 -0800, Benedikt Nießen wrote: The problem is that I don’t have control over the target Email server. I need to redirect all email aliases to three addresses (not at the same time). ha...@abc.com => ha...@example.com n...@cba.com => mo...@example.com … I just w

Best way to relay mail to a server with intermittent connectivity

2015-01-27 Thread Seth
I administer an email system which uses a VPS running OpenSMTPD as the public facing bit. The VPS relays email to and from a separate OpenSMTPD mail server which is located on premises. We'll call this the 'local' server. The local server gets powered down every night, however this currentl

Re: Best way to relay mail to a server with intermittent connectivity

2015-01-27 Thread Seth
On Tue, 27 Jan 2015 17:22:43 -0800, Edgar Pettijohn wrote: *bounce-warn* /n/{*s*|*m*|*h*|*d*}[, /.../] Specify the delays for which temporary failure reports must be generated when messages are stuck in the queue. For example: bounce-warn 1h, 6h, 2d will generate a failure rep

Re: Best way to relay mail to a server with intermittent connectivity

2015-01-27 Thread Seth
On Tue, 27 Jan 2015 20:18:04 -0800, Edgar Pettijohn wrote: Still need to solve the problem of scheduling that big morning dump. Of email. cron That's not really going to work because the power-up time could vary between 2-4 hours. The mail needs to flow as soon as possible after poweri

Re: Best way to relay mail to a server with intermittent connectivity

2015-01-27 Thread Seth
On Tue, 27 Jan 2015 21:11:52 -0800, Sunil Nimmagadda wrote: I was wondering what if your "local" server is the primary MX and then your "public" server a backup MX. That way, whenever your local server is online the mails end up directly in it and your backup server automatically checks for p

snapshot build against LibreSSL 2.1.3 error: previous declaration of 'SSL_CTX_use_certificate_chain' was here

2015-01-30 Thread Seth
Just tried building the latest snapshot and it's failing with the error below. Environment: FreeBSD 9.3 LibreSSL 2.1.3 libasr - latest git opensmtpd - latest git configure commands used: ./configure --with-libevent-dir=/usr/local --sysconfdir=/usr/local/etc/mail/ --with-ssl-dir=/usr/local

Re: snapshot build against LibreSSL 2.1.3 error: previous declaration of 'SSL_CTX_use_certificate_chain' was here

2015-01-30 Thread Seth
On Fri, 30 Jan 2015 14:04:55 -0800, Gilles Chehade wrote: I committed a fix yesterday to github, building from a git clone should be working, it would be nice if you could confirm. The original build attempt was against a git pull from earlier today. I ran another pull at 4:27 PST and trie

Re: fatal: smtp_setup_events: ssl_setup failure: No such file or directory

2015-02-01 Thread Seth
On Sun, 01 Feb 2015 11:57:01 -0800, Michael wrote: Rebuilding and reinstalling did not help. My current version is OpenSMTPD 5.4.2p1. smtpd -dv additionally shows the following: debug: SSL library error: ssl_setup: error:26078067:engine routines:ENGINE_LIST_ADD:conflicting engine id debug

Re: snapshot build against LibreSSL 2.1.3 error: previous declaration of 'SSL_CTX_use_certificate_chain' was here

2015-02-03 Thread Seth
I think this particular issue might have been fixed by commit https://github.com/OpenSMTPD/OpenSMTPD/commit/8bca141233921dcfee7b1fc734d376adb70ef044. Can't be sure though because the build doesn't even get far enough to compile tortls.c. It fails earlier with this error: -compare -Wformat-s

Re: Lavabit like encryption with OpenSMTPD

2015-02-09 Thread Seth
On Mon, 09 Feb 2015 13:28:03 -0800, brettm wrote: On Mon, 9 Feb 2015 12:02:06 + skin...@britvault.co.uk (Craig Skinner) wrote: | | Neither can Goatmail, Snotmail, NSA, govt agencies, etc. | As far as we know, NSA etc cannot read other people's PGP encrypted mail. I think it is important

Re: Lavabit like encryption with OpenSMTPD

2015-02-10 Thread Seth
On Tue, 10 Feb 2015 04:47:38 -0800, Gilles Chehade wrote: People actually open an account at Gmail/Yahoo/Microsoft because they do not give the slightest shit about these privacy concerns. They want mail that gets sent when pressing a button, and they want it so bad that even when most ISP pr

Re: relay via: No MX found for domain

2015-02-11 Thread Seth
On Wed, 11 Feb 2015 01:48:36 -0800, Meutel wrote:w libasr is installed (it was not before upgrading). I use packages built with poudriere. Attached file "pkg_info_opensmtpd.txt" contains information about installed packages, it looks OK to me. Attached file "smtpd_vd.txt" contains output of sm

Re: relay via: No MX found for domain

2015-02-11 Thread Seth
On Wed, 11 Feb 2015 13:21:30 -0800, Meutel wrote: I did some tests with a simple smtp.conf which relays everything via gmail, and with a public nameserver instead of my local one. table gmailcred file:/usr/local/etc/mail/gmailcred accept from local for any relay via "tls+auth://gmailc...@sm

Re: Virtual users with valid email addresses for usernames?

2015-02-12 Thread Seth
On Thu, 12 Feb 2015 19:18:45 -0800, Josh Kunz wrote: I'm trying to run an OpenSMTPD + dovecot setup for two separate domains. I'd like to be able to assign passwords based on the user and the domain part of the address, and using actual email addresses as the user names helps with integrat

Re: Virtual users with valid email addresses for usernames?

2015-02-12 Thread Seth
On Thu, 12 Feb 2015 21:48:02 -0800, Josh Kunz wrote: Thanks for your reply. I hadn't thought of using OpenSMTPd as the MDA, I kept trying to get the usernames to work of LMTP to dovecot. Since I need the sieve support from dovecot, I'll probably modify this solution to use the dovecot lda,

Re: snapshot build against LibreSSL 2.1.3 error: previous declaration of 'SSL_CTX_use_certificate_chain' was here

2015-02-15 Thread Seth
On Sun, 15 Feb 2015 09:06:35 -0800, Gilles Chehade wrote: Until we have figured a way out of this, you should expect some breakage in snapshots / git and should comment on the ticket that was opened with regard to OpenSSL -> LibreSSL transition. Thankfully I can build recent versions of the O

Re: SSL: fatal access denied with opensmtpd on freebsd

2015-02-16 Thread Seth
On Sun, 15 Feb 2015 23:37:55 -0800, Hugo Osvaldo Barrera wrote: Any hints? My guess is that SSL is failing somewhere, but I don't know how to continue to track this down. Someone on the FreeBSD list suggested making sure that the CAs were installed, and they are - though I'm not sure it's 1

Re: SSL: fatal access denied with opensmtpd on freebsd

2015-02-16 Thread Seth
On Mon, 16 Feb 2015 13:11:27 -0800, Hugo Osvaldo Barrera wrote: libressl.c:72:1: error: conflicting types for 'SSL_CTX_use_certificate_chain' SSL_CTX_use_certificate_chain(SSL_CTX *ctx, char *buf, off_t len) ^ /usr/local/include/openssl/ssl.h:1587:5: note: previous declaration is here int

Re: SSL: fatal access denied with opensmtpd on freebsd

2015-02-16 Thread Seth
On Mon, 16 Feb 2015 14:32:29 -0800, Hugo Osvaldo Barrera wrote: I hadn't been using portmaster (rather cd /usr/ports/mail/opensmtpd-devel && make), but I got the same error using it too: Sorry, I should have clarified that it works on FreeBSD 9.3 with the OpenSMTPD 5.4.4 release and Libre

Re: SSL: fatal access denied with opensmtpd on freebsd

2015-02-16 Thread Seth
On Mon, 16 Feb 2015 14:42:12 -0800, Hugo Osvaldo Barrera wrote: Oh, this works with mail/opensmtpd, but *not* mail/opensmtpd-devel. Funny. Build worked, but the same initial issue still happens: Feb 16 22:40:00 hydrogen smtpd[43826]: smtp-in: New session 7530b8f4cbc97b60 from host hyperio

Re: Mail archive

2015-02-17 Thread Seth
On Tue, 17 Feb 2015 06:37:05 -0800, Alan Gilson wrote: Howdy, I'm new to the list and have been lurking for a few days. I've looked around and couldn't find an archive of previous questions. Is there a repository somewhere that I could go search through before I bug you kind folks with m

Re: Mail archive

2015-02-17 Thread Seth
On Tue, 17 Feb 2015 06:45:43 -0800, Alan Gilson wrote: These are great, thanks folks. May I suggest that they be added to the auto-footer for the group? They're sort of common knowledge amongst most people that have been using mailing lists for a while, but I guess that doesn't really doesn

Support for ECDSA CA server certificates

2015-02-17 Thread Seth
I'm in the process of switching out existing RSA Certificate Authority server certificates for ECDSA (Elliptical Curve DSA) ones. Are ECDSA certs supported by OpenSMTPD? Or does that depend completely on the chosen SSL library, i.e. OpenSSL, LibreSSL, BoringSSL, etc?

Re: TLS decode error

2015-02-19 Thread Seth
On Thu, 19 Feb 2015 17:35:27 -0800, Adam Thompson wrote: I'm seeing this in my logs, which prevents me from emailing my Dell reps: Feb 19 14:27:49 mail smtpd[10516]: smtp-out: Connecting to smtp+tls://143.166.224.193:25 (ps-smtp.us.dell.com) on session e622753fb14af8b3... Feb 19 14:27:49

Re: secrets db with passwords containing a hash symbol #

2015-02-26 Thread Seth
On Thu, 26 Feb 2015 03:51:37 -0800, Guenther Niess wrote: Hi, I've problems with a password in the file /etc/mail/secrets containing the hash symbol '#'. The passwords gets truncated before the hash symbol, when I try to escape the hash symbol with a backslash \# the full password with the ba

Re: opensmtpd 5.4.4 in freebsd 9 jail

2015-02-27 Thread Seth
On Fri, 27 Feb 2015 01:47:16 -0800, Eric Faurot wrote: I'll think how asr can be improved in the way you suggest. In the meantime, the regression you see is actually due to the following change in smtpd. Try without it. Note that it will also retrieve inet6 addresses, so you might want to add

Custom bounce messages for messages sent from NSA PRISM program providers

2015-02-28 Thread Seth
So I've finally had it with all the surveillance sluts and their sh*tty gmail/yahoo/hotmail accounts and I'm going to start blocking inbound messages from any mail service participating in the NSA PRISM program. It's important that the sender receive a custom bounce message explaining that

Re: Custom bounce messages for messages sent from NSA PRISM program providers

2015-02-28 Thread Seth
On Sat, 28 Feb 2015 16:13:18 -0800, Hugo Osvaldo Barrera wrote: Use sieve on the LDA side for that, and reject messages. You can provide a custom message when rejecting via sieve. Your second choice is to pass it via some proxy (look at the examples on how DKIMProxy is used), and reject th

Re: Custom bounce messages for messages sent from NSA PRISM program providers

2015-03-01 Thread Seth
On Sun, 01 Mar 2015 20:36:17 -0800, Jason Barbier wrote: Custom bounce messages are in the issue tracker as I recall. Maybe this is this ticket you're thinking of? Bounces without Bodies #429 [1] I was thinking it would be convenient to simply use SPF records published by Microsoft,

OpenSMTPD build process does not recognize newer LibreSSL 2.1.4 libraries

2015-03-06 Thread Seth
I just updated OpenSMTPD to the v5.4.4 release on an OpenBSD 5.6 system patched with LibreSSL 2.1.4. The smtpd executable is linked to the older LibreSSL library files however. Locations of the older and newer LibreSSL libraries: $ sudo find /usr/ -name 'libssl.so*' -type f /usr/local/lib/l

Re: OpenSMTPD build process does not recognize newer LibreSSL 2.1.4 libraries

2015-03-09 Thread Seth
Solved. This can be accomplished by setting environment variables with the make command, no configure script needed. Hat tip to Nick Mathewson from the Tor-relays mailing list for cluing me in to this method. $ sudo CFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib make $ sudo make insta

Re: Virtual domains

2015-03-11 Thread Seth
On Wed, 11 Mar 2015 13:11:16 -0700, Gonzalo wrote: Hi Guys, I have this conf on OpenBSD 5.6 table dominios file:/etc/mail/dominios table usuarios file:/etc/dovecot/users table aliases db:/etc/mail/aliases.db table spa

Re: Virtual domains

2015-03-11 Thread Seth
You might need to include a '${dest}' bit at the end of this smtpd.conf accept statement: accept from any for domain virtual deliver to mda "/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest}" Found a related LDA accept statement example here: http://www.mail-archive.com/mis

Re: Virtual domains

2015-03-12 Thread Seth
On Thu, 12 Mar 2015 07:14:11 -0700, Gonzalo wrote: Mmm I have the same output.. On Mar 11, 2015 11:31 PM, "Seth" wrote: Offhand I would say this is probably more of a Dovecot delivery configuration issue more so than an OpenSMTPD one. I don't have much expe

Building dkimproxy on headless OpenBSD server with no X install sets

2015-03-12 Thread Seth
I was going to build and configure dkimproxy for use with OpenSMTPD according to this guide [1] but got stopped cold by the following error: $ sudo make Fatal: /usr/local/lib/X11/app-defaults should exist and be a symlink *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2513 '/usr/p

Re: Building dkimproxy on headless OpenBSD server with no X install sets

2015-03-12 Thread Seth
On Thu, 12 Mar 2015 09:54:52 -0700, Eric Ripa wrote: I did the following on my "X-less" installation of OpenBSD 5.6 - downloaded the two sets xetc56.tgz and xbase56.tgz - added the sets according to the FAQ http://www.openbsd.org/faq/faq4.html#AddFileSet

Re: Building dkimproxy on headless OpenBSD server with no X install sets

2015-03-12 Thread Seth
On Thu, 12 Mar 2015 09:54:52 -0700, Eric Ripa wrote: I have not tried to remove the sets after installation however. This command will remove the installation sets $ pax -vzf xetc56.tgz | awk '{ print $9}'| sudo xargs rm -rf Obviously test it out first somewhere where it won't trash your s

Re: Building dkimproxy on headless OpenBSD server with no X install sets

2015-03-12 Thread Seth
On Thu, 12 Mar 2015 11:13:53 -0700, Seth wrote: On Thu, 12 Mar 2015 09:54:52 -0700, Eric Ripa wrote: I have not tried to remove the sets after installation however. This command will remove the installation sets $ pax -vzf xetc56.tgz | awk '{ print $9}'| sudo xargs rm -rf

Re: How to debug "Bad response: line too short"?

2015-03-16 Thread Seth
On Mon, 16 Mar 2015 12:51:16 -0700, Eric Ripa wrote: One of the failing envelopes are below (this one was sent using Apple mail but it doesn't seem to related as other clients are doing the same, seemingly random). Does the error occur frequently enough where you could perhaps grab some

Re: How to debug "Bad response: line too short"?

2015-03-17 Thread Seth
On Tue, 17 Mar 2015 01:17:24 -0700, Eric Ripa wrote: Hard to say because after a retry or two the mail goes through so I will have to monitor it more closely. What traces are suitable for more verbose output of smtp-out? Simply smtp? I would start with 'smtpctl trace smtp'

Re: Is my server relaying or sending spam?

2015-03-17 Thread Seth
On Tue, 17 Mar 2015 03:45:13 -0700, Clint Pachl wrote: I don't see a loop in my virtual users table. What am I missing? (below, I condensed the domains and "vmail" is my dovecot user) Have you tried running an 'smtpctl trace expand' command to see where it might be looping?

Re: Case sensitivity in automatic folder filtering by tag

2015-03-28 Thread Seth
On Sat, 28 Mar 2015 07:14:20 -0700, Kevin Chadwick wrote: If the filesystem supports case sensitivity then I can understand users expecting the current behaviour but it doesn't seem practical to me and I couldn't see a format specifier to lowercase deliveries to Maildir expanding to just TAG.

Re: Slight correction on "Does anyone else have an issue establishing a starttls to this host."

2015-04-08 Thread Seth
On Wed, 08 Apr 2015 12:16:49 -0700, Kevin Chadwick wrote: http://marc.info/?l=openbsd-misc&m=142842356024311&w=2 When I looked at the actual traffic it appeared that it gets one step further and the connection actually stops at OpenSMTPD sending a client hello via STARTTLS with no further re

Re: Slight correction on "Does anyone else have an issue establishing a starttls to this host."

2015-04-08 Thread Seth
On Wed, 08 Apr 2015 14:33:39 -0700, Kevin Chadwick wrote: Also, whether this hangs /usr/bin/openssl s_client -connect mx5.demon.co.uk:25 -starttls smtp -CAfile /etc/ssl/cert.pem I ran the command above on an OpenBSD 5.6-release host and it stopped responding at the "250 8BITMIME" line at t

Re: Slight correction on "Does anyone else have an issue establishing a starttls to this host."

2015-04-09 Thread Seth
On Thu, 09 Apr 2015 02:06:58 -0700, Kevin Chadwick wrote: Hmm, now I am puzzled as that is what should happen. You don't have /usr/bin/openssl and /usr/sbin/openssl installed do you? I guess you ran the same as above but /usr/sbin on 5.6 as it has moved to /usr/bin/ on 5.7 No, the system wa

Re: Vacation

2015-04-15 Thread Seth
On Wed, 15 Apr 2015 08:30:06 -0700, JC PAROLA wrote: Hi, I configured OpenSMTPD on OpenBSD 5.6 with virtual users and SMTP auth. I want to configure vacation but I don't find any information in man or Google. Does OpenSMTPD have this feature? There was a thread about this topic back in Februa

Re: "relay verify" produces syntax error

2015-05-04 Thread Seth
On Mon, 04 May 2015 09:44:09 -0700, Daniel Pajonzeck wrote: $ cat smtpd.conf table aliases { root=pi, pi=f...@domain.tld } accept for local alias deliver to mbox accept for any relay verify $ smtpd -dv /usr/local/etc/smtpd.conf:3: syntax error If I change the 'verify' to 'tls' everything is

Re: "relay verify" produces syntax error

2015-05-05 Thread Seth
On Tue, 05 May 2015 13:11:32 -0700, Daniel Pajonzeck wrote: I haven't tested if invalid certificates are rejected, but surprisingly "accept for any relay tls verify" doesn't result in a syntax error. This contradicts the manpage: "relay ... [tls | verify]" and "Note that the tls and verify opt

Re: "relay verify" produces syntax error

2015-05-05 Thread Seth
On Tue, 05 May 2015 13:11:32 -0700, Daniel Pajonzeck wrote: It's a man page bug, found this in the list archives http://marc.info/?l=opensmtpd-misc&m=142866776526943&w=2

Re: [IMPORTANT] latest snapshot - certificate check failed issue

2015-05-09 Thread Seth
On Sat, 09 May 2015 07:37:13 -0700, Gilles Chehade wrote: Hi, We are preparing upcoming major release and there's been some invasive updates since latest snapshot. In particular these 3 parts require HEAVY testing: - smtp and mta TLS setup can never be concurrent anymore, simplify l

Re: [IMPORTANT] latest snapshot - certificate check failed issue

2015-05-11 Thread Seth
On Sun, 10 May 2015 23:56:36 -0700, Gilles Chehade wrote: I have spotted a logic error which explains your issue. Without this, you cannot fallback to the default CA, you have to declare your CA explicitly. Can you apply the following diff ? diff --git a/smtpd/lka.c b/smtpd/lka.c index 31b7

THE SAD STATE OF SMTP ENCRYPTION - is OpenSMTPD also vulnerable?

2015-05-11 Thread Seth
Came across this article the other day and was curious if OpenSMTPD can be configured to address the vulnerability without using DNSSEC (ack!) = https://blog.filippo.io/the-sad-state-of-smtp-encryption/ Filippo Valsorda, 31 Mar 2015 THE

Re: THE SAD STATE OF SMTP ENCRYPTION - is OpenSMTPD also vulnerable?

2015-05-11 Thread Seth
On Mon, 11 May 2015 13:43:23 -0700, Johannes Löthberg wrote: There is one server which has a feature to automatically save domains to a whitelist to always force TLS on, though I don't remember which one. It seems like it could be nice to implement if it wouldn't be too hard. That would be gr

Re: THE SAD STATE OF SMTP ENCRYPTION - is OpenSMTPD also vulnerable?

2015-05-12 Thread Seth
On Tue, 12 May 2015 05:53:37 -0700, Johannes Löthberg wrote: Fair point. Any hints for where to start looking at implementing one? ;) This is my own terrible crude attempt: http://www.mail-archive.com/misc@opensmtpd.org/msg01582.html I think if you had a cronjob that ran a script once a day

Re: THE SAD STATE OF SMTP ENCRYPTION - is OpenSMTPD also vulnerable?

2015-05-12 Thread Seth
On Mon, 11 May 2015 17:45:47 -0700, Kevin Chadwick wrote: I wonder what is best more likely and easier to accomplish or gain traction. SMTPS or DNSSEC DNSSEC causes problems but people seem to be wanting it enough to implement it anyway, though many providers still including I believe Google

Re: Latest portable snapshot not sending emails.

2015-05-12 Thread Seth
On Tue, 12 May 2015 09:37:10 -0700, Gilles Chehade wrote: Please try the snapshot I just published, it should fix your issue The snapshot does, but a pull from the latest github version does not. How far behind the snapshots does the Github repo lag?

Re: [OpenSMTPD] portable snapshot opensmtpd-201505121836p1 available

2015-05-15 Thread Seth
On Tue, 12 May 2015 09:36:42 -0700, gilles chehade wrote: A new opensmtpd portable snapshot is available at: http://www.opensmtpd.org/archives/opensmtpd-201505121836p1.tar.gz Checksum: SHA256 (opensmtpd-201505121836p1.tar.gz) = 42ccd5cd13377cc84e7040bf0e92a2277ef311c5c27d5dc731

Re: [OpenSMTPD] portable snapshot opensmtpd-201505121836p1 available

2015-05-15 Thread Seth
On Fri, 15 May 2015 13:22:40 -0700, Gilles Chehade wrote: This is now fixed in git, will be part of next snapshot to be published this week-end That did the trick, thanks. BTW, if you're running FreeBSD and installing over a packaged version, you probably need to remove some symlinks firs

TLS Policy Database and the 'relay tls verify' option....like peas and carrots?

2015-05-15 Thread Seth
There's been some discussion on the list recently about using the 'relay tls verify' to mitigate STARTTLS downgrade attacks. [1] Gilles suggested using something like this in smtpd.conf as a protective measure: table validcrt file:/etc/mail/hosts-with-valid-certs accept for domain relay tl
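The two threads above (building a list of domains whose servers present verifiable certificates from the smtpd logs, then feeding that list to a table used with 'relay tls verify') describe a procedure but do not show it. The script below is an added example written for this listing; it is not code from the thread or from the OpenSMTPD project. It correlates the 16-hex-digit session id that both the certificate verification message and the "relay: Ok ... session=..., to=<...>" delivery line carry, and emits one recipient domain per line, the list-table format a 'table validcrt file:/etc/mail/hosts-with-valid-certs' declaration reads. The "relay: Ok" line follows the format quoted earlier in this listing (the real log carries the addresses in angle brackets, which the archive stripped); the exact wording of the "Server certificate verification succeeded/failed" message is my recollection of the 5.4-era mta log and is an assumption to check against your own logs. The sample log excerpt is constructed.

```python
import re
from collections import defaultdict

# Constructed sample log excerpt (not taken from the list archive). The
# "relay: Ok" lines follow the OpenSMTPD 5.4 format quoted earlier in this
# listing; the "Server certificate verification ..." wording is assumed.
SAMPLE_LOG = """\
Jan 20 10:01:02 mx smtpd[1234]: smtp-out: Server certificate verification succeeded on session 1a2b3c4d5e6f7081
Jan 20 10:01:03 mx smtpd[1234]: relay: Ok for 7074eecd937a1f96: session=1a2b3c4d5e6f7081, from=<alice@example.org>, to=<bob@example.com>, rcpt=<->, source=192.0.2.10, relay=198.51.100.25 (mx.example.com), delay=1s, stat=250 2.0.0 OK
Jan 20 10:05:00 mx smtpd[1234]: smtp-out: Server certificate verification failed on session 2b3c4d5e6f708192
Jan 20 10:05:01 mx smtpd[1234]: relay: Ok for 7074eecd937a1f97: session=2b3c4d5e6f708192, from=<alice@example.org>, to=<carol@example.net>, rcpt=<->, source=192.0.2.10, relay=203.0.113.7 (mx.example.net), delay=2s, stat=250 2.0.0 OK
Jan 20 10:09:00 mx smtpd[1234]: smtp-out: Server certificate verification succeeded on session 3c4d5e6f70819203
Jan 20 10:09:01 mx smtpd[1234]: relay: Ok for 7074eecd937a1f98: session=3c4d5e6f70819203, from=<alice@example.org>, to=<dave@example.com>, rcpt=<->, source=192.0.2.10, relay=198.51.100.26 (mx2.example.com), delay=1s, stat=250 2.0.0 OK
Jan 20 10:12:01 mx smtpd[1234]: relay: Ok for 7074eecd937a1f99: session=4d5e6f7081920314, from=<alice@example.org>, to=<erin@plaintext.example>, rcpt=<->, source=192.0.2.10, relay=192.0.2.99 (mx.plaintext.example), delay=1s, stat=250 2.0.0 OK
"""

# Assumed wording of the mta verification message; adjust to your log.
VERIFY_RE = re.compile(
    r"smtp-out: Server certificate verification (succeeded|failed) "
    r"on session ([0-9a-f]{16})")
# Delivery line: we only need the session id and the recipient's domain.
RELAY_RE = re.compile(
    r"relay: Ok for [0-9a-f]+: session=([0-9a-f]{16}), "
    r"from=<[^>]*>, to=<[^>@]+@([^>]+)>,")


def parse_log(lines):
    """Return {domain: {"sessions": set, "verified": set}} from smtpd log lines.

    Two passes: first collect every session whose server certificate
    verified, then attribute each successful delivery to its recipient
    domain. Sessions from concurrent deliveries interleave in the log, so
    correlating on the session id is what makes this sound.
    """
    lines = list(lines)
    verified = set()
    for line in lines:
        m = VERIFY_RE.search(line)
        if m and m.group(1) == "succeeded":
            verified.add(m.group(2))

    per_domain = defaultdict(lambda: {"sessions": set(), "verified": set()})
    for line in lines:
        m = RELAY_RE.search(line)
        if not m:
            continue
        session, domain = m.group(1), m.group(2).lower()
        per_domain[domain]["sessions"].add(session)
        if session in verified:
            per_domain[domain]["verified"].add(session)
    return per_domain


def trusted_domains(per_domain, min_sessions=2):
    """Domains whose every observed delivery session verified the server cert.

    A single unverified session (failed chain, or plaintext with no TLS at
    all) excludes the domain: once 'relay tls verify' is enforced, one MX
    with a bad chain would turn into hard delivery failures. min_sessions
    avoids trusting a domain on a single observation.
    """
    return sorted(
        domain for domain, s in per_domain.items()
        if len(s["sessions"]) >= min_sessions
        and s["verified"] == s["sessions"])


def render_table(domains):
    """One domain per line, the list format a file: table in smtpd.conf reads."""
    return "".join(f"{d}\n" for d in domains)


if __name__ == "__main__":
    stats = parse_log(SAMPLE_LOG.splitlines())
    # On a real host: parse_log(open("/var/log/maillog")) and write the
    # output to the file named in the 'table validcrt file:...' declaration.
    print(render_table(trusted_domains(stats)), end="")
```

With the constructed input only example.com qualifies: both of its sessions verified, example.net failed verification and plaintext.example never started TLS. This is trust-on-first-use in spirit: the STARTTLS downgrade the article worries about is mitigated only for domains already on the list, and a domain that moves to an MX with a different chain will start bouncing, so regenerate the table from a cron job and review the diff before installing it rather than overwriting it blindly.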

Re: OpenSMTPD build process does not recognize newer LibreSSL 2.1.4 libraries

2015-06-22 Thread Seth
On Mon, 09 Mar 2015 16:05:28 -0700, Seth wrote: Solved. This can be accomplished by setting environment variables with the make command, no configure script needed. Hat tip to Nick Mathewson from the Tor-relays mailing list for cluing me in to this method. $ sudo CFLAGS=-I/usr/local

Re: OpenSMTPD build process does not recognize newer LibreSSL 2.1.4 libraries

2015-06-29 Thread Seth
On Mon, 29 Jun 2015 09:38:54 -0700, Gilles Chehade wrote: You installed LibreSSL 2.2.0 on top of OpenBSD 5.7 ? Correct Previous versions worked ? If you mean OpenSMTPD would compile with updated LibreSSL libraries when using the CFLAGS and LDFLAGS as described earlier, then 'yes

Re: OpenSMTPD build process does not recognize newer LibreSSL 2.1.4 libraries

2015-06-29 Thread Seth
On Mon, 29 Jun 2015 09:38:54 -0700, Gilles Chehade wrote: Can you show me the build error ? Ran 'sudo CFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib make' 'from opensmtpd-5.7.1-rc1/smtpd' dir and there were no errors. Log of make output attached. opensmtpd-make.log Description: Bi

Re: OpenSMTPD build process does not recognize newer LibreSSL 2.1.4 libraries

2015-06-29 Thread Seth
On Mon, 29 Jun 2015 12:46:08 -0700, Gilles Chehade wrote: The subject being: Re: OpenSMTPD build process does not recognize newer LibreSSL 2.1.4 libraries The original issue from March concerned LibreSSL 2.1.4, which was solved with the CFLAGS LDFLAGS workaround. The recent posts con

Re: OpenSMTPD build process does not recognize newer LibreSSL 2.1.4 libraries

2015-06-29 Thread Seth
On Mon, 29 Jun 2015 12:55:21 -0700, Gilles Chehade wrote: what is it that you experience in this setup ? it builds but fails at startup ? It builds and runs fine, however the binary is not linked to the latest libssl in /usr/local/lib. Only the libcrypto lib is correctly linked. $ ldd /u

Re: OpenSMTPD build process does not recognize newer LibreSSL 2.1.4 libraries

2015-06-29 Thread Seth
On Mon, 29 Jun 2015 12:55:21 -0700, Gilles Chehade wrote: what is it that you experience in this setup ? I should add that I would like OpenSMTPD to detect and build against the latest installed LibreSSL libraries automatically without requiring any manual CFLAGS/LDFLAGS workaround.

revisiting 'feature: show program version' request for configuration management testing purposes

2015-07-01 Thread Seth
I'd like to revisit github issue #283 [1] "feature: show program version" In a nutshell I'm trying to create some OpenSMTPD version tests for the Ansible config mgmt system, and grepping the logs for the version has the following problems 1) Version number could be in uncompressed or gzippe

Re: revisiting 'feature: show program version' request for configuration management testing purposes

2015-07-01 Thread Seth
On Wed, 01 Jul 2015 17:33:38 -0700, Seth wrote: Dennis F (ledeuns@github) informs me that the smtpd version number can be obtained via the following command 'smtpd -h'. It appears that this switch is currently undocumented in the smtpd man page. The only outstanding issue I ca

Re: revisiting 'feature: show program version' request for configuration management testing purposes

2015-07-01 Thread Seth
On Wed, 01 Jul 2015 23:18:11 -0700, Seth wrote: The only outstanding issue I can think of is how to distinguish between patch versions, e.g. 5.7.1 vs 5.7.1p1 Disregard that dumb question, realized that p1 stands for portable, been a long day. This is the command I'm using to extrac

Recommended method for blasting the queue clean- can smtpctl be used?

2015-07-02 Thread Seth
I discovered I had thousands of messages stuck in my queue from running some stress tests earlier which needed removal. Apparently the 'smtpctl remove |' command does not support wild cards. Instead, I changed to /var/spool/smtpd/queue and ran this command with root privs: # 'find . -type

Re: Emails not forwarding to external addresses

2015-07-02 Thread Seth
On Thu, 02 Jul 2015 01:08:08 -0700, Tom Keene wrote: I'm setting up opensmtp in order to learn about email systems, forward emails t...@domain1.com to t...@gmail.com account and deliver emails from b...@domain2.com to a local maildir. I'm starting with a simple setup so I can understand the s

Re: Recommended method for blasting the queue clean- can smtpctl be used?

2015-07-02 Thread Seth
On Thu, 02 Jul 2015 01:44:10 -0700, Sunil Nimmagadda wrote: As far as I can see, smtpctl is capable of... smtpctl remove all smtpctl resume envelope all smtpctl pause envelope all just like... smtpctl schedule all but a cmd_install of the "all" variant is missing. This diff works for me, co

adding rDNS check feature to OpenSMTPD

2015-07-08 Thread Seth
I'm searching for additional ways to combat spam and looking into using reverse DNS lookups as a tool for doing so. What do others think of using rDNS lookups as an anti-spam tactic? If rDNS lookups are worthwhile, where would the most appropriate place to implement them be; spamd or the Ope

Re: OpenSMTPD build process does not recognize newer LibreSSL 2.1.4 libraries

2015-07-08 Thread Seth
The issue has been partially resolved after updating to LibreSSL 2.2.1. If the OpenSMTPD 5.7.1 release is compiled using flags: $ CFLAGS=-I/usr/local/include LDFLAGS=-L/usr/local/lib make && sudo make install Then /usr/sbin/smtpd is once again linked correctly to the newer /usr/local/lib/

Re: Emails not forwarding to external addresses

2015-07-09 Thread Seth
On Thu, 09 Jul 2015 11:58:38 -0700, Herbert J. Skuhra wrote: CONFIG pki domain.tld certificate "/etc/smtpd/tls/smtpd.crt" pki domain.tld key "/etc/smtpd/tls/smtpd.key" table vdoms "/etc/smtpd/vdoms" table vusers "/etc/smtpd/vusers" listen on e

Re: Emails not forwarding to external addresses

2015-07-09 Thread Seth
On Thu, 09 Jul 2015 05:38:50 -0700, Tom Keene wrote: FILE: vusers t...@tomkeene.com tom, tomu...@gmail.com As a troubleshooting measure, try changing the above line to read t...@tomkeene.com tom You're using maildir delivery instead of mbox and I have a hunch that might not work with t

Re: Receiving broken e-mails?

2015-07-25 Thread Seth
On Sat, 25 Jul 2015 01:27:00 -0700, Herbert J. Skuhra wrote: anyone else who is running OpenSMTPD on FreeBSD receive broken e-mails? In tcpdump/wireshark the message looks ok, but in the trace log the lines are broken. Receiving the same message with Postfix works! I haven't seen problem of t

Re: [Extras] Problems with sqlite tables

2015-07-26 Thread Seth
On Sun, 26 Jul 2015 08:03:45 -0700, Edgar Pettijohn wrote: # smtpd -d If so add some v's: # smtpd -d Do the extra smtpd 'v' flags produce more verbose output on all platforms? I just tried this on Arch Linux and can't tell that smtpd -d yields any more output than smtpd -dv -

Revisiting Issue #359 - Allow OpenSSL options to be specified

2015-07-27 Thread Seth
Copying my comment on this ticket[1] to the list for discussion --- I would like to re-open discussion on this issue for a different use case: In light of more vulnerabilities discovered in the TLSv1.0 protocol since Dec 2013, I no longer feel it provides acceptable security and would like

Re: Revisiting Issue #359 - Allow OpenSSL options to be specified

2015-07-27 Thread Seth
On Mon, 27 Jul 2015 12:53:19 -0700, Török Edwin wrote: Would this be for incoming or outgoing connections? It's the incoming that I'm primarily concerned with, but that's a good point to raise. Should the setting affect both directions or be applied independently? For incoming connection

Re: SSL/TLS

2015-07-27 Thread Seth
On Mon, 27 Jul 2015 19:40:39 -0700, SSL wrote: I am afraid of being attacked, so I want to limit PCs in Japan only (if a Japanese PC is hacked, this setting is not safe). It would probably be more appropriate and effective to use a firewall such as OpenBSD's pf to accomplish this goal. O

Re: spamd

2015-08-01 Thread Seth
On Sat, 01 Aug 2015 06:47:48 -0700, Peter N. M. Hansteen wrote: Either that or use the nospamd feature (see man 8 spamd and the rules example) and fill up the table from a useful source. I've accumulated some in my nospamd file which I make available at http://www.bsdly.net/~peter/nospamd, base

Re: That SSLv3 thing

2015-08-16 Thread Seth
On Wed, 15 Oct 2014 12:33:50 -0700, Gilles Chehade wrote: Hi, As you may know, SSLv3 has been pushed into end of life. While SSL libraries are working this out, I committed a fix to disable it explicitly in our code just in case someone builds it against some pre-catastrophe OpenSSL/LibreS

Re: That SSLv3 thing

2015-08-16 Thread Seth
On Sun, 16 Aug 2015 12:04:37 -0700, Edgar Pettijohn wrote: SSL_OP_etc are defined in /usr/include/openssl/ssl.h; there is no SSL_OP_NO_TLSv1_0 defined there, hence the error. There is an SSL_OP_NO_TLSv1_1 defined, maybe that's what you're looking for. Thank you very much, I changed the valu
