Checking my new smtpd.conf syntax


Checking my new smtpd.conf syntax

Walter Alejandro Iglesias-3
Could someone tell me if my changes below are OK. :-)

The part I'm not clear on is that I read in current.html that remote
authenticated users need an explicit rule.  Do I need to add some "match
auth" rule?


# /etc/mail/smtpd.conf

egress_int="em0"
server="server.roquesor.com"

table aliases file:/etc/mail/aliases
table valiases file:/etc/mail/valiases
table vdomains file:/etc/mail/vdomains
table addresses file:/etc/mail/addresses
table users file:/etc/mail/users

pki $server certificate "/etc/ssl/server.crt"
pki $server key "/etc/ssl/private/server.key"

listen on lo0
listen on $egress_int port 25 tls pki $server
listen on $egress_int port 465 smtps pki $server auth \
        senders <users> masquerade

# Old
#accept from local for local alias <aliases> deliver to mbox
#accept from any for domain <vdomains> virtual <valiases> deliver to mbox
#accept from local sender <addresses> for any relay

# New
action local_users mbox alias <aliases>
action remote_users relay

match from local for local apply local_users
match from any for domain <vdomains> virtual <valiases> apply local_users
match from local sender <addresses> for any apply remote_users

# End of file


Re: Checking my new smtpd.conf syntax

Gilles Chehade-7
On Fri, May 25, 2018 at 02:20:50PM +0200, Walter Alejandro Iglesias wrote:
> Could someone tell me if my changes below are OK. :-)
>
> The part I'm not clear on is that I read in current.html that remote
> authenticated users need an explicit rule.  Do I need to add some "match
> auth" rule?
>

yes.

before, "from local" would match authenticated users as if they had sent
mail from the local machine but this led to being unable to express some
setups where depending on the source you want to relay to different hubs
even though users are authenticated.


With this:

> match from local for local apply local_users
> match from any for domain <vdomains> virtual <valiases> apply local_users
> match from local sender <addresses> for any apply remote_users

you need an additional rule such as:

match auth from any sender <addresses> for any apply remote_users


because:

> #accept from local sender <addresses> for any relay

no longer matches authenticated users



--
Gilles Chehade

https://www.poolp.org                                          @poolpOrg


Re: Checking my new smtpd.conf syntax

Consus-2
On 14:31 Fri 25 May, Gilles Chehade wrote:

> On Fri, May 25, 2018 at 02:20:50PM +0200, Walter Alejandro Iglesias wrote:
> > Could someone tell me if my changes below are OK. :-)
> >
> > The part I'm not clear on is that I read in current.html that remote
> > authenticated users need an explicit rule.  Do I need to add some "match
> > auth" rule?
> >
>
> yes.
>
> before, "from local" would match authenticated users as if they had sent
> mail from the local machine but this led to being unable to express some
> setups where depending on the source you want to relay to different hubs
> even though users are authenticated.
>
>
> With this:
>
> > match from local for local apply local_users
> > match from any for domain <vdomains> virtual <valiases> apply local_users
> > match from local sender <addresses> for any apply remote_users
>
> you need an additional rule such as:
>
> match auth from any sender <addresses> for any apply remote_users
>
>
> because:
>
> > #accept from local sender <addresses> for any relay
>
> no longer matches authenticated users

Ain't it "action local_users" instead of "apply local_users"? The man
page states "action".


Re: Checking my new smtpd.conf syntax

Gilles Chehade-7
On Fri, May 25, 2018 at 03:58:59PM +0300, Consus wrote:

> On 14:31 Fri 25 May, Gilles Chehade wrote:
> > On Fri, May 25, 2018 at 02:20:50PM +0200, Walter Alejandro Iglesias wrote:
> > > Could someone tell me if my changes below are OK. :-)
> > >
> > > The part I'm not clear on is that I read in current.html that remote
> > > authenticated users need an explicit rule.  Do I need to add some "match
> > > auth" rule?
> > >
> >
> > yes.
> >
> > before, "from local" would match authenticated users as if they had sent
> > mail from the local machine but this led to being unable to express some
> > setups where depending on the source you want to relay to different hubs
> > even though users are authenticated.
> >
> >
> > With this:
> >
> > > match from local for local apply local_users
> > > match from any for domain <vdomains> virtual <valiases> apply local_users
> > > match from local sender <addresses> for any apply remote_users
> >
> > you need an additional rule such as:
> >
> > match auth from any sender <addresses> for any apply remote_users
> >
> >
> > because:
> >
> > > #accept from local sender <addresses> for any relay
> >
> > no longer matches authenticated users
>
> Ain't it "action local_users" instead of "apply local_users"? The man
> page states "action".

oopsie, yes, action, forget about apply, it doesn't exist, I should not
answer mail while talking on the phone :-)


--
Gilles Chehade

https://www.poolp.org                                          @poolpOrg


Re: Checking my new smtpd.conf syntax

Consus-2
On 15:14 Fri 25 May, Gilles Chehade wrote:

> On Fri, May 25, 2018 at 03:58:59PM +0300, Consus wrote:
> > On 14:31 Fri 25 May, Gilles Chehade wrote:
> > > On Fri, May 25, 2018 at 02:20:50PM +0200, Walter Alejandro Iglesias wrote:
> > > > Could someone tell me if my changes below are OK. :-)
> > > >
> > > > The part I'm not clear on is that I read in current.html that remote
> > > > authenticated users need an explicit rule.  Do I need to add some "match
> > > > auth" rule?
> > > >
> > >
> > > yes.
> > >
> > > before, "from local" would match authenticated users as if they had sent
> > > mail from the local machine but this led to being unable to express some
> > > setups where depending on the source you want to relay to different hubs
> > > even though users are authenticated.
> > >
> > >
> > > With this:
> > >
> > > > match from local for local apply local_users
> > > > match from any for domain <vdomains> virtual <valiases> apply local_users
> > > > match from local sender <addresses> for any apply remote_users
> > >
> > > you need an additional rule such as:
> > >
> > > match auth from any sender <addresses> for any apply remote_users
> > >
> > >
> > > because:
> > >
> > > > #accept from local sender <addresses> for any relay
> > >
> > > no longer matches authenticated users
> >
> > Ain't it "action local_users" instead of "apply local_users"? The man
> > page states "action".
>
> oopsie, yes, action, forget about apply, it doesn't exist, I should not
> answer mail while talking on the phone :-)

Frankly, I like apply better :(


Re: Checking my new smtpd.conf syntax

Gilles Chehade-7
On Fri, May 25, 2018 at 04:15:00PM +0300, Consus wrote:

> On 15:14 Fri 25 May, Gilles Chehade wrote:
> > On Fri, May 25, 2018 at 03:58:59PM +0300, Consus wrote:
> > > On 14:31 Fri 25 May, Gilles Chehade wrote:
> > > > On Fri, May 25, 2018 at 02:20:50PM +0200, Walter Alejandro Iglesias wrote:
> > > > > Could someone tell me if my changes below are OK. :-)
> > > > >
> > > > > The part I'm not clear on is that I read in current.html that remote
> > > > > authenticated users need an explicit rule.  Do I need to add some "match
> > > > > auth" rule?
> > > > >
> > > >
> > > > yes.
> > > >
> > > > before, "from local" would match authenticated users as if they had sent
> > > > mail from the local machine but this led to being unable to express some
> > > > setups where depending on the source you want to relay to different hubs
> > > > even though users are authenticated.
> > > >
> > > >
> > > > With this:
> > > >
> > > > > match from local for local apply local_users
> > > > > match from any for domain <vdomains> virtual <valiases> apply local_users
> > > > > match from local sender <addresses> for any apply remote_users
> > > >
> > > > you need an additional rule such as:
> > > >
> > > > match auth from any sender <addresses> for any apply remote_users
> > > >
> > > >
> > > > because:
> > > >
> > > > > #accept from local sender <addresses> for any relay
> > > >
> > > > no longer matches authenticated users
> > >
> > > Ain't it "action local_users" instead of "apply local_users"? The man
> > > page states "action".
> >
> > oopsie, yes, action, forget about apply, it doesn't exist, I should not
> > answer mail while talking on the phone :-)
>
> Frankly, I like apply better :(
>

no matter the keywords, there's no way 100% of people would be satisfied :)

be happy, first iteration was "match [...] => foobar", now 'action' does
not look so bad, huh?


--
Gilles Chehade

https://www.poolp.org                                          @poolpOrg


Re: Checking my new smtpd.conf syntax

Consus-2
On 15:20 Fri 25 May, Gilles Chehade wrote:
> no matter the keywords, there's no way 100% of people would be satisfied :)
>
> be happy, first iteration was "match [...] => foobar", now 'action'
> does not look so bad, huh?

Guess so :D


Re: Checking my new smtpd.conf syntax

Amelia A Lewis
On Fri, 25 May 2018 16:15:00 +0300, Consus wrote:

> On 15:14 Fri 25 May, Gilles Chehade wrote:
>> On Fri, May 25, 2018 at 03:58:59PM +0300, Consus wrote:
>>> On 14:31 Fri 25 May, Gilles Chehade wrote:
>>>>
>>>> you need an additional rule such as:
>>>>
>>>> match auth from any sender <addresses> for any apply remote_users
>>>>
>>>> because:
>>>>
>>>>> #accept from local sender <addresses> for any relay
>>>>
>>>> no longer matches authenticated users
>>>
>>> Ain't it "action local_users" instead of "apply local_users"? The man
>>> page states "action".
>>
>> oopsie, yes, action, forget about apply, it doesn't exist, I should not
>> answer mail while talking on the phone :-)
>
> Frankly, I like apply better :(

For what it's worth (this is *not* a democracy), I like apply better as
well. "action" to declare; "apply" to refer. There's then no
possibility that someone will attempt to create an action "inline" in a
match directive; the syntax of reference is 'keyword barename' while
the syntax of declaration is 'keyword uniquename activities'. Different
keywords make it unambiguous for humans; can't use declaration syntax
where reference keyword is used.

I looked at your tests, Gilles, and was hopeful because they all use
'apply'. I found that easier to understand. However ... chances are, if
the tests were created early, that others have already argued in favor
of using the same keyword for declarations and references.

Amy!
Amelia A. Lewis                    amyzing {at} talsever.com
  Light is the left hand of darkness
  and darkness the right hand of light.
    Two are one, life and death, lying
    together like lovers in kemmer,
      like hands joined together,
      like the end and the way.
        -- Tormer's Lay [Ursula K. Le Guin, "The Left Hand of Darkness"]


Re: Checking my new smtpd.conf syntax

Gilles Chehade-7
On Fri, May 25, 2018 at 09:27:21AM -0400, Amelia A Lewis wrote:

> On Fri, 25 May 2018 16:15:00 +0300, Consus wrote:
> > On 15:14 Fri 25 May, Gilles Chehade wrote:
> >> On Fri, May 25, 2018 at 03:58:59PM +0300, Consus wrote:
> >>> On 14:31 Fri 25 May, Gilles Chehade wrote:
> >>>>
> >>>> you need an additional rule such as:
> >>>>
> >>>> match auth from any sender <addresses> for any apply remote_users
> >>>>
> >>>> because:
> >>>>
> >>>>> #accept from local sender <addresses> for any relay
> >>>>
> >>>> no longer matches authenticated users
> >>>
> >>> Ain't it "action local_users" instead of "apply local_users"? The man
> >>> page states "action".
> >>
> >> oopsie, yes, action, forget about apply, it doesn't exist, I should not
> >> answer mail while talking on the phone :-)
> >
> > Frankly, I like apply better :(
>
> For what it's worth (this is *not* a democracy), I like apply better as
> well. "action" to declare; "apply" to refer. There's then no
> possibility that someone will attempt to create an action "inline" in a
> match directive; the syntax of reference is 'keyword barename' while
> the syntax of declaration is 'keyword uniquename activities'. Different
> keywords make it unambiguous for humans; can't use declaration syntax
> where reference keyword is used.
>
> I looked at your tests, Gilles, and was hopeful because they all use
> 'apply'. I found that easier to understand. However ... chances are, if
> the tests were created early, that others have already argued in favor
> of using the same keyword for declarations and references.
>

indeed, but at least your mail made me update the tests :-)

thanks!


--
Gilles Chehade

https://www.poolp.org                                          @poolpOrg


Re: Checking my new smtpd.conf syntax

Walter Alejandro Iglesias-3
On Fri, May 25, 2018 at 03:58:59PM +0300, Consus wrote:

> On 14:31 Fri 25 May, Gilles Chehade wrote:
> > On Fri, May 25, 2018 at 02:20:50PM +0200, Walter Alejandro Iglesias wrote:
> > > Could someone tell me if my changes below are OK. :-)
> > >
> > > The part I'm not clear on is that I read in current.html that remote
> > > authenticated users need an explicit rule.  Do I need to add some "match
> > > auth" rule?
> > >
> >
> > yes.
> >
> > before, "from local" would match authenticated users as if they had sent
> > mail from the local machine but this led to being unable to express some
> > setups where depending on the source you want to relay to different hubs
> > even though users are authenticated.
> >
> >
> > With this:
> >
> > > match from local for local apply local_users
> > > match from any for domain <vdomains> virtual <valiases> apply local_users
> > > match from local sender <addresses> for any apply remote_users
> >
> > you need an additional rule such as:
> >
> > match auth from any sender <addresses> for any apply remote_users
> >
> >
> > because:
> >
> > > #accept from local sender <addresses> for any relay
> >
> > no longer matches authenticated users
>
> Ain't it "action local_users" instead of "apply local_users"? The man
> page states "action".

I took the "apply" from here:

  https://undeadly.org/cgi?action=article;sid=20180430122930

Now reading this:

  https://poolp.org/posts/2018-05-21/switching-to-opensmtpd-new-config/

I see I also have to change the "certificate" keyword to "cert" here:

  pki $server cert "/etc/ssl/server.crt"


Gilles, I also saw the "ca" directive.  I've been using the acme
certificates in pki directives, can I use them in the "ca" directive
too? (any advantage in doing this?)



        Walter


Re: Checking my new smtpd.conf syntax

Gilles Chehade-7
On Fri, May 25, 2018 at 09:37:07PM +0200, Walter Alejandro Iglesias wrote:

> On Fri, May 25, 2018 at 03:58:59PM +0300, Consus wrote:
> > On 14:31 Fri 25 May, Gilles Chehade wrote:
> > > On Fri, May 25, 2018 at 02:20:50PM +0200, Walter Alejandro Iglesias wrote:
> > > > Could someone tell me if my changes below are OK. :-)
> > > >
> > > > The part I'm not clear on is that I read in current.html that remote
> > > > authenticated users need an explicit rule.  Do I need to add some "match
> > > > auth" rule?
> > > >
> > >
> > > yes.
> > >
> > > before, "from local" would match authenticated users as if they had sent
> > > mail from the local machine but this led to being unable to express some
> > > setups where depending on the source you want to relay to different hubs
> > > even though users are authenticated.
> > >
> > >
> > > With this:
> > >
> > > > match from local for local apply local_users
> > > > match from any for domain <vdomains> virtual <valiases> apply local_users
> > > > match from local sender <addresses> for any apply remote_users
> > >
> > > you need an additional rule such as:
> > >
> > > match auth from any sender <addresses> for any apply remote_users
> > >
> > >
> > > because:
> > >
> > > > #accept from local sender <addresses> for any relay
> > >
> > > no longer matches authenticated users
> >
> > Ain't it "action local_users" instead of "apply local_users"? The man
> > page states "action".
>
> I took the "apply" from here:
>
>   https://undeadly.org/cgi?action=article;sid=20180430122930
>
> Now reading this:
>
>   https://poolp.org/posts/2018-05-21/switching-to-opensmtpd-new-config/
>
> I see I also have to change the "certificate" keyword to "cert" here:
>
>   pki $server cert "/etc/ssl/server.crt"
>
>
> Gilles, I also saw the "ca" directive.  I've been using the acme
> certificates in pki directives, can I use them in the "ca" directive
> too? (any advantage in doing this?)
>

don't touch a knob if you don't KNOW that you absolutely need it.

I know why some people would like to use a custom CA certificate instead
of the one shipped with the system; I don't know why YOU should do it, so
if you are asking I can only guess you are going to break your setup.


--
Gilles Chehade

https://www.poolp.org                                          @poolpOrg


Re: Checking my new smtpd.conf syntax

Walter Alejandro Iglesias-3
On Sat, May 26, 2018 at 08:15:18AM +0200, Gilles Chehade wrote:

> > Gilles, I also saw the "ca" directive.  I've been using the acme
> > certificates in pki directives, can I use them in the "ca" directive
> > too? (any advantage in doing this?)
> >
>
> don't touch a knob if you don't KNOW that you absolutely need it.
>
> I know why some people would like to use a custom CA certificate instead
> of the one shipped with the system; I don't know why YOU should do it, so
> if you are asking I can only guess you are going to break your setup.

First of all, each one is responsible for what they do with their system,
it's the nature of free software, isn't it?  Don't be afraid, if I break
my setup I won't sue you. :-)

In the past I used the defunct StartSSL(TM) certificates with Apache and
Sendmail for years.  In the case of a mail server I thought that, by
logic, presenting something that certifies your identity (what a CA
is for, isn't it?) should be one of the more acceptable ways to avoid
your messages being considered SPAM.

What I'm not clear about is what Let's Encrypt does (differently).  And,
logically, I'm not clear about what your software does in this case.
And above all I'm not clear about (and probably nobody is at this stage)
what mail servers do and why with their SPAM filters.  That was the aim
of my question.

By the way, your messages got to my server but not to misc@ (at least I
cannot read them through gmane), I guess they got trapped in the spamd
daemon.


>
>
> --
> Gilles Chehade
>
> https://www.poolp.org                                          @poolpOrg


        Walter


Re: Checking my new smtpd.conf syntax

Walter Alejandro Iglesias-3
On Sat, May 26, 2018 at 12:35:57PM +0200, Walter Alejandro Iglesias wrote:

> On Sat, May 26, 2018 at 08:15:18AM +0200, Gilles Chehade wrote:
> > > Gilles, I also saw the "ca" directive.  I've been using the acme
> > > certificates in pki directives, can I use them in the "ca" directive
> > > too? (any advantage in doing this?)
> > >
> >
> > don't touch a knob if you don't KNOW that you absolutely need it.
> >
> > I know why some people would like to use a custom CA certificate instead
> > of the one shipped with the system; I don't know why YOU should do it, so
> > if you are asking I can only guess you are going to break your setup.
>
> First of all, each one is responsible for what they do with their system,
> it's the nature of free software, isn't it?  Don't be afraid, if I break
> my setup I won't sue you. :-)
>
> In the past I used the defunct StartSSL(TM) certificates with Apache and
> Sendmail for years.  In the case of a mail server I thought that, by
> logic, presenting something that certifies your identity (what a CA
> is for, isn't it?) should be one of the more acceptable ways to avoid
> your messages being considered SPAM.
>
> What I'm not clear about is what Let's Encrypt does (differently).  And,
> logically, I'm not clear about what your software does in this case.
> And above all I'm not clear about (and probably nobody is at this stage)
> what mail servers do and why with their SPAM filters.  That was the aim
> of my question.
>
> By the way, your messages got to my server but not to misc@ (at least I
> cannot read them through gmane), I guess they got trapped in the spamd
> daemon.

Let me add something more about what I know.

Each piece of software (i.e. apache, nginx, uw-imap, sendmail, etc.) requires a
different setup to get the certificates working.  In some cases you need
to put chain and cert in one file, in others (uw-imap) you need to
include the key in the same file.

I just expected you could tell me (or point me to where this is documented)
what to do in the opensmtpd case.  The explanation in starttls(8) isn't
enough.

For example, what does the smtpd.conf "ca" directive expect?  A root
certificate bundle?  Intermediate certificates?  What does the software
use in case you don't set this option?  The system-provided
/etc/ssl/cert.pem?

I'll tell you what I've been doing so far.  When some time ago I started using
opensmtpd with the certs downloaded with acme-client, *after some trial
and error* I got it working with this setup:

Here I use the "full chain" certificate:

  pki $server cert "/etc/ssl/server.crt"

Here the key:

  pki $server key "/etc/ssl/private/server.key"



I got smtpd.conf working thanks to the man page

Walter Alejandro Iglesias-3
Just in case it could be useful to others.

After upgrading to the snapshot requiring the new version of smtpd.conf
it happened that the new rules I'd written (including the last one Gilles
passed me) were all wrong.

I could get it working thanks to the man page.  The result:

# OLD
accept from local for local alias <aliases> deliver to mbox
accept from any for domain <vdomains> virtual <valiases> deliver to mbox
accept from local sender <addresses> for any relay


# FIRST ATTEMPT (smtpd -n told me the three last lines were wrong)
action local_users mbox alias <aliases>
action remote_users relay

match from local for local apply local_users
match from any for domain <vdomains> virtual <valiases> apply local_users
match from local sender <addresses> for any apply remote_users
match auth from any sender <addresses> for any apply remote_users


# NOW WORKING
action "local" mbox alias <aliases>
action "virtual" mbox virtual <valiases>
action "relay" relay

match from local for local action "local"
match from any for domain <vdomains> action "virtual"
match mail-from <addresses> for any action "relay"
match auth mail-from <addresses> for any action "relay"


My advice to others is not to pay attention to anything but the man
page, checking one by one each option you used in the old configuration:
whether it still exists, whether it was replaced, and finally *where* to
pass it, to match or to action.  Doing it in that order you'll probably go
faster. :-)

As you see above I had to replace "sender" with "mail-from" and to create
a third action to pass the virtual aliases table, which in the first
attempt I'd wrongly included in the match.
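As an added example (my own code, not from this thread or from OpenSMTPD), a small Python linter that checks a new-style ruleset for exactly the mistakes corrected above: the non-existent "apply" keyword, "sender" in place of "mail-from", a virtual table on the match line, a match referencing an action that was never defined, and a relay action without any "match auth" rule (Gilles' point that authenticated users no longer match "from local"). It only knows the keywords this thread discusses; `smtpd -n` remains the authoritative check.

```python
import shlex

# Constructed samples: the thread's first (broken) attempt and the working fix.
FIRST_ATTEMPT = """\
action local_users mbox alias <aliases>
action remote_users relay
match from local for local apply local_users
match from any for domain <vdomains> virtual <valiases> apply local_users
match from local sender <addresses> for any apply remote_users
match auth from any sender <addresses> for any apply remote_users
"""

NOW_WORKING = """\
action "local" mbox alias <aliases>
action "virtual" mbox virtual <valiases>
action "relay" relay
match from local for local action "local"
match from any for domain <vdomains> action "virtual"
match mail-from <addresses> for any action "relay"
match auth mail-from <addresses> for any action "relay"
"""


def lint(conf):
    """Return sorted (line_no, message) pairs for the migration mistakes the
    thread ran into.  Line 0 is used for problems with the ruleset as a whole.
    Only the keywords discussed in the thread are known here (assumption)."""
    problems = []
    actions = {}        # action name -> line number of its definition
    refs = []           # (line_no, name) for each action referenced by a match
    has_relay_action = False
    has_auth_match = False

    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        words = shlex.split(line)               # "local" and local become the same name
        if words[0] == "action" and len(words) >= 3:
            actions[words[1]] = no
            if words[2] == "relay":
                has_relay_action = True
        elif words[0] == "match":
            if "auth" in words:
                has_auth_match = True
            if "action" in words:
                i = words.index("action")
                opts = words[:i]                # everything before the action reference
                if i + 1 < len(words):
                    refs.append((no, words[i + 1]))
                else:
                    problems.append((no, '"action" must be followed by an action name'))
            else:
                opts = words
            if "apply" in opts:
                problems.append((no, '"apply" does not exist; reference the action as action "name"'))
            if "sender" in opts:
                problems.append((no, '"sender <table>" is now "mail-from <table>"'))
            if "virtual" in opts:
                problems.append((no, '"virtual <table>" belongs in the action, not in the match'))

    for no, name in refs:
        if name not in actions:
            problems.append((no, 'match references undefined action "%s"' % name))
    if has_relay_action and not has_auth_match:
        problems.append((0, 'relay action defined but no "match auth" rule: '
                            'authenticated users no longer match "from local"'))
    return sorted(problems)


if __name__ == "__main__":
    for label, conf in (("first attempt", FIRST_ATTEMPT), ("now working", NOW_WORKING)):
        print(label + ":", lint(conf) or "OK")
```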


Re: I got smtpd.conf working thanks to the man page

Ingo Schwarze
Hi Walter,

Walter Alejandro Iglesias wrote on Tue, May 29, 2018 at 05:47:36PM +0200:

> My advice to others is not to pay attention to anything
> but the man page,

While that's often not bad advice in other areas of OpenBSD,
this particular manual page is not perfect yet, as should be
obvious to anyone looking at it.

So until these manual pages get finished, Gilles' various blog and
mailing list posts, and the source code, might be required for
missing clues.  Of course, only start searching elsewhere after
checking the manual.

Yours,
  Ingo