Appears you turned pf debugging on--try 'pfctl -x none' to shut it off.

On Thu, Jul 10, 2008 at 5:01 PM, Claus Assmann < ca+OpenBSD_misc@zardoc.endmail.org <ca%2BOpenBSD_misc@zardoc.endmail.org>> I first have to excuse myself cause I claimed that there were no errors in the log file! Well, there was no debugging output enabled. Now I did that with '-d0-17.4' flags! Still I don't see anything weird in there! I don't know if you can provide with an example of such an error or warning? Thanks George

Did you restart sendmail? -- o--------------------------{ Will Maier }--------------------------o | web:.......http://www.lfod.us/ | email.........willmaier@ml1.net | *---------------------[ BSD: Live Free or Die ]--------------------*

On Thu, Jul 10, 2008 at 5:05 PM, Stuart Henderson <stu@spacehopper.org> exaclly! That's what I did. Below is a extract from my current sendmail.cfmail: ----------- # CA directory O CACertPath=/etc/mail/CA # CA file O CACertFile=/etc/mail/CA/cacert.pem # Server Cert O ServerCertFile=/etc/mail/CA/cert.pem # Server private key O ServerKeyFile=/etc/mail/CA/key.pem # Client Cert O ClientCertFile=/etc/mail/CA/cert.pem # Client private key O ClientKeyFile=/etc/mail/CA/key.pem # File containing ...

no, that would be pointless. -- Henning Brauer, hb@bsws.de, henning@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

right, unbound already randomises the source port (arc4random from guess where) and also the source address if you list more than one (assign aliases to the interfaces, and list all of the IP address in "outgoing-interface" lines in config). http://nlnetlabs.nl/publications/DNS_cache_poisoning_vulnerability.html they have their own methods to avoid stomping on ports used by other UDP services, but since they don't have control over the rest of the OS, it's a bunch of config parameters, ...

I don't think -B8BITMIME works with sendmail on OpenBSD -- at least it does not on my 4.3 i386 from CD and on 4.4 -current. Were you thinking of EightBitMode=mode or do you have any errors on /var/log/maillog with this flag? -- Vijay Sankar, M.Eng., P.Eng. ForeTell Technologies Limited 59 Flamingo Avenue, Winnipeg, MB Canada R3J 0X6 Phone: +1 204 885 9535, E-Mail: vsankar@foretell.ca

On Thu, Jul 10, 2008 at 2:26 PM, Nick Holland <nick@holland-consulting.net> (through a bitnet gateway)... -- http://www.glumbert.com/media/shift http://www.youtube.com/watch?v=tGvHNNOLnCk "This officer's men seem to follow him merely out of idle curiosity." -- Sandhurst officer cadet evaluation. "Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." -- ...

For the archives: unless it is specifically requested as rm -P Regards, David

On Soekris, does the first boot console access not function properly until ttys(5) or boot.conf(5) are edited? Do you need to run headless, but with stored network configuration from the installer?

Hi George - You need to use a mail delivery agent (MDA), such as procmail, maildrop, or dovecot's deliver. - David

One thing to rule out would be the buffer cache changes. These were committed over a little time, but you could check a kernel from june 9th (before) and june 15th (after). of course, that's the week of the hackathon, so lots of other changes occurred as well. but try those dates.

It doesn't notice this as an improvement because it is making multiple requests to the same name server, and pf will map all these requests using the same outgoing port. David

Dear list, running currently 4.3 generic with sendmail: Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG ---------------------- did try to setup STARTTLS but I don't think that it works! here are the modifications in my .mc file: ---------------------- define(`CERT_DIR', `MAIL_SETTINGS_DIR`'CA')dnl define(`confCACERT_PATH', ...

You should study Section 15.4.1 of the FAQ: http://openbsd.org/faq/faq15.html#NoFun However if you still have questions, please provide the output of the following command: $ sysctl kern.version As others, I too suspect you have installed -current & are trying to install -release packages.

On Thu, Jul 10, 2008 at 5:07 PM, Stuart Henderson <stu@spacehopper.org> I intend to install Dovecot! So obviously that will do the job! Thanks for your prompt reply George

For some unknown reason this prompted me to look at the rm manpage for the hell of it (yeah, bored and tired at the moment). There's an odd comment in the STANDARDS section which says "The interactive mode used to be a dsw command, a carryover from the an- cient past with an amusing etymology." That piqued my interest further (yeah, still bored and still tired at the moment) so I googled away and found this tidbit about the mysterious dsw command: ...

Sounds good, but as I've successfully avoided both PPP and PPPoE for well over ten years now, I have no way to completely test, a diff would be nice. Nick.

Good afternoon! So, before the next make build I must rebuild the yacc alone. I would like to know how can I rebuild yacc. I searched in old errata patches, Makefiles, bsd.*.mk files. In my previous logfile (2008.07.07/src_make_build) I see, that by yacc the "make cleandir" is used: "rm -f yacc.cat1 ... rm -f .depend ...tags" So is this correct? cd usr.bin/yacc make obj make cleandir make depend make make install In general, how can I ascertain, what kind of make Phony Targets ...

Thnaks George

I searched /etc/syslog.conf, but can't find how to disable it. Jul 10 08:40:04 proxy /bsd: pf: loose state match: TCP in wire: 192.168.4.132:3833 58.253.67.248:80 stack: - [lo=3472355129 high=3472419308 win=65535 modulator=0] [lo=3167937694 high=3168002906 win=64857 modulator=0] 10:10 R seq=3472355129 (3472354451) ack=3167937694 len=0 ackskew=0 pkts=5:3 dir=in,fwd Jul 10 08:43:37 proxy /bsd: pf: wire key attach failed on all: TCP out wire: 219.149.124.163:80 210.21.12.116:50157 ...

Hi again, It seems that I needed: set skip on lo0 Funny thing is that the same ruleset works on 4.3 without the need for this statement. Was there some change in the route-to logic from 4.3 to 4.4? This may be of interest for someone running spamd in a bridge setup. Kind regards, Jose. -- Be Yourself @ mail.com! Choose From 200+ Email Addresses Get a Free Account at www.mail.com

reading tea leaves^H^H^H^H^H^H^H^H^H^Hsource-changes has me thinking the BIND bug has spurred some activity in other parts of the tree, too (as in, "bugs are never unique, in OpenBSD we look for patterns or AOL! -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

Sorry for the noise. I should not have sent that message. What happened was, in a misguided attempt to help, I tried running sendmail with the various options GVG had mentioned. /usr/sbin/sendmail -L sm-mta -C/etc/mail/sendmail.cf -bd -qp -B8BITMIME -X /$HOME/mail_log and got the error Jul 10 11:54:09 vijay sm-mta[22142]: NOQUEUE:SYSERR(root): /etc/mail/sendmail.cf: line 0: cannot open: No such file or directory on my desktop. Obviously this had nothing to do with -B8BITMIME ...

Off topic to this thread, but: On Thu, Jul 10, 2008 at 8:24 AM, GVG GVG <gvgter@googlemail.com> wrote: Remove -B8BITMIME from that: the -B option is only applicable when sending email. Indeed, you should be seeing this error at boot time: WARNING: Ignoring submission mode -B option (not in submission mode) What docs suggested that you add that? (For the topic of this thread, you did eyeball /var/log/maillog after restarting, right?) Philip Guenther

thank you all (Jacob Meuser, Markus Lude, Louis V. Lambrecht, James Hartley) for your help i have reinstall my openbsd 4.3 and then use this -rOPENBSD_4_3 for update ports, and now i have been able to install from packages and ports it's my faults because i remember, i have update ports without -rOPENBSD_4_3 tags i litle bit confused about release and stable, if i download ISO from OpenBSD/4.3 ftp, then this is a release, then if i want using --stable, i must using -rOPENBSD_4_3 tags for ...

maybe if people actually READ THE ARCHIVES, they'd be better informed. i wish this mailing list had PermitStupidEmails No as the default. i really fail to see how this setting does anything other than make mgmt

Dear List, having a 4.3 and sendmail installation, the default locations where the mails go is /var/mail/$USER. How can I change that and point to a Maildir formatted location? Thanks George

You did rebuild the .cf file from the .mc file, right? STARTTLS(8) OpenBSD System Manager's Manual STARTTLS(8) [...] Now that you have the TLS-enabled versions of the .mc files you must gen- erate .cf files from them and install the .cf files in /etc/mail. [...]

Of course it is enabled by default. Why do I want a box that is freshly installed and unreachable?

Nothing for ls -ald /var/db/pkg/.* is a positive point. What is completely wrong for a 4.3 release, as Jacob said, your libiconv should be *libiconv-1.9.2p5 *as a result your gettext is also wrong, should be *gettext-0.16.1 *You, somehow, incorrectly installed the latest gettext (from current) and correctly try to install glib2 from release. Wich is not compatible. Since you don't have dot entries in the /var/db/pkg you probably can pkg_delete gettext and libiconv and reinstall them from ...

Hi OpenBSD PF experts, I am managing a private network 192.168.1.0/24, 192.168.1.2 is my Retrospect backup server running on OS X 10.5 to back up the rest of computers. To add another layer to protect my backup server, I add an OpenBSD4.3 PF transparent firewall in front of 192.168.1.2, Since it is transparent, all my current private network setting keeps the same. my /etc/bridgename.bridge0: add sis0 add sis1 blocknoip sis0 blocknoip sis1 up my ...

Frankly, re-re-re-re-read the FAQ. Since you just re-installed and still want -current packages, the best way would be to grab a snapshot and do a fresh install. Do this on a date at which your mirror has packages with the same date than the snapshots. (or a day or two off). Release updates are almost foolproof, updating from snapshots might break, while a snapshot of the next day would be perfect. My personal opinion: when you have both the stock OS and sources and started installing ...

Sorry I did a mistake! The changes in the .mc file are: ---------------- define(`CERT_DIR', `MAIL_SETTINGS_DIR`'CA')dnl define(`confCACERT_PATH', `CERT_DIR')dnl define(`confCACERT', `CERT_DIR/cacert.pem')dnl define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl -------------- using the same certs for 'server' and 'client'! So the files do ...

I do prefer to use the siteXX.tgz and the install.site script to do this, since it is the recommended way to customize the install process: http://www.openbsd.org/faq/faq4.html#site I remember other thread on this list about this. At some point someone asked "Why not ask the installing user to create an unprivileged account during the install process?". The answer was simple and very coherent: "Because we want the user to give root user a strong password. If we prompt for another user creation, ...

correct but I didn't install as 'localhost' but as 'sendmail.cf'. My server does accept mails from the outside world! After that I did restart the box! Sendmail gets started as: sendmail_flags="-L sm-mta -C/etc/mail/sendmail.cf -bd -qp -B8BITMIME -X /[$HOME]/mail_log"

looks like there is some work in progress to update the in-tree BIND to 9.4.2-P1 + local tweaking, for example: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/bind/lib/dns/dispatch.c?r1=1.8 As Theo points out, patience is a virtue, and it's the "+ local tweaking" above that is the reason I gratefully use OpenBSD. /Pete