Niall O'Higgins

Using OpenBSD's OpenSMTPd for Email

Sat, 31 Oct 2009 13:52:00 PDT

As many readers may be aware, the venerable Sendmail has been the default mail daemon in OpenBSD for years. This is largely because it is the only reasonable BSD-licensed mail server around. Personally, I have never trusted Sendmail enough to use it on any of my hosts - despite the fact that it has been audited by the OpenBSD team. It has a Byzantine configuration which I could never figure out, and perhaps more importantly has a terrible security record, owing at least partly to its monolithic single-process design. So I've always used either Qmail or more recently

Postfix

Postfix is a free and open source mail transfer agent (MTA), a computer program for the routing and delivery of email. It is intended as...

License: IBM Public License

Get one for any topic!

Qmail has a very strange license which prevents it even being in the OpenBSD ports system. Postfix is not BSD-licensed, and so cannot be included in the base system. This means that running Postfix can be a little bit of extra work, since you have to deal with installing and upgrading packages. Wouldn't it be nice if there was a modern, simple, secure SMTP daemon in base? Now there is. New in OpenBSD 4.6 is the latest secure SMTP daemon on the block, OpenSMTPd. Turning on OpenSMTPd Sendmail is still the default MTA in base. You must follow these instructions to enable OpenSMTPd on your system:

smtpd is not enabled by default. In order to use it as the system mailer, ensure the mail queue is empty, then stop sendmail(8): # pkill sendmail Modify the current mailwrapper(8) settings by editing /etc/mailer.conf: sendmail /usr/sbin/smtpctl send-mail /usr/sbin/smtpctl mailq /usr/sbin/smtpctl makemap /usr/libexec/smtpd/makemap newaliases /usr/libexec/smtpd/makemap Rebuild the aliases database, and enable the daemon: # newaliases # echo "sendmail_flags=NO" >> /etc/rc.conf.local # echo "smtpd_flags=" >> /etc/rc.conf.local # smtpd

Note that while debugging your setup, you might find running smtpd in verbose foreground mode via `smtpd -dv' useful. OpenSMTPd configuration I'm very impressed at how simple and clean the OpenSMTPd configuration is. Check out the docs here. There are some more docs and example configs at Calomel.org. It still took me a little while to figure out a few things, so I thought I'd post my configurations to help others. Using OpenSMTPd as a Backup MX I've been using Postfix as a backup MX for unworkable.org. I decided to try OpenSMTPd in this role instead.

listen on lo0
listen on bnx0

map "aliases" { source db "/etc/mail/aliases.db" }

accept from all for local deliver to mbox
accept for all relay

accept from all for domain "unworkable.org" relay

The configuration is pretty straight forward once you are aware that the default 'from' is 'local' - that is why its necessary to add `accept from all' to accept mail from the outside world. Relaying mail to another SMTP server for delivery (nullmailer) with SSL I use Mutt as my MUA. Mutt assumes you have a local MTA to deliver mail. This means you need to use something like nullmailer or msmtp. Until now. My ISP (sonic.net) doesn't let me use port 25, so I have to relay to their SMTP server to send mail,

listen on lo0

map aliases { source db "/etc/mail/aliases.db" }
map secrets { source db "/etc/mail/secrets.db" }

accept for local deliver to maildir
accept for all relay via smtp.sonic.net ssl enable auth

The /etc/mail/secrets.db file is generated from a map, /etc/mail/secrets. This file includes your username and password - check out the smtpd.conf manual page for details.

Read a file line by line in C - secure fgets idiom

Sat, 03 Oct 2009 14:57:40 PDT

A pretty common thing to do in any program is read a file line-by-line. In other interpreted or managed languages this is trivial, the standard libraries will make it super easy for you. Just look at how simple it is to do this in Python or Perl or even Shell. In C its a little more complicated, because you have to think about how much memory you need up front, and also the standard library is kind of crufty. You always have to worry about overflowing buffers or dereferencing a NULL pointer. However, there is a nice libc function available in BSD-derived platforms (including Mac OS X) - fgetln(3). This function makes it nice and easy to read arbitrary-length lines from a file in a safe way. Unfortunately, its not available in GNU libc - that is to say, if you use this function, your program won't compile on Linux. Its not a trivial libc function to port - unlike say strlcpy - since it relies on private details of the FILE structure. These private details don't happen to be the same in glibc, so it doesn't work out of the box. While GNU libc doesn't provide fgetln(3), it does provide its own similar function, getline(3). Of course, if you use this function - which is a bit uglier than fgetln(3) in my opinion - your program won't work on BSD libc systems. So basically, neither of these functions are usable if you want your program to be reasonably portable. Pretty much everything I write in C I want to work on at least Linux, the BSDs, and Mac OS X. You could write your own line reading function on top of ANSI C. Or you might be able to get away with using the existing ANSI function, fgets(3). You need to be careful with fgets, however. You can easily introduce bugs if you aren't careful to cover all the error cases. The other big problem with fgets is that you need to know the maximum length of lines you are going to read in advance, otherwise you'll end up with truncation. In most applications, you can get away with a kilobyte or two on the stack for each line and be ok. In some places, it could be a deal killer though. Anyway, here is a good idiom for using fgets:

char buf[MAXLINELEN];
while (fgets(buf, MAXLINELEN, ifp) != NULL) {
    buf[strcspn(buf, "\n")] = '\0';
    if (buf[0] == '\0')
        continue;
}

The explanation of why you use strcspn() can be found in the OpenBSD manual page.

Py Web SF: The San Francisco Python & Web Technology Meet-up

Fri, 24 Jul 2009 19:29:47 PDT

Last month I started Py Web SF, the San Francisco Python & Web Technology meet-up. The idea is 1-2 conversation-style presentations of about 30 minutes with a group of 10-20 people. My hope is to have a more intimate group than the very good Bay Piggies (which I highly recommend). With a small group, it is possible to have more interaction, discussion and collaboration. In a typical lecture/audience format, people unfortunately tend to switch into "passive listener" mode.

June meet-up
Anyway, the first meet-up went extremely well - we had 15 people show up, which was a perfect number for the space. Shannon -jj Behrens gave an excellent talk on building RESTful Web services and Marius Eriksen - in fact a colleague from the OpenBSD project - gave an awesome talk on GeoDjango. Slides for both talks are online, of course.

July meet-up
Metaweb Technologies presenting a comparison of Django and Pylons. Then we have Alec Flett, another Metaweb'er, speaking about all the issues involved in scaling Python web applications.

Check it out
If you are interested in checking out the event, its July 28th, 6pm @ SF Main Public Libraryâ€™s Stong Room. Full details can be found at pywebsf.org. Or if you are interested in giving a talk, just let me know.

tmux, a BSD alternative to GNU Screen

Thu, 04 Jun 2009 20:25:13 PDT

I started using tmux today. It's a terminal multiplexer / task switcher for UNIX-likes, very much in the same vein as GNU Screen. However, it's a from-scratch implementation, designed to be clean, sane and easy to configure. The more liberal 3-clause BSD license is a plus also, since it means that OpenBSD has been able to integrate it into the source tree, so that it's available out of the box.

Comparison with GNU Screen
I've been a heavy screen user for many years - almost all my work is done on remote screen sessions. However, screen configuration has always been essentially black magic to me. For this reason, tmux and its nice manual page is a breath of fresh air. `tmux list-commands' is very straight forward and easy to grok. Furthermore, I like that everything in tmux is scriptable from the command line - you can run commands like `tmux resize-pane-up -t comms' to resize the pane on a session called 'comms'.

The other thing I really like about tmux is its default status bar. Some people might hate this, but I find it very useful to have a clock and a list of windows along with the process executing in them. This took quite some work to set up to my liking in GNU screen, but the default in tmux is great.

My config
One thing I don't much like is the default of C-b as the 'prefix' command. I suppose this makes some sense, since the author doesn't want to clobber GNU screen key bindings. Perhaps he will consider changing it to C-a, like in GNU screen, in the future. In any case, this isn't hard to change. Also, I am constantly using C-a C-a to switch back to the previous window - the default for this action in tmux is C-b l. Much less friendly in my opinion - of course, it's also easy to change!

So here are the contents of my $HOME/.tmux.conf:

set -g prefix C-a
bind-key C-a last-window

Getting tmux
I'm sure that packages exist for most operating systems. You can grab the source from http://tmux.sourceforge.net/. On OpenBSD, you can simply run `pkg_add -i tmux' to get the binary on your system.

UPDATE
Since OpenBSD 4.6, tmux is part of the base system. This means that if you are running OpenBSD 4.6 or later, you don't need to install any packages in order to get tmux.

Easy private DNS - authoritative and recursive - with Unbound

Tue, 19 May 2009 18:30:32 PDT

Lots of people have a small home network. Usually you have a combo box which acts as a router/firewall/file server. Then you have a couple of other machines hooked up, and you share the Internet using NAT. A private DNS server is helpful in this kind of scenario for two reasons:

Recursive resolver cache can speed up common DNS lookups.
Private authoritative resolver lets you easily refer to machine in your home by name, instead of remembering IP addresses.

The DNS Dichotomy For many years there has been a dichotomy in the DNS server implementation world, pretty much between the ISC's BIND and just about everything else. The essence of this dichotomy is that BIND integrates both djbdns, has one tool - tinydns - for the authoritative portion while another - dnscache - implements the caching recursive resolver functionality. Convenience costs you security The monolithic BIND approach has certain limited benefits - mainly that it is convenient to configure and install a private DNS server which acts both as a cache and as an authority for the private domain. Unfortunately, this design has severe implications for the robustness of the software. It serves both to increase complexity within a single process while ignoring the principle of least privilege. Essentially, BIND is a horribly complicated beast, with serious security vulnerabilities being found pretty often - and even the smallest security flaw can result in major problems due to the single process design. Alternative approaches [caption id="attachment_487" align="aligncenter" width="250" caption="Unbound: A modern, secure DNS server"][/caption] While djbdns might be one of the better-known BIND alternatives, I recently came across Unbound, a BSD licensed recursive resolver. One of the authors of Unbound is also an OpenBSD developer, which inspires confidence in the security of the software. Unbound also does simple authoritative resolution One of the nifty features of Unbound is that you can very simply configure it to act as an authority for your private domains. Due to this feature, you can have a single daemon on your home network router acting as both a cache and server for your local domain. This is very nice. In fact, I have found the Unbound configuration format to be considerably nicer to deal with than that of BIND. Setup under OpenBSD This describes how I set up Unbound on my OpenBSD machine - it should be a pretty similar procedure on most other operating systems.

# install the package
$ sudo pkg_add -i unbound

Now you have the binaries on disk, you can edit the configuration to set up your private domain. Unbound runs as a recursive resolver out of the box, so this is just about all the configuration you'll need to do.

# edit the config
$ sudo vi /var/unbound/etc/unbound.conf

For a single machine, add the following under 'server', replacing 'inet' with the desired name of your local domain, and 'joust' with the name of your machine:

    local-zone: "inet." static
    local-data: "joust.inet. IN A 192.168.1.1"

Since you want the DNS server to be accessible from other machines, you probably want it to listen on 0.0.0.0 (all available interfaces). Make sure you have some kind of firewall in place before you do this, though - you don't want to let random Internet hosts query your DNS server:

    interface: 0.0.0.0
    # Make sure you have a packet filter to block queries from the Internet.
    # Alternatively, set this only for your local network.
    access-control: 0.0.0.0/0 allow

Now you can start up Unbound:

$ sudo /usr/local/sbin/unbound

And of course you probably want it to come up on boot, so follow these instructions:

$ pkg_info -D unbound
Information for inst:unbound-1.2.1p0

Install notice:
You should add:

    syslogd_flags="${syslogd_flags} -a /var/unbound/dev/log"

to /etc/rc.conf.local to create a syslog socket in the unbound chroot.

You may also want to add the following to /etc/rc.local to start unbound
at boot:

        if [ -x /usr/local/sbin/unbound ]; then
                echo -n ' unbound'; /usr/local/sbin/unbound 
        fi

Mount remote filesystems via SSH on Windows with free software

Tue, 12 May 2009 20:06:44 PDT

I often use Windows as a terminal to my various UNIX systems. Sometimes its helpful to run proprietary software - and I don't have time/inclination to mess around with half-baked emulators/ports/binary blobs/whatevers under Linux. I either run a completely open system like OpenBSD or I run Windows. Anyway, I never use Windows to do any real work. I always shell into a remote system to actually get things done. Either PuTTY or - if you prefer real OpenSSH like me - OpenSSH via Cygwin/X work fine for getting a terminal. WinSCP or Cygwin's OpenSSH for scp(1) are good for file-transfer under most circumstances. However, one of the nice things about Windows is the Explorer shell. It - and its KDE knock-off - are useful for certain file management operations. Why not leverage it? So I started looking for a way to mount remote filesystems via SSH, so that they appear as native Windows volumes. And I found a way to do it, for free. Dokan user mode filesystem for Windows Dokan is basically FUSE for Windows. That's all dandy and there are plenty of useful FUSE filesystems out there, like this one which uses my BitTorrent implementation. Whats cool about Dokan is they also do an SSH FS implementation. Is it hard to set up I figured this thing was surely going to be a PITA and probably not work to boot. In fact, you just install three things - some Microsoft runtime library, the main Dokan library, and Dokan SSHFS - and there you go. There is simple GUI app to set up remote mounts that supports all the things you'd expect, saving sessions, both password and public key authentication. Does it actually work Yes, although it doesn't seem to support symlinks. A symlink to a directory on a remote system appears as a file under Dokan. So no $HOME/public_html for you - oh well. Final thoughts Its fun to look at your horribly un-organised UNIX home directory in Windows, and see just how messy it is. Almost makes me want to start cleaning things up. But then I remember I know how to use locate(1) and find(1).

Importing a CVS repository to Google Code Subversion

Wed, 06 May 2009 21:11:17 PDT

My C BitTorrent implementation, Unworkable, used to be hosted on an anonymous CVS repository I had running on my server at home. This was fine, until I reinstalled the machine from scratch and didn't feel like setting up the whole anonymous CVS access again. Its a pretty painful process, unfortunately, although there is this guide to setting up anonymous CVS. No public VCS, bad for an Open Source project So, for a while, there was no public source control for Unworkable, which sucked. Its difficult and cumbersome for other developers to write diffs and track changes without one. While I generally like to maintain full control of the source code hosting, I've had good experiences with Google Code before. They don't show ads, and their interface is clean and to the point, unlike say SourceForge, which is covered in ads and various nonsense. Anyway, I had a CVS repository and I first wanted to convert it to Subversion, including all the history, then I wanted to import that into Google Code. Converting from CVS to Subversion The first thing to do was to convert my existing CVS repository to Subversion. There is a nice tool specifically for this, cvs2svn. It is in fact very easy to use, at least in my basic case - I only work with HEAD or in SVN terminology, trunk. I simply ran:

cvs2svn --trunk-only --svnrepos ~/unworkable-svn ~/unworkable-cvs

Et voila, I have a shiny new Subversion repository in ~/unworkable-svn, with full history. Importing Subversion repository to Google Code Google Code lets you import an existing Subversion repository pretty easily, as long as you have an empty project. When your Google Code project is created, it will be set to revision 1. In Subversion-land, revision 0 is sort of magic, and so you will need to overwrite it to properly import your existing repository. Google give you a place to do this, but its slightly confusing because they don't put it under 'Administer'. In order to reset your repository you must:

Log into your Google Code project with administrator privileges.
Browse to the 'Source' page (either 'Checkout' or 'Browse' but not 'Changes').
Scroll to the bottom of the page, and click the 'reset this repository' link, which is sort of hidden.
Choose the option "Did you just start this project and do you want to 'svnsync' content from an existing repository into this project?"
Click the big "Reset Repository" button which has a big red warning label beside it.

Now you are ready to import your repository. You will use the 'svnsync' tool included in Subversion 1.4 and up to do this. There are two commands, one which takes a path to both the Google Code repository and your repository, and another which takes just a path to the Google Code repository. The first one will run quite quickly, the second one can take a while as it imports each individual revision,

# This command takes both the path to your Google Code repository
# and the path to the repository you want to import
svnsync init --username YOURUSERNAME 
    https://YOURPROJECT.googlecode.com/svn file:///path/to/localrepos
# This command takes just the path to the Google Code repository.
# It will take a while to complete.
svnsync sync --username YOURUSERNAME https://YOURPROJECT.googlecode.com/svn

Once you've done that, your code is imported. Enjoy!

OpenBSD 4.5 is out, solid release, but some package bugs

Mon, 04 May 2009 23:32:54 PDT

OpenBSD 4.5 was released the other day. I upgraded one of my servers and workstations to the new release, from 4.4-current and 4.4-release respectively. Mostly, things have gone pretty smoothly, as is usually the case with OpenBSD. The new release has plenty of incremental improvements, with the developers gradually polishing and refining things such that the operating system as a whole gets better and better. Some of the highlights for me include the new multi-plexing, re-sampling, low-latency audio server aucat(1), the new even-stricter malloc(3) which can catch buffer overflows of even a single byte. Additionally, the Atheros wireless driver, ath(4), which I have in a couple of my laptops, now supports WPA. All in all, lots of nice improvements which make OpenBSD even more of a pleasure to use. I did however come across one nasty bug after upgrading one of my servers. We use the symon system monitor on all our servers to log and graph all the sorts of system and network metrics you'd expect - cpu usage, disk, memory, network io, etc. This is very useful for capacity planning and also for spotting bugs or mis-configurations. Especially on a shared, multi-user system you want to keep an eye on resource utilisation over time. Unfortunately, the 4.5-release symon package for amd64 would exit after startup. When I ran it in debug mode, it gave me a 'Bus error' - then when I twiddled the symon.conf a bit more to remove some sensors, it would exit with a segfault, and finally I could get it to run by disabling some stuff but it would spew warning messages to standard IO. Specifically, it had a problem with the if(lo0) and if(bnx) sensors. If I disabled those, it would run, but spit out warnings. However, these sensors were pretty useful to me, so not having them was very annoying. I noticed some recent commits to the -current symon port, so I decided to give that a shot. Its always pretty hairy building -current ports on -release, but in this case I didn't have much choice. Fortunately for me, the -current symon port built and ran fine, completely eliminating the issues I'd had with the 4.5 -release packages. So, this was a mild annoyance, although it does highlight the sad demise of the -stable ports tree. Overall, 4.5 is a solid release with plenty of new features, just be warned that the symon package might not work out of the box for you, if you rely on it.

Apache mod_rewrite RewriteRule with query string

Fri, 01 May 2009 21:35:52 PDT

I was converting some mod_rewrite rules from the Lighttpd webserver to Apache today. While Lighttpd and Apache both have request rewriting modules with pretty equivalent functionality, there are some significant differences nonetheless. Specifically, I was trying to rewrite a URL of the form:

/script?key=123abcxyz

to a file on the local disk:

/abc/123/123abcxyz

In Lighttpd, I had a single rewrite rule handling both the URL and its query string:

"^/script?key=(([0-9a-f]{3})([0-9a-f]{3}).*)" => "/$2/$3/$1"

The regular expression might be a little confusing at first, but its reasonably straight forward. My first thought was that I could do pretty much exactly the same thing with an Apache RewriteRule, like so:

RewriteRule ^/script?key=(([0-9a-f]{3})([0-9a-f]{3}).*) /$2/$3/$1

Unfortunately this won't work - the RewriteRule will only be passed the URL - that is, /script without the query string (?key=foo). So how do you make the RewriteRule aware of the value of the query string to rewrite to the local on-disk file correctly? You must have a RewriteCond directive preceeding the RewriteRule. RewriteCond can run a grouping regular expression over the query string, and RewriteRule can pull those groups out of the previous RewriteCond with a special syntax:

RewriteCond %{QUERY_STRING} key=(([0-9a-f]{3})([0-9a-f]{3}).*)
RewriteRule ^/script /%2/%3/%1

So there you are - how to have an Apache RewriteRule operate on parts of the query string as well as on the URL. The solution ends up being a little more convoluted under Apache than under Lighttpd, but is still manageable.

Good spam filtering with OSBF-Lua and Mutt

Sat, 17 Jan 2009 00:11:24 PST

I've used Mutt as my mail reader (aka MUA) for years. My personal mail goes through OpenBSD's greylister, spamd(8) which cuts out a very large portion of spam. However, my work email account, and also any personal account subscribed to mailing lists, still get a fair bit of spam. So some additional filtering is needed. Enter OSBF-Lua. OSBF-Lua is a port of the orthogonal sparse bigrams with confidence factor classifier from the CRM114 project. It was recommended to me around a year ago by Pedro Martelletto, a talented systems hacker who is also a very nice guy. Thanks Pedro! Anyways, OSBF-Lua is very easy to set up - assuming you already have procmail or something similar installed and hooked up to your MTA. I'm going to assume you are installing this on OpenBSD, but the instructions should not differ much for any modern UNIX system. Installing OSBF-Lua First, install the package on your machine. Any moderately recent version of OpenBSD should have a binary package for it, and its dependency, the Lua programming language:

$ sudo pkg_add -i osbf-lua
lua-5.1.4: complete
osbf-lua-2.0.4p1: complete

On OpenBSD, the important files will be installed to /usr/local/share/osbf-lua. Now follow the official OSBF-Lua install instructions, which I'm reproducing below with the OpenBSD-specific paths. Configuring OSBF-Lua to filter your mail

# Do the following steps under your account, not as root

#1) Create your local osbf-lua dir:
    mkdir $HOME/osbf-lua
# 2) Create your log and cache dirs:
    mkdir $HOME/osbf-lua/log
    mkdir $HOME/osbf-lua/cache
# Note: Old messages in the cache dir should be deleted
# regularly, typically from a cron job, to preserve disk space. 

# 3) Copy the spamfilter config file to your dir:
    cp /usr/local/share/osbf-lua/spamfilter_config.lua \
        $HOME/osbf-lua

# 4) Edit spamfilter_config.lua to set your password
    $EDITOR $HOME/osbf-lua/spamfilter_config.lua

# 5) Change to the current dir to your osbf-lua dir and 
# and create the spamfilter databases (spam.cfc, nonspam.cfc)
     cd $HOME/osbf-lua
     lua /usr/local/share/osbf-lua/create_databases.lua
# 6) Add the following lines to your .procmailrc:

# set OSBF_LUA_DIR to where spamfilter.lua, 
# spamfilter_command.lua, etc were installed

OSBF_LUA_DIR=/usr/local/share/osbf-lua
OSBF_LUA_USER_DIR=$HOME/osbf-lua

:0fw: .msgid.lock
* < 350000 # don't check messages greater than 350000 bytes
| $OSBF_LUA_DIR/spamfilter.lua --udir $OSBF_LUA_USER_DIR

Training OSBF-Lua from inside Mutt You should now have OSBF-Lua hooked up to your mail pipeline. However, it will only work with the email gateway control method. That is, OSBF-Lua will notice certain commands in the Subject header and respond to those. While nifty and occasionally useful, it is tedious to train the filter by sending emails to yourself. A much easier method is to set up a Mutt macro which invokes the filter. I have mine bound to shift-s (spam) and shift-h (ham). The additions to your $HOME/.muttrc file are trivial:

macro index,pager H "~/learn-nonspam.sh"
macro index,pager S "~/learn-spam.sh"

Now for the simple shell scripts: $HOME/learn-spam.sh

#!/bin/sh
UDIR=$HOME/osbf-lua
LEARN=/usr/local/share/osbf-lua/spamfilter.lua
$LEARN --learn=spam --udir=$UDIR

$HOME/learn-nonspam.sh

#!/bin/sh
UDIR=$HOME/osbf-lua
LEARN=/usr/local/share/osbf-lua/spamfilter.lua
$LEARN --learn=nonspam --udir=$UDIR

Now you can train the filter from inside Mutt, with a single keypress! That should save a lot of repetitive and time-consuming fiddling with the e-mail gateway method.