OpenBSD Journal

OpenBSD Journal

Setting up a mail server with OpenSMTPD, Dovecot and Rspamd

Contributed by rueda on from the Puffy delivers dept.

On his blog, Gilles Chehade (gilles@) has written a very detailed article on running an OpenSMTPD mail server.

The article begins:

- NO TL;DR: this time, I spent hours writing, you should spend minutes reading.
- OK... I explain in WAY TOO MUCH details how to setup a mail server

So if you have an interest in running your own mail service, you now have an excellent reference as a starting point.

DoH disabled by default in Firefox

Contributed by Paul 'WEiRD' de Weerd on from the put-your-names-in-the-crypt dept.

On Monday, Otto (otto@) committed a small but significant change to the Firefox port.

Date: Mon, 9 Sep 2019 12:50:35 -0600 (MDT)
From: Otto Moerbeek <otto@[elided]>
Subject: CVS: ports

CVSROOT:        /cvs
Module name:    ports
Changes by:    2019/09/09 12:50:35

Modified files:
        www/mozilla-firefox: Makefile
        www/mozilla-firefox/files: all-openbsd.js

Log message:
Disable DoH by default.  While encrypting DNS might be a good thing,
sending all DNS traffic to Cloudflare by default is not a good idea.
Applications should respect OS configured settings.
The DoH settings still can be overriden if needed. ok landry@ job@

If you are running your own DNS over HTTPS (DoH) server, you may want to point Firefox at it using the network.trr.uri configuration option in about:config, and overriding the network.trr.mode setting from Otto's change to 3. For more details on how to configure Firefox's use of DoH, please see their wiki.

Package updates for -stable branch now available for amd64, i386 soon

Contributed by Peter N. M. Hansteen on from the a stab at stability, packed dept.

In a very welcome development, Solene Rapenne (solene@) announced that binary package updates for the most popular platforms will be available for the latest OpenBSD release.

The announcement reads:

The OpenBSD base system has received binary updates for security and some other important problems in the base OS through syspatch(8) for the last few releases.

We are pleased to announce that we now also provide selected binary packages for the most recent release. These are built from the -stable ports tree which receives security and a few other important fixes:

-release: fixed point in time, no update (6.3, 6.4, 6.5, ...).
-stable: conservative updates only. For ports, only the most recent release is updated (currently 6.5).
-current: main development branch, receives bigger changes.

Read more…

6.6-beta has been tagged

Contributed by rueda on from the here-we-go-again dept.

Theo de Raadt (deraadt@) has just tagged 6.6-beta:

Module name:	src
Changes by:	2019/08/09 21:56:02

Modified files:
	etc/root       : root.mail 
	share/mk       : 
	sys/arch/macppc/stand/tbxidata: bsd.tbxi 
	sys/conf       : 
	sys/sys        : param.h 
	usr.bin/signify: signify.1 

Log message:
move to 6.6-beta

This serves as an excellent reminder to test both base and ports, and to report problems.

Game of Trees

Contributed by rueda on from the got-to-do-things-properly dept.

Stefan Sperling (stsp@) is developing a version control system, "Game of Trees". From <>:

Game of Trees (Got) is a version control system which prioritizes ease of use and simplicity over flexibility.

Got is still under development; it is being developed exclusively on OpenBSD and its target audience are OpenBSD developers.

Got uses Git repositories to store versioned data. At present, Got supports local version control operations only. Git can be used for any functionality which has not yet been implemented in Got. It will always remain possible to work with both Got and Git on the same repository.

GoT has been added to the ports tree as devel/got.

It is the subject of a talk at EUROBSDCON 2019.

Stefan has been involved in the discussion on

snmp(1) added to -current

Contributed by rueda on from the manage me simply dept.

Martijn van Duren (martijn@) has committed a new Simple Network Management Protocol (SNMP) client, snmp(1):

Module name:	src
Changes by:	2019/08/09 00:17:59

Added files:
	usr.bin/snmp   : Makefile mib.c mib.h smi.c smi.h snmp.1 snmp.c 
	                 snmp.h snmpc.c 

Log message:
Import snmp(1), a new snmp client which aims to be netsnmp compatible for
supported features.  It only supports get, getnext, walk, bulkget, bulkwalk,
trap, mibtree, and is SNMPv1 and SNMPv2c for now.

This will shortly replace snmpctl entirely. People using snmpctl are encouraged
to test and migrate to this code as soon as possible.

Much help with the manpage from schwarze@ and jmc@
No objections from reyk@
"Roll it in" deraadt@

This should be appearing in snapshots shortly; if you use snmpctl much today, please do test and report back to Martijn about any unexpected behaviour or possibly even feature requests.

tpmr(4) driver added to -current

Contributed by rueda on from the help you step over trolls dept.

David Gwynne (dlg@) has committed to -current another new network driver - an 802.1Q Two-Port MAC Relay driver, tpmr(4). The main commit message explains the raison d'ĂȘtre:

Module name:	src
Changes by:	2019/07/31 21:05:46

Added files:
	sys/net        : if_tpmr.c 

Log message:
add tpmr(4), a quick and dirty 802.1Q Two-Port MAC Relay implementation

a TPMR is a simplified bridge (as supported by bridge(4)). it only
supports two ports, and unconditionally forwards frames between
them. this is unlike a real bridge which can support an arbitrary
number of ports and implements a learning algorithm.

Read more…


Donate to OpenBSD


We are constantly on the lookout for stories of how you put OpenBSD to work. Please submit any informative articles on how OpenBSD is helping your company.

Earlier Articles

OpenBSD Errata

OpenBSD 6.5

0112019-09-14 SECURITY Libexpat 2.2.6 was affected by the heap overflow CVE-2019-15903.
0102019-09-02 RELIABILITY When processing ECN bits on incoming IPv6 fragments, the kernel could crash. Per default pf fragment reassemble prevents the crash.
0092019-09-02 RELIABILITY Resume forgot to restore MSR/PAT configuration.
0082019-08-09 SECURITY Intel CPUs have another cross privilege side-channel attack. (SWAPGS)
0072019-08-02 RELIABILITY smtpd can crash on excessively large input, causing a denial of service.
0062019-07-25 RELIABILITY By creating long chains of TCP SACK holes, an attacker could possibly slow down the system temporarily.

Unofficial RSS feed of OpenBSD errata


Users wishing RSS/RDF summary files of OpenBSD Journal can retrieve: RSS feed

Options are available.


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]