As I’m sure anyone who may still stumble upon this site has noticed, it’s been a long time since I posted last. Life has gotten in the way, and honestly there’s so much great stuff out there to read and experiment with. The work on OpenBSD continues and so does its evolution as a powerful, secure OS. One of my biggest gripes, the sometimes hard-to-find documentation, is improving. Already you can get your hands on a copy of The Book of PF, 3rd Edition and Absolute OpenBSD, 2nd Edition from No Starch Press. BSD Magazine continues to publish some great articles each month on OpenBSD and its brethren. Be sure to check them out!
This is a re-post of an old tutorial I wrote with some minor updates for more recent versions of OpenBSD.
One of the greatest challenges in migrating my server from a managed FreeBSD server to the new OpenBSD server was learning how to implement support for SASL on SMTP connections. This seems like something so elementary in a mail server that it should be really simple. Unfortunately, simply installing the cyrus-sasl package doesn’t handle the integration with sendmail for you nor is there any really good documentation online. I was particularly disappointed that OpenBSD’s documentation was completely silent on how to do it.
After searching online, I found that nearly all results for SASL on OpenBSD were for Postfix. Fortunately I did come across an article on how to do it. While it was written for OpenBSD 3.3, nearly all of the steps also apply to 4.7 and later. You can find the original article here.
First we’re going to need to install the cyrus-sasl package. We’re going to be using the plain vanilla version which allows us to use OpenBSD’s Unix style authentication from /etc/master.passwd. There are other flavors for LDAP, MySQL, and db4.
Here we’ll choose option 1.
Next we want to let saslauthd (the Cyrus SASL 2 daemon) know that it’s going to be working with sendmail and what types of authentication we want to support. This is done by creating a file called Sendmail.conf in /usr/local/lib/sasl2 like this. The cat command listed first allows you to enter the contents into the file without opening an editor such as vi.
# cat > /usr/local/lib/sasl2/Sendmail.conf
mech_list: LOGIN PLAIN
(hit ctrl-d to save)
There are other authentication methods besides LOGIN and PLAIN that you can use, such as DIGEST-MD5 and CRAM-MD5, which you can also add on the second line of the file if you plan on using them. Since we’re using OpenBSD’s own authentication mechanism we’ll omit them from the line.
Before we forget, let’s add our startup script to /etc/rc.local to ensure that saslauthd is started with the server:
if [ -x /usr/local/sbin/saslauthd ]; then
        echo -n ' saslauthd'; /usr/local/sbin/saslauthd -a getpwent
fi
On OpenBSD 5.0 and later*, saslauthd will be started using the rc.d(8) mechanism. You will need to add the following line to /etc/rc.conf.local:
* Substitute “pkg_scripts” for “rc_scripts” if you’re using 4.9.
Worth noting here is that we are using getpwent(3) as our authentication method. This is basically just saying that we’re authenticating against /etc/master.passwd. saslauthd starts 5 threads or processes by default each time it runs; we can limit this by adding a -n option followed by the desired number of threads to the startup command. This may be desirable on an older machine with fewer resources.
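As an added check that is not part of the original tutorial, this POSIX sh script parses constructed copies of the two settings created above, the mech_list in Sendmail.conf and the saslauthd start line, and reports which mechanisms, backend and worker count they allow; the file contents and the -n value are assumptions embedded inline, so it runs anywhere without touching the live files.

```shell
#!/bin/sh
# Added example, not from the original post: review the two SASL settings the
# tutorial creates, working from constructed copies of their contents so the
# script runs anywhere and touches no live files.

# Constructed copy of the post's /usr/local/lib/sasl2/Sendmail.conf
SAMPLE_SENDMAIL_CONF='mech_list: LOGIN PLAIN'
# Constructed start line in the post's rc.local style, with -n added
SAMPLE_START_LINE='/usr/local/sbin/saslauthd -a getpwent -n 2'

# Print the mech_list of a Sendmail.conf body, upper-cased and single-spaced
# on one line; prints nothing when the file has no mech_list.
sasl_mechs() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*mech_list:[[:space:]]*//p' |
        tr '[:lower:]' '[:upper:]' | tr -s ' \t' ' ' | sed 's/ $//'
}

# Return 0 when every listed mechanism is in the expected set, else name the
# extras and return 1. LOGIN and PLAIN send the password in the clear, so a
# list like the post's relies on STARTTLS to protect the SMTP session.
check_mechs() {
    expected="$1"; conf="$2"; rc=0
    for m in $(sasl_mechs "$conf"); do
        case " $expected " in
            *" $m "*) ;;
            *) echo "unexpected mechanism: $m"; rc=1 ;;
        esac
    done
    return $rc
}

# Print the -a backend of a saslauthd start line, or "none" if it is missing.
saslauthd_backend() {
    printf '%s\n' "$1" |
        sed -n 's/.* -a[[:space:]]*\([^[:space:]]*\).*/\1/p' | grep . || echo none
}

# Print the -n worker count of a saslauthd start line; the daemon's default
# of 5 is assumed when the flag is absent, as the post describes.
saslauthd_threads() {
    n=$(printf '%s\n' "$1" | sed -n 's/.* -n[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    echo "${n:-5}"
}

check_mechs "LOGIN PLAIN" "$SAMPLE_SENDMAIL_CONF" && echo "mech_list ok"
echo "backend: $(saslauthd_backend "$SAMPLE_START_LINE")"
echo "workers: $(saslauthd_threads "$SAMPLE_START_LINE")"
```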
Recently I’ve had this really nagging issue where I could no longer send email from Roundcube. Mail would send just fine from any email client. A review of the mail logs for the failed message being sent from Roundcube gave a puzzling error about an unbalanced “<” preceding the recipient’s name with the email address. I did find that removing the person’s name preceding the email address from the “To” line allowed me to send the message. Basically, removing the name when the field looks like this:
John Doe <firstname.lastname@example.org>
I tried playing around with a few things including re-installations of Roundcube and did a really thorough glean of my sendmail config files comparing them to the defaults. Looking through the MySQL database showed no extra angle brackets in any of the stored contacts. I did find a post on the Roundcube forums about the same error but for an older version. I tried messing around with some of the PHP files as the fix mentioned in the article was no longer applicable due to filename changes, but had no change in behavior. Thinking that perhaps there was some bug in the PHP code itself I tried installing later versions but I still got the same error about the message failing to send. I had no issues with the 0.3.x releases. This issue cropped up in the 0.5.x branch.
Finally, on a hunch, I began to suspect that mini_sendmail-chroot was the culprit. It turns out that I was exactly right. A search of the OpenBSD mailing list archives pointed me to a replacement called femail-chroot which was described as being less problematic. I tried it out and the problem was resolved! I’m not sure what it was about mini_sendmail that breaks with newer PHP scripts. Unfortunately, the project is apparently no longer maintained, with the last release being from 2005.
Femail is basically a drop-in replacement for mini_sendmail. The only work involved is to just point PHP to it in your php.ini and restart Apache. You can install femail-chroot as a package (run pkg_add femail-chroot as root) or from ports (mail/femail). If you install it from ports please note that the chrooted version is available as a flavor.
This week the CVS tree has been tagged with 5.0-beta and work is being done to get it ready for its November release. You can see the announcement from Theo de Raadt here.
Peter Hansteen, author of the indispensable The Book of PF, has a very nice explanation of some of the things we can expect in 5.0 and how this is not a revolutionary release but an evolutionary one.
Some of the interesting things he mentions are that sysmerge(8) will now be available to run from the installer, instead of having to boot from the CD or the new bsd.rd RAM disk and later going through and merging /etc, and that non-free firmware can be installed from the get-go.
You can see a list of changes already implemented since 4.9-release here.
I just installed a copy of the beta and started playing with it. So far I noticed that work on rc.d scripts continues to evolve as startup daemons in base now have individual scripts. In 4.9 rc scripts were only available for third-party software installed from packages or ports.
I’ve been using 4.9 for a week now and really love the improvements. The upgrade was dead simple and trouble free. Unfortunately, as I was upgrading my motherboard decided to die on me. Thankfully the helpful people at Westhost were able to get me back up and running in no time after a chassis swap.
The man pages for rc.conf(8) and rc.d(8) were extremely helpful for updating my configuration to take advantage of the new rc scripts. The only gotcha I ran into was that not everything has an rc script written for it yet and I had forgotten to set up certain ones to use a particular user like I had in my previous rc.local. Not a problem. The option to set a user for the startup daemon will always be named the same as the rc script. For example, the rc script for ClamAV is /etc/rc.d/clamd. To tell my server what user to run as I just add these lines to 1) start the daemon and 2) start it as the proper user in /etc/rc.conf.local.
Simple enough, huh?
OpenBSD admits that the rc script functionality is a work in progress. It works very well in its current form and is well implemented as it is in the other BSDs. This is a great release and you should upgrade if you haven’t already. A round of applause for the OpenBSD developers!
Yes, it is true. The OpenBSD Journal has a very interesting article put together by one of the OpenBSD developers on how they’re using it in their business to not only build networks, but to switch office environments over to OpenBSD. It’s a very interesting read and speaks for itself on how versatile OpenBSD can be.
Want to add some color to your shell environment? FreeBSD and most Linux distros have color options included in the “ls” utility by default. OpenBSD doesn’t, but it’s very easy to add. We just need to install the “colorls” package (sysutils/colorls in ports).
# pkg_add colorls
Colorls works exactly the same as regular “ls”. To get the color option you just need to use the -G option. If you want it to replace “ls” for regular work you can create an alias in your favorite shell’s environment file. The output for file and directory listings will now have a different color for different types of files.
White = regular file
Purple = directory
Red = executable file
Magenta = symbolic link
White highlight = Set Group ID enabled
Red highlight = Set User ID enabled
Yellow highlight = Sticky bit enabled
Enjoy! Almost as good as getting the window seat at work.
It’s been a long-waged battle to get working Flash support on BSD. Most OpenBSD users either learn to live without it or try semi-working solutions such as gnash. On FreeBSD the support is somewhat passable using Linux emulation with a Linux binary version of Flash.
In yet another attempt to get Adobe to reconsider their position the PC-BSD team has put together a petition to get Flash for FreeBSD. Getting Adobe to see the growing number of BSD users is very important in making BSD more mainstream. Adobe has maintained Solaris support for Flash for a number of years. I think we’ve come a long way since Solaris was last a mainstream Unix desktop system compared to the number of desktop BSD systems there are now. If Adobe were to make Flash for FreeBSD I believe that it would be a fairly simple matter to get it to work under OpenBSD’s FreeBSD emulation mode.
Please take a moment to sign.