Thursday, July 20, 2017

Build netqmail-1.06 with TLS support Devuan / Debian package

Before you start you need libssl-dev and  qmail-uids-gids packages installed (or you can create qmail users/groups manually according to qmail README.

Make the debian package:

$ git clone https://github.com/devane/netqmail-1.06-tls
$ cd netqmail-1.06-tls
$ dpkg-buildpackage -uc

Source contains extracted source from Debian Testing package of netqmail-1.06 + debian patches + TLS patch (from http://inoa.net/qmail-tls/)

Install the package:

# dpkg -i ../qmail_1.06-6_amd64.deb

Make the package 'hold' so it won't be updated in next qmail update.

# echo "qmail hold" |dpkg --set-selections

To generate certificates for TLS change to netqmail-1.06-tls directory and then:

$ make cert

Answer the questions and then copy generated .pem file in /var/qmail/control/servercert.pem . Clientcert.pem is the same so make a link:

# ln -s /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem

If there is no certificates in control directory the server will answer on EHLO that there is no TLS supported:

$ telnet mail.domain.com 25
Trying mail.domain.com...
Connected to mail.domain.com.
Escape character is '^]'.

220 mail.domain.com blah-blah ready SMTP
ehlo
250-mail.domain.com blah-blah ready SMTP
250-PIPELINING
250 8BITMIME
If there is correct pem file in control dir EHLO will show STARTTLS support:

$ telnet mail.domain.com 25
Trying mail.domain.com...
Connected to mail.domain.com.
Escape character is '^]'.

220 mail.domain.com blah-blah ready SMTP
ehlo
250-mail.domain.com blah-blah ready SMTP
250-STARTTLS
250-PIPELINING
250 8BITMIME

When a 2048 bit RSA key is provided in /var/qmail/control/rsa2048.pem this key will be used instead of (slow) on-the-fly generation by qmail-smtpd.

Generate DH file:

# openssl genrsa -out /var/qmail/control/rsa2048.pem

That is all. Qmail now is ready for STARTTLS connections. You should see in message source of every mail something like this:

Received: from unknown (HELO mail.superhosting.bg) (195.191.148.117) by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 18 Jul 2017 13:34:05 -0000

You can test if smtp server supports STARTTLS with openssl command line (example is for google.bg mx):

$ openssl s_client -connect google.com.s9a2.psmtp.com:25 -starttls smtp
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = mx.google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGoTCCBYmgAwIBAgIIYOJxdtm1IIIwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTcwNzEyMTIyNjQ1WhcNMTcxMDA0MTE1NzAw
WjBnMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEWMBQGA1UEAwwNbXgu
Z29vZ2xlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKoxfLCz
daupDLdRGgdWDoaRQyGcMBSfAocOmRu1lqUZsyi0lpahF5wwu3p07QUY5TFfGkmh
K3vM8MRwDYsUYicromAsbknZiPjYJyHHrZE/XzmLkcPI+bBHGvE+O+iJDpwvGk3Z
Yfs3/GIBywP+CPUAnDSkPNumvY6A4gWLKzFTVtBCnOFMxD9KMwJvFi3PfLIgavn8
sLlpZZf6RAsZB5zskMpaMvjsl4ta83eTO4MAkAQmBN5xQIXtCHtt6atyIcy1i+sA
PKqtwb4wuAaPLGl90BFdb7F357R4Vb53UThr7k/3yt8kyCwfp0Y9/m3M2Pc5ZWdC
pKvRmwkhhnqB/WECAwEAAaOCA20wggNpMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjCCAjkGA1UdEQSCAjAwggIsgg1teC5nb29nbGUuY29tghdhbHQxLmFz
cG14LmwuZ29vZ2xlLmNvbYIfYWx0MS5nbWFpbC1zbXRwLWluLmwuZ29vZ2xlLmNv
bYIdYWx0MS5nbXItc210cC1pbi5sLmdvb2dsZS5jb22CF2FsdDIuYXNwbXgubC5n
b29nbGUuY29tgh9hbHQyLmdtYWlsLXNtdHAtaW4ubC5nb29nbGUuY29tgh1hbHQy
Lmdtci1zbXRwLWluLmwuZ29vZ2xlLmNvbYIXYWx0My5hc3BteC5sLmdvb2dsZS5j
b22CH2FsdDMuZ21haWwtc210cC1pbi5sLmdvb2dsZS5jb22CHWFsdDMuZ21yLXNt
dHAtaW4ubC5nb29nbGUuY29tghdhbHQ0LmFzcG14LmwuZ29vZ2xlLmNvbYIfYWx0
NC5nbWFpbC1zbXRwLWluLmwuZ29vZ2xlLmNvbYIdYWx0NC5nbXItc210cC1pbi5s
Lmdvb2dsZS5jb22CEmFzcG14LmwuZ29vZ2xlLmNvbYIVYXNwbXgyLmdvb2dsZW1h
aWwuY29tghVhc3BteDMuZ29vZ2xlbWFpbC5jb22CFWFzcG14NC5nb29nbGVtYWls
LmNvbYIVYXNwbXg1Lmdvb2dsZW1haWwuY29tghpnbWFpbC1zbXRwLWluLmwuZ29v
Z2xlLmNvbYIRZ21yLW14Lmdvb2dsZS5jb22CGGdtci1zbXRwLWluLmwuZ29vZ2xl
LmNvbTBoBggrBgEFBQcBAQRcMFowKwYIKwYBBQUHMAKGH2h0dHA6Ly9wa2kuZ29v
Z2xlLmNvbS9HSUFHMi5jcnQwKwYIKwYBBQUHMAGGH2h0dHA6Ly9jbGllbnRzMS5n
b29nbGUuY29tL29jc3AwHQYDVR0OBBYEFI3zlxPuB6qYk5LY0mZT0tGcvNP1MAwG
A1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUSt0GFhu89mi1dvWBtrtiGrpagS8wIQYD
VR0gBBowGDAMBgorBgEEAdZ5AgUBMAgGBmeBDAECAjAwBgNVHR8EKTAnMCWgI6Ah
hh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUA
A4IBAQADKHpAjici5XzZXXaTzfFsOe0Kmib+FI+TECQVS4qBgvZ4hRhG3robiSyR
0RJBadT+swzTu96nE7Np9pAgZ6VT7fapCWnxR9ETslqo237X+6v6Jbuv3/EqHUey
43VGs+10cZPGC5+zZ/hOlizwM5mSjtv/8byp7MFiGEBpIvyub+dLHVh6C3OgRmd3
REC/ta8FmQ2mWieTr/iCoY2+ywwKmvfw/04KaBTosUt9Ah8jtcTIjkK2tUl8ZrCE
/0ezZXGYO+C7CReDLjQWDDdUOPntx7AcjhkPf3V6BhTjWXhwF5Z2EFkFgGbJMOJC
q6hLiGRQPeo3e2OQ5uxk5gY6qO2H
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4598 bytes and written 294 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: 9C4C99B3836290C5DF1F7375390EE4D827601E06A0E05B7BCBA863610722895E
    Session-ID-ctx:
    Master-Key: 92BFA180AE310D72FF0A94F1D56DAF802FB37FB78EAC9EB91D7909949AE53E943A593DCDC314FFB01F923B9EC1906D6B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 00 36 a0 e1 35 64 47 64-26 f7 d9 dc d5 0f cc 03   .6..5dGd&.......
    0010 - 18 b1 15 ed 44 ba 2a 20-01 9c b2 d7 9a d0 f2 07   ....D.* ........
    0020 - 21 7c 03 a0 13 b8 ec 5d-d4 a5 6d 44 48 db d3 02   !|.....]..mDH...
    0030 - ef 3e d5 64 80 b6 a6 e2-dd 1a 74 15 b0 9d e8 d2   .>.d......t.....
    0040 - d0 da 18 4a a1 86 40 df-4a 8f 53 41 1c 85 20 08   ...J..@.J.SA.. .
    0050 - b5 f9 c3 3c 8a b9 99 c9-a2 9c df 8b f4 02 34 65   ...<..........4e
    0060 - 28 4e 30 71 fe c7 7b b1-cc ee 21 32 c5 c9 77 f2   (N0q..{...!2..w.
    0070 - 7e 6d 6d fe f2 5c 1e fb-bf 12 23 8c 08 18 c3 46   ~mm..\....#....F
    0080 - 15 40 7a 16 3a d1 48 24-06 f5 84 fa b9 4e eb c3   .@z.:.H$.....N..
    0090 - 39 d2 22 9b ec 31 10 f9-69 29 0b 9c cb 87 a1 22   9."..1..i)....."
    00a0 - f9 68 58 fa 4e 53 e1 e3-03 e2 44 e2 17 6e 56 d2   .hX.NS....D..nV.
    00b0 - a4 83 b0 a4 7f 7b ca dc-78 7d 51 dd 3d 1c 8f 86   .....{..x}Q.=...
    00c0 - 36 4d 30 47 e6 6e cf 96-fb 96 9a d0 d3 e3 06 a5   6M0G.n..........
    00d0 - 00 60 b0 12 97 e9 a3 de-28 cf                     .`......(.

    Start Time: 1500646890
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
250 SMTPUTF8

Teach apt-get not to use IPv6 addresses

Create a file in /etc/apt/apt.conf.d/ starting with 90 or higher.
Example /etc/apt/apt.conf.d/90ipv6only

Put inside the following:
Acquire::ForceIPv4 "true"; 
and the do apt-get update.

This works on Debian Jessie/Devuan Jessie.

Tuesday, July 11, 2017

Running JBOSS with Daemontools / Runit

JBOSS is installed in /usr/local/jboss
Jboss user is created for that purpose with home directory = /usr/local/jboss

daemontools/runit run script for jboss server:

#!/bin/sh

# clean the working dirs
/bin/rm -fr /usr/local/jboss/server/app1/work
/bin/rm -fr /usr/local/jboss/server/app1/tmp

JBOSS_HOST="10.10.0.25"

# next lines are fix for cyrillic letters inserted in database
# with AMERICAN_AMERICA.WE8ISO8859P1
NLS_LANG="AMERICAN_AMERICA.WE8ISO8859P1"
export LNS_LANG
LANG="bg_BG"
export LANG

exec /usr/bin/chpst -u jboss:jboss -U jboss:jboss /usr/lib/jvm/java-1.7.0-openjdk-i386/bin/java -Xms512m -Xmx1536m -XX:PermSize=256m -XX:MaxPermSize=512 -XX:+CMSClassUnloadingEnabled -XX:StackShadowPages=20 -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=30 -Djava.net.preferIPv4Stack=true -Djava.endorsed.dirs=/usr/local/jboss/lib/endorsed -classpath /usr/local/jboss/bin/run.jar:/usr/lib/jvm/java-1.7.0-openjdk-i386/lib/tools.jar org.jboss.Main -c app1 -b $JBOSS_HOST

daemontools/runit script for logging:

#!/bin/sh
exec setuidgid jboss /usr/bin/svlogd -tt n35 s511048576 /var/log/jboss-app1

Thursday, January 12, 2017

OpenVPN renew expired CA, revoke certificate and other notes

OpenVPN and OpenSSL notes

View contents of a certificate file:

# openssl x509 -noout -text -in certificate-file.crt

Generate new CA file from expired file (This is not a good practice!!!):

# openssl x509 -in ca.crt -days 4650 -out ca_new.crt -signkey ca.key

Verify crt file agains CA:

# openssl verify newserver.crt -CAFile ca.crt

Revoking certificate:

# . ./vars
# ./revoke-full name_of_cert_file

Result is in "keys/crl.pem". You need to copy it in /etc/openvpn/


Checking contents of crl.pem file:

openssl crl -text -noout -in /etc/openvpn/crl.pem
Regenerate expired CRL file

# openssl ca  -gencrl -keyfile ca.key -cert ca.crt -out new-crl.pem -config ./openssl.cnf

you also need to do this in openssl.cnf if you want to change default expire days (1 month)

default_crl_days= 3650         # how long before next CRL

Thursday, December 1, 2016

Fast way to delete milion files in Linux

Solutions for problem when trying to delete million files and rm command says:
argument too long

1. using combination of find and xargs
# find . -print0 | xargs -0 rm -f
2. using rsync with empty directory (so far the fastest way I've found)
# rsync -a --delete /path/to/empty-directory/ /path/to/dir-to-be-deleted/

Friday, November 20, 2015

Свързване на Samba с Windows Active Directory

Тази статия предполага, че вече имате инсталирана и настроена Microsoft Windows Active Directory и знаете как се работи с нея. Samba е инсталиран върху Oracle Linux Server release 6.5, но би трябвало да работи и за други Linux дистрибуции с минимални промени.

За да може да са активни Windows потребители и групи в Samba са нужни допълнителни настройки на файловата система.

За целта е нужно файловата система да бъде монтирана с допълнителни опции acl и user_xattr. Можем да проверим за default опции при монтиране ето така:

# tune2fs -l /dev/mapper/vg_server-lv_root |grep -i "mount opt"
Default mount options:    user_xattr acl

Ако не са настроени по default, можем да го направим с командата:

# tune2fs -o acl /dev/mapper/vg_server-lv_root
# tune2fs -o user_xattr /dev/mapper/vg_server-lv_root

 За да проверим в момента тази опция дали е активна, използваме следната команда:

# getfacl /
getfacl: Removing leading '/' from absolute path names
# file: .
# owner: root
# group: root
user::r-x
group::r-x
other::r-x
Инсталираме следните пакети: samba, krb5 (Kerberos), OpenLDAP. При Oracle Linux пакетите са както следва:
# rpm -qa|grep krb
pam_krb5-2.3.11-9.el6.x86_64
krb5-libs-1.10.3-15.el6_5.1.x86_64
krb5-libs-1.10.3-15.el6_5.1.i686
krb5-workstation-1.10.3-15.el6_5.1.x86_64

# rpm -qa|grep -i openldap
openldap-2.4.23-34.el6_5.1.i686
openldap-2.4.23-34.el6_5.1.x86_64
# rpm -qa|grep -i samba  
samba-client-3.6.9-169.el6_5.x86_64
samba-common-3.6.9-169.el6_5.x86_64
samba-winbind-clients-3.6.9-169.el6_5.x86_64
samba-3.6.9-169.el6_5.x86_64
samba-winbind-3.6.9-169.el6_5.x86_64
В другите дистрибуции имената на пакетите са аналогични.

Трябва да се уверим, че Samba е компилирана с поддръжка на LDAP, Kerberos, Winbind и Active Directory:
# smbd -b | grep LDAP
HAVE_LDAP_H
HAVE_LDAP
HAVE_LDAP_DOMAIN2HOSTLIST


# smbd -b | grep KRB
HAVE_KRB5_H
HAVE_ADDRTYPE_IN_KRB5_ADDRESS
HAVE_KRB5
# smbd -b | grep ADS
WITH_ADS
WITH_ADS


# smbd -b | grep WINBIND
WITH_WINBIND
WITH_WINBIN
Настройваме и тестваме Kerberos. Нека домейна да се казва HORIZON9.LOCAL и домейн сървъра се намира на адрес ad-dc-01.horizon9.local
Ето как трябва да излгежда /etc/krb5.conf:
[libdefaults]
 default_realm = HORIZON9.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 HORIZON9.LOCAL = {
  kdc = AD-DC-01.HORIZON9.LOCAL
  admin_server = AD-DC-01.HORIZON9.LOCAL
  default_domain = HORIZON9.LOCAL
 }

[domain_realm]
 .horizon9.local = HORIZON9.LOCAL
 horizon9.local = HORIZON9.LOCAL

Тестваме дали работи:
# kinit Administrator@HORIZON9.LOCAL
Password for Administrator@HORIZON9.LOCAL:
#
Ако не покаже никакво съобщение, значи работи както трябва.


Настройките на Samba са както следва за примерен домейн HORIZON9 (/etc/samba/smb.conf):
[global]

 log file = /var/log/samba/log.%m
 max log size = 50
 security = ads
 netbios name = LINUX-SAMBA-AD
 realm = HORIZON9.LOCAL
 workgroup = HORIZON9
 idmap uid = 500-20000000
 idmap gid = 500-20000000
 winbind enum users = yes
 winbind enum groups = yes
 winbind use default domain = yes
 template homedir = /home/%U
 template shell = /bin/bash
 client use spnego = yes
 domain master = no

 vfs objects = acl_xattr
 map acl inherit = yes
 store dos attributes = yes

 username map = /etc/samba/user.map

 [share1]
    path = /home/samba
    comment = Share1
    public = yes
    browsable = yes
    guest ok = yes
    writable = yes
Файлът /etc/samba/user.map трябва да съдържа следното:
!root = HORIZON9\Administrator HORIZON9\Administrator
или който и да е потребител с администраторски права в домейна.
# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- HORIZON9
Joined 'LINUX-SAMBA-AD' to dns domain 'horizon9.local'
No DNS domain configured for linux-samba-ad. Unable to perform DNS Update.
DNS update failed!
#
Грешката при DNS update се поправя, като се добави на ръка запис в Windows DNS-а.

За да имат достъп програмите до новите потребители и групи от домейна, трябва да редактираме /etc/nsswitch.conf

Редовете:
passwd:     files
shadow:     files
group:      files
ги заменяме с:
passwd:     compat winbind
shadow:     files
group:      compat winbind
Рестартираме winbind и samba:
# service winbind restart
# service smb restart 
Добавяме групата 'Domain Admins' към ACL на файловата система, където ще се намират споделените директории (примерно /home/samba):
# setfacl -Rm g:'Domain Admins':rwx /home/samba
# chown -R nobody:"domain admins" /home/samba
Ако някоя от тези команди ви дава грешка, че не може да намери такава група, най-вероятно е да не се виждат потребителите/групите от домейна. Може да проверите дали потребителите и групите се виждат с помощта на следната команда:
# wbinfo -g
# wbinfo -u
Добавяме winbind в методите за автентикация в /etc/pam.d/. В Oracle Linux това се прави с командата authconfig-tui (за конзола) или authconfig-gtk (графичен интерфейс). Ето промените, които прави authconfig-tui:
# grep -nri winb /etc/pam.d/
/etc/pam.d/system-auth-ac:7:auth        sufficient    pam_winbind.so use_first_pass
/etc/pam.d/system-auth-ac:12:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/system-auth-ac:17:password    sufficient    pam_winbind.so use_authtok
/etc/pam.d/smartcard-auth-ac:10:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/password-auth-ac:7:auth        sufficient    pam_winbind.so use_first_pass
/etc/pam.d/password-auth-ac:12:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/password-auth-ac:17:password    sufficient    pam_winbind.so use_authtok
/etc/pam.d/smartcard-auth:10:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/fingerprint-auth-ac:10:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/fingerprint-auth:10:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/system-auth:7:auth        sufficient    pam_winbind.so use_first_pass
/etc/pam.d/system-auth:12:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/system-auth:17:password    sufficient    pam_winbind.so use_authtok
/etc/pam.d/password-auth:7:auth        sufficient    pam_winbind.so use_first_pass
/etc/pam.d/password-auth:12:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
/etc/pam.d/password-auth:17:password    sufficient    pam_winbind.so use_authtok
Ако всичко е наред, можете вече да си раздавате права за samba shares от windows машина. След като сте раздали права от Windows машината, може да проверите дали всичко е наред със споделената директория (/home/samba):
# getfacl /home/samba
getfacl: Removing leading '/' from absolute path names
# file: home/samba
# owner: administrator
# group: domain\040admins
user::rwx
user:root:rwx
user:nobody:rwx
group::rwx
group:domain\040users:r-x
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:domain\040users:r-x
default:group:domain\040admins:rwx
default:mask::rwx
default:other::r-x
Тук се виждат и добавените права за достъп от АD потребители и групи.

Забележка:

Навсякъде, където има нужда да се пише домейн или име на хост, пишете го с ГЛАВНИ БУКВИ. Samba е капризна и понякога нещата не се получават, защото нещо е написано с малки букви.

Ако искате да разрешите потребител guest за да могат компютри извън домейна да имат достъп до samba share, е нужно да добавите следното в /etc/samba/user.map :
!root = HORIZON9\guest HORIZON9\guest
От компютъра, който не е в домейна, при опит за достъпване на samba share ще ви поиска потребител и парола. Пишете за потребител: HORIZON9\guest без да въвеждате парола, и вече имате достъп до този share.

Wednesday, May 13, 2015

Qmail on OpenBSD 5.7 qmail-queue problem.

OpenBSD 5.7 default install with netqmail-1.06 installation.

The problem: When you try to send mail the qmail server returns the following error:
geroy@newsrv:~$ telnet localhost 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 mx1.polycomp.bg ESMTP
helo
250 mx1.polycomp.bg
mail from: test@mail.bg
250 ok
rcpt to: testovacc@gmail.com
250 ok
data
354 go ahead
test test 1 2 3
.
451 qq trouble creating files in queue (#4.3.0)
The solution: Default installation of OpenBSD 5.7 makes /var directory mounted with nosuid option. Remove it from /etc/fstab and then reboot.
# cat /etc/fstab
f292a8d8eba5b8dc.b none swap sw
f292a8d8eba5b8dc.a / ffs rw 1 1
f292a8d8eba5b8dc.k /home ffs rw,nodev,nosuid 1 2
f292a8d8eba5b8dc.d /tmp ffs rw,nodev,nosuid 1 2
f292a8d8eba5b8dc.f /usr ffs rw,nodev 1 2
f292a8d8eba5b8dc.g /usr/X11R6 ffs rw,nodev 1 2
f292a8d8eba5b8dc.h /usr/local ffs rw,nodev 1 2
f292a8d8eba5b8dc.j /usr/obj ffs rw,nodev,nosuid 1 2
f292a8d8eba5b8dc.i /usr/src ffs rw,nodev,nosuid 1 2
f292a8d8eba5b8dc.e /var ffs rw,nodev,nosuid 1 2
remove nosuid to look like this:
f292a8d8eba5b8dc.e /var ffs rw,nodev 1 2
Save and reboot.