Re: [qmailtoaster] qq soft reject with Centos 7

Tue, 02 May 2017 07:31:49 -0700 

Hi Eric:
- The simscan SA pass operates as an initial filter deleting all emails with a score higher than 12 ( the assumption is that with a threshold that high it would be unlikely to have a false negative). In the case where one message might be forwarded to several email accounts this would be more efficient then having maildrop run SA separately for each account. 


- For messages with a score less than 12 then we let maildrop calculate 
the score and compare to each email account's custom threshold, custom 
white and black list and determine if the message should be transferred 
to the 'spam' account.


There's probably a better way to do this.

Jeff


On 5/2/2017 12:32 AM, Eric Broch wrote:


Also,


If SA scans on messages in simscan why are they also being scanned in 
maildrop?





On 5/1/2017 10:27 PM, Eric Broch wrote:


I wonder if you have a permissions issue somewhere?


You could now change /var/qmail/supervise/smtp/run script to debug 
simscan by adding the following settings


SIMSCAN_DEBUG=5
export SIMSCAN_DEBUG

and in tcp.smtp change

QMAILQUEUE=/var/qmail/bin/simscan

and in simcontrol change to

:clam=no, spam=no

and qmailctl stop/cdb/start

and see what the log produces.

You should (hopefully) see the reason for the failure.


On 5/1/2017 8:59 PM, Jeff Koch wrote:

Hi Eric:

Here are the results of this tests. See below:

On 4/30/2017 1:08 AM, Eric Broch wrote:


Also,


My plan was that you would change things a step at a time (and 
check between steps whether qq soft rejects persisted) in this order:



Step 1) Increase softlimit in smtp run file (stop/start/cdb qmail) 
to 128000000



No effect - still seeing spamdyke DENIED_OTHER - 
451_mail_server_temporarily_rejected_message_(#4.3.0)


Step 2) Change /var/qmail/control/simcontrol settings from

:clam=yes,spam=yes,spam_hits=12,attach=.mp3:.src:.bat:.pif

to

:clam=no,spam=no

this stops clamd, spamc, and ripmime.

stop/start/cdb qmail.


No effect - 451_mail_server_temporarily_rejected_message_(#4.3.0)



Step 3) Revert /var/qmail/control/simcontrol settings and change 
/etc/tcprules.d/tcp.smtp


QMAILQUEUE="/var/qmail/bin/simscan"

to

QMAILQUEUE="/var/qmail/bin/qmail-queue.orig"

stop/start/cdb qmail.


So far it looks good. I've let the server run for 20 minutes and I 
don't see any 'DENIED_OTHER' or 451's nor do we see any qq soft 
rejects in /var/qmail/log/smtp/current.



It is interesting that spamd seems to be running. That is probably 
because we use 'spamc' in a maildrop filter that also develops a 
spamassassin score prior to dropping the message into the user's 
mailbox. If the score is over the threshold the filter diverts the 
message to the domain's spam user's mailbox. I'm also now getting 
detailed spam analysis information in the /var/log/maillog. I wasn't 
seeing that before.



I should point out that this is the same procedure and setup we've 
used successfully for almost ten years with Bill's Toaster. With the 
Bill's Toaster setup the spamassassin logs were logged separately at 
/var/log/spamd/. Is it possible that two instances of spamassassin 
are conflicting with each other



The issue does seem to be related to simscan - even with spam and 
clam disabled in simscan we were getting 451 rejects / DENIED_OTHER


Please let me know what you think.

Jeff



Once we get this stop we can start adding things in one at a time 
with simscan in debug mode to find out where the problem is.


Eric




On 4/29/2017 10:26 PM, Eric Broch wrote:


Sorry, Jeff,

change

QMAILQUEUE="/var/qmail/bin/qmail-queue


QMAILQUEUE="/var/qmail/bin/qmail-queue.orig


qmail-queue is a link to qmail-dk so use qmail-queue.orig

Eric


On 4/29/2017 10:01 PM, Jeff Koch wrote:

Hi Eric:

no indication of segfaults in /var/log/messages or dmesg
softlimit is set at 100000000  (100MB)

changed clam and spam to 'no' and did qmailctl stop, cdb, start
changed

This was the contents of tcp.smtp:

:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="100",CHKUSER_WRONGRCPTLIMIT="10",NOP0FCHECK="1",QMAILQUEUE="/var/qmail/bin/simscan",DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKVERIFY="DEGIJKfh",DKSIGN="/var/qmail/control/domainkeys/%/private"

changed to:

:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="100",CHKUSER_WRONGRCPTLIMIT="10",NOP0FCHECK="1",QMAILQUEUE="/var/qmail/bin/qmail-queue",DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKVERIFY="DEGIJKfh",DKSIGN="/var/qmail/control/domainkeys/%/private"

and then did qmailctl stop, cdb, start

Now the /var/log/maillog is showing many:


DENIED_OTHER from: 
cap21-return-27-contabilidad=idfimportadora....@capexxxx.info to: 
contabxx...@idfimpoxxxx.com origin_ip: 98.130.1.xx8 origin_rdns: 
mail1103.opentransfer.com auth: (unknown) encryption: (none) 
reason: 
554_qmail-dk:_Cannot_sign_message_due_to_invalid_message_syntax._(#5.3.0)


and /var/log/qmail/smtp


qmail-smtpd: qq hard reject (qmail-dk: Cannot sign message due to 
invalid message syntax. (#5.3.0)): 
MAILFROM:<323792861003aa0d40b02-b17119-1eec421bc9e947029e3ec865f716e...@mg.mailer.cxxxxtickets.com> 
RCPTTO:rodx...@brxxx.com.ec



This seems weird. Not sure why the server would be trying to sign 
a message that is coming to a local recipient. I could see it 
signing a message being sent or relayed but not received for a 
local recipient


Jeff


On 4/29/2017 2:02 PM, Eric Broch wrote:


Jeff,

In summary...


DENIED_OTHER: The connection was rejected by qmail (or another 
downstream filter), not spamdyke.|REASON| will contain the 
rejection message given by qmail (or other downstream filter).


REASON: 451_mail_server_temporarily_rejected_message_(#4.3.0).

Check /var/log/messages for segfault

Check /var/qmail/supervise/smtp/run softlimit

Try this:

Edit /var/qmail/control/simcontrol and set the following to 'no'

:clam=no,spam=no

# qmailctl stop

# qmailctl cdb

# qmailctl start

Let me know.

If that doesn't work edit /etc/tcprules.d/tcp.smtp

change

QMAILQUEUE="/var/qmail/bin/simscan"

to

QMAILQUEUE="/var/qmail/bin/qmail-queue"


Eric



On 4/29/2017 11:23 AM, Jeff Koch wrote:

Hi Erin:


Thanks, we found the tcp.smtp file at /etc/trcrules.d and 
pointed spamdyke there. So that's fixed.



We also pointed the certificate file to 
/var/qmail/control/servercert.pem and cleared those errors.



However, we are still seeing qq soft rejects in 
/var/log/qmail/smtp/current. They seem to be related to the 
matching spamdyke log entries in /var/log/maillog. Example:



Apr 29 11:05:46 server clamd[661]: 
/var/qmail/simscan/1493481946.217350.3912/msg.1493481946.217350.3912: 


OK

Apr 29 11:05:46 server clamd[661]: 
/var/qmail/simscan/1493481946.217350.3912/addr.1493481946.217350.3912:

 OK

Apr 29 11:05:46 server clamd[661]: 
/var/qmail/simscan/1493481946.217350.3912/textfile1: OK
Apr 29 11:05:46 server clamd[661]: 
/var/qmail/simscan/1493481946.217350.3912/2c7fdfebf8050265e8b51bd3c2ea

58f0: OK

Apr 29 11:05:46 server spamdyke[3905]: DENIED_OTHER from: 
xxxx....@pokemailing.com to: yyyy.yyy@idfim
portadora.com origin_ip: 67.211.215.94 origin_rdns: 
km61.pokemailing.com auth: (unknown) encryption: (no

ne) reason: 451_mail_server_temporarily_rejected_message_(#4.3.0)


I put the clamd log entries above so you could that clamd 
passed the message OK.  However does anybody know what 'DENIED 
OTHER" means or figure out from the message why spamdyke 
rejected the message?



Jeff Koch


On 4/29/2017 1:18 AM, Eric Broch wrote:

Hi Jeff,


Do you know why spamdyke would be looking in 
/home/vpopmail/etc for anything ? I've never heard of this 
before.



Spamdyke's configuration directory is a link in /etc: 
/etc/spamdyke -> ../opt/spamdyke/etc.



Here's my spamdyke configuration: 'cat 
/etc/spamdyke/spamdyke.conf'


<spamdyke.conf>

#dns-blacklist-entry=zombie.dnsbl.sorbs.net
#dns-blacklist-entry=dul.dnsbl.sorbs.net
#dns-blacklist-entry=bogons.cymru.com
dns-blacklist-entry=zen.spamhaus.org
dns-blacklist-entry=bl.spamcop.net
graylist-dir=/var/spamdyke/graylist
graylist-level=none
graylist-max-secs=2678400
graylist-min-secs=180
greeting-delay-secs=2
header-blacklist-entry=From:*>,*<*
idle-timeout-secs=60
ip-blacklist-file=/etc/spamdyke/blacklist_ip

ip-in-rdns-keyword-blacklist-file=/etc/spamdyke/blacklist_keywords 

ip-in-rdns-keyword-whitelist-file=/etc/spamdyke/whitelist_keywords 


ip-whitelist-file=/etc/spamdyke/whitelist_ip
qmail-rcpthosts-file=/var/qmail/control/rcpthosts
#qmail-rcpthosts-file=/var/qmail/control/qmail-morercpthosts-cdb
log-level=info
max-recipients=50
#policy-url=http://my.policy.explanation.url/
rdns-blacklist-file=/etc/spamdyke/blacklist_rdns
rdns-whitelist-file=/etc/spamdyke/whitelist_rdns
recipient-blacklist-file=/etc/spamdyke/blacklist_recipients
recipient-whitelist-file=/etc/spamdyke/whitelist_recipients
reject-empty-rdns
#reject-ip-in-cc-rdns
reject-sender=no-mx
reject-unresolvable-rdns
sender-blacklist-file=/etc/spamdyke/blacklist_senders
sender-whitelist-file=/etc/spamdyke/whitelist_senders
tls-certificate-file=/var/qmail/control/servercert.pem
tls-level=smtp

</spamdyke.conf>

And, how did you make your certificate and where did you put it?

Let me know if that helps.

Eric


On 4/28/2017 6:26 PM, Jeff Koch wrote:

Apr 28 09:52:29 server spamdyke[20476]: ERROR: unable to open 
file for searching /home/vpopmail/etc/open-smtp: No such file 
or directory
Apr 28 09:52:32 server spamdyke[20476]: ERROR: unable to load 
or decrypt SSL/TLS private key from file: 
/home/vpopmail/spamdyke/server_domain_net.key : A protocol or 
library failure occurred, 
error:0B080074:lib(11):func(128):reason(116)
Apr 28 09:52:32 server spamdyke[20476]: ERROR: incorrect 
SSL/TLS private key password or SSL/TLS 
certificate/privatekey 
mismatch/home/vpopmail/spamdyke/server_domain_net.key : A 
protocol or library failure occurred, 
error:140A80B1:lib(20):func(168):reason(177)






--
Eric Broch
White Horse Technical Consulting (WHTC)




--
Eric Broch
White Horse Technical Consulting (WHTC)


--
Eric Broch
White Horse Technical Consulting (WHTC)

































					Reply via email to