[spamdyke-users] No TLS with openssl elliptic curve cipher suites / pfs perfect forward secrecy

2013-09-07 Thread Marc Gregel
Hi :-)

These days where the NSA is watching us I decided to make my server as
secure as possible.
For qmail it means to use TLS with strong encryption - openssl with -ciphers EDHS:DE for example.

The original QMAIL without spamdyke works fine:
openssl s_client -starttls smtp -connect localhost:25
shows me this:
Protocol  : TLSv1.2
Cipher: DHE-RSA-AES256-GCM-SHA384
Great!

Now I enable spamdyke and test it again...
Protocol  : TLSv1.2
Cipher: AES256-GCM-SHA384

Ok, not that good... maybe just a wrong cipher list? So I specified it a
little bit more (works fine with qmail only):
openssl s_client -starttls smtp -connect localhost:25 -cipher 'DH'

Oops, an error:
CONNECTED(0003)
139820346807976:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
alert handshake failure:s23_clnt.c:741:

I already tried to add dhparam to the qmail servercert
(mentioned here
http://permalink.gmane.org/gmane.mail.spam.spamdyke.user/3226 )
but that didnt't change anything...


I also tested with tls-cipher-list param at the conf file - same error.
And at the maillog this:
A protocol or library failure occurred, error:140E6118:lib(20):func(230):reason(280)

Is it possible that there's a bug in spamdyke with strong encryption?

Thanks for your help,
Marc
___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users


Re: [spamdyke-users] No TLS with openssl elliptic curve cipher suites / pfs perfect forward secrecy

2013-09-09 Thread Marc Gregel
Hi Sam,

is it possible that the problem is because of missing DH keys?
I think (!) spamdyke doesn't use or call something like this here:
http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html - read the
'notes' part
so cipher with EDHE:DE won't work.

My server/openssl is fine because the original qmail-tls works with cipher
EDHE_DH! So the problem is the TLS handling of spamdyke?!


2013/9/8 Sam Clippinger s...@silence.org

 Hmmm... I think you may be beyond the edge of my expertise, but I'll
 certainly try to help if I can.  spamdyke uses the OpenSSL library to
 handle SSL and TLS, so anything that works with OpenSSL on the command line
 should work with spamdyke as well.  The option tls-cipher-list serves the
 same function as the -cipher option to openssl.  spamdyke just takes
 the text it's given and passes it to the SSL_CTX_set_cipher_list() function
 in the OpenSSL library before the connection is established.  The ciphers
 you give should be ones listed when you run openssl ciphers from the
 command line, I'm not sure how it handles abbreviations.

 It's possible the problem is actually within openssl's SMTP client.  If
 it's not starting the SMTP connection and asking for TLS correctly, the
 client could be sending encrypted text while the server is still in
 plaintext mode or vice-versa.  That would yield some strange error messages
 on both sides.

 I think I would suggest configuring spamdyke on port 465 with tls-level
 set to smtps and the tls-cipher-list option set to your specific
 ciphers.  Then use this command to connect and test (substitute your
 ciphers as appropriate):
 openssl s_client -quiet -cipher EXP-RC4-MD5 -connect localhost:465
 If it connects and you see the 220 greeting banner, it's working.  If
 you see an alert handshake failure, you've probably selected a cipher the
 server doesn't support.

 -- Sam Clippinger




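Sam's description above (tls-cipher-list is handed straight to SSL_CTX_set_cipher_list(), and an alert handshake failure from s_client means the server could not use any suite the client offered) and Marc's two s_client runs suggest a quick way to tell whether the suite a mail server negotiated actually gives forward secrecy. The Python script below is an added example written for this page, not code from spamdyke or from either poster. It parses `openssl ciphers -v` output to learn each suite's key exchange (Kx=DH or Kx=ECDH means ephemeral, Kx=RSA means static RSA and no forward secrecy), pulls the negotiated suite out of `openssl s_client` output, and lists the Kx=DH suites, which a server can only offer once it has DH parameters loaded. The cipher table and the s_client fragments are constructed inline so the script runs offline; on a real server you would feed it the output of `openssl ciphers -v` and of `openssl s_client -starttls smtp -connect host:25`.

```python
import re

# Constructed sample of `openssl ciphers -v` output (OpenSSL 1.0.x layout:
# name, protocol, Kx=, Au=, Enc=, Mac=); not taken from the page.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
"""

# Constructed `openssl s_client` fragments: the two results Marc reports
# (qmail alone vs. spamdyke in front of it) and the total-failure case.
S_CLIENT_QMAIL_ONLY = "Protocol  : TLSv1.2\nCipher    : DHE-RSA-AES256-GCM-SHA384\n"
S_CLIENT_SPAMDYKE = "Protocol  : TLSv1.2\nCipher    : AES256-GCM-SHA384\n"
S_CLIENT_FAILED = "New, (NONE), Cipher is (NONE)\n"

_CIPHERS_V_RE = re.compile(r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)")


def parse_ciphers_v(text):
    """Map suite name -> key-exchange field from `openssl ciphers -v` output."""
    table = {}
    for line in text.splitlines():
        m = _CIPHERS_V_RE.match(line.strip())
        if m:
            table[m.group("name")] = m.group("kx")
    return table


def kx_gives_pfs(kx):
    """Ephemeral (EC)DH key exchange gives forward secrecy; static RSA does not.
    A size qualifier such as RSA(512) or DH(512) is stripped before comparing."""
    return kx.split("(")[0] in ("DH", "ECDH")


def negotiated_cipher(s_client_output):
    """Pull the negotiated suite out of `openssl s_client` output; None if absent."""
    for line in s_client_output.splitlines():
        m = re.match(r"^\s*Cipher\s*:\s*(\S+)", line) or re.match(r"^New, .*Cipher is (\S+)", line)
        if m:
            return m.group(1)
    return None


def check_pfs(s_client_output, ciphers_v_text):
    """Return (suite, has_forward_secrecy) for one s_client run."""
    suite = negotiated_cipher(s_client_output)
    if suite is None or suite == "(NONE)":
        return suite, False
    kx = parse_ciphers_v(ciphers_v_text).get(suite)
    if kx is None:
        # Suite not in the table: fall back on OpenSSL's naming for ephemeral suites.
        return suite, suite.startswith(("DHE-", "ECDHE-", "EDH-", "EECDH-"))
    return suite, kx_gives_pfs(kx)


def dh_suites_needing_params(ciphers_v_text):
    """Kx=DH suites: a server can only offer these after loading DH parameters
    (SSL_CTX_set_tmp_dh or the callback Marc points to)."""
    return sorted(s for s, kx in parse_ciphers_v(ciphers_v_text).items() if kx.split("(")[0] == "DH")


if __name__ == "__main__":
    for label, out in (("qmail only", S_CLIENT_QMAIL_ONLY), ("spamdyke", S_CLIENT_SPAMDYKE), ("-cipher DH", S_CLIENT_FAILED)):
        print(label, check_pfs(out, SAMPLE_CIPHERS_V))
    print("need DH params:", dh_suites_needing_params(SAMPLE_CIPHERS_V))
```

The second result is the one Marc saw with spamdyke in front of qmail: a static-RSA suite, so no forward secrecy, because the DHE suites were unusable without DH parameters. Restricting the client to -cipher 'DH' then leaves nothing in common, which is the alert handshake failure he reports.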


Re: [spamdyke-users] No TLS with openssl elliptic curve cipher suites / pfs perfect forward secrecy

2013-09-10 Thread Marc Gregel
Looking forward to the Update :-)


2013/9/10 Sam Clippinger s...@silence.org

 I think you're exactly right -- I'll need to add another TLS option to
 spamdyke to accept the DH parameters and pass them to OpenSSL with the
 callback.  I'll have to figure out how to test it as well...

 Thanks for finding that link, I don't think I would have even looked at a
 function with tmp in its name!

 -- Sam Clippinger






Re: [spamdyke-users] So close and yet so far...

2013-10-22 Thread Marc Gregel
I'm also running qmail with Plesk and made a quick check:
exactly the same settings as @Arne wrote above!


2013/10/21 Sam Clippinger s...@silence.org

 I have some good news and some bad news...

 The good news: spamdyke version 5.0.0 is done, tested and ready.  The
 biggest new feature is recipient validation -- spamdyke uses qmail's
 configuration files and duplicates qmail's logic to determine if an address
 is valid, so there's no need to maintain a separate file of valid
 addresses.  The testing has taken forever to finish, but it's finally done!

 The bad news: the recipient validation feature doesn't work, at least not
 for me.  Imagine my chagrin when I tried to install it on my own server and
 every incoming message was rejected.  I ran all of my unit tests as root,
 but in the real world spamdyke runs as non-root.  qmail is very modular,
 which means the configuration files are owned by different user(s) than the
 mail folders, which means no one non-root user has access to all of the
 files needed to validate an address.  I tried changing the permissions on
 folders to allow access, but qmail will only queue messages and won't
 deliver them when the permissions are too loose.  Running spamdyke as root
 would work, but I'm just not comfortable recommending that as a solution.

 So, as soon as I finish wiping the egg off my face, I have another
 solution in mind that should be pretty easy to implement.  But first I need
 a little help.  I'd like to know how the file ownership and permissions are
 setup on different qmail servers.  My own server was installed using the
 instructions from lifewithqmail.org and only root can see all the
 necessary files for recipient validation.  However, that may not be true
 for other installations.  So if a few of you are willing, could you send me
 an email to let me know:
 How your server was installed (QmailToaster, Plesk, lifewithqmail.org,
 qmailrocks.org, etc)?
 In your /var/qmail/users/assign file, what UID and GID are given in fields
 3 & 4 and what username and group name do those map to?
 The 5th field in /var/qmail/users/assign gives a folder path.  What user
 and group owns those folders and what permissions are set on those folders
 (and the subfolders)?
 There should be a system user named alias on your server.  What
 permissions are set on that user's home folder and the .qmail files found
 there?

 Thanks so much (in advance) for your help!  I was really really looking
 forward to posting the new version today and I'm very disappointed I can't
 do that.  Needless to say, I'll be working on fixing this issue as quickly
 as I can so I can roll out the new version ASAP.

 -- Sam Clippinger





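The survey Sam asks for above (fields 3 and 4 of /var/qmail/users/assign, the directory in field 5, and who owns it) can be collected with a short script rather than by hand. The Python below is an added example, not part of spamdyke or of qmail. It parses the assign file format (entries beginning with = or +, colon-separated fields, a line holding a single . ending the file), reports the uid/gid and home directory of each entry, and stats each directory to show its owner and mode, flagging directories that a process running as neither root nor the owner could not read, which is the situation Sam describes. The sample assign entries and the fake directory ownership used by demo() are constructed for the example; on a real server run audit_homes(parse_assign(open('/var/qmail/users/assign').read())) to get live results.

```python
import os
import stat
from collections import namedtuple

Assign = namedtuple("Assign", "kind local user uid gid home dash ext")

# Constructed sample of /var/qmail/users/assign, the file Sam asks about.
# Per qmail-users(5) an entry is "=local:user:uid:gid:homedir:dash:ext:" for
# one address or "+prefix:user:uid:gid:homedir:dash:ext:" for a wildcard, and
# a line holding a single "." ends the file.  The uids, gids and paths here
# are illustrative, not copied from anyone's server.
SAMPLE_ASSIGN = """\
=alias:alias:7790:2108:/var/qmail/alias:::
+example.com-:vpopmail:89:89:/home/vpopmail/domains/example.com:-::
.
"""


def parse_assign(text):
    """Parse users/assign entries up to the '.' terminator."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line == ".":
            break
        if not line or line[0] not in "=+":
            raise ValueError("line %d: not an assign entry: %r" % (lineno, line))
        fields = line[1:].split(":")
        if len(fields) < 7:
            raise ValueError("line %d: expected 7 colon-separated fields" % lineno)
        local, user, uid, gid, home, dash, ext = fields[:7]
        records.append(Assign(line[0], local, user, int(uid), int(gid), home, dash, ext))
    return records


def audit_homes(records, stat_fn=os.stat):
    """Survey fields 3, 4 and 5: who owns each home directory, its mode, and
    whether anyone other than root and the owner could read it.  A missing
    directory is reported, not raised, since this is a survey."""
    report = []
    for r in records:
        try:
            st = stat_fn(r.home)
        except OSError:
            report.append({"local": r.local, "home": r.home, "exists": False})
            continue
        report.append({
            "local": r.local, "home": r.home, "exists": True,
            "assign_uid": r.uid, "assign_gid": r.gid,
            "owner_uid": st.st_uid, "owner_gid": st.st_gid,
            "mode": stat.filemode(st.st_mode),
            "owner_matches_assign": st.st_uid == r.uid and st.st_gid == r.gid,
            "readable_by_others": bool(st.st_mode & (stat.S_IRGRP | stat.S_IROTH)),
        })
    return report


class _FakeStat:
    """Stand-in for os.stat_result so demo() runs without the real directories."""
    def __init__(self, uid, gid, mode):
        self.st_uid, self.st_gid, self.st_mode = uid, gid, mode


# Constructed ownership for the sample entries; the vpopmail path is left out
# on purpose to show how a missing directory is reported.
_DEMO_FS = {"/var/qmail/alias": _FakeStat(7790, 2108, stat.S_IFDIR | 0o700)}


def demo():
    def fake_stat(path):
        if path not in _DEMO_FS:
            raise OSError("no such directory: " + path)
        return _DEMO_FS[path]
    return audit_homes(parse_assign(SAMPLE_ASSIGN), stat_fn=fake_stat)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The stat function is injectable so the survey logic can be exercised without the real tree; the demo shows a 0700 alias directory owned by the assign uid/gid, which is exactly the case where a non-root spamdyke cannot read the .qmail files.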


[spamdyke-users] No TLS with 5.0.0

2014-02-03 Thread Marc Gregel
Hi there,

after upgrading from 4.3.1 to 5.0.0 I can't use TLS anymore:
(TLS-LEVEL=SMTP)

No idea where to start the debug, because when I switch back to 4.3.1
everything works fine again.
I tried the Version with MYSQL from @Haggy too - same problem, same error.

That's the output:
openssl s_client -starttls smtp -connect localhost:25
CONNECTED(0003)
didn't found starttls in server response, try anyway...
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 369 bytes and written 354 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Any idea anyone?


Re: [spamdyke-users] New version: spamdyke MySQL 5.0.0

2014-02-03 Thread Marc Gregel
I had the same problem...
tar -xzvf spamdyke-mysql.tgz
gzip: stdin: not in gzip format

As workaround I unzipped the whole stuff on my windows machine with 7zip,
then uploaded it again.




2014-02-04 Arne.Metzger mo...@foni.net:

 Hi,

 I get an error when I try to expand the tarfile from

 http://www.haggybear.de/download/spamdyke-mysql.tgz

 Any hints?

 Regards,
 Arne

 On 03.02.2014 18:55, Haggy wrote:
  Thanks a lot Sam for your great, great work!!!
 
  Based on Sams work the MySQL Version of 5.0.0 has been released:
 
  http://haggybear.de/de/spamdyke-mit-mysql-logging
 
 
  Bye
  Haggy
 
 
 


Re: [spamdyke-users] No TLS with 5.0.0

2014-02-04 Thread Marc Gregel
Gz... after like one million hours I found the error - telnet is my new
friend.
I will blame @HAGGY for the error:

===
telnet localhost 465
...
ERROR(process_config_file()@configuration.c:4430): Unknown configuration
file option in file /etc/spamdyke.conf on line 625: local-domains-file
Connection closed by foreign host.
===

The option local-domains-file came with the MySQL-Version... not sure what
it really does?! @Haggy???




2014-02-04 Sam Clippinger s...@silence.org:

 I'm not sure... are you getting any errors from spamdyke in the server's
 mail log?  Also, if you run spamdyke -v on the server, does the version
 number show +TLS?  Could you post your spamdyke config file?  Does
 anything different happen if you try the same test from a different host
 (e.g. so it's not localhost:25 but mail.domain.com:25)?

 It works fine on my server on both port 25 (TLS) and port 465 (SSL), not
 that that helps. :)

 -- Sam Clippinger






Re: [spamdyke-users] New version: spamdyke MySQL 5.0.0

2014-02-04 Thread Marc Gregel
Haggy,
can you take a look to this error here:
https://www.mail-archive.com/spamdyke-users@spamdyke.org/msg03991.html
THX :-)




Re: [spamdyke-users] No TLS with openssl elliptic curve cipher suites / pfs perfect forward secrecy

2014-02-05 Thread Marc Gregel
Just for the records:
With Version 5.0.0 and the new option tls-dhparams-file everything works
great, TLS uses the strong cipher suites now!
Thank you :-)




Re: [spamdyke-users] SMTP Auth Problem

2014-03-18 Thread Marc Gregel
Arne, maybe you can try to set
log-level=debug
and watch the mail log for useful info...


2014-03-18 10:02 GMT+01:00 Arne.Metzger mo...@foni.net:

 Ok, problem must be spamdyke. I removed spamdyke from smtp_psa and
 smtps_psa and auth works fine.

 So, where is my misconfiguration?

 On 18.03.2014 08:25, Arne.Metzger wrote:
  Hi Folks,
 
  no hints? I am still confused about this issue, since all worked perfect
  since Monday...
 
  On 17.03.2014 15:54, Arne.Metzger wrote:
  Here are my config files, I use two spamdyke configs, one for TLS and one
  for non-TLS
 
  spamdyke5tls.conf
  #general
  log-level=verbose
  qmail-rcpthosts-file=/var/qmail/control/rcpthosts
  tls-certificate-file=/var/qmail/control/servercert.pem
  max-recipients=20
  idle-timeout-secs=100
  greeting-delay-secs=5
  smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true
  /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
  smtp-auth-level=ondemand
  tls-level=smtps
  filter-level=normal
  config-dir=/var/qmail/spamdyke/config.d
  policy-url=http://www.shjjv.de/Spamfilter.547.0.html
  recipient-validation-command=/usr/local/bin/spamdyke5-qrv
 
  #blacklist, whitelist
  ip-blacklist-file=/var/qmail/spamdyke/blacklist_ip
  ip-whitelist-file=/var/qmail/spamdyke/whitelist_ip
  sender-blacklist-file=/var/qmail/spamdyke/blacklist_senders
  recipient-blacklist-file=/var/qmail/spamdyke/blacklist_recipients
  sender-whitelist-file=/var/qmail/spamdyke/whitelist_sender
  rdns-blacklist-file=/var/qmail/spamdyke/blacklist_rdns
  rdns-whitelist-file=/var/qmail/spamdyke/whitelist_rdns
  header-blacklist-file=/var/qmail/spamdyke/blacklist_headers
 
  #graylist
  graylist-dir=/var/qmail/spamdyke/graylist
  graylist-level=always-create-dir
  graylist-min-secs=300
  graylist-max-secs=604800
  graylist-exception-ip-file=/var/qmail/spamdyke/graylist-exception-ip
  graylist-exception-rdns-file=/var/qmail/spamdyke/graylist-exception-rdns
 
  #rdns
  ip-in-rdns-keyword-blacklist-file=/var/qmail/spamdyke/blacklist_keywords
  #reject-missing-sender-mx
  reject-sender=no-mx
  #reject-sender=not-local
  #reject-sender=authentication-domain-mismatch
  reject-empty-rdns
  reject-unresolvable-rdns
  reject-ip-in-cc-rdns
  #reject-identical-sender-recipient
  reject-recipient=same-as-sender
  reject-recipient=invalid
 
  #dns
  dns-blacklist-file=/var/qmail/spamdyke/blacklist_rbl
  #dns-blacklist-entry=ix.dnsbl.manitu.net
  #dns-blacklist-entry=zen.spamhaus.org
  #dns-blacklist-entry=dnsbl-1.uceprotect.net
  #dns-blacklist-entry=bl.spamcannibal.org
  #dns-blacklist-entry=bl.spamcop.net
  #dns-blacklist-entry=no-more-funn.moenstedt.dk
  #dns-whitelist-entry=list.dnswl.org
 
  config-mysql-database=spamdyke
  config-mysql-username=spamdyke
  config-mysql-password=spamdyke
 
 
  spamdyke5.conf
  #general
  log-level=verbose
  qmail-rcpthosts-file=/var/qmail/control/rcpthosts
  tls-certificate-file=/var/qmail/control/servercert.pem
  max-recipients=20
  idle-timeout-secs=100
  greeting-delay-secs=5
  smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true
  /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
  smtp-auth-level=ondemand-encrypted
  #tls-level=smtps
  filter-level=normal
  config-dir=/var/qmail/spamdyke/config.d
  policy-url=http://www.shjjv.de/Spamfilter.547.0.html
  recipient-validation-command=/usr/local/bin/spamdyke5-qrv
 
  #blacklist, whitelist
  ip-blacklist-file=/var/qmail/spamdyke/blacklist_ip
  ip-whitelist-file=/var/qmail/spamdyke/whitelist_ip
  sender-blacklist-file=/var/qmail/spamdyke/blacklist_senders
  recipient-blacklist-file=/var/qmail/spamdyke/blacklist_recipients
  sender-whitelist-file=/var/qmail/spamdyke/whitelist_sender
  rdns-blacklist-file=/var/qmail/spamdyke/blacklist_rdns
  rdns-whitelist-file=/var/qmail/spamdyke/whitelist_rdns
  header-blacklist-file=/var/qmail/spamdyke/blacklist_headers
 
  #graylist
  graylist-dir=/var/qmail/spamdyke/graylist
  graylist-level=always-create-dir
  graylist-min-secs=300
  graylist-max-secs=604800
  graylist-exception-ip-file=/var/qmail/spamdyke/graylist-exception-ip
  graylist-exception-rdns-file=/var/qmail/spamdyke/graylist-exception-rdns
 
  #rdns
  ip-in-rdns-keyword-blacklist-file=/var/qmail/spamdyke/blacklist_keywords
  #reject-missing-sender-mx
  reject-sender=no-mx
  #reject-sender=not-local
  reject-sender=authentication-domain-mismatch
  reject-empty-rdns
  reject-unresolvable-rdns
  reject-ip-in-cc-rdns
  #reject-identical-sender-recipient
  reject-recipient=same-as-sender
  reject-recipient=invalid
 
  #dns
  dns-blacklist-file=/var/qmail/spamdyke/blacklist_rbl
  #dns-blacklist-entry=ix.dnsbl.manitu.net
  #dns-blacklist-entry=zen.spamhaus.org
  #dns-blacklist-entry=b.barracudacentral.org
  #dns-blacklist-entry=dnsbl-1.uceprotect.net
  #dns-blacklist-entry=bl.spamcannibal.org
  #dns-blacklist-entry=bl.spamcop.net
  #dns-blacklist-entry=no-more-funn.moenstedt.dk
  #dns-whitelist-entry=list.dnswl.org
 
  config-mysql-database=spamdyke
  config-mysql-username=spamdyke
  

Re: [spamdyke-users] SMTP Auth Problem

2014-03-18 Thread Marc Gregel
Maybe this here, let me quote
http://www.spamdyke.org/documentation/Changelog.txt

NOT BACKWARDS COMPATIBLE: Renamed the option local-domains-file to
qmail-rcpthosts-file.  The naming has always been confusing, since qmail
distinguishes between domains that should be accepted by qmail-smtpd during
SMTP (rcpthosts) and domains that are actually hosted locally with mailboxes
on the local filesystem (locals).  These options have always meant the
former, but now that spamdyke needs to know both lists of domains, it's time
to rename them.  This option is also now allowed in configuration
directories.



2014-03-18 11:30 GMT+01:00 Arne.Metzger mo...@foni.net:

  In the meantime I switched back to 4.3.1, which works like a charm!

 Here is my config for 4.3.1 - what did I do wrong during the update to 5.0.0?

 log-level=verbose
 local-domains-file=/var/qmail/control/rcpthosts

 tls-certificate-file=/var/qmail/control/servercert.pem
 max-recipients=20
 idle-timeout-secs=100
 greeting-delay-secs=5
 smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true
 /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
 smtp-auth-level=ondemand-encrypted
 filter-level=normal
 config-dir=/var/qmail/spamdyke/config.d


 graylist-dir=/var/qmail/spamdyke/graylist
 graylist-level=always-create-dir
 graylist-min-secs=300
 graylist-max-secs=604800
 graylist-exception-ip-file=/var/qmail/spamdyke/graylist-exception-ip
 graylist-exception-rdns-file=/var/qmail/spamdyke/graylist-exception-rdns
 policy-url=http://www.shjjv.de/Spamfilter.547.0.html
 sender-blacklist-file=/var/qmail/spamdyke/blacklist_senders
 recipient-blacklist-file=/var/qmail/spamdyke/blacklist_recipients
 ip-in-rdns-keyword-blacklist-file=/var/qmail/spamdyke/blacklist_keywords
 ip-blacklist-file=/var/qmail/spamdyke/blacklist_ip
 rdns-blacklist-file=/var/qmail/spamdyke/blacklist_rdns
 rdns-whitelist-file=/var/qmail/spamdyke/whitelist_rdns
 ip-whitelist-file=/var/qmail/spamdyke/whitelist_ip
 sender-whitelist-file=/var/qmail/spamdyke/whitelist_sender
 dns-blacklist-entry=ix.dnsbl.manitu.net
 dns-blacklist-entry=zen.spamhaus.org

 reject-missing-sender-mx
 reject-empty-rdns
 reject-unresolvable-rdns
 reject-ip-in-cc-rdns
 reject-identical-sender-recipient


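The rename quoted from the Changelog above is what bit both Marc (the ERROR(...) line he saw over telnet in the earlier thread) and Arne: spamdyke 5.0.0 refuses to start when the old option name is present, so every connection is closed before the 220 banner and both TLS and SMTP AUTH look broken. The Python below is an added example, not code from spamdyke. It parses a spamdyke.conf (option=value lines, bare flags such as reject-empty-rdns, # comments), reports any line that still uses local-domains-file together with its new name, rewrites the file, and interprets the first line a client receives so that an ERROR(...) banner is mapped back to the offending line and option. The sample config is constructed; RENAMED_OPTIONS holds only the one rename the Changelog excerpt documents, and the banner pattern follows the line Marc captured.

```python
import re

# Renames listed in the spamdyke 5.0.0 Changelog as quoted in this thread.
# Only this one is documented there, so only this one is checked.
RENAMED_OPTIONS = {"local-domains-file": "qmail-rcpthosts-file"}

# Constructed 4.3.1-style config fragment (illustrative values).
SAMPLE_CONF = """\
# general
log-level=verbose
local-domains-file=/var/qmail/control/rcpthosts
tls-certificate-file=/var/qmail/control/servercert.pem
tls-level=smtps
reject-empty-rdns
"""

# Shape of the line spamdyke prints before closing the connection when its
# config fails to parse, as captured with telnet in this thread.
_CONF_ERR_RE = re.compile(
    r"^ERROR\(process_config_file\(\)@configuration\.c:\d+\): "
    r"Unknown configuration file option in file (?P<file>\S+) on line (?P<line>\d+): (?P<opt>\S+)")


def parse_conf(text):
    """Yield (lineno, option, value); bare flags get value None."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opt, sep, val = line.partition("=")
        yield lineno, opt.strip(), (val.strip() if sep else None)


def find_renamed(text):
    """Lines using an option 5.0.0 no longer accepts, with its new name."""
    return [(n, opt, RENAMED_OPTIONS[opt]) for n, opt, _ in parse_conf(text) if opt in RENAMED_OPTIONS]


def migrate(text):
    """Rewrite renamed options in place, keeping values, comments and order."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            opt, sep, val = line.partition("=")
            new = RENAMED_OPTIONS.get(opt.strip())
            if new:
                raw = new + sep + val
        out.append(raw)
    return "\n".join(out) + "\n"


def classify_banner(first_line):
    """Interpret the first line a client sees: a 220 greeting means spamdyke
    started; an ERROR(...) line means it exited while reading its config."""
    if isinstance(first_line, bytes):
        first_line = first_line.decode("utf-8", "replace")
    line = first_line.strip()
    if line.startswith("220"):
        return {"status": "ok"}
    m = _CONF_ERR_RE.match(line)
    if m:
        return {"status": "config-error", "file": m.group("file"),
                "line": int(m.group("line")), "option": m.group("opt"),
                "rename_to": RENAMED_OPTIONS.get(m.group("opt"))}
    return {"status": "unknown", "banner": line}


if __name__ == "__main__":
    for lineno, old, new in find_renamed(SAMPLE_CONF):
        print("line %d: %s -> %s" % (lineno, old, new))
    print(migrate(SAMPLE_CONF))
```

Running find_renamed() over the config before upgrading avoids the outage; running classify_banner() on whatever the port returns after upgrading turns Marc's telnet diagnosis into a check that can sit in a monitoring script.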

Re: [spamdyke-users] No TLS with openssl elliptic curve cipher suites / pfs perfect forward secrecy

2014-03-28 Thread Marc Gregel
Eric,
at the moment I use the same file the normal qmail installation uses.
spamdyke.conf:
tls-dhparams-file=/var/qmail/control/dh1024.pem



2014-03-28 20:08 GMT+01:00 Eric Shubert e...@shubes.net:

 On 02/05/2014 06:34 AM, Marc Gregel wrote:
  Just for the records:
  With Version 5.0.0 and the new option tls-dhparams-file everything
  works great, TLS uses the strong cipher suites now!
  Thank you :-)

 Marc,

 What key length are you using in your dhparams file?

 --
 -Eric 'shubes'

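Marc's diagnosis of the original problem (no DH parameters loaded, so no DHE suites) and Eric's question about the key length both come down to what is inside the PEM file given to tls-dhparams-file. The Python below is an added example, not code from spamdyke or OpenSSL. It writes and reads the PKCS#3 DH parameter format OpenSSL uses (a DER SEQUENCE of two INTEGERs, p and g, base64-wrapped in a DH PARAMETERS PEM block), so the prime size of an existing dh1024.pem or dh2048.pem can be checked without trusting the file name. The primes are the 1024-bit and 2048-bit MODP groups transcribed from RFC 2409 and RFC 3526 for the demonstration; verify them against the RFCs before reusing them, and for a production file generate your own with openssl dhparam -out dh2048.pem 2048. The 2048-bit minimum in dh_strength() is the editor's choice, following NIST SP 800-131A, which puts 1024-bit finite-field DH below the acceptable size; a dh1024.pem in tls-dhparams-file buys forward secrecy with a group that is no longer considered adequate.

```python
import base64
import sys
import textwrap


def _hex_to_int(text):
    return int("".join(text.split()), 16)


# MODP primes transcribed from RFC 2409 (group 2, 1024 bits) and RFC 3526
# (group 14, 2048 bits) for this example; check against the RFCs before use.
MODP_1024_P = _hex_to_int("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF""")
MODP_2048_P = _hex_to_int("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF""")


def _der_len(n):
    """DER length: short form below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value):
    """DER INTEGER body for a non-negative int; the +8 forces a leading 0x00
    whenever the top bit is set, so the value is not read back as negative."""
    return value.to_bytes((value.bit_length() + 8) // 8, "big")


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def make_dhparams_pem(p, g=2):
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }, PEM-wrapped."""
    der = _tlv(0x30, _tlv(0x02, _der_int(p)) + _tlv(0x02, _der_int(g)))
    b64 = base64.b64encode(der).decode("ascii")
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % "\n".join(textwrap.wrap(b64, 64))


def _read_tlv(buf, pos):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_dhparams_pem(pem):
    """Return (p, g) from a DH PARAMETERS PEM block; rejects anything else."""
    lines = [l.strip() for l in pem.splitlines() if l.strip() and not l.strip().startswith("-----")]
    der = base64.b64decode("".join(lines))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE, got tag 0x%02x" % tag)
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two INTEGERs in DHParameter")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def dh_strength(pem, minimum_bits=2048):
    """(prime size in bits, meets minimum).  The 2048-bit floor follows NIST
    SP 800-131A; the dh1024.pem named in the thread fails it."""
    p, _ = parse_dhparams_pem(pem)
    return p.bit_length(), p.bit_length() >= minimum_bits


if __name__ == "__main__":
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else make_dhparams_pem(MODP_2048_P)
    bits, ok = dh_strength(pem)
    print("DH prime: %d bits (%s)" % (bits, "ok" if ok else "below 2048-bit minimum"))
```

Run it as python3 dhcheck.py /var/qmail/control/dh1024.pem to see what the file actually contains; with no argument it checks the embedded 2048-bit group. The parser does not validate that p is a safe prime, only its size, which is the question Eric asked.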