[AMaViS-user] Amavisd-new and TLS problem
Hi all,

I'm setting up a CentOS box with the following mail server combination: Postfix+Amavisd-new+ClamAV+Spamassassin

Encrypted communications are a requisite, so I've already configured IMAP+SSL (port 993) and SMTP+SSL (port 465). The system works well if I have amavisd-new deactivated:

Jul 28 13:16:58 mail postfix/smtpd[20202]: initializing the server-side TLS engine
Jul 28 13:16:58 mail postfix/smtpd[20202]: connect from 221.Red-88-11-247.dynamicIP.rima-tde.net[88.11.247.221]
Jul 28 13:16:58 mail postfix/smtpd[20202]: setting up TLS connection from 221.Red-88-11-247.dynamicIP.rima-tde.net[88.11.247.221]
Jul 28 13:16:58 mail postfix/smtpd[20202]: SSL_accept:before/accept initialization
Jul 28 13:16:58 mail postfix/smtpd[20202]: SSL_accept:error in SSLv2/v3 read client hello A
Jul 28 13:16:58 mail postfix/smtpd[20202]: SSL_accept:error in SSLv3 read client hello B
Jul 28 13:16:58 mail postfix/smtpd[20202]: SSL_accept:error in SSLv3 read client hello B
Jul 28 13:16:58 mail postfix/smtpd[20202]: SSL_accept:SSLv3 read client hello B
Jul 28 13:16:58 mail postfix/smtpd[20202]: SSL_accept:SSLv3 write server hello A
Jul 28 13:16:58 mail postfix/smtpd[20202]: SSL_accept:SSLv3 write certificate A
Jul 28 13:16:58 mail postfix/smtpd[20202]: SSL_accept:SSLv3 write key exchange A
Jul 28 13:16:58 mail postfix/smtpd[20202]: SSL_accept:SSLv3 write server done A
Jul 28 13:16:58 mail postfix/smtpd[20202]: SSL_accept:SSLv3 flush data
Jul 28 13:16:58 mail postfix/smtpd[20202]: SSL_accept:error in SSLv3 read client certificate A
Jul 28 13:16:58 mail postfix/smtpd[20202]: SSL_accept:error in SSLv3 read client certificate A
Jul 28 13:16:58 mail postfix/smtpd[20202]: SSL_accept:SSLv3 read client key exchange A
Jul 28 13:16:58 mail postfix/smtpd[20202]: SSL_accept:error in SSLv3 read certificate verify A
Jul 28 13:16:58 mail last message repeated 3 times
Jul 28 13:16:58 mail postfix/smtpd[20202]: SSL_accept:SSLv3 read finished A
Jul 28 13:16:58 mail postfix/smtpd[20202]: SSL_accept:SSLv3 write change cipher spec A
Jul 28 13:16:58 mail postfix/smtpd[20202]: SSL_accept:SSLv3 write finished A
Jul 28 13:16:58 mail postfix/smtpd[20202]: SSL_accept:SSLv3 flush data
Jul 28 13:16:58 mail postfix/smtpd[20202]: TLS connection established from 221.Red-88-11-247.dynamicIP.rima-tde.net[88.11.247.221]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jul 28 13:16:58 mail dovecot: auth(default): client in: AUTH1 PLAIN service=smtpresp=hidden
Jul 28 13:16:58 mail dovecot: auth-worker(default): mysql: Connected to localhost (openvispadmin)
Jul 28 13:16:58 mail dovecot: auth-worker(default): sql([EMAIL PROTECTED]): query: SELECT password FROM mailbox WHERE username = '[EMAIL PROTECTED]'
Jul 28 13:16:58 mail dovecot: auth(default): client out: OK 1 [EMAIL PROTECTED]
Jul 28 13:16:58 mail postfix/smtpd[20202]: E5A01D50274: client=221.Red-88-11-247.dynamicIP.rima-tde.net[88.11.247.221], sasl_method=PLAIN, [EMAIL PROTECTED]
Jul 28 13:16:59 mail postfix/cleanup[20211]: E5A01D50274: message-id=[EMAIL PROTECTED]
Jul 28 13:16:59 mail postfix/qmgr[20200]: E5A01D50274: from=[EMAIL PROTECTED], size=705, nrcpt=1 (queue active)
Jul 28 13:16:59 mail postfix/smtpd[20202]: disconnect from 221.Red-88-11-247.dynamicIP.rima-tde.net[88.11.247.221]
Jul 28 13:17:03 mail postfix/smtp[20213]: E5A01D50274: to=[EMAIL PROTECTED], relay=gmail-smtp-in.l.google.com[66.249.91.27]:25, delay=4.5, delays=0.4/0.01/0.72/3.4, dsn=2.0.0, status=sent (250 2.0.0 OK 1185621423 c22si1389232ika)
Jul 28 13:17:03 mail postfix/qmgr[20200]: E5A01D50274: removed

But if I activate the amavisd-new service:

Jul 28 13:19:17 mail postfix/smtpd[20280]: TLS connection established from 221.Red-88-11-247.dynamicIP.rima-tde.net[88.11.247.221]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jul 28 13:19:17 mail dovecot: auth(default): client in: AUTH1 PLAIN service=smtpresp=hidden
Jul 28 13:19:17 mail dovecot: auth-worker(default): sql([EMAIL PROTECTED]): query: SELECT password FROM mailbox WHERE username = '[EMAIL PROTECTED]'
Jul 28 13:19:17 mail dovecot: auth(default): client out: OK 1 [EMAIL PROTECTED]
Jul 28 13:19:17 mail postfix/smtpd[20280]: DDF9FD50274: client=221.Red-88-11-247.dynamicIP.rima-tde.net[88.11.247.221], sasl_method=PLAIN, [EMAIL PROTECTED]
Jul 28 13:19:18 mail postfix/cleanup[20286]: DDF9FD50274: message-id=[EMAIL PROTECTED]
Jul 28 13:19:18 mail postfix/qmgr[20200]: DDF9FD50274: from=[EMAIL PROTECTED], size=707, nrcpt=1 (queue active)
Jul 28 13:19:18 mail postfix/smtpd[20280]: disconnect from 221.Red-88-11-247.dynamicIP.rima-tde.net[88.11.247.221]
Jul 28 13:19:18 mail postfix/smtpd[20291]: initializing the server-side TLS engine
Jul 28 13:19:18 mail postfix/smtpd[20291]: connect from tartarus[127.0.0.1]
Jul 28 13:19:18 mail amavis[20277]: (20277-01) Negative SMTP resp to DATA: 530 5.7.0 Must issue a STARTTLS command first
Jul 28 13:19:18 mail amavis[20277]: (20277-01) Negative SMTP resp. to QUIT: 530 5.7.0
Re: [AMaViS-user] Amavisd-new and TLS problem
Jordi,

> Encrypted communications are a requisite, so I've already configured
> IMAP+SSL (port 993) and SMTP+SSL (port 465). The system works well if I have
> amavisd-new deactivated:
>
> Jul 28 13:19:18 mail amavis[20277]: (20277-01) Negative SMTP resp to DATA: 530 5.7.0 Must issue a STARTTLS command first
>
> I've tried several options and I'm sure the problem is focused in
> amavisd-new, so the system works well (as you can see above) if I deactivate it.

amavisd-new does not support TLS. If it is installed on the same host as MTA, they are talking to each other over a loopback interface, so there is no need for encryption of that within-a-host traffic. Disable MTA requirement for TLS on its re-entry port 10025.

Mark

___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/
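One way to apply the advice in the reply above, as an added example that is not part of the thread or of the amavisd-new documentation. It assumes TLS is enforced globally in main.cf, that the re-entry listener is defined in master.cf as 127.0.0.1:10025, and that the files live under /etc/postfix; the parameter names are standard Postfix.

```conf
# --- /etc/postfix/main.cf (assumed cause) -----------------------------------
# A global requirement like this is inherited by every smtpd listener,
# including the loopback re-entry port. amavisd-new speaks plain SMTP when it
# hands the scanned message back, so Postfix answers
# "530 5.7.0 Must issue a STARTTLS command first".
smtpd_tls_security_level = encrypt
# Legacy spelling of the same requirement:
# smtpd_enforce_tls = yes

# --- /etc/postfix/master.cf (corrected re-entry listener) --------------------
# Override the TLS policy for this one listener only. It binds to 127.0.0.1
# and accepts loopback clients only, so the single unencrypted listener is
# not reachable from the network.
127.0.0.1:10025 inet n  -  n  -  -  smtpd
    -o content_filter=
    -o smtpd_tls_security_level=none
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8

# Postfix releases older than 2.3 have no smtpd_tls_security_level; on those,
# replace that override with the two legacy parameters:
#    -o smtpd_use_tls=no
#    -o smtpd_enforce_tls=no
```

After `postfix reload`, the other smtpd listeners keep the global TLS policy; only the loopback re-entry port accepts plain SMTP.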
Re: [AMaViS-user] How to manage spam scores?
Justin Kim wrote:
> Gary wrote:
>> Justin wrote:
>>> Hello Everyone,
>>>
>>> I am using amavis with postfix+mysql setup. Amavis is scanning messages
>>> and is reinjecting messages to postfix through smtp. I would like to know
>>> how can I manage spam scores so that certain domain like yahoo.com is not
>>> getting high score. My user requested that there are false positive when
>>> it is sent from specific yahoo.com account. Please help!
>>>
>>> Justin
>>
>> One way would be to use @score_sender_maps. If you don't have this in
>> amavisd.conf then look for it in amavisd.conf-sample under the heading:
>>
>> # ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
>>
>> Look at both the per-recipient and site-wide examples and place your
>> entries in the appropriate position(s).
>>
>> Another possible method is to determine exactly what particular rule is
>> causing the false positive and then zero out the score of that rule in
>> local.cf.
>>
>> score SOME_YAHOO_RULE 0
>>
>> What version of SA?
>>
>> Gary V
>
> Thanks Gary,
>
> My SA version is 3.1.8 on redhat. Amavisd-new version 2.4.5
> I couldn't find the yahoo score on /usr/share/spamassassin/50_scores.cf
>
> Spam scores are:
>
> X-Spam-Flag: YES
> X-Spam-Score: 6.116
> X-Spam-Level: **
> X-Spam-Status: Yes, score=6.116 tagged_above=-999 required=5 tests=[BIZ_TLD=1.169, DNS_FROM_RFC_ABUSE=0.479, DNS_FROM_RFC_POST=1.44, DNS_FROM_RFC_WHOIS=0.879, HTML_10_20=0.945, HTML_MESSAGE=0.001, MAILTO_TO_SPAM_ADDR=0.276, MSGID_FROM_MTA_ID=0.927]
>
> I do not know if I am on the right track to 0 out yahoo scores.

MSGID_FROM_MTA_ID is intriguing. Are you sure the mail came from yahoo?

Consider enabling Bayes and training on errors.

You can lower the scores of DNS_FROM_RFC_* just enough so that the score gets below 5. Or you can write meta rules to cancel these if the sending domain is yahoo and the like (maybe too much work though).

If you get enough legitimate mail related to .biz domains, you may consider lowering the score of BIZ_TLD.
Re: [AMaViS-user] Postfix + Amavisd-new + Amavisd-milter (Net::Server 'listen' default)
David Schweikert wrote:
> On Fri, Jul 27, 2007 at 17:52:58 +0200, Mark Martinec wrote:
>>> The problem is that even though I properly limited the number of amavisd
>>> connections in amavisd-milter, amavisd does have a listen backlog
>>> (queuing of connecting clients) of maximum 5 clients. That is, if I have
>>> configured to use at most 10 amavisd processes and by chance 6
>>> amavisd-milter processes try to establish a connection simultaneously,
>>> it will fail.
>>
>> I don't see why it would be 5. The program flow goes like: amavisd leaves
>> Net::Server's option 'listen' at a default. Net::Server.pm turns undef
>> into 128:
>>
>>   $prop->{listen} = Socket::SOMAXCONN()
>>     unless defined($prop->{listen}) && $prop->{listen} =~ /^\d{1,3}$/;
>
> Funnily enough, Socket::SOMAXCONN() returns 5 on Solaris, but I am pretty
> sure that it is not the real limit. It probably comes from SOMAXCONN in
> /usr/include/sys/socket.h, but I don't think that it is the real limit.
> I have:
>
>   [EMAIL PROTECTED]:~$ ndd /dev/tcp tcp_conn_req_max_q
>   1024
>
>> Maybe Net::Server should be fixed instead?
>
> It probably would be even better to fix Socket::SOMAXCONN... I don't know
> if there is a faster way to find out the real SOMAXCONN than running ndd
> though. In the meantime, it would be nice however to have a
> $listen_queue_size option in Amavisd-new :-)

One catch there, which I'd call a Net::Server bug: If one sets the $listen_queue_size to 1024 (as you say is a default on Solaris), the Net::Server tests the value of a 'listen' option and sees the number has more than three digits, and will silently give you the Socket::SOMAXCONN default, which is a 5 on Solaris! Without a warning!

I think that Net::Server should:
- log a warning or call 'die' if the 'listen' option is invalid and is not a 0 or undef (or an empty string);
- allow values of up to 1024 at least;
- maybe even provide a more sensible default on Solaris, instead of a problematic Socket::SOMAXCONN;

I'm CCing this to Paul Seamons. I'd ask at least for a logged warning.

Btw, this thread is archived at: http://marc.info/?t=118553883800013&r=1

Mark