Re: [qmailtoaster] dovecot installation questions

2012-01-24 Thread Peter Peltonen
Hi,

On Mon, Jan 23, 2012 at 5:38 PM, Rajesh M <24x7ser...@24x7server.net> wrote:
> now i have a new box and tried to install dovecot version 2 using
> qmailtoaster rpm
>
> http://wiki.qmailtoaster.com/index.php/Replacing_Courier_IMAP_with_Dovecot_IMAP

So what you have installed is dovecot-2.0.11-2.qtp ?

>
> i followed the instructions as per the above but with default installation
> i am a quite confused because there are so many config files
>
> the config files are all different and i am not sure which options to use

What config files are you unsure about? The ones you should be looking at are:

/etc/dovecot/toaster.conf
/etc/dovecot/local.conf

as those are the ones that the main config file /etc/dovecot/dovecot.conf loads

The ones in conf.d directory are just examples/defaults.

The defaults should work fine though? The only change I've done personally is:

#auth_mechanisms = plain login digest-md5 cram-md5
auth_mechanisms = plain login digest-md5

--> I disabled cram-md5 auth as Horde Imp was having problems with that.

The defaults work quite well for me

>
> i am getting error as such
>
> telnet xxx.xxx.xxx.xxx 143 or port 110 gives error as below
> [root@ns1 conf.d]# tail -f /var/log/dovecot.log
> Jan 23 20:57:38 auth: Fatal: vpopmail: vauth_open() failed
> Jan 23 20:57:38 master: Error: service(auth): command startup failed,
> throttling

Everything worked fine before dovecot installation? You have standard
setup using vpopmail + mysql? Is your database running? You haven't
touched dovecot's toaster.conf and it is loaded?

I don't know much, but it sounds to me that vpopmail cannot
authenticate the user properly for some reason.

> my questions
>
> 1) is there some place to get detailed instructions on the installation or
> if anybody is already using the standard installation successfully then
> can you please post your config file and installation instructions

AFAIK using the default configs from the qmt rpm everything should "just work"?


> 2) how better is dovecot pop3 and pop3 compared to normal pop3 of
> qmailtoaster, are there any known issues ?

Not using pop3 that much, so can't help here.


> my qmail pop3 is working quite nicely but if dovecot is better then i
> could try that.

If you don't have any problems with it, then I would leave the setup as it is.


Best,
Peter

-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
  If you need professional help with your setup, contact them today!
-
 Please visit qmailtoaster.com for the latest news, updates, and packages.
 
  To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
 For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




Re: [qmailtoaster] how to SMTPS submission/port 587

2012-01-24 Thread Kalil Costa - Brasilsite

  
  

I can't block port 25, if I do this I don't receive mail from other
mx mail and my clients are on the internet, anywhere in the world.




On 23-01-2012 19:57, Postmaster wrote:

  
  Kalz
  
  Why not using iptables to block any outgoing SMTP connection?
  
  
  iptables -A FORWARD -o eth0 -p tcp --dport 25 -j REJECT 
  
  
  Regards
  Alex
  
  
  
  On 20/01/2012 20:02, Kalil Costa - Brasilsite wrote:
  


Thks Dan, 




I understand completely, I think I'll work with 465.

And how to lock my users for doesn't to use port 25 ?   I want to
receive only external mails in port 25 and my clients to use port 465.
Is it the correct way ?



thks again Dan.






On 20-01-2012 15:41, Dan McAllister wrote:

  
  Kalil (aka: Kalz):
  
  Port 587 usually does NOT force the use of SSL/TLS -- the port
  is defined as a "submission" port and is most often used as a
  "replacement" for SMTP in environments that otherwise BLOCK
  port 25 access (like some ISPs do -- allowing port 25 ONLY to
  their own SMTP servers and/or relays).
  
  There is another port - 465 - that is another well-known port
  defined as SMTPS whose specifications match what you want: a
  port that only allows SSL/TLS connections.
  
  OK, that part out of the way, here's how you add one or the
  other (NOTE: I take some shortcuts here -- like using tar
  pipes -- that some may object to... all I can say is that it
  works!)
  
  Step 1:  Create the supervise folders to make qmail listen on
  the additional ports
   a) CD to the supervise folder
        cd /var/qmail/supervise
   b) copy the smtp directory tree into a new tree called
      submission (for port 587) and then another called smtp-ssl
      (for port 465)
        for DIR in submission smtp-ssl ; do
          mkdir $DIR
          chown qmaill:qmail $DIR
          chmod 1700 $DIR
          tar cvf - -C smtp . | tar xvf - -C $DIR
        done
   c) Modify the run scripts in the new folders as below

      In the SUBMISSION folder:
        BEFORE the exec line at the bottom, add (or modify if
        they already exist) the lines:
          export REQUIRE_AUTH=1
          export SMTPS=0
        ON the exec line at the bottom, change the 25
        (should be right after a 0) to 587
        Notes:
          1) the exec line usually has continuation marks
             (line ends with a \) -- this makes the last several ACTUAL
             lines one VIRTUAL line (and improves readability)
          2) your installation MAY use a variable (e.g.:
             USEPORT) -- if so, look for the line above that ends in "=25"
             and change that one!
      In the SMTPS folder:
        BEFORE the exec line at the bottom, add (or modify if
        they already exist) the lines:
          export REQUIRE_AUTH=1
          export SMTPS=1
        ON the exec line at the bottom, change the 25
        (should be right after a 0) to 465
        Notes:
          1) the exec line usually has continuation marks
             (line ends with a \) -- this makes the last several ACTUAL
             lines one VIRTUAL line (and improves readability)
          2) your installation MAY use a variable (e.g.:
             USEPORT) -- if so, look for the line above that ends in "=25"
             and change that one!
   d) OPTIONALLY:
        If you're UNLIKE like me and you trust users NOT to be
        the SOURCE of SPAM, then you can remove any SPAMDYKE or
        SPAMASSASSIN processing you may have configured for your
        standard (open) SMTP port
  
  I hope this helps!
  
  Dan McAllister
  IT4SOHO
  
  
  
  On 1/20/2012 12:09 PM, Kalil Costa - Brasilsite wrote:
  

Guys,



How to configure my qmailtoaster to use port 587 SMTPS
Submission for my clients and port 25 for other servers
from internet ?   Some like this



--CLIENTS- port smtp/587->
**
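
Dan McAllister's steps b) and c) quoted above, carried out end to end in a temporary sandbox; this is an added example, not code from the thread or from the qmailtoaster project. The sample `run` script, the function names `make_sample_smtp` and `add_listener`, and the sandbox path are assumptions made for illustration, and the `chown qmaill:qmail` step is left as a comment because it needs root on the real host.

```shell
#!/bin/sh
# Sandbox walk-through of steps b) and c). Everything happens under a temporary
# directory; on a real host the base would be /var/qmail/supervise.

# Constructed stand-in for supervise/smtp/run (the thread does not show the real
# script): an old SMTPS setting, and an exec line with continuation marks and "0 25".
make_sample_smtp() {
    mkdir -p "$1/smtp/log"
    cat > "$1/smtp/run" <<'EOF'
#!/bin/sh
HOSTNAME=`hostname`
export SMTPS=0
exec /usr/bin/softlimit -m 64000000 \
     /usr/bin/tcpserver -v -R -H -l "$HOSTNAME" \
     -x /etc/tcprules.d/tcp.smtp.cdb \
     0 25 \
     /var/qmail/bin/qmail-smtpd
EOF
    chmod 755 "$1/smtp/run"
}

# add_listener BASE NAME PORT SMTPS  (hypothetical helper)
# Clone BASE/smtp into BASE/NAME, then edit NAME/run as the steps describe.
add_listener() {
    base=$1 name=$2 port=$3 smtps=$4
    if [ ! -f "$base/smtp/run" ]; then echo "no $base/smtp/run" >&2; return 1; fi
    if [ -e "$base/$name" ]; then echo "$base/$name already exists" >&2; return 1; fi

    mkdir "$base/$name" || return 1
    # The tar pipe from the post, minus -v.
    tar cf - -C "$base/smtp" . | tar xf - -C "$base/$name" || return 1
    # Mode is set after the copy because extracting "." re-applies the source
    # directory mode. On the real host also: chown qmaill:qmail "$base/$name"
    chmod 1700 "$base/$name"

    tmp="$base/$name/run.new"
    awk -v port="$port" -v smtps="$smtps" '
        # Drop existing settings; they are written again just before exec.
        /^[ \t]*export[ \t]+(REQUIRE_AUTH|SMTPS)=/ { next }
        # Variable form from note 2, e.g. USEPORT=25, above the exec line.
        !inexec && /=25$/ { sub(/=25$/, "=" port) }
        /^[ \t]*exec[ \t]/ && !inexec {
            print "export REQUIRE_AUTH=1"
            print "export SMTPS=" smtps
            inexec = 1
        }
        # Literal form: the port follows the listen address 0, anywhere on the
        # virtual exec line (note 1: it spans several continued lines).
        inexec {
            sub(/ 0 25 /, " 0 " port " ")
            sub(/ 0 25$/, " 0 " port)
        }
        { print }
    ' "$base/smtp/run" > "$tmp" || return 1
    # Overwrite in place so the copied run script keeps its executable mode.
    cat "$tmp" > "$base/$name/run" && rm -f "$tmp"
}

demo() {
    sandbox=$(mktemp -d) || return 1
    make_sample_smtp "$sandbox"
    add_listener "$sandbox" submission 587 0
    add_listener "$sandbox" smtp-ssl 465 1
    # Show the settings and listen ports of all three run scripts side by side.
    grep -n -e '^export' -e ' 0 [0-9]' "$sandbox"/*/run
    rm -rf "$sandbox"
}
demo
```

Diffing the generated `run` against `smtp/run` before starting the new service confirms that only the two exports and the port changed.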
        

Re: [qmailtoaster] how to SMTPS submission/port 587

2012-01-24 Thread Kalil Costa - Brasilsite

  
  


I read that is more simples block my clients with spamdyke using
filters domain 'from' and port 587 allow my clients.






On 24-01-2012 09:19, Kalil Costa - Brasilsite wrote:

  
  
  I can't block port 25, if I do this I don't receive mail from
  other mx mail and my clients are on the internet, anywhere in the
  world.
  
  
  
  
  On 23-01-2012 19:57, Postmaster wrote:
  

Kalz

Why not using iptables to block any outgoing SMTP connection?


iptables -A FORWARD -o eth0 -p tcp --dport 25 -j REJECT 


Regards
Alex



On 20/01/2012 20:02, Kalil Costa - Brasilsite wrote:

  
  
  Thks Dan, 
  
  
  
  
  I understand completely, I think I'll work with 465.

  And how to lock my users for doesn't to use port 25 ?   I want to
  receive only external mails in port 25 and my clients to use port 465.
  Is it the correct way ?
  
  
  
  thks again Dan.
  
  
  
  
  
  
  On 20-01-2012 15:41, Dan McAllister wrote:
  

Kalil (aka: Kalz):

Port 587 usually does NOT force the use of SSL/TLS -- the
port is defined as a "submission" port and is most often
used as a "replacement" for SMTP in environments that
otherwise BLOCK port 25 access (like some ISPs do --
allowing port 25 ONLY to their own SMTP servers and/or
relays).

There is another port - 465 - that is another well-known
port defined as SMTPS whose specifications match what you
want: a port that only allows SSL/TLS connections.

OK, that part out of the way, here's how you add one or the
other (NOTE: I take some shortcuts here -- like using tar
pipes -- that some may object to... all I can say is that it
works!)

Step 1:  Create the supervise folders to make qmail listen
on the additional ports
 a) CD to the supervise folder
  cd /var/qmail/supervise
 b) copy the smtp directory tree into a new tree called
submission (for port 587) and then another called smtp-ssl
(for port 465)
  for DIR in submission smtp-ssl ; do
      mkdir $DIR
      chown qmaill:qmail $DIR
      chmod 1700 $DIR
      tar cvf - -C smtp . | tar xvf - -C $DIR
    done
 c) Modify the run scripts in the new folders as below
 In the SUBMISSION folder:
    BEFORE the exec line at the bottom, add (or modify
if they already exist) the lines:
  export REQUIRE_AUTH=1
    export SMTPS=0
    ON the exec line at the bottom, change the 25
(should be right after a 0) to 587
  Notes:
    1) the exec line usually has continuation marks
(line ends with a \) -- this makes the last several ACTUAL
lines one VIRTUAL line (and improves readability)
    2) your installation MAY use a variable (e.g.:
USEPORT) -- if so, look for the line above that ends in "=25"
and change that one!
 In the SMTPS folder:
    BEFORE the exec line at the bottom, add (or modify
if they already exist) the lines:
  export REQUIRE_AUTH=1
    export SMTPS=1
    ON the exec line at the bottom, change the 25
(should be right after a 0) to 465
  Notes:
    1) the exec line usually has continuation marks
(line ends with a \) -- this makes the last several ACTUAL
lines one VIRTUAL line (and improves readability)
    2) your installation MAY use a variable (e.g.:
USEPORT) -- if so, look for the line above that ends in "=25"
and change that one!
 d) OPTIONALLY:
  If you're UNLIKE like me and you trust users NOT to be
the SOURCE of SPAM, then you can remove any SPAMDYKE or
SPAMASSASSIN processing you may have configured for your
standard (open) SMTP port

I hope this helps!

Dan McAllister
IT4SOHO


  

Re: [qmailtoaster] how to SMTPS submission/port 587

2012-01-24 Thread Tonix (Antonio Nati)
So if a customer of yours uses as SMTP server another server (i.e. a 
mobile SMTP), and uses his own address as sender, you are going to block 
his emails.


Correct?

Tonino

On 24/01/2012 12:47, Kalil Costa - Brasilsite wrote:



I read that is more simples block my clients with spamdyke using 
filters domain 'from' and port 587 allow my clients.







On 24-01-2012 09:19, Kalil Costa - Brasilsite wrote:


I can't block port 25, if I do this I don't receive mail from other 
mx mail and my clients are on the internet, anywhere in the world.





On 23-01-2012 19:57, Postmaster wrote:

Kalz

Why not using iptables to block any outgoing SMTP connection?

iptables -A FORWARD -o eth0 -p tcp --dport 25 -j REJECT


Regards
Alex



On 20/01/2012 20:02, Kalil Costa - Brasilsite wrote:


Thks Dan,




I understand completely, I think I'll work with 465.


And how to lock my users for doesn't to use port 25 ? I want to 
receive only external mails in port 25 and my clients to use port 
465. Is it the correct way ?




thks again Dan.






On 20-01-2012 15:41, Dan McAllister wrote:

Kalil (aka: Kalz):

Port 587 usually does NOT force the use of SSL/TLS -- the port is 
defined as a "submission" port and is most often used as a 
"replacement" for SMTP in environments that otherwise BLOCK port 
25 access (like some ISPs do -- allowing port 25 ONLY to their own 
SMTP servers and/or relays).


There is another port - 465 - that is another well-known port 
defined as SMTPS whose specifications match what you want: a port 
that only allows SSL/TLS connections.


OK, that part out of the way, here's how you add one or the other 
(NOTE: I take some shortcuts here -- like using tar pipes -- that 
some may object to... all I can say is that it works!)


Step 1:  Create the supervise folders to make qmail listen on the 
additional ports

 a) CD to the supervise folder
      cd /var/qmail/supervise
 b) copy the smtp directory tree into a new tree called submission 
(for port 587) and then another called smtp-ssl (for port 465)

      for DIR in submission smtp-ssl ; do
        mkdir $DIR
        chown qmaill:qmail $DIR
        chmod 1700 $DIR
        tar cvf - -C smtp . | tar xvf - -C $DIR
      done
 c) Modify the run scripts in the new folders as below
 In the SUBMISSION folder:
    BEFORE the exec line at the bottom, add (or modify if they 
    already exist) the lines:

      export REQUIRE_AUTH=1
      export SMTPS=0

    ON the exec line at the bottom, change the 25 (should be right 
    after a 0) to 587

    Notes:
      1) the exec line usually has continuation marks (line 
         ends with a \) -- this makes the last several ACTUAL lines one 
         VIRTUAL line (and improves readability)
      2) your installation MAY use a variable (e.g.: 
         USEPORT) -- if so, look for the line above that ends in "=25" 
         and change that one!

 In the SMTPS folder:
    BEFORE the exec line at the bottom, add (or modify if they 
    already exist) the lines:

      export REQUIRE_AUTH=1
      export SMTPS=1

    ON the exec line at the bottom, change the 25 (should be right 
    after a 0) to 465

    Notes:
      1) the exec line usually has continuation marks (line 
         ends with a \) -- this makes the last several ACTUAL lines one 
         VIRTUAL line (and improves readability)
      2) your installation MAY use a variable (e.g.: 
         USEPORT) -- if so, look for the line above that ends in "=25" 
         and change that one!

 d) OPTIONALLY:
  If you're UNLIKE like me and you trust users NOT to be the 
SOURCE of SPAM, then you can remove any SPAMDYKE or SPAMASSASSIN 
processing you may have configured for your standard (open) SMTP port


I hope this helps!

Dan McAllister
IT4SOHO



On 1/20/2012 12:09 PM, Kalil Costa - Brasilsite wrote:

Guys,



How to configure my qmailtoaster to use port 587 SMTPS Submission 
for my clients and port 25 for other servers from internet ?   
Some like this




--CLIENTS- port smtp/587-> **

*  SERVER  *

--OTHER INTERNET MAIL SERVERS --- port 25---> * QMAILTOASTER *
 
   *   *

--CLIENTS - port 25 ***BLOCKED******



Thanks for help


Kalz


Re: [qmailtoaster] how to SMTPS submission/port 587

2012-01-24 Thread Tuan Nguyen Bui
N

Sent from my iPhone

On 24-01-2012, at 18:19, Kalil Costa - Brasilsite wrote:

> 
> I can't block port 25, if I do this I don't receive mail from other mx mail 
> and my clients are on the internet, anywhere in the world.
> 
> 
> 
> 
> On 23-01-2012 19:57, Postmaster wrote:
>> 
>> Kalz
>> 
>> Why not using iptables to block any outgoing SMTP connection?
>> 
>> iptables -A FORWARD -o eth0 -p tcp --dport 25 -j REJECT 
>> 
>> 
>> Regards
>> Alex
>> 
>> 
>> 
>> On 20/01/2012 20:02, Kalil Costa - Brasilsite wrote:
>>> 
>>> 
>>> Thks Dan, 
>>> 
>>> 
>>> 
>>> 
>>> I understand completely, I think I'll work with 465.
>>> 
>>> 
>>> And how to lock my users for doesn't to use port 25 ?  I want to receive 
>>> only external mails in port 25 and my clients to use port 465. Is it the 
>>> correct way ?
>>> 
>>> 
>>> 
>>> thks again Dan.
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> On 20-01-2012 15:41, Dan McAllister wrote:
 
 Kalil (aka: Kalz):
 
 Port 587 usually does NOT force the use of SSL/TLS -- the port is defined 
 as a "submission" port and is most often used as a "replacement" for SMTP 
 in environments that otherwise BLOCK port 25 access (like some ISPs do -- 
 allowing port 25 ONLY to their own SMTP servers and/or relays).
 
 There is another port - 465 - that is another well-known port defined as 
 SMTPS whose specifications match what you want: a port that only allows 
 SSL/TLS connections.
 
 OK, that part out of the way, here's how you add one or the other (NOTE: I 
 take some shortcuts here -- like using tar pipes -- that some may object 
 to... all I can say is that it works!)
 
 Step 1:  Create the supervise folders to make qmail listen on the 
 additional ports
  a) CD to the supervise folder
   cd /var/qmail/supervise
  b) copy the smtp directory tree into a new tree called submission (for 
 port 587) and then another called smtp-ssl (for port 465)
   for DIR in submission smtp-ssl ; do
 mkdir $DIR
 chown qmaill:qmail $DIR
 chmod 1700 $DIR
 tar cvf - -C smtp . | tar xvf - -C $DIR
   done
  c) Modify the run scripts in the new folders as below 
  In the SUBMISSION folder:
 BEFORE the exec line at the bottom, add (or modify if they already 
 exist) the lines:
   export REQUIRE_AUTH=1
   export SMTPS=0
 ON the exec line at the bottom, change the 25 (should be right 
 after a 0) to 587
   Notes:
 1) the exec line usually has continuation marks (line ends 
 with a \) -- this makes the last several ACTUAL lines one VIRTUAL line 
 (and improves readability)
 2) your installation MAY use a variable (e.g.: USEPORT) -- if 
 so, look for the line above that ends in "=25" and change that one!
  In the SMTPS folder:
 BEFORE the exec line at the bottom, add (or modify if they already 
 exist) the lines:
   export REQUIRE_AUTH=1
   export SMTPS=1
 ON the exec line at the bottom, change the 25 (should be right 
 after a 0) to 465
   Notes:
 1) the exec line usually has continuation marks (line ends 
 with a \) -- this makes the last several ACTUAL lines one VIRTUAL line 
 (and improves readability)
 2) your installation MAY use a variable (e.g.: USEPORT) -- if 
 so, look for the line above that ends in "=25" and change that one!
  d) OPTIONALLY:
   If you're UNLIKE like me and you trust users NOT to be the SOURCE of 
 SPAM, then you can remove any SPAMDYKE or SPAMASSASSIN processing you may 
 have configured for your standard (open) SMTP port
 
 I hope this helps!
 
 Dan McAllister
 IT4SOHO
 
 
 
 On 1/20/2012 12:09 PM, Kalil Costa - Brasilsite wrote:
> 
> Guys,
> 
> 
> 
> How to configure my qmailtoaster to use port 587 SMTPS Submission for my 
> clients and port 25 for other servers from internet ?   Some like this
> 
> 
> 
> --CLIENTS- port smtp/587-> **
> * 
>  SERVER  *
> --OTHER INTERNET MAIL SERVERS --- port 25---> * 
> QMAILTOASTER * 
> * 
>   *
> --CLIENTS - port 25 ***BLOCKED****** 
> 
> 
> 
> Thanks for help
> 
> 
> Kalz
> 

Re: [qmailtoaster] Sanesecurity, spamassassin & spamdyke

2012-01-24 Thread Casey Price
Any takers on this one? The problem is definitely on my SA1 box (you can 
see spamd start hogging memory and eating up the processor and notice a 
constant heavy load when you view the stats with htop, or "w").


There isn't really much on the wiki regarding SaneSecurity, so I was 
hoping for some insight in configuring it and tuning it for better 
performance. So, while this is one piece to the problem, the other issue 
is that when messages are flagged by SaneSecurity, they are rejected by 
SA1 (primary spamassassin box) when GW1 (primary spamdyke box - all mail 
hits this server, then is passed to SA1 using smtproutes) attempts to 
pass the mail to the next hop. What this means is that I end up with 
several thousand messages in my queue every  day on GW1, and they end up 
being something like this:


15107007 (9, L)
  Return-path: #@[]
  From: mailer-dae...@gateway1.smileglobal.com
  To: postmas...@gateway1.smileglobal.com
  Subject: failure notice
  Date: 25 Jan 2012 00:50:42 -
  Size: 23018 bytes

 --
Hi. This is the qmail-send program at gateway1.smileglobal.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

:
User and password not set, continuing without authentication.
 69.7.35.24 failed after I sent the message.
Remote host said: 554 Your email was rejected because it contains the 
Sanesecurity.Jurlbl.5049.UNOFFICIAL virus




Hoping someone can shed some light on this for me and help me figure out 
a better solution.


Thanks,

Casey Price

Smile Global Technical Support
Submit or check trouble tickets http://billing.smileglobal.com
www.smileglobal.com 

Follow us on Twitter 
Find us on Facebook 

On 1/19/12 6:12 PM, Casey Price wrote:

Hi guys,

Lately I've been noticing the queue on one of my gateway servers 
(running QMT with spamdyke) has been growing quite large on a daily 
basis. Once mail hits this server it is passed on to my SA box which 
also runs QMT with clamav & spamassassin.


I recently used the qtp-install-sanesecurity script, and while it 
appears to be properly identifying mail, it ends up rejecting the mail 
as it is being passed on from the gateway server.


So it ends up back in the gateway queue and just sits there. Is there 
a way I can prevent the SA box from rejecting and sending the mail 
back to the gateway box? It would be nice if it just deleted the mail.


I'm using simscan on the SA box as well. Any recommendations? I 
previously had the following options enabled in spamdyke, but ended up 
turning them off because many of my customers were complaining about 
not receiving their mail...


reject-ip-in-cc-rdns
reject-unresolvable-rdns

Thanks

--
Casey Price

Smile Global Technical Support
Submit or check trouble tickets http://billing.smileglobal.com
www.smileglobal.com 

Follow us on Twitter 
Find us on Facebook 
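
To see which scanner signatures and which next hop account for the failure notices piling up in the gateway queue described above, the notices can be tallied; this is an added example, not part of the thread. The function names and the sample notices are constructed for illustration (documentation addresses, placeholder hostnames), and only the Sanesecurity signature string is taken from the message above.

```shell
#!/bin/sh
# tally_rejections (hypothetical helper): read qmail failure notices on stdin and
# print "<count> <next-hop ip> <signature>" for every scanner rejection, busiest first.
tally_rejections() {
    awk '
        function flush(   sig) {
            gsub(/[ \t]+/, " ", buf)
            if (match(buf, /contains the [^ ]+ virus/)) {
                # strip the 13-character prefix and the 6-character " virus" suffix
                sig = substr(buf, RSTART + 13, RLENGTH - 19)
                seen[ip " " sig]++
            }
            buf = ""
        }
        # qmail-remote names the hop that refused the message.
        /failed after I sent the message/ { ip = $1; next }
        # The 554 reply may wrap onto the next line, so collect until a blank line.
        /^Remote host said: 554/ { if (buf != "") flush(); buf = $0; next }
        buf != "" && /^[ \t]*$/ { flush(); next }
        buf != "" { buf = buf " " $0 }
        END {
            if (buf != "") flush()
            for (k in seen) print seen[k], k
        }
    ' | sort -k1,1nr -k2
}

# Constructed sample: three scanner rejections (one reply wrapped as in the
# notice quoted above, two on a single line) and one unrelated 550 bounce.
sample_notices() {
    cat <<'EOF'
Hi. This is the qmail-send program at gw1.example.net.

<user1@example.org>:
User and password not set, continuing without authentication.
 192.0.2.10 failed after I sent the message.
Remote host said: 554 Your email was rejected because it contains the
Sanesecurity.Jurlbl.5049.UNOFFICIAL virus

Hi. This is the qmail-send program at gw1.example.net.

<user2@example.org>:
 192.0.2.10 failed after I sent the message.
Remote host said: 554 Your email was rejected because it contains the Sanesecurity.Jurlbl.5049.UNOFFICIAL virus

Hi. This is the qmail-send program at gw1.example.net.

<user3@example.org>:
 192.0.2.11 failed after I sent the message.
Remote host said: 554 Your email was rejected because it contains the Example.Constructed.1.UNOFFICIAL virus

Hi. This is the qmail-send program at gw1.example.net.

<user4@example.org>:
 192.0.2.12 failed after I sent the message.
Remote host said: 550 sorry, no mailbox here by that name.

EOF
}

sample_notices | tally_rejections
```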


[qmailtoaster] Re: Sanesecurity, spamassassin & spamdyke

2012-01-24 Thread Eric Shubert
The stock QMT configuration scans the message while the perimeter smtp 
session is still active, which allows it to simply reject the message 
(not accepting it), because it's coming directly from the sender's 
server. In this case, the sender's server is responsible for creating a 
bounce message to the sender.


I don't know why GW1 is bouncing the message to the postmaster@gw1 
instead of the original sender, but perhaps it tried and cannot.


The way you have things set up, the SA1 host needs to go ahead and 
accept the message from GW1, and then generate a bounce to the original 
sender. This is not a very good way of handling things, as it 
contributes to backscatter (bounces with forged return addresses). That 
being said, I think there may be a way to configure qmail and simscan 
such that a message gets bounced (returned to sender) instead of refused 
(leaving the sending server (GW1) to deal with it), but I don't know 
about how to do, and would recommend against this configuration.


When the message is denied at the perimeter, there is no bounced message 
(from you), and a good chance there will be less backscatter. If you 
really have more traffic than a single host can deal with (which is 
quite a lot), then there's probably a better way to distribute the load. 
I would let the scanning be done on (or from) the gateway server, which 
handles the smtp sessions, and find another way to divvy up the load if 
required.


Sorry I can't be of more help than this. If you gave us some idea of how 
many domains and accounts and messages you're talking about, we might 
get some better idea.


--
-Eric 'shubes'

On 01/24/2012 06:43 PM, Casey Price wrote:

Any takers on this one? The problem is definitely on my SA1 box (you can
see spamd start hogging memory and eating up the processor and notice a
constant heavy load when you view the stats with htop, or "w").

There isn't really much on the wiki regarding SaneSecurity, so I was
hoping for some insight in configuring it and tuning it for better
performance. So, while this is one piece to the problem, the other issue
is that when messages are flagged by SaneSecurity, they are rejected by
SA1 (primary spamassassin box) when GW1 (primary spamdyke box - all mail
hits this server, then is passed to SA1 using smtproutes) attempts to
pass the mail to the next hop. What this means is that I end up with
several thousand messages in my queue every day on GW1, and they end up
being something like this:

15107007 (9, L)
Return-path: #@[]
From: mailer-dae...@gateway1.smileglobal.com
To: postmas...@gateway1.smileglobal.com
Subject: failure notice
Date: 25 Jan 2012 00:50:42 -
Size: 23018 bytes

--
Hi. This is the qmail-send program at gateway1.smileglobal.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

:
User and password not set, continuing without authentication.
 69.7.35.24 failed after I sent the message.
Remote host said: 554 Your email was rejected because it contains the
Sanesecurity.Jurlbl.5049.UNOFFICIAL virus



Hoping someone can shed some light on this for me and help me figure out
a better solution.

Thanks,

Casey Price

Smile Global Technical Support
Submit or check trouble tickets http://billing.smileglobal.com
www.smileglobal.com 

Follow us on Twitter 
Find us on Facebook 

On 1/19/12 6:12 PM, Casey Price wrote:

Hi guys,

Lately I've been noticing the queue on one of my gateway servers
(running QMT with spamdyke) has been growing quite large on a daily
basis. Once mail hits this server it is passed on to my SA box which
also runs QMT with clamav & spamassassin.

I recently used the qtp-install-sanesecurity script, and while it
appears to be properly identifying mail, it ends up rejecting the mail
as it is being passed on from the gateway server.

So it ends up back in the gateway queue and just sits there. Is there
a way I can prevent the SA box from rejecting and sending the mail
back to the gateway box? It would be nice if it just deleted the mail.

I'm using simscan on the SA box as well. Any recommendations? I
previously had the following options enabled in spamdyke, but ended up
turning them off because many of my customers were complaining about
not receiving their mail...

reject-ip-in-cc-rdns
reject-unresolvable-rdns

Thanks

--
Casey Price

Smile Global Technical Support
Submit or check trouble tickets http://billing.smileglobal.com
www.smileglobal.com 

Follow us on Twitter 
Find us on Facebook 





[qmailtoaster] Re: Sanesecurity, spamassassin & spamdyke

2012-01-24 Thread Eric Shubert

Here's a setup that I like:

http://www.shupp.org/maps/ispcluster.html

Notice that spamd scanning is offloaded, but it's done while the smtp 
(mx) session stays open, so that messages can be rejected, not bounced.


I'm glad this link is still up. I just found out that Bill appears to 
have taken most of his Qmail stuff down. Would someone care to get 
Bill's permission first, then put this up on the wiki? I think this is 
worthy.


--
-Eric 'shubes'


On 01/24/2012 06:43 PM, Casey Price wrote:

Any takers on this one? The problem is definitely on my SA1 box (you can
see spamd start hogging memory and eating up the processor and notice a
constant heavy load when you view the stats with htop, or "w").

There isn't really much on the wiki regarding SaneSecurity, so I was
hoping for some insight in configuring it and tuning it for better
performance. So, while this is one piece to the problem, the other issue
is that when messages are flagged by SaneSecurity, they are rejected by
SA1 (primary spamassassin box) when GW1 (primary spamdyke box - all mail
hits this server, then is passed to SA1 using smtproutes) attempts to
pass the mail to the next hop. What this means is that I end up with
several thousand messages in my queue every day on GW1, and they end up
being something like this:

15107007 (9, L)
Return-path: #@[]
From: mailer-dae...@gateway1.smileglobal.com
To: postmas...@gateway1.smileglobal.com
Subject: failure notice
Date: 25 Jan 2012 00:50:42 -
Size: 23018 bytes

--
Hi. This is the qmail-send program at gateway1.smileglobal.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

:
User and password not set, continuing without authentication.
 69.7.35.24 failed after I sent the message.
Remote host said: 554 Your email was rejected because it contains the
Sanesecurity.Jurlbl.5049.UNOFFICIAL virus



Hoping someone can shed some light on this for me and help me figure out
a better solution.

Thanks,

Casey Price

Smile Global Technical Support
Submit or check trouble tickets http://billing.smileglobal.com
www.smileglobal.com 

Follow us on Twitter 
Find us on Facebook 

On 1/19/12 6:12 PM, Casey Price wrote:

Hi guys,

Lately I've been noticing the queue on one of my gateway servers
(running QMT with spamdyke) has been growing quite large on a daily
basis. Once mail hits this server it is passed on to my SA box which
also runs QMT with clamav & spamassassin.

I recently used the qtp-install-sanesecurity script, and while it
appears to be properly identifying mail, it ends up rejecting the mail
as it is being passed on from the gateway server.

So it ends up back in the gateway queue and just sits there. Is there
a way I can prevent the SA box from rejecting and sending the mail
back to the gateway box? It would be nice if it just deleted the mail.

I'm using simscan on the SA box as well. Any recommendations? I
previously had the following options enabled in spamdyke, but ended up
turning them off because many of my customers were complaining about
not receiving their mail...

reject-ip-in-cc-rdns
reject-unresolvable-rdns

Thanks

--
Casey Price

Smile Global Technical Support
Submit or check trouble tickets http://billing.smileglobal.com
www.smileglobal.com 

Follow us on Twitter 
Find us on Facebook 








Re: [qmailtoaster] Re: Sanesecurity, spamassassin & spamdyke

2012-01-24 Thread Casey Price


On 1/24/12 6:43 PM, Eric Shubert wrote:
> The stock QMT configuration scans the message while the perimeter smtp 
> session is still active, which allows it to simply reject the message 
> (not accepting it), because it's coming directly from the sender's 
> server. In this case, the sender's server is responsible for creating 
> a bounce message to the sender.
>
> I don't know why GW1 is bouncing the message to the postmaster@gw1 
> instead of the original sender, but perhaps it tried and cannot.
>
> The way you have things set up, the SA1 host needs to go ahead and 
> accept the message from GW1, and then generate a bounce to the 
> original sender. This is not a very good way of handling things, as it 
> contributes to backscatter (bounces with forged return addresses). 
> That being said, I think there may be a way to configure qmail and 
> simscan such that a message gets bounced (returned to sender) instead 
> of refused (leaving the sending server (GW1) to deal with it), but I 
> don't know about how to do, and would recommend against this 
> configuration.

I agree with you on this one...I don't really like the way things are 
set up at the moment. This is how things were set up when I took over, 
so I'm thinking I'd like to do away with my SA1 & SA2 boxes and just 
beef up the two GW boxes and run spamassassin on them. Right now it is 
inefficient, because the bounces end up back in the GW queues and just 
waste resources.

> When the message is denied at the perimeter, there is no bounced 
> message (from you), and a good chance there will be less backscatter. 
> If you really have more traffic than a single host can deal with 
> (which is quite a lot), then there's probably a better way to 
> distribute the load. I would let the scanning be done on (or from) the 
> gateway server, which handles the smtp sessions, and find another way 
> to divvy up the load if required.

Yeah, the method you are suggesting makes much more sense and seems like 
it would be much more effective and less-resource intensive overall 
compared to our current config.

> Sorry I can't be of more help than this. If you gave us some idea of 
> how many domains and accounts and messages you're talking about, we 
> might get some better idea.

No worries Eric...I appreciate the insight! We have a few hundred 
domains with several thousand users.


Oh and thanks for sending that link...I've been to that page before, but 
not in awhile. Anyone come across good documentation on setting up spamd 
on a separate machine and then using the spamc client?


Casey Price

Smile Global Technical Support
Submit or check trouble tickets http://billing.smileglobal.com
www.smileglobal.com 

Follow us on Twitter 
Find us on Facebook