Re: [qmailtoaster] TLS reason: 503_MAIL_first_(#5.5.1)

2020-08-08 Thread Chris
It was PEBKAC.  My settings are now:

#2020-08-08
#tls-certificate-file=/var/qmail/control/servercert.pem
tls-level=smtp

And I'm getting an A+ from the LuxSci TLS tester.

On Sun, Aug 9, 2020 at 4:11 AM Eric Broch  wrote:

> You can also tell in the mail log (/var/log/maillog) if messages have been
> encrypted, spamdyke will let you know if messages from a certain host are
> using TLS. See this entry:
>
> Aug  8 09:59:45 myhost spamdyke[10388]: TLS_ENCRYPTED from: (unknown) to:
> (unknown) origin_ip: 66.163.185.72 origin_rdns:
> sonic329-10.consmr.mail.ne1.yahoo.com auth: (unknown) encryption:
> TLS_PASSTHROUGH reason: (empty)
> On 8/7/2020 8:51 PM, Chris wrote:
>
>
>
> On Sat, Aug 8, 2020 at 1:26 PM Eric Broch  wrote:
>
>> What version of qmail do you have?
>>
> qmail-1.03-3.2.qt.el7.x86_64
>
>>
>> And, what about the email coming from the qmailtoaster-list? Can you send
>> that header along?
>>
> I send most mailing list emails to my gmail account, so I can communicate
> with the list even if my mail server is down.  :)
>
> -Chris
>
>
>
>> It can depend on the remote host as well. If you have a gmail account
>> send yourself an email from it and send the header along. Here's a header
>> from  a gmail account.
>>
>> Received: from unknown (HELO mail-qk1-f177.google.com) (209.85.222.177)
>>   by myhost.whitehorsetc.com with ESMTPS (ECDHE-RSA-AES128-GCM-SHA256 
>> encrypted)
>>
>>
>> On 8/7/2020 7:12 PM, Chris wrote:
>>
>> When I disabled TLS in spamdyke, I sent myself a message from one of the
>> problematic systems that was known to trigger repeats.  That message's
>> headers indicate qmail did not pick up the TLS encryption:
>>
>> Content-Type: text/html; charset=UTF-8
>> Mime-Version: 1.0
>> X-Ses-Outgoing: 2020.08.07-54.240.37.249
>> Dkim-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
>> s=2ybsbk45dtwlgerewyfzx5qt442lak5j; d=reddit.com; t=1596830148;
>> h=From:To:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID:Date;
>> bh=hrVase2qeFHtu0bLhsrYTx2n7ISeji9Uin83vE7Xdh4=;
>> b=QrrO2K0wMkJ8uIgTRE1XSNq892ay6s7FXgEnkwZY0KaDDViiUV4h5y5HVYIoZjcv
>> wqZ97y/QgJEKnC98NPGJ9bJJnGbdoHUdaxY+VOx52u6nm8ofu3cS3BQELBuid+PMf2Y
>> E+QOoLacnNtusPmpc1+PVwJKNuIGRsk2pCUmk7os=
>> Dkim-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
>> s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1596830148;
>> h=From:To:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID:Date:Feedback-ID;
>> bh=hrVase2qeFHtu0bLhsrYTx2n7ISeji9Uin83vE7Xdh4=;
>> b=V18r7xu5iTXqr9kSFDcX/StzbVKQX9nSXcJ/Q4JoHpVRoK5u2sCNikDVVBghOzeT
>> vInG1XcJaOMYMofcCKv0F8TwYAc253AdkK+b5PRn/eE1C2BucNO73/zCggwTSTI6lZG
>> IMPzOiBk77HYMfSH4YEKQWY7dWSqdQGPX0Glf7Wg=
>> Return-Path: <01000173ca7e6738-e1b4d416-58b8-47ad-8a02-3c9e2696d0c8-000...@amazonses.com>
>> Feedback-Id: 1.us-east-1.UqlFplRllIQtiw+Kq2b87y7uRSu9p66fMici2AQNsMU=:AmazonSES
>> Content-Transfer-Encoding: 7bit
>> Received: (qmail 8880 invoked by uid 89); 7 Aug 2020 19:56:04 -
>> Received: by simscan 1.4.0 ppid: 8871, pid: 8873, t: 2.0387s scanners:
>> attach: 1.4.0 clamav: 0.101.4/m:59/d:25897 spam: 3.4.2
>> *Received: from unknown (HELO a37-249.smtp-out.amazonses.com) (54.240.37.249)
>> by mail.bayhosting.net with SMTP; 7 Aug 2020 19:56:02 -*
>> <01000173ca7e6738-e1b4d416-58b8-47ad-8a02-3c9e2696d0c8-000...@email.amazonses.com>
>> Delivered-To: ckni...@ghostwheel.com
>> Received-Spf: pass (mail.bayhosting.net: SPF record at amazonses.com
>> designates 54.240.37.249 as permitted sender)
>>
>>
>>
>> On Sat, Aug 8, 2020 at 12:59 PM Eric Broch 
>> wrote:
>>
>>> That's the nature of spamdyke. See the documentation. I understand why
>>> it was programmed the way it was, with TLS, so that it could, after
>>> decrypting the email, operate spam blocking techniques. With qmail doing
>>> decryption everything that passes through spamdyke is encrypted so
>>> examining the email is not possible.
>>> tls-level   none, smtp, smtp-no-passthrough or smtps
>>>
>>> none: Do not offer or allow SSL/TLS, even if qmail supports it.
>>>
>>> smtp: If tls-certificate-file is given, offer TLS during the SMTP
>>> conversation and decrypt the traffic. If tls-certificate-file is not
>>> given, allow qmail to offer TLS (if it has been patched to provide TLS) and
>>> pass the encrypted traffic to qmail.
>>>
>>> smtp-no-passthrough: If tls-certificate-file is given, offer TLS during
>>> the SMTP conversation and decrypt the traffic. If tls-certificate-file is
>>> not given, prevent TLS from starting.
>>>
>>> smtps: Initiate a SSL session at the beginning of the connection,
>>> before SMTP begins.
>>>
>>> If tls-level is given multiple times, spamdyke will use the last value
>>> it finds.
>>>
>>> If tls-level is not given, spamdyke will use a value of smtp.
>>>
>>> tls-level is not valid within configuration directories.
>>>
>>> See TLS 
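Chris verifies the result with the LuxSci tester. The same basic check that tester performs (does the MX advertise STARTTLS in its EHLO reply, does the handshake complete, which protocol and cipher result) can be scripted locally. The script below is an added example and not code from this thread, qmailtoaster or spamdyke; it assumes the MX host name is given on the command line and that the server listens on port 25. A server whose spamdyke has tls-level=none, as in Chris's first attempt, shows up here as starttls=False.

```python
import re
import smtplib
import ssl
import sys


def parse_ehlo(reply):
    """Return the ESMTP keywords advertised in an EHLO reply.

    Accepts either the raw wire form ("250-STARTTLS\\r\\n250 8BITMIME") or the
    form smtplib.SMTP.ehlo() returns (status code stripped, bytes). The first
    line is the server's greeting, not a keyword, so it is skipped.
    """
    if isinstance(reply, bytes):
        reply = reply.decode("ascii", "replace")
    lines = [re.sub(r"^250[ -]", "", line).strip()
             for line in reply.splitlines() if line.strip()]
    return {line.split()[0].upper() for line in lines[1:]}


def probe_starttls(host, port=25, verify=True, timeout=10):
    """Connect to an MX, check that STARTTLS is offered, negotiate it and report.

    'starttls' is False when the server never advertises the extension, which is
    what tls-level=none in spamdyke looks like from the outside. With verify=True
    a self-signed servercert.pem fails the handshake; pass verify=False to see
    the negotiated cipher anyway (the 'error' field then stays None).
    """
    result = {"host": host, "starttls": False, "protocol": None,
              "cipher": None, "error": None}
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as s:
            code, msg = s.ehlo()
            if "STARTTLS" not in parse_ehlo(msg):
                return result
            result["starttls"] = True
            s.starttls(context=ctx)
            s.ehlo()                         # RFC 3207: EHLO again inside TLS
            result["protocol"] = s.sock.version()
            result["cipher"] = s.sock.cipher()[0]
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py MXHOST [--no-verify]")
    print(probe_starttls(sys.argv[1], verify="--no-verify" not in sys.argv))
```

Run it once with verification on; if that fails only on the certificate, run it again with --no-verify to confirm the STARTTLS path itself works, then fix the certificate chain separately.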

Re: [qmailtoaster] TLS reason: 503_MAIL_first_(#5.5.1)

2020-08-08 Thread Eric Broch
You can also tell in the mail log (/var/log/maillog) if messages have 
been encrypted, spamdyke will let you know if messages from a certain 
host are using TLS. See this entry:


Aug  8 09:59:45 myhost spamdyke[10388]: TLS_ENCRYPTED from: (unknown) 
to: (unknown) origin_ip: 66.163.185.72 origin_rdns: 
sonic329-10.consmr.mail.ne1.yahoo.com auth: (unknown) encryption: 
TLS_PASSTHROUGH reason: (empty)


On 8/7/2020 8:51 PM, Chris wrote:



On Sat, Aug 8, 2020 at 1:26 PM Eric Broch wrote:


What version of qmail do you have?

qmail-1.03-3.2.qt.el7.x86_64

And, what about the email coming from the qmailtoaster-list? Can
you send that header along?

I send most mailing list emails to my gmail account, so I can 
communicate with the list even if my mail server is down.  :)


-Chris

It can depend on the remote host as well. If you have a gmail
account send yourself an email from it and send the header along.
Here's a header from  a gmail account.

Received: from unknown (HELO mail-qk1-f177.google.com) (209.85.222.177)
  by myhost.whitehorsetc.com with ESMTPS (ECDHE-RSA-AES128-GCM-SHA256 encrypted)


On 8/7/2020 7:12 PM, Chris wrote:

When I disabled TLS in spamdyke, I sent myself a message from one
of the problematic systems that was known to trigger repeats. 
That message's headers indicate qmail did not pick up the TLS
encryption:

Content-Type: text/html; charset=UTF-8
Mime-Version: 1.0
X-Ses-Outgoing: 2020.08.07-54.240.37.249
Dkim-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=2ybsbk45dtwlgerewyfzx5qt442lak5j; d=reddit.com; t=1596830148;
h=From:To:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID:Date;
bh=hrVase2qeFHtu0bLhsrYTx2n7ISeji9Uin83vE7Xdh4=;
b=QrrO2K0wMkJ8uIgTRE1XSNq892ay6s7FXgEnkwZY0KaDDViiUV4h5y5HVYIoZjcv
wqZ97y/QgJEKnC98NPGJ9bJJnGbdoHUdaxY+VOx52u6nm8ofu3cS3BQELBuid+PMf2Y
E+QOoLacnNtusPmpc1+PVwJKNuIGRsk2pCUmk7os=
Dkim-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1596830148;
h=From:To:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID:Date:Feedback-ID;
bh=hrVase2qeFHtu0bLhsrYTx2n7ISeji9Uin83vE7Xdh4=;
b=V18r7xu5iTXqr9kSFDcX/StzbVKQX9nSXcJ/Q4JoHpVRoK5u2sCNikDVVBghOzeT
vInG1XcJaOMYMofcCKv0F8TwYAc253AdkK+b5PRn/eE1C2BucNO73/zCggwTSTI6lZG
IMPzOiBk77HYMfSH4YEKQWY7dWSqdQGPX0Glf7Wg=
Return-Path: <01000173ca7e6738-e1b4d416-58b8-47ad-8a02-3c9e2696d0c8-000...@amazonses.com>
Feedback-Id: 1.us-east-1.UqlFplRllIQtiw+Kq2b87y7uRSu9p66fMici2AQNsMU=:AmazonSES
Content-Transfer-Encoding: 7bit
Received: (qmail 8880 invoked by uid 89); 7 Aug 2020 19:56:04 -
Received: by simscan 1.4.0 ppid: 8871, pid: 8873, t: 2.0387s scanners:
attach: 1.4.0 clamav: 0.101.4/m:59/d:25897 spam: 3.4.2
*Received: from unknown (HELO a37-249.smtp-out.amazonses.com) (54.240.37.249)
by mail.bayhosting.net with SMTP; 7 Aug 2020 19:56:02 -*
<01000173ca7e6738-e1b4d416-58b8-47ad-8a02-3c9e2696d0c8-000...@email.amazonses.com>
Delivered-To: ckni...@ghostwheel.com
Received-Spf: pass (mail.bayhosting.net: SPF record at amazonses.com
designates 54.240.37.249 as permitted sender)



On Sat, Aug 8, 2020 at 12:59 PM Eric Broch wrote:

That's the nature of spamdyke. See the documentation. I
understand why it was programmed the way it was, with TLS, so
that it could, after decrypting the email, operate spam
blocking techniques. With qmail doing decryption everything
that passes through spamdyke is encrypted so examining the
email is not possible.

tls-level    none, smtp, smtp-no-passthrough or smtps

none: Do not offer or allow SSL/TLS, even if qmail supports it.

smtp: If tls-certificate-file is given, offer TLS during
the SMTP conversation and decrypt the traffic.
If tls-certificate-file is not given, allow qmail to offer
TLS (if it has been patched to provide TLS) and pass the
encrypted traffic to qmail.

smtp-no-passthrough: If tls-certificate-file is given,
offer TLS during the SMTP conversation and decrypt the
traffic. If tls-certificate-file is not given, prevent TLS
from starting.

smtps: Initiate a SSL session at the
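The maillog entry Eric points at has a fixed field layout (verdict, from, to, origin_ip, origin_rdns, auth, encryption, reason), so cleartext sessions and the "who terminated TLS" question can be answered mechanically over a whole log instead of by eye. The script below is an added example, not part of spamdyke or of this thread. The log lines in it are constructed after the entry quoted above and the 2019 DENIED_OTHER entry from earlier in the thread; the "(none)" value used for a cleartext session is an assumption made for the sample, so adjust `classify_encryption` if your spamdyke build logs it differently.

```python
import re
import sys
from collections import Counter

# Constructed sample lines modelled on the spamdyke maillog entries quoted in
# this thread; hosts, addresses, PIDs and timestamps are made up for the example.
SAMPLE_LOG = """\
Aug  8 09:59:45 myhost spamdyke[10388]: TLS_ENCRYPTED from: (unknown) to: (unknown) origin_ip: 66.163.185.72 origin_rdns: sonic329-10.consmr.mail.ne1.yahoo.com auth: (unknown) encryption: TLS_PASSTHROUGH reason: (empty)
Aug  8 10:02:11 myhost spamdyke[10402]: ALLOWED from: alice@example.org to: bob@example.net origin_ip: 203.0.113.7 origin_rdns: mx.example.org auth: (unknown) encryption: (none) reason: (empty)
Aug  8 10:05:30 myhost spamdyke[10417]: DENIED_OTHER from: carol@sender.example to: dave@example.net origin_ip: 198.51.100.9 origin_rdns: out.sender.example auth: (unknown) encryption: TLS reason: 503_MAIL_first_(#5.5.1)
"""

LINE_RE = re.compile(
    r"spamdyke\[(?P<pid>\d+)\]: (?P<verdict>\S+) from: (?P<mail_from>\S+) "
    r"to: (?P<rcpt_to>\S+) origin_ip: (?P<ip>\S+) origin_rdns: (?P<rdns>\S+) "
    r"auth: (?P<auth>\S+) encryption: (?P<encryption>\S+) reason: (?P<reason>.*)$"
)


def classify_encryption(value):
    """Map spamdyke's 'encryption:' field to who terminated TLS.

    *_PASSTHROUGH means spamdyke handed the still-encrypted stream to qmail
    (tls-level=smtp without tls-certificate-file). TLS or SSL without the
    suffix means spamdyke itself decrypted (tls-certificate-file set).
    Anything else, "(none)" in the constructed sample, is a cleartext session.
    """
    if "PASSTHROUGH" in value:
        return "tls-by-qmail"
    if value.startswith(("TLS", "SSL")):
        return "tls-by-spamdyke"
    return "cleartext"


def parse_spamdyke_log(text):
    """Return one dict per spamdyke log line, with a 'tls_handler' verdict added."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue                          # not a spamdyke verdict line
        rec = m.groupdict()
        rec["tls_handler"] = classify_encryption(rec["encryption"])
        records.append(rec)
    return records


def summarize(records):
    """Count sessions per (origin_rdns, tls_handler) so cleartext senders stand out."""
    return Counter((r["rdns"], r["tls_handler"]) for r in records)


def rejected_during_tls(records):
    """Sessions that were encrypted yet rejected, e.g. the 503_MAIL_first case."""
    return [r for r in records
            if r["verdict"].startswith("DENIED") and r["tls_handler"] != "cleartext"]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    recs = parse_spamdyke_log(text)
    for (rdns, handler), n in sorted(summarize(recs).items()):
        print(f"{n:6d}  {handler:16s} {rdns}")
    for r in rejected_during_tls(recs):
        print(f"rejected in TLS: {r['rdns']} ({r['encryption']}) reason={r['reason']}")
```

Run it against /var/log/maillog (or a rotated copy) to get a per-sender table; a sender that only ever shows up as "cleartext" after you expected TLS_PASSTHROUGH is the one to test against, as Chris did with the Amazon SES host.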

Re: [qmailtoaster] TLS reason: 503_MAIL_first_(#5.5.1)

2020-08-07 Thread Chris
On Sat, Aug 8, 2020 at 1:26 PM Eric Broch  wrote:

> What version of qmail do you have?
>
qmail-1.03-3.2.qt.el7.x86_64

>
> And, what about the email coming from the qmailtoaster-list? Can you send
> that header along?
>
I send most mailing list emails to my gmail account, so I can communicate
with the list even if my mail server is down.  :)

-Chris



> It can depend on the remote host as well. If you have a gmail account send
> yourself an email from it and send the header along. Here's a header from
> a gmail account.
>
> Received: from unknown (HELO mail-qk1-f177.google.com) (209.85.222.177)
>   by myhost.whitehorsetc.com with ESMTPS (ECDHE-RSA-AES128-GCM-SHA256 
> encrypted)
>
>
> On 8/7/2020 7:12 PM, Chris wrote:
>
> When I disabled TLS in spamdyke, I sent myself a message from one of the
> problematic systems that was known to trigger repeats.  That message's
> headers indicate qmail did not pick up the TLS encryption:
>
> Content-Type: text/html; charset=UTF-8
> Mime-Version: 1.0
> X-Ses-Outgoing: 2020.08.07-54.240.37.249
> Dkim-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
> s=2ybsbk45dtwlgerewyfzx5qt442lak5j; d=reddit.com; t=1596830148;
> h=From:To:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID:Date;
> bh=hrVase2qeFHtu0bLhsrYTx2n7ISeji9Uin83vE7Xdh4=;
> b=QrrO2K0wMkJ8uIgTRE1XSNq892ay6s7FXgEnkwZY0KaDDViiUV4h5y5HVYIoZjcv
> wqZ97y/QgJEKnC98NPGJ9bJJnGbdoHUdaxY+VOx52u6nm8ofu3cS3BQELBuid+PMf2Y
> E+QOoLacnNtusPmpc1+PVwJKNuIGRsk2pCUmk7os=
> Dkim-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
> s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1596830148;
> h=From:To:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID:Date:Feedback-ID;
> bh=hrVase2qeFHtu0bLhsrYTx2n7ISeji9Uin83vE7Xdh4=;
> b=V18r7xu5iTXqr9kSFDcX/StzbVKQX9nSXcJ/Q4JoHpVRoK5u2sCNikDVVBghOzeT
> vInG1XcJaOMYMofcCKv0F8TwYAc253AdkK+b5PRn/eE1C2BucNO73/zCggwTSTI6lZG
> IMPzOiBk77HYMfSH4YEKQWY7dWSqdQGPX0Glf7Wg=
> Return-Path: <01000173ca7e6738-e1b4d416-58b8-47ad-8a02-3c9e2696d0c8-000...@amazonses.com>
> Feedback-Id: 1.us-east-1.UqlFplRllIQtiw+Kq2b87y7uRSu9p66fMici2AQNsMU=:AmazonSES
> Content-Transfer-Encoding: 7bit
> Received: (qmail 8880 invoked by uid 89); 7 Aug 2020 19:56:04 -
> Received: by simscan 1.4.0 ppid: 8871, pid: 8873, t: 2.0387s scanners:
> attach: 1.4.0 clamav: 0.101.4/m:59/d:25897 spam: 3.4.2
> *Received: from unknown (HELO a37-249.smtp-out.amazonses.com) (54.240.37.249)
> by mail.bayhosting.net with SMTP; 7 Aug 2020 19:56:02 -*
> <01000173ca7e6738-e1b4d416-58b8-47ad-8a02-3c9e2696d0c8-000...@email.amazonses.com>
> Delivered-To: ckni...@ghostwheel.com
> Received-Spf: pass (mail.bayhosting.net: SPF record at amazonses.com
> designates 54.240.37.249 as permitted sender)
>
>
>
> On Sat, Aug 8, 2020 at 12:59 PM Eric Broch 
> wrote:
>
>> That's the nature of spamdyke. See the documentation. I understand why it
>> was programmed the way it was, with TLS, so that it could, after decrypting
>> the email, operate spam blocking techniques. With qmail doing decryption
>> everything that passes through spamdyke is encrypted so examining the email
>> is not possible.
>> tls-level   none, smtp, smtp-no-passthrough or smtps
>>
>> none: Do not offer or allow SSL/TLS, even if qmail supports it.
>>
>> smtp: If tls-certificate-file is given, offer TLS during the SMTP
>> conversation and decrypt the traffic. If tls-certificate-file is not
>> given, allow qmail to offer TLS (if it has been patched to provide TLS) and
>> pass the encrypted traffic to qmail.
>>
>> smtp-no-passthrough: If tls-certificate-file is given, offer TLS during
>> the SMTP conversation and decrypt the traffic. If tls-certificate-file is
>> not given, prevent TLS from starting.
>>
>> smtps: Initiate a SSL session at the beginning of the connection, before
>> SMTP begins.
>>
>> If tls-level is given multiple times, spamdyke will use the last value
>> it finds.
>>
>> If tls-level is not given, spamdyke will use a value of smtp.
>>
>> tls-level is not valid within configuration directories.
>>
>> See TLS for details.
>>
>>
>> Qmail will pick up TLS negotiation if spamdyke is disabled. You can check
>> the headers of incoming email to confirm.
>>
>> Received: from unknown (HELO mail.qmailtoaster.com) (162.213.42.64)
>>   by myhost.whitehorsetc.com with ESMTPS (DHE-RSA-AES256-SHA encrypted);
>>
>> or in older TLS patches
>>
>> Received: from unknown (HELO mail.qmailtoaster.com) (162.213.42.64)
>>   by myhost.whitehorsetc.com with SMTP (DHE-RSA-AES256-SHA encrypted);
>>
>>
>>
>>
>> On 8/7/2020 6:36 PM, Chris wrote:
>>
>> Why does 'Setting tls-level=none turns of ALL TLS even in qmail's
>> offering' when it's a spamdyke config file, not qmail?
>>
>> What if I think spamdyke is part of my multi-delivery problem?  If I take
>> spamdyke out of the 

Re: [qmailtoaster] TLS reason: 503_MAIL_first_(#5.5.1)

2020-08-07 Thread Eric Broch

What version of qmail do you have?

And, what about the email coming from the qmailtoaster-list? Can you 
send that header along?


It can depend on the remote host as well. If you have a gmail account 
send yourself an email from it and send the header along. Here's a 
header from  a gmail account.


Received: from unknown (HELO mail-qk1-f177.google.com) (209.85.222.177)
  by myhost.whitehorsetc.com with ESMTPS (ECDHE-RSA-AES128-GCM-SHA256 encrypted)


On 8/7/2020 7:12 PM, Chris wrote:
When I disabled TLS in spamdyke, I sent myself a message from one of 
the problematic systems that was known to trigger repeats.  That 
message's headers indicate qmail did not pick up the TLS encryption:


Content-Type: text/html; charset=UTF-8
Mime-Version: 1.0
X-Ses-Outgoing: 2020.08.07-54.240.37.249
Dkim-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=2ybsbk45dtwlgerewyfzx5qt442lak5j; d=reddit.com; t=1596830148;
h=From:To:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID:Date;
bh=hrVase2qeFHtu0bLhsrYTx2n7ISeji9Uin83vE7Xdh4=;
b=QrrO2K0wMkJ8uIgTRE1XSNq892ay6s7FXgEnkwZY0KaDDViiUV4h5y5HVYIoZjcv
wqZ97y/QgJEKnC98NPGJ9bJJnGbdoHUdaxY+VOx52u6nm8ofu3cS3BQELBuid+PMf2Y
E+QOoLacnNtusPmpc1+PVwJKNuIGRsk2pCUmk7os=
Dkim-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1596830148;
h=From:To:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID:Date:Feedback-ID;
bh=hrVase2qeFHtu0bLhsrYTx2n7ISeji9Uin83vE7Xdh4=;
b=V18r7xu5iTXqr9kSFDcX/StzbVKQX9nSXcJ/Q4JoHpVRoK5u2sCNikDVVBghOzeT
vInG1XcJaOMYMofcCKv0F8TwYAc253AdkK+b5PRn/eE1C2BucNO73/zCggwTSTI6lZG
IMPzOiBk77HYMfSH4YEKQWY7dWSqdQGPX0Glf7Wg=
Return-Path: <01000173ca7e6738-e1b4d416-58b8-47ad-8a02-3c9e2696d0c8-000...@amazonses.com>
Feedback-Id: 1.us-east-1.UqlFplRllIQtiw+Kq2b87y7uRSu9p66fMici2AQNsMU=:AmazonSES
Content-Transfer-Encoding: 7bit
Received: (qmail 8880 invoked by uid 89); 7 Aug 2020 19:56:04 -
Received: by simscan 1.4.0 ppid: 8871, pid: 8873, t: 2.0387s scanners:
attach: 1.4.0 clamav: 0.101.4/m:59/d:25897 spam: 3.4.2
*Received: from unknown (HELO a37-249.smtp-out.amazonses.com) (54.240.37.249)
by mail.bayhosting.net with SMTP; 7 Aug 2020 19:56:02 -*
<01000173ca7e6738-e1b4d416-58b8-47ad-8a02-3c9e2696d0c8-000...@email.amazonses.com>
Delivered-To: ckni...@ghostwheel.com
Received-Spf: pass (mail.bayhosting.net: SPF record at amazonses.com
designates 54.240.37.249 as permitted sender)




On Sat, Aug 8, 2020 at 12:59 PM Eric Broch wrote:


That's the nature of spamdyke. See the documentation. I understand
why it was programmed the way it was, with TLS, so that it could,
after decrypting the email, operate spam blocking techniques. With
qmail doing decryption everything that passes through spamdyke is
encrypted so examining the email is not possible.

tls-level    none, smtp, smtp-no-passthrough or smtps

none: Do not offer or allow SSL/TLS, even if qmail supports it.

smtp: If tls-certificate-file is given, offer TLS during the
SMTP conversation and decrypt the traffic.
If tls-certificate-file is not given, allow qmail to offer TLS (if
it has been patched to provide TLS) and pass the encrypted traffic
to qmail.

smtp-no-passthrough: If tls-certificate-file is given, offer TLS
during the SMTP conversation and decrypt the traffic.
If tls-certificate-file is not given, prevent TLS from starting.

smtps: Initiate a SSL session at the beginning of the
connection, before SMTP begins.

If tls-level is given multiple times, spamdyke will use the last
value it finds.

If tls-level is not given, spamdyke will use a value of smtp.

tls-level is not valid within configuration directories.

See TLS for details.



Qmail will pick up TLS negotiation if spamdyke is disabled. You
can check the headers of incoming email to confirm.

Received: from unknown (HELO mail.qmailtoaster.com) (162.213.42.64)
  by myhost.whitehorsetc.com with ESMTPS (DHE-RSA-AES256-SHA encrypted);

or in older TLS patches

Received: from unknown (HELO mail.qmailtoaster.com) (162.213.42.64)
  by myhost.whitehorsetc.com with SMTP (DHE-RSA-AES256-SHA encrypted);



On 8/7/2020 6:36 PM, Chris wrote:

Why does 'Setting 

Re: [qmailtoaster] TLS reason: 503_MAIL_first_(#5.5.1)

2020-08-07 Thread Chris
When I disabled TLS in spamdyke, I sent myself a message from one of the
problematic systems that was known to trigger repeats.  That message's
headers indicate qmail did not pick up the TLS encryption:

Content-Type: text/html; charset=UTF-8
Mime-Version: 1.0
X-Ses-Outgoing: 2020.08.07-54.240.37.249
Dkim-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=2ybsbk45dtwlgerewyfzx5qt442lak5j; d=reddit.com; t=1596830148;
h=From:To:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID:Date;
bh=hrVase2qeFHtu0bLhsrYTx2n7ISeji9Uin83vE7Xdh4=;
b=QrrO2K0wMkJ8uIgTRE1XSNq892ay6s7FXgEnkwZY0KaDDViiUV4h5y5HVYIoZjcv
wqZ97y/QgJEKnC98NPGJ9bJJnGbdoHUdaxY+VOx52u6nm8ofu3cS3BQELBuid+PMf2Y
E+QOoLacnNtusPmpc1+PVwJKNuIGRsk2pCUmk7os=
Dkim-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1596830148;
h=From:To:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID:Date:Feedback-ID;
bh=hrVase2qeFHtu0bLhsrYTx2n7ISeji9Uin83vE7Xdh4=;
b=V18r7xu5iTXqr9kSFDcX/StzbVKQX9nSXcJ/Q4JoHpVRoK5u2sCNikDVVBghOzeT
vInG1XcJaOMYMofcCKv0F8TwYAc253AdkK+b5PRn/eE1C2BucNO73/zCggwTSTI6lZG
IMPzOiBk77HYMfSH4YEKQWY7dWSqdQGPX0Glf7Wg=
Return-Path: <01000173ca7e6738-e1b4d416-58b8-47ad-8a02-3c9e2696d0c8-000...@amazonses.com>
Feedback-Id: 1.us-east-1.UqlFplRllIQtiw+Kq2b87y7uRSu9p66fMici2AQNsMU=:AmazonSES
Content-Transfer-Encoding: 7bit
Received: (qmail 8880 invoked by uid 89); 7 Aug 2020 19:56:04 -
Received: by simscan 1.4.0 ppid: 8871, pid: 8873, t: 2.0387s scanners:
attach: 1.4.0 clamav: 0.101.4/m:59/d:25897 spam: 3.4.2
*Received: from unknown (HELO a37-249.smtp-out.amazonses.com) (54.240.37.249)
by mail.bayhosting.net with SMTP; 7 Aug 2020 19:56:02 -*
<01000173ca7e6738-e1b4d416-58b8-47ad-8a02-3c9e2696d0c8-000...@email.amazonses.com>
Delivered-To: ckni...@ghostwheel.com
Received-Spf: pass (mail.bayhosting.net: SPF record at amazonses.com
designates 54.240.37.249 as permitted sender)



On Sat, Aug 8, 2020 at 12:59 PM Eric Broch  wrote:

> That's the nature of spamdyke. See the documentation. I understand why it
> was programmed the way it was, with TLS, so that it could, after decrypting
> the email, operate spam blocking techniques. With qmail doing decryption
> everything that passes through spamdyke is encrypted so examining the email
> is not possible.
> tls-level   none, smtp, smtp-no-passthrough or smtps
>
> none: Do not offer or allow SSL/TLS, even if qmail supports it.
>
> smtp: If tls-certificate-file is given, offer TLS during the SMTP
> conversation and decrypt the traffic. If tls-certificate-file is not
> given, allow qmail to offer TLS (if it has been patched to provide TLS) and
> pass the encrypted traffic to qmail.
>
> smtp-no-passthrough: If tls-certificate-file is given, offer TLS during
> the SMTP conversation and decrypt the traffic. If tls-certificate-file is
> not given, prevent TLS from starting.
>
> smtps: Initiate a SSL session at the beginning of the connection, before
> SMTP begins.
>
> If tls-level is given multiple times, spamdyke will use the last value it
> finds.
>
> If tls-level is not given, spamdyke will use a value of smtp.
>
> tls-level is not valid within configuration directories.
>
> See TLS for details.
>
>
> Qmail will pick up TLS negotiation if spamdyke is disabled. You can check
> the headers of incoming email to confirm.
>
> Received: from unknown (HELO mail.qmailtoaster.com) (162.213.42.64)
>   by myhost.whitehorsetc.com with ESMTPS (DHE-RSA-AES256-SHA encrypted);
>
> or in older TLS patches
>
> Received: from unknown (HELO mail.qmailtoaster.com) (162.213.42.64)
>   by myhost.whitehorsetc.com with SMTP (DHE-RSA-AES256-SHA encrypted);
>
>
>
>
> On 8/7/2020 6:36 PM, Chris wrote:
>
> Why does 'Setting tls-level=none turns of ALL TLS even in qmail's
> offering' when it's a spamdyke config file, not qmail?
>
> What if I think spamdyke is part of my multi-delivery problem?  If I take
> spamdyke out of the equation in smtp/run how do I get qmail to pick up the
> TLS negotiation?
>
> On Sat, Aug 8, 2020 at 12:28 PM Eric Broch 
> wrote:
>
>> I'm not sure I like how spamdyke handles tls, though I don't know another
>> way one would do it.
>>
>> Setting tls-level=none turns of ALL TLS even in qmail's offering.
>>
>> If you want qmail to handle TLS comment the certificate file:
>>
>> #tls-certificate-file=/var/qmail/control/servercert.pem
>>
>> However, if you do this, spamdyke (I think) will not work anymore because
>> all traffic through it is now encrypted (you could check if I'm correct on
>> the spamdyke mailing list).
>> On 8/7/2020 6:13 PM, Chris wrote:
>>
>> I know I'm responding to a really old thread here, but I stumbled upon
>> this trying to solve another issue.
>>
>> When I set tls-level=none in /opt/spamdyke/etc/spamdyke.conf and reboot,
>> I now 

Re: [qmailtoaster] TLS reason: 503_MAIL_first_(#5.5.1)

2020-08-07 Thread Eric Broch
That's the nature of spamdyke. See the documentation. I understand why 
it was programmed the way it was, with TLS, so that it could, after 
decrypting the email, operate spam blocking techniques. With qmail doing 
decryption everything that passes through spamdyke is encrypted so 
examining the email is not possible.


tls-level    none, smtp, smtp-no-passthrough or smtps

none: Do not offer or allow SSL/TLS, even if qmail supports it.

smtp: If tls-certificate-file is given, offer TLS during the SMTP
conversation and decrypt the traffic. If tls-certificate-file is not
given, allow qmail to offer TLS (if it has been patched to provide TLS)
and pass the encrypted traffic to qmail.

smtp-no-passthrough: If tls-certificate-file is given, offer TLS
during the SMTP conversation and decrypt the traffic.
If tls-certificate-file is not given, prevent TLS from starting.

smtps: Initiate a SSL session at the beginning of the connection,
before SMTP begins.

If tls-level is given multiple times, spamdyke will use the last value
it finds.

If tls-level is not given, spamdyke will use a value of smtp.

tls-level is not valid within configuration directories.

See TLS for details.



Qmail will pick up TLS negotiation if spamdyke is disabled. You can 
check the headers of incoming email to confirm.


Received: from unknown (HELO mail.qmailtoaster.com) (162.213.42.64)
  by myhost.whitehorsetc.com with ESMTPS (DHE-RSA-AES256-SHA encrypted);

or in older TLS patches

Received: from unknown (HELO mail.qmailtoaster.com) (162.213.42.64)
  by myhost.whitehorsetc.com with SMTP (DHE-RSA-AES256-SHA encrypted);



On 8/7/2020 6:36 PM, Chris wrote:
Why does 'Setting tls-level=none turns of ALL TLS even in qmail's 
offering' when it's a spamdyke config file, not qmail?


What if I think spamdyke is part of my multi-delivery problem?  If I 
take spamdyke out of the equation in smtp/run how do I get qmail to 
pick up the TLS negotiation?


On Sat, Aug 8, 2020 at 12:28 PM Eric Broch wrote:


I'm not sure I like how spamdyke handles tls, though I don't know
another way one would do it.

Setting tls-level=none turns of ALL TLS even in qmail's offering.

If you want qmail to handle TLS comment the certificate file:

#tls-certificate-file=/var/qmail/control/servercert.pem

However, if you do this, spamdyke (I think) will not work anymore
because all traffic through it is now encrypted (you could check
if I'm correct on the spamdyke mailing list).

On 8/7/2020 6:13 PM, Chris wrote:

I know I'm responding to a really old thread here, but I stumbled
upon this trying to solve another issue.

When I set tls-level=none in /opt/spamdyke/etc/spamdyke.conf and
reboot, I now completely fail the SMTP TLS checker at
https://luxsci.com/smtp-tls-checker
It would appear that qmail isn't doing the tls at all.

Where are the settings to telling qmail to handle the tls? Is it
in the run file, or elsewhere?

On Wed, Jun 19, 2019 at 3:14 AM Eric Broch wrote:

In /etc/spamdyke/spamdyke.conf set 'tls-level' to 'none'.

tls-level=none

allow qmail to do the tls and see if it works.


On 6/18/2019 9:07 AM, Rajesh M wrote:

eric

in the spamdyke.conf i can see this
tls-certificate-file=/var/qmail/control/servercert.pem

also i am using the
/var/qmail/control/servercert.pem
for domain key signing of outgoing emails.

rajesh

- Original Message -
From: Eric Broch [mailto:ebr...@whitehorsetc.com]
To: qmailtoaster-list@qmailtoaster.com

Sent: Tue, 18 Jun 2019 08:52:13 -0600
Subject:

So you have spamdyke doing the TLS?

On 6/18/2019 8:38 AM, Rajesh M wrote:

Hi

ISSUE 1
all of a sudden we are receiving error on one of our servers for one 
specific sender domain (sending from microsoft server)

the sender domain is not able to send emails to the recepient domain on 
our server. The email bounces with the following error
encryption: TLS reason: 503_MAIL_first_(#5.5.1)

06/18/2019 19:33:16 LOG OUTPUT TLS
DENIED_OTHER from: rethish.n...@sender.com to: nominati...@dxb.recepient.com
origin_ip: 40.107.69.126 origin_rdns: mail-eopbgr690126.outbound.protection.outlook.com
auth: (unknown) encryption: TLS reason: 503_MAIL_first_(#5.5.1)
06/18/2019 19:33:16 FROM REMOTE TO CHILD: 6 bytes TLS
QUIT
06/18/2019 19:33:16 LOG OUTPUT TLS
ERROR(tls_write()@tls.c:678): unable to write to SSL/TLS stream: The
operation failed due to an I/O error,
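The Received lines Eric quotes above are the evidence the whole thread turns on: the qmail TLS patch records "with ESMTPS (cipher encrypted)", older patches record "with SMTP (cipher encrypted)", and a bare "with SMTP;" means that hop arrived in cleartext. The script below walks a message's Received chain and labels each external hop accordingly. It is an added example, not code from this thread or from qmail; the message it parses is constructed from the Received lines quoted in the thread (the -0000 timezone suffix, the From/To/Subject lines and the hop order are made up for the sample).

```python
import re
import sys
from email import message_from_string

# Constructed test message: the Received lines follow the ones quoted in this
# thread; the timezone suffix and the remaining headers are made up.
SAMPLE_MESSAGE = """\
Received: (qmail 8880 invoked by uid 89); 7 Aug 2020 19:56:04 -0000
Received: by simscan 1.4.0 ppid: 8871, pid: 8873, t: 2.0387s scanners:
 attach: 1.4.0 clamav: 0.101.4/m:59/d:25897 spam: 3.4.2
Received: from unknown (HELO a37-249.smtp-out.amazonses.com) (54.240.37.249)
 by mail.bayhosting.net with SMTP; 7 Aug 2020 19:56:02 -0000
Received: from unknown (HELO mail-qk1-f177.google.com) (209.85.222.177)
 by myhost.whitehorsetc.com with ESMTPS (ECDHE-RSA-AES128-GCM-SHA256 encrypted);
 7 Aug 2020 19:55:00 -0000
Received: from unknown (HELO mail.qmailtoaster.com) (162.213.42.64)
 by myhost.whitehorsetc.com with SMTP (DHE-RSA-AES256-SHA encrypted);
 7 Aug 2020 19:54:00 -0000
From: sender@example.org
To: ckni...@ghostwheel.com
Subject: TLS test

body
"""

# qmail-smtpd (TLS patch) hop format:
#   from RDNS (HELO NAME) (IP) by HOST with PROTO [(CIPHER encrypted)]; DATE
# The cipher clause is present only when the session was encrypted; older
# patches keep "SMTP" as PROTO but still add the clause.
HOP_RE = re.compile(
    r"from (?P<rdns>\S+) \(HELO (?P<helo>[^)]+)\) \((?P<ip>[^)]+)\)\s+"
    r"by (?P<by>\S+) with (?P<proto>[A-Z]+)(?: \((?P<cipher>[^)]+) encrypted\))?"
)


def inbound_hops(raw_message):
    """Return the external SMTP hops of a message, newest first, with a TLS verdict."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())       # unfold continuation lines
        m = HOP_RE.search(text)
        if m is None:
            continue                         # local hops (qmail-queue, simscan) have no peer
        hop = m.groupdict()
        hop["encrypted"] = hop["cipher"] is not None
        hops.append(hop)
    return hops


def cleartext_senders(raw_message):
    """HELO names of every hop that reached us without TLS; empty means all were encrypted."""
    return [h["helo"] for h in inbound_hops(raw_message) if not h["encrypted"]]


def describe(hop):
    status = f"TLS ({hop['cipher']})" if hop["encrypted"] else "CLEARTEXT"
    return f"{hop['helo']} [{hop['ip']}] -> {hop['by']} via {hop['proto']}: {status}"


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_MESSAGE
    for hop in inbound_hops(raw):
        print(describe(hop))
```

Pipe a raw message from a Maildir into it; the first hop it prints is the one that entered your own MX, which is the only hop your spamdyke/qmail configuration can influence. Earlier hops report what other servers did and say nothing about your setup.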

Re: [qmailtoaster] TLS reason: 503_MAIL_first_(#5.5.1)

2020-08-07 Thread Chris
Why does 'Setting tls-level=none turns of ALL TLS even in qmail's offering'
when it's a spamdyke config file, not qmail?

What if I think spamdyke is part of my multi-delivery problem?  If I take
spamdyke out of the equation in smtp/run how do I get qmail to pick up the
TLS negotiation?

On Sat, Aug 8, 2020 at 12:28 PM Eric Broch  wrote:

> I'm not sure I like how spamdyke handles tls, though I don't know another
> way one would do it.
>
> Setting tls-level=none turns of ALL TLS even in qmail's offering.
>
> If you want qmail to handle TLS comment the certificate file:
>
> #tls-certificate-file=/var/qmail/control/servercert.pem
>
> However, if you do this, spamdyke (I think) will not work anymore because
> all traffic through it is now encrypted (you could check if I'm correct on
> the spamdyke mailing list).
> On 8/7/2020 6:13 PM, Chris wrote:
>
> I know I'm responding to a really old thread here, but I stumbled upon
> this trying to solve another issue.
>
> When I set tls-level=none in /opt/spamdyke/etc/spamdyke.conf and reboot,
> I now completely fail the SMTP TLS checker at
> https://luxsci.com/smtp-tls-checker
> It would appear that qmail isn't doing the tls at all.
>
> Where are the settings to telling qmail to handle the tls? Is it in the
> run file, or elsewhere?
>
> On Wed, Jun 19, 2019 at 3:14 AM Eric Broch 
> wrote:
>
>> In /etc/spamdyke/spamdyke.conf set 'tls-level' to 'none'.
>>
>> tls-level=none
>>
>> allow qmail to do the tls and see if it works.
>>
>>
>> On 6/18/2019 9:07 AM, Rajesh M wrote:
>>
>> eric
>>
>> in the spamdyke.conf i can see this
>> tls-certificate-file=/var/qmail/control/servercert.pem
>>
>> also i am using the
>> /var/qmail/control/servercert.pem
>> for domain key signing of outgoing emails.
>>
>> rajesh
>>
>> - Original Message -
>> From: Eric Broch [mailto:ebr...@whitehorsetc.com]
>> To: qmailtoaster-list@qmailtoaster.com
>> Sent: Tue, 18 Jun 2019 08:52:13 -0600
>> Subject:
>>
>> So you have spamdyke doing the TLS?
>>

Re: [qmailtoaster] TLS reason: 503_MAIL_first_(#5.5.1)

2020-08-07 Thread Eric Broch
I'm not sure I like how spamdyke handles TLS, though I don't know 
another way one would do it.


Setting tls-level=none turns off ALL TLS, even in qmail's offering.

If you want qmail to handle TLS, comment out the certificate file:

#tls-certificate-file=/var/qmail/control/servercert.pem

However, if you do this, spamdyke (I think) will not work anymore 
because all traffic through it is now encrypted (you could check if I'm 
correct on the spamdyke mailing list).


On 8/7/2020 6:13 PM, Chris wrote:
I know I'm responding to a really old thread here, but I stumbled upon 
this trying to solve another issue.


When I set tls-level=none in /opt/spamdyke/etc/spamdyke.conf and 
reboot, I now completely fail the SMTP TLS checker at 
https://luxsci.com/smtp-tls-checker

It would appear that qmail isn't doing the TLS at all.

Where are the settings telling qmail to handle the TLS? Is it in 
the run file, or elsewhere?


On Wed, Jun 19, 2019 at 3:14 AM Eric Broch wrote:


In /etc/spamdyke/spamdyke.conf set 'tls-level' to 'none'.

tls-level=none

Allow qmail to do the TLS and see if it works.


On 6/18/2019 9:07 AM, Rajesh M wrote:

eric

In spamdyke.conf I can see this:
tls-certificate-file=/var/qmail/control/servercert.pem

Also I am using
/var/qmail/control/servercert.pem
for domain key signing of outgoing emails.

rajesh

- Original Message -
From: Eric Broch [mailto:ebr...@whitehorsetc.com]
To:qmailtoaster-list@qmailtoaster.com  

Sent: Tue, 18 Jun 2019 08:52:13 -0600
Subject:

So you have spamdyke doing the TLS?


Re: [qmailtoaster] TLS reason: 503_MAIL_first_(#5.5.1)

2020-08-07 Thread Chris
I know I'm responding to a really old thread here, but I stumbled upon this
trying to solve another issue.

When I set tls-level=none in /opt/spamdyke/etc/spamdyke.conf and reboot, I
now completely fail the SMTP TLS checker at
https://luxsci.com/smtp-tls-checker
It would appear that qmail isn't doing the TLS at all.

Where are the settings telling qmail to handle the TLS? Is it in the run
file, or elsewhere?

On Wed, Jun 19, 2019 at 3:14 AM Eric Broch  wrote:

> In /etc/spamdyke/spamdyke.conf set 'tls-level' to 'none'.
>
> tls-level=none
>
> Allow qmail to do the TLS and see if it works.
>
>
> On 6/18/2019 9:07 AM, Rajesh M wrote:
>
> eric
>
> In spamdyke.conf I can see this:
> tls-certificate-file=/var/qmail/control/servercert.pem
>
> Also I am using
> /var/qmail/control/servercert.pem
> for domain key signing of outgoing emails.
>
> rajesh
>
> - Original Message -
> From: Eric Broch [mailto:ebr...@whitehorsetc.com]
> To: qmailtoaster-list@qmailtoaster.com
> Sent: Tue, 18 Jun 2019 08:52:13 -0600
> Subject:
>
> So you have spamdyke doing the TLS?
>
> 
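
Chris judged the outcome of each spamdyke.conf change by whether an external SMTP TLS checker passed or failed. The script below does that check locally and is an added example, not code from the qmailtoaster list, spamdyke or qmail: it connects to port 25, looks for STARTTLS in the EHLO reply, negotiates TLS and reports protocol and cipher, which is enough to tell whether a given tls-level / tls-certificate-file combination leaves STARTTLS offered by spamdyke, by qmail, or by neither. The two embedded EHLO replies are constructed samples (the hostname is the one from Rajesh's log, the extension lists are invented), and the set of protocol versions flagged as weak is an assumption of this example.

```python
"""Check whether an SMTP server offers and completes STARTTLS on port 25.

Added example, not code from the qmailtoaster list, spamdyke or qmail. It does
locally what an external SMTP TLS checker does: EHLO, look for STARTTLS among
the advertised extensions, negotiate TLS, report protocol and cipher.
"""
import smtplib
import ssl
import sys

# Constructed EHLO replies, as seen with `telnet host 25` followed by EHLO.
# The hostname is the one from Rajesh's log; the extension lists are invented.
SAMPLE_EHLO_WITH_STARTTLS = """\
250-ns1.HOSTNAME.com
250-PIPELINING
250-8BITMIME
250-SIZE 20971520
250-STARTTLS
250 AUTH LOGIN PLAIN
"""

SAMPLE_EHLO_NO_STARTTLS = """\
250-ns1.HOSTNAME.com
250-PIPELINING
250-8BITMIME
250 AUTH LOGIN PLAIN
"""

# Protocol versions a checker should flag (assumption of this example).
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def parse_ehlo(text):
    """Return {EXTENSION: params} from a raw multi-line EHLO reply.

    The first 250 line is the greeting (the server's hostname), not an
    extension; any other reply code means EHLO was refused.
    """
    lines = [ln.rstrip("\r") for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0][:3] != "250":
        raise ValueError("EHLO not accepted: %r" % (lines[:1],))
    extensions = {}
    for ln in lines[1:]:
        if ln[:3] != "250" or ln[3:4] not in ("-", " "):
            raise ValueError("malformed EHLO line: %r" % (ln,))
        keyword, _, params = ln[4:].partition(" ")
        extensions[keyword.upper()] = params
    return extensions


def starttls_advertised(ehlo_text):
    return "STARTTLS" in parse_ehlo(ehlo_text)


def verdict(advertised, negotiated, protocol=None):
    """Reduce the three observations to one line a human can act on."""
    if not advertised:
        return "FAIL: STARTTLS not advertised, mail is accepted in cleartext only"
    if not negotiated:
        return "FAIL: STARTTLS advertised but the TLS handshake failed"
    if protocol in WEAK_PROTOCOLS:
        return "WEAK: negotiated %s" % protocol
    return "OK: negotiated %s" % protocol


def check_starttls(host, port=25, timeout=15):
    """Live check against a real server (needs network; not exercised offline)."""
    ctx = ssl.create_default_context()
    # MTA-to-MTA TLS is opportunistic and most MX certificates would not verify
    # against the default store, so verification is off: this measures whether
    # the session gets encrypted, not whether the peer is authenticated.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    advertised, negotiated, protocol, cipher = False, False, None, None
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo()
        advertised = code == 250 and smtp.has_extn("starttls")
        if advertised:
            try:
                smtp.starttls(context=ctx)
                negotiated = True
                protocol = smtp.sock.version()      # e.g. "TLSv1.2"
                cipher = smtp.sock.cipher()[0]      # e.g. "ECDHE-RSA-AES128-GCM-SHA256"
            except (smtplib.SMTPException, ssl.SSLError, OSError):
                negotiated = False
    return {"host": host, "advertised": advertised, "negotiated": negotiated,
            "protocol": protocol, "cipher": cipher,
            "verdict": verdict(advertised, negotiated, protocol)}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_starttls(sys.argv[1]))
    else:
        print(verdict(starttls_advertised(SAMPLE_EHLO_WITH_STARTTLS), True, "TLSv1.2"))
```

Run it as `python3 starttls_check.py mail.example.com` against the MX after each spamdyke.conf change; a "FAIL: STARTTLS not advertised" result is what tls-level=none with no qmail TLS produces, and the protocol/cipher fields match what qmail records in its Received: header for an encrypted session.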

Re: [qmailtoaster] TLS reason: 503_MAIL_first_(#5.5.1)

2019-06-18 Thread Remo Mattei
Hi Rajesh, 
I was using the TLS in the spamdyke.conf and I just removed it and it is working 
just fine. You may be facing different issues. 



Remo 

> On Jun 18, 2019, at 9:16 AM, Rajesh M <24x7ser...@24x7server.net> wrote:
> 
> remo
> 
> Were you facing the same issue ?
> 
> Could you please explain in detail the exact steps you followed
> 
> thanks,
> rajesh
> 
> - Original Message -
> From: r...@mattei.org [mailto:r...@mattei.org]
> To: qmailtoaster-list@qmailtoaster.com
> Sent: Tue, 18 Jun 2019 09:13:26 -0700
> Subject:
> 
> I just tested on mine; I recalled you do not have to restart the service and 
> it works just fine.
> 
>> Il giorno 18 giu 2019, alle ore 09:01, Rajesh M <24x7ser...@24x7server.net> 
>> ha scritto:
>> 
>> hello
>> 
>> it does not work
>> 
>> I get the same error.
>> 
>> auth: (unknown) encryption: (none) reason: 503_MAIL_first_(#5.5.1)
>> 
>> rajesh
>> 
>> 
>> - Original Message -
>> From: Eric Broch [mailto:ebr...@whitehorsetc.com]
>> To: qmailtoaster-list@qmailtoaster.com
>> Sent: Tue, 18 Jun 2019 09:25:59 -0600
>> Subject:
>> 
>> yes,
>> 
>> tls-level=none
>> 
>>> On 6/18/2019 9:19 AM, Rajesh M wrote:
>>> tls-level=smtp ?
>> 
>> -
>> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
>> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
>> 
>> 
>> 



Re: [qmailtoaster] TLS reason: 503_MAIL_first_(#5.5.1)

2019-06-18 Thread remo
I just tested on mine; I recalled you do not have to restart the service and it 
works just fine.

> Il giorno 18 giu 2019, alle ore 09:01, Rajesh M <24x7ser...@24x7server.net> 
> ha scritto:
> 
> hello
> 
> it does not work
> 
> I get the same error.
> 
> auth: (unknown) encryption: (none) reason: 503_MAIL_first_(#5.5.1)
> 
> rajesh
> 
> 
> - Original Message -
> From: Eric Broch [mailto:ebr...@whitehorsetc.com]
> To: qmailtoaster-list@qmailtoaster.com
> Sent: Tue, 18 Jun 2019 09:25:59 -0600
> Subject: 
> 
> yes,
> 
> tls-level=none
> 
>> On 6/18/2019 9:19 AM, Rajesh M wrote:
>> tls-level=smtp ?
> 

Re: [qmailtoaster] TLS reason: 503_MAIL_first_(#5.5.1)

2019-06-18 Thread Rajesh M
hello

it does not work

I get the same error.

 auth: (unknown) encryption: (none) reason: 503_MAIL_first_(#5.5.1)

rajesh


- Original Message -
From: Eric Broch [mailto:ebr...@whitehorsetc.com]
To: qmailtoaster-list@qmailtoaster.com
Sent: Tue, 18 Jun 2019 09:25:59 -0600
Subject:

yes,

tls-level=none

On 6/18/2019 9:19 AM, Rajesh M wrote:
> tls-level=smtp ?


Re: [qmailtoaster] TLS reason: 503_MAIL_first_(#5.5.1)

2019-06-18 Thread Eric Broch

yes,

tls-level=none

On 6/18/2019 9:19 AM, Rajesh M wrote:

tls-level=smtp ?




Re: [qmailtoaster] TLS reason: 503_MAIL_first_(#5.5.1)

2019-06-18 Thread Rajesh M
eric

Should I comment out the line in spamdyke.conf?
tls-level=smtp ?

#tls-certificate-file=/var/qmail/control/servercert.pem
tls-level=smtp

Also please do note that this issue is occurring only for emails received from 
one single external domain.

rajesh


- Original Message -
From: Eric Broch [mailto:ebr...@whitehorsetc.com]
To: qmailtoaster-list@qmailtoaster.com
Sent: Tue, 18 Jun 2019 09:14:27 -0600
Subject:

In /etc/spamdyke/spamdyke.conf set 'tls-level' to 'none'.

tls-level=none

Allow qmail to do the TLS and see if it works.


On 6/18/2019 9:07 AM, Rajesh M wrote:
> eric
>
> In spamdyke.conf I can see this:
> tls-certificate-file=/var/qmail/control/servercert.pem
>
> Also I am using
> /var/qmail/control/servercert.pem
> for domain key signing of outgoing emails.
>
> rajesh
>
> - Original Message -
> From: Eric Broch [mailto:ebr...@whitehorsetc.com]
> To: qmailtoaster-list@qmailtoaster.com
> Sent: Tue, 18 Jun 2019 08:52:13 -0600
> Subject:
>
> So you have spamdyke doing the TLS?
>

Re: [qmailtoaster] TLS reason: 503_MAIL_first_(#5.5.1)

2019-06-18 Thread Eric Broch

In /etc/spamdyke/spamdyke.conf set 'tls-level' to 'none'.

tls-level=none

Allow qmail to do the TLS and see if it works.


On 6/18/2019 9:07 AM, Rajesh M wrote:

eric

In spamdyke.conf I can see this:
tls-certificate-file=/var/qmail/control/servercert.pem

Also I am using
/var/qmail/control/servercert.pem
for domain key signing of outgoing emails.

rajesh

- Original Message -
From: Eric Broch [mailto:ebr...@whitehorsetc.com]
To: qmailtoaster-list@qmailtoaster.com
Sent: Tue, 18 Jun 2019 08:52:13 -0600
Subject:

So you have spamdyke doing the TLS?

On 6/18/2019 8:38 AM, Rajesh M wrote:

Hi

ISSUE 1
All of a sudden we are receiving an error on one of our servers for one specific 
sender domain (sending from a Microsoft server).

The sender domain is not able to send emails to the recipient domain on our 
server. The email bounces with the following error:
encryption: TLS reason: 503_MAIL_first_(#5.5.1)

06/18/2019 19:33:16 LOG OUTPUT TLS
DENIED_OTHER from: rethish.n...@sender.com to: nominati...@dxb.recepient.com 
origin_ip: 40.107.69.126 origin_rdns: 
mail-eopbgr690126.outbound.protection.outlook.com auth: (unknown) encryption: 
TLS reason: 503_MAIL_first_(#5.5.1)
06/18/2019 19:33:16 FROM REMOTE TO CHILD: 6 bytes TLS
QUIT
06/18/2019 19:33:16 LOG OUTPUT TLS
ERROR(tls_write()@tls.c:678): unable to write to SSL/TLS stream: The operation 
failed due to an I/O error, Connection reset by peer
ERROR(output_writeln()@log.c:104): unable to write 27 bytes to file descriptor 
1: Connection reset by peer
06/18/2019 19:33:16 FROM CHILD TO REMOTE: 27 bytes TLS
221 ns1.HOSTNAME.com
06/18/2019 19:33:16 LOG OUTPUT TLS
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The operation 
failed due to an I/O error, Unexpected EOF found

06/18/2019 19:33:16 - TLS ended and closed


The error log from the spamdyke full-log-dir is given below.


ISSUE 2
Also I noted that the spamdyke log mentions this:
reset address space soft limit to infinity: please stop using the softlimit 
program

What exactly does this mean? What is the alternative to prevent large files? 
Should I disable the softlimit program,
/usr/bin/softlimit -m 6400 \
in the smtp run file?

I require your kind help in resolving the above 2 issues.

thanks
rajesh

06/18/2019 19:32:54 STARTED: VERSION = 5.0.1+TLS+CONFIGTEST+DEBUG, PID = 19829

06/18/2019 19:32:54 CURRENT ENVIRONMENT
PATH=/var/qmail/bin:/usr/local/bin:/usr/bin:/bin
PWD=/var/qmail/supervise/smtp
SHLVL=0
PROTO=TCP
TCPLOCALIP=103.241.181.154
TCPLOCALPORT=25
TCPLOCALHOST=ns1.HOSTNAME.com
TCPREMOTEIP=40.107.69.126
TCPREMOTEPORT=42264
BADMIMETYPE=
BADLOADERTYPE=M
QMAILQUEUE=/var/qmail/bin/simscan
CHKUSER_START=ALWAYS
CHKUSER_RCPTLIMIT=50
CHKUSER_WRONGRCPTLIMIT=10
NOP0FCHECK=1
DKQUEUE=/var/qmail/bin/qmail-queue.orig
DKVERIFY=DEGIJKfh
DKSIGN=/var/qmail/control/domainkeys/%/private

06/18/2019 19:32:54 CURRENT CONFIG
config-file=/etc/spamdyke/spamdyke.conf
dns-blacklist-entry=zen.spamhaus.org
full-log-dir=/var/log/spamdyke
graylist-dir=/var/spamdyke/graylist
graylist-max-secs=2678400
graylist-min-secs=180
header-blacklist-entry=From:*>,*<*
idle-timeout-secs=600
ip-blacklist-file=/etc/spamdyke/blacklist_ip
ip-in-rdns-keyword-blacklist-file=/etc/spamdyke/blacklist_keywords
ip-in-rdns-keyword-whitelist-file=/etc/spamdyke/whitelist_keywords
ip-whitelist-file=/etc/spamdyke/whitelist_ip
log-level=info
max-recipients=100
rdns-blacklist-file=/etc/spamdyke/blacklist_rdns
rdns-whitelist-file=/etc/spamdyke/whitelist_rdns
recipient-blacklist-file=/etc/spamdyke/blacklist_recipients
recipient-whitelist-file=/etc/spamdyke/whitelist_recipients
reject-empty-rdns=1
reject-sender=no-mx
reject-sender=authentication-domain-mismatch
reject-unresolvable-rdns=1
relay-level=normal
sender-blacklist-file=/etc/spamdyke/blacklist_senders
sender-whitelist-file=/etc/spamdyke/whitelist_senders
tls-certificate-file=/var/qmail/control/servercert.pem

06/18/2019 19:32:54 - Remote IP = 40.107.69.126

06/18/2019 19:32:54 CURRENT CONFIG
config-file=/etc/spamdyke/spamdyke.conf
dns-blacklist-entry=zen.spamhaus.org
dns-server-ip-primary=8.8.8.8
full-log-dir=/var/log/spamdyke
graylist-dir=/var/spamdyke/graylist
graylist-max-secs=2678400
graylist-min-secs=180
header-blacklist-entry=From:*>,*<*
idle-timeout-secs=600
ip-blacklist-file=/etc/spamdyke/blacklist_ip
ip-in-rdns-keyword-blacklist-file=/etc/spamdyke/blacklist_keywords
ip-in-rdns-keyword-whitelist-file=/etc/spamdyke/whitelist_keywords
ip-whitelist-file=/etc/spamdyke/whitelist_ip
log-level=info
max-recipients=100
rdns-blacklist-file=/etc/spamdyke/blacklist_rdns
rdns-whitelist-file=/etc/spamdyke/whitelist_rdns
recipient-blacklist-file=/etc/spamdyke/blacklist_recipients
recipient-whitelist-file=/etc/spamdyke/whitelist_recipients
reject-empty-rdns=1
reject-sender=no-mx
reject-sender=authentication-domain-mismatch
reject-unresolvable-rdns=1
relay-level=normal
sender-blacklist-file=/etc/spamdyke/blacklist_senders
sender-whitelist-file=/etc/spamdyke/whitelist_senders
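
The spamdyke lines quoted in this message all share one layout (a verb, then from:, to:, origin_ip:, origin_rdns:, auth:, encryption:, reason:), which makes it straightforward to tabulate which sending hosts actually arrive over TLS and which rejections carry the 503 reply Rajesh saw. The following is an added example that does this in Python; it is not code from the qmailtoaster list, spamdyke or qmail. The sample lines are constructed: the first two are Rajesh's rejected connection with spamdyke doing TLS and after tls-level=none (the second rebuilt from the fragment he posted), the others are invented, and the ALLOWED verb and the syslog-style prefix are assumptions about lines spamdyke writes that are not shown in the thread.

```python
"""Tabulate spamdyke connection-log lines: TLS use per sending host and
the "503 MAIL first" rejections discussed in this thread.

Added example, not code from the qmailtoaster list, spamdyke or qmail.
Field layout follows the log lines quoted in the thread; ALLOWED as a verb
and the syslog prefix are assumptions about lines not shown there.
"""
import re
from collections import Counter, defaultdict

# A verb followed by the fixed sequence of "name: value" fields. search()
# rather than match(), so a syslog prefix ("Jun 18 ... spamdyke[pid]: ")
# in front of the fields does not matter.
LINE_RE = re.compile(
    r"(?P<verb>[A-Z_]+) from: (?P<sender>\S+) to: (?P<rcpt>\S+) "
    r"origin_ip: (?P<ip>\S+) origin_rdns: (?P<rdns>\S+) auth: (?P<auth>\S+) "
    r"encryption: (?P<enc>\S+) reason: (?P<reason>\S*)"
)

# Constructed sample. Lines 1-2 are Rajesh's rejected connection with spamdyke
# doing TLS and after tls-level=none (the second rebuilt from the fragment he
# posted); lines 3-4 are invented; line 5 is full-log framing with no fields.
SAMPLE_LOG = """\
DENIED_OTHER from: rethish.n...@sender.com to: nominati...@dxb.recepient.com origin_ip: 40.107.69.126 origin_rdns: mail-eopbgr690126.outbound.protection.outlook.com auth: (unknown) encryption: TLS reason: 503_MAIL_first_(#5.5.1)
DENIED_OTHER from: rethish.n...@sender.com to: nominati...@dxb.recepient.com origin_ip: 40.107.69.126 origin_rdns: mail-eopbgr690126.outbound.protection.outlook.com auth: (unknown) encryption: (none) reason: 503_MAIL_first_(#5.5.1)
Jun 18 19:40:02 ns1 spamdyke[20011]: ALLOWED from: alice@example.org to: bob@dxb.recepient.com origin_ip: 192.0.2.10 origin_rdns: mx.example.org auth: (unknown) encryption: TLS reason: (empty)
Jun 18 19:41:15 ns1 spamdyke[20019]: ALLOWED from: carol@example.net to: bob@dxb.recepient.com origin_ip: 198.51.100.7 origin_rdns: (unknown) auth: (unknown) encryption: (none) reason: (empty)
06/18/2019 19:33:16 LOG OUTPUT TLS
"""

NO_ENCRYPTION = ("(none)", "(unknown)")


def parse_line(line):
    """Return the fields of one spamdyke log line, or None if it has none."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["encrypted"] = rec["enc"] not in NO_ENCRYPTION
    rec["denied"] = rec["verb"].startswith("DENIED")
    return rec


def parse_log(text):
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def summarize_by_rdns(records):
    """Per origin_rdns: connections seen, how many used TLS, how many were
    denied, and a Counter of the rejection reasons."""
    table = defaultdict(lambda: {"total": 0, "encrypted": 0, "denied": 0,
                                 "reasons": Counter()})
    for rec in records:
        row = table[rec["rdns"]]
        row["total"] += 1
        row["encrypted"] += int(rec["encrypted"])
        row["denied"] += int(rec["denied"])
        if rec["denied"]:
            row["reasons"][rec["reason"]] += 1
    return dict(table)


def mail_first_rejections(records):
    """Rejections carrying qmail-smtpd's "503 MAIL first (#5.5.1)" reply.

    qmail-smtpd sends that reply when it sees RCPT TO before MAIL FROM, so a
    DENIED_OTHER with this reason is a command-sequencing failure between the
    client, spamdyke and qmail-smtpd rather than a spamdyke filter decision.
    The Counter groups the hits by the encryption field, so you can see at a
    glance whether they only occur on TLS sessions, as in Rajesh's first log.
    """
    hits = [rec for rec in records if rec["reason"].startswith("503_MAIL_first")]
    return hits, Counter(rec["enc"] for rec in hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rdns, row in sorted(summarize_by_rdns(recs).items()):
        print(f"{rdns:55} total={row['total']} tls={row['encrypted']} "
              f"denied={row['denied']} reasons={dict(row['reasons'])}")
    hits, by_enc = mail_first_rejections(recs)
    print(f"{len(hits)} '503 MAIL first' rejections, by encryption: {dict(by_enc)}")
```

Feed it the real file with `parse_log(open("/var/log/maillog").read())` (or the spamdyke full-log files) to get the per-host table; the "encryption" column shows directly whether a sender such as the outlook.com host above ever completes TLS, which is the question the rest of this thread is trying to answer by hand.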

Re: [qmailtoaster] TLS reason: 503_MAIL_first_(#5.5.1)

2019-06-18 Thread Rajesh M
eric

In spamdyke.conf I can see this:
tls-certificate-file=/var/qmail/control/servercert.pem

Also I am using
/var/qmail/control/servercert.pem
for domain key signing of outgoing emails.

rajesh

- Original Message -
From: Eric Broch [mailto:ebr...@whitehorsetc.com]
To: qmailtoaster-list@qmailtoaster.com
Sent: Tue, 18 Jun 2019 08:52:13 -0600
Subject:

So you have spamdyke doing the TLS?


Re: [qmailtoaster] TLS reason: 503_MAIL_first_(#5.5.1)

2019-06-18 Thread Eric Broch

So you have spamdyke doing the TLS?

reject-sender=authentication-domain-mismatch
reject-unresolvable-rdns=1
relay-level=normal
sender-blacklist-file=/etc/spamdyke/blacklist_senders
sender-whitelist-file=/etc/spamdyke/whitelist_senders
tls-certificate-file=/var/qmail/control/servercert.pem

06/18/2019 19:32:54 - Remote rDNS = 
mail-eopbgr690126.outbound.protection.outlook.com

06/18/2019 19:32:54 LOG OUTPUT
DEBUG(filter_rdns_missing()@filter.c:947): checking for missing rDNS; rdns: 
mail-eopbgr690126.outbound.protection.outlook.com
DEBUG(filter_rdns_whitelist_file()@filter.c:1055): searching rDNS whitelist 
file(s); rdns: mail-eopbgr690126.outbound.protection.outlook.com
DEBUG(filter_rdns_blacklist_file()@filter.c:1159): searching rDNS blacklist 
file(s); rdns: 

[qmailtoaster] TLS reason: 503_MAIL_first_(#5.5.1)

2019-06-18 Thread Rajesh M
Hi

ISSUE 1
All of a sudden we are receiving an error on one of our servers for one specific
sender domain (sending from a Microsoft server).

The sender domain is not able to send emails to the recipient domain on our
server. The email bounces with the following error:
encryption: TLS reason: 503_MAIL_first_(#5.5.1)

06/18/2019 19:33:16 LOG OUTPUT TLS
DENIED_OTHER from: rethish.n...@sender.com to: nominati...@dxb.recepient.com origin_ip: 40.107.69.126 origin_rdns: mail-eopbgr690126.outbound.protection.outlook.com auth: (unknown) encryption: TLS reason: 503_MAIL_first_(#5.5.1)
06/18/2019 19:33:16 FROM REMOTE TO CHILD: 6 bytes TLS
QUIT
06/18/2019 19:33:16 LOG OUTPUT TLS
ERROR(tls_write()@tls.c:678): unable to write to SSL/TLS stream: The operation failed due to an I/O error, Connection reset by peer
ERROR(output_writeln()@log.c:104): unable to write 27 bytes to file descriptor 1: Connection reset by peer
06/18/2019 19:33:16 FROM CHILD TO REMOTE: 27 bytes TLS
221 ns1.HOSTNAME.com
06/18/2019 19:33:16 LOG OUTPUT TLS
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The operation failed due to an I/O error, Unexpected EOF found

06/18/2019 19:33:16 - TLS ended and closed


The error log from the spamdyke full-log-dir is given below.


ISSUE 2
Also, I noted that the spamdyke log mentions the following:
reset address space soft limit to infinity: please stop using the softlimit program

What exactly does this mean? What is the alternative to prevent large files?
Should I disable the softlimit program, i.e. the line
/usr/bin/softlimit -m 6400 \
in the smtp run file?

I require your kind help in resolving the above 2 issues.

thanks
rajesh

06/18/2019 19:32:54 STARTED: VERSION = 5.0.1+TLS+CONFIGTEST+DEBUG, PID = 19829

06/18/2019 19:32:54 CURRENT ENVIRONMENT
PATH=/var/qmail/bin:/usr/local/bin:/usr/bin:/bin
PWD=/var/qmail/supervise/smtp
SHLVL=0
PROTO=TCP
TCPLOCALIP=103.241.181.154
TCPLOCALPORT=25
TCPLOCALHOST=ns1.HOSTNAME.com
TCPREMOTEIP=40.107.69.126
TCPREMOTEPORT=42264
BADMIMETYPE=
BADLOADERTYPE=M
QMAILQUEUE=/var/qmail/bin/simscan
CHKUSER_START=ALWAYS
CHKUSER_RCPTLIMIT=50
CHKUSER_WRONGRCPTLIMIT=10
NOP0FCHECK=1
DKQUEUE=/var/qmail/bin/qmail-queue.orig
DKVERIFY=DEGIJKfh
DKSIGN=/var/qmail/control/domainkeys/%/private

06/18/2019 19:32:54 CURRENT CONFIG
config-file=/etc/spamdyke/spamdyke.conf
dns-blacklist-entry=zen.spamhaus.org
full-log-dir=/var/log/spamdyke
graylist-dir=/var/spamdyke/graylist
graylist-max-secs=2678400
graylist-min-secs=180
header-blacklist-entry=From:*>,*<*
idle-timeout-secs=600
ip-blacklist-file=/etc/spamdyke/blacklist_ip
ip-in-rdns-keyword-blacklist-file=/etc/spamdyke/blacklist_keywords
ip-in-rdns-keyword-whitelist-file=/etc/spamdyke/whitelist_keywords
ip-whitelist-file=/etc/spamdyke/whitelist_ip
log-level=info
max-recipients=100
rdns-blacklist-file=/etc/spamdyke/blacklist_rdns
rdns-whitelist-file=/etc/spamdyke/whitelist_rdns
recipient-blacklist-file=/etc/spamdyke/blacklist_recipients
recipient-whitelist-file=/etc/spamdyke/whitelist_recipients
reject-empty-rdns=1
reject-sender=no-mx
reject-sender=authentication-domain-mismatch
reject-unresolvable-rdns=1
relay-level=normal
sender-blacklist-file=/etc/spamdyke/blacklist_senders
sender-whitelist-file=/etc/spamdyke/whitelist_senders
tls-certificate-file=/var/qmail/control/servercert.pem

06/18/2019 19:32:54 - Remote IP = 40.107.69.126

06/18/2019 19:32:54 CURRENT CONFIG
config-file=/etc/spamdyke/spamdyke.conf
dns-blacklist-entry=zen.spamhaus.org
dns-server-ip-primary=8.8.8.8
full-log-dir=/var/log/spamdyke
graylist-dir=/var/spamdyke/graylist
graylist-max-secs=2678400
graylist-min-secs=180
header-blacklist-entry=From:*>,*<*
idle-timeout-secs=600
ip-blacklist-file=/etc/spamdyke/blacklist_ip
ip-in-rdns-keyword-blacklist-file=/etc/spamdyke/blacklist_keywords
ip-in-rdns-keyword-whitelist-file=/etc/spamdyke/whitelist_keywords
ip-whitelist-file=/etc/spamdyke/whitelist_ip
log-level=info
max-recipients=100
rdns-blacklist-file=/etc/spamdyke/blacklist_rdns
rdns-whitelist-file=/etc/spamdyke/whitelist_rdns
recipient-blacklist-file=/etc/spamdyke/blacklist_recipients
recipient-whitelist-file=/etc/spamdyke/whitelist_recipients
reject-empty-rdns=1
reject-sender=no-mx
reject-sender=authentication-domain-mismatch
reject-unresolvable-rdns=1
relay-level=normal
sender-blacklist-file=/etc/spamdyke/blacklist_senders
sender-whitelist-file=/etc/spamdyke/whitelist_senders
tls-certificate-file=/var/qmail/control/servercert.pem

06/18/2019 19:32:54 - Remote rDNS = mail-eopbgr690126.outbound.protection.outlook.com

06/18/2019 19:32:54 LOG OUTPUT
DEBUG(filter_rdns_missing()@filter.c:947): checking for missing rDNS; rdns: mail-eopbgr690126.outbound.protection.outlook.com
DEBUG(filter_rdns_whitelist_file()@filter.c:1055): searching rDNS whitelist file(s); rdns: mail-eopbgr690126.outbound.protection.outlook.com
DEBUG(filter_rdns_blacklist_file()@filter.c:1159): searching rDNS blacklist file(s); rdns: mail-eopbgr690126.outbound.protection.outlook.com
DEBUG(filter_ip_whitelist()@filter.c:1228):