Re: Qpsmtpd - Apache
Thanks for all of the help everybody. The solution I finally came up with was to set the MaxClients variable. On an interesting note though, I did some tests with apache using the prefork and worker mpm's and it turns out that qpsmtpd runs very nice under both, but scales better on the worker mpm. Here is my config (using the worker mpm) for anybody that is interested:

--- START CONFIG ---
User smtpd
Group users
Listen 0.0.0.0:25
HostnameLookups On
ServerName HOSTNAME
LoadModule perl_module modules/mod_perl.so
ErrorLog /hd/apache/error_log
TransferLog /hd/apache/access_log
LogLevel warn
PidFile /var/run/httpd.pid
ScoreBoardFile /var/run/apache_status
StartServers 30
MinSpareThreads 10
MaxClients 90
ThreadsPerChild 30
<Perl>
use lib qw( /home/smtpd/qpsmtpd/lib );
use Apache::Qpsmtpd;
</Perl>
<VirtualHost _default_:25>
PerlSetVar QpsmtpdDir /home/smtpd/qpsmtpd/
PerlModule Apache::Qpsmtpd
PerlProcessConnectionHandler Apache::Qpsmtpd
PerlSetVar qpsmtpd.loglevel 7
</VirtualHost>
--- END CONFIG ---

While it is possible to just set the MaxClients way up, in my testing when apache got up around 130 connections it just couldn't recover nicely. Don't really know why, but the box (vmware session) would just hang. Hope this helps somebody out there.

Ed.

On Thu, 05 Oct 2006 11:32:25 -0500, Peter Eisch wrote:
> In my instances I couldn't figure out the right number for limiting connections. It got problematic when roadwarrior SMTP AUTH users were unable to connect reliably. Is the specific problem you're looking to solve simply connection limits or is there a different situation that you want connection limits to solve? If I may anticipate the answer as being the latter, I keep the system from drowning from massive waves by using the loadcheck plugin. They can then take the plethora of connections but when spamd starts sucking cpu to service the connected MTAs, it will just fire back a soft error.
>
> I've had very good experiences from this approach as well as when I was running the tcpserver framework. If you are specifically looking to limit connections, I'm sorry but I have no solution.
>
> peter
Apache - Qpsmtpd - TLS
Ok.. Now that I have everything working with apache and qpsmtpd I'm wanting to throw tls into the mix as well. I've got the certs and keys built, however, when I issue a STARTTLS command I get the following:

250-PIPELINING
250-8BITMIME
250 STARTTLS
STARTTLS
220 Go ahead with TLS
500 TLS Negotiation Failed
quit

and I get this in the apache error log:

TLS failed: Could not create SSL socket: at /home/smtpd/qpsmtpd//plugins/tls line 98.

Is there an issue with trying to create an SSL socket inside apache? Does anybody have this working?

Thanks,
Ed
Re: Apache - Qpsmtpd - TLS
What client are you trying to use? What's in the error log above and below that line? Have you tried to bump up the logging level by uncommenting the debug constants after the use IO::Socket::SSL line?

When I did that I found that the issue I was having (this was with plain old tcpserver, YMMV) was that client and server couldn't agree on a cipher - qpsmtpd is restricted to openssl's HIGH quality ciphers by default. To change this check out the qpsmtpd-0.3x branch with a revision 663 and modify config/tls_ciphers. For example, I have:

# for available ciphers and format, see:
# http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS
# versamail 3.x requires either RC4-MD5 or RC4-SHA
# openssl default is DEFAULT, but qpsmtpd uses HIGH as default
HIGH:RC4-SHA:RC4-MD5

But this was determined by painstakingly determining which cipher versamail needed. Your best bet is to change that to ALL, and see if that works (if it doesn't, it's something else altogether). See http://www.nntp.perl.org/group/perl.qpsmtpd/5584 and followups for more.

But again, with the IO::Socket::SSL debug stuff enabled, you should see something useful above or near the mysterious Could not create SSL socket error which should send you down the right path in all cases. Good luck, let us know what you find.

Brian

On Oct 6, 2006, at 3:21 PM, Ed McLain wrote:
> Ok.. Now that I have everything working with apache and qpsmtpd I'm wanting to throw tls into the mix as well. I've got the certs and keys built, however, when I issue a STARTTLS command I get the following:
>
> 250-PIPELINING
> 250-8BITMIME
> 250 STARTTLS
> STARTTLS
> 220 Go ahead with TLS
> 500 TLS Negotiation Failed
> quit
>
> and I get this in the apache error log:
>
> TLS failed: Could not create SSL socket: at /home/smtpd/qpsmtpd//plugins/tls line 98.
>
> Is there an issue with trying to create an SSL socket inside apache? Does anybody have this working?
>
> Thanks,
> Ed
Heads up for users of spamhaus
http://wordtothewise.com/Spamhaus_ICANN_order.html If you're using sbl-xbl, consider temporarily switching to cbl until this blows over.
Re: Apache - Qpsmtpd - TLS
Ed McLain wrote:
> and I get this in the apache error log:
>
> TLS failed: Could not create SSL socket: at /home/smtpd/qpsmtpd//plugins/tls line 98.

I had similar problems and got an error message in the main Apache error_log of:

[Sat Oct 07 09:40:45 2006] [error] Could not create SSL context: Permission denied at /home/smtpd/plugins/tls line 79.\n

No idea if it's related and haven't had a chance to debug. Anyone know where Apache creates the SSL context?

Regards

James Turnbull

P.S. Also drop the last / on your PerlSetVar QpsmtpdDir statement - that's what's causing the // in the error line.

--
James Turnbull [EMAIL PROTECTED]
---
Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/)
Hardening Linux (http://www.amazon.com/gp/product/159059/)
---
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0C42DF40)
Re: Heads up for users of spamhaus
On Oct 6, 2006, at 16:09, James Turnbull wrote:
> The order is essentially meaningless though isn't it? The associated judgement is unenforceable because Spamhaus isn't under the jurisdiction of US law - it's a UK entity. If Linhardt wants to stop them he is going to have to file the same case in a UK court and the laws regarding spam in the UK are considerably different.

The court order is for ICANN and/or Tucows to suspend or hold www.Spamhaus.org, whatever that means.

- ask
--
http://www.askbjoernhansen.com/
Re: Apache - Qpsmtpd - TLS
On Oct 6, 2006, at 15:39, Ed McLain wrote:
>> What client are you trying to use?
>
> Straight telnet

How do you speak SSL then? :-) That's a little like programming with cat /dev/sda1.

- ask
--
http://askask.com/ - http://develooper.com/
Re: Apache - Qpsmtpd - TLS
Just as a full test I ran swaks against it and here are the results:

=== Trying x.x.x.x:25...
=== Connected to x.x.x.x.
- 220 tmx1.testnet.com ESMTP qpsmtpd 0.32 ready; send us your mail, but not your spam.
- EHLO tested
- 250-tmx1.testnet.com Hi [x.x.x.x] [x.x.x.x]
- 250-PIPELINING
- 250-8BITMIME
- 250 STARTTLS
- STARTTLS
- 220 Go ahead with TLS
*** TLS startup failed (error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol)
- QUIT
** Negotiation Failed ** 500 Unrecognized command
=== Connection closed with remote host.

Also, I upgraded the plugin to the newest one in SVN, enabled full debugging, set the tls_ciphers to: HIGH:RC4-SHA:RC4-MD5, and here is the output in the apache error logs:

SSL accept attempt failed error::lib(0):func(0):reason(0) at /home/smtpd/qpsmtpd//plugins/tls line 158
TLS failed: Could not create SSL socket: at /home/smtpd/qpsmtpd//plugins/tls line 158.

And here is the qpsmtpd logs:

Oct 6 21:13:06 tmx1 qpsmtpd[4684]: Connection from [x.x.x.x][x.x.x.x]
Oct 6 21:13:06 tmx1 qpsmtpd[4684]: Plugins already loaded
Oct 6 21:13:06 tmx1 qpsmtpd[4684]: Loaded logging/syslog loglevel LOGDEBUG
Oct 6 21:13:06 tmx1 qpsmtpd[4684]: loading plugins from /home/smtpd/qpsmtpd//plugins
Oct 6 21:13:06 tmx1 qpsmtpd[4684]: ciphers: Qpsmtpd::Plugin::tls=HASH(0x95991ec)->tls_ciphers
Oct 6 21:13:07 tmx1 qpsmtpd[4684]: loadcheck
Oct 6 21:13:07 tmx1 qpsmtpd[4684]: tls
Oct 6 21:13:07 tmx1 qpsmtpd[4684]: check_earlytalker
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: remote host said nothing spontaneous, proceeding
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: tls
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: check_spamhelo
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: count_unrecognized_commands
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: Unrecognized command 'starttls'
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: tls
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: logging::denylog
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: count_unrecognized_commands
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: Unrecognized command '\200|^A^C^A
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: tls
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: count_unrecognized_commands
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: Unrecognized command '^G
Oct 6 21:13:08 tmx1 qpsmtpd[4684]: tls

Hope this helps some.

Thanks,
Ed.

On Fri, 06 Oct 2006 17:16:58 -0700, Ask Bjørn Hansen wrote:
> On Oct 6, 2006, at 15:39, Ed McLain wrote:
>>> What client are you trying to use?
>>
>> Straight telnet
>
> How do you speak SSL then? :-) That's a little like programming with cat /dev/sda1.
>
> - ask
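The qpsmtpd log above contains a clue worth reading literally. My interpretation (not stated in the thread): the "command" `\200|^A^C^A` is the start of an SSLv2-compatible ClientHello record (0x80 0x7c = length 124 with the high bit set, 0x01 = CLIENT-HELLO, 0x03 0x01 = TLS 1.0), i.e. the client's handshake bytes arrived at the plaintext SMTP parser after the server had already said "220 Go ahead", which is consistent with the "SSL accept attempt failed" line in the Apache log. The triage script below is an added example, not qpsmtpd code; it scans syslog-style lines for unrecognized commands, reverses syslog's octal and caret escapes, and reports when the bytes look like a TLS or SSLv2-style ClientHello. The log lines in it are constructed to match the shape of the output posted above.

```python
"""Triage qpsmtpd syslog lines for TLS handshake bytes that reached the SMTP
command parser. Added example, not qpsmtpd code; the sample log lines are
constructed to match the shape of the output posted in the thread."""
import re

# qpsmtpd logs an unrecognized command as the raw bytes it read; syslog
# renders non-printables as octal (\200) or caret (^A) escapes.
UNRECOGNIZED = re.compile(r"qpsmtpd\[(\d+)\]: Unrecognized command '(.*)$")
OCTAL = "01234567"


def unescape(text):
    """Reverse syslog's \\NNN octal and ^X caret escapes into raw bytes."""
    out = bytearray()
    i = 0
    while i < len(text):
        chunk = text[i + 1:i + 4]
        if text[i] == "\\" and len(chunk) == 3 and all(c in OCTAL for c in chunk):
            out.append(int(chunk, 8))
            i += 4
        elif text[i] == "^" and i + 1 < len(text):
            out.append(ord(text[i + 1]) ^ 0x40)  # ^A -> 0x01, ^G -> 0x07
            i += 2
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def classify_handshake(raw):
    """Identify a ClientHello in bytes the SMTP parser mistook for a command.
    Returns (kind, (major, minor)) or None when the bytes look like text."""
    # SSLv2-compatible hello: 2-byte length with the high bit set, then
    # message type 1 (CLIENT-HELLO), then the client's highest version.
    if len(raw) >= 5 and raw[0] & 0x80 and raw[2] == 0x01:
        return ("sslv2-compatible ClientHello", (raw[3], raw[4]))
    # TLS record: content type 22 (handshake), version 3.x, then a 4-byte
    # handshake header whose first byte is 1 (ClientHello).
    if len(raw) >= 6 and raw[0] == 0x16 and raw[1] == 0x03 and raw[5] == 0x01:
        return ("TLS ClientHello", (raw[1], raw[2]))
    return None


def triage(lines):
    """One finding per log line where a ClientHello was parsed as an SMTP
    command: the server answered 220 but never wrapped the socket, so the
    handshake landed in the plaintext reader. Check the tls plugin's SSL
    accept (key/cert readability, cipher list) rather than the client."""
    findings = []
    for line in lines:
        m = UNRECOGNIZED.search(line)
        if not m:
            continue
        raw = unescape(m.group(2).rstrip("'"))
        hit = classify_handshake(raw)
        if hit:
            findings.append({"pid": m.group(1), "kind": hit[0], "version": hit[1]})
    return findings


# Constructed sample, modelled on the qpsmtpd log posted in the thread.
SAMPLE_LOG = [
    "Oct  6 21:13:08 tmx1 qpsmtpd[4684]: Unrecognized command 'starttls'",
    "Oct  6 21:13:08 tmx1 qpsmtpd[4684]: Unrecognized command '\\200|^A^C^A",
    "Oct  6 21:13:08 tmx1 qpsmtpd[4684]: Unrecognized command '^G",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"pid {f['pid']}: {f['kind']} (version {f['version']}) was read "
              "as an SMTP command; the server never entered TLS")
```

Run against a real syslog, a hit of this shape points at the server side of the handshake (the `SSL accept attempt failed` in the Apache log), not at the client's cipher list; a ClientHello that never appears in the SMTP log but still fails would instead suggest the cipher mismatch Brian describes.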
patch: auth_secure_conditions
Howdy. The below patch allows a qpsmtpd admin to configure which authentication mechanisms s/he wants to allow over unsecured connections, and define what secure/unsecure connections are. The config.sample file should explain it pretty well, but for the lazy, here is a small sample config (sans comments), which should give you the basic gist of it:

ssl
ip 10.
ip 192.168.
ip 127.
fallback CRAM-MD5

Note: This supersedes and breaks config/tls_before_auth - I don't think that config is very widespread since the last release didn't use it, but I'd be happy to refactor this patch, if other folks think it is necessary, to re-enable config/tls_before_auth, or at least die and instruct the admin to use the new format.

Attachments: auth_secure_conditions.patch, config.sample-auth_secure_conditions

Cheers,
Brian Szymanski [EMAIL PROTECTED]
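The patch itself is a binary attachment, so here is an added example (my code, not the patch) of how a policy in the sample format above can be evaluated. It assumes the semantics implied by the post: a connection counts as secure when it is TLS-wrapped and `ssl` is listed, or when the peer address starts with one of the `ip` prefixes; on any other connection only the `fallback` mechanisms are advertised, so cleartext PLAIN/LOGIN never cross an untrusted link. The mechanism list and the peer addresses are constructed for the example.

```python
"""Evaluate an auth_secure_conditions-style policy. Added example, not the
patch's own code; the semantics are my reading of the sample config."""

# The sample config from the post, verbatim.
SAMPLE_CONFIG = """\
ssl
ip 10.
ip 192.168.
ip 127.
fallback CRAM-MD5
"""

# Mechanisms the server could offer; an assumed set, not qpsmtpd's list.
AVAILABLE_MECHS = ("PLAIN", "LOGIN", "CRAM-MD5")


def parse_policy(text):
    """Parse the one-directive-per-line format into a policy dict."""
    policy = {"ssl": False, "ip_prefixes": [], "fallback": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # tolerate trailing comments
        if not line:
            continue
        key, _, rest = line.partition(" ")
        if key == "ssl":
            policy["ssl"] = True
        elif key == "ip":
            policy["ip_prefixes"].append(rest.strip())
        elif key == "fallback":
            policy["fallback"].extend(rest.split())
        else:
            raise ValueError(f"unknown directive: {line!r}")
    return policy


def is_secure(policy, remote_ip, tls_active):
    """True when the policy treats this connection as secure."""
    if tls_active and policy["ssl"]:
        return True
    # String-prefix match on the dotted address, as the sample writes
    # "10." and "192.168."; the trailing dot keeps "10." from matching 100.x.
    return any(remote_ip.startswith(p) for p in policy["ip_prefixes"])


def offered_mechanisms(policy, remote_ip, tls_active, available=AVAILABLE_MECHS):
    """Mechanisms to advertise in the AUTH capability for this connection.
    Unsecured connections get only the fallback set (CRAM-MD5 here), which
    keeps password-bearing PLAIN/LOGIN off cleartext links."""
    if is_secure(policy, remote_ip, tls_active):
        return list(available)
    return [m for m in available if m in policy["fallback"]]


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_CONFIG)
    # Constructed peers: an internet host without and with TLS, a LAN host.
    for ip, tls in (("203.0.113.5", False), ("203.0.113.5", True), ("192.168.1.20", False)):
        print(ip, "tls" if tls else "plain", "->", offered_mechanisms(policy, ip, tls))
```

The prefix check is deliberately the naive string match the sample's syntax suggests; a policy that needs real CIDR matching would swap `is_secure` for an `ipaddress`-based test, and anyone writing an `ip` line without a trailing dot should expect "10" to match 100.x and 109.x as well.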
Re: Heads up for users of spamhaus
On 6-Oct-06, at 7:09 PM, James Turnbull wrote:
> Matt Sergeant wrote:
>> http://wordtothewise.com/Spamhaus_ICANN_order.html
>>
>> If you're using sbl-xbl, consider temporarily switching to cbl until this blows over.
>
> The order is essentially meaningless though isn't it? The associated judgement is unenforceable because Spamhaus isn't under the jurisdiction of US law - it's a UK entity. If Linhardt wants to stop them he is going to have to file the same case in a UK court and the laws regarding spam in the UK are considerably different.

That was indeed the prediction of the previous judgement in the same case [*], however this escalates it to ICANN and TUCOWS (who have both been contacted to ensure that nothing drastic is done).

Matt.

[*] http://www.spamhaus.org/legal/index.lasso
Re: Apache - Qpsmtpd - TLS
James Turnbull wrote:
> I had similar problems and got an error message in the main Apache error_log of:
>
> [Sat Oct 07 09:40:45 2006] [error] Could not create SSL context: Permission denied at /home/smtpd/plugins/tls line 79.\n

I fixed this issue - SSL debug revealed it was permissions on the keys - which is odd because the keys were owned by the smtpd user that Apache::Qpsmtpd is running as, which also has read permissions to the files. I had to also add group read permissions to get this to work. Not sure why those permissions would be needed.

Regards

James Turnbull

--
James Turnbull [EMAIL PROTECTED]
---
Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/)
Hardening Linux (http://www.amazon.com/gp/product/159059/)
---
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0C42DF40)
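A preflight check like the one below, added here as an example and not part of qpsmtpd or Apache::Qpsmtpd, makes the puzzle in James's message visible before the first STARTTLS: POSIX applies exactly one permission class to a reader, so if the process that actually opens the key runs under a uid other than the file's owner (one possible explanation for group read suddenly mattering; the thread does not establish which uid did the open), the owner bits are irrelevant and only the group or other bits count. The function reports which class applies for a given uid/gid and whether the key is readable by everyone, which is the condition to avoid when loosening permissions to get past a "Permission denied". The demo file it inspects is created on the fly and removed again.

```python
"""Preflight check for a TLS private key. Added example, not project code:
report which POSIX permission class applies to a server process with a given
uid/gid, whether that class can read the key, and whether the key is readable
by everyone. Root bypasses these bits entirely, so run the check with the
unprivileged uid the connection handler really uses."""
import os
import stat
import tempfile


def key_access_report(path, uid, gid):
    """Describe the read access a process running as (uid, gid) gets on path.
    Only one class applies: owner bits if uid owns the file, otherwise group
    bits if gid matches the file's group, otherwise the 'other' bits."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        applicable, readable = "owner", bool(mode & stat.S_IRUSR)
    elif st.st_gid == gid:
        applicable, readable = "group", bool(mode & stat.S_IRGRP)
    else:
        applicable, readable = "other", bool(mode & stat.S_IROTH)
    return {
        "mode": oct(mode),
        "class": applicable,
        "readable": readable,
        # A private key that anyone on the host can read is the thing to avoid
        # when relaxing permissions to cure a "Permission denied".
        "world_readable": bool(mode & stat.S_IROTH),
    }


def demo():
    """Constructed scenario: a throwaway key file owned by this process, read
    as the owner, as another uid in the same group, and as a stranger."""
    fd, path = tempfile.mkstemp(prefix="tls-key-")
    os.close(fd)
    try:
        owner_uid, owner_gid = os.stat(path).st_uid, os.stat(path).st_gid
        os.chmod(path, 0o600)
        owner_0600 = key_access_report(path, owner_uid, owner_gid)
        group_0600 = key_access_report(path, owner_uid + 1, owner_gid)
        os.chmod(path, 0o640)
        group_0640 = key_access_report(path, owner_uid + 1, owner_gid)
        os.chmod(path, 0o644)
        other_0644 = key_access_report(path, owner_uid + 1, owner_gid + 1)
    finally:
        os.unlink(path)
    return {
        "owner_0600": owner_0600["readable"],
        "group_0600": group_0600["readable"],
        "group_0640": group_0640["readable"],
        "other_0644": other_0644["readable"],
        "world_0644": other_0644["world_readable"],
        "world_0640": group_0640["world_readable"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two numbers to compare in a real deployment are the uid/gid the child that handles port 25 runs under (here `User smtpd` / `Group users` from Ed's config) and the owner/group on the key; 0640 with the key's group set to the server's group gives the reader access without making the key world-readable.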
Re: Heads up for users of spamhaus
The order was to ICANN regarding the domain name. It is a curious situation though.

Waitman

James Turnbull wrote:
> Matt Sergeant wrote:
>> http://wordtothewise.com/Spamhaus_ICANN_order.html
>>
>> If you're using sbl-xbl, consider temporarily switching to cbl until this blows over.
>
> The order is essentially meaningless though isn't it? The associated judgement is unenforceable because Spamhaus isn't under the jurisdiction of US law - it's a UK entity. If Linhardt wants to stop them he is going to have to file the same case in a UK court and the laws regarding spam in the UK are considerably different.
>
> Regards
>
> James Turnbull