Re: [spamdyke-users] /etc/tcp.smtp
So why is there an access-file option? If I want to set env vars (like RELAYCLIENT or others), I have to use /etc/tcp.smtp (or another file specified as a parameter to tcpserver). I don't understand the need for this option.

d.

2008/10/7 Sam Clippinger [EMAIL PROTECTED]:
> This behavior is correct. Incoming SMTP connections are accepted by tcpserver, which reads the /etc/tcp.smtp(.cdb) file and sets the environment variable RELAYCLIENT for all connections. Because that variable is set, spamdyke allows the remote server to relay messages.
>
> -- Sam Clippinger
>
> Davide D'Amico wrote:
>> I am using spamdyke and I have a problem with the access file. I use:
>>
>> dflybsd# more /etc/tcp.smtp
>> :allow,RELAYCLIENT=
>> dflybsd#
>>
>> And:
>>
>> dflybsd# more /usr/local/vpopmail/tcp.smtp
>> 127.0.0.1:allow,RELAYCLIENT=
>> :allow
>>
>> This is my spamdyke.conf:
>>
>> dflybsd# more /usr/local/etc/spamdyke.conf
>> log-level=excessive
>> access-file=/usr/local/vpopmail/tcp.smtp
>> local-domains-file=/var/qmail/control/rcpthosts
>> smtp-auth-command=/usr/local/vpopmail/bin/vchkpw /usr/bin/true
>> smtp-auth-level=always-encrypted
>> rejection-text-auth-failure=Utente sconosciuto
>> tls-level=smtp
>> tls-certificate-file=/usr/local/vpopmail/servercert.pem
>> filter-level=normal
>> relay-level=normal
>> max-recipients=40
>> hostname=dflybsd.sede.televas.it
>> policy-url=http://www.televas.it/sendreport/
>>
>> And this is my qmail-smtpd/run:
>>
>> #!/bin/sh
>> MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
>> LOCAL=`head -1 /var/qmail/control/me`
>> exec /usr/local/bin/softlimit -m 4000 \
>>   /usr/local/bin/tcpserver -v -R -l $LOCAL -x /etc/tcp.smtp.cdb -c $MAXSMTPD -u 89 -g 89 0 smtp \
>>   /usr/local/vbin/spamdyke --run-as-user vpopmail:vchkpw -f /usr/local/etc/spamdyke.conf \
>>   /var/qmail/bin/qmail-smtpd 2>&1
>>
>> This server has IP address 10.0.0.242. If I try to relay from 10.0.0.17, it accepts email. Is that the right behaviour? I think not, because of /usr/local/vpopmail/tcp.smtp.
>>
>> Ideas?
>>
>> Thanks,
>> d.

___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
[spamdyke-users] Greylist Clean-Up-Script
Hi all!

I created a bash script to analyze and clean up my greylist. Maybe someone needs one which reports what has been done, or just checks the greylist without deleting. I use this one because a simple find over 90 domains and 2k mail accounts caused high server load; this step-by-step processing didn't, as long as there aren't a million entries in one domain. ;-)

Greetz,
Blackbit

#!/bin/bash
#
# What's this:
# This script was created to keep the greylist of spamdyke
# up to date and remove old entries. On a server with 1k mailboxes
# it works fine and is in productive use.
#
# Note:
# As this script is removing files without any possibility to
# undo these deletions, we recommend to try out the script
# with the debug flag set below to see what will be purged.
#

# Location of your greylist
greylist=/var/qmail/spamdyke/greylist

# Number of days to keep greylist entries
daystodel=28

# Set this to 1 to see the results without removing any file
debug=0

# Report summary in the end
report=1

# Everything is set up now, let it run!
# Nothing needs to be modified below this line (I hope)

minstodel=$((daystodel * 1440))
greysum=0
purged=0

for dir in "$greylist"/*
do
    [ -d "$dir" ] || continue
    domain=${dir##*/}
    greylisted=$(find "$dir" -type f | wc -l)
    greysum=$((greysum + greylisted))

    # Candidates are empty greylist files not touched for $daystodel days
    if [ "$debug" -eq 0 ]; then
        find "$dir" -type f -mmin +"$minstodel" -size 0k -exec rm {} \;
        remaining=$(find "$dir" -type f | wc -l)
        deleted=$((greylisted - remaining))
    else
        # Debug mode: list and count what would be removed, without deleting
        deleted=$(find "$dir" -type f -mmin +"$minstodel" -size 0k -exec ls -l {} \; | wc -l)
        if [ "$deleted" -gt 0 ]; then
            echo "Domain: $domain, $greylisted entries, $deleted entries would be removed"
        else
            echo "Domain: $domain, $greylisted entries"
        fi
    fi
    purged=$((purged + deleted))
done

if [ "$report" -gt 0 ]; then
    echo "$greysum entries found"
    echo "$purged entries removed"
    echo "$((greysum - purged)) entries remain greylisted"
fi
Re: [spamdyke-users] /etc/tcp.smtp
The access-file option exists for several reasons. While it's true tcpserver uses that file and sets the environment variables, not everyone uses tcpserver (most notably, Plesk uses xinetd instead). Some administrators may have complex configurations that need to use multiple/different files in ways I can't predict. Prior to version 4.0, the access-file option was required in combination with the local-domains-file option so spamdyke could enforce relaying restrictions (version 4.0 added the relay-level flag to make this setting more explicit). The biggest reason, however, is that spamdyke is going to read the file and I didn't want to just hardcode the filename into the program. When in doubt, I prefer to make things configurable and that's what I did.

With all of that having been said, most people don't need to use the access-file option. When they do, most people use the value /etc/tcp.smtp so they only have one file to keep updated.

-- Sam Clippinger

Davide D'Amico wrote:
> So why is there an access-file option? If I want to set env vars (like RELAYCLIENT or others), I have to use /etc/tcp.smtp (or another file specified as a parameter to tcpserver). I don't understand the need for this option.
>
> d.
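The thread turns on which file tcpserver actually consults and what its catch-all rule grants. The following is an added example, not code from spamdyke or ucspi-tcp: a simplified matcher for tcp.smtp-style rules that reproduces tcprules' most-specific-first lookup (exact IP, then shorter dotted prefixes, then the empty catch-all address) and reports whether a given client ends up with RELAYCLIENT set. The two rule files are the ones Davide posted; the LAN variant and the "=host" rule omission are my assumptions, as is the rule that tcpserver accepts a connection with no extra environment when nothing matches.

```python
"""Simplified tcprules-style access-file matcher (added example, not spamdyke or ucspi-tcp code).

Assumptions: rules are 'address:instruction[,VAR=value...]' lines; lookup order is the
exact IP, then shorter dotted prefixes, then the empty (catch-all) address; '=host'
rules are not modelled; tcpserver accepts a connection when no rule matches.
"""

# The two files from the thread: /etc/tcp.smtp (what tcpserver loads via /etc/tcp.smtp.cdb)
# and /usr/local/vpopmail/tcp.smtp (what spamdyke's access-file points at).
ETC_TCP_SMTP = ":allow,RELAYCLIENT=\n"
VPOPMAIL_TCP_SMTP = "127.0.0.1:allow,RELAYCLIENT=\n:allow\n"
# Constructed variant that grants relaying to localhost and one LAN prefix only.
LAN_TCP_SMTP = "127.0.0.1:allow,RELAYCLIENT=\n10.0.0.:allow,RELAYCLIENT=\n:allow\n"


def parse_rules(text):
    """Return {address: (instruction, {VAR: value})} for a tcp.smtp text."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        address, _, body = line.partition(":")
        fields = body.split(",")
        instruction = fields[0]
        env = {}
        for field in fields[1:]:
            name, _, value = field.partition("=")
            env[name] = value  # RELAYCLIENT= sets an empty value, which still counts as set
        rules[address] = (instruction, env)
    return rules


def match_rule(rules, ip):
    """Return (matched_address, instruction, env) using most-specific-first order."""
    octets = ip.split(".")
    candidates = [ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for candidate in candidates:
        if candidate in rules:
            instruction, env = rules[candidate]
            return candidate, instruction, env
    return None, "allow", {}  # no matching rule: connection accepted, no extra env


def grants_relay(rules, ip):
    """True when a client at `ip` gets RELAYCLIENT in its environment (and so may relay)."""
    _, instruction, env = match_rule(rules, ip)
    return instruction == "allow" and "RELAYCLIENT" in env


def open_relay_rules(rules):
    """Addresses whose rule hands RELAYCLIENT to the catch-all or to a one-octet prefix.

    These are the rules to look for when a remote host can relay unexpectedly.
    """
    broad = []
    for address, (instruction, env) in rules.items():
        if instruction == "allow" and "RELAYCLIENT" in env and address.count(".") <= 1:
            broad.append(address)
    return broad


if __name__ == "__main__":
    for name, text in (("/etc/tcp.smtp", ETC_TCP_SMTP), ("vpopmail tcp.smtp", VPOPMAIL_TCP_SMTP)):
        rules = parse_rules(text)
        print(name, "-> 10.0.0.17 may relay:", grants_relay(rules, "10.0.0.17"),
              "| broad RELAYCLIENT rules:", open_relay_rules(rules))
```

Run against the posted files, the one tcpserver really loads grants RELAYCLIENT to every client through its empty-address rule, which is exactly why 10.0.0.17 could relay; the vpopmail file would have restricted it to 127.0.0.1. Checking the file named by the `-x` argument of tcpserver, not the one named in spamdyke.conf, is the practical takeaway.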
Re: [spamdyke-users] Segfault spamdyke
A small difference from my system is that he'd been told the segfaults occur in libc-2.3.6.so, but also at 0 addresses. Do you think it's the same bug he hits, and does it help us with my server? Looking forward to getting this bug! :-)

Sam Clippinger wrote:
> Without more information, I would guess that these errors are very likely caused by the same bugs that have been plaguing David Stiller on SLES 10.1 64-bit. I've been working with David for several weeks to identify the source of the crashes and I believe I've finally done it. The latest beta version (published on the spamdyke-dev mailing list today) contains the (latest) fix.
>
> If you are so inclined, you could install the latest beta version of spamdyke and see if it solves your issue. Otherwise, upgrade to 4.0.5 as soon as it is available (hopefully soon) and report back if you still see segmentation faults.
>
> If you want to collect more information with the version you're using, you can do this:
> 1) From the command line, run spamdyke -v and look for +EXCESSIVE after the version number. If it's not there, rerun spamdyke's configure script with the --with-excessive-output option, then rerun make. Install the resulting binary.
> 2) Add the full-log-dir option to your configuration file.
> 3) Wait for another segmentation fault.
> 4) Find the log file(s) produced by the crashed spamdyke(s) and email them to me.
> I'll examine them to see if your crashes look different than the ones I've been chasing.
>
> -- Sam Clippinger
>
> Thiago Cesar wrote:
>> Hi all,
>>
>> I am using Debian with qmail and spamdyke, and in my log I see something like this:
>>
>> spamdyke[3729]: segfault at 9614a818 ip 7f8e8de792a6 sp 7fff96146728 error 4 in libc-2.3.6.so[7f8e8de05000+121000]
>> spamdyke[26710]: segfault at 0 ip 7fa7f9a1c03b sp 7fff01cec2c8 error 4 in libc-2.3.6.so[7fa7f99a8000+121000]
>> spamdyke[30603]: segfault at 0 ip 7f564d17d076 sp 7fff5544ca28 error 4 in libc-2.3.6.so[7f564d109000+121000]
>> spamdyke[32070]: segfault at ff812ed8 ip 7f7ef753f2a6 sp 7f80ede8 error 4 in libc-2.3.6.so[7f7ef74cb000+121000]
>> spamdyke[11483]: segfault at 0 ip 7fe0fa2b109e sp 7fff0257eb58 error 4 in libc-2.3.6.so[7fe0fa23d000+121000]
>> spamdyke[7549]: segfault at 0 ip 7fa12cee403b sp 7fff351b3788 error 4 in libc-2.3.6.so[7fa12ce7+121000]
>> spamdyke[8630]: segfault at 0 ip 7fa10f00b054 sp 7fff172da8b8 error 4 in libc-2.3.6.so[7fa10ef97000+121000]
>> spamdyke[25503]: segfault at 0 ip 7f4eff92a09e sp 7fff07bfa1d8 error 4 in libc-2.3.6.so[7f4eff8b6000+121000]
>> spamdyke[13349]: segfault at f272fdf8 ip 7fa5ea45e25f sp 7272bd08 error 4 in libc-2.3.6.so[7fa5ea3ea000+121000]
>>
>> If anybody can help me I will be grateful. The strange thing is that spamdyke continues working, but I see these in the log.
>>
>> Thanks for all,
>> Thiago Cesar
>> IT Director
>> MSN: [EMAIL PROTECTED]
>> Skype: thiago_ceor
>> ---
>> http://www.kionux.com.br
>> Kionux Soluções em Internet LTDA.
>> Rua Padre Montoya, 581 sala 02
>> CEP: 85850-000 Foz do Iguaçu - PR
>> Telephone: +55 (45) 3025-5864 / 3027-5864
Re: [spamdyke-users] Segfault spamdyke
4.0.5beta4 is now running on my system :)

Sam Clippinger wrote:
> The reference to libc-2.3.6.so just means that spamdyke is crashing while calling a library function. The segfault message would probably include the name of the function if libc had been compiled with debugging symbols included. Since those symbols are not available, the message can only give the address of the function within the library file. However, if my (latest) theory about these crashes is correct, the library function is memcpy(), which copies a block of data from one location to another in memory.
>
> Also, your server is crashing at address 0 as well, it just prints it in a different format (). I don't _know_ if this is the same bug, I just _hope_ that it is. :)
>
> -- Sam Clippinger
>
> David Stiller wrote:
>> A small difference from my system is that he'd been told the segfaults occur in libc-2.3.6.so, but also at 0 addresses. Do you think it's the same bug he hits, and does it help us with my server? Looking forward to getting this bug! :-)
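Sam's explanation of the segfault lines (the ip value is only meaningful relative to the library's load address, and "at 0" means a NULL pointer) can be turned into a small triage tool. What follows is an added example, not part of spamdyke: it parses kernel "segfault at" lines, converts the faulting ip into an offset within the named object so that crashes at the same call site group together across processes with different load addresses, and decodes the error code. The four lines are copied from Thiago's report earlier in this thread; the assumptions are that the lines come from an x86 Linux kernel (error bits: 0 = protection violation vs. page not present, 1 = write vs. read, 2 = user vs. kernel mode) and that a fault address below 0x1000 is treated as a NULL-pointer dereference.

```python
"""Decode kernel 'segfault at ...' log lines (added example; not part of spamdyke).

The four log lines below are copied from Thiago Cesar's report in this thread.
Assumptions: x86 Linux page-fault error code semantics, and fault addresses in the
first page (below 0x1000) treated as NULL-pointer dereferences.
"""
import re
from collections import defaultdict

SAMPLE_LINES = [
    "spamdyke[3729]: segfault at 9614a818 ip 7f8e8de792a6 sp 7fff96146728 error 4 in libc-2.3.6.so[7f8e8de05000+121000]",
    "spamdyke[26710]: segfault at 0 ip 7fa7f9a1c03b sp 7fff01cec2c8 error 4 in libc-2.3.6.so[7fa7f99a8000+121000]",
    "spamdyke[30603]: segfault at 0 ip 7f564d17d076 sp 7fff5544ca28 error 4 in libc-2.3.6.so[7f564d109000+121000]",
    "spamdyke[32070]: segfault at ff812ed8 ip 7f7ef753f2a6 sp 7f80ede8 error 4 in libc-2.3.6.so[7f7ef74cb000+121000]",
]

SEGFAULT_RE = re.compile(
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


def decode_error(code):
    """Describe an x86 page-fault error code (assumed meaning of the 'error N' field)."""
    mode = "user-mode" if code & 4 else "kernel-mode"
    access = "write" if code & 2 else "read"
    cause = "protection violation" if code & 1 else "page not present"
    return f"{mode} {access}, {cause}"


def parse_segfault(line):
    """Return a dict of decoded fields, or None if the line is not a segfault report."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    addr, ip = int(m["addr"], 16), int(m["ip"], 16)
    base, size = int(m["base"], 16), int(m["size"], 16)
    offset = ip - base  # position inside the mapped object; stable across processes
    return {
        "pid": int(m["pid"]),
        "object": m["obj"],
        "fault_addr": addr,
        "null_deref": addr < 0x1000,
        "offset": offset,
        "ip_in_object": 0 <= offset < size,
        "fault": decode_error(int(m["err"])),
    }


def group_by_offset(lines):
    """Map object-relative ip offset -> pids, so repeated call sites stand out."""
    groups = defaultdict(list)
    for line in lines:
        info = parse_segfault(line)
        if info and info["ip_in_object"]:
            groups[info["offset"]].append(info["pid"])
    return dict(groups)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        info = parse_segfault(line)
        print(f"pid {info['pid']}: {info['object']}+{info['offset']:#x} "
              f"addr={info['fault_addr']:#x} null={info['null_deref']} ({info['fault']})")
    shared = {hex(k): v for k, v in group_by_offset(SAMPLE_LINES).items() if len(v) > 1}
    print("offsets hit by more than one process:", shared)
```

On the posted lines the first and fourth crash land at the same libc offset despite different load addresses, while the "at 0" lines are NULL dereferences at nearby but distinct offsets; all four are user-mode reads of unmapped memory, consistent with the bad pointer, not a write, being the symptom.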
Re: [spamdyke-users] Segfault spamdyke
Hi!

I use the spamdyke Debian packages from:
http://peter.nameservice.mobi/download/debian/dists/unstable/main/binary-i386/spamdyke/

Maybe you can try these deb packages when you have trouble with your spamdyke?

- Peter

On Wednesday, 08.10.2008, 15:07 -0300, Thiago Cesar wrote:
> Hi all,
>
> I am using Debian with qmail and spamdyke, and in my log I see something like this:
>
> spamdyke[3729]: segfault at 9614a818 ip 7f8e8de792a6 sp 7fff96146728 error 4 in libc-2.3.6.so[7f8e8de05000+121000]
>
> If anybody can help me I will be grateful. The strange thing is that spamdyke continues working, but I see these in the log.
>
> Thanks for all,
> Thiago Cesar
Re: [spamdyke-users] Updated Spamdyke Statistics Script
Where can I get this script?

On Tue, Oct 7, 2008 at 8:38 PM, Felix Buenemann [EMAIL PROTECTED] wrote:
> On 07.10.2008 20:41 Uhr, Arthur Girardi wrote:
>> Hi Felix,
>>
>> Making use of the opportunity, I'd like to suggest you change line 25 of your script where it reads:
>>
>> if( m/spamdyke/ ){
>>
>> to
>>
>> if( m/spamdyke\[/ ){
>>
>> so it only uses spamdyke processes' lines, because if not it will also catch qmail log lines, for example messages from this very list, and end up putting lines like these in the report:
>>
>> 509 ERROR
>> 387 TIMEOUT
>> 21 [EMAIL PROTECTED]
>> ªHA‡o\' AKµ(R);Õ åw–Û/
>
> Thx, those regexes are still from the old script I based this on. The pattern extraction used there is not very perlish, using split etc., and could easily be compressed into a single regex. However, as a quick fix I'd use:
>
> if( m/spamdyke\[\d+\]: / ){
>
> which is even a bit stricter than your proposed patch.
>
>> Cheers
>> Arthur Girardi
>
> -- Felix
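Arthur's and Felix's point, that a bare /spamdyke/ also matches qmail lines that merely mention the list's address and so pollutes the report with garbage keys, is easy to reproduce. The block below is an added example and not Felix's statistics script: it runs the original loose pattern and Felix's stricter one over a few constructed syslog-style lines and tallies verdicts the way a split()-based report would. The log lines, the spamdyke verdict keywords, and the field position of the verdict are constructed assumptions about the log layout, not output copied from the thread.

```python
"""Why the stricter regex matters (added example; not Felix Buenemann's script).

SAMPLE_LOG is constructed to resemble syslog output on a qmail host running spamdyke:
three lines written by spamdyke processes and one qmail-send line that only mentions a
spamdyke.org address. The verdict being the word after the syslog tag is an assumption
about the report's split()-based extraction.
"""
import re
from collections import Counter

SAMPLE_LOG = [
    "Oct  8 10:00:01 mx spamdyke[4101]: DENIED_RBL_MATCH from: a@example.net to: b@example.org origin_ip: 192.0.2.10",
    "Oct  8 10:00:02 mx qmail: 1223460002.123456 info msg 7710: bytes 2048 from <spamdyke-users-bounces@spamdyke.org> qp 7811 uid 89",
    "Oct  8 10:00:03 mx spamdyke[4102]: ALLOWED from: c@example.com to: d@example.org origin_ip: 198.51.100.7",
    "Oct  8 10:00:09 mx spamdyke[4103]: TIMEOUT from: (unknown) to: (unknown) origin_ip: 203.0.113.44",
]

LOOSE = re.compile(r"spamdyke")            # the script's original line 25
STRICT = re.compile(r"spamdyke\[\d+\]: ")  # Felix's quick fix: process name, pid, colon


def select(lines, pattern):
    """Keep only the lines the given pattern accepts."""
    return [line for line in lines if pattern.search(line)]


def tally(lines, pattern):
    """Count verdicts the way a split()-based report would: the word after the syslog tag."""
    counts = Counter()
    for line in select(lines, pattern):
        fields = line.split()      # month, day, time, host, tag, verdict, ...
        counts[fields[5]] += 1
    return counts


if __name__ == "__main__":
    print("loose :", dict(tally(SAMPLE_LOG, LOOSE)))
    print("strict:", dict(tally(SAMPLE_LOG, STRICT)))
```

The loose pattern pulls in the qmail-send line and a timestamp ends up counted as a "verdict"; the strict pattern anchors on the process name, a bracketed pid and the colon, so only lines spamdyke itself wrote reach the tally.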
Re: [spamdyke-users] DKIM etc.
On Fri, Oct 3, 2008 at 5:52 PM, Eric Shubert [EMAIL PROTECTED] wrote:
> Felix Buenemann wrote:
>> Hi,
>>
>> I agree with Arthur and Bgs in that SPF is a smarter thing to check, because it can be done without checking headers and currently has a much wider distribution base. IMHO the only way to properly reject DKIM-failed mail is at the end of the DATA command, which is exactly how e.g. simscan rejects virii or spam mail. So IMHO DKIM verification is something to do for a queue handler, not a front end SMTP handler that is geared for high performance. (This is based on the assumption that spamdyke deals with 99% of the scam with very little CPU time, thus reducing server load and leaving more in-depth checks to those mails that slip through spamdyke's already tight web.)
>>
>> -- Felix
>
> Good thinking, Felix. Some things just don't belong in spamdyke as is.
>
> --
> -Eric 'shubes'

I am not sure if this has been implemented, but this should be at the top, right?

Fix the DNS spoofing bug by randomizing the outbound port with every query. Try not to panic about it like CERT/CC did.
Re: [spamdyke-users] DKIM etc.
Well, not necessarily. At the moment, spamdyke is only vulnerable to a very small part of the DNS spoofing attack. Most of the danger Dan Kaminsky discovered comes from caching -- a vulnerable host could cache incorrect DNS data sent by the attacker. spamdyke doesn't cache DNS information, so that's a moot point.

To be completely honest, there is a small danger that spamdyke could receive spoofed responses from an attacker, if the attacker sends packets with the correct ID numbers to the correct port before the real nameserver could respond. The chances of success are very, very low (but not zero) because each spamdyke process uses a different UDP port for its DNS traffic, which only remains open while the process is running. Also, the starting IDs for the queries are chosen randomly by each process. It's not like a BIND server that uses the same port for thousands of queries and increments its IDs in a predictable pattern.

If someone did manage to spoof responses to a spamdyke process, the most they could achieve would be an incorrect result for an RBL or rDNS query. As a result, if a message were accepted improperly, the only consequence is one piece of spam being delivered. Alternatively, if a legitimate message were rejected improperly, the sender would receive a bounce or the remote server would retry later (depending on the filter and the attacker's data). There's no way to corrupt or intercept email with this attack.

So, I plan to look at randomizing the query ports. It's not a complex change, so it'll probably be in the next feature-release or two. Because the risk is so low, I may not implement it if the overhead is too high. Either way, I plan to remain calmer than CERT/CC did. :)

-- Sam Clippinger

slamp slamp wrote:
> I am not sure if this has been implemented, but this should be at the top, right?
>
> Fix the DNS spoofing bug by randomizing the outbound port with every query. Try not to panic about it like CERT/CC did.