Re: [spamdyke-users] smtp auth
What is ls -la /home/vpopmail/bin/vchkpw and what is the user for the tcpserver?
What do you mean with preferring pop-before-smtp over smtp-auth?
You have no configuration file for spamdyke, and I have learned that access-file and local-domains-file must be present. These two options are not specified in your case.

----- Original Message -----
From: "Kulkarni Shantanu"
To:
Sent: Friday, September 25, 2009 6:54 PM
Subject: [spamdyke-users] smtp auth

> hello,
> i am trying smtp auth with spamdyke first time. previously i had used dr.
> hoffman's smtp auth patch on few other servers, but frankly i am a bit
> old-fashioned, preferring pop-before-smtp over smtp-auth.
>
> i have netqmail-1.05 (lwq style) install with john simpson's
> validrcptto.cdb path
> and vpopmail. my run file contains,
>
> tcpserver ... \
>    /var/qmail/bin/spamdyke408 --log-target stderr -lverbose -a 20 \
>    --smtp-auth-level always --smtp-auth-command /home/vpopmail/bin/vchkpw /bin/true \
>    /var/qmail/bin/qmail-smtpd
>
> but when i try,
>
> $ telnet XX.XXX.XX.XXX 465
> Trying XX.XXX.XX.XXX...
> Connected to XX.XXX.XX.XXX
> Escape character is '^]'.
> Connection closed by foreign host.
>
> smtp log show,
> @40004abcef43191735cc tcpserver: pid 31631 from 59.95.6.138
> @40004abcef4319174954 tcpserver: ok 31631 mail.xxx.xxx:XX.XXX.XX.XXX:465 :59.95.6.138::55002
> @40004abcef431dbd848c tcpserver: end 31631 status 0
> @40004abcef431dbd9fe4 tcpserver: status: 0/40
>
> i have re-read the smtp auth part in the README, but not getting what i
> am missing in the run file. some help will be great.
>
> thanks in advance.
> Shantanu
> --

___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
Re: [spamdyke-users] I do not get ALLOWED_AUTHENTICATED
I'll bite (whatever that means). Now for smtps, it works. I get

Sep 25 17:58:35 server spamdyke[12357]: DENIED_ACCESS_DENIED from: u...@mydomain.com to: k...@vip.cybercity.dk origin_ip: 81.27.49.150 origin_rdns: 0x535b3196.boanxx12.dynamic.dsl.tele.dk auth: (unknown)
Sep 25 18:00:48 server spamdyke[12361]: ERROR: authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): user

But I think I have a problem with ordinary SMTP connections from the local network, but I cannot test it now. I will return to the issue later.

----- Original Message -----
From: "Sam Clippinger"
To: "spamdyke users"
Sent: Friday, September 25, 2009 6:00 PM
Subject: Re: [spamdyke-users] I do not get ALLOWED_AUTHENTICATED

> The "ALLOWED_AUTHENTICATED" message will only appear in full log files,
> not in the syslog messages. When an authenticated connection is
> allowed, you will see "ALLOWED" in the syslog and the "auth:" field will
> contain the username.
>
> I should probably reword the documentation to make this more clear.
>
> -- Sam Clippinger
>
> David Bo Jensen wrote:
>> I only get ALLOWED
>> I have
>> server:/var/log# cat /etc/spamdyke.conf
>> access-file=/etc/spamdyke-relay
>> smtp-auth-level=always
>> smtp-auth-command=/usr/bin/checkpassword /bin/true
>> relay-level=normal
>>
>> server:/etc# cat spamdyke-relay
>> 192.168.1.:deny
>> 127.0.0.1:allow
>> :deny
>>
>> It should deny everything unless then sender authenticates. But
>> clients on
>> 192.168.1. seem able to send mails which
>> only prints ALLOWED in the logfile and not ALLOWED_AUTHENTICATED.
>> log-level is info
Re: [spamdyke-users] I do not get ALLOWED_AUTHENTICATED
All right, but I think I don't see any authentication failure notification either when the password is incorrect. It would be nice to see if somebody on my local network repeatedly tries to login.

"only appear in full log files"
you mean only when the full-log-dir is set?

----- Original Message -----
From: "Sam Clippinger"
To: "spamdyke users"
Sent: Friday, September 25, 2009 6:00 PM
Subject: Re: [spamdyke-users] I do not get ALLOWED_AUTHENTICATED

> The "ALLOWED_AUTHENTICATED" message will only appear in full log files,
> not in the syslog messages. When an authenticated connection is
> allowed, you will see "ALLOWED" in the syslog and the "auth:" field will
> contain the username.
>
> I should probably reword the documentation to make this more clear.
>
> -- Sam Clippinger
>
> David Bo Jensen wrote:
>> I only get ALLOWED
>> I have
>> server:/var/log# cat /etc/spamdyke.conf
>> access-file=/etc/spamdyke-relay
>> smtp-auth-level=always
>> smtp-auth-command=/usr/bin/checkpassword /bin/true
>> relay-level=normal
>>
>> server:/etc# cat spamdyke-relay
>> 192.168.1.:deny
>> 127.0.0.1:allow
>> :deny
>>
>> It should deny everything unless then sender authenticates. But
>> clients on
>> 192.168.1. seem able to send mails which
>> only prints ALLOWED in the logfile and not ALLOWED_AUTHENTICATED.
>> log-level is info
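Added example, not part of the thread and not spamdyke code: a Python sketch that reads syslog lines in the two formats quoted in this thread, counts failed logins per username, and separates ALLOWED deliveries whose "auth:" field names a user from those that were accepted without authentication. The sample lines, usernames, addresses and the threshold are constructed; treating "auth: (unknown)" as "nobody authenticated" is an assumption based on the DENIED line quoted above.

```python
import re
from collections import Counter

# Constructed sample in the syslog format quoted in this thread; hosts, users and IPs are made up.
SAMPLE = [
    "Sep 25 17:58:35 server spamdyke[12357]: DENIED_ACCESS_DENIED from: a@example.com to: b@example.net origin_ip: 192.0.2.10 origin_rdns: host.example.net auth: (unknown)",
    "Sep 25 18:00:48 server spamdyke[12361]: ERROR: authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): alice",
    "Sep 25 18:00:55 server spamdyke[12362]: ERROR: authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): alice",
    "Sep 25 18:01:02 server spamdyke[12363]: ERROR: authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): alice",
    "Sep 25 18:02:10 server spamdyke[12370]: ALLOWED from: c@example.com to: d@example.net origin_ip: 192.168.1.20 origin_rdns: (unknown) auth: (unknown)",
    "Sep 25 18:03:44 server spamdyke[12371]: ALLOWED from: bob@example.com to: d@example.net origin_ip: 198.51.100.7 origin_rdns: host7.example.net auth: bob",
    "Sep 25 18:04:01 server spamdyke[12372]: ERROR: authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): bob",
]

SUMMARY = re.compile(r"spamdyke\[\d+\]: (?P<result>[A-Z_]+) from: (?P<sender>\S*) to: (?P<rcpt>\S*) "
                     r"origin_ip: (?P<ip>\S+) origin_rdns: (?P<rdns>\S+) auth: (?P<auth>.+)$")
AUTH_FAIL = re.compile(r"spamdyke\[\d+\]: ERROR: authentication failure \(.*\): (?P<user>\S+)$")
NO_AUTH = "(unknown)"  # assumption: value of auth: when nobody authenticated


def summarize(lines, threshold=3):
    """Count failed logins per user and split ALLOWED deliveries by whether auth: names a user."""
    failures, authed, unauthed, denied = Counter(), Counter(), Counter(), Counter()
    for line in lines:
        line = line.rstrip()
        m = AUTH_FAIL.search(line)
        if m:
            failures[m["user"]] += 1
            continue
        m = SUMMARY.search(line)
        if not m:
            continue  # not a spamdyke connection summary
        if not m["result"].startswith("ALLOWED"):
            denied[m["result"]] += 1
        elif m["auth"].strip() == NO_AUTH:
            unauthed[m["ip"]] += 1  # accepted without SMTP AUTH
        else:
            authed[m["auth"].strip()] += 1
    flagged = sorted(u for u, n in failures.items() if n >= threshold)
    return {"failures": failures, "flagged": flagged, "authenticated": authed,
            "allowed_without_auth": unauthed, "denied": denied}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

The failure line as quoted in the thread carries only the username, so this counts repeated attempts per account rather than per client address.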
Re: [spamdyke-users] I can hardly make a SMTPS connection
Running the config test gave me some ERRORS. I added access-file and local-domains-file to my config file in order to remove some of them. Here is my result but remember I was root.

:/etc# /usr/local/bin/spamdyke -l -f /etc/spamdyke-smtps.conf --config-test-smtpauth-username user --config-test-smtpauth-password password --config-test /usr/sbin/qmail-smtpd 2>&1
spamdyke 4.0.10+TLS+CONFIGTEST+DEBUG (C)2008 Sam Clippinger, samc (at) silence (dot) org
http://www.spamdyke.org/

Use -h for an option summary or see README.html for complete option details.

Testing configuration...
WARNING: Running tests as superuser root(0), group root(0). These test results may not be valid if the mail server runs as another user.
SUCCESS: spamdyke binary (/usr/local/bin/spamdyke) is not owned by root and/or is not marked setuid.
INFO: Running command to test capabilities: /usr/sbin/qmail-smtpd
SUCCESS: /usr/sbin/qmail-smtpd does not appear to offer TLS support. spamdyke will offer, intercept and decrypt TLS traffic.
SUCCESS: /usr/sbin/qmail-smtpd does not appear to offer SMTP AUTH support. spamdyke will offer and process authentication.
INFO(access-file): Testing file read: /etc/spam-relays
SUCCESS(access-file): Opened for reading: /etc/spam-relays
INFO(config-file): Testing file read: /etc/spamdyke-smtps.conf
SUCCESS(config-file): Opened for reading: /etc/spamdyke-smtps.conf
INFO(local-domains-file): Testing file read: /etc/qmail/rcpthosts
SUCCESS(local-domains-file): Opened for reading: /etc/qmail/rcpthosts
INFO(smtp-auth-level): Examining authentication command: /usr/bin/chkpw.sh /bin/true
ERROR(smtp-auth-level): File is not executable: /usr/bin/chkpw.sh: Owner permissions apply but owner executable bit is not set

Is this not good enough?
>> -rwSr-x--- 1 root qmaild 38 2009-09-24 21:26 chkpw.sh

INFO(smtp-auth-level): Running authentication command with unencrypted input: /usr/bin/chkpw.sh /bin/true
SUCCESS(smtp-auth-level): Authentication succeeded with unencrypted input: /usr/bin/chkpw.sh /bin/true
INFO(smtp-auth-level): Running authentication command with encrypted input: /usr/bin/chkpw.sh /bin/true
ERROR: authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): user
ERROR(smtp-auth-level): Authentication failed with encrypted input: /usr/bin/chkpw.sh /bin/true

Is that a problem? I am using unencrypted login

INFO(tls-certificate-file): Testing TLS by initializing SSL/TLS library with certificate and key
SUCCESS(tls-certificate-file): Opened for reading: /etc/ssl/certs/stunnel.pem
SUCCESS(tls-certificate-file): Certificate and key loaded; SSL/TLS library successfully initialized
ERROR: Tests complete. Errors detected.

When spamdyke runs as qmaild, my mail client tells me that the connection was closed and in /var/log/mail.info I get

Sep 25 17:36:01 alleservices spamdyke[12289]: ERROR: unable to load SSL/TLS certificate from file: /etc/ssl/certs/stunnel.pem : The operation failed due to an I/O error, Unexpected EOF found, error:0200100D:lib(2):func(1):reason(13), error:20074002:lib(32):func(116):reason(2), error:140DC002:lib(20):func(220):reason(2)
Sep 25 17:36:01 alleservices spamdyke[12289]: ERROR: incorrect SSL/TLS private key password or SSL/TLS certificate/privatekey mismatch/etc/ssl/certs/stunnel.pem : A protocol or library failure occurred, error:140A80B1:lib(20):func(168):reason(177)
Sep 25 17:36:01 alleservices spamdyke[12289]: ERROR: unable to initialize SSL/TLS library
Sep 25 17:36:01 alleservices spamdyke[12289]: ERROR: unable to start SMTPS because TLS support is not available or an SSL/TLS certificate is not available; closing connection

This is very much the same errors I get if stunnel.pem is wrongly generated. (ex. missing certificate)

----- Original Message -----
From: "Sam Clippinger"
To: "spamdyke users"
Sent: Friday, September 25, 2009 5:54 PM
Subject: Re: [spamdyke-users] I can hardly make a SMTPS connection

> OK, I guess I'll bite... why can't you replace `id -u root` with `id -u
> qmaild`? Do you get errors? Does it crash? Does it malfunction? I
> really want to help, but you're not giving enough information to work
> with.
>
> Have you tried running spamdyke's "config-test" feature to look for
> problems?
>
> -- Sam Clippinger
>
> David Bo Jensen wrote:
>> I solved the problem with
>>
>> server:/# cat /etc/spamdyke-smtps.conf
>> log-level=verbose
>> tls-level=smtps
>> tls-certificate-file=/etc/ssl/certs/stunnel.pem
>> filter-level=require-auth
>> smtp-auth-level=ondemand
>> smtp-auth-command=/usr/bin/chkpw.sh /bin/true
>> relay-level=normal
>>
>> please notice the "filter-level", further more I have
>>
>> server:/etc# cat tcp.smtps
>> :allow,RELAYCLIENT=""
>>
>> However I have another issue. First look at
>>
>> server:/etc/ssl/certs# ls -la stunnel.pem
>> -rw-r- 1 root qmaild 2402 2009-09-23 10:03 stunnel.pem
>>
>> and /usr/bin
>> -rwxr-xr-x 1 root root 12360 2007-06-30 11:52 checkpas
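Added example, not part of the thread and not spamdyke code: a small Python model of the permission-class rule behind the config-test message "Owner permissions apply but owner executable bit is not set", applied to the `-rwSr-x---` mode listed for chkpw.sh. The numeric uid and gid values are constructed (the thread gives only the names root, qmaild and nobody), and the uid 0 bypass modelled here is Linux behaviour.

```python
import stat


def access_report(mode, file_uid, file_gid, proc_uid, proc_gids):
    """Model which permission class applies to a process and what it may do with the file."""
    if proc_uid == file_uid:
        cls, shift = "owner", 6
    elif file_gid in proc_gids:
        cls, shift = "group", 3
    else:
        cls, shift = "other", 0
    bits = (mode >> shift) & 0o7
    class_read, class_exec = bool(bits & 4), bool(bits & 1)
    any_exec = bool(mode & 0o111)
    is_root = proc_uid == 0
    warnings = []
    if mode & stat.S_ISUID and not mode & stat.S_IXUSR:
        warnings.append("setuid set but owner execute missing (ls shows 'S')")
    if is_root and any_exec and not class_exec:
        warnings.append("runs only because uid 0 bypasses the class check")
    return {
        "ls": stat.filemode(mode),
        "class": cls,
        "class_exec": class_exec,
        # uid 0 can read any file and execute any file with at least one x bit
        "can_read": class_read or is_root,
        "can_exec": any_exec if is_root else class_exec,
        "warnings": warnings,
    }


# Constructed ids; the thread names the accounts but gives no numbers.
ROOT, QMAILD_UID, QMAILD_GID, NOBODY_GID = 0, 64011, 64010, 65534
CHKPW_MODE = stat.S_IFREG | 0o4650  # renders as "-rwSr-x---"; owner root, group qmaild

if __name__ == "__main__":
    for label, uid, gids in [("root:nobody", ROOT, [NOBODY_GID]),
                             ("qmaild:nobody", QMAILD_UID, [NOBODY_GID]),
                             ("qmaild:qmaild", QMAILD_UID, [QMAILD_GID])]:
        print(label, access_report(CHKPW_MODE, ROOT, QMAILD_GID, uid, gids))
```

With these constructed ids, the file executes for uid 0 only through the root bypass, and a process running as qmaild can execute it only when its group list includes the file's group.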
[spamdyke-users] smtp auth
hello,
i am trying smtp auth with spamdyke first time. previously i had used dr. hoffman's smtp auth patch on few other servers, but frankly i am a bit old-fashioned, preferring pop-before-smtp over smtp-auth.

i have netqmail-1.05 (lwq style) install with john simpson's validrcptto.cdb path and vpopmail. my run file contains,

tcpserver ... \
   /var/qmail/bin/spamdyke408 --log-target stderr -lverbose -a 20 \
   --smtp-auth-level always --smtp-auth-command /home/vpopmail/bin/vchkpw /bin/true \
   /var/qmail/bin/qmail-smtpd

but when i try,

$ telnet XX.XXX.XX.XXX 465
Trying XX.XXX.XX.XXX...
Connected to XX.XXX.XX.XXX
Escape character is '^]'.
Connection closed by foreign host.

smtp log show,
@40004abcef43191735cc tcpserver: pid 31631 from 59.95.6.138
@40004abcef4319174954 tcpserver: ok 31631 mail.xxx.xxx:XX.XXX.XX.XXX:465 :59.95.6.138::55002
@40004abcef431dbd848c tcpserver: end 31631 status 0
@40004abcef431dbd9fe4 tcpserver: status: 0/40

i have re-read the smtp auth part in the README, but not getting what i am missing in the run file. some help will be great.

thanks in advance.
Shantanu
--
Re: [spamdyke-users] I do not get ALLOWED_AUTHENTICATED
The "ALLOWED_AUTHENTICATED" message will only appear in full log files, not in the syslog messages. When an authenticated connection is allowed, you will see "ALLOWED" in the syslog and the "auth:" field will contain the username.

I should probably reword the documentation to make this more clear.

-- Sam Clippinger

David Bo Jensen wrote:
> I only get ALLOWED
> I have
> server:/var/log# cat /etc/spamdyke.conf
> access-file=/etc/spamdyke-relay
> smtp-auth-level=always
> smtp-auth-command=/usr/bin/checkpassword /bin/true
> relay-level=normal
>
> server:/etc# cat spamdyke-relay
> 192.168.1.:deny
> 127.0.0.1:allow
> :deny
>
> It should deny everything unless then sender authenticates. But
> clients on
> 192.168.1. seem able to send mails which
> only prints ALLOWED in the logfile and not ALLOWED_AUTHENTICATED.
> log-level is info
Re: [spamdyke-users] I can hardly make a SMTPS connection
OK, I guess I'll bite... why can't you replace `id -u root` with `id -u qmaild`? Do you get errors? Does it crash? Does it malfunction? I really want to help, but you're not giving enough information to work with.

Have you tried running spamdyke's "config-test" feature to look for problems?

-- Sam Clippinger

David Bo Jensen wrote:
> I solved the problem with
>
> server:/# cat /etc/spamdyke-smtps.conf
> log-level=verbose
> tls-level=smtps
> tls-certificate-file=/etc/ssl/certs/stunnel.pem
> filter-level=require-auth
> smtp-auth-level=ondemand
> smtp-auth-command=/usr/bin/chkpw.sh /bin/true
> relay-level=normal
>
> please notice the "filter-level", further more I have
>
> server:/etc# cat tcp.smtps
> :allow,RELAYCLIENT=""
>
> However I have another issue. First look at
>
> server:/etc/ssl/certs# ls -la stunnel.pem
> -rw-r- 1 root qmaild 2402 2009-09-23 10:03 stunnel.pem
>
> and /usr/bin
> -rwxr-xr-x 1 root root 12360 2007-06-30 11:52 checkpassword
> -rwSr-x--- 1 root qmaild 38 2009-09-24 21:26 chkpw.sh
>
> chkpw.sh is a wrapper for checkpassword
>
> In /etc/init.d/qmail
>
> sh -c "start-stop-daemon --start --quiet --user qmaild \
>     --pidfile /var/run/tcpserver_smtpsd.pid --make-pidfile \
>     --exec /usr/bin/tcpserver -- -R -H \
>     -u `id -u root` -g `id -g nobody` -x /etc/tcp.smtps.cdb 0 smtps \
>     $rblsmtpd2 /usr/sbin/qmail-smtpd 2>&1 \
>     | $logger &"
>
> ($rblsmtpd2 is spamdyke see the whole file below.)
> I cannot replace `id -u root` with `id -u qmaild` why? It would be nice if
> spamdyke didn't have to run with root permissions for SSL connections.
> I am using debian etch 2.6.18. Please also notice my other thread about
> missing loggings for authentication.
>
> server:/usr/bin# cat /etc/init.d/qmail
> #!/bin/bash
> #
> # /etc/init.d/qmail : start or stop the qmail mail subsystem.
> #
> # Written by Christian Hudon
> # Currently maintained by Jon Marler
> #
> # Configuration
> #
>
> # set default delivery method
>
> #alias_empty="|/usr/sbin/qmail-procmail" # procmail delivery to /var/spool/mail
> alias_empty="./Maildir/" # This uses qmail prefered ~/Maildir/ directory
>                          # You may want to maildirmake /etc/skel/Maildir
> #alias_empty="./Mailbox" # This uses Mailbox file in users $HOME
>
> logger="splogger qmail 2" # facility mail == 2
> #logger="|accustamp >>/var/log/qmail.log" # If you have accustamp installed.
> #logger=">>/var/log/qmail.log" # Does not give timing info.
>
> # If you uncommented one of the lines that appends to /var/log/qmail.log, you
> # need to uncomment the following two lines.
> #touch /var/log/qmail.log
> #chown qmaill /var/log/qmail.log
>
> # If you want to use one or more of the Relay Black Lists, uncomment
> # the appropriate lines.
>
> rblmsg=
> rblsmtpd="/usr/local/bin/spamdyke -l -f /etc/spamdyke.conf"
> rblsmtpd2="/usr/local/bin/spamdyke -l -f /etc/spamdyke-smtps.conf"
> #rblmsg=" (with rblsmtpd)"
> #rblsmtpd="/usr/bin/rblsmtpd -r list.dsbl.org -r relays.ordb.org"
>
> #
> # End of configuration
> #
>
> test -x /usr/sbin/qmail-start || exit 0
> test -x /usr/sbin/qmail-send || exit 0
>
> case "$1" in
> start)
>     echo -n "Starting mail-transfer agent: qmail" $rblmsg
>     sh -c "start-stop-daemon --start --quiet --user qmails \
>         --exec /usr/sbin/qmail-send \
>         --startas /usr/sbin/qmail-start -- \"$alias_empty\" $logger &"
>     # prevent denial-of-service attacks, with ulimit
>     ulimit -v 16384
>     sh -c "start-stop-daemon --start --quiet --user qmaild \
>         --pidfile /var/run/tcpserver_smtpd.pid --make-pidfile \
>         --exec /usr/bin/tcpserver -- -R -H \
>         -u `id -u qmaild` -g `id -g nobody` -x /etc/tcp.smtp.cdb 0 smtp \
>         $rblsmtpd /usr/sbin/qmail-smtpd 2>&1 \
>         | $logger &"
>
>     sh -c "start-stop-daemon --start --quiet --user qmaild \
>         --pidfile /var/run/tcpserver_smtpsd.pid --make-pidfile \
>         --exec /usr/bin/tcpserver -- -R -H \
>         -u `id -u root` -g `id -g nobody` -x /etc/tcp.smtps.cdb 0 smtps \
>         $rblsmtpd2 /usr/sbin/qmail-smtpd 2>&1 \
>         | $logger &"
>
>     #Uncomment the following lines to automatically start the pop3 server
>     sh -c "start-stop-daemon --start --quiet --user root \
>         --pidfile /var/run/tcpserver_pop3d.pid --make-pidfile \
>         --exec /usr/bin/tcpserver -- -R -H \
>         0 pop-3 /usr/sbin/qmail-popup `hostname`.`dnsdomainname` \
>         /usr/bin/checkpassword /usr/sbin/qmail-pop3d Maildir &"
>
>     sh -c "start-stop-daemon --start --quiet --user root \
>         --pidfile /var/run/tcpserver_pop3sd.pid --make-pidfile \
>         --exec /usr/bin/tcpserver -- -R -H \
>         0 995 /usr/bin/stunne