Re: [spamdyke-users] Error unable to write to SSL/TLS stream
The timing in those log messages looks very suspicious to me -- it looks like the error occurs after exactly 5 minutes of inactivity. If spamdyke's timeout features are disabled, there must be some other link in your setup enforcing a 5 minute timeout. Just spitballing here, maybe it's a firewall or a load balancer? Is your qmail patched to invoke an external spam scanner or anything?

-- Sam Clippinger

> On Mar 3, 2021, at 11:22 AM, Alessio Cecchi via spamdyke-users wrote:
>
> Hi,
>
> when a specific company sends an email to us we receive the message many times, but only if they insert about 50 email addresses of the same domain into the recipients; if they send the same email to only one recipient all works fine.
> After some investigation, with "full-log-dir" enabled, we discovered that our qmail sends a "421 timeout" to the remote server, but when the email is already accepted, so the remote server tries again and so on.
>
> Debug log; please note the delay between the last "." and the error, five minutes, and note that the "421 timeout" error was sent before the "250 ok" from qmail:
>
> [...]
> 03/02/2021 12:03:00 FROM REMOTE TO CHILD: 3 bytes TLS
> .
>
> 03/02/2021 12:08:01 LOG OUTPUT TLS
> ERROR(tls_write()@tls.c:678): unable to write to SSL/TLS stream: The operation failed due to an I/O error, Connection reset by peer
> ERROR(output_writeln()@log.c:104): unable to write 37 bytes to file descriptor 1: Connection reset by peer
>
> 03/02/2021 12:08:01 FROM SPAMDYKE TO REMOTE: 37 bytes TLS
> 421 Timeout. Talk faster next time.
>
> 03/02/2021 12:08:01 LOG OUTPUT TLS
> TIMEOUT from: u...@company.biz to: u...@partnercompany.biz origin_ip: 40.107.3.43 origin_rdns: mail-eopbgr30043.outbound.protection.outlook.com auth: (unknown) encryption: TLS reason: TIMEOUT
>
> 03/02/2021 12:10:06 FROM CHILD, FILTERED: 28 bytes TLS
> 250 ok 1614683406 qp 12548
>
> 03/02/2021 12:10:06 - TLS ended and closed
>
> 03/02/2021 12:10:06 CLOSED
>
> So I set the timeout from 600 to 1200 in qmail-smtpd, removed "idle-timeout" from spamdyke, and disabled the softlimit; the error changed but the problem is still present:
>
> 03/02/2021 13:59:27 FROM REMOTE TO CHILD: 3 bytes TLS
> .
>
> 03/02/2021 14:06:34 LOG OUTPUT TLS
> ERROR(tls_write()@tls.c:678): unable to write to SSL/TLS stream: The operation failed due to an I/O error, Connection reset by peer
> ERROR(output_writeln()@log.c:104): unable to write 26 bytes to file descriptor 1: Connection reset by peer
>
> 03/02/2021 14:06:34 FROM CHILD TO REMOTE: 26 bytes TLS
> 250 ok 1614690394 qp 765
>
> 03/02/2021 14:06:34 LOG OUTPUT TLS
> ALLOWED from: u...@company.biz to: u...@partnercompany.biz origin_ip: 40.107.0.68 origin_rdns: mail-eopbgr00068.outbound.protection.outlook.com auth: (unknown) encryption: TLS reason: 250_ok_1614690394_qp_765
> [...]
> ALLOWED from: us...@company.biz to: us...@partnercompany.biz origin_ip: 40.107.0.68 origin_rdns: mail-eopbgr00068.outbound.protection.outlook.com auth: (unknown) encryption: TLS reason: 250_ok_1614690394_qp_765
> ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The operation failed due to an I/O error, Unexpected EOF found
>
> 03/02/2021 14:06:34 - TLS ended and closed
>
> 03/02/2021 14:06:34 CLOSED
>
> Any suggestions?
>
> Thanks
> --
> Alessio Cecchi
> Postmaster @ http://www.qboxmail.it
> https://www.linkedin.com/in/alessice
> _______________________________________________
> spamdyke-users mailing list
> spamdyke-users@spamdyke.org
> https://spamdyke.org/mailman/listinfo/spamdyke-users
Re: [spamdyke-users] how to block from= empty address
I'm sure this has been discussed before, but I don't think spamdyke will block empty senders (I haven't dug through the code to verify this though). Empty sender addresses are used by many mail servers to send bounce messages; blocking them would likely have some bad side effects. For what you're trying to do, take a look at the header blacklist feature. You should be able to block those spam messages with:

From:*.sicotti.nl*

-- Sam Clippinger

> On Feb 13, 2021, at 4:28 PM, Shane Bywater via spamdyke-users wrote:
>
> Hi,
>
> Recently I started receiving spam from addresses that show up in the Outlook mail client as info.qogo...@nwnsoyuqem.sicotti.nl or some other subdomain of sicotti.nl. I thought I could block these messages by adding @.sicotti.nl to the sender-blacklist-file but that didn't work. Upon further investigation in my server logs I see that the "from=" parameter shows nothing (i.e. blank) as can be seen below. I'm guessing that is why my blocking attempt is failing. How do I block emails with no "from=" information?
>
> Feb 13 16:42:12 ns3 /var/qmail/bin/relaylock[2062]: /var/qmail/bin/relaylock: mail from 52.252.134.30:43487 (adsfsdf-i25p.northcentralus.cloudapp.azure.com)
> Feb 13 16:42:13 ns3 qmail-queue-handlers[2065]: Handlers Filter before-queue for qmail started ...
> Feb 13 16:42:13 ns3 qmail-queue-handlers[2065]: from=
> Feb 13 16:42:13 ns3 qmail-queue-handlers[2065]: to=u...@domain.ca
> Feb 13 16:42:13 ns3 qmail-queue-handlers[2065]: handlers_stderr: INFO:__main__:No SMTP AUTH and not running in sendmail context (incoming or unrestricted outgoing mail). SKIP message.
> Feb 13 16:42:13 ns3 qmail-queue-handlers[2065]: handlers_stderr: SKIP
> Feb 13 16:42:13 ns3 qmail-queue-handlers[2065]: SKIP during call 'limit-out' handler
> Feb 13 16:42:13 ns3 check-quota[2071]: Starting the check-quota filter...
> Feb 13 16:42:13 ns3 qmail-queue-handlers[2065]: handlers_stderr: SKIP
> Feb 13 16:42:13 ns3 qmail-queue-handlers[2065]: SKIP during call 'check-quota' handler
> Feb 13 16:42:13 ns3 spf[2072]: Starting the spf filter...
> Feb 13 16:42:13 ns3 spf[2072]: SPF status: PASS
> Feb 13 16:42:13 ns3 qmail-queue-handlers[2065]: handlers_stderr: PASS
> Feb 13 16:42:13 ns3 qmail-queue-handlers[2065]: PASS during call 'spf' handler
> Feb 13 16:42:13 ns3 qmail-queue-handlers[2065]: starter: submitter[2073] exited normally
> Feb 13 16:42:13 ns3 qmail: 1613252533.502273 new msg 8150512
> Feb 13 16:42:13 ns3 qmail: 1613252533.502305 info msg 8150512: bytes 1852 from <> qp 2073 uid 2020
> Feb 13 16:42:13 ns3 spamdyke[2053]: ALLOWED from: (unknown) to: u...@domain.ca origin_ip: 52.252.134.30 origin_rdns: adsfsdf-i25p.northcentralus.cloudapp.azure.com auth: (unknown) encryption: (none) reason: $
>
> Regards,
> Shane Bywater
Re: [spamdyke-users] How to hide RBL name in responses
Unfortunately there's no option to hide the RBL name, but you could update the code to hide it. The log message is generated by filter.c on line 1692. If you change the 7th parameter to set_rejection() from this:

(tmp_buf[0] != '\0') ? tmp_buf : name_array[rbl_index]

to:

NULL

that should do it.

-- Sam Clippinger

> On Oct 12, 2020, at 3:57 AM, Alessio Cecchi via spamdyke-users wrote:
>
> Hi,
>
> since many commercial DNSBLs are providing access to their RBL with a "key" (e.g. 1234abcd.zen.dq.spamhaus.net.) we need to hide the RBL name in the response in order not to divulge our secret key.
>
> Can we customize the text response for IPs in an RBL with spamdyke, omitting the specific RBL name?
>
> I tried with "rejection-text-dns-blacklist" but the RBL is always shown.
>
> Thanks
> --
> Alessio Cecchi
> https://www.linkedin.com/in/alessice
Re: [spamdyke-users] FreeBSD 12.1 problems compiling with TLS
The configure script is trying to find the library that contains SSL_library_init() so it'll know what flags to use with gcc. It tries libssl and libcrypto, but obviously that isn't working on your new OS. The source code for the test program is in the config.log file along with the gcc commands it tested. If you could figure out the correct command to compile, we should be able to update the configure script to use it. It might just be a case of libcrypto.so being in an unexpected folder; it's possible just adding the -L flag or setting LIBRARY_PATH might fix it.

-- Sam Clippinger

> On Oct 22, 2020, at 3:10 PM, Pablo Murillo (rednet) via spamdyke-users wrote:
>
> Hi
>
> I'm upgrading a few servers from FreeBSD 11.4 to 12.1 and I found that the port for SpamDyke is broken, so I compiled "manually" and found a problem with OpenSSL.
> Spamdyke is not finding openssl, and openssl is installed.
>
> ./configure --enable-tls --without-debug-output
> checking for gcc... gcc
> checking whether the C compiler works... yes
> ...
> checking if openssl/ssl.h will include without additional include directories... yes
> checking for library containing RSA_sign... -lcrypto
> checking for library containing SSL_library_init... no
> configure: error: in `/root/spamdyke-5.0.1/spamdyke':
> configure: error: --enable-tls was given but OpenSSL was not found
>
> I'm sending the config.log attached
>
> Pablo Murillo
Re: [spamdyke-users] Infinite loop of logged errors: unable to read from SSL/TLS stream
2.8M lines in 34 seconds? Yikes! Sounds like an infinite loop. It's been a while since I've looked at that code (and I apologize I don't have time to go through it in detail), but that error message is only printed from one place in spamdyke's code. It runs when a TLS/SSL session is active and data is waiting to be read from the network connection. If tls_read() encountered an error in the OpenSSL library and didn't actually read any data, spamdyke's main loop would see data waiting and call tls_read() again. That could cause an infinite loop. If I'm reading the error message correctly, SSL_get_error() must have returned SSL_ERROR_SSL, which is the catch-all code for a protocol or library failure. I think reason 255 is SSL_R_UNKNOWN_STATE, another catch-all error code.

There are a few things you could try. As Bucky Carr pointed out, the softlimit program causes all kinds of problems and leads to very strange errors and crashes. If you can remove it, you should. If not, you could try increasing the memory limit (try doubling it) and see if that changes anything. Choosing a memory limit for softlimit is just a guessing game anyway; maybe you need to guess higher?

You could also try upgrading OpenSSL. Your version is very old and this spamdyke error may be caused by a bug OpenSSL has already fixed. (Plus, OpenSSL 1.0.1e contains a huge number of serious CVEs which upgrading would fix.)

And also you could try upgrading spamdyke. Between versions 4 and 5, I made a lot of changes and the changelog mentions tls_read() specifically. This could be a bug I've already fixed.

I hope that helps, good luck!

-- Sam Clippinger

> On Jun 24, 2020, at 11:36 PM, Quinn Comendant via spamdyke-users wrote:
>
> Hello all,
>
> Recently, I checked the smtp log files of my qmailtoaster server, and found millions of the following error message written to the smtp log:
>
> spamdyke[4875]: ERROR: unable to read from SSL/TLS stream: A protocol or library failure occurred, error:140800FF:lib(20):func(128):reason(255)
>
> I restarted the mail-related services (qmailctl stop && qmailctl start), and the errors stopped. I thought it was a fluke, since I had never seen this in the decade+ I've been managing this server. However, a few days later, I found the same thing. Again, I restarted and the errors stopped.
>
> The really weird thing is that all the errors that were logged (~ 2.8 million lines) occurred over 34 seconds (from 2020-06-25 03:47:58 to 2020-06-25 03:48:36)! I'd guess that only *one* error occurred (memory error? buffer-overrun?) which somehow caused an infinite loop of logging.
>
> Although the last logged error was at 2020-06-25 03:48:36, I didn't discover the issue until 2020-06-25 04:10, which means there was at least a 20 minute delay between when the log line was time-stamped and when the line was finally added to the log (perhaps caused by IO constraints).
>
> So there are a couple of issues I'm worried about:
>
> 1. why did spamdyke get stuck in an infinite loop?
> 2. what caused this error in the first place?
>
> Versions:
>
> OpenSSL 1.0.1e-fips 11 Feb 2013
> spamdyke 4.3.1+TLS+CONFIGTEST+DEBUG+EXCESSIVE
>
> Spamdyke is executed via the /var/qmail/supervise/smtp/run file:
>
> QMAILDUID=`id -u vpopmail`
> NOFILESGID=`id -g vpopmail`
> MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
> SPAMDYKE="/usr/bin/spamdyke"
> SPAMDYKE_CONF="/etc/spamdyke.conf"
> SMTPD="/var/qmail/bin/qmail-smtpd"
> TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
> HOSTNAME=`hostname`
> VCHKPW="/home/vpopmail/bin/vchkpw"
> REQUIRE_AUTH=0
>
> exec /usr/bin/softlimit -m 9900 \
> /usr/bin/tcpserver -R -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
> -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
> $SPAMDYKE --config-file $SPAMDYKE_CONF \
> $SMTPD $VCHKPW /bin/true 2>&1
>
> Thanks!
Re: [spamdyke-users] Segfault in spamdyke (libc-2.14.1.so) since use of version 5 | *** glibc detected *** /usr/local/bin/spamdyke: double free or corruption (fasttop):
It looks like a bug, but because spamdyke is compiled C, there's almost no way to tell how it happened. If you updated your OS but didn't update spamdyke, I'd suggest making sure you're on the latest version of spamdyke and recompiling it on your updated OS. If you still see crashes, the best way to troubleshoot them would be to find a reliable way to reproduce them -- using spamdyke's "full-log-dir" option to capture the input, for example. Failing that, I could send you some updates for your Makefile to recompile spamdyke with an address sanitizer that will produce much larger (and much more informative) crash messages.

-- Sam Clippinger

> On Mar 30, 2020, at 7:51 PM, Webtao via spamdyke-users wrote:
>
> Hi Sam,
>
> First of all, thank you for managing spamdyke :-)
>
> Lately, I updated my Centos 6.5 and suddenly got this error:
>
> *** glibc detected *** /usr/bin/spamdyke: double free or corruption (fasttop): 0x0127afe0 ***
> === Backtrace: =
> /lib64/libc.so.6(+0x75e5e)[0x7fad8a556e5e]
> /lib64/libc.so.6(+0x78cad)[0x7fad8a559cad]
> /usr/bin/spamdyke[0x41e7f7]
> /usr/bin/spamdyke[0x41797e]
> /lib64/libc.so.6(__libc_start_main+0x100)[0x7fad8a4ffd20]
> /usr/bin/spamdyke[0x402849]
>
> Do you have any idea how to resolve this?
>
> Thank you for your help,
> Lenawaii
Re: [spamdyke-users] Can I get SD going with IndiMail
Yikes! I don't think that's going to be possible. spamdyke was written specifically for qmail and makes a lot of assumptions about how qmail works. For example, the way it controls relaying is by setting an environment variable that qmail checks, it reads lots of files from /var/qmail that must be in qmail's peculiar formats, etc. It's very unlikely any other mail software is going to work the same way (I would hope not!).

As for running spamdyke in a non-proxying mode that can just evaluate the input and return a code, it doesn't currently do that either. I'm not sure how well that would work anyway -- most of spamdyke's filters rely on intercepting the SMTP protocol before the message actually begins, only one or two filters examine the message content itself.

I've long wanted to restructure spamdyke to work as a more basic SMTP proxy -- accept an incoming TCP connection and open an outgoing TCP connection, then forward everything along and cut it off if a filter is tripped. That would let it work seamlessly with any email server, not just qmail. That would also provide a chance to rework spamdyke's configuration and remove its dependence on qmail-specific files. It might even be time to reimplement spamdyke in a different language (probably Go). Unfortunately my life has changed dramatically over the last few years and my free time now is measured in (a small number of) minutes per week and spamdyke development is off the table. If anyone else is interested in picking up the torch, I'd be happy to help migrate the project to Github (or similar) and consult if desired.

-- Sam Clippinger

> On Mar 29, 2020, at 2:32 AM, Philip Rhoades via spamdyke-users wrote:
>
> Sam,
>
> I am gradually getting organised to change my netqmail installation over to IndiMail:
>
> http://www.indimail.org
>
> but have struck problems with getting SD working with it. It looks like SD is hard-coded to expect stuff to be in:
>
> /var/qmail
>
> What files does SD need from qmail?
>
> Is there a non-SMTP invocation which just takes mail on stdin and outputs the same on stdout and exits with a return value depending on whether the mail was spam or not spam? i.e. exits with some return value?
>
> Thanks,
>
> Phil.
> --
> Philip Rhoades
>
> PO Box 896
> Cowra NSW 2794
> Australia
> E-mail: p...@pricom.com.au
Re: [spamdyke-users] SERVFAIL on dns-server-ip-primary does not fail-over
Sorry, I missed your earlier email. I'll try to answer both questions here.

Unless you're setting spamdyke's dns-level option, it should be using the primary servers in order, followed by the secondary servers in order, every time it runs. If you're just setting the three DNS servers and not using any other dns-* options, the logic should look like this:

Total DNS query time is 30 seconds (override with dns-timeout-secs)
Max number of DNS queries to primary servers before using secondaries is 1 (override with dns-max-retries-primary)
Max number of DNS queries total is 3 (override with dns-max-retries-total)
Send query packet to 127.0.0.1, wait 10 seconds for a response (total query time divided by max number of queries)
If a response is received, use it and stop.
Send query packet to 10.128.0.9, wait 10 seconds for a response
If a response is received, use it and stop.
The number of queries to primary servers is greater than 1, start using secondaries as well
Send query packet to 169.254.169.254, wait 10 seconds for a response
If a response is received, use it. Otherwise exit with no response.

Randomizing the order of the servers would probably be a good idea (or option). I think I didn't do that because I was trying to imitate the behavior of the system resolver library, which uses the servers in /etc/resolv.conf in order every time.

Looking at the code in dns.c, spamdyke treats an empty response as "not found" and doesn't check whether it was due to SERVFAIL or NXDOMAIN. If memory serves, I did this because there's no real difference between them as far as spamdyke is concerned. In other words, NXDOMAIN means the domain doesn't exist at all while SERVFAIL means the domain exists but no records can be found (usually because the authoritative servers aren't responding). Either way, the mail should be rejected with a temporary code so the sender will try again later (hoping the problem will resolve itself in the meantime). If the problem persists long enough, the message(s) may bounce. Unfortunately there's no DNS code to indicate the server is malfunctioning and shouldn't be used -- spamdyke expects it to stop sending responses when that happens.

-- Sam Clippinger

> On Mar 11, 2019, at 6:58 PM, Quinn Comendant via spamdyke-users wrote:
>
> We had an incident where both our local caching name servers stopped working. They returned SERVFAIL (see example below). They were set as the "dns-server-ip-primary" and our host-provided DNS server was set as the "dns-server-ip". Because the primaries were failing, I would expect spamdyke to automatically switch to resolve via the server set under "dns-server-ip". Instead, spamdyke just rejected all our mail for a few hours with DENIED_RDNS_MISSING. The host-provided name server was functioning fine.
>
> This is the config:
>
> dns-server-ip-primary=127.0.0.1      # Local caching name server
> dns-server-ip-primary=10.128.0.9     # Another local caching name server
> dns-server-ip=169.254.169.254        # Host-provided name server
>
> This is an example response from a query to either of the primary DNS servers:
>
> {q@oak3~} dig @10.128.0.9 apple.com mx
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> @10.128.0.9 apple.com mx
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52266
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;apple.com. IN MX
>
> ;; Query time: 15 msec
> ;; SERVER: 10.128.0.9#53(10.128.0.9)
> ;; WHEN: Mon Mar 11 05:10:32 2019
> ;; MSG SIZE rcvd: 27
>
> Am I wrong to expect spamdyke to fail over to the non-primary server on a SERVFAIL?
>
> Quinn
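The query order and fail-over rule Sam describes above, as an added simulation that is not spamdyke's dns.c: the servers and their answers are constructed to match the incident in the thread (two SERVFAIL-ing primaries, one working secondary), and the servfail_is_answer switch is a hypothetical knob added only to contrast the behaviour, not a real spamdyke option.

```python
# Simulation of the DNS query scheduling described in the reply above.
# Not spamdyke's own code: the rules are modelled on the description, and
# servfail_is_answer is a hypothetical switch for comparison only.

# Constructed scenarios. A server is (ip, behaviour): a list of records for a
# normal answer, "SERVFAIL" or "NXDOMAIN" for an empty reply, None for silence.
PRIMARIES_SERVFAIL = [("127.0.0.1", "SERVFAIL"), ("10.128.0.9", "SERVFAIL")]
PRIMARIES_SILENT = [("127.0.0.1", None), ("10.128.0.9", None)]
SECONDARY = [("169.254.169.254", ["10 mx.example.invalid."])]  # placeholder record


def query_plan(primaries, secondaries, max_primary=1, max_total=3):
    """Order in which servers get a query packet.

    Servers are cycled in order (primaries first, imitating resolv.conf);
    secondaries join the rotation only once the primaries have been queried
    more than max_primary times, and at most max_total packets are sent.
    """
    servers = [(ip, True) for ip in primaries] + [(ip, False) for ip in secondaries]
    plan, sent_primary, pos = [], 0, 0
    while servers and len(plan) < max_total:
        ip, is_primary = servers[pos % len(servers)]
        pos += 1
        if is_primary:
            sent_primary += 1
        elif primaries and sent_primary <= max_primary:
            continue  # secondaries are not in play yet
        plan.append(ip)
    return plan


def resolve(primaries, secondaries, timeout_secs=30, max_primary=1,
            max_total=3, servfail_is_answer=True):
    """Run the plan against the scripted servers and report what happened.

    Any reply, even an empty one, ends the lookup: SERVFAIL and NXDOMAIN are
    both "not found", which is why a SERVFAIL-ing primary never fails over.
    Only silence costs the per-query wait and moves on to the next server.
    """
    per_query = timeout_secs / max_total
    behaviour = dict(primaries + secondaries)
    trace, elapsed = [], 0.0
    plan = query_plan([ip for ip, _ in primaries], [ip for ip, _ in secondaries],
                      max_primary, max_total)
    for ip in plan:
        reply = behaviour[ip]
        if reply is None:
            elapsed += per_query
            trace.append((ip, "no reply after %gs" % per_query))
            continue
        trace.append((ip, reply if isinstance(reply, str) else "NOERROR"))
        if reply == "SERVFAIL" and not servfail_is_answer:
            continue  # hypothetical variant: treat SERVFAIL like silence
        if isinstance(reply, list):
            return {"result": "found", "records": reply, "trace": trace, "elapsed": elapsed}
        return {"result": "not_found", "records": [], "trace": trace, "elapsed": elapsed}
    return {"result": "no_response", "records": [], "trace": trace, "elapsed": elapsed}


if __name__ == "__main__":
    # The incident in the thread: both caching servers answer SERVFAIL, so the
    # first reply counts as "not found" and the host-provided server is never asked.
    print(resolve(PRIMARIES_SERVFAIL, SECONDARY))
    # Silent primaries do fail over, after 2 x 10 seconds of waiting.
    print(resolve(PRIMARIES_SILENT, SECONDARY))
    # With the hypothetical switch, SERVFAIL falls through to the next server.
    print(resolve(PRIMARIES_SERVFAIL, SECONDARY, servfail_is_answer=False))
```

A "not_found" result for a reverse lookup is what surfaces as DENIED_RDNS_MISSING in the poster's logs, so a local resolver that answers SERVFAIL needs its own health check; spamdyke will not route around it.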
Re: [spamdyke-users] TLS and LibreSSL
I have no idea -- I've never used LibreSSL. As long as they've only updated the internal library code and not changed the API, it'll probably work fine.

-- Sam Clippinger

On May 26, 2018, at 2:42 PM, BC via spamdyke-users wrote:

> Will spamdyke compile with TLS using the LibreSSL libraries?
Re: [spamdyke-users] ip-whitelist-entry Not Working
Yes and no -- comment delimiters are only allowed at the start of a line, not in the middle (allowing mid-line comments would have required making the config file parser much smarter). However, because the parser is expecting to find an IP address on each line and the line begins with an IP address, it matches. Technically that's a bug... but it's helpful in this case.

If the message "FILTER_WHITELIST_IP" is appearing, the IP is matching the entry and the connection is being whitelisted; the message should be getting delivered. What other log messages are you seeing from spamdyke? Are there any DENIED log entries? If you aren't seeing either ALLOWED or DENIED, the client isn't completing the SMTP transaction for some reason. Sometimes this happens when spamdyke injects its output into the SMTP transaction and a client is written to expect a very specific response. I suggest using the full-log-dir option to capture the entire transaction to a file so you can see exactly what each side is sending and where the connection is being broken.

-- Sam Clippinger

On Jun 3, 2018, at 1:41 PM, Eric Broch via spamdyke-users wrote:

> can you have a comment (# philsdiscourse) on your IP whitelist entry line?
> maybe, remove '#philsdiscourse' and see what happens.
>
>
> On 6/3/2018 12:05 PM, Philip Rhoades via spamdyke-users wrote:
>> People,
>>
>> I am trying to use my host qmail server as a relay for a docker container that is running on the host but mails are not being accepted - I have this in spamdyke.conf:
>>
>> ip-whitelist-entry=172.17.0.6 # philsdiscourse
>>
>> and I see this in the logs:
>>
>> Jun 4 03:53:59 prix spamdyke[28801]: FILTER_RDNS_MISSING ip: 172.17.0.6
>> Jun 4 03:53:59 prix spamdyke[28801]: FILTER_WHITELIST_IP ip: 172.17.0.6 entry: 172.17.0.6 # philsdiscourse
>>
>> but there is no ALLOW line that follows and the mail fails to be delivered - what am I missing? If I use swaks from the container, mail does get delivered OK but that is because spamdyke is being bypassed . .
>>
>> Thanks,
>>
>> Phil.
>
> --
> Eric Broch
> White Horse Technical Consulting (WHTC)
Re: [spamdyke-users] Block senders based on username
Unfortunately no, spamdyke can't block messages based only on the username. It has a wildcard format to block any username at a given domain name but no wildcard to block a given username at any domain. However, if the sender also puts the username in the "From" line of the message, the header blacklist filter could block it. Hopefully that would work for you.

-- Sam Clippinger

On Oct 15, 2017, at 3:26 PM, mohaa via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

> Marcin, of course I did and both do not match my situation.
> If you mean "it is not described, so it doesn't work" - then you are right.
>
> Regards,
> Arne
>
>> mohaa via spamdyke-users wrote on 15.10.2017 22:02:
>>> Is it possible to block senders based on the username in their sender address?
>>> Like block all sales@
>> RTFM? :)
>> https://www.spamdyke.org/documentation/README.html#REJECTING_SENDERS
>> +
>> https://www.spamdyke.org/documentation/README.html#HEADERS
>> Regards,
Re: [spamdyke-users] Question about headers
Keep in mind that "Received" lines are written in reverse order, so the top line is always the newest. Also, "Received" lines are trivial to fake and spammers often do insert fake lines to throw off scanners.

But assuming all the lines you sent are genuine, it looks like user 3048 invoked a qmail command somehow (e.g. command line, webmail, spambot) and created a message (line 6), which then connected to a qmail daemon over a network socket and delivered it (line 5). Line 4 shows it arriving at mx2.serversur.net from 204.58.254.207. That IP is not smtp.wpac.com, even though its reverse DNS claims it is. Also, connecting to 204.58.254.207 on port 465 shows a Sendmail greeting banner, not qmail, so it's unlikely lines 5 and 6 were generated by that server. Line 3 shows the message arriving at smtp.wpac.com from 188.33.156.68. The rest of this line seems to match the Sendmail version in the greeting banner on 204.58.254.207. Line 2 shows the message arriving on rng031.serversur.net from 192.168.0.103 -- I'm guessing this is where your edge server delivered to your internal server. Line 1 shows qmail on the internal server accepting the message.

Personally, I think lines 3-6 are bogus. The timestamps don't make sense (the message seems to travel forwards and backwards in time), the order of deliveries doesn't make sense and the DNS records don't match up. If line 4 is correct and the message really passed through mx2.serversur.net twice, the logs on that server should show it. I'd trust your logs, not the message headers.

-- Sam Clippinger

On Aug 22, 2017, at 2:00 PM, Pablo Murillo <p...@rednetgroup.com> wrote:

> Hi
>
> I'm a little confused.
> We have 4 MXs, the names are mx1.serversur.net to mx4; every one has the same spamdyke.conf and delivers the valid emails over the internal network to the corresponding server.
> So ... I have these headers of an email that is SPAM, and now I'm lost.
>
> From what I see in the 1st Received, the email is generated for the UID of the user assigned to the domain (this is right, the UID belongs to the user we assigned to the domain).
> The 3rd Received is 204.58.254.207 receiving an email from my MX2 server? Is this right? Or am I misreading the headers?
>
> -
> Received: (qmail 5105 invoked from network); 22 Aug 2017 13:18:28 -
> Received: from unknown (HELO mx2.serversur.net) (192.168.0.103)
>   by rng031.serversur.net with SMTP; 22 Aug 2017 13:22:18 -
> Received: from 10.0.0.40 (user-188-33-156-68.play-internet.pl [188.33.156.68])
>   (authenticated bits=0)
>   by smtp.wpac.com (8.14.4/8.14.4) with ESMTP id v7MDVVfi011904
>   (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
>   for <siste...@.com.ar>; Tue, 22 Aug 2017 06:32:22 -0700
> Received: from unknown (HELO smtp.wpac.com) (204.58.254.207)
>   by mx2.serversur.net with SMTP; 22 Aug 2017 13:18:28 -
> Received: (qmail 60824 invoked from network); 22 Aug 2017 13:22:18 -
> Received: (qmail 60837 invoked by uid 3048); 22 Aug 2017 13:22:18 -
> From: <danielplace...@.com.ar>
> To: <siste...@.com.ar>
> Date: Tue, 22 Aug 2017 11:32:24 -0300
> Message-ID: 198706278.2017822133...@.com.ar
> -
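A small checker for the two tests Sam applies to that chain (do the timestamps move forward hop by hop, and does each hop's sender name the host that received the previous one), added here as an example and not code from the thread or from spamdyke. The sample Received values are constructed from the ones Pablo posted, with recipient addresses left redacted and the zone suffixes the archive truncated written as "-0000" (an assumption).

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the Received chain quoted in the post above.
# Recipient addresses stay redacted, and the zone suffixes the archive cut
# down to "-" are written as "-0000" here (an assumption). Newest hop first.
SAMPLE_RECEIVED = [
    "(qmail 5105 invoked from network); 22 Aug 2017 13:18:28 -0000",
    "from unknown (HELO mx2.serversur.net) (192.168.0.103) "
    "by rng031.serversur.net with SMTP; 22 Aug 2017 13:22:18 -0000",
    "from 10.0.0.40 (user-188-33-156-68.play-internet.pl [188.33.156.68]) "
    "(authenticated bits=0) by smtp.wpac.com (8.14.4/8.14.4) with ESMTP id "
    "v7MDVVfi011904 for <redacted>; Tue, 22 Aug 2017 06:32:22 -0700",
    "from unknown (HELO smtp.wpac.com) (204.58.254.207) "
    "by mx2.serversur.net with SMTP; 22 Aug 2017 13:18:28 -0000",
    "(qmail 60824 invoked from network); 22 Aug 2017 13:22:18 -0000",
    "(qmail 60837 invoked by uid 3048); 22 Aug 2017 13:22:18 -0000",
]

_FROM_RE = re.compile(r"^from\s+(\S+)")
_HELO_RE = re.compile(r"\(HELO\s+([^)\s]+)\)")
_BY_RE = re.compile(r"\bby\s+([^\s(;]+)")
_IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def parse_received(value):
    """Split one Received header value into the fields the post discusses.

    Local qmail hops ("(qmail ... invoked ...)") carry no from/by clause,
    so only the timestamp is recorded for them.
    """
    hop = {"from": None, "by": None, "ip": None, "when": None}
    m = _FROM_RE.match(value)
    if m:
        helo = _HELO_RE.search(value)
        hop["from"] = (helo.group(1) if helo else m.group(1)).lower()
        by = _BY_RE.search(value)
        hop["by"] = by.group(1).lower() if by else None
        ip = _IP_RE.search(value)
        hop["ip"] = ip.group(1) if ip else None
    # The date is everything after the last ';' (RFC 5322 Received syntax).
    when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
    if when.tzinfo is None:  # "-0000" parses as a naive datetime; treat as UTC
        when = when.replace(tzinfo=timezone.utc)
    hop["when"] = when
    return hop


def check_chain(received_values):
    """Walk the chain oldest-first and return (hop_index, kind, detail) tuples.

    Headers are prepended as the message travels, so the last Received line
    is hop 0. kind is "time" when a hop is stamped earlier than the hop
    before it and "link" when a hop's sender does not name the host that
    received the previous hop. Both are heuristics (HELO names are
    self-reported, clocks drift), so a hit is a reason to check server logs.
    """
    hops = [parse_received(v) for v in reversed(received_values)]
    anomalies = []
    for i in range(1, len(hops)):
        prev, cur = hops[i - 1], hops[i]
        if cur["when"] < prev["when"]:
            anomalies.append((i, "time", f'{cur["when"]} is before {prev["when"]}'))
        if prev["by"] and cur["from"] and cur["from"] != prev["by"]:
            anomalies.append((i, "link",
                              f'received by {prev["by"]} but next hop came from {cur["from"]}'))
    return anomalies


if __name__ == "__main__":
    for idx, kind, detail in check_chain(SAMPLE_RECEIVED):
        print(f"hop {idx} ({kind}): {detail}")
```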
Re: [spamdyke-users] Rejecting Messages by Header Content question
Any message headers can be filtered. On my own server, most of my filters are for "From" and "Subject", but one very persistent spammer recently forced me to add a "To" filter as well. I try to add as few header filters as possible, but it just depends what the incoming spam looks like.

-- Sam Clippinger

On Aug 18, 2017, at 12:02 PM, Pablo Murillo (rednet) via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

> Hi
>
> Which are the valid headers to filter?
>
> I think the obvious ones are:
> FROM
> SUBJECT
> REPLY-TO
>
> But..
>
> Return-Path:
> Message-ID:
> Received:
> List-*
>
> Are they allowed?
Re: [spamdyke-users] Graylisting delivery failure notifications
That's very unusual, it sounds like a setting on their server. It's been a long time, but I remember a setting on old sendmail servers that would send an "advisory message" if an email had been sitting in the queue too long. It was just a "by the way" notice (and it always confused every user who received it), saying the server had failed to deliver the message so far but it would continue trying for X hours. Maybe something like that is happening here -- the message is being stopped by graylisting but the remote server doesn't retry it very often, so it sits in the queue long enough to send a warning to the user? I suppose you could fix it by either reducing the overall graylisting time on your server or by turning off graylisting for messages from their domain (using a configuration directory).

-- Sam Clippinger

On Aug 18, 2017, at 11:24 AM, Quinn Comendant via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

> A client using our Spamdyke-enabled mail server has reported that someone sending them an email received a "bounce" message notifying the sender that the message has been graylisted (see the delivery failure notification below). They did receive the message (graylisting works well for us).
>
> This is the first time I've heard of a soft failure resulting in a notification returning to the sender. If graylisting is a common practice, these notifications must be terribly annoying; however the sender (from the cdph.ca.gov network) seems surprised by the message. So either: A) graylisting is not very common, or B) cdph.ca.gov has an uncommon setup that sends annoying bounce messages.
>
> If graylisting will result in annoying senders with delivery failure notifications, I'd prefer to avoid that by disabling graylisting (doesn't matter who is to blame, what the RFCs say, etc).
>
> What do y'all think?
>
> Regards,
> Quinn
>
> The delivery failure notification received:
>
>> Hi Barb and Steph -
>>
>> When the email below went out yesterday, the following message was received:
>>
>> redac...@clientdomain.org...
>> Deferred: 421 Your address has been graylisted. Try again later.
>>
>> redac...@clientdomain.org...
>> Deferred: 421 Your address has been graylisted. Try again later.
>>
>> Patricia <redac...@cdph.ca.gov>
>> Care Operations Advisor
>> Office of AIDS
>> California Department of Public Health
Re: [spamdyke-users] for some recipients, skip graylisting
Unfortunately, there really isn't a more elegant way. You could either add them to a recipient whitelist file, which would bypass all filters, or you could use the addresses to create files in a config-dir folder to just turn off graylisting for those addresses. But neither of those options will match a glob pattern, they'll only match a list of specific addresses. Sorry!

-- Sam Clippinger

On May 19, 2017, at 3:30 PM, Amitai Schleier via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

> I use spamdyke's graylisting feature for all incoming mail. I still generally find it helpful. (Thanks!)
>
> I have a set of addresses that are purpose-specific and unpublicized, and I'd like to skip graylisting for messages addressed to these recipients.
>
> [Spammers, please stop reading here ;-)]
>
> The recipient addresses I'd like to whitelist match the glob "schmonz-web-*@schmonz.com". Most of them don't have their own .qmail instructions, so I can't generate a list of addresses from .qmail files. They mostly all deliver via a matching .qmail-default (specifically, .qmail-com-schmonz-web-default).
>
> I _do_ want to continue graylisting everything else @schmonz.com.
>
> Do I need to scan my email archive, build up a list of every schmonz-web-foo recipient I want to whitelist, put them all in a recipient-whitelist-file, and keep that file up-to-date as I invent new addresses? Or is there a more elegant way to do what I want?
>
> Thanks,
>
> - Amitai
Re: [spamdyke-users] reject-sender - Looking for a new feature
That would be pretty challenging to add. spamdyke can already require the sender address to match the domain of the authentication username (reject-sender=authentication-domain-mismatch) but it doesn't read qmail's "assign" file at all. In the long term, the best way to add something like this would probably be to allow spamdyke to run custom commands/scripts that perform additional checks. That would make it much easier to add one-off filters.

-- Sam Clippinger

On May 9, 2017, at 3:33 PM, Pablo Murillo (rednet) via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

> Hi
>
> I'm looking for an option where the user logs in with u...@domain.com and writes emails with u...@domain.com.ar; this is because we have many domains with aliases (Vpopmail aliases)
>
> The reject-sender=not-local solves part of the problem, but not all
>
> Is there a chance to have a new option where the same user but with a different domain can be accepted only if the domain is an alias of the login domain?
>
> Vpopmail uses the file [QMAIL-DIR]/users/assign to "create" the alias domains
>
> Is it too complex?
>
> Pablo Murillo
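The check Pablo asks for, written as an added example outside spamdyke (this is not spamdyke's code and not the custom-command feature Sam mentions, which does not exist): read qmail's users/assign, group domains that share a home directory as vpopmail aliases, and accept an authenticated sender only if its domain is the login domain or one of its aliases. The assign line layout `+<domain>-:<user>:<uid>:<gid>:<homedir>:-::` with an alias domain's homedir pointing at the real domain's directory is an assumption about vpopmail's output, and the sample file is constructed.

```python
"""Added example, not part of spamdyke: accept an authenticated user's envelope
sender only when its domain is the login domain or a vpopmail alias of it,
judged from qmail's users/assign.
Assumed (not from the thread) assign line layout:
    +<domain>-:<user>:<uid>:<gid>:<homedir>:-::
where an alias domain's homedir points at the real domain's directory, so
domains that share a homedir are treated as aliases of each other."""


def parse_assign(text):
    """Map every '+<domain>-' wildcard entry in users/assign to its home directory."""
    homes = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == ".":                      # qmail terminates the file with a lone dot
            break
        fields = line.split(":")
        key = fields[0]
        if len(fields) < 5 or not (key.startswith("+") and key.endswith("-")):
            continue                         # skip anything that is not a '+<name>-:' entry
        homes[key[1:-1].lower()] = fields[4]
    return homes


def alias_domains(homes, domain):
    """All domains (the domain itself included) that share domain's home directory."""
    home = homes.get(domain.lower())
    if home is None:
        return set()
    return {d for d, h in homes.items() if h == home}


def sender_allowed(login, sender, homes, same_user=True):
    """True if sender's domain is the login domain or one of its aliases.
    With same_user=True the local part must equal the login name as well,
    which is the 'same user, different domain' case from the thread."""
    luser, _, ldomain = login.lower().rpartition("@")
    suser, _, sdomain = sender.lower().rpartition("@")
    if not ldomain or not sdomain:
        return False
    if same_user and luser != suser:
        return False
    return sdomain in alias_domains(homes, ldomain)


# Constructed users/assign: domain.com.ar is an alias of domain.com, other.net is separate.
SAMPLE_ASSIGN = """\
+domain.com-:domain.com:89:89:/home/vpopmail/domains/domain.com:-::
+domain.com.ar-:domain.com:89:89:/home/vpopmail/domains/domain.com:-::
+other.net-:other.net:89:89:/home/vpopmail/domains/other.net:-::
.
"""

if __name__ == "__main__":
    homes = parse_assign(SAMPLE_ASSIGN)
    for login, sender in [("user@domain.com", "user@domain.com.ar"),
                          ("user@domain.com", "user@other.net"),
                          ("user@domain.com", "boss@domain.com.ar")]:
        verdict = "allowed" if sender_allowed(login, sender, homes) else "rejected"
        print("login %s, sender %s: %s" % (login, sender, verdict))
```

Keying the alias relation on the home directory rather than on the second field avoids depending on which domain name vpopmail writes there for an alias; both forms point the alias at the real domain's directory.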
Re: [spamdyke-users] reject-sender=none in spamdyke/_ip_/ directory not working
Ah, I should have asked. Yes, that option should work.

-- Sam Clippinger

On May 5, 2017, at 8:57 AM, Quinn Comendant via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

> Update: I added `reject-sender=none` to /etc/spamdyke.conf and these errors started appearing in the log:
>
> 2017-05-05 06:33:46.873563500 ERROR: Unknown configuration file option in file /etc/spamdyke.conf on line 33: reject-sender
>
> I realize now this config option is only for spamdyke 5. I'm currently using spamdyke 4.3.1+TLS+CONFIGTEST+DEBUG+EXCESSIVE.
>
> So I presume the corresponding config option for version 4 is `reject-missing-sender-mx`. Would the correct syntax for disabling this in a spamdyke/_ip_/… directory be like this:
>
> reject-missing-sender-mx=0
>
> ?
>
> Quinn
Re: [spamdyke-users] reject-sender=none in spamdyke/_ip_/ directory not working
That should do it, assuming you also have a line in your main configuration file that says:

config-dir=/var/qmail/spamdyke

However, from the rDNS name, it looks like that sender could come from a huge list of IPs. You might consider turning off the filter for the domain instead, like this:

/var/qmail/spamdyke/_sender_/com/changeyourflight/tz

And it's always possible you found a bug. If you still can't make it work with the _sender_ folder, let me know and I'll do some testing too.

For what it's worth -- tz.changeyourflight.com doesn't just have no MX records, it has no DNS records at all. I don't see any way that return address could work.
https://mxtoolbox.com/SuperTool.aspx?action=a%3atz.changeyourflight.com=toolpage

-- Sam Clippinger

On May 5, 2017, at 3:24 AM, Quinn Comendant via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

> I've gotten this error:
>
> 2017-05-05 03:16:52.533029500 spamdyke[30324]: DENIED_SENDER_NO_MX from: bounces+1818979-7ef3-quinn=strangecode[.]c...@tz.changeyourflight.com to: quinn[@]strangecode[.]com origin_ip: 167.89.72.110 origin_rdns: o1678972x110.outbound-mail.sendgrid.net auth: (unknown) encryption: TLS reason: (empty)
>
> Indeed, "tz.changeyourflight.com" has no MX records.
>
> I have tried to apply a custom setting for this sender's IP address by adding a config file at:
>
> /var/qmail/spamdyke/_ip_/167/89/72/110
>
> Containing:
>
> reject-sender=none
>
> Then restarting qmail smtp with `qmailctl restart`.
>
> I've used this method successfully in the past for `reject-empty-rdns=0` and `reject-unresolvable-rdns=0`. However, it's not working for the DENIED_SENDER_NO_MX error. The sending error continues to occur.
>
> Have I set this up wrong?
>
> Regards,
> Quinn
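Both the per-IP and per-domain overrides in this thread, and the per-recipient graylisting overrides from the schmonz-web-* thread above, are just files placed under config-dir at a path derived from the IP or the address. The following added example (not spamdyke's code and not from either thread) builds those paths and writes the override files, including one for every recipient in a log that matches a glob, which is the only way a glob can be turned into the list of specific addresses spamdyke needs. Assumptions: the `_ip_/A/B/C/D` and `_sender_/<reversed domain labels>` layout shown above, an `_at_/<user>` subdirectory for a single address (my assumption about spamdyke's layout, not stated in the thread), the option name `graylist-level=none`, and the constructed log lines below.

```python
"""Added example, not code from spamdyke or from this thread: build the file
paths spamdyke's config-dir feature reads for a per-IP, per-sender-domain or
per-recipient override, and write override files such as reject-sender=none
or graylist-level=none. Assumed layout (the _at_/<user> part is an assumption):
    _ip_/A/B/C/D
    _sender_/<tld>/<label>/...                 whole domain
    _recipient_/<tld>/<label>/.../_at_/<user>  single address"""
import fnmatch
import os
import re
import tempfile

DOMAIN_LABEL = re.compile(r"^[a-z0-9-]+$")
LOG_RE = re.compile(r"spamdyke\[\d+\]: (?P<code>[A-Z_]+) from: (?P<from>\S+) to: (?P<to>\S+)")


def override_path(root, kind, value):
    """Path of the override file for value under kind (_ip_, _sender_ or _recipient_)."""
    if kind == "_ip_":
        octets = value.split(".")
        if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
            raise ValueError("not a dotted-quad IPv4 address: %r" % value)
        return os.path.join(root, kind, *octets)
    if kind not in ("_sender_", "_recipient_"):
        raise ValueError("unknown config-dir section: %r" % kind)
    user, _, domain = value.lower().rpartition("@")   # no '@' -> whole domain
    labels = domain.split(".")
    if not all(DOMAIN_LABEL.match(label) for label in labels):
        raise ValueError("bad domain: %r" % domain)
    parts = list(reversed(labels))          # tz.changeyourflight.com -> com/changeyourflight/tz
    if user:                                # single address: .../<domain>/_at_/<user> (assumed)
        parts += ["_at_", user]
    return os.path.join(root, kind, *parts)


def write_override(root, kind, value, options):
    """Create the override file (one option per line) and return its path."""
    path = override_path(root, kind, value)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write("".join(opt + "\n" for opt in options))
    return path


def recipients_matching(log_lines, glob):
    """Unique recipient addresses from spamdyke syslog lines that match a shell glob."""
    found = set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and fnmatch.fnmatchcase(m.group("to").lower(), glob.lower()):
            found.add(m.group("to").lower())
    return sorted(found)


def write_graylist_overrides(root, log_lines, glob, options=("graylist-level=none",)):
    """Write one _recipient_ override per matching recipient; returns (root, paths).
    root=None writes into a fresh temporary directory, useful for a dry run."""
    if root is None:
        root = tempfile.mkdtemp(prefix="spamdyke-overrides-")
    paths = [write_override(root, "_recipient_", addr, list(options))
             for addr in recipients_matching(log_lines, glob)]
    return root, paths


# Constructed sample log (same field layout as the DENIED_SENDER_NO_MX line above).
SAMPLE_LOG = """\
2017-05-19 15:31:02.1 spamdyke[3011]: DENIED_GRAYLISTED from: news@example.org to: schmonz-web-foo@schmonz.com origin_ip: 192.0.2.10 origin_rdns: (unknown) auth: (unknown) encryption: (none) reason: (empty)
2017-05-19 15:32:40.2 spamdyke[3012]: ALLOWED from: bob@example.net to: schmonz-web-bar@schmonz.com origin_ip: 192.0.2.11 origin_rdns: mail.example.net auth: (unknown) encryption: TLS reason: 250_ok
2017-05-19 15:33:01.3 spamdyke[3013]: DENIED_GRAYLISTED from: news@example.org to: schmonz-web-foo@schmonz.com origin_ip: 192.0.2.10 origin_rdns: (unknown) auth: (unknown) encryption: (none) reason: (empty)
2017-05-19 15:34:09.4 spamdyke[3014]: ALLOWED from: alice@example.com to: amitai@schmonz.com origin_ip: 192.0.2.12 origin_rdns: mx.example.com auth: (unknown) encryption: TLS reason: 250_ok
"""

if __name__ == "__main__":
    root = tempfile.mkdtemp(prefix="spamdyke-demo-")
    print(write_override(root, "_ip_", "167.89.72.110", ["reject-sender=none"]))
    print(write_override(root, "_sender_", "tz.changeyourflight.com", ["reject-sender=none"]))
    for path in write_graylist_overrides(root, SAMPLE_LOG.splitlines(), "schmonz-web-*@schmonz.com")[1]:
        print(path)
```

Run it against the real log on a schedule and new schmonz-web-* addresses pick up an override after their first (graylisted) delivery attempt; a domain-level file and an address-level file cannot coexist for the same domain, because one is a file where the other needs a directory.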
Re: [spamdyke-users] SD Stats Report #3 - more spam getting through
Nice spreadsheet! I don't have all the data you do, but just looking at my mail logs going back 1 month (excluding mailing list traffic), I gathered these reject/accept stats. I apologize if the formatting is messed up:

                               Count   Percent
DENIED_RDNS_RESOLVE            72413     58.29
DENIED_RDNS_MISSING            26924     21.67
ALLOWED                         6766      5.45
DENIED_SENDER_NO_MX             4730      3.81
DENIED_BLACKLIST_NAME           4630      3.73
DENIED_GRAYLISTED               3311      2.67
DENIED_RBL_MATCH                2059      1.66
DENIED_IP_IN_CC_RDNS            1936      1.56
TIMEOUT                          776      0.62
DENIED_INVALID_RECIPIENT         457      0.37
DENIED_OTHER                     127      0.10
DENIED_IP_IN_RDNS                 71      0.06
DENIED_HEADER_BLACKLISTED         32      0.03
DENIED_SENDER_BLACKLISTED          6      0.00
DENIED_RECIPIENT_BLACKLISTED       1      0.00
Total                         124239

Clearly I don't run a high traffic server, but:

- Numerically, the missing/unresolvable rDNS tests appear to be the most effective, though I haven't checked to see how many of those rejections were for valid email addresses.
- For my own peace of mind, blocking subject lines with the header blacklist has been the only way to stop persistent spammers from reaching me via outlook.com and gmail.com, which I'm not willing to block outright.
- The rDNS blacklist percentage appears to be very low but it's continually populated by my auto-blacklisting scripts and it's been very effective against organized groups (i.e. not botnets). Even though I rarely add to those scripts, I'm still amazed at how many new domains it catches every day.
- I also use another set of scripts to automatically unsubscribe my users from "legitimate" mailing lists when they junk the messages (Gmail does this too). Since my users usually can't tell the difference between "real" spam and "legitimate" spam (and they don't care), those scripts cut down their junk mail without blocking constantcontact.com and exacttarget.com (and others like them).

To answer your questions, you can block "To: undisclosed-recipients" with the header blacklist filter, if that's really how it appears in the message headers. Blocking emails with no "To" line in the header isn't something spamdyke can do right now, sorry!

-- Sam Clippinger

On Apr 18, 2017, at 9:36 PM, Philip Rhoades via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

> People,
>
> It has been almost a year since the last report - here is the updated GD Spreadsheet:
>
> https://docs.google.com/spreadsheets/d/1GqinPR2mA0Jz-uTZ2zVJgutpiDl62HNbn2gWGNpd7Tk/pubhtml
>
> Unfortunately the amount of spam getting through the SD filtering, then seen by me and being moved to the spam folder has gone up almost five times since last year . . from the information I have now put more stuff in the black From and To lists . .
>
> I think the main problem is that my main email address is finding its way on to more and more spam lists . .
>
> How can I:
>
> - reject mails with no "To:" address
>
> - reject mails with a "To:" address of: "undisclosed-recipients"
>
> Thanks,
>
> Phil.
> --
> Philip Rhoades
>
> PO Box 896
> Cowra NSW 2794
> Australia
> E-mail: p...@pricom.com.au
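A table like the one above comes straight out of spamdyke's syslog lines, and rebuilding it is the quickest way to see which filters are doing the work on your own server. The following added example (not spamdyke's code, not Sam's scripts) tallies the outcome codes from constructed log lines in the `spamdyke[pid]: CODE from: ... to: ...` layout seen elsewhere in this archive, optionally leaving out recipients that match a glob so mailing-list traffic can be excluded the way the numbers above are. `FILTER_*` debug lines carry no `from:` field and are skipped.

```python
"""Added example, not code from spamdyke or from this post: produce a
reject/accept table like the one above from spamdyke's syslog lines.
Assumes the 'spamdyke[pid]: CODE from: X to: Y' layout seen in this archive;
the sample lines are constructed."""
import fnmatch
import re
from collections import Counter

OUTCOME_RE = re.compile(r"spamdyke\[\d+\]: (?P<code>[A-Z_]+) from: (?P<from>\S+) to: (?P<to>\S+)")


def tally(lines, exclude_recipient=None):
    """Count outcome codes; optionally skip messages whose recipient matches a glob."""
    counts = Counter()
    for line in lines:
        m = OUTCOME_RE.search(line)
        if not m:
            continue                       # FILTER_* debug lines and non-spamdyke lines
        if exclude_recipient and fnmatch.fnmatchcase(m.group("to").lower(), exclude_recipient.lower()):
            continue
        counts[m.group("code")] += 1
    return counts


def report(lines, exclude_recipient=None):
    """(rows, total) where rows are (code, count, percent) in descending order."""
    counts = tally(lines, exclude_recipient)
    total = sum(counts.values())
    rows = [(code, n, round(100.0 * n / total, 2)) for code, n in counts.most_common()] if total else []
    return rows, total


def format_report(rows, total):
    """Plain-text table in the same shape as the one in the post."""
    width = max([len("Total")] + [len(r[0]) for r in rows])
    out = ["%-*s %7s %8s" % (width, "", "Count", "Percent")]
    out += ["%-*s %7d %8.2f" % (width, code, n, pct) for code, n, pct in rows]
    out.append("%-*s %7d" % (width, "Total", total))
    return "\n".join(out)


# Constructed sample: (code, sender, recipient); one message goes to a list address.
_SAMPLE = [
    ("DENIED_RDNS_RESOLVE", "a@example.net", "phil@pricom.com.au"),
    ("DENIED_RDNS_RESOLVE", "b@example.net", "phil@pricom.com.au"),
    ("DENIED_RDNS_RESOLVE", "c@example.net", "phil@pricom.com.au"),
    ("DENIED_RDNS_RESOLVE", "d@example.net", "phil@pricom.com.au"),
    ("DENIED_RDNS_MISSING", "e@example.org", "phil@pricom.com.au"),
    ("DENIED_RDNS_MISSING", "f@example.org", "phil@pricom.com.au"),
    ("ALLOWED", "friend@example.com", "phil@pricom.com.au"),
    ("ALLOWED", "news@example.com", "phil@pricom.com.au"),
    ("ALLOWED", "spamdyke-users-bounces@spamdyke.org", "phil-lists@pricom.com.au"),
    ("DENIED_GRAYLISTED", "g@example.org", "phil@pricom.com.au"),
    ("TIMEOUT", "h@example.org", "phil@pricom.com.au"),
]
SAMPLE_LOG = ["Apr 18 09:00:01 mx spamdyke[2001]: FILTER_RDNS_MISSING ip: 203.0.113.7"] + [
    "Apr 18 09:%02d:00 mx spamdyke[%d]: %s from: %s to: %s origin_ip: 203.0.113.%d "
    "origin_rdns: (unknown) auth: (unknown) encryption: (none) reason: (empty)"
    % (i, 2002 + i, code, frm, to, i + 1)
    for i, (code, frm, to) in enumerate(_SAMPLE)
]

if __name__ == "__main__":
    rows, total = report(SAMPLE_LOG, exclude_recipient="*-lists@*")
    print(format_report(rows, total))
```

Feed it `grep spamdyke /var/log/maillog` (or wherever `log-target=syslog` lands) and compare the DENIED_RDNS_* rows against a sample of the rejected senders before trusting them, which is the check the first bullet above says has not been done.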
Re: [spamdyke-users] Custom timeout for IP in DNS RBL
I'm very sorry it's taken me so long to get back to you about this!

If you're willing to edit the code, I suggest changing spamdyke.c.

Change line 1615 (the first line of an if statement) to this:

  if (

And change line 1644 (the call to filter_dns_rbl()) to this:

  if (filter_dns_rbl(current_settings, &current_settings->current_options->filter_action, &current_settings->current_options->filter_action_locked, &current_settings->current_options->rejection, &current_settings->current_options->rejection_buf, current_settings->current_options->reject_message_buf, MAX_BUF, current_settings->current_options->reject_reason_buf, MAX_BUF) == FILTER_DECISION_DO_FILTER)
    return_value = FILTER_FLAG_QUIT;

And change line 1668 (setting return_value) to this:

  return_value = (return_value != FILTER_FLAG_QUIT) ? FILTER_FLAG_INTERCEPT : FILTER_FLAG_QUIT;

And change line 3400 (an if statement) to this:

  if (0)

Then recompile with "make" and install the new spamdyke binary.

With those changes on lines 1615 and 3400, spamdyke will wait until the client sends the recipient addresses to check its filters (including DNS RBLs), the same way it does when a configuration directory is given. However, the changes on lines 1644 and 1668 will make it quit when an RBL is matched, the same way it does when the client sends "QUIT", even if a sender or recipient whitelist is matched. All other rejections should behave normally.

Caveat emptor: I haven't tested these suggestions or even attempted to compile them. Good luck!

-- Sam Clippinger

On Mar 24, 2017, at 10:19 AM, Alessio Cecchi via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

> Thanks Sam for your answer,
>
> anyway it is crucial for us to avoid letting the timeout expire after the "RCPT TO" message in case of RBL check. So, even developing a custom patch, we need something to prevent clients keeping the connection open after the "554 Refused. Your IP address is listed in the RBL at..." message.
>
> We tried adding a simple exit(0) around line 1695 of filter.c just to test the behavior but doing that the client is not able to connect anymore.
>
> Can you suggest a (even dirty) way to work around it or point me to the proper direction to investigate it further?
>
> This is an extract of the handshake message at the end of which we need to close the communication
>
> 220 popmx-staging.cloud.net ESMTP
> helo example.com
> 250 popmx-staging.cloud.net
> MAIL FROM: exam...@example.com
> 250 Refused. Your IP address is listed in the RBL at cidr.bl
> RCPT TO: t...@test.com
> 554 Refused. Your IP address is listed in the RBL at cidr.bl
>
> < we need to close the connection at this moment (when we receive 554 Refused) instead of waiting for DATA and then waiting the default timeout.
>
> Thanks for your time.
>
> Alessio Cecchi
>
> On 19/03/2017 20:05, Sam Clippinger via spamdyke-users wrote:
>> Unfortunately no, spamdyke isn't designed with the idea of different timeouts for different reasons. It will always keep the connection open as long as there is any chance the message could be allowed. For example, if your configuration includes a recipient whitelist and the remote IP is blacklisted, spamdyke won't close the connection until the recipients are given, just in case one of them is on the whitelist. Even when it's no longer possible to match a whitelist, spamdyke still won't close the connection because the remote client could send a RSET command and begin a new session.
>>
>> Your only option is to set a lower idle timeout, anything else would require a major refactoring of spamdyke's code. Sorry!
>>
>> -- Sam Clippinger
>>
>> On Mar 10, 2017, at 4:11 AM, Alessio Cecchi via spamdyke-users <spamdyke-users@spamdyke.org> wrote:
>>
>>> Hi,
>>>
>>> some months ago we switched from rblsmtpd to spamdyke in order to have more info in the log about blocked IP. But after switching to spamdyke the number of concurrent incoming SMTP sessions increased about 10 times.
>>>
>>> This is because with rblsmtpd we set a timeout of 10 seconds and spamdyke has a global timeout that we set at 180 seconds (idle-timeout-secs). So when an IP in blacklist connects to our MX it grabs a qmail-smtpd process for 180 seconds instead of 10.
>>>
>>> Increasing the number of /var/qmail/control/concurrencyincoming is not a solution because we expose our cluster to receive a number of sessions that we could be unable to manage.
Re: [spamdyke-users] Custom timeout for IP in DNS RBL
Unfortunately no, spamdyke isn't designed with the idea of different timeouts for different reasons. It will always keep the connection open as long as there is any chance the message could be allowed. For example, if your configuration includes a recipient whitelist and the remote IP is blacklisted, spamdyke won't close the connection until the recipients are given, just in case one of them is on the whitelist. Even when it's no longer possible to match a whitelist, spamdyke still won't close the connection because the remote client could send a RSET command and begin a new session.

Your only option is to set a lower idle timeout, anything else would require a major refactoring of spamdyke's code. Sorry!

-- Sam Clippinger

On Mar 10, 2017, at 4:11 AM, Alessio Cecchi via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

> Hi,
>
> some months ago we switched from rblsmtpd to spamdyke in order to have more info in the log about blocked IP. But after switching to spamdyke the number of concurrent incoming SMTP sessions increased about 10 times.
>
> This is because with rblsmtpd we set a timeout of 10 seconds and spamdyke has a global timeout that we set at 180 seconds (idle-timeout-secs). So when an IP in blacklist connects to our MX it grabs a qmail-smtpd process for 180 seconds instead of 10.
>
> Increasing the number of /var/qmail/control/concurrencyincoming is not a solution because we expose our cluster to receive a number of sessions that we could be unable to manage.
>
> Can spamdyke close connections with IPs in blacklist after a time shorter than idle-timeout-secs?
>
> Here an example of timeout:
>
> with spamdyke
>
> $ time telnet mx01.mail.net 25
> Trying 192.168.1.135...
> Connected to mx01.mail.net.
> Escape character is '^]'.
> 220 mx01.mail.net ESMTP
> helo ciao.com
> 250 mx01.mail.net
> MAIL FROM: ales...@ciao.it
> 250 Refused. Your IP address is listed in the RBL at www.spamhaus.org: http://www.spamhaus.org/query/bl?ip=19.9.131.86
> RCPT TO: ales...@ciao.com
> 554 Refused. Your IP address is listed in the RBL at www.spamhaus.org: http://www.spamhaus.org/query/bl?ip=19.9.131.86
>
> [ here we should close the connection ]
>
> DATA
> 554 Refused. Your IP address is listed in the RBL at www.spamhaus.org: http://www.spamhaus.org/query/bl?ip=19.9.131.86
> 421 Timeout. Talk faster next time.
> Connection closed by foreign host.
>
> real    3m46.105s
> user    0m0.000s
> sys     0m0.000s
>
> with rblsmtpd:
>
> $ time telnet mx01.mail.net 25
> Trying 192.168.1.135...
> Connected to mx01.mail.net.
> Escape character is '^]'.
> 220 rblsmtpd.local
> Connection closed by foreign host.
>
> real    0m10.389s
> user    0m0.000s
> sys     0m0.000s
>
> Thanks
>
> --
> Alessio Cecchi
> Postmaster @ http://www.qboxmail.it
> https://www.linkedin.com/in/alessice
Re: [spamdyke-users] Problem with PLESK Horde Webmail
I assume the users are seeing that error when they try to send emails, not when they're trying to login or read messages? My first guess is that you haven't whitelisted connections from localhost (127.0.0.1), so spamdyke is blocking Horde's attempts to deliver messages. But that's just a guess -- are there any errors in any of the logs that might provide more information?

-- Sam Clippinger

On Mar 6, 2017, at 1:58 PM, turgut kalfaoğlu via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

> Hi there. I recently enabled spamdyke, but when someone uses the horde webmail, they get an SMTP error 554..
>
> Any ideas what to do?
>
> Many thanks, -turgut
Re: [spamdyke-users] no logging
It looks like your /usr/local/psa/var/log/maillog file is just a symlink to /var/log/maillog (not /var/log/messages). Are spamdyke's log messages appearing there?

-- Sam Clippinger

On Mar 5, 2017, at 11:43 PM, turgut kalfaoğlu via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

> Hi there.. I recently noticed in horror that a GUI change that I made via PLESK 12 had removed my spamdyke from /etc/xinetd.d/smtp_psa
> Upon reinstating:
>
> server_args = -Rt0 /usr/local/bin/spamdyke /var/qmail/bin/relaylock /usr/sbin/rblsmtpd -r bl.spamcop.net /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
>
> ... and restarting the machine, I noticed that there is nothing in the logs about spamdyke... neither in /var/log/messages nor in /usr/local/psa/var/log/maillog..
>
> My spamdyke is fairly default:
> #run-as-user=USER[:GROUP]
> log-level=verbose
> log-target=syslog
> #full-log-dir=DIR
>
> other stuff:
>
> # ls -ld /var/log/messages
> -rw--- 1 root root 6.0M Mar 6 08:40 /var/log/messages
>
> # ls -ld /usr/local/psa/var/log/maillog
> lrwxrwxrwx 1 root root 16 Aug 1 2015 /usr/local/psa/var/log/maillog -> /var/log/maillog
>
> # /usr/local/bin/spamdyke -v
> spamdyke 5.0.1+TLS+CONFIGTEST+DEBUG (C)2015 Sam Clippinger, samc (at) silence (dot) org
> http://www.spamdyke.org/
>
> Use --help for an option summary, --more-help for option details or see README.html for complete documentation.
>
> Any ideas?
> Many thanks, -t
Re: [spamdyke-users] How can I force users to USE the right SMTPserver ?
A bug! The "not-local" value for "reject-sender" is being bypassed by authentication, which was not the intent. I've created a patch to fix it:

http://spamdyke.org/beta/5.0.2/spamdyke-5.0.2-beta1-reject_sender_not_local.patch

You can apply it like this:

cd /path/to/src/spamdyke-5.0.1
patch -p0 < /path/to/patch/spamdyke-5.0.2-beta1-reject_sender_not_local.patch
make

Then copy the new binary into place. Thank you very much for reporting this!

-- Sam Clippinger

On Nov 4, 2016, at 7:24 AM, Sam Clippinger via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

> I'm not sure I completely understand your setup, so yes, I think the full log might be helpful. You can send it to me directly if you don't want to post it to the list.
>
> -- Sam Clippinger
>
> On Nov 1, 2016, at 9:33 AM, Pablo Murillo <p...@rednet.com.ar> wrote:
>
>> Yes, I have rcpthosts and morercpthosts for each jail with only the local domains
>>
>> The "reject-sender=not-local" works fine with domains bypassing the MXs and sent directly to the server
>>
>> I activated "log-level=debug" and "full-log-dir" to have more information
>>
>> I noticed that rcpthosts and morercpthosts are not appearing in the "current config"
>>
>> Do you want to see the full log?
>>
>> - Original Message -
>> From: "Sam Clippinger via spamdyke-users" <spamdyke-users@spamdyke.org>
>> To: "spamdyke users" <spamdyke-users@spamdyke.org>
>> Sent: Tuesday, November 01, 2016 9:14 AM
>> Subject: Re: [spamdyke-users] How can I force users to USE the right SMTPserver ?
>>
>> It sounds like "reject-sender" is the right option... if it's not working, I would look at qmail's configuration. spamdyke uses qmail's rcpthosts and morercpthosts files to decide what addresses are "local" -- is there a separate copy of qmail for each server/jail with different configurations?
>>
>> -- Sam Clippinger
>>
>> On Oct 31, 2016, at 6:07 PM, Pablo Murillo via spamdyke-users <spamdyke-users@spamdyke.org> wrote:
>>
>>> Hi
>>>
>>> I will try to explain the subject
>>> We use Qmail, VpopMail and Spamdyke
>>> We have multiple servers with jails with multiple domains, we have smtp servers configured in all the jails, in all the servers
>>> Every jail has an smtp server running with auth over spamdyke, and today (after a lot of years) we find that everyone can send mail using the right credentials to any of our servers
>>> I know, they are using valid credentials, but if a password is hacked, the spammers can login in every server to send mail using this credential
>>> So, the question is: How can I force the users to use ONLY their smtp to send mails?
>>>
>>> I think that "reject-sender = not-local" will work, but, no, it only works if the user doesn't authenticate
>>>
>>> Maybe it is a filter order?
>>> I asked something similar to this and the solution was that I have to manually change the order in the source code
>>>
>>> Is there another way?
>>> Maybe, if the filter order can be altered without changing the source code?
>>>
>>> It's a challenge? :D
>>>
>>> Pablo Murillo
Re: [spamdyke-users] How can I force users to USE the right SMTPserver ?
I'm not sure I completely understand your setup, so yes, I think the full log might be helpful. You can send it to me directly if you don't want to post it to the list.

-- Sam Clippinger

On Nov 1, 2016, at 9:33 AM, Pablo Murillo <p...@rednet.com.ar> wrote:

> Yes, I have rcpthosts and morercpthosts for each jail with only the local domains
>
> The "reject-sender=not-local" works fine with domains bypassing the MXs and sent directly to the server
>
> I activated "log-level=debug" and "full-log-dir" to have more information
>
> I noticed that rcpthosts and morercpthosts are not appearing in the "current config"
>
> Do you want to see the full log?
>
> - Original Message -
> From: "Sam Clippinger via spamdyke-users" <spamdyke-users@spamdyke.org>
> To: "spamdyke users" <spamdyke-users@spamdyke.org>
> Sent: Tuesday, November 01, 2016 9:14 AM
> Subject: Re: [spamdyke-users] How can I force users to USE the right SMTPserver ?
>
> It sounds like "reject-sender" is the right option... if it's not working, I would look at qmail's configuration. spamdyke uses qmail's rcpthosts and morercpthosts files to decide what addresses are "local" -- is there a separate copy of qmail for each server/jail with different configurations?
>
> -- Sam Clippinger
>
> On Oct 31, 2016, at 6:07 PM, Pablo Murillo via spamdyke-users <spamdyke-users@spamdyke.org> wrote:
>
>> Hi
>>
>> I will try to explain the subject
>> We use Qmail, VpopMail and Spamdyke
>> We have multiple servers with jails with multiple domains, we have smtp servers configured in all the jails, in all the servers
>> Every jail has an smtp server running with auth over spamdyke, and today (after a lot of years) we find that everyone can send mail using the right credentials to any of our servers
>> I know, they are using valid credentials, but if a password is hacked, the spammers can login in every server to send mail using this credential
>> So, the question is: How can I force the users to use ONLY their smtp to send mails?
>>
>> I think that "reject-sender = not-local" will work, but, no, it only works if the user doesn't authenticate
>>
>> Maybe it is a filter order?
>> I asked something similar to this and the solution was that I have to manually change the order in the source code
>>
>> Is there another way?
>> Maybe, if the filter order can be altered without changing the source code?
>>
>> It's a challenge? :D
>>
>> Pablo Murillo
Re: [spamdyke-users] How can I force users to USE the right SMTP server ?
It sounds like "reject-sender" is the right option... if it's not working, I would look at qmail's configuration. spamdyke uses qmail's rcpthosts and morercpthosts files to decide what addresses are "local" -- is there a separate copy of qmail for each server/jail with different configurations?

-- Sam Clippinger

On Oct 31, 2016, at 6:07 PM, Pablo Murillo via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

> Hi
>
> I will try to explain the subject
> We use Qmail, VpopMail and Spamdyke
> We have multiple servers with jails with multiple domains, we have smtp servers configured in all the jails, in all the servers
> Every jail has an smtp server running with auth over spamdyke, and today (after a lot of years) we find that everyone can send mail using the right credentials to any of our servers
> I know, they are using valid credentials, but if a password is hacked, the spammers can login in every server to send mail using this credential
> So, the question is: How can I force the users to use ONLY their smtp to send mails?
>
> I think that "reject-sender = not-local" will work, but, no, it only works if the user doesn't authenticate
>
> Maybe it is a filter order?
> I asked something similar to this and the solution was that I have to manually change the order in the source code
>
> Is there another way?
> Maybe, if the filter order can be altered without changing the source code?
>
> It's a challenge? :D
>
> Pablo Murillo
Re: [spamdyke-users] TLS reason: TIMEOUT
Looking at those log messages, I don't think TLS has anything to do with this. spamdyke's log message shows "encryption: (none)", which means TLS is not in use.

When spamdyke logs TIMEOUT, it means the remote server held the connection open too long without sending any data at all. Usually that means the software on the remote server is badly written and it's expecting a very specific message before proceeding. Since it isn't getting that message, it just waits until the connection times out. There's an FAQ about this too:
http://www.spamdyke.org/documentation/FAQ.html#TROUBLE3

Documentation on how to adjust spamdyke's timeouts is here:
http://www.spamdyke.org/documentation/README.html#TIMEOUTS

By default, spamdyke doesn't enforce any timeouts, so another line in your config file must be enabling them. Perhaps simply increasing those values will solve this?

If that doesn't help, I'd suggest using spamdyke's full logging feature to capture one of these failed connections. That will show exactly what data is being sent and how long it's taking.

-- Sam Clippinger

On Oct 12, 2016, at 2:31 PM, marek--- via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

> I read an old thread on this problem, but did not see a solution.
>
> # spamdyke -v
> spamdyke 5.0.1+TLS+CONFIGTEST+DEBUG+EXCESSIVE (C)2015 Sam Clippinger, samc (at) silence (dot) org
> # uname -a
> Linux mail.x.xx 2.6.18-308.13.1.el5 #1 SMP Tue Aug 21 17:10:06 EDT 2012 i686 i686 i386 GNU/Linux
>
> In spamdyke.config
>
> tls-level=smtp
> tls-certificate-file=/var/qmail/control/servercert.pem
>
> The problem is TLS TIMEOUT
> 2016-10-08 21:04:50.283975500 CHKUSER accepted sender: from <xx...@ergohestia.pl::> remote rcpt <> : sender accepted
> 2016-10-08 21:05:51.280337500 spamdyke[13676]: TIMEOUT from: xx...@ergohestia.pl to: (unknown) origin_ip: 91.198.179.205 origin_rdns: smtp1.hestia.pl auth: (unknown) encryption: (none) reason: TIMEOUT
>
> Adding the address to whitelist_senders changes nothing :(
>
> I also tried spamdyke 4.3 before upgrading to 5.1; it's the same.
> I don't have any idea how to make it allow this mail.
>
> Any help will be appreciated
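Once a full log of one of these connections has been captured, the question is who went quiet: if the last thing before the long gap was data from spamdyke or the child to the remote, the remote client stalled (the case Sam describes); if the last thing was data from the remote, something on the local side (qmail-smtpd or whatever it invokes) stalled. The following added example (not spamdyke's code) pulls the timestamped header lines out of such a transcript, finds the longest silence and reports which side it is charged to. The header layout `MM/DD/YYYY HH:MM:SS FROM REMOTE TO CHILD: N bytes` is my assumption modelled on spamdyke's full log, and the transcript is constructed to match the 61-second gap in the TIMEOUT line above.

```python
"""Added example, not code from spamdyke: find the longest idle gap in a
full-log-dir transcript and say which side was silent. Assumed header line
layout (an assumption, not copied from spamdyke's docs):
    MM/DD/YYYY HH:MM:SS FROM REMOTE TO CHILD: N bytes
    MM/DD/YYYY HH:MM:SS FROM CHILD TO REMOTE: N bytes
    MM/DD/YYYY HH:MM:SS FROM SPAMDYKE TO REMOTE: N bytes
followed by the data sent. The transcript below is constructed."""
import re
from datetime import datetime

HEADER_RE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) (.+)$")


def events(lines):
    """(timestamp, event) pairs from the timestamped header lines only."""
    out = []
    for line in lines:
        m = HEADER_RE.match(line)
        if m:
            stamp = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
            out.append((stamp, m.group(2).split(":")[0].strip()))
    return out


def longest_gap(lines):
    """(seconds, event before the gap, event after it) for the longest silence."""
    ev = events(lines)
    best = (0.0, None, None)
    for (t0, e0), (t1, e1) in zip(ev, ev[1:]):
        gap = (t1 - t0).total_seconds()
        if gap > best[0]:
            best = (gap, e0, e1)
    return best


def diagnose(lines, idle_timeout=60):
    """Charge the longest gap to a side: 'remote' when the local side spoke last
    (the client stalled, as the reply above describes), 'local' when the remote
    spoke last and was left waiting for an answer."""
    gap, before, after = longest_gap(lines)
    if before is None:
        return {"seconds": 0.0, "silent_side": "unknown", "exceeds_timeout": False}
    if before.startswith("FROM REMOTE"):
        side = "local"
    elif before.startswith(("FROM CHILD", "FROM SPAMDYKE")):
        side = "remote"
    else:
        side = "unknown"
    return {"seconds": gap, "silent_side": side, "before": before, "after": after,
            "exceeds_timeout": gap >= idle_timeout}


# Constructed transcript: the server answered MAIL FROM and the client never sent RCPT TO.
SAMPLE_TRANSCRIPT = """\
10/08/2016 21:04:49 FROM REMOTE TO CHILD: 35 bytes
MAIL FROM:<xxxx@ergohestia.pl>

10/08/2016 21:04:50 FROM CHILD TO REMOTE: 8 bytes
250 ok

10/08/2016 21:05:51 FROM SPAMDYKE TO REMOTE: 37 bytes
421 Timeout. Talk faster next time.

10/08/2016 21:05:51 CLOSED
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_TRANSCRIPT.splitlines()))
```

A `silent_side` of `local` with a gap close to the configured timeout points at the child process or something it waits on (a slow CHKUSER lookup, a scanner, a firewall), not at the remote client, and no spamdyke timeout setting will fix that.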
Re: [spamdyke-users] Localhost relaying denied
You're right that whitelisting and authentication have no effect on the relay filter. spamdyke allows relaying in three situations: when the RELAYCLIENT environment variable is set, when /etc/tcp.smtp has a matching rule that sets RELAYCLIENT or when a spamdyke option allows relaying. So... have you compared the /etc/tcp.smtp file on the two servers? I'd bet there's a line on the "can send" server that sets RELAYCLIENT for localhost connections and the "can't send" server doesn't have it (note spamdyke does not read this file itself; its CDB version is probably being read by tcp-env).

It's been quite a while since I've worked with Plesk but I seem to remember that option is set within the Plesk admin interface. It'd be a good idea to change it there -- otherwise if you change it on disk, it'll probably just get overwritten the next time Plesk saves a change.

-- Sam Clippinger

On Oct 3, 2016, at 7:58 AM, Faris Raouf via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

> Dear all,
>
> I’m absolutely confounded by a problem I’m having after upgrading five systems from Spamdyke 4.3.1 to 5.0.1
>
> On two of them, webmail (running locally, connecting from 127.0.0.1 to 127.0.0.1 port 25 via smtp, no authentication) works fine and can send messages.
>
> On the other three, spamdyke spits out a RELAYING_DENIED and blocks the connection from 127.0.0.1 when trying to send messages.
>
> --
> Oct 3 12:07:38 hostnameredacted spamdyke[4927]: FILTER_RDNS_MISSING ip: 127.0.0.1
> Oct 3 12:07:38 hostnameredacted spamdyke[4927]: FILTER_WHITELIST_IP ip: 127.0.0.1 file: /etc/spamdyke.d/whitelist_ip(6)
> Oct 3 12:07:38 hostnameredacted spamdyke[4927]: FILTER_RELAYING
> Oct 3 12:07:38 hostnameredacted spamdyke[4927]: DENIED_RELAYING from: (the rest redacted)
>
> All four systems use Plesk, which has 127.0.0.1 whitelisted for email – no authentication is required for connections from that IP.
>
> I have read the upgrade notes, which explain that IPs that are whitelisted in the ip whitelist (or whatever) file are no longer automatically also allowed to relay, and obviously that’s at the heart of the problem in some way.
>
> What I cannot fathom is why two would work, and three would not. They are all pretty much identical in every way that I can think of. Same Centos 6, same versions of pretty much everything, very little differences anywhere.
>
> None of them have any form of relay or smtp auth settings in spamdyke.conf. All of them do have 127.0.0.1 whitelisted in the ip whitelist file – not that it makes any difference in 5.0.1 of course.
>
> Everything is controlled via smtp_psa file via xinetd
>
> (stuff)
> server = /var/qmail/bin/tcp-env
> server_args = -Rt0 /usr/local/bin/spamdyke -f /etc/spamdyke.d/spamdyke.conf /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
>
> So, to resolve the problem, in theory all I have to do is add ip-relay-entry=127.0.0.1 and indeed that does solve the problem.
>
> I presume that’s safe enough, given that we do want anything in localhost to be able to send email without authenticating?
>
> Is this a common setting?
>
> But I feel I must get to the bottom of why some work, and some don’t, out of the box. It seems bonkers, and indicative of something else that might be wrong.
> None of the boxes are accidental open relays. Authentication is most definitely required to send to non-local addresses.
>
> At one point I suspected it might have something to do with the webmail configuration, but I can’t find any differences at all. They are all set to use smtp to connect to port 25 with no authentication.
>
> In the hope that someone may spot an error in my config files, here is one from a server where webmail can send, and another from a server where webmail cannot send.
>
> (--config-tests throws no errors on either of them)
> (I do not know what I have qmail-rcpthosts / qmail-morescpthosts.cdb set but they had been set when using 4.3
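To make the three relay paths from the reply above concrete, here is a small model of the decision as an added example (not spamdyke or tcpserver code): RELAYCLIENT already in the environment, a matching /etc/tcp.smtp rule that sets RELAYCLIENT, or a spamdyke ip-relay-entry option. The tcp.smtp contents and config fragment are constructed for the demo, the text form of the rules is parsed rather than the CDB that tcp-env reads, and the tcprules lookup is simplified to IPv4 exact/prefix/default keys (no ranges, hostnames or TCPREMOTEINFO).

```python
"""Model of the three ways spamdyke permits relaying, per the reply above.
Added example, not spamdyke or tcpserver code; rule files and config are
constructed, and the tcprules lookup is a simplified IPv4-only version."""
from typing import Dict, Mapping, Optional

# Constructed /etc/tcp.smtp contents: the "can send" server sets RELAYCLIENT
# for loopback, the "can't send" server only allows the connection.
TCP_SMTP_CAN_SEND = '127.0.0.1:allow,RELAYCLIENT=""\n10.0.0.:allow,RELAYCLIENT=""\n:allow\n'
TCP_SMTP_CANT_SEND = '127.0.0.1:allow\n:allow\n'
# Constructed spamdyke.conf fragment carrying the fix from the thread.
SPAMDYKE_CONF_FIXED = 'log-level=verbose\nip-relay-entry=127.0.0.1\n'


def parse_tcprules(rules_text: str) -> Dict[str, str]:
    """Map each address key of a tcprules text file to its action string."""
    rules: Dict[str, str] = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, actions = line.partition(":")
        rules[addr] = actions
    return rules


def tcprules_lookup(remote_ip: str, rules_text: str) -> Optional[str]:
    """Mimic tcpserver's lookup order: exact IP, then shorter dotted
    prefixes (a.b.c., a.b., a.), then the empty default key."""
    rules = parse_tcprules(rules_text)
    octets = remote_ip.split(".")
    keys = [remote_ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for key in keys:
        if key in rules:
            return rules[key]
    return None


def config_allows_relay(remote_ip: str, conf_text: str) -> bool:
    """True if a spamdyke ip-relay-entry option names this IP."""
    for line in conf_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key == "ip-relay-entry" and value.strip() == remote_ip:
            return True
    return False


def relay_allowed(remote_ip: str, env: Mapping[str, str],
                  rules_text: str, conf_text: str) -> str:
    """Return which mechanism permits relaying for this connection, or
    'denied' when none does (the DENIED_RELAYING case in the log above)."""
    if "RELAYCLIENT" in env:
        return "env:RELAYCLIENT"
    actions = tcprules_lookup(remote_ip, rules_text)
    if actions is not None and "RELAYCLIENT=" in actions:
        return "tcp.smtp:RELAYCLIENT"
    if config_allows_relay(remote_ip, conf_text):
        return "spamdyke:ip-relay-entry"
    return "denied"


if __name__ == "__main__":
    for label, rules, conf in (("can send", TCP_SMTP_CAN_SEND, ""),
                               ("can't send", TCP_SMTP_CANT_SEND, ""),
                               ("can't send + fix", TCP_SMTP_CANT_SEND, SPAMDYKE_CONF_FIXED)):
        print(f"{label:18} 127.0.0.1 -> {relay_allowed('127.0.0.1', {}, rules, conf)}")
```

Running it against the two constructed rule files reproduces the thread's symptom: the same webmail connection from 127.0.0.1 relays on one server via tcp.smtp and is denied on the other until ip-relay-entry is added.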
Re: [spamdyke-users] spam with rDNS resolving to "localhost"
Adding "localhost" to your rDNS blacklist should work exactly as you expect -- *any* connection that resolves to "localhost" will be blocked. To allow connections from the real local host, you could either whitelist 127.0.0.1 or, if you wanted other filters to remain active for local connections, use a config-dir to remove "localhost" from the blacklist for 127.0.0.1.

Incidentally, are you using the reject-unresolvable-rdns filter? That filter has a special exception for "localhost" to allow that name for 127.0.0.1 but block it for all other IPs.

-- Sam Clippinger

On Aug 9, 2016, at 5:02 AM, Faris Raouf via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

> Dear all,
>
> We’re having problems with spam being allowed in from IPs with rDNS resolving to “localhost”.
> This gets past the reject-empty-rdns filter.
>
> Initially I thought these IPs had no rDNS – using dnsstuff, I get no result (normally meaning no rDNS). But using host or dig I see the IPs really do reverse resolve to localhost.
>
> **
> Example log entry:
>
> spamdyke[24468]: ALLOWED from: sqozt...@vnnic.net.vn to: redac...@redacted.tld origin_ip: 113.168.188.219 origin_rdns: localhost auth: (unknown) encryption: (none) reason: 250_ok_1470423419_qp_24501
>
> ***
> Check rDNS:
>
> # host 113.168.188.219
> 219.188.168.113.in-addr.arpa domain name pointer localhost.
>
> # dig -x 113.168.188.219
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -x 113.168.188.219
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15578
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;219.188.168.113.in-addr.arpa. IN PTR
>
> ;; ANSWER SECTION:
> 219.188.168.113.in-addr.arpa. 21599 IN PTR localhost.
>
> ;; Query time: 325 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Tue Aug 9 10:41:58 2016
> ;; MSG SIZE rcvd: 69
>
> ***
>
> I figure that it is not safe to add “localhost” in our rdns blacklist file.
> Wouldn’t our real, local, localhost 127.0.0.1 potentially get blacklisted?
>
> Any suggestions as to what to do about this would be much appreciated!
>
> Errmm.. in the back of my head there is a dim bell ringing about this issue and so it might have been discussed before. Sorry if I’m asking something that’s already been covered at some point. Google hasn’t helped in this case.
Re: [spamdyke-users] Fail2ban integration
spamdyke won't log the IP in its current version, but it wouldn't be hard to add. If you want a quick'n'dirty solution right away, you can add it very easily... just edit exec.c and change line 206 to this:

SPAMDYKE_LOG_VERBOSE(current_settings, LOG_VERBOSE_AUTH_FAILURE "%s %s", username, current_settings->server_ip);

Then recompile and replace the spamdyke binary with the new copy. Once it's in place, the "authentication failure" messages should show the IP address right after the username, separated by a space. (NOTE: I haven't compiled or tested this change, proceed with caution...)

-- Sam Clippinger

On Jul 22, 2016, at 6:17 PM, Gary Gendel via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

> Sam,
>
> Is there a way to get spamdyke to log invalid authorizations in a manner that fail2ban can use? My host has been hit continuously with brute-force attacks. Unfortunately, the logs only have:
>
> Jul 22 18:54:43 tardis spamdyke[26727]: [ID 702911 mail.info] FILTER_AUTH_REQUIRED
> Jul 22 18:54:50 tardis spamdyke[26727]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): verizon
> Jul 22 18:56:01 tardis spamdyke[26727]: [ID 702911 mail.info] ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The operation failed due to an I/O error, Unexpected EOF found
> Jul 22 18:57:16 tardis spamdyke[26736]: [ID 702911 mail.info] FILTER_AUTH_REQUIRED
> Jul 22 18:57:23 tardis spamdyke[26736]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): verizon
> Jul 22 18:58:37 tardis spamdyke[26736]: [ID 702911 mail.info] ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The operation failed due to an I/O error, Unexpected EOF found
> Jul 22 18:59:59 tardis spamdyke[26743]: [ID 702911 mail.info] FILTER_AUTH_REQUIRED
> Jul 22 19:00:10 tardis spamdyke[26743]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): verizon
> Jul 22 19:01:21 tardis spamdyke[26743]: [ID 702911 mail.info] ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The operation failed due to an I/O error, Unexpected EOF found
> Jul 22 19:02:32 tardis spamdyke[26876]: [ID 702911 mail.info] FILTER_AUTH_REQUIRED
> Jul 22 19:02:38 tardis spamdyke[26876]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): verizon
> Jul 22 19:03:50 tardis spamdyke[26876]: [ID 702911 mail.info] ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The operation failed due to an I/O error, Unexpected EOF found
> Jul 22 19:05:11 tardis spamdyke[26891]: [ID 702911 mail.info] FILTER_AUTH_REQUIRED
> Jul 22 19:05:16 tardis spamdyke[26891]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): verizon
>
> They seem to have a huge list of account names to try and I've got thousands of attempts just for today. Unfortunately, without any IP address in the message I can't have fail2ban automatically block these.
>
> Gary
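Once the patched log line carries "username ip" as described in the reply, the detection side is a fail2ban-style pattern that captures the IP and a per-source threshold. The block below is an added example, not part of the thread or of spamdyke: it embeds the filter regex a fail2ban filter.d file would use (with `<HOST>` substituted by hand so it runs offline), parses a constructed sample of post-patch syslog lines in the same format as Gary's, and returns the sources that exceed a retry limit. The sample IPs are documentation ranges, and a last line in the unpatched format (no IP) is included to show it is ignored rather than mis-parsed.

```python
"""fail2ban-style detection for spamdyke's patched 'authentication failure'
line. Added example, not spamdyke or fail2ban code; the log lines below are
constructed in the post-patch format (username, space, IP)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# What a fail2ban filter.d/spamdyke-auth.conf would contain (constructed).
# fail2ban replaces <HOST> with its own IP/hostname pattern.
FAIL2BAN_FILTER = """\
[Definition]
failregex = spamdyke\\[\\d+\\]: (?:\\[ID \\d+ [\\w.]+\\] )?ERROR\\(exec_checkpassword_argv\\(\\)@exec\\.c:\\d+\\): authentication failure \\(bad username/password, vchkpw uses this to indicate SMTP access is not allowed\\): \\S+ <HOST>$
ignoreregex =
"""

FAILREGEX = (
    r"spamdyke\[\d+\]: (?:\[ID \d+ [\w.]+\] )?"
    r"ERROR\(exec_checkpassword_argv\(\)@exec\.c:\d+\): authentication failure "
    r"\(bad username/password, vchkpw uses this to indicate SMTP access is not allowed\): "
    r"(?P<user>\S+) <HOST>$"
)
# Stand-in for fail2ban's <HOST> substitution: a dotted IPv4 address.
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
AUTH_FAILURE_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))

PREFIX = "authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): "
SAMPLE_LOG = "\n".join([
    "Jul 22 18:54:43 tardis spamdyke[26727]: [ID 702911 mail.info] FILTER_AUTH_REQUIRED",
    "Jul 22 18:54:50 tardis spamdyke[26727]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): " + PREFIX + "verizon 198.51.100.23",
    "Jul 22 18:57:23 tardis spamdyke[26736]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): " + PREFIX + "verizon 198.51.100.23",
    "Jul 22 19:00:10 tardis spamdyke[26743]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): " + PREFIX + "admin 198.51.100.23",
    "Jul 22 19:02:38 tardis spamdyke[26876]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): " + PREFIX + "sales 198.51.100.23",
    "Jul 22 19:05:16 tardis spamdyke[26891]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): " + PREFIX + "verizon 203.0.113.5",
    # Unpatched format: no IP, so it must not produce a match.
    "Jul 22 19:07:02 tardis spamdyke[26899]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): " + PREFIX + "verizon",
])


def parse_auth_failures(log_text: str) -> List[Tuple[str, str]]:
    """Return (source_ip, username) for every line the filter regex matches."""
    hits = []
    for line in log_text.splitlines():
        m = AUTH_FAILURE_RE.search(line)
        if m:
            hits.append((m.group("host"), m.group("user")))
    return hits


def offenders(log_text: str, maxretry: int = 3) -> Dict[str, int]:
    """Sources with at least `maxretry` failures, as fail2ban's jail would
    count them (ignoring the findtime window for this offline demo)."""
    counts = Counter(ip for ip, _ in parse_auth_failures(log_text))
    return {ip: n for ip, n in counts.items() if n >= maxretry}


if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG).items():
        print(f"ban candidate {ip}: {n} failures")
```

The regex anchors on the exact message text so a change to the C format string (for instance putting the IP first) would need a matching change here; that is the usual fail2ban maintenance cost of matching free-text log lines.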
Re: [spamdyke-users] can't block envelope sender
Could probably do that. Or maybe print the matching file/line in the "reason" field, the same way it already does for blacklist matches?

-- Sam Clippinger

On Jul 22, 2016, at 11:37 AM, Faris Raouf <aster...@raouf.net> wrote:

> Hi Sam,
>
> I just had a chance to have a go with the tests, and just as you expected it was down to the rDNS of the sender being whitelisted.
> I don’t know how many times I’d checked, and missed seeing it :)
>
> Unfortunately I can’t remember why I whitelisted it :( It belongs to an ESP. If they are sending stuff that can’t pass SD’s filters, it doesn’t belong in anybody’s mailbox. But obviously I needed to whitelist it for some reason at some point. I will have to have a think about this.
>
> But this situation inspires me to ask you to consider adding something to the wishlist:
>
> When a messages is allowed to pass as a result of being whitelisted, could there be an option to change the logging so that instead of just ALLOWED it shows ALLOWED_WL_[type] or maybe WHITELIST_[type] or something along those lines?
>
>
> If you can login to ms2 at the command line, you could also try running spamdyke by hand so you can see more verbose output without flooding your logs.
Re: [spamdyke-users] can't block envelope sender
From what I can see, spamdyke should be blocking those messages. This could be a bug, but first I'd suggest carefully checking your whitelists. In almost every case I've seen like this where a blacklist simply will not work, it turns out to be a whitelist entry that's overriding it. You mentioned your email flows through several different servers before it reaches the user's mailbox... from the message headers, it looks like ms2 is your edge server, is that where the blacklist entry is set?

If you can login to ms2 at the command line, you could also try running spamdyke by hand so you can see more verbose output without flooding your logs. You don't need to stop your mail server for this; it won't interfere with any normal operations. First, set an environment variable so spamdyke will think it's getting a connection from a remote server:

export TCPREMOTEIP=94.143.105.188

Next create a very small spamdyke config file (can be anywhere, doesn't have to be in /etc) with two options:

log-target=stderr
log-level=excessive

Then find the command line spamdyke is started with (in your "run" file) and run it the same way, but add another "-f" for the new config file AFTER your real config file. (If you're curious why, it's because config options are applied in the order they are read. We want to override those two options for this run, so they need to be read last.) For example, on my server I would run this:

spamdyke -f /etc/spamdyke.d/spamdyke.conf -f /tmp/testing.conf -- /var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true

You should see the SMTP greeting banner just like a mail client does (possibly delayed a few seconds by spamdyke) plus debug messages that would normally go in the logs. Type in these SMTP commands to imitate a client and test the blacklist:

EHLO cloudtengroup1.mta.dotmailer.com
MAIL FROM:<bo-3ueb-2dqy-yto27-c0...@tooplemail.com>
RCPT TO:<redac...@redacted.tld>

At that point, you should see either a 250 response if the message is accepted or a 500 response if it is blocked, plus tons of debugging output from spamdyke to show what it's thinking. You can type QUIT or ctrl-C to exit.

Hopefully that'll show what's happening. If you can't spot the issue or have trouble deciphering the output, feel free to email it to me privately and I'll take a look.

-- Sam Clippinger

On Jul 21, 2016, at 6:39 AM, Faris Raouf via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

> Dear all,
>
> I'm having a bit of an issue trying to block messages based on the envelope sender. Basically it doesn't seem to work at all, so I'm obviously doing something wrong.
>
> All the other types of blacklists and whitelists seem to work just fine.
>
> I understand the difference between the "From" and the envelope sender, and that TLS can be an issue.
>
> But as far as I'm aware it is the envelope sender that I'm targeting, and in this case my qmail installation doesn't support TLS so spamdyke is set to handle the TLS and should be able to read the contents of the message.
>
> I'm using SpamDyke 5.01
>
> Please could someone kindly take a quick look at my log/config/header of an example email, to see what I'm doing wrong?
>
> In the example below, the envelope sender I'm trying to block has (some-reference-or-other)@tooplemail.com as the envelope sender so I'm using @tooplemail.com in my blacklist_sender file.
>
>
> ***
>
> Maillog extract:
>
> Jul 21 10:32:55 ms2 spamd[30006]: spamd: checking message <2dqy.87yto274c.20160721093145...@tooplemail.com> for qscand:500
>
> Jul 21 10:32:57 ms2 spamd[30006]: spamd: result: Y 4 - BAYES_00,DIGEST_MULTIPLE,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREE_QUOTE_INSTANT,HTML_MESSAGE,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_DNSWL_NONE,SPF_PASS scantime=1.9,size=55241,user=qscand,uid=500,required_score=3.0,rhost=localhost,raddr=127.0.0.1,rport=53794,mid=<2DQY.87YTO274C.20160721093145243@tooplemail.com>,bayes=0.00,autolearn=no
>
> Jul 21 10:32:57 ms2 qmail-scanner-queue.pl: qmail-scanner[25272]: Clear:RC:0(94.143.105.188):SA:1(4.3/3.0): 2.092064 55184 bo-3ueb-2dqy-yto27-c0...@tooplemail.com redac...@redacted.tld Why_is_Toople.com_different_to_the_rest? <2dqy.87yto274c.20160721093145...@tooplemail.com> 1469093575.25274-0.ms2.redac...@redacted.tld:3611 orig-ms2.redacted.tld146909357479725272:55184 1469093575.25274-1.ms2.redacted.tld:46150
>
> Jul 21 10:32:57 ms2 spamdyke[25257]: ALLOWED from: bo-3ueb-2dqy-yto27-c0...@tooplemail.com to: redac...@redacted.tld origin_ip: 94.143.105.188 origin_rdns: cloudtengroup1.mta.dotmailer.com auth: (unk
Re: [spamdyke-users] Bug: ./configure doesn't respect --prefix
I'll get that added to the next release, thanks!

-- Sam Clippinger

On May 10, 2016, at 5:37 AM, Jonas Pasche via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

> Hey there,
>
> while the configure script of the current version tells that it would be able to handle an installation prefix ...
>
> $ ./configure --help | grep prefix | head -1
> --prefix=PREFIX install architecture-independent files in PREFIX
>
> ... this simply doesn't work, as the install paths in Makefile.in are hardcoded. I'd suggest the attached patch against the current version of spamdyke which replaces the hardcoded paths with the variable. Sam, could you possibly include this in future versions?
>
> Thanks,
> Jonas
Re: [spamdyke-users] softlimit error
You're correct that those messages are related to limits, but not the ones softlimit can set. Those messages are about "hard" limits, which are set using the "ulimit" command. I'd guess either BSD has a default hard limit or something on your system is setting them before spamdyke runs. Those limits are extremely high, so there's very little chance they're going to cause any problems, but spamdyke will keep complaining about them as long as log-level is "verbose" or higher.

-- Sam Clippinger

On May 4, 2016, at 3:04 PM, BC via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

>
> Now that I've set log-level=excessive, I can see these two errors that spamdyke is spitting out a lot:
>
> May 4 13:54:52 Xeon_Right spamdyke[18726]: ERROR(undo_softlimit()@spamdyke.c:3226): data segment hard limit is less than infinity, could lead to unexplainable crashes: 34359738368
> May 4 13:54:52 Xeon_Right spamdyke[18726]: ERROR(undo_softlimit()@spamdyke.c:3244): stack size hard limit is less than infinity, could lead to unexplainable crashes: 536870912
>
> Seems to be a harmless error report.
>
> Per Sam's suggestion quite some time ago, I quit using the 'softlimit' option in the tcpserver startup "run" files. Available memory >5GiB free all the time. Very fast CPU. The email part of the server is very lightly used as the box is primarily an NAS and for me to play and experiment with intellectually.
>
> Had no crashes that I know of - been up for 41+ days since my last intentional reboot.
>
> Thoughts?
Re: [spamdyke-users] IPv6 Question
Right now, spamdyke has no support for IPv6 at all, so it can't understand that nameserver line. However, the only consequence should be that error message -- it shouldn't have any trouble skipping that line and using the IPv4 nameserver.

-- Sam Clippinger

On May 4, 2016, at 2:54 PM, BC via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

>
> Using FreeBSD here.
>
> In addition to my normal IPv4 connection, I have an IPv6 tunnel set up via Hurricane Electric. Also use unbound as my local DNS cache resolver for resolving both IPv4 & IPv6 addresses and it has been doing both for over a year now.
>
> spamdyke doesn't seem to like the IPv6 resolver. /var/log/maillog showing LOTS of lines like this (log-level=info):
>
> May 4 13:08:56 Xeon_Right spamdyke[18382]: ERROR(load_resolver_file()@search_fs.c:753): invalid/unparsable nameserver found: fd00::1
>
> My /etc/resolv.conf file contains these two lines:
>
> nameserver 10.0.0.1
> nameserver fd00::1
>
> I didn't think that spamdyke is IPv6 aware? Shouldn't it ignore the second nameserver line above?
>
> In hopes of getting some more info about this, I've set log-level=excessive.
>
> Thoughts?
Re: [spamdyke-users] Second SD Stats report
Very impressive numbers, thanks for sharing those! Out of curiosity, of the messages that were delivered, how did you judge if they were spam?

It sounds like the problem is that spamdyke-qrv is accepting messages to invalid addresses? You can try running spamdyke-qrv manually with the "-v" flag (possibly twice) to see why it's deciding to allow the recipient. Something like this:

spamdyke-qrv -v pricom.com.au jackspratt

-- Sam Clippinger

On May 4, 2016, at 4:39 AM, Philip Rhoades via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

> People,
>
> Last year I reported some stats after I had been using SD for about a month and now I have a second set - unfortunately I forgot to increase the number of backlogs for logrotate and I lost a few months of data to compare delivered spam to but the latest stats are from 100 days of data:
>
> https://docs.google.com/spreadsheets/d/1GqinPR2mA0Jz-uTZ2zVJgutpiDl62HNbn2gWGNpd7Tk/pubhtml
>
> There were some changes to the conf file between sets of data but I didn't keep notes about changes and dates etc however it seems that the proportion of ALLOWED lines went down a little which suggests more spam was stopped - but conversely, the proportion of delivered spams compared to SD lines went up a little - which I don't quite understand . .
>
> Now I want to try and stop the delivered spams that have invalid email addresses - I have compiled and installed spamdyke-qrv OK and set "reject-recipient" to "invalid" but these spams are still getting through and then being bounced and since the return address is bogus I get a postmaster message that the bounce has failed eg for the address:
>
> jackspr...@pricom.com.au
>
> - suggestions?
>
> Thanks,
>
> Phil.
>
> --
> Philip Rhoades
>
> PO Box 896
> Cowra NSW 2794
> Australia
> E-mail: p...@pricom.com.au
Re: [spamdyke-users] Cannot block sender with header-blacklist-entry or sender-blacklist-entry
Assuming the "ALLOWED" log message you provided is accurate, it looks like the problem is authentication -- all filters are disabled after authentication succeeds. Your log message shows the same username in both the "from" and "auth" fields, which makes me suspect either the user's password has been compromised or the user's PC has been infected with malware. I'd suggest changing the account password so authentication will fail -- spamdyke's filters should work fine after that.

-- Sam Clippinger

On Mar 23, 2016, at 5:00 AM, Stephen Provis via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

> Hi, I'm having trouble blacklisting specific sending email addresses and would appreciate some advice please. I am using Spamdyke 5.0.1 on Ubuntu 10.04 and qmail.
>
> I have tried all of the following rules to block email from a specific email (for security lets say the email address is j...@smith.fake) but each time Spamdyke allows the emails through.
>
> My config file looks like this:
>
> header-blacklist-entry=From: *<*smith.fake>*
> header-blacklist-entry=from:*smith.fake*
> header-blacklist-entry=From:*j...@smith.fake*
>
> sender-blacklist-entry=@smith.fake
> sender-blacklist-entry=j...@smith.fake
>
> #sender-blacklist-file=/tmp/spamdyke.txt
>
> dns-server-ip=208.67.222.222:53
> log-level=excessive
> max-recipients=5
> idle-timeout-secs=300
> reject-empty-rdns
> reject-unresolvable-rdns
> reject-ip-in-cc-rdns
> reject-sender=no-mx
> dns-blacklist-entry=b.barracudacentral.org
> dns-blacklist-entry=zen.spamhaus.org
> rhs-blacklist-entry=fresh.spameatingmonkey.com
>
> # SET THE FILENAME BELOW AND ENABLE BOTH OF THESE OPTIONS
>
> # Controls the way spamdyke offers and supports TLS or SMTPS.
> tls-level=smtp
>
> # Read SSL certificate from FILE.
> tls-certificate-file=/var/qmail/control/servercert.pem
>
> And the syslog reports the following:
>
> Mar 23 09:47:57 lvpsxx-xx-xx-xxx qmail-queue-handlers[6890]: from=j...@smith.fake
> Mar 23 09:47:57 lvpsxx-xx-xx-xxx qmail-queue-handlers[6890]: to=some...@somewhere.fake
> Mar 23 09:47:57 lvpsxx-xx-xx-xxx qmail-queue-handlers[6890]: hook_dir = '/opt/psa/handlers/before-queue'
> Mar 23 09:47:57 lvpsxx-xx-xx-xxx qmail-queue-handlers[6890]: recipient[3] = 'some...@somewhere.fake'
> Mar 23 09:47:57 lvpsxx-xx-xx-xxx qmail-queue-handlers[6890]: handlers dir = '/opt/psa/handlers/before-queue/recipient/some...@somewhere.fake'
> Mar 23 09:47:57 lvpsxx-xx-xx-xxx qmail-queue-handlers[6890]: starter: submitter[6899] exited normally
> Mar 23 09:47:57 lvpsxx-xx-xx-xxx qmail: 1458726477.792849 new msg 32933026
> Mar 23 09:47:57 lvpsxx-xx-xx-xxx qmail: 1458726477.792929 info msg 32933026: bytes 1269 from <j...@smith.fake> qp 6899 uid 2020
> Mar 23 09:47:57 lvpsxx-xx-xx-xxx spamdyke[6822]: ALLOWED from: j...@smith.fake to: some...@somewhere.fake origin_ip: xxx.xxx.xxx.xxx origin_rdns: .xxx.net auth: j...@smith.fake encryption: TLS reason: 250_ok_1458726477_qp_6890
>
> Any assistance would be greatly appreciated.
>
> Regards,
> Stephen
>
>
> Stephen Provis
> Website Developer
> Stephen Provis and Co
>
> t: 07922 195703
> w: www.stephenprovis.com
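Two of the diagnoses in this archive can be turned into an audit of spamdyke's own ALLOWED lines: the reply above (filters are disabled once authentication succeeds, so a blacklisted sender that arrives through an authenticated session is accepted, and the same address in "from" and "auth" points at a compromised account) and the earlier rDNS thread (a PTR of "localhost" is only legitimate for 127.0.0.1). The block below is an added example, not spamdyke code: it parses log lines in the format shown on this page, with constructed addresses and IPs, and flags ALLOWED lines that match a sender blacklist but carry an auth user, plus ALLOWED lines whose origin_rdns is "localhost" from a non-loopback origin_ip.

```python
"""Audit of spamdyke ALLOWED log lines for two conditions discussed in the
threads: blacklisted senders accepted via an authenticated session, and
'localhost' rDNS from a non-loopback IP. Added example, not spamdyke code;
the log lines below are constructed in the format spamdyke logs."""
import ipaddress
import re
from typing import Dict, List, Tuple

LOG_RE = re.compile(
    r"spamdyke\[\d+\]: (?P<verdict>[A-Z_]+) from: (?P<sender>\S+) to: (?P<rcpt>\S+) "
    r"origin_ip: (?P<ip>\S+) origin_rdns: (?P<rdns>\S+) auth: (?P<auth>\S+) "
    r"encryption: (?P<enc>\S+) reason: (?P<reason>\S+)"
)

# Constructed sample: remote host with PTR 'localhost', the real loopback,
# an authenticated session from a blacklisted domain, and a normal denial.
SAMPLE_LOG = "\n".join([
    "Aug  9 10:41:58 mx spamdyke[24468]: ALLOWED from: bulk@example.net to: user@example.org origin_ip: 203.0.113.219 origin_rdns: localhost auth: (unknown) encryption: (none) reason: 250_ok_1470423419_qp_24501",
    "Aug  9 10:42:10 mx spamdyke[24470]: ALLOWED from: webmail@example.org to: user@example.org origin_ip: 127.0.0.1 origin_rdns: localhost auth: (unknown) encryption: (none) reason: 250_ok_1470423430_qp_24510",
    "Mar 23 09:47:57 mx spamdyke[6822]: ALLOWED from: joe@smith.fake to: someone@somewhere.fake origin_ip: 198.51.100.7 origin_rdns: host.example.net auth: joe@smith.fake encryption: TLS reason: 250_ok_1458726477_qp_6890",
    "Mar 23 09:48:30 mx spamdyke[6830]: DENIED_HEADER_BLACKLISTED from: spam@smith.fake to: someone@somewhere.fake origin_ip: 198.51.100.8 origin_rdns: (none) auth: (unknown) encryption: (none) reason: /etc/spamdyke.d/blacklist_header:2",
])


def parse_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per spamdyke verdict line; other lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.search, text.splitlines()) if m]


def is_loopback(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:  # redacted or malformed address
        return False


def sender_blacklisted(sender: str, entries: List[str]) -> bool:
    """spamdyke-style sender list entry: full address, or '@domain'."""
    sender = sender.lower()
    domain = sender.rsplit("@", 1)[-1]
    return any(e.lower() == sender or (e.startswith("@") and e[1:].lower() == domain)
               for e in entries)


def audit(text: str, sender_blacklist: List[str]) -> List[Tuple[str, str, str]]:
    """Return (finding, origin_ip, sender) for each suspicious ALLOWED line."""
    findings = []
    for rec in parse_log(text):
        if rec["verdict"] != "ALLOWED":
            continue
        if rec["rdns"] == "localhost" and not is_loopback(rec["ip"]):
            findings.append(("localhost_rdns_from_remote", rec["ip"], rec["sender"]))
        # auth != (unknown) means spamdyke skipped its filters for this session
        if rec["auth"] != "(unknown)" and sender_blacklisted(rec["sender"], sender_blacklist):
            findings.append(("blacklisted_sender_allowed_after_auth", rec["ip"], rec["sender"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, ["@smith.fake"]):
        print(*finding)
```

The second finding is the actionable one from the reply above: no blacklist entry will stop that sender until the account's credentials are changed, so the audit reports the auth user's sessions rather than the filter configuration.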
Re: [spamdyke-users] recipient-blacklist-file=FILE with RegExes?
Ah... you're confusing the "sender" address with the "From" address. The sender address is what appears in the logs. The From address is what appears in the message headers and is also what you see in your mail client. The two are completely separate and spammers usually supply different (bogus) values for them.

To block both of the examples you gave, add these lines to your sender-blacklist-file (not your header-blacklist-file):

@brewster.com
@nice.com

That should do it! More info here:
http://www.spamdyke.org/documentation/README.html#REJECTING_SENDERS

-- Sam Clippinger

On Dec 29, 2015, at 11:54 PM, Philip Rhoades via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

> People,
>
> I thought of starting a new thread but the question relates to this discussion so I thought I would revive it - see inline comments:
>
>
> On 2015-06-21 04:57, Philip Rhoades via spamdyke-users wrote:
>> Sam,
>> On 2015-06-21 03:12, Sam Clippinger via spamdyke-users wrote:
>>> Regex support is on the (rather lengthy) to-do list, but frankly it's not a very high priority -- there's a lot of low-hanging fruit that would be of much more benefit right now. Plus, since I'm not one of the 10 people in the world who completely understands regexes, I doubt I would actually use them myself; I'd rather add globbing support, which I do understand. :)
>> OK, no worries - SD is going well so far so I may not need some of the mechanisms that I used in my own setup - we'll see how things go.
>>> spamdyke's header filter runs at connection time, as all of its filters do. If a header line matches a blacklisted pattern, the entire message is rejected (the sending server receives an error code, qmail never sees the message).
>> Right - thanks for the clarification.
>
>
> One annoying spammer continues to get their mail through but I don't understand why - my header-blacklist-file includes these two lines in it:
>
> [FR][re][op][ml]*:*brewster.com*
> [FR][re][op][ml]*:*nice.com*
>
> but the first one works and the second one doesn't!:
>
> /var/log/maillog-20151230:Dec 29 17:08:43 prix spamdyke[15684]: DENIED_HEADER_BLACKLISTED from: smartdel...@brewster.com to: p...@pricom.com.au origin_ip: 23.253.183.234 origin_rdns: mail-183-234.mailgun.info auth: (unknown) encryption: (none) reason: /usr/local/bin/srejector2/spamdyke_blacklist_header.txt:11
>
> /var/log/maillog-20151230:Dec 29 17:08:00 prix spamdyke[15609]: ALLOWED from: support.a...@nice.com to: mailer-dae...@pricom.com.au origin_ip: 192.114.148.4 origin_rdns: mailil.nice.com auth: (unknown) encryption: (none) reason: 250_ok_1451369280_qp_15628
>
> I have even saved the file in vim a couple of times and restarted qmail a couple of times but no change in the behaviour - what could the explanation be?
>
> Thanks,
>
> Phil.
>
>
>>> On Jun 19, 2015, at 9:09 PM, Philip Rhoades via spamdyke-users <spamdyke-users@spamdyke.org> wrote:
>>>> Sam,
>>>> See inline comments:
>>>> On 2015-06-20 11:53, Sam Clippinger via spamdyke-users wrote:
>>>>> You're correct spamdyke does not support regexes for any of its options, but you can use a wildcard in a sender or recipient white/blacklist file to match entire domains by prefixing the line with an @ symbol. For example:
>>>>> @example.com [1]
>>>> Yep, saw that - is it possible to support regexes in the future?
>>>>> Full documentation here:
>>> http://www.spamdyke.org/documentation/README.html#REJECTING_RECIPIENTS [2]
>>>>> BUT! Be careful -- the "To" and "From" lines in the message header are not the same as the "sender" and "recipient". The sender and recipient are part of SMTP, the To and From lines are part of the message data and are completely unrelated. Think of it this way: when a letter is sent through the post office, the name on the outside of the envelope tells the postman which mailbox gets the envelope (or where to send it back to) but top of the letter inside may have a completely unrelated letterhead and salutation. Whenever spamdyke's options/documentation &g
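The two "can't block envelope sender" threads above come down to evaluation order and matching rules: whitelists are consulted before blacklists and a whitelist hit (here an rDNS whitelist entry) overrides a blacklist entry, sender list entries are either a full address or "@domain", and only the SMTP envelope sender is consulted, never the From: header. The block below is an added, simplified model of that evaluation, not spamdyke's code: the list contents and the /etc/spamdyke.d paths are constructed, rDNS entries are taken to match the name or any parent domain, and the "reason" strings mimic the file:line form spamdyke logs for list matches so the overriding entry is visible.

```python
"""Simplified model of spamdyke's whitelist-before-blacklist evaluation for
sender and rDNS lists. Added example, not spamdyke code; list files, paths
and addresses are constructed."""
from typing import Callable, Dict, Optional, Tuple

LIST_DIR = "/etc/spamdyke.d"  # constructed path used in the reason strings

# Constructed list files. The rDNS whitelist entry is the kind of line that,
# in the thread, silently overrode the sender blacklist.
LISTS: Dict[str, str] = {
    "whitelist_rdns": "dotmailer.com\n",
    "whitelist_senders": "",
    "blacklist_rdns": "",
    "blacklist_senders": "# block the whole domain\n@tooplemail.com\nnoreply@example.com\n",
}


def sender_matches(entry: str, sender: str) -> bool:
    """Sender list entry: full address, or '@domain' for every address there."""
    entry, sender = entry.lower(), sender.lower()
    if entry.startswith("@"):
        return "@" in sender and sender.rsplit("@", 1)[1] == entry[1:]
    return entry == sender


def rdns_matches(entry: str, rdns: str) -> bool:
    """rDNS list entry: the name itself or any parent domain of it."""
    entry, rdns = entry.lower().strip("."), rdns.lower().strip(".")
    return rdns == entry or rdns.endswith("." + entry)


def first_match(name: str, text: str, matcher: Callable[[str, str], bool],
                value: str) -> Optional[str]:
    """Return 'path:line' of the first non-comment entry that matches."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line and not line.startswith("#") and matcher(line, value):
            return f"{LIST_DIR}/{name}:{lineno}"
    return None


def decide(sender: str, rdns: str, lists: Dict[str, str]) -> Tuple[str, str]:
    """Whitelists first (a hit ends evaluation), then blacklists.
    The From: header is deliberately not an input: only the envelope sender
    and the connection's rDNS are consulted."""
    order = (
        ("whitelist_rdns", rdns_matches, rdns, "ALLOWED"),
        ("whitelist_senders", sender_matches, sender, "ALLOWED"),
        ("blacklist_rdns", rdns_matches, rdns, "DENIED"),
        ("blacklist_senders", sender_matches, sender, "DENIED"),
    )
    for name, matcher, value, verdict in order:
        hit = first_match(name, lists.get(name, ""), matcher, value)
        if hit:
            return verdict, hit
    return "ALLOWED", "(no list matched)"


def without(lists: Dict[str, str], name: str) -> Dict[str, str]:
    """Copy of the lists with one file emptied, to test removing an entry."""
    copy = dict(lists)
    copy[name] = ""
    return copy


if __name__ == "__main__":
    case = ("bo-3ueb@tooplemail.com", "cloudtengroup1.mta.dotmailer.com")
    print("with rDNS whitelist:   ", decide(*case, LISTS))
    print("without rDNS whitelist:", decide(*case, without(LISTS, "whitelist_rdns")))
```

Because the reason string names the list file and line that decided the verdict, the same check answers the wishlist item in the shorter thread (showing which whitelist let a message through) without a separate log verdict.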
Re: [spamdyke-users] Progress Report
Unfortunately I haven't spent any time on either of those things yet. I've spent a significant amount of time trying to get the recipient validation feature working but kinda lost steam a month or two ago. I'm gonna get back on the horse here soon.

Can I just say again for the record that I'm still amazed people still use Solaris at all, much less OpenIndiana? :)

-- Sam Clippinger

On Dec 15, 2015, at 7:10 PM, Gary Gendel via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

> Sam,
>
> I've started a discussion on the OpenIndiana developer's mailing list about Spamdyke and generated a lot of interest. I know you're working on divorcing Spamdyke from Qmail and also supporting IPv6. How is this work progressing? It seems that IPv6 seems to be a sticky point for deployment.
>
> Gary
Re: [spamdyke-users] Receiving from other Mailservers with StartTLS on port 25 failed
I don't see anything in your config file that looks like a problem. Since it's working for some connections and not others, I'd guess it's something about those mailservers -- they're expecting some response (or something) that spamdyke isn't sending, so the connection stalls. Can you try enabling the "full-log-option" to capture the data from one of these failed connections?

-- Sam Clippinger

On Dec 14, 2015, at 8:29 AM, Arne Metzger <mo...@foni.net> wrote:

> Hi Sam,
>
> sorry for the delayed reply.
>
> My config files are attached below. But i can't provide any log file data - the only hint i see in /var/log/maillog is an entry "relaylock: ..." and nothing more. Spamdyke doesn't seem to notice the connection.
>
> # cat /etc/spamdyke5.conf
> log-level=verbose
> log-target=syslog
> dns-level=normal
> filter-level=normal
> smtp-auth-level=ondemand-encrypted
> smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
> relay-level=normal
> tls-certificate-file=/var/qmail/control/servercert.pem
> idle-timeout-secs=300
> greeting-delay-secs=0
> tls-level=smtp
> max-recipients=20
> policy-url=http://www.shjjv.de/home/spamfilter
>
> reject-empty-rdns
> reject-ip-in-cc-rdns
> reject-unresolvable-rdns
> ip-in-rdns-keyword-blacklist-file=/var/qmail/spamdyke/rdns-keyword-blacklist
> ip-in-rdns-keyword-whitelist-file=/var/qmail/spamdyke/rdns-keyword-whitelist
>
> ip-blacklist-file=/var/qmail/spamdyke/ip-blacklist
> rdns-blacklist-file=/var/qmail/spamdyke/rdns-blacklist
> ip-whitelist-file=/var/qmail/spamdyke/ip-whitelist
> rdns-whitelist-file=/var/qmail/spamdyke/rdns-whitelist
>
> dns-blacklist-entry=zen.spamhaus.org
> dns-blacklist-entry=dnsbl.inps.de
> dns-blacklist-entry=ix.dnsbl.manitu.net
> dns-blacklist-entry=bl.spamcannibal.org
> rhs-blacklist-entry=fresh.spameatingmonkey.com
> #dns-whitelist-entry=list.dnswl.org
>
> header-blacklist-file=/var/qmail/spamdyke/header-blacklist
>
> reject-sender=no-mx
> reject-recipient=same-as-sender
>
> sender-whitelist-file=/var/qmail/spamdyke/sender-whitelist
> sender-blacklist-file=/var/qmail/spamdyke/sender-blacklist
>
> graylist-dir=/var/qmail/spamdyke/graylist
> graylist-level=always-create-dir
> graylist-min-secs=300
> graylist-max-secs=1814400
> qmail-rcpthosts-file=/var/qmail/control/rcpthosts
>
> # cat /etc/spamdyke5_smtps.conf
> log-level=verbose
> log-target=syslog
> dns-level=normal
> filter-level=normal
> smtp-auth-level=ondemand-encrypted
> smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
> relay-level=normal
> tls-certificate-file=/var/qmail/control/servercert.pem
> idle-timeout-secs=300
> greeting-delay-secs=0
> #151117he
> tls-level=smtps
> tls-certificate-file=/var/qmail/control/servercert.pem
> max-recipients=20
> policy-url=http://www.shjjv.de/home/spamfilter
>
> reject-empty-rdns
> reject-ip-in-cc-rdns
> reject-unresolvable-rdns
> ip-in-rdns-keyword-blacklist-file=/var/qmail/spamdyke/rdns-keyword-blacklist
> ip-in-rdns-keyword-whitelist-file=/var/qmail/spamdyke/rdns-keyword-whitelist
>
> ip-blacklist-file=/var/qmail/spamdyke/ip-blacklist
> rdns-blacklist-file=/var/qmail/spamdyke/rdns-blacklist
> ip-whitelist-file=/var/qmail/spamdyke/ip-whitelist
> rdns-whitelist-file=/var/qmail/spamdyke/rdns-whitelist
>
> dns-blacklist-entry=zen.spamhaus.org
> dns-blacklist-entry=dnsbl.inps.de
> dns-blacklist-entry=ix.dnsbl.manitu.net
> dns-blacklist-entry=bl.spamcannibal.org
> rhs-blacklist-entry=fresh.spameatingmonkey.com
> #dns-whitelist-entry=list.dnswl.org
>
> header-blacklist-file=/var/qmail/spamdyke/header-blacklist
>
> reject-sender=no-mx
> reject-recipient=same-as-sender
>
> sender-whitelist-file=/var/qmail/spamdyke/sender-whitelist
> sender-blacklist-file=/var/qmail/spamdyke/sender-blacklist
>
> graylist-dir=/var/qmail/spamdyke/graylist
> graylist-level=always-create-dir
> graylist-min-secs=300
> graylist-max-secs=1814400
> qmail-rcpthosts-file=/var/qmail/control/rcpthosts
>
> Best regards,
> Arne
>
> Am 25.11.2015 um 02:51 schrieb Sam Clippinger via spamdyke-users:
>> It's hard to say what the problem might be without more information. Could you post your spamdyke config file? Also, if you use the full-log-dir option, spamdyke will capture everything that happens into a log file for each connection, which should show exactly what's going on.
>>
>> -- Sam Clippinger
>>
>>
>>
>>
>> On Nov 19, 2015, at 2:41 AM, Arne Metzger via spamdyke-users <spamdyke-users@spa
Re: [spamdyke-users] Receiving from other Mailservers with StartTLS on port 25 failed
It's hard to say what the problem might be without more information. Could you post your spamdyke config file? Also, if you use the full-log-dir option, spamdyke will capture everything that happens into a log file for each connection, which should show exactly what's going on.

-- Sam Clippinger

On Nov 19, 2015, at 2:41 AM, Arne Metzger via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

> Hi,
>
> I am using tls-level = smtp for standard smtp connections (for smtps on port
> 465 I use a separate configuration file with tls-level = smtps)
>
> Some mails from specific mailservers were not handled by spamdyke, there was
> just a relaylock entry in maillog, nothing more.
>
> My hoster's support staff also tried to send mail with StartTLS on port 25 and
> got the same result: relaylock entry and nothing more.
>
> Spamdyke seems not to offer StartTLS on port 25, thus delivering fails and
> the sending server does not try to deliver without encryption. So the email
> is not delivered at all.
>
> Has anyone heard about that? Any hints? Or more information needed?
> Using spamdyke 5.0.1 on ubuntu 14.04
>
> Best regards,
> Arne

___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
Re: [spamdyke-users] Blocking "Reply-To:" addresses
I guess so, but remember the wildcarding uses globbing, not regexes. What I mean is: using "?*" is equivalent to just "*". Also, the line has to contain at least one colon or spamdyke won't use it (message headers always use a colon to separate the field name from the value).

Why not just use multiple entries in the file? If either one matches, the message will be blocked and it'd be easier to understand:

From: *@skysoft.com
Reply-To: *@skysoft.com

-- Sam Clippinger

On Oct 2, 2015, at 4:34 AM, Philip Rhoades via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

> On 2015-10-02 15:42, Philip Rhoades via spamdyke-users wrote:
>> Sam,
>>
>> On 2015-09-26 01:12, Sam Clippinger via spamdyke-users wrote:
>>> The header blacklist file has a different format from the sender
>>> blacklist file, so just copying entries from one to the other won't
>>> work. You need to provide a pattern that matches the line(s) in the
>>> message header -- in your mail client, you should have an option to
>>> "view message source" or "view raw headers" that will show you what it
>>> looks like. In this specific case, you probably want this:
>>>
>>> Reply-To: *@skysoft.com*
>>>
>>> The format is case insensitive and uses globbing for wildcards, so *
>>> will match multiple characters and [] will match a set or range of
>>> characters, just like the bash command prompt. The filter will ignore
>>> any lines in the file that don't contain a colon. Full details here:
>>> http://www.spamdyke.org/documentation/README.html#HEADERS
>>
>> So if I wanted to block the same address for both From: and Reply-To:
>> I could use:
>>
>> [fr][re][op][ml].*@skysoft.com
>
> [fr][re][op][ml]?*@skysoft.com
>
> so "*" doesn't repeat only "[ml]" ?
>
>> ?
>>
>> Thanks,
>>
>> Phil.
>>
>>> For testing, you certainly can use telnet -- I do it all the time.
>>> Just make sure the host you telnet from isn't blocked or whitelisted
>>> for some other reason (most folks whitelist localhost, for example).
>>>
>>> -- Sam Clippinger
>>>
>>> On Sep 25, 2015, at 1:31 AM, Philip Rhoades via spamdyke-users
>>> <spamdyke-users@spamdyke.org> wrote:
>>>> Sam,
>>>>
>>>> On 2015-09-15 07:27, Sam Clippinger via spamdyke-users wrote:
>>>>> Actually, no. The sender-blacklist-* and recipient-blacklist-*
>>>>> filters operate on different data from the header-blacklist-* filters. The
>>>>> reason is because the sender and recipient addresses are given during
>>>>> the SMTP protocol and aren't part of the message itself -- the
>>>>> addresses you see in your mail client are the From and To entries from
>>>>> the message header. The first paragraph here explains in a little more
>>>>> detail:
>>>>> http://www.spamdyke.org/documentation/README.html#REJECTING_SENDERS
>>>>
>>>> Yes, sorry, I should have realised that . .
>>>>
>>>>> Put another way, the sender address doesn't have to match the "From"
>>>>> address visible in the mail client -- well-behaved mail clients make
>>>>> them the same, but that's a courtesy and not a requirement. The
>>>>> Reply-To address is part of the message header and, again, is only a
>>>>> convention used by well-behaved clients. If you've ever been Bcc'd on
>>>>> a message, you've seen this in action -- the sender's mail client gave
>>>>> your address as a recipient but didn't put your address on the "To"
>>>>> line in the message header.
>>>>
>>>> Right, so, some follow up questions: I moved the following from the
>>>> sender-blacklist to the header-blacklist:
>>>>
>>>> @iskysoft.com
>>>>
>>>> - first in the conf file then later into a separate
>>>> header-blacklist-file with all the massaged addresses from my old
>>>> setup - but the sender above still seems to be getting through. I
>>>> thought the "@" was supposed to act like a wild card? Am I still
>>>> doing something wrong?
>>>>
>>>> When I add addresses etc to blacklists etc, is there any way of
>>>> doing a test myself to see that the block is working? Using a telnet
>>>> to port 25 on my qmail server and manually pasting
Re: [spamdyke-users] Blocking "Reply-To:" addresses
The header blacklist file has a different format from the sender blacklist file, so just copying entries from one to the other won't work. You need to provide a pattern that matches the line(s) in the message header -- in your mail client, you should have an option to "view message source" or "view raw headers" that will show you what it looks like. In this specific case, you probably want this:

Reply-To: *@skysoft.com*

The format is case insensitive and uses globbing for wildcards, so * will match multiple characters and [] will match a set or range of characters, just like the bash command prompt. The filter will ignore any lines in the file that don't contain a colon. Full details here:
http://www.spamdyke.org/documentation/README.html#HEADERS

For testing, you certainly can use telnet -- I do it all the time. Just make sure the host you telnet from isn't blocked or whitelisted for some other reason (most folks whitelist localhost, for example).

-- Sam Clippinger

On Sep 25, 2015, at 1:31 AM, Philip Rhoades via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

> Sam,
>
> On 2015-09-15 07:27, Sam Clippinger via spamdyke-users wrote:
>> Actually, no. The sender-blacklist-* and recipient-blacklist-* filters
>> operate on different data from the header-blacklist-* filters. The
>> reason is because the sender and recipient addresses are given during
>> the SMTP protocol and aren't part of the message itself -- the
>> addresses you see in your mail client are the From and To entries from
>> the message header. The first paragraph here explains in a little more
>> detail:
>> http://www.spamdyke.org/documentation/README.html#REJECTING_SENDERS
>
> Yes, sorry, I should have realised that . .
>
>> Put another way, the sender address doesn't have to match the "From"
>> address visible in the mail client -- well-behaved mail clients make
>> them the same, but that's a courtesy and not a requirement. The
>> Reply-To address is part of the message header and, again, is only a
>> convention used by well-behaved clients. If you've ever been Bcc'd on
>> a message, you've seen this in action -- the sender's mail client gave
>> your address as a recipient but didn't put your address on the "To"
>> line in the message header.
>
> Right, so, some follow up questions: I moved the following from the
> sender-blacklist to the header-blacklist:
>
> @iskysoft.com
>
> - first in the conf file then later into a separate header-blacklist-file
> with all the massaged addresses from my old setup - but the sender above
> still seems to be getting through. I thought the "@" was supposed to act
> like a wild card? Am I still doing something wrong?
>
> When I add addresses etc to blacklists etc, is there any way of doing a test
> myself to see that the block is working? Using a telnet to port 25 on my
> qmail server and manually pasting header lines is not a real test is it?
>
> Thanks,
>
> Phil.
>
>> -- Sam Clippinger
>>
>> On Sep 13, 2015, at 9:20 PM, Philip Rhoades via spamdyke-users
>> <spamdyke-users@spamdyke.org> wrote:
>>> Sam,
>>>
>>> On 2015-09-14 11:38, Sam Clippinger via spamdyke-users wrote:
>>>> I'm not entirely sure I understand your question... if the Reply-To
>>>> address is always the same, you should be able to block it using the
>>>> header blacklist filter.
>>>
>>> Ah . . OK - I will try that but doesn't that mean that:
>>>
>>> sender-blacklist-entry
>>>
>>> is redundant - ie:
>>>
>>> header-blacklist-entry
>>>
>>> should cover everything?
>>>
>>> Thanks,
>>>
>>> Phil.
>>>
>>>> If you're wanting to compare the Reply-To
>>>> address to the From address or the sender address, spamdyke doesn't
>>>> have that ability.
>>>
>>> -- Sam Clippinger
>>>
>>> On Sep 13, 2015, at 4:11 PM, Philip Rhoades via spamdyke-users
>>> <spamdyke-users@spamdyke.org> wrote:
>>> People,
>>>
>>> One variety of spam that is successfully delivered to me has a
>>> different "From:" addresses but the same "Reply-To:" address - I
>>> can't see a way of blocking these mails in the conf file via the
>>> "Reply-To:" address - is it possible?
>>>
>>> Thanks,
>>>
>>> Phil.
>>> --
>>> Philip Rhoades
>>> PO Box 896
>>> Cowra NSW 2794
>>> Australia
>>> E-mail: p...@pricom.com.au
>>> ___
>>> sp
Re: [spamdyke-users] Blocking "Reply-To:" addresses
Actually, no. The sender-blacklist-* and recipient-blacklist-* filters operate on different data from the header-blacklist-* filters. The reason is because the sender and recipient addresses are given during the SMTP protocol and aren't part of the message itself -- the addresses you see in your mail client are the From and To entries from the message header. The first paragraph here explains in a little more detail:
http://www.spamdyke.org/documentation/README.html#REJECTING_SENDERS

Put another way, the sender address doesn't have to match the "From" address visible in the mail client -- well-behaved mail clients make them the same, but that's a courtesy and not a requirement. The Reply-To address is part of the message header and, again, is only a convention used by well-behaved clients. If you've ever been Bcc'd on a message, you've seen this in action -- the sender's mail client gave your address as a recipient but didn't put your address on the "To" line in the message header.

-- Sam Clippinger

On Sep 13, 2015, at 9:20 PM, Philip Rhoades via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

> Sam,
>
> On 2015-09-14 11:38, Sam Clippinger via spamdyke-users wrote:
>> I'm not entirely sure I understand your question... if the Reply-To
>> address is always the same, you should be able to block it using the
>> header blacklist filter.
>
> Ah . . OK - I will try that but doesn't that mean that:
>
> sender-blacklist-entry
>
> is redundant - ie:
>
> header-blacklist-entry
>
> should cover everything?
>
> Thanks,
>
> Phil.
>
>> If you're wanting to compare the Reply-To
>> address to the From address or the sender address, spamdyke doesn't
>> have that ability.
>>
>> -- Sam Clippinger
>>
>> On Sep 13, 2015, at 4:11 PM, Philip Rhoades via spamdyke-users
>> <spamdyke-users@spamdyke.org> wrote:
>>> People,
>>>
>>> One variety of spam that is successfully delivered to me has a
>>> different "From:" addresses but the same "Reply-To:" address - I
>>> can't see a way of blocking these mails in the conf file via the
>>> "Reply-To:" address - is it possible?
>>>
>>> Thanks,
>>>
>>> Phil.
>>> --
>>> Philip Rhoades
>>> PO Box 896
>>> Cowra NSW 2794
>>> Australia
>>> E-mail: p...@pricom.com.au
>
> --
> Philip Rhoades
>
> PO Box 896
> Cowra NSW 2794
> Australia
> E-mail: p...@pricom.com.au
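The envelope-versus-header distinction Sam draws above, together with the glob header-blacklist format from the later replies in this thread, worked through as an added example; this is not spamdyke's code. The sample headers, the sample blacklist file, the MAIL FROM line, whole-line glob matching (the reason the sample patterns end in `*`) and the suffix test for a sender-blacklist domain entry are all this example's assumptions.

```c
#define _GNU_SOURCE              /* FNM_CASEFOLD is a GNU/BSD extension to fnmatch(3) */
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample: the raw header lines of one message, as "view message source"
 * shows them. Not a real message. */
static const char *sample_headers[] = {
    "Received: from mail.example.net (constructed sample)",
    "From: \"Marketing\" <promo@SkySoft.com>",
    "To: phil@example.org",
    "Reply-To: deals@skysoft.com",
    "Subject: special offer",
    NULL
};

/* Constructed header-blacklist file, one glob pattern per line as Sam describes. The
 * first entry is the sender-blacklist entry Phil copied over: it has no colon, so it is
 * ignored and blocks nothing. */
static const char *sample_blacklist[] = {
    "@iskysoft.com",
    "From: *@skysoft.com*",
    "Reply-To: *@skysoft.com*",
    NULL
};

/* Constructed envelope command from the same SMTP session. The sender-blacklist filters
 * see this address and never the header From: line. */
static const char *sample_mail_from = "MAIL FROM:<bounce-1234@bulkmailer.example>";

/* 1 when pattern is usable (contains a colon) and matches header_line as a
 * case-insensitive glob over the whole line, else 0. Whole-line matching is this
 * example's assumption; it is why the sample patterns end in '*'. */
int header_pattern_matches(const char *pattern, const char *header_line)
{
    if (strchr(pattern, ':') == NULL)
        return 0;
    return fnmatch(pattern, header_line, FNM_CASEFOLD) == 0;
}

/* Index of the first blacklist entry matching any header line, or -1 if none does. */
int first_blacklist_hit(const char **blacklist, const char **headers)
{
    for (int i = 0; blacklist[i] != NULL; i++)
        for (int j = 0; headers[j] != NULL; j++)
            if (header_pattern_matches(blacklist[i], headers[j]))
                return i;
    return -1;
}

/* Copies the address between '<' and '>' of a MAIL FROM: / RCPT TO: command into buf.
 * Returns 1 on success, 0 when there is no bracketed address or buf is too small. */
int envelope_address(const char *smtp_command, char *buf, size_t buflen)
{
    const char *lt = strchr(smtp_command, '<');
    const char *gt = lt ? strchr(lt, '>') : NULL;
    if (lt == NULL || gt == NULL)
        return 0;
    size_t len = (size_t)(gt - lt - 1);
    if (len >= buflen)
        return 0;
    memcpy(buf, lt + 1, len);
    buf[len] = '\0';
    return 1;
}

/* Does an envelope address fall under a sender-blacklist domain entry such as
 * "@skysoft.com"? Modelled here as a case-insensitive suffix test (an assumption). */
int envelope_domain_matches(const char *address, const char *domain_entry)
{
    size_t alen = strlen(address), dlen = strlen(domain_entry);
    if (dlen == 0 || dlen > alen)
        return 0;
    return strcasecmp(address + alen - dlen, domain_entry) == 0;
}

int main(void)
{
    char sender[128];
    if (envelope_address(sample_mail_from, sender, sizeof sender))
        printf("envelope sender %s, sender-blacklist '@skysoft.com' matches: %s\n", sender,
               envelope_domain_matches(sender, "@skysoft.com") ? "yes" : "no");
    int hit = first_blacklist_hit(sample_blacklist, sample_headers);
    if (hit >= 0)
        printf("header blacklist: blocked by entry \"%s\"\n", sample_blacklist[hit]);
    else
        printf("header blacklist: message passes\n");
    return 0;
}
```

The copied sender-blacklist entry never fires on header lines, while the two colon-bearing patterns do, and the envelope sender is checked as a separate value from whatever the From: header claims.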
Re: [spamdyke-users] Blocking "Reply-To:" addresses
I'm not entirely sure I understand your question... if the Reply-To address is always the same, you should be able to block it using the header blacklist filter. If you're wanting to compare the Reply-To address to the From address or the sender address, spamdyke doesn't have that ability.

-- Sam Clippinger

On Sep 13, 2015, at 4:11 PM, Philip Rhoades via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

> People,
>
> One variety of spam that is successfully delivered to me has a different
> "From:" addresses but the same "Reply-To:" address - I can't see a way of
> blocking these mails in the conf file via the "Reply-To:" address - is it
> possible?
>
> Thanks,
>
> Phil.
> --
> Philip Rhoades
>
> PO Box 896
> Cowra NSW 2794
> Australia
> E-mail: p...@pricom.com.au
Re: [spamdyke-users] Weird behavior with TLS and auth-level=always
I'm having trouble reproducing this problem. I've tried running spamdyke with this config against both patched qmail and my own smtpdummy (in the tests folder) and both of them show the AUTH lines in every case. How did you install qmail? Is this netqmail or Plesk or QTP or?

-- Sam Clippinger

On Aug 24, 2015, at 11:42 AM, Gary Gendel via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

Sam,

Yes I'm on 5.0.1. I've pared the configuration file down to:

qmail-rcpthosts-file=/var/qmail/control/rcpthosts
recipient-validation-command=/usr/local/bin/spamdyke-qrv
reject-recipient=invalid
max-recipients=5
idle-timeout-secs=300
tls-level=smtp-no-passthrough
tls-certificate-file=/usr/local/etc/ssl/certs/dovecot.pem
tls-privatekey-file=/usr/local/etc/ssl/private/dovecot.pem
filter-level=require-auth
smtp-auth-level=always
smtp-auth-command=/usr/local/bin/checkpassword-pam -s smtp /bin/true

If I comment out the smtp-auth-level so it uses qmail, I get the STARTTLS, this way I don't.

I'm still trying to figure out the qmail auth failure. This one is a real head-scratcher. It's timing out so it looks like the pipe isn't connecting to checkpasswd-pam. I tried hard-coding the string that was sent (and works fine on external checkpasswd-pam tests) but it still times out. However, spamdyke's auth works fine which is how I discovered the above problem.

Gary

On 08/24/2015 12:26 PM, Sam Clippinger via spamdyke-users wrote:

What version of spamdyke are you using? I fixed a bug related to this in 5.0.1... that doesn't mean there isn't another bug, I just want to make sure you're on that version before I spend time chasing a bug that's already fixed. :)

If you are on 5.0.1, could you post your configuration file that shows how to reproduce this? That'll probably save me quite a bit of time.

-- Sam Clippinger

On Aug 21, 2015, at 1:54 PM, Gary Gendel via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

Sam,

If I use qmail with smtp auth, then spamdyke announces STARTTLS capabilities, but if I have spamdyke do it then it doesn't. It's there and works, but it isn't announced in the ehlo response.

gary@abby ~ openssl s_client -starttls smtp -crlf -connect tardis.genashor.com:587 -starttls smtp
CONNECTED(0003)
didn't found starttls in server response, try anyway...
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA

I'm trying to use spamdyke for auth because qmail auth doesn't seem to work for me. If I test checkpassword-pam outside it works, but from qmail it just hangs for a few seconds and then fails. I'll figure it out but I wanted to report this quirk.

Gary
Re: [spamdyke-users] Weird behavior with TLS and auth-level=always
What version of spamdyke are you using? I fixed a bug related to this in 5.0.1... that doesn't mean there isn't another bug, I just want to make sure you're on that version before I spend time chasing a bug that's already fixed. :)

If you are on 5.0.1, could you post your configuration file that shows how to reproduce this? That'll probably save me quite a bit of time.

-- Sam Clippinger

On Aug 21, 2015, at 1:54 PM, Gary Gendel via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

Sam,

If I use qmail with smtp auth, then spamdyke announces STARTTLS capabilities, but if I have spamdyke do it then it doesn't. It's there and works, but it isn't announced in the ehlo response.

gary@abby ~ openssl s_client -starttls smtp -crlf -connect tardis.genashor.com:587 -starttls smtp
CONNECTED(0003)
didn't found starttls in server response, try anyway...
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA

I'm trying to use spamdyke for auth because qmail auth doesn't seem to work for me. If I test checkpassword-pam outside it works, but from qmail it just hangs for a few seconds and then fails. I'll figure it out but I wanted to report this quirk.

Gary
Re: [spamdyke-users] Some stats after a couple of months; NotInFromWhiteList; Calling External Program
Pretty cool, thanks for reporting that! At this point, spamdyke doesn't support hooking in external scripts during processing. I very much want to make that happen however, since it would make it possible to invoke SpamAssassin or ClamAV within the delivery process. That's probably a couple of versions away unfortunately.

-- Sam Clippinger

On Aug 22, 2015, at 5:40 AM, Philip Rhoades via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

People,

Here are some stats after a couple of months of happy Spamdyke usage - thanks! If I had remembered to set the logrotate number higher I would have had more data but I think the last 31 days is sufficient to illustrate some things:

Total spamdyke lines in maillog files for the last 31 days: 54838
Total spamdyke ALLOWED lines in maillog files for the last 31 days: 12278 (22.4%)

Total spam / phishing messages that were delivered: 165 (100%)
  Valid To email address: 105 (64%)
  No To email address: 19 (12%)
  Undisclosed Recipients: 15 (9%)
  Mailer Daemon bounces: 13 (8%)
  Invalid To email address: 12 (7%)
  Valid To email address but NO Subject and NO From: 1 (1%)

I could stop the 64% Valid To email address spams if I had a NotInFromWhiteList facility - at the expense of annoying people sometimes with failed messages and them receiving an "If you are a real mailer . ." note - like my previous Qmail + GreyLite + Ruby script (that was called via qmail-qfilter) setup.

Except for Mailer Daemon bounces and Valid To email address but NO SUBJECT and NO FROM, I don't even know how the other mails actually get delivered at all . .

I notice the processing that spamdyke does is slower for me to send mail compared to my previous setup - but I guess it is doing more work too . .

Is there any way for me to call a modified version of my old Ruby script from spamdyke as the last bit of processing before allowing an email through?

Thanks again!

Phil.

--
Philip Rhoades

PO Box 896
Cowra NSW 2794
Australia
E-mail: p...@pricom.com.au
Re: [spamdyke-users] Disable SSLv3 in spamdyke
I think you can test it by using the openssl client from the command line:

openssl s_client -ssl3 -connect SERVERNAME:PORT

If it connects and you see "Protocol: SSLv3", it's not disabled. If you see "sslv3 alert handshake failure" and it doesn't connect, you're done!

-- Sam Clippinger

On Aug 20, 2015, at 7:28 AM, Alessio Cecchi via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

Hi,

I'm running spamdyke 5 in front of a Qmail without TLS patch. My Qmail acts only as MX so I'm not interested in smtp authentication via TLS, but I need TLS to send and receive encrypted email from other servers.

But my MX also accepts SSLv3 and I would like to disable it. So I insert in spamdyke.conf:

tls-cipher-list=ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL

but I'm not sure if the list of ciphers is correct.

Can somebody help me?

Thanks
--
Alessio Cecchi
http://www.linkedin.com/in/alessice
Re: [spamdyke-users] deprecation of qmail
Yep, that sounds familiar. If you need more reasons, I've also been seeing the big DNS packet problem on my own server (but haven't fixed it yet):
https://productforums.google.com/forum/#!msg/apps/mIGTQVZiFxo/ULesU7hOo6wJ

The patch is available here:
http://www.memoryhole.net/qmail/#oversize-dns

-- Sam Clippinger

On Aug 20, 2015, at 8:18 AM, Gary Gendel via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

Sam,

I'm convinced. I just spent a day trying to get the qmail package from netbsd-pkgsrc running on OmniOS. There were messed up dependencies and the installation mixed up the qmail users and group permissions royally. It ended up being netqmail which wasn't what I expected. The installation didn't set up the queue properly and it took me hours to work through most of the issues with this package.

Bottom line is that I've decided to remove that package and just take a tarball from my OpenIndiana installation. If I run into problems it will be easier to build replacement binaries from source.

If you provide spamdyke as a smtp proxy I have no objections.

Gary
Re: [spamdyke-users] 5.0.1 - make warning fscanf on Ubuntu 14.04 LTS
They're just warnings that I'm not checking the return value of a call to fscanf(). fscanf() reads data from a file into one or more variables; its return value shows how many variables were assigned. In the case of those lines, I'm using fscanf() to simply skip over any carriage return or newline characters at the end of a line and not assigning anything to any variables. That's why I'm not checking the return value -- I don't care about the actual data, I just want to move forward to the start of the next line. So the warnings are completely harmless.

But I don't like my code to generate warnings, so I'll get it fixed in the next version and add Ubuntu 14.04 to my list of test systems. Thanks for reporting this!

-- Sam Clippinger

On Aug 19, 2015, at 5:42 AM, Arne Metzger via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

Hi,

I am trying to make spamdyke on ubuntu 14.04. Make shows several warnings:

~/spamdyke-5.0.1/spamdyke# ./configure
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for stdint.h... (cached) yes
checking sys/inttypes.h usability... no
checking sys/inttypes.h presence... no
checking for sys/inttypes.h... no
checking for sys/types.h... (cached) yes
checking for stdint.h... (cached) yes
checking for sys/inttypes.h... (cached) no
checking whether time.h and sys/time.h may both be included... yes
checking for int16_t... no
checking for int32_t... no
checking for int64_t... no
checking for uint16_t... no
checking for uint32_t... no
checking for uint64_t... no
checking for dirent.h that defines DIR... yes
checking for library containing opendir... none required
checking for struct dirent.d_type... yes
checking whether DT_WHT is declared... yes
checking whether S_IFWHT is declared... no
checking whether INADDR_LOOPBACK is declared... yes
checking whether to include debugging symbols (for gdb)... no
checking for strip... strip spamdyke
checking whether to include excessive debugging output... no
checking whether to include some debugging output... yes
checking whether to compile with address sanitizer... no
checking whether to include configuration tests... yes
checking if openssl/ssl.h will include without additional include directories... yes
checking for library containing RSA_sign... -lcrypto
checking for library containing SSL_library_init... -lssl
checking for OpenSSL libraries (for TLS support)... yes
checking for library containing inet_aton... none required
checking for library containing bind... none required
checking for library containing inet_ntoa... none required
checking for library containing getopt_long... none required
checking whether anonymous inner functions are supported by default... yes
checking whether struct option is defined in getopt.h... yes
checking whether GCC diagnostic pragma directives are supported... yes
checking whether pid_t is an unsigned int or an unsigned long... unsigned int
checking whether uid_t is an unsigned int or an unsigned long... unsigned int
checking whether gid_t is an unsigned int or an unsigned long... unsigned int
checking whether time_t is an int or a long... long
checking whether int64_ts are supported in a test program... yes
checking whether printf()/scanf() uses %ld for 64-bit integers... yes
checking whether __func__ is available... yes
checking whether socklen_t is available... yes
checking whether RLIMIT_AS is available... yes
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
config.status: config.h is unchanged
~/spamdyke-5.0.1/spamdyke# make
gcc -Wall -O2 -funsigned-char -c spamdyke.c
gcc -E -Wall -O2 -funsigned-char configuration.c | gcc -Wall -O2 -funsigned-char -x c -c -o configuration.o -
gcc -Wall -O2 -funsigned-char -c dns.c
gcc -Wall -O2 -funsigned-char -c environment.c
gcc -Wall -O2 -funsigned-char -c usage.c
gcc -Wall -O2 -funsigned-char -c search_fs.c
search_fs.c: In function 'search_file':
search_fs.c:347:15: warning: ignoring return value of 'fscanf', declared with attribute warn_unused_result [-Wunused-result]
fscanf
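An added example (not spamdyke's code) of the line-terminator skipping Sam describes: the fscanf() form with its result checked, which is what -Wunused-result is asking for, beside a getc()-based line reader that needs no fscanf() at all. The scanset "%*[\r\n]" and the constructed list text are this example's assumptions; spamdyke's own format string is not shown on the page.

```c
#include <stdio.h>
#include <string.h>

/* What Sam describes: a fscanf() whose only job is to consume the CR/LF ending a line.
 * The scanset "%*[\r\n]" is this example's assumption (spamdyke's format string is not
 * on the page). Keeping and checking the result is what silences gcc's -Wunused-result;
 * a (void) cast does not, because glibc marks fscanf() warn_unused_result. */
int skip_eol_fscanf(FILE *fp)
{
    int rc = fscanf(fp, "%*[\r\n]"); /* '*' suppresses assignment: rc is 0 or EOF */
    return rc != EOF;                 /* 1: more data follows, 0: end of file */
}

/* Same job without fscanf(): read one line into buf (terminator dropped), then discard
 * the CR/LF run after it, so CRLF and LF files advance identically; blank lines vanish,
 * as they would with a scanset skip. Returns 1 if a line was read, 0 at end of file. */
int read_line_skip_eol(FILE *fp, char *buf, size_t buflen)
{
    size_t n = 0;
    int c;
    if (buflen == 0)
        return 0;
    while ((c = getc(fp)) == '\r' || c == '\n')
        ;                              /* leading blank lines or leftover terminators */
    if (c == EOF)
        return 0;
    while (c != EOF && c != '\r' && c != '\n') {
        if (n + 1 < buflen)
            buf[n++] = (char)c;        /* overlong lines are truncated, never overflowed */
        c = getc(fp);
    }
    buf[n] = '\0';
    while (c == '\r' || c == '\n')     /* the part fscanf("%*[\r\n]") does */
        c = getc(fp);
    if (c != EOF)
        ungetc(c, fp);                 /* first byte of the next line stays unread */
    return 1;
}

/* Puts constructed text into a temporary file, rewound to the start (NULL on failure). */
static FILE *text_as_file(const char *text)
{
    FILE *fp = tmpfile();
    if (fp != NULL) {
        fputs(text, fp);
        rewind(fp);
    }
    return fp;
}

/* Number of non-blank lines in text as read_line_skip_eol() delivers them. */
int count_lines_in_text(const char *text)
{
    FILE *fp = text_as_file(text);
    char line[256];
    int count = 0;
    if (fp == NULL)
        return -1;
    while (read_line_skip_eol(fp, line, sizeof line))
        count++;
    fclose(fp);
    return count;
}

/* Length of the first line as delivered: for "abc\r\n" that is 3, not fgets()'s 5. */
int first_line_length(const char *text)
{
    FILE *fp = text_as_file(text);
    char line[256];
    int len = -1;
    if (fp == NULL)
        return -1;
    if (read_line_skip_eol(fp, line, sizeof line))
        len = (int)strlen(line);
    fclose(fp);
    return len;
}

/* First char left after skip_eol_fscanf() ran on text: 'X' for "\r\n\nX" and for "X". */
int char_after_fscanf_skip(const char *text)
{
    FILE *fp = text_as_file(text);
    int c;
    if (fp == NULL)
        return -1;
    skip_eol_fscanf(fp);
    c = getc(fp);
    fclose(fp);
    return c;
}

int main(void)
{
    const char *crlf_list = "@spammer.example\r\n@bulk.example\r\n\r\n"; /* constructed */
    printf("entries in CRLF list: %d\n", count_lines_in_text(crlf_list));
    printf("first entry length:   %d\n", first_line_length(crlf_list));
    return 0;
}
```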
Re: [spamdyke-users] Spamdyke auth problems resolved
That's good to know, thanks for posting that info. I'm always amazed to hear people still use Solaris any more... I endured it a few years ago because ZFS was worth the pain, but finally had to abandon it because it was impossible to get security updates without an enterprise contract. spamdyke's next version is nearly ready but I'm still running tests. It fixes the recipient validation code in spamdyke-qrv when vpopmail is being used, which has increased the number of test scripts to 4-6 million (from about 200K-300K). So it's taking a lot longer to test (about 2 weeks straight on 20 EC2 instances). They say familiarity breeds contempt, and lately I've become very familiar with vpopmail's code, so it's very hard to regard it with anything but contempt. I'll write up a complete rant about it later; for now I'll just say I will never install it on a new server again and I'm giving serious thought to deleting it from my current server. If anyone out there has vpopmail running on a server where users can edit their own .qmail files inside their mail folders, be very very afraid. Crashes and fork bombs are easy to do and cooking up a denial of service attack would probably be simple. I haven't been looking for exploitable holes, but I'm positive they're in there. Anyway, sadly spamdyke's next version doesn't include any earth-shattering features but it does add one small thing -- the ability to block authorization attempts unless SSL/TLS is active. IPv6 is certainly on my radar, but frankly I'm far more interested in adding a real proxy mode to spamdyke so it will work with other mail servers beyond qmail. Qmail has become an anachronism and I'm convinced it's time to let it go. If spamdyke can forward connections from port 25 to port X while doing all the filtering it does now, it should work nicely with just about any other mail server. 
-- Sam Clippinger

On Aug 18, 2015, at 12:03 PM, Gary Gendel via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

I use port 22 for non-auth mail and 587 for TLS with auth mail. On 587 I ended up using postfix because I could never get spamdyke working. It always failed valid authorizations. I was putting together a new server and I decided to take another look.

The problem ended up in the checkpassword-pam module on Illumos (Solaris). Illumos (and possibly other Unix derivatives) require that pam has PAM_TTY set before starting a session. The checkpassword-pam module doesn't do this. I posted a bug report but my solution was to add the following code just before opening the pam session (in pam-support.c).

retval = pam_set_item(pamh, PAM_TTY, "/dev/null");
if (retval != PAM_SUCCESS) {
    fatal("Setting PAM_TTY failed: %s", pam_strerror(pamh, retval));
    return 1;
}

I just thought I'd send this information along in case anyone else was having issues with spamdyke authorization.

Sam,

How's the next gen version coming? Will it support IPv6?

Gary
Re: [spamdyke-users] sorry, that domain isn't in my list of allowed rcpthosts
I agree. qmail is rejecting your recipient address because it's not a local address and you don't have permission to relay. If you authenticate first, qmail should accept the message. -- Sam Clippinger On Aug 9, 2015, at 11:42 AM, Galatis via spamdyke-users spamdyke-users@spamdyke.org wrote: Hi, you're not trying to send local mail but remote mail. Or do you expect the yoursite.com server to handle hotmail.com? Andreas. Whoever finds spelling mistakes may keep them. Original message From: turgut kalfaoğlu via spamdyke-users spamdyke-users@spamdyke.org Date: 08.08.2015 9:19 AM (GMT+01:00) To: spamdyke-users@spamdyke.org Subject: [spamdyke-users] sorry, that domain isn't in my list of allowed rcpthosts Hello. On my new PLESK 12 server I'm having no luck either with qmail or spamdyke accepting local mail. Basically TELNET to port 25, or 587, and when I paste something like:
    220 pluto.kalfaoglu.net ESMTP
    HELO mail.kalfaoglu.net
    MAIL FROM: x...@kalfaoglu.net
    RCPT TO: a...@hotmail.com
    DATA
    From: x...@kalfaoglu.net
    To: a...@hotmail.com
    Data: 2/2/2016
    Subject: hi..
    bla blabla.
    250 pluto.kalfaoglu.net
    250 ok
    553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
/var/qmail/control/me contains pluto.kalfaoglu.net rcpthosts contains pluto.kalfaoglu.net , and kalfaoglu.net virtualdomains contains entries like (which I added manually to see if they help):
    pluto.kalfaoglu.net:pluto.kalfaoglu.net
    kalfaoglu.net:kalfaoglu.net
    kalfaoglu.com:kalfaoglu.com
hostname is pluto.kalfaoglu.com -- tested.
hosts file contains:
    127.0.0.1 localhost
    176.9.64.42 pluto.kalfaoglu.net pluto
    #
    # IPv6
    ::1 ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    ff02::3 ip6-allhosts
    #2a01:4f8:150:822f::2 pluto.kalfaoglu.net pluto
Finally /etc/xinetd.d/smtp_psa looks like:
    service smtp
    {
        socket_type = stream
        protocol    = tcp
        wait        = no
        disable     = no
        user        = root
        flags       = IPv6
        per_source  = 4
        cps         = 20 5
        instances   = 50
        env         = SMTPAUTH=1 POPAUTH=1 SHORTNAMES=1
        server      = /var/qmail/bin/tcp-env
        server_args = -Rt0 /usr/local/bin/spamdyke -f /etc/spamdyke.conf /var/qmail/bin/relaylock /usr/sbin/rblsmtpd -r bl.spamcop.net /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
    }
And it still won't work.. What else can I try? I'm at my wits end.. Many thanks, -turgut
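The relay decision behind that 553 reply, as an added example that is not code from qmail, spamdyke or anyone in the thread: qmail-smtpd accepts any recipient when RELAYCLIENT is in its environment (set by tcpserver/xinetd access rules, or by an SMTP AUTH patch after a successful login, which is why Sam says authenticating first should work) and appends RELAYCLIENT to the address; otherwise the recipient's domain must be in control/rcpthosts, where a leading dot matches subdomains. The rcpthosts content below is constructed for the example and is not turgut's file.

```python
"""Model of qmail-smtpd's RCPT TO relay check (added example, not qmail code)."""

# Constructed stand-in for /var/qmail/control/rcpthosts.  The dot entry
# covers every subdomain of kalfaoglu.com but not kalfaoglu.com itself,
# which needs its own line.
RCPTHOSTS = """\
pluto.kalfaoglu.net
kalfaoglu.net
.kalfaoglu.com
"""

REJECT_RELAY = "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"


def parse_rcpthosts(text):
    """One host per line; qmail compares host names case-insensitively."""
    return [line.strip().lower() for line in text.splitlines() if line.strip()]


def domain_allowed(domain, entries):
    """rcpthosts match: the exact host, or any suffix of it that starts at a
    dot (for mail.example.com: ".example.com", then ".com")."""
    domain = domain.lower()
    if domain in entries:
        return True
    labels = domain.split(".")
    for i in range(1, len(labels)):
        if "." + ".".join(labels[i:]) in entries:
            return True
    return False


def rcpt_to(recipient, entries, environ):
    """Reply to RCPT TO:<recipient> and the address that gets queued.
    entries=None models a missing rcpthosts file, which qmail treats as
    'accept every domain', i.e. an open relay."""
    recipient = recipient.strip().strip("<>")
    if "RELAYCLIENT" in environ:
        # relaying permitted for this connection; RELAYCLIENT is usually ""
        return "250 ok", recipient + environ["RELAYCLIENT"]
    if entries is None or "@" not in recipient:
        # no rcpthosts file at all, or a bare local part: accepted
        return "250 ok", recipient
    domain = recipient.rsplit("@", 1)[1]
    if domain_allowed(domain, entries):
        return "250 ok", recipient
    return REJECT_RELAY, None


if __name__ == "__main__":
    entries = parse_rcpthosts(RCPTHOSTS)
    for rcpt in ("<x@kalfaoglu.net>", "<a@hotmail.com>"):
        print(rcpt, "->", rcpt_to(rcpt, entries, {})[0])
    print("<a@hotmail.com> with RELAYCLIENT ->",
          rcpt_to("<a@hotmail.com>", entries, {"RELAYCLIENT": ""})[0])
```

The two cases worth checking on a real server are the last two in the demo: a recipient at hotmail.com must get the 553 when RELAYCLIENT is absent, and a missing rcpthosts file must never be mistaken for a configuration that "works".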
Re: [spamdyke-users] Whitelist an IP for the DENIED_RDNS_MISSING error?
Actually, spamdyke is correct -- that IP does not have a valid reverse DNS name. When I look up 10.221.34.64.in-addr.arpa, no PTR records are returned, only one CNAME record: mail.lassosoft.com. Queries for mail.lassosoft.com also return no PTR records, only A records. This setup is not valid; the best way to fix it would be to change the record for 10.221.34.64.in-addr.arpa from a CNAME to a PTR with the same value. I'm guessing whoever created the existing record didn't really understand how rDNS works and created a record that seemed close enough. But to answer your question, yes! It is possible to turn off the rDNS filters for just that one IP. The feature you need is a configuration directory. Create a folder structure on the server like this: /some/path/_ip_/64/34/221 Then create a file in the deepest folder named 10: /some/path/_ip_/64/34/221/10 In that file, add the lines to turn off the rDNS filters: reject-empty-rdns=0 reject-unresolvable-rdns=0 Last, add a line to your main spamdyke config file to use the configuration directory: config-dir=/some/path That should do it! Full documentation of the configuration directory feature is here: http://spamdyke.org/documentation/README.html#CONFIGURATION_DIR -- Sam Clippinger On Aug 5, 2015, at 7:16 PM, Quinn Comendant via spamdyke-users spamdyke-users@spamdyke.org wrote: We're experiencing blocked email due to a DENIED_RDNS_MISSING error, although the domain PTR records do resolve: $ dig -x 64.34.221.10 +short mail.lassosoft.com. Error: 2015-08-05 18:56:56.452648500 spamdyke[5681]: DENIED_RDNS_MISSING from: donotre...@lassosoft.com to: u...@example.com origin_ip: 64.34.221.10 origin_rdns: (unknown) auth: (unknown) encryption: TLS reason: (empty) I've seen the recent thread on this where Sam explains that it could be DNS issues (https://www.mail-archive.com/spamdyke-users@spamdyke.org/msg02009.html). My question is, can we whitelist an IP for the DENIED_RDNS_MISSING error? 
Quinn
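Why `dig -x` prints a name although spamdyke (correctly) sees no reverse DNS, as an added example that is not spamdyke's code: the two in-memory zones below are constructed to mirror Sam's description (the in-addr.arpa name is a CNAME to mail.lassosoft.com, which only has A records) and his suggested fix (a PTR at the in-addr.arpa name). The override path follows the config-dir layout in his reply.

```python
"""Valid versus CNAME-only reverse DNS, modelled on an in-memory zone
(added example, not spamdyke code)."""
import ipaddress

# Constructed zone data: owner name -> [(type, rdata), ...]
BROKEN_ZONE = {
    "10.221.34.64.in-addr.arpa.": [("CNAME", "mail.lassosoft.com.")],
    "mail.lassosoft.com.": [("A", "64.34.221.10")],
}
FIXED_ZONE = {
    "10.221.34.64.in-addr.arpa.": [("PTR", "mail.lassosoft.com.")],
    "mail.lassosoft.com.": [("A", "64.34.221.10")],
}

# Lines for the per-IP override file, as given in the reply above
OVERRIDE_CONTENT = "reject-empty-rdns=0\nreject-unresolvable-rdns=0\n"


def reverse_name(ip):
    """64.34.221.10 -> 10.221.34.64.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def resolve(zone, name, rtype, max_chain=8):
    """rdata of type rtype at name, following CNAMEs the way a resolver does."""
    for _ in range(max_chain):
        rrs = zone.get(name, [])
        found = [rd for t, rd in rrs if t == rtype]
        if found:
            return found
        cname = [rd for t, rd in rrs if t == "CNAME"]
        if not cname:
            return []
        name = cname[0]
    return []


def dig_x_short(zone, ip):
    """What `dig -x ip +short` prints: every rdata in the answer section.
    A CNAME target is printed too, so this output alone does not prove a PTR exists."""
    name, out = reverse_name(ip), []
    for _ in range(8):
        rrs = zone.get(name, [])
        cname = [rd for t, rd in rrs if t == "CNAME"]
        out += cname + [rd for t, rd in rrs if t == "PTR"]
        if not cname:
            break
        name = cname[0]
    return out


def rdns_name(zone, ip):
    """The PTR name a reverse-DNS filter needs, or None when there is none."""
    ptr = resolve(zone, reverse_name(ip), "PTR")
    return ptr[0] if ptr else None


def rdns_forward_confirmed(zone, ip):
    """Stronger check: the PTR name must resolve back to the same address."""
    name = rdns_name(zone, ip)
    return name is not None and ip in resolve(zone, name, "A")


def override_path(config_dir, ip):
    """Per-IP override file under config-dir, e.g. /some/path/_ip_/64/34/221/10"""
    return "/".join([config_dir, "_ip_"] + ip.split("."))


if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        print(label, dig_x_short(zone, "64.34.221.10"), rdns_name(zone, "64.34.221.10"))
    print(override_path("/some/path", "64.34.221.10"))
```

Both zones give the same `+short` output, which is the trap. Against the real DNS, `dig +noall +answer PTR 10.221.34.64.in-addr.arpa` shows the answer section with record types, so a CNAME line with no PTR line is immediately visible.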
Re: [spamdyke-users] can spamdyke reject emails with improper from and to fields?
spamdyke should already be blocking messages to recipients with no domain name -- that particular feature is not configurable. But it doesn't check the To line in the message headers by default. You should be able to block them using the header blacklist filter, something like this: To: *@ As for why the header blacklist filter isn't working for you, it's hard to say without more information. Could you post your configuration file? Have you tried running the config-test feature to look for errors in your configuration? If you could capture a full log (full-log-dir) from one of the connections that should be blocked, it would show exactly what spamdyke is doing (or not doing) at every step. -- Sam Clippinger On Jun 27, 2015, at 11:55 AM, Shane Bywater via spamdyke-users spamdyke-users@spamdyke.org wrote: -- Message: 1 Date: Wed, 24 Jun 2015 15:40:10 + From: Shane Bywater sh...@apexia.ca To: spamdyke-users@spamdyke.org spamdyke-users@spamdyke.org Subject: [spamdyke-users] can spamdyke reject emails with improper from andto fields? Message-ID: c2615c1606841d429fe282c972131c7b31f1e...@s11maild020n2.sh11.lan Content-Type: text/plain; charset=us-ascii Hi, Does anyone know if spamdyke can reject an email if it contains improper from and to fields (for example no from address)? I get hundreds of entries daily in the maillog file as shown below and would rather qmail not even try to send a bounce message to such emails. Jun 24 11:31:15 qmail-queue-handlers[20290]: Handlers Filter before-queue for qmail started ... 
Jun 24 11:31:15 qmail-queue-handlers[20290]: from= Jun 24 11:31:15 qmail-queue-handlers[20290]: to=%from_email Jun 24 11:31:15 qmail-queue-handlers[20290]: Unable to get sender domain by sender mailname Jun 24 11:31:15 qmail-queue-handlers[20290]: Unable to get sender domain by sender mailname Jun 24 11:31:15 qmail-queue-handlers[20290]: Unable to get sender domain by sender mailname Jun 24 11:31:15 qmail-queue-handlers[20290]: Unable to get sender domain by sender mailname Jun 24 11:31:15 qmail-queue-handlers[20290]: Incorrect recipient mailname : %from_email Jun 24 11:31:15 qmail: 1435159875.553019 warning: trouble injecting bounce message, will try later Note: I'm using spamdyke 5.0.1 on a Plesk 10.4 CentOS 6 server. BTW thanks to Sam for continuing to develop and improve spamdyke. Regards, Shane Bywater -- Message: 2 Date: Wed, 24 Jun 2015 11:24:47 -0500 From: Sam Clippinger s...@silence.org To: spamdyke users spamdyke-users@spamdyke.org Subject: Re: [spamdyke-users] can spamdyke reject emails with improper fromand to fields? Message-ID: b47b331a-febc-4a20-9b7a-af7c99945...@silence.org Content-Type: text/plain; charset=us-ascii It can do this in a limited fashion right now. If the improper To field is always To: %from_email (or something from a known set of bad values), you could use the header blacklist filter to block it. But at present, there's no way to block a message with a missing header line. -- Sam Clippinger Hi, Is there a way to use spamdyke (header blacklist?) to block emails with no domain in the email address (ie. tksofxpwfhc@). Also, it doesn't seem like the header-blacklist file is even being used by Spamdyke as I have setup my /var/spamdyke/header-blacklist-file to contain Subject: hhh (minus the quotes) and when I send myself an email from an external email address with such the subject line containing hhh it passes through without Spamdyke blocking it. 
In my spamdyke.conf file I have header-blacklist-file=/var/spamdyke/header-blacklist-file and it has the same permissions as the other spamdyke files in such a directory. I also tried entering header-blacklist-entry=Subject: hhh in my spamdyke.conf file but that email was allowed through as well. My sending email address is not whitelisted and there are no spamdyke messages appearing in the maillog file. What could I be doing wrong? Regards, Shane Bywater
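How a header blacklist entry such as "To: *@" is applied to a message's header block, as an added example that is not spamdyke's code. Assumptions, since the README is authoritative on spamdyke's wildcard rules: patterns use shell-style `*` and `?`, are matched case-insensitively against the whole unfolded header line, and the matching happens after the header block has been unfolded. Both sample messages are constructed; the second one carries a folded Subject line and the `To: %from_email` value from Shane's log.

```python
"""Glob-style header blacklist matching over a parsed header block
(added example, not spamdyke code)."""
import fnmatch

# Constructed messages
MSG_NO_DOMAIN = (
    "Received: from mail.example.net by mx.example.org\r\n"
    "From: \r\n"
    "To: tksofxpwfhc@\r\n"
    "Subject: hello\r\n"
    "\r\n"
    "body\r\n"
)
MSG_FROM_EMAIL = (
    "Received: from mail.example.net by mx.example.org\r\n"
    "From: sender@example.net\r\n"
    "To: %from_email\r\n"
    "Subject: hhh\r\n"
    " test\r\n"            # RFC 5322 folding: continuation starts with whitespace
    "\r\n"
    "body\r\n"
)

# Entries in the style of Sam's suggestions above
PATTERNS = ["To: *@", "To: %from_email", "Subject: *hhh*"]


def header_lines(raw):
    """Split the header block into logical (unfolded) header lines."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()   # join a folded continuation
        else:
            lines.append(line)
    return lines


def header_blacklisted(raw, patterns):
    """First (pattern, header line) pair that matches, or None.
    fnmatchcase on lower-cased text gives case-insensitive * and ? matching."""
    for line in header_lines(raw):
        for pat in patterns:
            if fnmatch.fnmatchcase(line.lower(), pat.lower()):
                return pat, line
    return None


if __name__ == "__main__":
    for name, msg in (("no-domain", MSG_NO_DOMAIN), ("from_email", MSG_FROM_EMAIL)):
        print(name, "->", header_blacklisted(msg, PATTERNS))
    print("literal 'Subject: hhh' ->", header_blacklisted(MSG_FROM_EMAIL, ["Subject: hhh"]))
```

One thing the demo makes visible: under these semantics a pattern without wildcards only matches a header line that is exactly equal to it, so "Subject: hhh" leaves "Subject: hhh test" alone while "Subject: *hhh*" catches it. Whether spamdyke behaves the same way is a question for its README or a full-log-dir capture, as Sam suggests.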
Re: [spamdyke-users] can spamdyke reject emails with improper from and to fields?
It can do this in a limited fashion right now. If the improper To field is always To: %from_email (or something from a known set of bad values), you could use the header blacklist filter to block it. But at present, there's no way to block a message with a missing header line. -- Sam Clippinger On Jun 24, 2015, at 10:40 AM, Shane Bywater via spamdyke-users spamdyke-users@spamdyke.org wrote: Hi, Does anyone know if spamdyke can reject an email if it contains improper from and to fields (for example no from address)? I get hundreds of entries daily in the maillog file as shown below and would rather qmail not even try to send a bounce message to such emails. Jun 24 11:31:15 qmail-queue-handlers[20290]: Handlers Filter before-queue for qmail started ... Jun 24 11:31:15 qmail-queue-handlers[20290]: from= Jun 24 11:31:15 qmail-queue-handlers[20290]: to=%from_email Jun 24 11:31:15 qmail-queue-handlers[20290]: Unable to get sender domain by sender mailname Jun 24 11:31:15 qmail-queue-handlers[20290]: Unable to get sender domain by sender mailname Jun 24 11:31:15 qmail-queue-handlers[20290]: Unable to get sender domain by sender mailname Jun 24 11:31:15 qmail-queue-handlers[20290]: Unable to get sender domain by sender mailname Jun 24 11:31:15 qmail-queue-handlers[20290]: Incorrect recipient mailname : %from_email Jun 24 11:31:15 qmail: 1435159875.553019 warning: trouble injecting bounce message, will try later Note: I'm using spamdyke 5.0.1 on a Plesk 10.4 CentOS 6 server. BTW thanks to Sam for continuing to develop and improve spamdyke. Regards, Shane Bywater ___ spamdyke-users mailing list spamdyke-users@spamdyke.org http://www.spamdyke.org/mailman/listinfo/spamdyke-users ___ spamdyke-users mailing list spamdyke-users@spamdyke.org http://www.spamdyke.org/mailman/listinfo/spamdyke-users
Re: [spamdyke-users] Help me to understand 503 MAIL first
This is correct, with one small addition -- the MAIL first message is not coming from spamdyke. That message is being generated by qmail, which is why spamdyke logs it with DENIED_OTHER. If you want to figure out exactly what's going on, you could turn on spamdyke's full logging to capture the entire session. It will generate a log file for every connection, so you'll have to search to find the one you want, but it'll show every byte that goes through and exactly what spamdyke does with it (along with plenty of other debugging data). There is a remote possibility this sender's software is sending the MAIL FROM command in a way spamdyke can't parse, causing it to eat the input and never send it to qmail, but the full log would show it either way. The option to enable that feature is full-log-dir. -- Sam Clippinger On Jun 22, 2015, at 11:32 AM, Angus McIntyre via spamdyke-users spamdyke-users@spamdyke.org wrote: On 2015-06-22 11:55, Alessio Cecchi via spamdyke-users wrote: one sender (and only this one) is unable to send email to my users, this is the error in spamdyke log: Jun 22 05:47:37 mx01 spamdyke[1066]: DENIED_OTHER from: i...@domain.net to: j...@domain.com origin_ip: 98.18.75.3 origin_rdns: static-98-18-75-3.optusnet.com.au auth: (unknown) encryption: TLS reason: 503_MAIL_first_(#5.5.1) The sender said that is unable to send email only to me so the problem is mine ... How can I solve this problem or how can I demonstrate that is a sender problem? My understanding is that 503 MAIL first occurs when the other side is using badly implemented software that sends SMTP commands out of order. Normally, the SMTP transaction should go something like (with Spamdyke's responses indented for clarity):
    HELO bar.com
        220 baz.com
    MAIL FROM: u...@bar.com
        250 OK
    RCPT TO: u...@baz.com
        250 OK
and so on.
If the other side starts with:
    RCPT TO: u...@baz.com
Then Spamdyke will respond:
    503 MAIL first (#5.5.1)
In other words, Spamdyke is saying "You should have sent the command MAIL first." I believe that this is what's happening in your case. From my reading of: https://tools.ietf.org/html/rfc821#page-37 Spamdyke is actually right to do this. A client that leads off with an out-of-order command is not following the SMTP protocol. Because SMTP is a stateful protocol, sending out-of-order commands could lead an MTA to end up in an inconsistent state, and mail could be lost. I don't know exactly what the other user's client is sending, but from my experimentation it looks most likely that it's sending RCPT before anything else. If it sent another command, such as DATA, or an unrecognized command such as QUUX, Spamdyke would give a different error. Because this is a fairly fundamental error on the part of the remote client, I would not expect it to be possible to configure Spamdyke to handle this case. Obviously, if he's able to deliver mail to other destinations, then other MTAs must be more forgiving. Nevertheless, it looks to me as if Spamdyke is following RFC821, and his software is not. Sam Clippinger can probably confirm whether or not this is the case, and whether there's anything you can do about it. But it looks to me as if the other guy's software is broken, and it's his problem, not yours. Angus
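The command ordering that produces these replies, as an added example that is not qmail's or spamdyke's code: a minimal model of the envelope state qmail-smtpd tracks (whether MAIL has been seen and whether any RCPT has been accepted), with the reply strings qmail-smtpd uses (503 MAIL first, 503 RCPT first, 502 unimplemented, all carrying #5.5.1). Two points the model makes concrete: qmail-smtpd does not insist on HELO before MAIL, and a HELO/EHLO resets the envelope. Relay and syntax checks on the addresses are out of scope here. The transcripts are constructed.

```python
"""Model of qmail-smtpd command-order enforcement (added example, not qmail code)."""


class SmtpSession:
    def __init__(self, hostname="baz.com"):
        self.hostname = hostname
        self.seen_mail = False     # qmail-smtpd's seenmail flag
        self.rcpts = []            # accepted RCPT TO addresses
        self.greeting = f"220 {hostname} ESMTP"

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.seen_mail, self.rcpts = False, []   # envelope starts over
            return f"250 {self.hostname}"
        if verb == "MAIL":
            self.seen_mail, self.rcpts = True, []
            return "250 ok"
        if verb == "RCPT":
            if not self.seen_mail:
                return "503 MAIL first (#5.5.1)"
            self.rcpts.append(arg)
            return "250 ok"
        if verb == "DATA":
            if not self.seen_mail:
                return "503 MAIL first (#5.5.1)"
            if not self.rcpts:
                return "503 RCPT first (#5.5.1)"
            return "354 go ahead"
        if verb == "RSET":
            self.seen_mail, self.rcpts = False, []
            return "250 flushed"
        if verb == "QUIT":
            return f"221 {self.hostname}"
        return "502 unimplemented (#5.5.1)"


def run(commands, hostname="baz.com"):
    """Feed a client's commands in order; return [(command, reply), ...]."""
    session = SmtpSession(hostname)
    return [(cmd, session.handle(cmd)) for cmd in commands]


def log_reason(reply):
    """spamdyke's 'reason:' field carries the server reply with spaces
    turned into underscores, e.g. reason: 503_MAIL_first_(#5.5.1)."""
    return reply.replace(" ", "_")


if __name__ == "__main__":
    for cmd, reply in run(["RCPT TO:<user@baz.com>", "DATA", "QUUX"]):
        print(f"{cmd:28s} -> {reply}   ({log_reason(reply)})")
```

Reading a full-log-dir capture against this table is usually enough to tell a client that skipped MAIL (503 MAIL first) from one whose MAIL line was mangled in transit or unparseable (the log shows the bytes, and the 503 then follows a MAIL line that was never answered with 250 ok).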
Re: [spamdyke-users] recipient-blacklist-file=FILE with RegExes?
Regex support is on the (rather lengthy) to-do list, but frankly it's not a very high priority -- there's a lot of low-hanging fruit that would be of much more benefit right now. Plus, since I'm not one of the 10 people in the world who completely understands regexes, I doubt I would actually use them myself; I'd rather add globbing support, which I do understand. :) spamdyke's header filter runs at connection time, as all of its filters do. If a header line matches a blacklisted pattern, the entire message is rejected (the sending server receives an error code, qmail never sees the message). -- Sam Clippinger On Jun 19, 2015, at 9:09 PM, Philip Rhoades via spamdyke-users spamdyke-users@spamdyke.org wrote: Sam, See inline comments: On 2015-06-20 11:53, Sam Clippinger via spamdyke-users wrote: You're correct spamdyke does not support regexes for any of its options, but you can use a wildcard in a sender or recipient white/blacklist file to match entire domains by prefixing the line with an @ symbol. For example: @example.com [1] Yep, saw that - is it possible to support regexes in the future? Full documentation here: http://www.spamdyke.org/documentation/README.html#REJECTING_RECIPIENTS [2] BUT! Be careful -- the To and From lines in the message header are not the same as the sender and recipient. The sender and recipient are part of SMTP, the To and From lines are part of the message data and are completely unrelated. Think of it this way: when a letter is sent through the post office, the name on the outside of the envelope tells the postman which mailbox gets the envelope (or where to send it back to) but top of the letter inside may have a completely unrelated letterhead and salutation. Whenever spamdyke's options/documentation refer to a sender or a recipient, it means the name on the outside of the envelope. The user never sees those values in their mail client unless the sender chooses to use those values in the To and From fields. 
Spammers typically fake all sender/recipient/To/From fields, but other software does too for perfectly legitimate reasons (e.g. mailing lists, autoresponders). Right. If you want to block based on the To and From lines the user sees in their mail client, you should look at spamdyke's header blacklist filter: http://www.spamdyke.org/documentation/README.html#HEADERS [3] In that case the mail has already been accepted? When I was using the qmail-qfilter+Ruby script method - my understanding of it at least - was that my Ruby script could process the header and body of the email and exit with a particular error code if the mail was bad and this would terminate the SMTP negotiation with that error message (eg drop the mail silently). So in this case I was able to look at all the header fields as well as the mail body and do whatever I wanted before accepting the mail. Header filtering doesn't support regexes either, but it does use globbing to allow more wildcard options. Right. Thanks, Phil. On Jun 19, 2015, at 7:47 PM, Philip Rhoades via spamdyke-users spamdyke-users@spamdyke.org wrote: People, As well as using GreyLite I have done my own thing for many years with qmail-qfilter and a Ruby script (it started off as a Ruby learning exercise . . ) - anyway for my white and black lists I was able to have in the plain text files things like: ad...@phillipsfinancial.com.au administrator@(booksjournals.com(|.au)|(prix.|)pricom.com.au|qps.com.au) adwords-noreply america.com ecolife where if any of those particular regexes appeared in the To: or From: or whatever, they could be allowed or blocked or whatever - I am guessing that eg the recipient-blacklist-file=FILE only allows for full email addresses? Thanks, Phil. 
-- Philip Rhoades PO Box 896 Cowra NSW 2794 Australia E-mail: p...@pricom.com.au
Links:
[1] http://example.com
[2] http://www.spamdyke.org/documentation/README.html#REJECTING_RECIPIENTS
[3] http://www.spamdyke.org/documentation/README.html#HEADERS
-- Philip Rhoades PO Box 896 Cowra NSW 2794 Australia E-mail: p...@pricom.com.au
Re: [spamdyke-users] Softlimit messages
IMHO, everyone should delete the softlimit program from their servers immediately. Not that I have a strong opinion on the matter or anything. :) The softlimit program seems like a good idea -- set an upper limit on the amount of RAM a program can use, to guard against memory leaks (but not buffer overflows). In practice, however, it causes far, far more problems than it solves. When a program hits the limit, it always happens inside a library function and not the application itself. So the user sees strange errors from glibc or OpenSSL functions that are never related to memory allocation. Those errors always look like real bugs, because there's never any indication the limit was hit. There's also no way to even estimate how much memory is correct. Does anyone really understand how many libraries a program loads and how much memory they need? spamdyke uses OpenSSL and on some systems, separate libraries for math and DNS functions. Unpatched qmail doesn't use many libraries, but if patches have been applied to allow TLS or authentication, it may use many (who uses unpatched qmail anyway?). If vpopmail is in use, it may need MySQL, depending on how it was compiled. If the server is configured to use stack guarding or memory profiling, the virtual memory use could be astronomical. Every guide I've ever read says to use trial-and-error to find the lowest value that appears to work, then double (or triple) it. Crazy! I've spent way, way too much time trying to track down bugs that were caused by softlimit and I finally reached my own limit this year. That's why spamdyke 5.0.1 examines the limits it starts with and, if it can, resets them. It can't undo hard limits set by the ulimit program, but it can (and does) undo softlimit. -- Sam Clippinger On Jun 20, 2015, at 2:05 PM, Philip Rhoades via spamdyke-users spamdyke-users@spamdyke.org wrote: People, I played around with the logging verbosity and found if I used debug mode I saw suggestions (commands!?)
in the log about removing the softlimit function from the start script for qmail-smtpd - while I was trying to sort out the last bug that was preventing eQmail from working, I did actually do that - is the softlimit function even necessary these days on a lightly loaded server with 8GB RAM? Thanks, Phil. -- Philip Rhoades PO Box 896 Cowra NSW 2794 Australia E-mail: p...@pricom.com.au
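Why spamdyke can undo softlimit but not a ulimit hard limit, shown in working code as an added example (not spamdyke's own implementation): daemontools' softlimit lowers only the soft limit (rlim_cur) of a resource and leaves the hard limit (rlim_max) alone, and an unprivileged process may raise its soft limit back up to the hard one at any time. The script inspects what the current process inherited, reproduces what `softlimit -a` does, and reverses it. It uses the Linux resource names; RLIMIT_AS and RLIMIT_DATA are what softlimit's -a, -d and -m set.

```python
"""Inspect and undo soft resource limits (added example, not spamdyke code)."""
import resource

# Resources that softlimit -a / -d / -m touch (softlimit -s would be RLIMIT_STACK)
LIMITS = {
    "RLIMIT_AS": resource.RLIMIT_AS,
    "RLIMIT_DATA": resource.RLIMIT_DATA,
}


def describe(value):
    if value == resource.RLIM_INFINITY:
        return "unlimited"
    return "%d MiB" % (value // (1024 * 1024))


def current_limits():
    """{name: (soft, hard)} as inherited by this process."""
    return {name: resource.getrlimit(res) for name, res in LIMITS.items()}


def apply_softlimit(bytes_limit, res=resource.RLIMIT_AS):
    """What `softlimit -a bytes` does: lower the soft limit, never the hard one.
    Returns the resulting (soft, hard)."""
    _, hard = resource.getrlimit(res)
    soft = bytes_limit if hard == resource.RLIM_INFINITY else min(bytes_limit, hard)
    resource.setrlimit(res, (soft, hard))
    return resource.getrlimit(res)


def undo_softlimit():
    """Raise each soft limit to its hard limit, which needs no privilege.
    Returns {name: (old_soft, new_soft)} for every limit that changed.
    A hard limit lowered with `ulimit -H` stays where it is."""
    changed = {}
    for name, res in LIMITS.items():
        soft, hard = resource.getrlimit(res)
        if soft != hard:
            resource.setrlimit(res, (hard, hard))
            changed[name] = (soft, hard)
    return changed


def restore_limits(saved):
    """Put limits back to a snapshot taken with current_limits()."""
    for name, limits in saved.items():
        resource.setrlimit(LIMITS[name], limits)


if __name__ == "__main__":
    for name, (soft, hard) in current_limits().items():
        print(f"{name}: soft={describe(soft)} hard={describe(hard)}")
    print("undone:", undo_softlimit())
```

Run under the same supervise/run script as qmail-smtpd (before the softlimit line is removed), the first loop prints exactly the limit a wrapped spamdyke or qmail-smtpd would hit, which is the number to compare against the allocation sizes in any "strange" OpenSSL or glibc error you are chasing.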
Re: [spamdyke-users] recipient-blacklist-file=FILE with RegExes?
You're correct spamdyke does not support regexes for any of its options, but you can use a wildcard in a sender or recipient white/blacklist file to match entire domains by prefixing the line with an @ symbol. For example: @example.com Full documentation here: http://www.spamdyke.org/documentation/README.html#REJECTING_RECIPIENTS BUT! Be careful -- the To and From lines in the message header are not the same as the sender and recipient. The sender and recipient are part of SMTP, the To and From lines are part of the message data and are completely unrelated. Think of it this way: when a letter is sent through the post office, the name on the outside of the envelope tells the postman which mailbox gets the envelope (or where to send it back to) but top of the letter inside may have a completely unrelated letterhead and salutation. Whenever spamdyke's options/documentation refer to a sender or a recipient, it means the name on the outside of the envelope. The user never sees those values in their mail client unless the sender chooses to use those values in the To and From fields. Spammers typically fake all sender/recipient/To/From fields, but other software does too for perfectly legitimate reasons (e.g. mailing lists, autoresponders). If you want to block based on the To and From lines the user sees in their mail client, you should look at spamdyke's header blacklist filter: http://www.spamdyke.org/documentation/README.html#HEADERS Header filtering doesn't support regexes either, but it does use globbing to allow more wildcard options. -- Sam Clippinger On Jun 19, 2015, at 7:47 PM, Philip Rhoades via spamdyke-users spamdyke-users@spamdyke.org wrote: People, As well as using GreyLite I have done my own thing for many years with qmail-qfilter and a Ruby script (it started off as a Ruby learning exercise . . 
) - anyway for my white and black lists I was able to have in the plain text files things like:
    ad...@phillipsfinancial.com.au
    administrator@(booksjournals.com(|.au)|(prix.|)pricom.com.au|qps.com.au)
    adwords-noreply
    america.com
    ecolife
where if any of those particular regexes appeared in the To: or From: or whatever, they could be allowed or blocked or whatever - I am guessing that eg the recipient-blacklist-file=FILE only allows for full email addresses? Thanks, Phil. -- Philip Rhoades PO Box 896 Cowra NSW 2794 Australia E-mail: p...@pricom.com.au
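The two list-entry forms Sam describes, and the envelope-versus-header distinction he warns about, as an added example that is not spamdyke's code (it serves this thread and the follow-up above). Entries are either a complete address or @domain for a whole domain; case-insensitive comparison and exact-domain matching for @domain entries are assumptions, the README being authoritative. The alternation from Philip's Ruby list is expanded by hand into flat entries, and the envelope data is constructed.

```python
"""Sender/recipient list matching on the SMTP envelope (added example, not spamdyke code)."""

# administrator@(booksjournals.com(|.au)|(prix.|)pricom.com.au|qps.com.au)
# enumerated, plus "america.com" expressed as a whole-domain entry.  Substring
# rules such as "adwords-noreply" or "ecolife" have no envelope-list equivalent.
RECIPIENT_BLACKLIST = """\
administrator@booksjournals.com
administrator@booksjournals.com.au
administrator@prix.pricom.com.au
administrator@pricom.com.au
administrator@qps.com.au
@america.com
"""


def load_entries(text):
    return [line.strip().lower() for line in text.splitlines() if line.strip()]


def matching_entry(address, entries):
    """Return the list entry that covers address, or None."""
    addr = address.strip().strip("<>").lower()
    domain = addr.rsplit("@", 1)[1] if "@" in addr else None
    for entry in entries:
        if entry.startswith("@"):
            if domain == entry[1:]:      # whole-domain entry
                return entry
        elif addr == entry:              # complete-address entry
            return entry
    return None


# Constructed delivery: the envelope (what sender/recipient options see)
# next to the header lines the user's mail client shows.
MESSAGE = {
    "mail_from": "bounce-4711@mailer.example.net",
    "rcpt_to": "Administrator@Prix.Pricom.com.au",
    "header_from": "Friend <friend@america.com>",
    "header_to": "someone-else@example.org",
}


def decide(msg, sender_list, recipient_list):
    """Connection-time decision on the envelope only; header_* is never consulted."""
    hit = matching_entry(msg["rcpt_to"], recipient_list)
    if hit:
        return f"reject: recipient blacklisted by entry {hit}"
    hit = matching_entry(msg["mail_from"], sender_list)
    if hit:
        return f"reject: sender blacklisted by entry {hit}"
    return "allow"


if __name__ == "__main__":
    entries = load_entries(RECIPIENT_BLACKLIST)
    print(decide(MESSAGE, [], entries))
    print(decide(dict(MESSAGE, rcpt_to="user@example.org"), entries, []))
```

The second call in the demo is the case Sam's envelope analogy is about: the From: header names america.com, but the envelope sender is a bounce address at another domain, so a sender list carrying @america.com never fires; catching that message needs the header blacklist instead.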
Re: [spamdyke-users] Moving from GreyLite
I'm not familiar with GreyLite at all, but connection-time means spamdyke does its work while the message is still coming into your mail server -- while the connection with the sending server is active. This is as opposed to filtering messages in the mail queue, after the remote server is no longer connected (and believes the message has been delivered). The advantage of a connection-time filter is the remote server sees the rejection and the spam is never stored on your server at all. Rejecting messages after they've been queued requires either sending a bounce message or delivering it to a user's Junk folder. This distinction comes up a lot around qmail regarding recipient validation. By itself, qmail does not validate recipients when messages are accepted. Any username at a valid domain is accepted, then bounced later if the address turns out to be invalid. This leads to the problem of backscatter spam -- spammers deliberately send messages to invalid addresses and set the from address to their intended target. A qmail server will bounce the message (complete with spam or virus) to the victim. For qmail to validate recipients at connection time requires a patch or a filter like spamdyke. -- Sam Clippinger On Jun 19, 2015, at 5:21 AM, Philip Rhoades via spamdyke-users spamdyke-users@spamdyke.org wrote: People, I have been using GreyLite for many years but it hasn't been supported for quite a while - I think it is time to update to SpamDyke . . but I have some questions - first one: I looked at the SpamDyke web site and it is still not clear to me - it says 'connection-time means spamdyke evaluates and rejects spam while the remote server is still delivering it' - does this mean it does it at the TCP / mail envelope level? ie so it would be the same as GreyLite? GL blocks and forces possibly bad mails to be resent some time later which many spammers don't attempt . . Thanks, Phil. 
-- Philip Rhoades PO Box 896 Cowra NSW 2794 Australia E-mail: p...@pricom.com.au
Re: [spamdyke-users] Need help for customizing reject message
Yes, all of the rejection messages can be customized. Each message is controlled by an option that begins with rejection-text. For example, the message you gave can be changed with the option rejection-text-ip-in-cc-rdns. The full list of rejection message options is here: http://www.spamdyke.org/documentation/README.html#SMTP_ERROR -- Sam Clippinger On Jun 12, 2015, at 9:06 AM, Agence Webtao via spamdyke-users spamdyke-users@spamdyke.org wrote: Hi everybody, Do you know a way to customize reject message? for exemple this one: Refused. Your reverse DNS entry contains your IP address and a country code. I run spamdyke with Qmail on CentOS. I will appreciate any help, thanks :-) Lénaïc ___ spamdyke-users mailing list spamdyke-users@spamdyke.org http://www.spamdyke.org/mailman/listinfo/spamdyke-users ___ spamdyke-users mailing list spamdyke-users@spamdyke.org http://www.spamdyke.org/mailman/listinfo/spamdyke-users
Re: [spamdyke-users] Log helo with log-level=info
At present, spamdyke does not log the HELO name and there's no easy way to configure it to do so. I've been intending to make the logging more configurable to allow admins to capture information like this (and also the Subject or other headers) but haven't gotten it done yet. Hopefully I'll be able to add it soon. -- Sam Clippinger On Jun 12, 2015, at 4:42 AM, Alessio Cecchi via spamdyke-users spamdyke-users@spamdyke.org wrote: Hi, I'm running spamdyke 5.0.1 and works very well, but I have a request. Can spamdyke log the helo sent from the remote server? For example: spamdyke[10250]: ALLOWED from: newslet...@domain.com to: ales...@domain.it origin_ip: 85.11.212.124 origin_rdns: eg-c-7-124.domain.net helo: mx.domains.com auth: (unknown) encryption: (none) reason: 250_ok_1434101245_qp_10301 see helo: mx.domains.com. The helo is usefull but also mandatory if you want to send your log as feed to DNSBL organizations to improve their spam detection (and this would be a benefit for all users). Can the helo add via configuration or require some coding? -- Alessio Cecchi http://www.linkedin.com/in/alessice ___ spamdyke-users mailing list spamdyke-users@spamdyke.org http://www.spamdyke.org/mailman/listinfo/spamdyke-users ___ spamdyke-users mailing list spamdyke-users@spamdyke.org http://www.spamdyke.org/mailman/listinfo/spamdyke-users
Re: [spamdyke-users] Just tried 5.0.1 but something is still missing
Anything's possible, hard to say. Could you post your config file? Have you tried running the config-test command? -- Sam Clippinger On May 19, 2015, at 12:49 AM, Les Fenison via spamdyke-users spamdyke-users@spamdyke.org wrote: I finally got around to installing version 5.0.1 and then with excitement I did a telnet to port 25 and typed ehlo hoping to see that long awaited 250-STARTTLS and... it wasn't there. Did I miss something in the configuration switches or settings?
[spamdyke-users] New version: spamdyke 5.0.1
spamdyke lives! spamdyke version 5.0.1 is now available: http://www.spamdyke.org/ This version fixes a ton of bugs, including a number of access violations that can lead to crashes. Most importantly, the recipient validation feature now works correctly (and has been exhaustively tested). Version 5.0.1 is backwards-compatible with version 5.0.0; simply replacing the old binary with the new one should be safe. -- Sam Clippinger ___ spamdyke-users mailing list spamdyke-users@spamdyke.org http://www.spamdyke.org/mailman/listinfo/spamdyke-users
Re: [spamdyke-users] Segfault in spamdyke (libc-2.14.1.so) since use of version 5 | *** glibc detected *** /usr/local/bin/spamdyke: double free or corruption (fasttop):
Wow Gentoo, really? Every time I consider Gentoo, I start getting flashbacks of installing Slackware 1.2 from floppy disks back in the elder days. Nevertheless, I tried installing Gentoo to try to duplicate your environment and gave up about halfway through the install guide... I can't remember how far I got, but it was one of the pages in the low 500's, I think. :) Anyway, I've spent the last couple days hunting bugs and I've found a few that might be responsible for these errors. Could you try applying this patch and see if it resolves the segfaults? It should apply cleanly to spamdyke 5.0.0:
    cd /path/to/src/spamdyke-5.0.0
    patch -p1 < spamdyke-5.0.0-segfault.patch
    make
Then install the new binary over the old one. If this doesn't fix your crashes, at least it'll fix a lot of other potential ones! [Attachment: spamdyke-5.0.0-segfault.patch] -- Sam Clippinger On Apr 9, 2015, at 11:05 PM, Konstantin via spamdyke-users spamdyke-users@spamdyke.org wrote: Hi Everyone! On a virtual gentoo server I currently have:
    ebuild: dev-libs/openssl-1.0.1l-r1 (OpenSSL 1.0.1l 15 Jan 2015)
    ebuild: sys-devel/gcc-4.8.4 (gcc (Gentoo 4.8.4 p1.4, pie-0.6.1) 4.8.4)
    ebuild: sys-libs/glibc-2.20-r2 (glibc 2.20)
    ebuild: sys-kernel/gentoo-sources-3.17.7 (custom build kernel 3.17.7-gentoo-domU)
Not sure about /etc/xinetd.d/smtps_psa since I don't have it, but the running process looks like this:
    10821 ? S 4:07 /usr/bin/tcpserver -p -v -R -x /etc/tcprules.d/tcp.qmail-smtp.cdb -c 40 -u 201 -g 200 0.0.0.0 smtp spamdyke -f /etc/spamdyke/spamdyke.conf /var/qmail/bin/qmail-smtpd /var/vpopmail/bin/vchkpw /bin/true
Let me know if I can provide you something more relevant, Sam. -- BR, Konstantin On 2015-04-09 20:27, Sam Clippinger via spamdyke-users wrote: I've been looking through the many log files you sent, thanks for being so thorough! From what I can see in the files you and Konstantin have sent, it looks like the problem lies somewhere in the TLS/SSL cleanup routine.
In your log files, all of the crashes seem to happen just after a client fails to connect with SMTPS due to a cipher negotiation problem. There are only four different OpenSSL error codes being logged, which translate as:

error:1406B0CB:SSL routines:GET_CLIENT_MASTER_KEY:peer error no cipher
error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version

Those appear to be the only connections that are crashing; other connections that successfully negotiate their TLS/SSL sessions seem to be fine.

I haven't had any success in reproducing this bug yet, but I'm still working on it. I'm curious about some of the versions on your server though -- could you send me the version numbers of OpenSSL, gcc and the kernel you're running? Could you also send me your /etc/xinetd.d/smtps_psa file (the one that starts spamdyke for SMTPS)? I'd like to see how it's being started so I can try to simulate it.

Thanks!

-- Sam Clippinger

On Apr 7, 2015, at 5:44 PM, Dirk via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

Dear Sam,

at first thank you for the glorious work with spamdyke! I've been using it for several years and it's very helpful to me.

On 30th March 2015 I did an upgrade to version 5 (previous: the last version 4).
Since then I often get a segfault in spamdyke:

[Tue Apr 7 12:05:19 2015] spamdyke[13607]: segfault at 14 ip 7f60ce1e3ba8 sp 7fff6bac3ce0 error 4 in libc-2.14.1.so[7f60ce19b000+187000]
[Tue Apr 7 12:16:20 2015] spamdyke[13959]: segfault at 14 ip 7fe1145bdba8 sp 7fffa6426b90 error 4 in libc-2.14.1.so[7fe114575000+187000]
[Tue Apr 7 12:47:31 2015] spamdyke[15309]: segfault at 14 ip 7f9971e49ba8 sp 7fffa03aad20 error 4 in libc-2.14.1.so[7f9971e01000+187000]
[Tue Apr 7 15:30:51 2015] spamdyke[21795]: segfault at 14 ip 7fb0cac66ba8 sp 7fff209aa400 error 4 in libc-2.14.1.so[7fb0cac1e000+187000]
[Tue Apr 7 16:13:02 2015] spamdyke[23130]: segfault at 14 ip 7f47bd14eba8 sp 7fff5b5fd1e0 error 4 in libc-2.14.1.so[7f47bd106000+187000]
[Tue Apr 7 17:22:50 2015] spamdyke[26691]: segfault at 14 ip 7f24e499bba8 sp 7fff0cbd2060 error 4 in libc-2.14.1.so[7f24e4953000+187000]
[Tue Apr 7 22:37:46 2015] spamdyke[6768]: segfault at 14 ip 7fcd7c1ffba8 sp 7fff0fd874f0 error 4 in libc-2.14.1.so[7fcd7c1b7000+187000]
[Tue Apr 7 22:37:48 2015] spamdyke[6775]: segfault at 1a ip 7fb2f498eba8 sp 7fff6f12c380 error 4 in libc-2.14.1.so[7fb2f4946000+187000]
[Tue Apr 7 22:37:49 2015] spamdyke[6780]: segfault at 1a ip 7f4e9ee6fba8 sp 7fff517bbbd0 error 4 in libc-2.14.1.so[7f4e9ee27000+187000]
[Tue Apr 7 22:38:11 2015] spamdyke[6764]: segfault at c ip 7ffc08375ba8 sp 7fff0c363ba0 error 4 in libc-2.14.1.so[7ffc0832d000+187000]
[Tue Apr 7 23:15:12 2015] spamdyke[10219]: segfault at 14 ip 7ff1e6e54ba8 sp 7fffad8b0870 error 4 in libc-2.14.1.so[7ff1e6e0c000+187000]
[Tue Apr 7 23:30:42 2015] spamdyke[10658]: segfault at 14 ip 7f7e5db7eba8 sp 7fff00aa9eb0 error 4 in libc
Re: [spamdyke-users] TLS problems
Yes you did, and I'm sorry I didn't find a solution then. Having more available time now, I'd like to take another shot. Looking over the logs you sent me last year, I believe the crashes you were seeing are different from the ones reported earlier this week. In the spamdyke.conf file you sent, you're using the ip-relay-file option and I think it's very likely spamdyke is crashing while trying to parse that file. If you still have it, could you send me that file so I can test against it?

-- Sam Clippinger

On Apr 10, 2015, at 1:49 PM, Steve Cole via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

On 2015-04-10 02:52 AM, Les Fenison via spamdyke-users wrote:

I am running spamdyke version 5.0.0+TLS+CONFIGTEST+DEBUG with Plesk's qmail and trying to do TLS. I don't know what I am doing so please correct me if I am debugging this wrong... Using openssl to verify the connection, it seems to connect OK but email clients claim that starttls is not supported. From the command line I see this which tells me it actually is working except for the second line. Is this normal?

I reported these problems over a year ago. Just FYI.

___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
Re: [spamdyke-users] Version 5.0.0 reject-sender=no-mx overriding based on source IP address
I think I found the problem here. It's definitely a bug in the configuration parsing code! Options that can take multiple pre-defined values like reject-sender are cumulative -- they only add more values, they don't subtract. So when spamdyke finds "none" in the configuration directory, it adds "none" to the existing value of "no-mx". Since "none" has a value of zero, nothing happens. Trying to unset "no-mx" by using a value of "!no-mx" doesn't work either. But simply clearing the value seems to work fine. So for now, I'd suggest changing the "1" file in your configuration directory to use this line instead:

reject-sender=!!!

That will reset the reject-sender option to zero (none), which is what you want. I'll include a real fix for this in the next version.

Still trying to find the segfault, that's a deeper rabbit hole...

-- Sam Clippinger

On Apr 8, 2015, at 12:35 AM, Konstantin via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

Hi Everyone,

On Apr 6, 2015, at 12:45 AM, Konstantin via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

Hi Sam,

Thank you very much for what you are doing. I'm testing spamdyke 5.0.0 now and I found the spamdyke-qrv feature very useful. Sometimes it crashes, but it's still usable. :)

I'm trying to make some exceptions for emails that come from certain IP subnets using config-dir=/etc/spamdyke/config.d

mail spamdyke # cat /etc/spamdyke/config.d/_ip_/10/1
reject-empty-rdns=0
reject-sender=none

And it doesn't seem to be working for me. Did I miss something?

On 2015-04-07 18:06, Sam Clippinger via spamdyke-users wrote:

It's hard to say without more information. From what you've shown, it looks like the reject-empty-rdns and reject-sender filters should be deactivated for any connections from 10.1.x.x. But if that's not working, could you post your full config and some log messages? I'd also suggest running the config-test feature to look for problems; sometimes it's as simple as permissions on a folder.

You are correct.
Instead of creating MX records and resolvable PTR records for every local server, I'm just trying to skip these checks when a connection comes from certain IP addresses. My current spamdyke configuration is:

---
log-level=verbose
tls-certificate-file=/var/qmail/control/servercert.pem
graylist-level=always
graylist-dir=/var/tmp/spamdyke/graylist
graylist-exception-ip-file=/etc/spamdyke/graylist-exception-ip-file
graylist-exception-rdns-file=/etc/spamdyke/graylist-exception-rdns-file
graylist-max-secs=3369600
graylist-min-secs=50
reject-empty-rdns
reject-unresolvable-rdns
reject-sender=no-mx
rejection-text-recipient-same-as-sender
rhs-blacklist-entry=sbl-xbl.spamhaus.org
greeting-delay-secs=0
max-recipients=100
connection-timeout-secs=1800
idle-timeout-secs=120
config-dir=/etc/spamdyke/config.d
rdns-blacklist-file=/etc/spamdyke/rdns-keyword-blacklist-file
ip-blacklist-file=/etc/spamdyke/ip-blacklist-file
reject-recipient=invalid
recipient-validation-command=/usr/local/bin/spamdyke-qrv
---

I don't think a file/directory permissions issue is happening in my case.
As far as I can see from the excessive logs, spamdyke reads the change:

DEBUG(process_config_dir()@configuration.c:4469): searching for config dir at /etc/spamdyke/config.d/_ip_
DEBUG(process_config_dir()@configuration.c:4496): searching for config file or dir at /etc/spamdyke/config.d/_ip_/10/1/5/4
DEBUG(process_config_dir()@configuration.c:4496): searching for config file or dir at /etc/spamdyke/config.d/_ip_/10/1/5
DEBUG(process_config_dir()@configuration.c:4496): searching for config file or dir at /etc/spamdyke/config.d/_ip_/10/1
DEBUG(process_config_dir()@configuration.c:4509): reading configuration file: /etc/spamdyke/config.d/_ip_/10/1
EXCESSIVE(process_config_file()@configuration.c:4351): set configuration option reject-empty-rdns from file /etc/spamdyke/config.d/_ip_/10/1, line 1: 0
EXCESSIVE(process_config_file()@configuration.c:4351): set configuration option reject-sender from file /etc/spamdyke/config.d/_ip_/10/1, line 2: none

I'll send you my excessive log output personally if you have time to look at it.

--
BR,
Konstantin
Re: [spamdyke-users] DENIED_RDNS_RESOLVE Question
The error DENIED_RDNS_RESOLVE means spamdyke found an rDNS name, but the name it found doesn't forward-resolve to an IP address (any IP address). So even though compxroads.com has an IP, m1.compxroads.com does not, so spamdyke rejected it.

-- Sam Clippinger

On Mar 24, 2015, at 4:03 PM, Denny Jones via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

Hello,

Here's the log entry I'm getting:

Mar 24 08:16:09 michael spamdyke[12081]: DENIED_RDNS_RESOLVE from: em...@domina.com to: ema...@domina2.com origin_ip: 173.10.76.81 origin_rdns: m1.compxroads.com auth: (unknown) encryption: TLS reason: (empty)

Seems like it shouldn't list a domain if it can't resolve the RDNS. Am I missing something here?

NOTE: If I do a reverse lookup on 173.10.76.81 I get: compxroads.com

Is the error because the origin RDNS is m1.compxroads.com?

Thanks,
Denny
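The check Sam describes above, written out as an added example (this is not spamdyke's code): the PTR name found for the connecting IP must itself resolve to at least one address, otherwise the result is DENIED_RDNS_RESOLVE; no PTR at all gives DENIED_RDNS_MISSING. Lookups go through a small injected table so the block runs offline; 173.10.76.81, m1.compxroads.com and compxroads.com are taken from the log line in the thread, every other address and name is constructed. A stricter FCrDNS variant, where the forward result must contain the connecting IP, is included for comparison and goes beyond what the thread says spamdyke requires.

```python
"""Forward-resolution check on an rDNS name, modelled on the DENIED_RDNS_RESOLVE
explanation in this thread. Added example, not spamdyke's code."""
from typing import Callable, Dict, List

# Constructed DNS data standing in for the live resolver.
PTR_TABLE: Dict[str, str] = {
    "173.10.76.81": "m1.compxroads.com",  # from the thread's log line
    "203.0.113.7": "mx.example.net",       # constructed: name resolves, to a different IP
    "192.0.2.25": "mail.example.org",      # constructed: name resolves back to this IP
    # 203.0.113.8 deliberately has no PTR record at all
}
FORWARD_TABLE: Dict[str, List[str]] = {
    "compxroads.com": ["173.10.76.81"],    # the bare domain has an address...
    # ...but "m1.compxroads.com" has none: the thread's rejection case
    "mx.example.net": ["198.51.100.20"],
    "mail.example.org": ["192.0.2.25"],
}


def table_ptr(ip: str) -> str:
    """PTR lookup against the constructed table; '' means no PTR record."""
    return PTR_TABLE.get(ip, "")


def table_forward(name: str) -> List[str]:
    """A/AAAA lookup against the constructed table; [] means the name has no address."""
    return FORWARD_TABLE.get(name, [])


def rdns_verdict(ip: str,
                 ptr: Callable[[str], str] = table_ptr,
                 forward: Callable[[str], List[str]] = table_forward) -> str:
    """spamdyke-style verdict as the thread describes it:
    no PTR -> DENIED_RDNS_MISSING; PTR name with no address -> DENIED_RDNS_RESOLVE;
    PTR name resolving to *any* address -> ALLOWED (it need not be the connecting IP)."""
    name = ptr(ip)
    if not name:
        return "DENIED_RDNS_MISSING"
    if not forward(name):
        return "DENIED_RDNS_RESOLVE"
    return "ALLOWED"


def fcrdns_ok(ip: str,
              ptr: Callable[[str], str] = table_ptr,
              forward: Callable[[str], List[str]] = table_forward) -> bool:
    """Stricter forward-confirmed rDNS: the PTR name must resolve back to ip itself.
    Not what the thread says spamdyke does; shown for comparison."""
    name = ptr(ip)
    return bool(name) and ip in forward(name)


# Live resolvers with the same signatures, for use outside this offline demo.
def dns_ptr(ip: str) -> str:
    import socket
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return ""


def dns_forward(name: str) -> List[str]:
    import socket
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


if __name__ == "__main__":
    for ip in PTR_TABLE.keys() | {"203.0.113.8"}:
        print(ip, rdns_verdict(ip), "fcrdns" if fcrdns_ok(ip) else "")
```

Swap `dns_ptr` / `dns_forward` in for the table functions to run the same logic against real DNS; the verdict function itself does not change.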
Re: [spamdyke-users] Spamdyke answers with incomplete SMTP message
You're quite correct -- this is a bug in version 5.0.0. I've got it fixed in the next version, hopefully to be released very soon.

-- Sam Clippinger

On Feb 2, 2015, at 1:38 PM, Heiko Bornholdt via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

Hi,

I'm trying to replace my Spamdyke 4.3 with 5.0. I want to disable SSLv3 because of POODLE. I'm using Ubuntu 12.04 LTS and have Spamdyke compiled from source without any special configuration.

root@andromeda:~# spamdyke --version
spamdyke 5.0.0+TLS+CONFIGTEST+DEBUG (C)2014 Sam Clippinger, samc (at) silence (dot) org
http://www.spamdyke.org/

This is my run-script:

root@andromeda:~# cat /etc/service/qmail-relay-submit/run
#!/bin/sh
QMAILUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
exec tcpserver -v -HPR -u $QMAILUID -g $NOFILESGID 0 587 spamdyke -f /etc/spamdyke-587.conf /usr/sbin/qmail-smtpd 2>&1

I have problems with submitting messages via SMTP. I have debugged the problem with swaks and tcpdump, and so I have discovered that with my configuration Spamdyke is sending incomplete SMTP answers.

From my local computer I run:

[heiko@dhcp-172-21-37-9 ~]$ swaks -t he...@bornholdt.it -f he...@andromeda.bornholdt.it --server andromeda.bornholdt.it:587 --auth --auth-user=heiko
Password: s3cr3t
=== Trying andromeda.bornholdt.it:587...
=== Connected to andromeda.bornholdt.it.
<-  220 andromeda.bornholdt.it ESMTP
 -> EHLO dhcp-172-21-37-9.wlan.uni-hamburg.de.local
** Timeout (30 secs) waiting for server response
 -> HELO dhcp-172-21-37-9.wlan.uni-hamburg.de.local
<-  250 andromeda.bornholdt.it
*** Host did not advertise authentication
 -> QUIT
<-  221 andromeda.bornholdt.it
=== Connection closed with remote host.
And on the server:

root@andromeda:~# tcpflow -i any -C -e port 587
tcpflow[9428]: listening on any
220 andromeda.bornholdt.it ESMTP
EHLO dhcp-172-21-37-9.wlan.uni-hamburg.de.local
250-andromeda.bornholdt.it
250-PIPELINING
250-8BITMIME
250-AUTH LOGIN PLAIN
250-STARTTLS

Nothing happens for 30 seconds and then the client aborts because of a timeout.

My configuration:

root@andromeda:~# cat /etc/spamdyke-587.conf
log-level=verbose
log-target=stderr
smtp-auth-level=always
smtp-auth-command=/usr/bin/checkvpw /usr/local/bin/heiko-smtp-auth-logger maildir
hostname-file=/var/lib/qmail/control/me
tls-level=smtp
tls-certificate-file=/etc/qmail/servercert.pem
tls-privatekey-file=/etc/qmail/servercert.pem
tls-cipher-list=kEDH:AESGCM:HIGH:+MEDIUM:TLSv1:+ALL:!RC4:!SEED:!IDEA:!RC2:!3DES:!DES:!MD5:!DSS:!aNULL:!eNULL:!ECDSA:!ECDH:!PSK:!SRP
tls-dhparams-file=/etc/ssl/private/dhparam2048.pem
qmail-morercpthosts-cdb=/var/lib/qmail/control/morercpthosts.cdb
qmail-rcpthosts-file=/dev/null

Log:

root@andromeda:~# cat /var/log/qmail/qmail-relay-submit/current | tai64nlocal
2015-02-02 18:33:29.206085500 tcpserver: status: 1/40
2015-02-02 18:33:29.206143500 tcpserver: pid 11591 from 134.100.17.1
2015-02-02 18:33:29.212386500 tcpserver: ok 11591 static.199.121.76.144.clients.your-server.de::::144.76.121.199:587 ::::134.100.17.1::57359
2015-02-02 18:33:29.213511500 spamdyke[11591]: ERROR(load_resolver_file()@search_fs.c:752): invalid/unparsable nameserver found: 2a01:4f8:0:a111::add:9898
2015-02-02 18:33:29.213579500 spamdyke[11591]: ERROR(load_resolver_file()@search_fs.c:752): invalid/unparsable nameserver found: 2a01:4f8:0:a102::add:
2015-02-02 18:33:29.213609500 spamdyke[11591]: ERROR(load_resolver_file()@search_fs.c:752): invalid/unparsable nameserver found: 2a01:4f8:0:a0a1::add:1010
2015-02-02 18:33:59.323577500 tcpserver: end 11591 status 0
2015-02-02 18:33:59.323578500 tcpserver: status: 0/40

I think the problem is that the server sends "250-STARTTLS" and not "250 STARTTLS" (missing hyphen). So the client thinks that the message is not complete and waits for the next line.

Best regards,
Heiko
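What the client is doing while it waits, as an added example (not spamdyke's or swaks' code): an SMTP reply (RFC 5321, section 4.2) is one or more lines of the form "NNN-text", terminated by a line of the form "NNN text" or a bare "NNN". A client keeps reading until it sees that final form, so a reply whose last line is "250-STARTTLS" is still in progress from the client's point of view and the read blocks until the timeout. The two buffers below are constructed from the tcpflow capture above.

```python
"""Client-side parsing of an SMTP multi-line reply, showing why the EHLO
response captured in this thread stalls the client. Added example."""
import re
from typing import Dict, List, Tuple

# "NNN" alone, "NNN-text" (continuation) or "NNN text" (final line).
REPLY_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")


class IncompleteReply(Exception):
    """The buffer ended while the last line still used the '-' continuation form."""


def parse_reply(buf: str) -> Tuple[int, List[str]]:
    """Parse one complete reply from buf and return (code, text lines).

    Raises IncompleteReply if no final line has arrived yet, and ValueError for
    lines that are not SMTP reply lines or that change the code mid-reply.
    """
    lines = [l for l in buf.replace("\r\n", "\n").split("\n") if l != ""]
    if not lines:
        raise IncompleteReply("no reply lines received")
    code = None
    texts: List[str] = []
    for line in lines:
        m = REPLY_LINE.match(line)
        if not m:
            raise ValueError(f"not an SMTP reply line: {line!r}")
        this_code, sep, text = m.group(1), m.group(2), m.group(3) or ""
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError(f"reply code changed mid-reply: {code} -> {this_code}")
        texts.append(text)
        if sep != "-":            # space or no separator at all: this is the final line
            return int(code), texts
    raise IncompleteReply(f"last line {lines[-1]!r} is a continuation line")


def reply_state(buf: str) -> str:
    """'complete' or 'incomplete', as a client's read loop would classify buf."""
    try:
        parse_reply(buf)
        return "complete"
    except IncompleteReply:
        return "incomplete"


def ehlo_extensions(buf: str) -> Dict[str, List[str]]:
    """Map each advertised EHLO keyword to its parameters; the first line is the greeting."""
    code, texts = parse_reply(buf)
    if code != 250:
        return {}
    exts: Dict[str, List[str]] = {}
    for text in texts[1:]:
        words = text.split()
        if words:
            exts[words[0].upper()] = words[1:]
    return exts


# Constructed from the tcpflow capture: the reply spamdyke 5.0.0 sent...
BUGGY_EHLO = ("250-andromeda.bornholdt.it\r\n250-PIPELINING\r\n250-8BITMIME\r\n"
              "250-AUTH LOGIN PLAIN\r\n250-STARTTLS\r\n")
# ...and the same reply with a correctly terminated last line.
FIXED_EHLO = BUGGY_EHLO.replace("250-STARTTLS", "250 STARTTLS")

if __name__ == "__main__":
    print("buggy:", reply_state(BUGGY_EHLO))
    print("fixed:", reply_state(FIXED_EHLO), ehlo_extensions(FIXED_EHLO))
```

The same parser is also what a mail client uses to decide whether AUTH was advertised, which is why swaks falls back to HELO and then reports that the host did not advertise authentication.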
Re: [spamdyke-users] Problems Using spamdyke-qrv With Aliases In Alias Domain
This is correct -- spamdyke-qrv has a bug that doesn't correctly validate forward addresses that are not hosted locally. I hope to have a new version of spamdyke available very soon that will fix this problem (and several others). Just need to get all the test scripts to run successfully...

-- Sam Clippinger

On Jan 10, 2015, at 9:40 AM, Martin H. Sluka via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

Hi Konstantin,

> I have difficulties using spamdyke-qrv in combination with aliases on aliased domains with vpopmail. For example, when I'm creating a new domain original-domain.com with alias domain alias-domain.com and then, after creating the forward al...@original-domain.com, I expect to be receiving email on al...@alias-domain.com as well. But spamdyke-qrv filters it. :(

Maybe it's the bug explained here: http://comments.gmane.org/gmane.mail.spam.spamdyke.user/4055

At least, this one caused trouble at our site in connection with forwardings to remote addresses in .qmail files. Any ideas how to fix it? The following patch works for me as a workaround:

--- spamdyke-5.0.0/spamdyke-qrv/validate-qrv.c 2014-01-27 23:28:00.0 +0100
+++ spamdyke-5.0.0/spamdyke-qrv/validate-qrv.c.patched 2014-12-30 01:30:37.405723118 +0100
@@ -1247,14 +1247,8 @@ break; case 47: - if (((return_value = validate(current_settings, qmail_lines[current_line] + ((qmail_lines[current_line][0] == QMAIL_FORWARD_START_CHAR) ? 1 : 0), (qmail_lines[current_line][i] == '@') ? (i - 1) : i, (qmail_lines[current_line][i] == '@') ? (qmail_lines[current_line] + i + 1) : , forwarded + 1)) == DECISION_VALID) || - (return_value == DECISION_ERROR)) -continue_processing = 0; - else -{ -current_line++; -current_step = 37; -} + return_value = DECISION_UNKNOWN; + continue_processing = 0; break; default: That is, instead of trying to recursively resolve aliases, I just consider their status as unknown, which lets spamdyke accept messages by default. If that does not work for you, please send the output of spamdyke-qrv -vv alias-domain.com alias to the list (assuming that you have configured and compiled spamdyke-qrv --with-excessive-output). Regards, Martin -- ___ _ Martin H. Sluka \ mailto:mar...@sluka.de / ASCII ribbon ( ) Breite Straße 3 \ tel +49-700-19751024 / campaign - against X D-90552 Röthenbach \-- http://unf.ug ---/ HTML email vcards / \ ___ spamdyke-users mailing list spamdyke-users@spamdyke.org http://www.spamdyke.org/mailman/listinfo/spamdyke-users ___ spamdyke-users mailing list spamdyke-users@spamdyke.org http://www.spamdyke.org/mailman/listinfo/spamdyke-users
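Review bot: the replacement for case 47 gives up on every forward line, not only the remote-forward case that this thread identifies as the actual bug. With `return_value = DECISION_UNKNOWN;` and `continue_processing = 0;` spamdyke-qrv stops at the first forward line of the .qmail file and reports the recipient as unknown, so forwards whose target is hosted locally (which the removed recursive validate() call could have confirmed or rejected) are now accepted by default as well, and any lines after that forward are never examined, since the removed else branch was what advanced with `current_line++; current_step = 37;`. That is acceptable as a local workaround, but a fix should keep the recursive call and fall back to DECISION_UNKNOWN only for targets outside the locally hosted domains. Separately, the removed validate() line as shown has an empty argument after `(qmail_lines[current_line] + i + 1) :`, which looks like a character lost in the archive rather than part of the patch; the hunk as reproduced here would not apply.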
Re: [spamdyke-users] Error in log
Definitely a bug! That space in the error message before the colon ("unable to open keywords file :") is where it's supposed to print the filename it's trying to open. So either it's got a blank filename in its list of keyword files and these errors are harmless noise, or it's not loading your keyword file at all and the filter isn't working. I assume you're on the latest version? Would you mind sending me your complete configuration file? I'd like to be able to reproduce this so I can be sure I've got it fixed.

-- Sam Clippinger

On Nov 27, 2014, at 8:21 PM, Les Fenison <l...@deltatechnicalservices.com> wrote:

I keep seeing this error in the log every few minutes...

Nov 27 18:03:32 zeus spamdyke[28831]: ERROR(check_ip_in_rdns_keyword()@filter.c:919): unable to open keywords file : No such file or directory
Nov 27 18:14:28 zeus spamdyke[7028]: ERROR(check_ip_in_rdns_keyword()@filter.c:919): unable to open keywords file : No such file or directory
Nov 27 18:14:29 zeus spamdyke[7051]: ERROR(check_ip_in_rdns_keyword()@filter.c:919): unable to open keywords file : No such file or directory
Nov 27 18:14:34 zeus spamdyke[7080]: ERROR(check_ip_in_rdns_keyword()@filter.c:919): unable to open keywords file : No such file or directory

In my conf file I have...

ip-in-rdns-keyword-blacklist-entry=dyn
ip-in-rdns-keyword-blacklist-entry=dynamic
ip-in-rdns-keyword-blacklist-entry=dhcp
ip-in-rdns-keyword-blacklist-file=/etc/spamdyke.d/ip-in-rdns-keyword-blacklist.conf

In /etc/spamdyke.d I do have a file called ip-in-rdns-keyword-blacklist.conf, so it does exist. The permissions are exactly as they are for all my other config files in the same directory. I don't understand why I am getting this error.
Les Fenison
www.DeltaTechnicalServices.com
l...@deltatechnicalservices.com
(503) 610-8747
Re: [spamdyke-users] Error in log
Found the problem -- very obscure! The structure of your configuration file is tickling a small bug so it adds an empty value to the end of the list of ip-in-rdns-keyword files. The filter is running normally and I don't see any way this bug could possibly add anything but a blank value to the end of the list, so the error messages are just noise. If you remove the comment lines from your configuration file, the error messages should stop.

Fixing this bug also uncovered a related bug that would throw an error (and stop spamdyke) if a line in the configuration file contains only a single space. I thought I'd already fixed that before, but apparently not.

Thanks for reporting this! I'm currently testing the next version and hope to release it next week with some important fixes to spamdyke-qrv.

-- Sam Clippinger

On Nov 28, 2014, at 12:14 PM, Les Fenison <l...@deltatechnicalservices.com> wrote:

Here is the config file.

-- Original Message --
From: Sam Clippinger <s...@silence.org>
To: spamdyke users <spamdyke-users@spamdyke.org>
Sent: 11/28/2014 9:19:46 AM
Subject: Re: [spamdyke-users] Error in log

Definitely a bug! That space in the error message before the colon ("unable to open keywords file :") is where it's supposed to print the filename it's trying to open. So either it's got a blank filename in its list of keyword files and these errors are harmless noise, or it's not loading your keyword file at all and the filter isn't working. I assume you're on the latest version? Would you mind sending me your complete configuration file? I'd like to be able to reproduce this so I can be sure I've got it fixed.

-- Sam Clippinger

On Nov 27, 2014, at 8:21 PM, Les Fenison <l...@deltatechnicalservices.com> wrote:

I keep seeing this error in the log every few minutes...
Nov 27 18:03:32 zeus spamdyke[28831]: ERROR(check_ip_in_rdns_keyword()@filter.c:919): unable to open keywords file : No such file or directory
Nov 27 18:14:28 zeus spamdyke[7028]: ERROR(check_ip_in_rdns_keyword()@filter.c:919): unable to open keywords file : No such file or directory
Nov 27 18:14:29 zeus spamdyke[7051]: ERROR(check_ip_in_rdns_keyword()@filter.c:919): unable to open keywords file : No such file or directory
Nov 27 18:14:34 zeus spamdyke[7080]: ERROR(check_ip_in_rdns_keyword()@filter.c:919): unable to open keywords file : No such file or directory

In my conf file I have...

ip-in-rdns-keyword-blacklist-entry=dyn
ip-in-rdns-keyword-blacklist-entry=dynamic
ip-in-rdns-keyword-blacklist-entry=dhcp
ip-in-rdns-keyword-blacklist-file=/etc/spamdyke.d/ip-in-rdns-keyword-blacklist.conf

In /etc/spamdyke.d I do have a file called ip-in-rdns-keyword-blacklist.conf, so it does exist. The permissions are exactly as they are for all my other config files in the same directory. I don't understand why I am getting this error.

Les Fenison
www.DeltaTechnicalServices.com
l...@deltatechnicalservices.com
(503) 610-8747
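The two configuration-parsing behaviours discussed in these threads (the cumulative reject-sender option from the "reject-sender=no-mx overriding based on source IP address" thread above, and the comment and blank-line handling behind the blank keyword filename in this one) modelled in one small option parser. This is an added example, not spamdyke's code: the reject-sender keyword table is a constructed subset with this example's own bit values (only "none" having the value zero comes from the thread), the exact mechanism by which comment lines produced the blank entry in 5.0.0 is not known from the thread and is not reproduced, and the sample configuration lines are Konstantin's and Les's with a constructed comment line and a whitespace-only line added.

```python
"""Model of an option parser illustrating two spamdyke 5.0.0 configuration
reports: cumulative multi-valued options and blank entries in list options.
Added example, not spamdyke's code; keyword bit values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed subset of reject-sender keywords; only "none" == 0 is from the thread.
REJECT_SENDER_FLAGS = {"none": 0, "no-mx": 1, "not-local": 2}
LIST_OPTIONS = {"ip-in-rdns-keyword-blacklist-entry", "ip-in-rdns-keyword-blacklist-file"}
FLAG_OPTIONS = {"reject-empty-rdns", "reject-unresolvable-rdns"}


@dataclass
class Config:
    reject_sender: int = 0
    flags: Dict[str, int] = field(default_factory=dict)
    lists: Dict[str, List[str]] = field(default_factory=lambda: {k: [] for k in LIST_OPTIONS})
    other: Dict[str, str] = field(default_factory=dict)


def apply_reject_sender(current: int, value: str, fixed: bool) -> int:
    """Apply one reject-sender value to the accumulated bitmask.

    fixed=False reproduces the behaviour described in the thread: values only
    ever OR in more bits, so "none" (0) and "!no-mx" change nothing.
    fixed=True gives "none" and "!keyword" the reset semantics a reader expects.
    "!!!" clears the option in both modes, matching the posted workaround.
    """
    if value == "!!!":
        return 0
    if value.startswith("!"):
        return (current & ~REJECT_SENDER_FLAGS[value[1:]]) if fixed else current
    if value == "none" and fixed:
        return 0
    return current | REJECT_SENDER_FLAGS[value]


def parse_lines(lines: List[str], cfg: Config, fixed: bool = True) -> Config:
    """Parse option lines into cfg. Blank, whitespace-only and '#' lines contribute
    nothing, and a list option with an empty value is an error instead of silently
    becoming a blank entry (the "unable to open keywords file :" noise)."""
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        name, value = name.strip(), value.strip()
        if name == "reject-sender":
            cfg.reject_sender = apply_reject_sender(cfg.reject_sender, value, fixed)
        elif name in LIST_OPTIONS:
            if not value:
                raise ValueError(f"line {lineno}: {name} requires a non-empty value")
            cfg.lists[name].append(value)
        elif name in FLAG_OPTIONS:
            cfg.flags[name] = 1 if not sep else int(value)   # bare option means "on"
        else:
            cfg.other[name] = value
    return cfg


# Konstantin's relevant main-config lines and his _ip_/10/1 override file.
MAIN_CONF = ["reject-empty-rdns", "reject-sender=no-mx", "config-dir=/etc/spamdyke/config.d"]
OVERRIDE_NONE = ["reject-empty-rdns=0", "reject-sender=none"]
OVERRIDE_RESET = ["reject-empty-rdns=0", "reject-sender=!!!"]   # Sam's workaround


def effective_reject_sender(override: List[str], fixed: bool) -> int:
    """Main config first, then the per-IP override, as config-dir processing implies."""
    cfg = parse_lines(MAIN_CONF, Config(), fixed)
    return parse_lines(override, cfg, fixed).reject_sender


# Les's keyword-filter lines, plus a constructed comment and a whitespace-only line.
LES_CONF = [
    "# rDNS keyword filters",
    " ",
    "ip-in-rdns-keyword-blacklist-entry=dyn",
    "ip-in-rdns-keyword-blacklist-entry=dynamic",
    "ip-in-rdns-keyword-blacklist-entry=dhcp",
    "",
    "ip-in-rdns-keyword-blacklist-file=/etc/spamdyke.d/ip-in-rdns-keyword-blacklist.conf",
]


def keyword_files() -> List[str]:
    return parse_lines(LES_CONF, Config()).lists["ip-in-rdns-keyword-blacklist-file"]


if __name__ == "__main__":
    print("none, cumulative:", effective_reject_sender(OVERRIDE_NONE, fixed=False))
    print("none, fixed:     ", effective_reject_sender(OVERRIDE_NONE, fixed=True))
    print("!!! workaround:  ", effective_reject_sender(OVERRIDE_RESET, fixed=False))
    print("keyword files:   ", keyword_files())
```

Run with `fixed=False` the model shows why `reject-sender=none` in the per-IP file left no-mx in force, and why `!!!` still worked; the list handling shows the property Sam's fix needs, that no line shape can append an empty filename.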
Re: [spamdyke-users] Avoiding greylisting delays by making many exceptions
Very interesting, thanks for running these trials! I've currently got graylisting enabled on my own server, but I've been considering turning it off. An interesting statistic to look at, I think, would be the number of connections blocked by graylisting that don't eventually return with a successful delivery. In other words, the number of spambots that are actually deterred by the graylist filter.

-- Sam Clippinger

On Nov 20, 2014, at 3:27 AM, Quinn Comendant <qu...@strangecode.com> wrote:

On Tue, 04 Nov 2014 08:05:22 -0700, BC wrote:

At the suggestion of others here, I turned OFF greylisting last year, after having used it for years before that. My spam level didn't increase one bit. I think the RBL sites are pretty good at identifying spam originations, so I use that method now.

So to check the usefulness of greylisting, I've done a rough study on our server. I've run three ten-day periods with different configurations, and processed the logs for each period using David Ramsden's SpamAssassin logfile analyser script [1]. The difference between greylisting enabled or disabled, all other configuration the same, is 2x the amount of messages received. During the period of greylisting, no false positives were reported by our users, although they said their spam load was significantly reduced. It's hard to know from these numbers what the actual change in spam is, but I would venture to interpret the results and say greylisting is still helpful. You can see my spamdyke configuration here [2].
= Config 1: SA + rblsmtpd
Total messages: 90824   Ham: 56264   Spam: 34560   % Spam: 38.05%
Average spam score: 11.34/4.78
Average ham score : -0.01/4.85

= Config 2: SA + spamdyke (no greylisting)
Total messages: 78271   Ham: 63730   Spam: 14541   % Spam: 18.58%
Average spam score: 10.00/4.80
Average ham score : -0.05/4.85

= Config 3: SA + spamdyke + greylisting
Total messages: 39676   Ham: 31763   Spam: 7913    % Spam: 19.94%
Average spam score: 13.31/4.84
Average ham score : -0.84/4.85

[1] http://www.sourcefiles.org/Log_Analyzers/sa-stats.pl
[2] http://pastie.org/private/bzncofm9e0vhbez8kacnka

Quinn
Re: [spamdyke-users] Error on Qmail Toaster Install
Yikes, that's no good! I'll get that fixed in the next version, thanks for reporting this!

-- Sam Clippinger

On Nov 4, 2014, at 1:55 AM, Quinn Comendant <qu...@strangecode.com> wrote:

[This is a reply to https://www.mail-archive.com/spamdyke-users@spamdyke.org/msg03900.html — I don't have the original messages, so this post probably won't thread correctly.]

When running `spamdyke --config-test` I experienced a `free(): invalid pointer` error similar to Jeff's, but found the problem: my morercpthosts file started with a blank line, then a line starting with a #, a bit like this:

---

#example.com
host1.com
host2.com
host3.com
…
---

Here's the error output: http://pastebin.com/d2tt8ah2

The solution was to delete these two useless lines from morercpthosts and it worked. spamdyke could catch this error if it parsed the file in a smarter way (accepting only lines with valid domains, or displaying an error if unacceptable characters were found).

Quinn
Re: [spamdyke-users] broken hunter_seeker URL
Looks like some Apache config entries didn't make it to the new server when I set it up, sorry about that. I've got them in place now, so those links should work now.

I don't actually use the spamtrap script myself any more, it's just too I/O intensive with large amounts of email. The hunter_seeker script still works great for me, though it's important to add new filters periodically as you notice new spammers becoming effective.

-- Sam Clippinger

On Nov 4, 2014, at 8:53 PM, Quinn Comendant <qu...@strangecode.com> wrote:

Sam,

The URLs for hunter_seeker and spamtrap you offered us in 2013 are broken:

http://www.spamdyke.org/releases/hunter_seeker/
http://www.spamdyke.org/releases/spamtrap/

Has this project moved? And is this script still as effective as it was? I'd like to know its current status before implementing it.

Quinn
Re: [spamdyke-users] broken hunter_seeker URL
I just recreated the tarball to include the new scripts I've created recently. It's available on the site now.

-- Sam Clippinger

On Nov 5, 2014, at 8:11 AM, Gary Gendel <g...@genashor.com> wrote:

Sam,

Do you have a repository of your current filters that you're willing to share? Or do I need to download the hunter_seeker package periodically?

Gary

On 11/05/2014 09:08 AM, Sam Clippinger wrote:

Looks like some Apache config entries didn't make it to the new server when I set it up, sorry about that. I've got them in place now, so those links should work now.

I don't actually use the spamtrap script myself any more, it's just too I/O intensive with large amounts of email. The hunter_seeker script still works great for me, though it's important to add new filters periodically as you notice new spammers becoming effective.

-- Sam Clippinger

On Nov 4, 2014, at 8:53 PM, Quinn Comendant <qu...@strangecode.com> wrote:

Sam,

The URLs for hunter_seeker and spamtrap you offered us in 2013 are broken:

http://www.spamdyke.org/releases/hunter_seeker/
http://www.spamdyke.org/releases/spamtrap/

Has this project moved? And is this script still as effective as it was? I'd like to know its current status before implementing it.

Quinn
Re: [spamdyke-users] Questions about qrv
Nope, you don't need those files. spamdyke-qrv will use them if they exist, otherwise it will assume the default values. However, if you're using Plesk you don't need spamdyke-qrv at all. The built-in Plesk filters already check for valid recipients before they allow a message to be accepted.

-- Sam Clippinger

On May 30, 2014, at 5:11 PM, Les Fenison <l...@deltatechnicalservices.com> wrote:

According to the list of files in the docs, I am missing some. Is it necessary to have them all? I am missing these...

/var/qmail/control/envnoathost
/var/qmail/control/percenthack

I am running the Plesk version of qmail which doesn't provide those files. I have specified the path to the spamdyke-qrv file and am not seeing any error messages in config-test.

I get an error when specifying multiple choices for reject-recipient. Is it not possible to use multiple? I want to reject same-as-sender, invalid, and unavailable. How can I specify multiple options? I have tried

reject-recipient=same-as-sender, invalid, unavailable

which gives me

Illegal value for option reject-recipient: invalid, same-as-sender, unavailable (must be one of none, same-as-sender, invalid, unavailable)

Debugging qrv???

I am having trouble using config-test. It always hangs and then consumes major CPU and disk resources. The output always looks like this before it hangs.

spamdyke 5.0.0+TLS+CONFIGTEST+DEBUG (C)2014 Sam Clippinger, samc (at) silence (dot) org
http://www.spamdyke.org/
Use --help for an option summary, --more-help for option details or see README.html for complete documentation.

WARNING: Running tests as superuser root(0), group root(0). These test results may not be valid if the mail server runs as another user.
SUCCESS: /var/qmail/bin/relaylock appears to offer TLS support but spamdyke will intercept and decrypt the TLS traffic so all of its filters can operate.
ERROR: /var/qmail/bin/relaylock appears to offer SMTP AUTH support. spamdyke will observe any authentication and trust its response. The smtp-auth-command option was given but will be ignored.
SUCCESS(config-file): Opened for reading: /etc/spamdyke.conf
SUCCESS(dns-resolv-conf): Opened for reading: /etc/resolv.conf
SUCCESS(graylist-exception-ip-file): Opened for reading: /etc/spamdyke.d/graylist-exception-rdns.conf
SUCCESS(graylist-exception-rdns-file): Opened for reading: /etc/spamdyke.d/graylist-exception-ip.conf
Re: [spamdyke-users] modifying way that filters are shown in log files
I'm really sorry I haven't been able to get to spamdyke issues lately, let me see if I can catch up...

When I test the earlytalker filter by itself from the command line, it appears to work:

root@patched:/usr/local/src/spamdyke-5.0.0/spamdyke# ./spamdyke --log-target stderr -linfo -e 10 ../tests/smtpdummy/smtpdummy
helo me
220 smtpdummy ESMTP
250 HELO received
mail from:<f...@bar.com>
250 Refused. You are not following the SMTP protocol.
rcpt to:<b...@foo.com>
554 Refused. You are not following the SMTP protocol.
spamdyke[4199]: DENIED_EARLYTALKER from: f...@bar.com to: b...@foo.com origin_ip: 0.0.0.0 origin_rdns: (unknown) auth: (unknown) encryption: (none) reason: (empty)
quit
221 Refused. You are not following the SMTP protocol.

So if your connections aren't being whitelisted, there may be a bug where the earlytalker filter is failing when combined with some other option(s). Could you send me your spamdyke configuration file so I can try to reproduce your setup and nail it down?

-- Sam Clippinger

On Mar 13, 2014, at 3:03 PM, Shane Bywater <sh...@apexia.ca> wrote:

Hi,

I disabled all whitelist options in spamdyke.conf and restarted spamdyke. I confirmed that no whitelist filters continued to be displayed in the maillog file, and also confirmed that only "FILTER_EARLYTALKER delay: 5" was found, but still no DENIED_EARLYTALKER entries. I even checked back in maillog files from 2012 and found the same result. It just can't be an authenticated user from so many different IPs (100s) over such a long period of time, as my server would certainly be listed in multiple DNS blacklists (it's currently not in any).

If anyone else has the same issue I would be curious if it has anything to do with Plesk being involved. If there are no other recommendations maybe I'll try installing Spamdyke 5.0.0, unless anyone has had issues using it on a Plesk 10.4.4, CentOS 6 server.

All comments are welcomed.
Regards, Shane Bywater -- Message: 1 Date: Wed, 12 Mar 2014 17:28:58 -0500 From: Sam Clippinger s...@silence.org Subject: Re: [spamdyke-users] modifying way that filters are shown in log files To: spamdyke users spamdyke-users@spamdyke.org Message-ID: a70266f0-2742-4c3b-9820-adc66fe9f...@silence.org Content-Type: text/plain; charset=us-ascii If the earlytalker filter actually blocks a connection, you should see a DENIED_EARLYTALKER message in the log. Are you sure that connection isn't whitelisted or authenticating? Either of those things would prevent the earlytalker filter from actually blocking the connection. -- Sam Clippinger On Mar 11, 2014, at 10:04 PM, Shane Bywater sh...@apexia.ca wrote: Hi, I'm running Spamdyke 4.3.1 on a Centos 6 server. I've been successfully using spamdyke along with fail2ban to block IPs with the following characteristics: Missing RNDS and RDNS containing IP address. In the maillog files I see the following: Aug 24 04:14:42 server spamdyke[20879]: FILTER_IP_IN_CC_RDNS ip: 186.52.196.7 rdns: r186-52-196-7.dialup.adsl.anteldata.net.uy Aug 24 04:14:42 server spamdyke[20879]: DENIED_IP_IN_CC_RDNS from: birgitta.weh...@vll.ca to: u...@domain.com origin_ip: 186.52.196.7 origin_rdns: r186-52-196-7.dialup.adsl.an Aug 24 04:15:07 server spamdyke[23813]: FILTER_RDNS_MISSING ip: 117.207.23.39 Aug 24 04:15:07 server spamdyke[23813]: DENIED_RDNS_MISSING from: 73a8...@enerdeco.nl to: u...@domain.com origin_ip: 117.207.23.39 origin_rdns: (unknown) auth: (unknown) Aug 24 04:21:33 apexia spamdyke[25574]: FILTER_EARLYTALKER delay: 5 Aug 24 04:21:33 apexia /var/qmail/bin/relaylock[25582]: /var/qmail/bin/relaylock: mail from 101.208.35.161:51645 (not defined) My fail2ban configuration file contains: [Definition] failregex = spamdyke.+: DENIED_RDNS_MISSING from:.+origin_ip: HOST spamdyke.+: DENIED_IP_IN_CC_RDNS from:.+origin_ip: HOST spamdyke.+: FILTER_EARLYTALKER delay: 5.+from HOST --not working ignoreregex = My issue is I now want to start banning IPs 
that set off the FILTER_EARLYTALKER filter but as there is no corresponding DENIED_EARLYTALKER from: x...@yyy.com to u...@domain.com origin_ip: 111.222.333.444 I cannot figure out the proper failregex expression to match the exising format for FILTER_EARLYTALKER nor do I know how to change spamdyke to show a familiar DENIED_EARLYTALKER ... heading in the maillog which I could determine the proper failregex for. If anyone can provide me with some suggestions that would be appreciated. Regards, Shane Bywater ___ spamdyke-users mailing list spamdyke-users@spamdyke.org http://www.spamdyke.org/mailman/listinfo/spamdyke-users -- next part -- An HTML attachment was scrubbed... URL: http://www.spamdyke.org/mailman/private/spamdyke-users/attachments
Re: [spamdyke-users] SMTP Auth Problem
I'm really sorry I haven't been able to get to spamdyke issues lately, let me see if I can catch up... Did you ever get this issue resolved? The only thing that jumps out to me is the way you've formatted your smtp-auth-command option -- you've got two commands on a single line, which means only the first one will be executed. Try breaking it up into two lines, like this:

smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true
smtp-auth-command=/var/qmail/bin/cmd5checkpw /var/qmail/bin/true

Also, the error messages you sent show the user is trying to authenticate with the username webmaster. Is that legal on your server? Most Plesk servers require authenticating with the full email address as the username.

-- Sam Clippinger

On Mar 18, 2014, at 5:30 AM, Arne.Metzger mo...@foni.net wrote:

In the meantime I switched back to 4.3.1, which works like a charm! Here is my config for 4.3.1 - what did I do wrong during the update to 5.0.0?

log-level=verbose
local-domains-file=/var/qmail/control/rcpthosts
tls-certificate-file=/var/qmail/control/servercert.pem
max-recipients=20
idle-timeout-secs=100
greeting-delay-secs=5
smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
smtp-auth-level=ondemand-encrypted
filter-level=normal
config-dir=/var/qmail/spamdyke/config.d
graylist-dir=/var/qmail/spamdyke/graylist
graylist-level=always-create-dir
graylist-min-secs=300
graylist-max-secs=604800
graylist-exception-ip-file=/var/qmail/spamdyke/graylist-exception-ip
graylist-exception-rdns-file=/var/qmail/spamdyke/graylist-exception-rdns
policy-url=http://www.shjjv.de/Spamfilter.547.0.html
sender-blacklist-file=/var/qmail/spamdyke/blacklist_senders
recipient-blacklist-file=/var/qmail/spamdyke/blacklist_recipients
ip-in-rdns-keyword-blacklist-file=/var/qmail/spamdyke/blacklist_keywords
ip-blacklist-file=/var/qmail/spamdyke/blacklist_ip
rdns-blacklist-file=/var/qmail/spamdyke/blacklist_rdns
rdns-whitelist-file=/var/qmail/spamdyke/whitelist_rdns
ip-whitelist-file=/var/qmail/spamdyke/whitelist_ip
sender-whitelist-file=/var/qmail/spamdyke/whitelist_sender
dns-blacklist-entry=ix.dnsbl.manitu.net
dns-blacklist-entry=zen.spamhaus.org
reject-missing-sender-mx
reject-empty-rdns
reject-unresolvable-rdns
reject-ip-in-cc-rdns
reject-identical-sender-recipient

On 18.03.2014 11:18, Marc Gregel wrote:

Arne, maybe you can try to set log-level=debug and watch the mail-log for useful infos...

2014-03-18 10:02 GMT+01:00 Arne.Metzger mo...@foni.net:

Ok, problem must be spamdyke. I removed spamdyke from smtp_psa and smtps_psa and auth works fine. So, where is my misconfiguration?

On 18.03.2014 08:25, Arne.Metzger wrote:

Hi Folks, no hints? I am still confused about this issue, since all worked perfect since monday...

On 17.03.2014 15:54, Arne.Metzger wrote:

Here are my config files, I use two spamdyke-configs, one for tls and one for non-tls

spamdyke5tls.conf

#general
log-level=verbose
qmail-rcpthosts-file=/var/qmail/control/rcpthosts
tls-certificate-file=/var/qmail/control/servercert.pem
max-recipients=20
idle-timeout-secs=100
greeting-delay-secs=5
smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
smtp-auth-level=ondemand
tls-level=smtps
filter-level=normal
config-dir=/var/qmail/spamdyke/config.d
policy-url=http://www.shjjv.de/Spamfilter.547.0.html
recipient-validation-command=/usr/local/bin/spamdyke5-qrv

#blacklist, whitelist
ip-blacklist-file=/var/qmail/spamdyke/blacklist_ip
ip-whitelist-file=/var/qmail/spamdyke/whitelist_ip
sender-blacklist-file=/var/qmail/spamdyke/blacklist_senders
recipient-blacklist-file=/var/qmail/spamdyke/blacklist_recipients
sender-whitelist-file=/var/qmail/spamdyke/whitelist_sender
rdns-blacklist-file=/var/qmail/spamdyke/blacklist_rdns
rdns-whitelist-file=/var/qmail/spamdyke/whitelist_rdns
header-blacklist-file=/var/qmail/spamdyke/blacklist_headers

#graylist
graylist-dir=/var/qmail/spamdyke/graylist
graylist-level=always-create-dir
graylist-min-secs=300
graylist-max-secs=604800
graylist-exception-ip-file=/var/qmail/spamdyke/graylist-exception-ip
graylist-exception-rdns-file=/var/qmail/spamdyke/graylist-exception-rdns

#rdns
ip-in-rdns-keyword-blacklist-file=/var/qmail/spamdyke/blacklist_keywords
#reject-missing-sender-mx
reject-sender=no-mx
#reject-sender=not-local
#reject-sender=authentication-domain-mismatch
reject-empty-rdns
reject-unresolvable-rdns
reject-ip-in-cc-rdns
#reject-identical-sender-recipient
reject-recipient=same-as-sender
reject-recipient=invalid

#dns
dns-blacklist-file=/var/qmail/spamdyke/blacklist_rbl
#dns-blacklist-entry=ix.dnsbl.manitu.net
#dns-blacklist-entry=zen.spamhaus.org
#dns-blacklist-entry=dnsbl-1.uceprotect.net
#dns-blacklist-entry=bl.spamcannibal.org
Re: [spamdyke-users] Mails with Wildcard Recipient
I'm really sorry I haven't been able to get to spamdyke issues lately, let me see if I can catch up... Is *@domain.tld being logged as the recipient in the spamdyke logs? Or are you seeing that as the To line in the message header? If it's in the logs, you should be able to just add *@domain.tld to your recipient blacklist file -- spamdyke doesn't use * as a wildcard character, so it will interpret that entry literally and block it. If it's in the message header, you should be able to stop it using the header blacklisting feature; you'll just have to be sure to escape the * character so it doesn't match every recipient.

-- Sam Clippinger

On Mar 21, 2014, at 10:40 AM, Lutz Petersen l...@shlink.de wrote:

Hi, today we got some astonishing Mails - such Recipients: *@domain.tld Does anyone know how to prevent this ? Lutz Petersen
Re: [spamdyke-users] No TLS with openssl elliptic curve cipher suites / pfs perfect forward secrecy
I'm really sorry I haven't been able to get to spamdyke issues lately, let me see if I can catch up... I'll update the docs, thanks for the tip! As for how the key size of the DH key relates to well, anything at all, I honestly have no idea. The OpenSSL documentation is extremely frustrating to use -- I suspect it was only written because someone was told you can't go home until you write some docs, not because they actually intended to convey any useful information (or confidence in their product). The only man page I found even slightly helpful was this one: https://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html

Anyway, the key length parameter you're seeing in the qmail patch is used when the callback function is used (SSL_CTX_set_tmp_dh_callback()). When OpenSSL uses the supplied callback, it provides the key length as a parameter. The examples on the OpenSSL site (and the qmail patch) use the key length to choose a PEM file. spamdyke doesn't use that function, it uses SSL_CTX_set_tmp_dh() instead, which allows it to provide a DH key when the TLS session is created. Avoiding the callback is (very slightly) less efficient but simplifies spamdyke's code (and configuration) quite a bit. But from what I can grok from the OpenSSL docs, the key spamdyke loads is not used directly for securing the connection; it's used for creating the key that actually does secure the connection (through a magical, completely unexplained process). I'm not sure the client ever sees the DH key used by spamdyke, I think it's used as a seed for the ephemeral key. Or maybe for signing the ephemeral key. Or something else only OpenSSL coders understand. If you can figure it out, I'd love to know how it works.

In my testing, running openssl from the command line will connect to spamdyke using DH ephemeral keys when spamdyke's DH key is 2048 bits. Of course, most of my testing has been done by connecting to/from the same box, obviously running the same version of OpenSSL. It would be interesting to try running spamdyke with different sizes of DH keys to/from different hosts to see if/when the connections fail. It may also be possible to provide a bunch of different keys in the same file by simply concatenating them -- the PEM format allows that.

As for the list of default ciphers, my understanding is that the list is created when OpenSSL is compiled, so it can be different for each distro/update/host. So there is no standard list, though there are some very common ciphers that are probably in everyone's default list. The only way to find your server's default list is to run openssl ciphers from the command line.

-- Sam Clippinger

On Mar 28, 2014, at 1:47 PM, Eric Shubert e...@shubes.net wrote:

Marc (& Sam), Would you please elaborate a little on this? I'm trying to straighten things up on QMail-Toaster and could use a little help. I'm far from an openssl expert, but I'm learning. ;) The qmail TLS patch that's presently in place (Frederik Vermeulen - qmail-tls 20060104 http://inoa.net/qmail-tls/) is a little outdated. It has provisions for rsa512.pem along with dh512.pem and dh1024.pem files. I see that rsa key exchange is now disabled by default, so that code is dead. I'm wondering though about dh512.pem vs dh1024.pem files. These are generated by the openssl dhparam command for the respective key lengths. From the patch code, I see that a key length parameter is given to the callback function, which controls which pem file is used.
Here's the callback function from the patch: +DH *tmp_dh_cb(SSL *ssl, int export, int keylen) +{ + if (!export) keylen = 1024; + if (keylen == 512) { +FILE *in = fopen(control/dh512.pem, r); +if (in) { + DH *dh = PEM_read_DHparams(in, NULL, NULL, NULL); + fclose(in); + if (dh) return dh; +} + } + if (keylen == 1024) { +FILE *in = fopen(control/dh1024.pem, r); +if (in) { + DH *dh = PEM_read_DHparams(in, NULL, NULL, NULL); + fclose(in); + if (dh) return dh; +} + } + return DH_generate_parameters(keylen, DH_GENERATOR_2, NULL, NULL); +} I'm at a loss determining where this keylen comes from. I'm not finding where it's set or determined. I'm also wondering, should 2048 and 4096 key lengths also be included? They are mentioned in the man page (http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html) Notes section, but not in the code examples found there. How are the multiple key lengths implemented (distinguished) in the tls-dhparams-file option of the spamdyke configuration? Thanks for your help with this. I'm learning a lot. P.S. Sam, the documentation refers to openssl dhparams. Should be openssl dhparam (no S in dhparam). P.P.S. Sam, the documentation says the default list of ciphers is usually fine. What *is* the default list? Same as what the openssl ciphers command returns
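Review bot: the line `+ if (!export) keylen = 1024;` at the top of tmp_dh_cb() answers the question about 2048 and 4096: for every non-export cipher suite the callback discards the length OpenSSL asked for and always serves dh1024.pem, so adding dh2048.pem or dh4096.pem branches below it would be dead code until that assignment honours keylen (or is dropped in favour of one parameter set loaded once at startup). The 512-bit branch is only reached for export-grade suites, which should be disabled in the cipher list rather than supported with a control file. The fallthrough `+ return DH_generate_parameters(keylen, DH_GENERATOR_2, NULL, NULL);` also runs whenever a PEM file is missing or unreadable, which generates fresh safe-prime parameters inside that connection's TLS handshake; that takes seconds to minutes and repeats for every affected connection, so a missing control file becomes a per-connection stall instead of a logged error. Returning NULL (failing the handshake) with a log line would be safer. Note also that the fopen() arguments appear here as `fopen(control/dh512.pem, r)` with no string quotes; that is likely lost in the paste, but worth checking against the real patch file before applying.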
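To make concrete what a dhparam file does and does not contain, here is an added pure-Python sketch of ephemeral Diffie-Hellman as TLS uses it (it is not spamdyke's code, not the qmail patch's, and not an OpenSSL call): the file handed to SSL_CTX_set_tmp_dh() supplies only the public parameters (p, g); each connection draws a fresh private exponent; only g^x mod p crosses the wire, so the client sees the parameters in the clear and the stored file is never a "seed" for the secret. The safe-prime search stands in for `openssl dhparam` (which is why generating parameters is slow and is done once, offline), and the bit sizes are toy values so it runs quickly.

```python
"""Ephemeral Diffie-Hellman over a safe prime, modelled on TLS DHE (added example)."""
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n, rounds=24):
    """Miller-Rabin test; adequate for a demonstration, not for production parameters."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_dh_params(bits):
    """Stand-in for 'openssl dhparam': find a safe prime p = 2q + 1 and use g = 2.
    This is the slow step, and its result is public: (p, g) is all a dhNNNN.pem holds."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1   # odd, full length
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, 2


def dh_keypair(p, g):
    """One fresh ephemeral exponent per connection; the private value never leaves the host."""
    x = 2 + secrets.randbelow(p - 3)
    return x, pow(g, x, p)


def dh_shared_secret(p, peer_public, own_private):
    """Derive g^(xy) mod p, rejecting degenerate peer values (0, 1, p-1) as real stacks must."""
    if not 2 <= peer_public <= p - 2:
        raise ValueError("invalid DH public value")
    return pow(peer_public, own_private, p)


def dhe_handshake(p, g):
    """Simulate one TLS-style DHE exchange and return what went over the wire plus
    the secret each side derived. Only p, g and the two public values are transmitted
    (ServerKeyExchange carries p, g, server_pub; ClientKeyExchange carries client_pub)."""
    server_priv, server_pub = dh_keypair(p, g)
    client_priv, client_pub = dh_keypair(p, g)
    wire = {"p": p, "g": g, "server_pub": server_pub, "client_pub": client_pub}
    server_secret = dh_shared_secret(p, client_pub, server_priv)
    client_secret = dh_shared_secret(p, server_pub, client_priv)
    return wire, server_secret, client_secret


if __name__ == "__main__":
    params = generate_dh_params(64)      # toy size; real deployments use 2048+ bits
    wire, s_sec, c_sec = dhe_handshake(*params)
    print("shared secret agrees:", s_sec == c_sec)
    print("same params, second connection, different secret:",
          dhe_handshake(*params)[1] != s_sec)
```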
Re: [spamdyke-users] modifying way that filters are shown in log files
If the earlytalker filter actually blocks a connection, you should see a DENIED_EARLYTALKER message in the log. Are you sure that connection isn't whitelisted or authenticating? Either of those things would prevent the earlytalker filter from actually blocking the connection.

-- Sam Clippinger

On Mar 11, 2014, at 10:04 PM, Shane Bywater sh...@apexia.ca wrote:

Hi, I'm running Spamdyke 4.3.1 on a CentOS 6 server. I've been successfully using spamdyke along with fail2ban to block IPs with the following characteristics: missing RDNS and RDNS containing IP address. In the maillog files I see the following:

Aug 24 04:14:42 server spamdyke[20879]: FILTER_IP_IN_CC_RDNS ip: 186.52.196.7 rdns: r186-52-196-7.dialup.adsl.anteldata.net.uy
Aug 24 04:14:42 server spamdyke[20879]: DENIED_IP_IN_CC_RDNS from: birgitta.weh...@vll.ca to: u...@domain.com origin_ip: 186.52.196.7 origin_rdns: r186-52-196-7.dialup.adsl.an
Aug 24 04:15:07 server spamdyke[23813]: FILTER_RDNS_MISSING ip: 117.207.23.39
Aug 24 04:15:07 server spamdyke[23813]: DENIED_RDNS_MISSING from: 73a8...@enerdeco.nl to: u...@domain.com origin_ip: 117.207.23.39 origin_rdns: (unknown) auth: (unknown)
Aug 24 04:21:33 apexia spamdyke[25574]: FILTER_EARLYTALKER delay: 5
Aug 24 04:21:33 apexia /var/qmail/bin/relaylock[25582]: /var/qmail/bin/relaylock: mail from 101.208.35.161:51645 (not defined)

My fail2ban configuration file contains:

[Definition]
failregex = spamdyke.+: DENIED_RDNS_MISSING from:.+origin_ip: <HOST>
            spamdyke.+: DENIED_IP_IN_CC_RDNS from:.+origin_ip: <HOST>
            spamdyke.+: FILTER_EARLYTALKER delay: 5.+from <HOST> --not working
ignoreregex =

My issue is I now want to start banning IPs that set off the FILTER_EARLYTALKER filter but as there is no corresponding DENIED_EARLYTALKER from: x...@yyy.com to u...@domain.com origin_ip: 111.222.333.444 I cannot figure out the proper failregex expression to match the existing format for FILTER_EARLYTALKER nor do I know how to change spamdyke to show a familiar DENIED_EARLYTALKER ... heading in the maillog which I could determine the proper failregex for. If anyone can provide me with some suggestions that would be appreciated.

Regards, Shane Bywater
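The two messages in this thread turn on one detail of spamdyke's log format: FILTER_* lines only say that a filter fired, while the DENIED_*/ALLOWED/TIMEOUT summary line is the one that carries origin_ip, so a failregex can only ban from the summary line. The following is an added example (not spamdyke's or fail2ban's code) that parses constructed sample lines modelled on the ones quoted above, using documentation IP addresses, and applies fail2ban-style patterns with a simplified stand-in for fail2ban's <HOST> expansion; it also shows that a DENIED_EARLYTALKER line in the form spamdyke writes it matches the same pattern shape as the other DENIED lines.

```python
"""Matching spamdyke log lines the way a fail2ban failregex would (added example)."""
import re

# fail2ban-style patterns; <HOST> is fail2ban's placeholder for the address to ban.
# The third pattern is the DENIED_EARLYTALKER line as spamdyke writes it when the
# filter really rejects a connection.
FAILREGEX = [
    r"spamdyke\[\d+\]: DENIED_RDNS_MISSING from: .+ origin_ip: <HOST>",
    r"spamdyke\[\d+\]: DENIED_IP_IN_CC_RDNS from: .+ origin_ip: <HOST>",
    r"spamdyke\[\d+\]: DENIED_EARLYTALKER from: .+ origin_ip: <HOST>",
]

# Simplified stand-in for fail2ban's <HOST> expansion (fail2ban's own is stricter).
HOST_TAG = r"(?P<host>[0-9A-Fa-f.:]+)"

EVENT_RE = re.compile(r"spamdyke\[(?P<pid>\d+)\]: (?P<event>[A-Z_]+)(?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+): (\S+)")

# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG = [
    "Aug 24 04:15:07 mx spamdyke[23813]: FILTER_RDNS_MISSING ip: 192.0.2.10",
    "Aug 24 04:15:07 mx spamdyke[23813]: DENIED_RDNS_MISSING from: sender@example.net "
    "to: user@example.com origin_ip: 192.0.2.10 origin_rdns: (unknown) auth: (unknown)",
    "Aug 24 04:21:33 mx spamdyke[25574]: FILTER_EARLYTALKER delay: 5",
    "Aug 24 04:21:34 mx spamdyke[25574]: DENIED_EARLYTALKER from: sender@example.org "
    "to: user@example.com origin_ip: 192.0.2.20 origin_rdns: (unknown) auth: (unknown) "
    "encryption: (none) reason: (empty)",
    "Aug 24 04:30:00 mx spamdyke[26001]: ALLOWED from: friend@example.edu "
    "to: user@example.com origin_ip: 192.0.2.30 origin_rdns: mail.example.edu "
    "auth: (unknown) encryption: TLS reason: 250_ok",
]


def parse_spamdyke_event(line):
    """Split a syslog line into the spamdyke event name and its 'key: value' fields.
    Returns None for lines not written by spamdyke. FILTER_* lines carry no origin_ip;
    only the DENIED_*/ALLOWED/TIMEOUT summary lines identify the remote host."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    return {"pid": int(m.group("pid")), "event": m.group("event"),
            "origin_ip": fields.get("origin_ip"), "fields": fields}


def compile_failregex(patterns):
    """Expand the <HOST> tag into a named group, as fail2ban does before matching."""
    return [re.compile(p.replace("<HOST>", HOST_TAG)) for p in patterns]


def hosts_to_ban(log_lines, patterns=FAILREGEX):
    """Return the hosts that would trip a jail with these patterns, in log order."""
    compiled = compile_failregex(patterns)
    hits = []
    for line in log_lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits.append(m.group("host"))
                break
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        ev = parse_spamdyke_event(line)
        print(f"{ev['event']:<22} origin_ip={ev['origin_ip']}")
    print("ban:", hosts_to_ban(SAMPLE_LOG))
```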
Re: [spamdyke-users] RBLs
I only use b.barracudacentral.org, zen.spamhaus.org and fresh.spameatingmonkey.com, plus my private list that's generated by the hunter_seeker script. My logs from just today show Barracuda is responsible for 90% of the RBL rejections. Spamhaus generated 10% and Spam Eating Monkey is 0%. My private list has blocked about 4.5 times more connections today than the DNS RBLs.

Lutz, I don't understand your animosity towards Barracuda Central, but my own experience has shown it's a very effective list. Looking at the to/from addresses on the connections it's blocked today, I'd say those connections were all spam. When I install a new server for a customer and they begin complaining about spam, I add b.barracudacentral.org and the complaints stop. When one of my customers' email accounts is compromised and used for sending spam, Barracuda is usually the second RBL to notice (CBL is almost always first). When I request delisting, it's usually done within a few hours. Obviously your experience has been different, but I have no complaints.

-- Sam Clippinger

On Mar 9, 2014, at 8:30 AM, Gary Gendel g...@genashor.com wrote:

I tend to agree. The lists I've chosen have been the result of many years of tuning. Actually shlink.org wasn't even in my radar and isn't on many of the multi-rbl test sites so I need to test it. I'd be curious to hear about Sam's blacklist setup. Gary

On 03/09/2014 09:24 AM, Dossy Shiobara wrote:

Again, as I said: this is from my own personal experience, but after having started using since 2 Dec 2013, it's consistently been giving good results, and I have yet to encounter a single false positive. I'm not saying anyone else should use the DNSBL, but I will say that anyone who blindly listens to my or your assertions without doing their own testing ... gets exactly what they deserve.

On 3/9/14 3:54 AM, Lutz Petersen wrote:

Funny, based on my own empirical evidence, Barracuda Central's DNSBL yields the best results.

99% of these hits are false positives: 6956 81.35% b.barracudacentral.org You are talking simply nonsense !
Re: [spamdyke-users] spamdyke segfaulting on auth
Sorry it took so long to respond to this one... What OS are you on? Does this happen every time, or just for some connections? If you can reproduce it reliably, it'd be very helpful if you could recompile spamdyke with excessive output (./configure --with-excessive-output) and run it with the full-log-dir option enabled to capture the full log of everything that's happening. That log would show everything about how spamdyke is configured, the environment, inputs and outputs, etc. I could use that to reproduce the problem and find the bug.

-- Sam Clippinger

On Feb 26, 2014, at 1:12 PM, Steve Cole co...@itconsul.com wrote:

Testing auth, I set up the following tcpserver line:

/usr/bin/tcpserver -R -H -c 400 -g 65534 -u 89 1X9.2XX.2.XX 125 /usr/local/bin/spamdyke-5.0.0 -lexcessive --log-target stderr -f /etc/spamdyke.conf.v5 /var/qmail/bin/qmail-smtpd /var/vpopmail/bin/vchkpw /bin/true

Not using qmail-smtpd patch for auth, attempting to use spamdyke for auth. This line works great for 4.3.1 and has been in production for years on the same system. I did the testing from a shell to open a new port and use it. TLS connects fine and if I use a tcp relay IP file (-x option to tcpserver) then everything proceeds normally, so it's not TLS causing the segfault AFAICT. Here's the specific segfault:

Feb 26 14:02:56 kernel: spamdyke-5.0.0[10230]: segfault at 1 ip 7fa9661de244 sp 7fffcc40cdf0 error 4 in libc-2.17.so[7fa966193000+1a3000]

The binary is made with ./configure --enable-tls with debug and config-test on (4.3.1 naturally has them turned off for binary size decrease but works either way).
Re: [spamdyke-users] RBLs
Honestly, the RBL that seems to do the most good these days for me is the Barracuda Central list (b.barracudacentral.org). I also use Spamhaus, Spamcop and Spam Eating Monkey, but together those three don't catch even a tenth of what Barracuda catches.

-- Sam Clippinger

On Mar 6, 2014, at 6:05 PM, BC bc...@purgatoire.org wrote:

One of the RBLs I'm using is bl.mailspike.net. Today they started listing an IP which 100 other blacklists don't have listed. Then it delisted it, then it put it back, then delisted it again - all over the course of a couple of hours. Now blacklisted again. What other free, RBL services are you guys using?
Re: [spamdyke-users] timeout results in duplicates
I think I understand. You're using simscan to run ClamAV and SpamAssassin during the delivery process, so the message will be rejected immediately if either of those tests fails. If one of the tests takes too long, spamdyke times out. Unfortunately I still don't see how to do anything about this. The scanner must be being started after the mail client finishes sending the message data and before qmail responds with 250 to indicate it was accepted. From spamdyke's point of view, there's no way it can tell why the data stopped flowing or why there's been no response from qmail -- it could be due to a slow scanner, a failing hard drive, high load, low memory, a blocked filesystem call or a million other reasons. There's just no way to determine if the delay will end soon or ever -- if something is deadlocked it's possible there will never be any response. Linux systems can get into exactly that situation when an NFS server disappears, for example.

I would like to eventually add hooks to spamdyke to call external filters like SpamAssassin, so it could trigger these scans itself instead of using simscan to do it. If that were done, spamdyke would be able to close/kill SpamAssassin if it took too long, then continue accepting the message. Until that day however, I think the only solution is to increase your idle timeout setting.

-- Sam Clippinger

On Feb 8, 2014, at 4:34 PM, Eric Shubert e...@shubes.net wrote:

On 02/08/2014 02:40 PM, Sam Clippinger wrote:

I'm a little unclear here -- what scanning are you doing and when does it take place?

I'm not crystal clear either about exactly how everything's happening. Simscan is invoking clamav and spamassassin. Simscan is implemented via QMAILQUEUE=/var/qmail/bin/simscan.

How can spamdyke tell the difference between a delay caused by something on your server versus a delay from the remote sender?

I've no idea. I'm guessing that simscan isn't given control until the message is completely received. It's at that point, when the message has been completely received but not yet queued, that I think the idle timeout should be disabled. The problem appears to be that when spamdyke does idle timeout, the qmail-queue process can still successfully deliver a message (when it's past the point described above). spamdyke should only initiate a timeout when it can (still) keep a message from being delivered. Here's a sample from the log which might make things a little clearer:

02-07 14:15:14 tcpserver: status: 1/100
02-07 14:15:14 tcpserver: pid 19001 from 70.58.xxx169
02-07 14:15:14 tcpserver: ok 19001 tacs-mail.datamatters.us:192.168.73.7:25 :70.58.xxx.169::44872
02-07 14:15:23 CHKUSER accepted sender: from x...@x.com:: remote ..com:unknown:70.58.xxx.169 rcpt : sender accepted
02-07 14:15:23 CHKUSER accepted any rcpt: from x...@.com:: remote ..com:unknown:70.58.xxx.169 rcpt x...@.com : accepted any recipient for this domain
02-07 14:15:23 policy_check: remote x...@.com - local x...@.com (UNAUTHENTICATED SENDER)
02-07 14:15:23 policy_check: policy allows transmission
02-07 14:16:25 spamdyke[19001]: TIMEOUT from: x...@.com to: x...@.com origin_ip: 70.58.xxx.169 origin_rdns: .com auth: (unknown) encryption: TLS reason: TIMEOUT
02-07 14:17:58 simscan:[19002]:CLEAN (5.50/12.00):154.6404s:***SPAM*** Fwd_ 70.58.xxx.169:x...@.com:x...@.com
02-07 14:17:58 tcpserver: end 19001 status 0

Usually, the simscan message comes before spamdyke. BL is that the message is delivered, and the sender is notified of a failure, causing duplicates in the inbox. Thanks Sam. Gotta run.

-- Sam Clippinger

On Feb 7, 2014, at 4:37 PM, Eric Shubert e...@shubes.net wrote:

With spamdyke 4.3.1, I've come across an email which takes an inordinate amount of time to scan, for whatever reason. I had idle-timeout=60, so spamdyke would timeout the session, and a minute or so later the scan completes, and the message is delivered. This causes duplicates though, as the sender isn't aware of the successful delivery. I've bumped up the idle-timeout to 180, which I expect will remedy the situation. I wonder, though, if this setting could or should be suspended during the time which spamdyke is waiting for delivery to happen. Perhaps there should be 2 settings - one for the incoming side and one for the delivery side? I like keeping this setting on the low side to keep senders from tying up incoming processes, yet the setting doesn't seem to make any sense when waiting for scanning/delivery, especially when spamdyke can't cancel that part of things. Thanks Sam.

-- -Eric 'shubes'
Re: [spamdyke-users] Exempt Domain from RDNs Checks
Yes, this is completely possible. The feature you're looking for is a configuration directory -- it'll let you turn different options on or off for different domains (and other conditions). http://www.spamdyke.org/documentation/FAQ.html#FEATURE8

-- Sam Clippinger

On Feb 7, 2014, at 4:23 PM, Denny Jones lhweb...@aol.com wrote:

My understanding of the RDNS whitelist options is that it allows for allowing/denying the SENDING domain. I need to make an entire domain that is hosted on MY mail server not use RDNS checks for incoming mail while keeping other domains I host intact. Is this possible? Thanks, Denny
Re: [spamdyke-users] The order of things
That's a tricky issue. The short answer is the list given here: http://spamdyke.org/documentation/FAQ.html#FEATURE1

The longer answer is that spamdyke will continue running as long as it needs to, in order to determine that no whitelists are going to be matched. For example, if you use a recipient whitelist, spamdyke needs to keep running until the recipient(s) are given, just in case a whitelisted one is used. Otherwise, rejecting the connection because of a missing rDNS name might block someone who should be allowed to connect. That being said, once a filter has been triggered, the remaining filters are skipped. So if the missing rDNS filter is going to reject the connection but is forced to wait until the recipient(s) are given, the RBL filters won't run at all.

-- Sam Clippinger

On Feb 5, 2014, at 3:50 AM, Lawrence spamdyke.ad...@freeman.me.uk wrote:

Morning Sam. What order do the filters run in? Your set order? Or do they get processed in the order they are in the config file? The reason I ask is that I would like to process the blacklists first, before the RBLs, as it will save some time. Regards Lawrence
Re: [spamdyke-users] TLS reason: TIMEOUT
I apologize for taking so long to reply to your message, I didn't see it until this morning and didn't have time to respond until now. Could you provide a link to the thread you read? I don't remember it offhand and searching my email archives for timeout turns up hundreds of messages.

As far as requiring TLS from your mail clients but not other servers, I'm not sure how you can do that. How can spamdyke tell the difference between a mail client and a remote server? If you're just talking about authentication, you could configure spamdyke to block authentication on port 25 connections (smtp-auth-level=none), which would force your users to use port 587 in order to authenticate, but that still wouldn't force them to use TLS. Maybe if you blocked authentication on port 25, turned off port 587, then required authentication on port 465 where SSL is mandatory, that might work. I can't imagine your helpdesk staff would thank you for that change though. I'm already planning to add a filter to a future version to block authentication unless SSL/TLS is in use, but I can't give you an ETA on that.

-- Sam Clippinger

On Feb 3, 2014, at 8:05 PM, Bruce Schreiber bschrei...@max.md wrote:

Problem: TLS reason: TIMEOUT

I read an old thread on this problem, but did not see a solution. What was the outcome?

# spamdyke -v
spamdyke 4.3.1+TLS+CONFIGTEST+DEBUG (C)2012 Sam Clippinger, samc (at) silence (dot) org
http://www.spamdyke.org/
Use -h for an option summary or see README.html for complete option details.

# uname -a
Linux rs6.max.md 2.6.18-194.17.1.el5 #1 SMP Mon Sep 20 07:12:06 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux

In spamdyke.config
tls-level=smtp
tls-certificate-file=/var/qmail/control/servercert.pem

Also, I am confused about one thing. We want to require TLS for SMTP between QMAIL and the mail client. We do not care about TLS from QMAIL to another Mail server. If I turn off the SPAMDYKE tls-level, and leave the tls patch in QMAIL will the client side TLS still work and the timeout go away?

Bruce

-- Bruce B Schreiber CTO, MaxMD 2200 Fletcher Ave, 5th Floor Fort Lee, NJ 07024 201 963 0005 office 917 532 4995 cell bschrei...@max.md www.max.md www.mdEmail.md
Re: [spamdyke-users] No TLS with 5.0.0
I'm not sure... are you getting any errors from spamdyke in the server's mail log? Also, if you run spamdyke -v on the server, does the version number show +TLS? Could you post your spamdyke config file? Does anything different happen if you try the same test from a different host (e.g. so it's not localhost:25 but mail.domain.com:25)? It works fine on my server on both port 25 (TLS) and port 465 (SSL), not that that helps. :)

-- Sam Clippinger

On Feb 3, 2014, at 3:05 PM, Marc Gregel m...@gregel.net wrote:

Hi there, after upgrading from 4.3.1 to 5.0.0 I can't use TLS anymore: (TLS-LEVEL=SMTP) No idea where to start the debug, because when I switch back to 4.3.1 everything works fine again. I tried the Version with MYSQL from @Haggy too - same problem, same error. That's the output:

openssl s_client -starttls smtp -connect localhost:25
CONNECTED(0003)
didn't found starttls in server response, try anyway...
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 369 bytes and written 354 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Any idea anyone?
Re: [spamdyke-users] Invalid recipient returned for .qmail-user files
Yes, I'm sorry I forgot to mention the recompiling. I get so used to having spamdyke compiled with excessive output that I tend to forget most people don't compile that way. :)

But you're 100% correct -- it's definitely a big bug. I'll get that fixed pronto! Until then, I'd have to recommend everyone NOT use the spamdyke-qrv program for recipient validation.

-- Sam Clippinger

On Feb 3, 2014, at 10:10 AM, Stephen Marley <step...@nxds.com> wrote:

> Hi Sam
>
> I've done some more testing on the problem I have and it seems that if a .qmail-user file contains an external forwarding address, then spamdyke-qrv looks for the external domain in the virtualdomains file, which it doesn't find, and returns invalid address. Is there something I need to do to make this work?
>
> BTW, I had to reconfigure spamdyke-qrv with "--with-excessive-output" and use -vv to get any debug information. I'm not sure if that's what you intended: I would have thought -vv should work with no configuration options. Also a single -v doesn't generate any extra output.
>
> In any case, here is some edited debug output from an example:
>
>     $ cat .qmail-bob
>     b...@someremotedomain.com
>
>     # spamdyke-qrv -vv example.com bob
>     QRV-EXCESSIVE(read_file()@fs-qrv.c:370): opened file for reading: /home/e/x/example/.qmail-bob
>     QRV-EXCESSIVE(read_file()@fs-qrv.c:390): read 27 bytes from /home/e/x/example/.qmail-bob, line 1: b...@someremotedomain.com
>     ...
>     QRV-EXCESSIVE(validate()@validate-qrv.c:350): did not find recipient domain someremotedomain.com in virtualdomains file /var/qmail/control/virtualdomains
>     ...
>     QRV-EXCESSIVE(validate@validate-qrv.c:900): INVALID RECIPIENT recipient: b...@example.com resolved username: example-bob
>
> Stephen
>
> From: spamdyke-users-boun...@spamdyke.org [mailto:spamdyke-users-boun...@spamdyke.org] On Behalf Of Sam Clippinger
> Sent: 02 February 2014 19:45
> To: spamdyke users
> Subject: Re: [spamdyke-users] Invalid recipient returned for .qmail-user files
>
> Try running spamdyke-qrv with a -vv flag (two verbose levels). It will show exactly which files it's parsing and how it's proceeding through the flowchart (in the documentation folder). If you have any trouble interpreting the output (it is very verbose), feel free to send it to me privately.
>
> -- Sam Clippinger
>
> On Feb 1, 2014, at 5:05 PM, Stephen Marley <step...@nxds.com> wrote:
>
>> Hi
>>
>> I've just installed Spamdyke 5.0.0 and the spamdyke-qrv program is incorrectly returning invalid recipient for addresses with .qmail- files that forward to other valid addresses.
>>
>> For example:
>>
>> /home/e/x/example is home directory for example.com with .qmail-bob file owned by root containing a valid forward address.
>> /home/e/x/example/users/alice contains Maildir folder
>>
>>     spamdyke-qrv example.com alice
>>
>> returns 1 (valid)
>>
>>     spamdyke-qrv example.com bob
>>
>> returns 2 (invalid)
>>
>> How can I find out what's going wrong?
>>
>> Stephen
Re: [spamdyke-users] denied rdns filter messages
You're right about the first one (164.177.131.207) -- the rDNS name exists, so the reject-empty-rdns filter doesn't stop it. But the rDNS name doesn't have an A record, so the reject-unresolvable-rdns filter blocks it. Unless I'm missing something, this is how those filters are supposed to work.

From my testing, the second example you gave (38.127.167.2) seems to work. spamdyke chases down the CNAME correctly and finds rodan.lastpass.com. That name has an A record, so it should work. Was that scenario a one-time rejection or does it happen every time?

If you want an easy way to see exactly what spamdyke's doing, you can run these tests from the command line without having to wait for those servers to reconnect. First, recompile spamdyke with excessive output:

    ./configure --with-excessive-output
    make

(You don't have to install the new binary, you can just run it where it is.) Then, set your IP address to the one you want to test (assuming a bash shell here):

    export TCPREMOTEIP=164.177.131.207

Then start the recompiled spamdyke from the command line. It'll do all of its rDNS lookups before it expects any input, so you can just hit CTRL-C when you see the 220 greeting from qmail:

    ./spamdyke --log-target stderr -lexcessive -r -R /var/qmail/bin/qmail-smtpd

Most of the output will be from the DNS code -- you should be able to see exactly what packets spamdyke sends to which nameservers and what the responses are.

-- Sam Clippinger

On Feb 3, 2014, at 7:09 AM, Lawrence <spamdyke.ad...@freeman.me.uk> wrote:

> Gents.
>
> I have also been troubleshooting a couple of legitimate hosts that are being blocked. Just to clarify my process can I test the following with the group?
>
> Scenario A
>
> I think this is a valid denied.
>
> LOG section:
>
>     Jan 28 12:01:35 flobix spamdyke[1841]: FILTER_RDNS_RESOLVE ip: 164.177.131.207 rdns: 398878-prod-batch01.oyster.tfl.gov.uk
>     Jan 28 12:01:35 flobix spamdyke[1841]: DENIED_RDNS_RESOLVE from: autorespo...@tfl.gov.uk to: xxxremove...@freeman.me.uk origin_ip: 164.177.131.207 origin_rdns: 398878-prod-batch01.oyster.tfl.gov.uk auth: (unknown) encryption: (none) reason: (empty)
>
> Here are the results of the test done manually;
>
> Reverse test
>
>     nslookup 164.177.131.207
>     RESULT
>     207.131.177.164.in-addr.arpa name = 398878-prod-batch01.Oyster.tfl.gov.uk.
>
> OKAY
>
> Forward test
>
>     nslookup 398878-prod-batch01.Oyster.tfl.gov.uk
>     RESULT
>     ** server can't find 398878-prod-batch01.Oyster.tfl.gov.uk: NXDOMAIN
>
> FAILED
>
> So I assume the denied was the followup forward after reverse? (I have emailed tfl and rackspace about their missing A records) I have temporarily whitelisted the server to receive this mail.
>
> Scenario B
>
> I think this is a false positive.
>
> Log Section:
>
>     Jan 28 21:46:05 flobix spamdyke[8024]: DENIED_RDNS_MISSING from: www-d...@lastpass.com to: xxxremove...@freeman.me.uk origin_ip: 38.127.167.2 origin_rdns: (unknown) auth: (unknown) encryption: (none) reason: (empty)
>
> Results of manual testing;
>
>     nslookup 38.127.167.2
>     RESULT
>     Non-authoritative answer:
>     2.167.127.38.in-addr.arpa canonical name = 38.127.167.2.LastPass.com.
>     38.127.167.2.LastPass.com name = rodan.LastPass.com.
>
>     nslookup rodan.LastPass.com
>     RESULT
>     Non-authoritative answer:
>     Name: rodan.LastPass.com
>     Address: 38.127.167.2
>
> Now this does resolve but to a cname record but that is quite common these days for template based dns services and might also be the case if you have a load balance mail server setup that has 2 nodes but uses a cname of mail.blablabla.com
>
> So why is this failing?
>
> My Config:
>
>     filter-level=normal
>     greeting-delay-secs=2
>     max-recipients=5
>     reject-empty-rdns
>     reject-ip-in-cc-rdns
>     reject-sender=no-mx
>     reject-unresolvable-rdns
>     dns-level=normal
>     log-level=verbose
>     #config-dir=/etc/spamdyke.d
>     idle-timeout-secs=120
>     reject-recipient=same-as-sender
>     ip-blacklist-file=/etc/spamdyke/blacklist_ip
>     recipient-blacklist-file=/etc/spamdyke/recipient_blacklist
>     sender-blacklist-file=/etc/spamdyke/sender_blacklist
>     ip-in-rdns-keyword-blacklist-entry=dynamic
>     ip-whitelist-entry=80.177.27.115
>     ip-whitelist-entry=83.244.151.218
>     ip-whitelist-file=/etc/spamdyke/whitelist_ip
>     dns-blacklist-entry=zen.spamhaus.org
>     dns-blacklist-entry=bl.spamcop.net
>     qmail-rcpthosts-file=/var/qmail/control/rcpthosts
>     dns-max-retries-primary=5
>     ip-relay-entry=80.177.27.115
>
> p.s. I have a new addition of tailing the maillog, is this normal, will it pass? :)
>
> Regards
> Lawrence
Re: [spamdyke-users] TLS reason: TIMEOUT
To my knowledge, that issue was never solved. Dossy Shiobara sent a followup here:

    https://www.mail-archive.com/spamdyke-users@spamdyke.org/msg03208.html

But nothing after that. Can you tell if your sender has anything in common with what Dossy and Ron figured out?

If you use spamdyke's full-log-dir feature to capture one of these timeouts, you'll be able to see exactly where the SMTP protocol stops. You should probably recompile spamdyke with excessive output first so you'll get as much detail as possible:

    ./configure --with-excessive-output
    make

Then replace your existing spamdyke binary with the new one.

-- Sam Clippinger

On Feb 4, 2014, at 3:34 PM, Bruce Schreiber <bschrei...@max.md> wrote:

> Sam,
>
> I found this thread on the web from 2011.
>
>     https://www.mail-archive.com/spamdyke-users@spamdyke.org/msg03120.html
>
> We are now thinking that it might not be TLS but just a timeout. Is it possible to get better granularity about what condition is timing out? I have attached my spamdyke config file for reference.
>
> Bruce
>
> On 02/04/2014 12:30 PM, Sam Clippinger wrote:
>
>> I apologize for taking so long to reply to your message, I didn't see it until this morning and didn't have time to respond until now.
>>
>> Could you provide a link to the thread you read? I don't remember it offhand and searching my email archives for "timeout" turns up hundreds of messages.
>>
>> As far as requiring TLS from your mail clients but not other servers, I'm not sure how you can do that. How can spamdyke tell the difference between a mail client and a remote server? If you're just talking about authentication, you could configure spamdyke to block authentication on port 25 connections (smtp-auth-level=none), which would force your users to use port 587 in order to authenticate, but that still wouldn't force them to use TLS. Maybe if you blocked authentication on port 25, turned off port 587, then required authentication on port 465 where SSL is mandatory, that might work. I can't imagine your helpdesk staff would thank you for that change though.
>>
>> I'm already planning to add a filter to a future version to block authentication unless SSL/TLS is in use, but I can't give you an ETA on that.
>>
>> -- Sam Clippinger
>>
>> On Feb 3, 2014, at 8:05 PM, Bruce Schreiber <bschrei...@max.md> wrote:
>>
>>> Problem: TLS reason: TIMEOUT
>>>
>>> I read an old thread on this problem, but did not see a solution. What was the outcome?
>>>
>>>     # spamdyke -v
>>>     spamdyke 4.3.1+TLS+CONFIGTEST+DEBUG (C)2012 Sam Clippinger, samc (at) silence (dot) org
>>>     http://www.spamdyke.org/
>>>     Use -h for an option summary or see README.html for complete option details.
>>>
>>>     # uname -a
>>>     Linux rs6.max.md 2.6.18-194.17.1.el5 #1 SMP Mon Sep 20 07:12:06 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux
>>>
>>> In spamdyke.config:
>>>
>>>     tls-level=smtp
>>>     tls-certificate-file=/var/qmail/control/servercert.pem
>>>
>>> Also, I am confused about one thing. We want to require TLS for SMTP between QMAIL and the mail client. We do not care about TLS from QMAIL to another Mail server. If I turn off the SPAMDYKE tls-level, and leave the tls patch in QMAIL will the client side TLS still work and the timeout go away?
>>>
>>> Bruce
>>>
>>> --
>>> Bruce B Schreiber
>>> CTO, MaxMD
>>> 2200 Fletcher Ave, 5th Floor
>>> Fort Lee, NJ 07024
>>> 201 963 0005 office
>>> 917 532 4995 cell
>>> bschrei...@max.md
>>> www.max.md
>>> www.mdEmail.md
>
> --
> Bruce B Schreiber
> CTO, MaxMD
> 2200 Fletcher Ave, 5th Floor
> Fort Lee, NJ 07024
> 201 963 0005 office
> 917 532 4995 cell
> bschrei...@max.md
> www.max.md
> www.mdEmail.md
>
> (attachment: spamdyke.config)
Re: [spamdyke-users] No TLS with 5.0.0
That particular option went away in version 5.0.0, along with a few others. It should be renamed to qmail-rcpthosts-file. The full list of backwards-incompatible changes is here:

    http://www.spamdyke.org/documentation/UPGRADING_version_4_to_version_5.txt

-- Sam Clippinger

On Feb 4, 2014, at 3:12 PM, Marc Gregel <m...@gregel.net> wrote:

> Gz... after like one million hours I found the error - telnet is my new friend. I will blame @HAGGY for the error:
>
> ===
>     telnet localhost 465
>     ...
>     ERROR(process_config_file()@configuration.c:4430): Unknown configuration file option in file /etc/spamdyke.conf on line 625: local-domains-file
>     Connection closed by foreign host.
> ===
>
> The option local-domains-file came with the MySQL-Version... not sure what it really does?! @Haggy???
>
> 2014-02-04 Sam Clippinger <s...@silence.org>:
>
>> I'm not sure... are you getting any errors from spamdyke in the server's mail log? Also, if you run "spamdyke -v" on the server, does the version number show +TLS? Could you post your spamdyke config file? Does anything different happen if you try the same test from a different host (e.g. so it's not localhost:25 but mail.domain.com:25)?
>>
>> It works fine on my server on both port 25 (TLS) and port 465 (SSL), not that that helps. :)
>>
>> -- Sam Clippinger
>>
>> On Feb 3, 2014, at 3:05 PM, Marc Gregel <m...@gregel.net> wrote:
>>
>>> Hi there,
>>>
>>> after upgrading from 4.3.1 to 5.0.0 I can't use TLS anymore: (TLS-LEVEL=SMTP)
>>>
>>> No idea where to start the debug, because when I switch back to 4.3.1 everything works fine again. I tried the Version with MYSQL from @Haggy too - same problem, same error.
>>>
>>> That's the output:
>>>
>>>     openssl s_client -starttls smtp -connect localhost:25
>>>     CONNECTED(0003)
>>>     didn't found starttls in server response, try anyway...
>>>     write:errno=104
>>>     ---
>>>     no peer certificate available
>>>     ---
>>>     No client certificate CA names sent
>>>     ---
>>>     SSL handshake has read 369 bytes and written 354 bytes
>>>     ---
>>>     New, (NONE), Cipher is (NONE)
>>>     Secure Renegotiation IS NOT supported
>>>     Compression: NONE
>>>     Expansion: NONE
>>>     ---
>>>
>>> Any idea anyone?
Re: [spamdyke-users] Invalid recipient returned for .qmail-user files
Try running spamdyke-qrv with a -vv flag (two verbose levels). It will show exactly which files it's parsing and how it's proceeding through the flowchart (in the documentation folder). If you have any trouble interpreting the output (it is very verbose), feel free to send it to me privately.

-- Sam Clippinger

On Feb 1, 2014, at 5:05 PM, Stephen Marley <step...@nxds.com> wrote:

> Hi
>
> I've just installed Spamdyke 5.0.0 and the spamdyke-qrv program is incorrectly returning invalid recipient for addresses with .qmail- files that forward to other valid addresses.
>
> For example:
>
> /home/e/x/example is home directory for example.com with .qmail-bob file owned by root containing a valid forward address.
> /home/e/x/example/users/alice contains Maildir folder
>
>     spamdyke-qrv example.com alice
>
> returns 1 (valid)
>
>     spamdyke-qrv example.com bob
>
> returns 2 (invalid)
>
> How can I find out what's going wrong?
>
> Stephen
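As an added illustration of the bug Stephen reports in this thread (a .qmail-user file that forwards to an external address being returned as invalid), and not spamdyke-qrv's own code: a small hypothetical recipient validator with the reported 5.0.0 behaviour beside the corrected one. The directory layout (HOME/.qmail-USER, HOME/users/USER/Maildir), the LOCAL_DOMAINS set standing in for control/virtualdomains, and the return codes 1/2 are taken from the thread's examples, not from spamdyke-qrv's actual flowchart.

```python
"""Added example, not spamdyke-qrv's own code: a minimal recipient validator
showing why a .qmail-user file forwarding to an external address must count
as valid, and what the 5.0.0 behaviour reported in this thread did instead."""
import os
import tempfile

# Constructed stand-in for /var/qmail/control/virtualdomains (domains only).
LOCAL_DOMAINS = {"example.com"}


def parse_dot_qmail(path):
    """Classify each instruction line of a .qmail file per dot-qmail(5).

    '&addr' is a forward; qmail also accepts a bare address (the thread's
    .qmail-bob has no ampersand). Paths ending in '/' are Maildirs, other
    paths are mboxes, '|' lines are programs and '#' lines are comments."""
    instructions = []
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("&"):
                instructions.append(("forward", line[1:].strip()))
            elif line.startswith("|"):
                instructions.append(("program", line[1:].strip()))
            elif line.startswith(("/", ".")):
                kind = "maildir" if line.endswith("/") else "mbox"
                instructions.append((kind, line))
            elif line[0].isalnum() and "@" in line:
                instructions.append(("forward", line))
            else:
                instructions.append(("unknown", line))
    return instructions


def validate(home, user, local_domains, reproduce_bug=False):
    """Return 1 (valid) or 2 (invalid), the exit codes quoted in the thread.

    Hypothetical layout from the thread: HOME/.qmail-USER for aliases and
    HOME/users/USER/Maildir for mailboxes. With reproduce_bug=True a forward
    whose domain is not in local_domains is rejected, as Stephen reported."""
    dot_qmail = os.path.join(home, f".qmail-{user}")
    if os.path.isfile(dot_qmail):
        for kind, value in parse_dot_qmail(dot_qmail):
            if kind in ("maildir", "mbox", "program"):
                return 1
            if kind == "forward":
                domain = value.rpartition("@")[2].lower()
                if reproduce_bug and domain not in local_domains:
                    return 2  # external domain not found in virtualdomains
                return 1      # correct: a forward is a usable delivery
        return 2  # file present but holds no delivery instruction
    if os.path.isdir(os.path.join(home, "users", user, "Maildir")):
        return 1
    return 2


def demo():
    """Build the thread's example.com home in a temp dir and run both variants."""
    with tempfile.TemporaryDirectory() as home:
        with open(os.path.join(home, ".qmail-bob"), "w", encoding="utf-8") as fh:
            fh.write("bob@someremotedomain.com\n")  # constructed forward line
        os.makedirs(os.path.join(home, "users", "alice", "Maildir"))
        return {
            "alice": validate(home, "alice", LOCAL_DOMAINS),
            "bob_fixed": validate(home, "bob", LOCAL_DOMAINS),
            "bob_5.0.0": validate(home, "bob", LOCAL_DOMAINS, reproduce_bug=True),
            "carol": validate(home, "carol", LOCAL_DOMAINS),
        }


if __name__ == "__main__":
    print(demo())
```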
Re: [spamdyke-users] RDNS WhiteList Not Working
Well, don't add the IP to the rDNS whitelist file; that won't do any good. You want to add it to the IP whitelist file instead. :)

But overall, it looks like spamdyke is having trouble reversing that IP address and it's timing out most of the time. When it times out, you get the rejection (this is exactly why spamdyke sends a temporary rejection for rDNS failures, so the remote server will try again). I would suggest looking at your DNS setup. If you aren't running a caching nameserver on your mail server, you should definitely install one and change /etc/resolv.conf to use 127.0.0.1 as the only nameserver. If you are already running a caching nameserver, you might try using the dns-timeout-secs option to increase the DNS timeouts. The default is 30 seconds, maybe try 60 and see if this problem goes away?

If all else fails, you can try recompiling spamdyke with excessive output and enabling full logging with the full-log-dir option. A full log file from one of these failed connections will show all the details of the DNS queries (packets sent, packets received), which would make it easy to figure out exactly where the failure is taking place. It easily could be a bug!

-- Sam Clippinger

On Jan 31, 2014, at 5:18 PM, Denny Jones <lhweb...@aol.com> wrote:

> Not to point directly to a bug but I have been working on this issue for quite some time so I'm pretty sure it'll keep on occurring. Also, I only pasted 2 lines from the log file. In reality there are many DENIED_RDNS_MISSING entries with a few ALLOWED entries throughout. In other words, spamdyke will reject a bunch of attempts and then allow one to come through and then go back to denying them only to allow another one later. There's no real pattern to speak of. To be clear, all the entries point to the same IP.
>
> I guess I could just add the IP to the whitelist_rdns file to fix this? My concern is that redglue might have many sending IPs and I'll have to add every one of them to the file. I'm not sure how to go about finding that information out.
>
> Thanks for the reply!
>
> -----Original Message-----
> From: Eric Shubert <e...@shubes.net>
> To: spamdyke-users <spamdyke-users@spamdyke.org>
> Sent: Fri, Jan 31, 2014 4:59 pm
> Subject: Re: [spamdyke-users] RDNS WhiteList Not Working
>
> On 01/31/2014 03:32 PM, Denny Jones wrote:
>
>> I'm using SpamDyke 4.3.1
>>
>> I have whitelisted gfoxconsulting.com in whitelist_rdns (I simply added gfoxconsulting.com to that file)
>>
>> I have the whitelist_rdns file indicated correctly in the spamdyke.conf file:
>>
>>     rdns-whitelist-file=/etc/spamdyke/whitelist_rdns
>>
>> ...but I still see this domain (gfoxconsulting.com) being rejected:
>>
>>     Jan 31 09:58:04 michael spamdyke[13182]: DENIED_RDNS_MISSING from: l...@gfoxconsulting.com to: al...@texasalliance.org origin_ip: 208.123.81.4 origin_rdns: (unknown) auth: (unknown) encryption: TLS reason: (empty)
>>
>> However on the very next log line I get:
>>
>>     Jan 31 10:08:35 michael spamdyke[15441]: ALLOWED from: l...@gfoxconsulting.com to: al...@texasalliance.org origin_ip: 208.123.81.4 origin_rdns: exch01.redglue.com auth: (unknown) encryption: TLS reason: 250_ok_1391184515_qp_15469
>>
>> What is going on here?
>>
>> Thanks,
>> Denny
>
> I think you're perhaps missing how rdns whitelisting works. rDNS is a name which is associated with an ip address. In the first instance, the rDNS record is missing, so there's no name to match to (origin_rdns = (unknown)). There's no way to use rdns whitelisting to let this one through. You'd need to whitelist something else, like either the IP address (good choice) or the sender domain (not recommended).
>
> It's possible (even likely) that someone at redglue.com discovered that there was no rdns for this IP, and it was fixed sometime before 10:08 (the missing message could have resulted from a cached lookup).
>
> It's also possible that there's an obscure bug in spamdyke. This is unlikely, but it's been known to happen occasionally with odd DNS configurations. I'd call this an odd rDNS configuration:
>
>     $ host 208.123.81.4
>     4.81.123.208.in-addr.arpa is an alias for 4.255-0.81.123.208.in-addr.arpa.
>     4.255-0.81.123.208.in-addr.arpa domain name pointer exch01.redglue.com.
>     $
>
> There's a cname record pointing to the ptr record. Usually the rdns name is a ptr record, not a cname (ttbomk). Sam will know the bottom line here.
>
> --
> -Eric 'shubes'
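The two rDNS threads above (Sam's explanation of reject-empty-rdns versus reject-unresolvable-rdns in "denied rdns filter messages", and his point here that an rDNS whitelist entry cannot match a name spamdyke never found) share one mechanism, replayed below as an added example that is not spamdyke's code. It resolves against a constructed DNS table built from the nslookup and host output quoted in both threads, so it runs offline; the CNAME-chasing resolver, the verdict names and the whitelist matching are simplified stand-ins for spamdyke's own logic, and the intermittent "(unknown)" in Denny's log (a lookup that did not answer in time) is not something a static table reproduces.

```python
"""Added example, not spamdyke's code: replay the rDNS filter decisions from
these threads offline against a constructed DNS table with CNAME chasing."""

# Constructed table standing in for live DNS: (lowercased qname, qtype) -> rdata.
# The records mirror the nslookup/host output quoted in the threads.
ZONE = {
    # Lawrence's scenario A: PTR exists, but the name has no A record.
    ("207.131.177.164.in-addr.arpa", "PTR"): ["398878-prod-batch01.oyster.tfl.gov.uk"],
    # Lawrence's scenario B: the PTR sits behind a CNAME and the name resolves.
    ("2.167.127.38.in-addr.arpa", "CNAME"): ["38.127.167.2.lastpass.com"],
    ("38.127.167.2.lastpass.com", "PTR"): ["rodan.lastpass.com"],
    ("rodan.lastpass.com", "A"): ["38.127.167.2"],
    # Eric's host output: classless in-addr.arpa delegation via CNAME.
    ("4.81.123.208.in-addr.arpa", "CNAME"): ["4.255-0.81.123.208.in-addr.arpa"],
    ("4.255-0.81.123.208.in-addr.arpa", "PTR"): ["exch01.redglue.com"],
    ("exch01.redglue.com", "A"): ["208.123.81.4"],
}


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa name queried for an IPv4 PTR record."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def lookup(name: str, qtype: str, table: dict, max_hops: int = 8) -> list:
    """Answer (name, qtype) from TABLE, following CNAMEs like a resolver does."""
    name = name.lower().rstrip(".")
    for _ in range(max_hops):
        if (name, qtype) in table:
            return table[(name, qtype)]
        cname = table.get((name, "CNAME"))
        if not cname:
            return []
        name = cname[0].lower().rstrip(".")
    return []  # CNAME loop or over-long chain: treat as no answer


def classify(ip: str, table: dict = ZONE):
    """Decide as reject-empty-rdns / reject-unresolvable-rdns would.

    Returns (verdict, rdns): 'empty' (no PTR, the DENIED_RDNS_MISSING case),
    'unresolvable' (PTR name has no A record, the DENIED_RDNS_RESOLVE case)
    or 'ok'."""
    ptr = lookup(reverse_name(ip), "PTR", table)
    if not ptr:
        return ("empty", None)
    rdns = ptr[0].lower().rstrip(".")
    if not lookup(rdns, "A", table):
        return ("unresolvable", rdns)
    return ("ok", rdns)


def whitelisted(ip: str, rdns, ip_whitelist: set, rdns_whitelist: set) -> bool:
    """Simplified whitelist check: an rDNS entry can only match a name that was
    actually found, so with rdns unknown only the IP whitelist can help."""
    if ip in ip_whitelist:
        return True
    if rdns is None:
        return False
    return any(rdns == d or rdns.endswith("." + d) for d in rdns_whitelist)


if __name__ == "__main__":
    for ip in ("164.177.131.207", "38.127.167.2", "208.123.81.4", "192.0.2.1"):
        print(ip, classify(ip))
    # Denny's failing lookups: rdns unknown, so whitelist_rdns cannot match.
    print(whitelisted("208.123.81.4", None, set(), {"gfoxconsulting.com"}))
    print(whitelisted("208.123.81.4", None, {"208.123.81.4"}, set()))
```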
Re: [spamdyke-users] Small difference in 5.0.0
That wasn't an intentional change -- I'll look into it. Thanks for reporting this!

-- Sam Clippinger

On Jan 31, 2014, at 9:40 AM, Gary Gendel <g...@genashor.com> wrote:

> Sam,
>
> Not an issue but you should mark down that 5.0.0 treats the spawned program argument differently than 4.x. In 5.0.0 I have to explicitly specify the fully qualified path to qmail-smtpd where 4.x found it in the PATH.
>
> Gary
[spamdyke-users] Off topic: Monitoring and reporting
I know many of you have the same problem I do with monitoring and reporting -- you need to collect data on pretty much everything and make it presentable (usually to a boss), but you don't have time to install the needed sensors, software, databases, etc. There's a simple solution out there: Graphstat. Easy, simple, convincing graphs are just a click away. They're really handy for display on publicly visible monitors -- everyone loves a good graph!

Anyway, check it out:

    http://www.graphstat.org/

-- Sam Clippinger
[spamdyke-users] New version: spamdyke 5.0.0
Just when you thought it was safe to go back in the water... spamdyke version 5.0.0 is now available! Get it here:

    http://www.spamdyke.org/

This version is a major update that adds 12 new options, renames 3 options and removes 5 options. The meaning of "whitelisted" is changed to allow whitelisted connections to bypass spamdyke's filters but not to automatically relay (unless allowed for some other reason). DNS searches for valid sender domains will now prioritize MX records before A records. Full recipient validation is now available. Sender addresses can be rejected if they don't match the username given during authentication (or if the domain doesn't match). Lots of bug fixes too!

Because of all the changes to spamdyke's options, version 5.0.0 is not backwards compatible with previous versions. Be sure to read the documentation before upgrading!

-- Sam Clippinger