The executable error is occurring because the script is marked setuid 
instead of just executable.  The message is incorrect -- I'll fix it in 
the next version.  However (IIRC), I don't believe the setuid bit has 
any effect on scripts in Linux environments.

The encrypted authentication failure is not a problem, as long as your 
spamdyke configuration doesn't specify encryption in the 
"smtp-auth-level" option.

spamdyke's "config-test" didn't find any problems with your TLS 
certificate but you're getting TLS errors when spamdyke actually runs... 
this looks like a permission problem to me.  Try running spamdyke's 
"config-test" feature again with the "run-as-user" flag to force 
spamdyke to use the qmaild user instead.  spamdyke will likely report it 
can't access the certificate file.

-- Sam Clippinger
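Both of Sam's points above, that the setuid bit on a script changes nothing and that the certificate problem is probably a permission problem visible only when running as qmaild, come down to which rwx triplet applies to the account that actually runs spamdyke. The following script is an added example, not spamdyke's own code and not something posted in the thread: it parses the ls -l mode strings quoted below, applies the POSIX owner/group/other class rule, and can inspect a real path as a named account would see it. The qmaild uid/gid numbers, the function names (parse_ls_mode, permission_class, assess, assess_path) and the sample cases are assumptions constructed for this example.

```python
"""Permission checks behind spamdyke's config-test messages (added example).

This is not spamdyke's code. It reproduces the POSIX "which rwx triplet
applies" rule, parses ls -l mode strings such as the ones quoted in this
thread, and can inspect a real file as a named account would see it.
The qmaild uid/gid values are constructed; the real ones are not known.
"""
import grp
import os
import pwd
import stat

ROOT_UID, ROOT_GID = 0, 0
QMAILD_UID, QMAILD_GID = 1002, 1001        # constructed ids


def parse_ls_mode(text):
    """Convert a 10-character ls -l mode string (e.g. '-rwSr-x---') to an int.

    's'/'S' in an execute slot mean setuid (owner) or setgid (group) and
    't'/'T' mean sticky; upper case means the execute bit itself is NOT set,
    which is exactly the state of the chkpw.sh wrapper in the thread.
    """
    if len(text) != 10:
        raise ValueError("expected a 10-character ls -l mode string")
    perms = text[1:]
    special = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}
    mode = 0
    for i, ch in enumerate(perms):
        bit = 1 << (8 - i)                  # 0o400 down to 0o001
        if ch in "rwx":
            mode |= bit
        elif ch in "sStT":
            mode |= special[i]
            if ch.islower():
                mode |= bit
        elif ch != "-":
            raise ValueError("unexpected character %r in mode string" % ch)
    return mode


def permission_class(mode, owner_uid, owner_gid, uid, gids):
    """Pick the single rwx triplet that applies to uid.

    Owner bits if uid owns the file, else group bits if the file's group is
    among the caller's groups, else other bits. Only one class is consulted,
    so a file can be executable for its group yet not for its owner.
    """
    if uid == owner_uid:
        return "owner", (mode >> 6) & 0o7
    if owner_gid in gids:
        return "group", (mode >> 3) & 0o7
    return "other", mode & 0o7


def assess(mode, owner_uid, owner_gid, uid, gids, is_script=False):
    """Describe what uid can do with a file of the given mode and ownership.

    Root's DAC override (uid 0 can read regardless of mode bits) is not
    modelled on purpose: the per-class rule is what the config-test output
    reports, and the difference is why it warns that a run as root may not
    reflect what the qmaild account will experience.
    """
    cls, bits = permission_class(mode, owner_uid, owner_gid, uid, gids)
    report = {
        "class": cls,
        "readable": bool(bits & 0o4),
        "executable": bool(bits & 0o1),
        "setuid": bool(mode & stat.S_ISUID),
        "notes": [],
    }
    if not report["executable"]:
        report["notes"].append(
            "%s permissions apply but %s execute bit is not set" % (cls, cls))
    if report["setuid"] and is_script:
        report["notes"].append(
            "setuid is set but Linux ignores it on interpreted scripts")
    return report


def assess_path(path, username):
    """Run assess() on a real file as the named account.

    Supplementary groups come from /etc/group; a process started through
    tcpserver -u/-g carries only the single gid given to -g, so pass that
    gid to assess() directly when you want tcpserver's view.
    """
    st = os.stat(path)
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    with open(path, "rb") as fh:
        is_script = fh.read(2) == b"#!"
    return assess(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                  pw.pw_uid, gids, is_script)


if __name__ == "__main__":
    # Modes and ownership (root:qmaild) as quoted in the thread.
    cert = parse_ls_mode("-rw-r-----")      # /etc/ssl/certs/stunnel.pem
    wrapper = parse_ls_mode("-rwSr-x---")   # /usr/bin/chkpw.sh
    cases = [
        ("stunnel.pem as qmaild", cert, QMAILD_UID, {QMAILD_GID}, False),
        ("chkpw.sh as root", wrapper, ROOT_UID, {ROOT_GID}, True),
        ("chkpw.sh as qmaild", wrapper, QMAILD_UID, {QMAILD_GID}, True),
    ]
    for label, mode, uid, gids, script in cases:
        print(label, assess(mode, ROOT_UID, QMAILD_GID, uid, gids, script))
```

On the modes quoted in the thread, chkpw.sh (-rwSr-x---) is executable for the qmaild group but not for its owner root, which is the exact condition config-test reported when run as root, and the setuid bit adds nothing because Linux ignores it on scripts. Two caveats when using assess_path for a real diagnosis: it checks only the file's own mode bits, not search permission on each parent directory, and a process started with tcpserver -u/-g has only the gid from -g (tcpserver's prot_gid sets the supplementary group list to that one gid), so compare against that gid rather than the account's /etc/group membership when reasoning about the quoted startup script.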

David Bo Jensen wrote:
> Running the config test gave me some ERRORS.  I added access-file and 
> local-domains-file to my config file
> in order to remove some of them. Here is my result but remember I was root.
>
>
> :/etc# /usr/local/bin/spamdyke -l -f /etc/spamdyke-smtps.conf --config-test-smtpauth-username user --config-test-smtpauth-password password --config-test /usr/sbin/qmail-smtpd 2>&1
> spamdyke 4.0.10+TLS+CONFIGTEST+DEBUG (C)2008 Sam Clippinger, samc (at) 
> silence (dot) org
> http://www.spamdyke.org/
>
> Use -h for an option summary or see README.html for complete option details.
>
> Testing configuration...
> WARNING: Running tests as superuser root(0), group root(0). These test 
> results may not be valid if the mail server runs as another user.
> SUCCESS: spamdyke binary (/usr/local/bin/spamdyke) is not owned by root 
> and/or is not marked setuid.
> INFO: Running command to test capabilities: /usr/sbin/qmail-smtpd
> SUCCESS: /usr/sbin/qmail-smtpd does not appear to offer TLS support. 
> spamdyke will offer, intercept and decrypt TLS traffic.
> SUCCESS: /usr/sbin/qmail-smtpd does not appear to offer SMTP AUTH support. 
> spamdyke will offer and process authentication.
> INFO(access-file): Testing file read: /etc/spam-relays
> SUCCESS(access-file): Opened for reading: /etc/spam-relays
> INFO(config-file): Testing file read: /etc/spamdyke-smtps.conf
> SUCCESS(config-file): Opened for reading: /etc/spamdyke-smtps.conf
> INFO(local-domains-file): Testing file read: /etc/qmail/rcpthosts
> SUCCESS(local-domains-file): Opened for reading: /etc/qmail/rcpthosts
> INFO(smtp-auth-level): Examining authentication command: /usr/bin/chkpw.sh 
> /bin/true
> ERROR(smtp-auth-level): File is not executable: /usr/bin/chkpw.sh: Owner 
> permissions apply but owner executable bit is not set
> Is this not good enough?
>   
>>> -rwSr-x--- 1 root qmaild    38 2009-09-24 21:26 chkpw.sh
>
>
> INFO(smtp-auth-level): Running authentication command with unencrypted 
> input: /usr/bin/chkpw.sh /bin/true
> SUCCESS(smtp-auth-level): Authentication succeeded with unencrypted input: 
> /usr/bin/chkpw.sh /bin/true
> INFO(smtp-auth-level): Running authentication command with encrypted input: 
> /usr/bin/chkpw.sh /bin/true
> ERROR: authentication failure (bad username/password, vchkpw uses this to 
> indicate SMTP access is not allowed): user
> ERROR(smtp-auth-level): Authentication failed with encrypted input: 
> /usr/bin/chkpw.sh /bin/true
> Is that a problem? I am using unencrypted login
>
> INFO(tls-certificate-file): Testing TLS by initializing SSL/TLS library with 
> certificate and key
> SUCCESS(tls-certificate-file): Opened for reading: 
> /etc/ssl/certs/stunnel.pem
> SUCCESS(tls-certificate-file): Certificate and key loaded; SSL/TLS library 
> successfully initialized
> ERROR: Tests complete. Errors detected.
>
>
>
> When spamdyke runs as qmaild, my mail client tells me that the connection 
> was closed and in /var/log/mail.info I get
>
>
> Sep 25 17:36:01 alleservices spamdyke[12289]: ERROR: unable to load SSL/TLS certificate from file: /etc/ssl/certs/stunnel.pem : The operation failed due to an I/O error, Unexpected EOF found, error:0200100D:lib(2):func(1):reason(13), error:20074002:lib(32):func(116):reason(2), error:140DC002:lib(20):func(220):reason(2)
> Sep 25 17:36:01 alleservices spamdyke[12289]: ERROR: incorrect SSL/TLS private key password or SSL/TLS certificate/privatekey mismatch/etc/ssl/certs/stunnel.pem : A protocol or library failure occurred, error:140A80B1:lib(20):func(168):reason(177)
> Sep 25 17:36:01 alleservices spamdyke[12289]: ERROR: unable to initialize SSL/TLS library
> Sep 25 17:36:01 alleservices spamdyke[12289]: ERROR: unable to start SMTPS because TLS support is not available or an SSL/TLS certificate is not available; closing connection
>
>
>
> This is very much the same errors I get if stunnel.pem is wrongly generated. 
> (ex. missing certificate)
>
> ----- Original Message ----- 
> From: "Sam Clippinger" <s...@silence.org>
> To: "spamdyke users" <spamdyke-users@spamdyke.org>
> Sent: Friday, September 25, 2009 5:54 PM
> Subject: Re: [spamdyke-users] I can hardly make a SMTPS connection
>
>
>   
>> OK, I guess I'll bite... why can't you replace `id -u root` with `id -u
>> qmaild`?  Do you get errors?  Does it crash?  Does it malfunction?  I
>> really want to help, but you're not giving enough information to work 
>> with.
>>
>> Have you tried running spamdyke's "config-test" feature to look for
>> problems?
>>
>> -- Sam Clippinger
>>
>> David Bo Jensen wrote:
>>     
>>> I solved the problem with
>>>
>>> server:/# cat /etc/spamdyke-smtps.conf
>>> log-level=verbose
>>> tls-level=smtps
>>> tls-certificate-file=/etc/ssl/certs/stunnel.pem
>>> filter-level=require-auth
>>> smtp-auth-level=ondemand
>>> smtp-auth-command=/usr/bin/chkpw.sh /bin/true
>>> relay-level=normal
>>>
>>> please notice the "filter-level"; furthermore I have
>>>
>>> server:/etc# cat tcp.smtps
>>> :allow,RELAYCLIENT=""
>>>
>>> However I have another issue. First look at
>>>
>>> server:/etc/ssl/certs# ls -la stunnel.pem
>>> -rw-r----- 1 root qmaild 2402 2009-09-23 10:03 stunnel.pem
>>>
>>> and /usr/bin
>>> -rwxr-xr-x 1 root root   12360 2007-06-30 11:52 checkpassword
>>> -rwSr-x--- 1 root qmaild    38 2009-09-24 21:26 chkpw.sh
>>>
>>> chkpw.sh is a wrapper for checkpassword
>>>
>>> In /etc/init.d/qmail
>>>
>>>          sh -c "start-stop-daemon --start --quiet --user qmaild \
>>>             --pidfile /var/run/tcpserver_smtpsd.pid --make-pidfile \
>>>             --exec /usr/bin/tcpserver -- -R -H \
>>>             -u `id -u root` -g `id -g nobody` -x /etc/tcp.smtps.cdb 0 smtps \
>>>             $rblsmtpd2 /usr/sbin/qmail-smtpd 2>&1 \
>>>             | $logger &"
>>>
>>>
>>> ($rblsmtpd2 is spamdyke see the whole file below.)
>>> I cannot replace `id -u root` with `id -u qmaild`. Why? It would be nice if
>>> spamdyke didn't have to run with root permissions for SSL connections.
>>> I am using Debian etch 2.6.18. Please also notice my other thread about
>>> missing logging for authentication.
>>>
>>> server:/usr/bin# cat /etc/init.d/qmail
>>> #!/bin/bash
>>> #
>>> # /etc/init.d/qmail : start or stop the qmail mail subsystem.
>>> #
>>> # Written by Christian Hudon <chr...@debian.org>
>>> # Currently maintained by Jon Marler <jmar...@debian.org>
>>> #
>>> # Configuration
>>> #
>>>
>>>
>>> # set default delivery method
>>>
>>> #alias_empty="|/usr/sbin/qmail-procmail"  # procmail delivery to /var/spool/mail
>>> alias_empty="./Maildir/"       # This uses qmail preferred ~/Maildir/ directory
>>>                                 # You may want to maildirmake /etc/skel/Maildir
>>> #alias_empty="./Mailbox"        # This uses Mailbox file in users $HOME
>>>
>>> logger="splogger qmail 2"       # facility mail == 2
>>> #logger="|accustamp >>/var/log/qmail.log"   # If you have accustamp installed.
>>> #logger=">>/var/log/qmail.log"              # Does not give timing info.
>>>
>>> # If you uncommented one of the lines that appends to /var/log/qmail.log, you
>>> # need to uncomment the following two lines.
>>> #touch /var/log/qmail.log
>>> #chown qmaill /var/log/qmail.log
>>>
>>> # If you want to use one or more of the Relay Black Lists, uncomment
>>> # the appropriate lines.
>>>
>>> rblmsg=
>>> rblsmtpd="/usr/local/bin/spamdyke -l -f /etc/spamdyke.conf"
>>> rblsmtpd2="/usr/local/bin/spamdyke -l -f /etc/spamdyke-smtps.conf"
>>> #rblmsg=" (with rblsmtpd)"
>>> #rblsmtpd="/usr/bin/rblsmtpd -r list.dsbl.org -r relays.ordb.org"
>>>
>>> #
>>> # End of configuration
>>> #
>>>
>>> test -x /usr/sbin/qmail-start || exit 0
>>> test -x /usr/sbin/qmail-send || exit 0
>>>
>>> case "$1" in
>>>     start)
>>>         echo -n "Starting mail-transfer agent: qmail" $rblmsg
>>>         sh -c "start-stop-daemon --start --quiet --user qmails \
>>>                  --exec /usr/sbin/qmail-send \
>>>                  --startas /usr/sbin/qmail-start -- \"$alias_empty\" $logger &"
>>>         # prevent denial-of-service attacks, with ulimit
>>>         ulimit -v 16384
>>>          sh -c "start-stop-daemon --start --quiet --user qmaild \
>>>             --pidfile /var/run/tcpserver_smtpd.pid --make-pidfile \
>>>             --exec /usr/bin/tcpserver -- -R -H \
>>>             -u `id -u qmaild` -g `id -g nobody` -x /etc/tcp.smtp.cdb 0 smtp \
>>>             $rblsmtpd /usr/sbin/qmail-smtpd 2>&1 \
>>>             | $logger &"
>>>
>>>          sh -c "start-stop-daemon --start --quiet --user qmaild \
>>>             --pidfile /var/run/tcpserver_smtpsd.pid --make-pidfile \
>>>             --exec /usr/bin/tcpserver -- -R -H \
>>>             -u `id -u root` -g `id -g nobody` -x /etc/tcp.smtps.cdb 0 smtps \
>>>             $rblsmtpd2 /usr/sbin/qmail-smtpd 2>&1 \
>>>             | $logger &"
>>>
>>>
>>>
>>>          #Uncomment the following lines to automatically start the pop3 server
>>>         sh -c "start-stop-daemon --start --quiet --user root \
>>>             --pidfile /var/run/tcpserver_pop3d.pid --make-pidfile \
>>>             --exec /usr/bin/tcpserver -- -R -H \
>>>             0 pop-3 /usr/sbin/qmail-popup `hostname`.`dnsdomainname` \
>>>             /usr/bin/checkpassword /usr/sbin/qmail-pop3d Maildir &"
>>>
>>>         sh -c "start-stop-daemon --start --quiet --user root \
>>>             --pidfile /var/run/tcpserver_pop3sd.pid --make-pidfile \
>>>             --exec /usr/bin/tcpserver -- -R -H \
>>>             0 995 /usr/bin/stunnel -f -l /usr/sbin/qmail-popup -- qmail-popup `hostname`.`dnsdomainname` \
>>>             /usr/bin/checkpassword /usr/sbin/qmail-pop3d Maildir &"
>>>
>>>         echo "."
>>>         ;;
>>>     stop)
>>>         echo -n "Stopping mail-transfer agent: qmail" $rblmsg
>>>         if [ "`pidof /usr/sbin/qmail-send`" ] ; then
>>>             start-stop-daemon --user qmails --stop --quiet --oknodo --exec /usr/sbin/qmail-send
>>>             start-stop-daemon --user qmaild --stop --quiet --oknodo --pidfile /var/run/tcpserver_smtpd.pid --exec /usr/bin/tcpserver
>>>             start-stop-daemon --user qmaild --stop --quiet --oknodo --pidfile /var/run/tcpserver_smtpsd.pid --exec /usr/bin/tcpserver
>>>             # Uncomment the following line if you have enabled the pop3 server
>>>             start-stop-daemon --user root --stop --quiet --oknodo --pidfile /var/run/tcpserver_pop3d.pid --exec /usr/bin/tcpserver
>>>             start-stop-daemon --user root --stop --quiet --oknodo --pidfile /var/run/tcpserver_pop3sd.pid --exec /usr/bin/tcpserver
>>>             # Wait until the timeout for qmail processes to die.
>>>             count=120
>>>             numdots=0
>>>             while ([ $count != 0 ]) do
>>>                 let count=$count-1
>>>                 if [ "`pidof /usr/sbin/qmail-send`" ] ; then
>>>                     echo -n .
>>>                     let numdots=$numdots+1
>>>                     sleep 1
>>>                 else
>>>                     count=0
>>>                 fi
>>>             done
>>>
>>>             # If it's not dead yet, kill it.
>>> #           if [ "`pidof /usr/sbin/qmail-send`" ] ; then
>>> #               echo -n " TIMEOUT!"
>>> #               kill -KILL `pidof /usr/sbin/qmail-send`
>>> #           else
>>>                 case $numdots in
>>>                   0) echo "." ;;
>>>                   1) echo ;;
>>>                   *) echo " done." ;;
>>>                 esac
>>> #           fi
>>>         else
>>>             echo " not running.";
>>>         fi
>>>
>>>         ;;
>>>     restart)
>>>         $0 stop
>>>         $0 start
>>>         ;;
>>>     cdb)
>>>         echo "Rebuilding tcp.smtp.cdb."
>>>         cd /etc
>>>         tcprules tcp.smtp.cdb tcp.smtp.temp < tcp.smtp
>>>         ;;
>>>     flush)
>>>         /usr/sbin/qmail-tcpok
>>>         start-stop-daemon --stop --quiet --oknodo --signal ALRM --exec /usr/sbin/qmail-send
>>>         echo "Queue flushed."
>>>         ;;
>>>     stat)
>>>         /usr/sbin/qmail-qread
>>>         /usr/sbin/qmail-qstat
>>>         ;;
>>>     reload|force-reload)
>>>         echo "Reloading 'locals' and 'virtualdomains' control files."
>>>         start-stop-daemon --stop --quiet --oknodo --signal HUP --exec /usr/sbin/qmail-send
>>>         ;;
>>>     *)
>>>         echo 'Usage: /etc/init.d/qmail {start|stop|stat|cdb|restart|reload}'
>>>         exit 1
>>> esac
>>>
>>> exit 0
>>>
>>>
>>>
>>>
>>> ----- Original Message ----- 
>>> From: "Sam Clippinger" <s...@silence.org>
>>> To: "spamdyke users" <spamdyke-users@spamdyke.org>
>>> Sent: Friday, September 25, 2009 5:34 AM
>>> Subject: Re: [spamdyke-users] I can hardly make a SMTPS connection
>>>
>>>
>>>
>>>       
>>>> I don't think I understand enough about your setup to answer this
>>>> question. Could you post your full startup script and full spamdyke
>>>> configuration file? Also, what operating system and version are you
>>>> using? Have you tried running spamdyke's "config-test" feature? Is
>>>> spamdyke logging any errors?
>>>>
>>>> -- Sam Clippinger
>>>>
>>>> David Bo Jensen wrote:
>>>>
>>>>         
>>>>> It seems to be a client (I am using Outlook Express) issue; changing the port
>>>>> to 465 and removing unlinit somewhat solved the issue.
>>>>>
>>>>> But I have
>>>>> grep spamdyke /var/log/mail.info
>>>>> Sep 22 07:46:17 server spamdyke[4311]: ALLOWED from: d...@elektronik.dk to: d...@vip.cybercity.dk origin_ip: 127.0.0.1 origin_rdns: (unknown) auth: (unknown)
>>>>>
>>>>> It doesn't ask for authentication; 127.0.0.1 is enveloped in the SSL
>>>>> protocol. In fact in many cases users will be able to use my server as an
>>>>> open relay. That is not what I intended.
>>>>>
>>>>>
>>>>>           
>
_______________________________________________
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users