Sam,

I found this thread on the web from 2011.
https://www.mail-archive.com/spamdyke-users@spamdyke.org/msg03120.html

We are now thinking that it might not be TLS but just a timeout. Is it possible to get better granularity about what condition is timing out? I have attached my spamdyke config file for reference.

Bruce

On 02/04/2014 12:30 PM, Sam Clippinger wrote:
I apologize for taking so long to reply to your message, I didn't see it until this morning and didn't have time to respond until now.

Could you provide a link to the thread you read? I don't remember it offhand and searching my email archives for "timeout" turns up hundreds of messages.

As far as requiring TLS from your mail clients but not other servers, I'm not sure how you can do that. How can spamdyke tell the difference between a mail client and a remote server? If you're just talking about authentication, you could configure spamdyke to block authentication on port 25 connections ("smtp-auth-level=none"), which would force your users to use port 587 in order to authenticate, but that still wouldn't force them to use TLS. Maybe if you blocked authentication on port 25, turned off port 587, then required authentication on port 465 where SSL is mandatory, that might work. I can't imagine your helpdesk staff would thank you for that change though.

I'm already planning to add a filter to a future version to block authentication unless SSL/TLS is in use, but I can't give you an ETA on that.

-- Sam Clippinger

On Feb 3, 2014, at 8:05 PM, Bruce Schreiber <bschrei...@max.md> wrote:

Problem: TLS reason: TIMEOUT

I read an old thread on this problem, but did not see a solution. What
was the outcome?
# spamdyke -v
spamdyke 4.3.1+TLS+CONFIGTEST+DEBUG (C)2012 Sam Clippinger, samc (at)
silence (dot) org
http://www.spamdyke.org/

Use -h for an option summary or see README.html for complete option details.

# uname -a
Linux rs6.max.md 2.6.18-194.17.1.el5 #1 SMP Mon Sep 20 07:12:06 EDT 2010
x86_64 x86_64 x86_64 GNU/Linux

In spamdyke.config

tls-level=smtp

tls-certificate-file=/var/qmail/control/servercert.pem

Also, I am confused about one thing.  We want to require TLS for SMTP
between QMAIL  and the mail client.  We do not care about TLS from QMAIL
to another Mail server.  If I turn off the SPAMDYKE tls-level, and leave
the tls patch in QMAIL will the client side TLS still work and the
timeout go away?

Bruce

--
Bruce B Schreiber
CTO, MaxMD
2200 Fletcher Ave, 5th Floor
Fort Lee, NJ 07024
201 963 0005 office
917 532 4995 cell
bschrei...@max.md
www.max.md
www.mdEmail.md

_______________________________________________
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users


######################################################################################################
#
# spamdyke.config
#
# created: April 15, 2008
# author: Bruce Schreiber
# with thanks to Chris Godwin from Rackspace for his valued input and support
#
# configuration parameters for spamdyke
# for documentation execute spamdyke -h
# local  list files will be found in directory /var/qmail/control/Spamdyke/
#
#######################################################################################################

dns-level=aggressive
dns-blacklist-entry=bl.spamcop.net
#  Check the remote server's IP address against the realtime blackhole list
#  DNSRBL. If it is found, the connection is rejected. Default: do not check any
#  DNS RBLs.
#  check-dnsrbl may be used multiple times.

# connection-timeout-secs=0
#  Forcibly disconnect after a total of SECS seconds, regardless of activity. A
#  value of 0 disables this feature. Default: 0.
#  SECS must be between (or equal to) 0 and 2147483647.


greeting-delay-secs=3
#  Delay sending the SMTP greeting banner SECS seconds to see if the remote server
#  begins sending data early. If it does, the connection is rejected. Default: no
#  delay.
#  SECS must be between (or equal to) 0 and 2147483647.
#  changed from 5 to 3 2/3/2014 - BBS

hostname=mail.mdemail.md
#  Use NAME as the fully qualified domain name of this host. This value is only
#  used to create an encrypted challenge during SMTP AUTH challenge-response.
#  Default: unknown.server.unknown.domain.
#  hostname may only be used once.

idle-timeout-secs=60
#  Forcibly disconnect after SECS seconds of inactivity. A value of 0 disables
#  this feature. Default: 60.
#  SECS must be between (or equal to) 0 and 2147483647.
#  set to 60 from 30 on 2/3/2014 - BBS

#
# Blacklist was turned off May 9, 2008 as it is probably redundant - BBS
# turned back on for a limited set Oct 28,2013
#
ip-blacklist-file=/var/qmail/control/Spamdyke/blacklist
#  Reject the connection if the remote server's IP address matches an entry in
#  FILE. Default: do not search.
#  ip-blacklist-file may be used multiple times.

ip-whitelist-file=/var/qmail/control/Spamdyke/whitelist
#  If the remote server's IP address matches an entry in FILE, bypass all filters.
#  Default: do not search.
#  ip-whitelist-file may be used multiple times.

rdns-whitelist-file=/var/qmail/control/Spamdyke/rdns-whitelist
#  Jan 14 2014
#  Add whitelist file for unresolvable RDNS
#  Shuo Wang


local-domains-file=/var/qmail/control/rcpthosts
#  Use FILE as a list of locally hosted domains (to determine if an email address
#  is local or remote). Most often, FILE is /var/qmail/control/rcpthosts. Default:
#  no domains are local.
#  local-domains-file may be used multiple times.

log-level=info
#  Sets the log level to LEVEL: 0 = none, 1 = errors only, 2 = errors and info, 3
#   = errors, info and debug messages, 4 = excessive output. Default when log-level
#  is not given: 1, Default when LEVEL is not given: 2.
#  LEVEL must be between (or equal to) 0 and 4.
#  No spaces are allowed between 'l' and LEVEL.
#  No spaces are allowed and an equals sign is required between log-level and LEVEL.

log-target=stderr

reject-empty-rdns=true
#  Reject the connection if the remote server has no rDNS name. Default: do not
#  check for an rDNS name.

reject-ip-in-cc-rdns=true
#  Search the remote server's rDNS name for its IP address AND a two-letter
#   country code. If both are found, reject the connection. Default: do not search.

reject-missing-sender-mx=true
#  Check the domain name of the sender's email address for a mail exchanger (an MX
#  or an A record). If neither are found, reject the connection. Requires
#  "local-domains-file". Default: do not check the sender's mail exchanger.

reject-unresolvable-rdns=true
#  Reject the connection if the remote server's rDNS name does not resolve (search
#  for an A record). Default: do not attempt to resolve.

# --tls-level { none | smtp | smtp-no-passthrough | smtps }
#  Offer TLS support LEVEL. LEVEL must be one of: none = do not support or allow
#  TLS, even if qmail provides it, smtp = support TLS during SMTP if possible (or
#  allow passthrough if not), smtp-no-passthrough = support TLS during SMTP if
#  possible but do not allow passthrough, smtps = start TLS as soon as the
#  connection starts (SMTPS). If LEVEL is "smtp" and "tls-certificate-file" is not
#  given, TLS traffic will be passed through without decryption. If LEVEL is
#  "smtp-no-passthrough" or "smtps", "tls-certificate-file" is required. Default:
#  smtp
#  tls-level may only be used once.
tls-level=smtp

tls-certificate-file=/var/qmail/control/servercert.pem
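The thread asks for more granularity about which condition is timing out. Spamdyke itself only reports "TLS reason: TIMEOUT", but the two settings that decide it, idle-timeout-secs and connection-timeout-secs, are in the attached config, and the TLS handshake can be timed from the outside. The script below is an added example, not code from the thread, from spamdyke, or from its author: it parses a spamdyke-style config (a constructed sample modelled on the one attached above, not the real file), resolves the effective timeout and TLS settings using the defaults the config's own comments state, optionally times a live STARTTLS exchange against a host you name on the command line, and reports which configured limit a slow step would trip. The host argument and the `SAMPLE_CONFIG` contents are assumptions; the timing thresholds in `diagnose` are a choice made here, not spamdyke behaviour.

```python
"""Added diagnostic for a spamdyke "TLS reason: TIMEOUT" (not part of the thread)."""
import smtplib
import ssl
import sys
import time

# Constructed sample modelled on the attached spamdyke.config; not the real file.
SAMPLE_CONFIG = """\
dns-level=aggressive
dns-blacklist-entry=bl.spamcop.net
# connection-timeout-secs=0
greeting-delay-secs=3
idle-timeout-secs=60
log-level=info
tls-level=smtp
tls-certificate-file=/var/qmail/control/servercert.pem
"""

# Defaults as stated in the config's own comments (0 for connection-timeout-secs = disabled).
DEFAULTS = {
    "idle-timeout-secs": 60,
    "connection-timeout-secs": 0,
    "greeting-delay-secs": 0,
    "tls-level": "smtp",
}


def parse_spamdyke_config(text):
    """Return {option: [values]} from uncommented key=value lines; '#' lines are ignored."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        options.setdefault(key.strip(), []).append(value.strip())
    return options


def effective_timeouts(options):
    """Resolve the settings that decide when spamdyke drops a slow TLS handshake."""
    def last_int(key):
        return int(options.get(key, [DEFAULTS[key]])[-1])
    return {
        "idle_timeout_secs": last_int("idle-timeout-secs"),
        "connection_timeout_secs": last_int("connection-timeout-secs"),
        "greeting_delay_secs": last_int("greeting-delay-secs"),
        "tls_level": options.get("tls-level", [DEFAULTS["tls-level"]])[-1],
        "tls_certificate_file": options.get("tls-certificate-file", [None])[-1],
    }


def probe_starttls(host, port=25, timeout=15.0, verify=True):
    """Connect, EHLO and STARTTLS against host, timing each step in seconds (network call)."""
    ctx = ssl.create_default_context()
    if not verify:
        # Old qmail TLS builds may present certificates a modern client rejects;
        # relaxing verification lets the handshake itself be observed and timed.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    timings = {"starttls_offered": False}
    t0 = time.monotonic()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:  # connect() reads the banner
        timings["banner_secs"] = time.monotonic() - t0
        t1 = time.monotonic()
        smtp.ehlo()
        timings["ehlo_secs"] = time.monotonic() - t1
        if smtp.has_extn("starttls"):
            timings["starttls_offered"] = True
            t2 = time.monotonic()
            smtp.starttls(context=ctx)
            timings["tls_handshake_secs"] = time.monotonic() - t2
            timings["tls_version"] = smtp.sock.version()
    return timings


def diagnose(timings, effective):
    """Map measured step durations onto the configured limits; returns a list of findings."""
    findings = []
    idle = effective["idle_timeout_secs"]
    handshake = timings.get("tls_handshake_secs")
    if not timings.get("starttls_offered"):
        findings.append("server did not advertise STARTTLS (check tls-level / tls-certificate-file)")
    elif idle and handshake is not None and handshake >= idle:
        findings.append(f"TLS handshake took {handshake:.1f}s, at or above idle-timeout-secs={idle}")
    elif idle and handshake is not None and handshake >= idle / 2:
        findings.append(f"TLS handshake took {handshake:.1f}s, more than half of idle-timeout-secs={idle}")
    total = effective["connection_timeout_secs"]
    elapsed = sum(v for k, v in timings.items() if k.endswith("_secs"))
    if total and elapsed >= total:
        findings.append(f"session took {elapsed:.1f}s, at or above connection-timeout-secs={total}")
    return findings


if __name__ == "__main__":
    # usage: python probe.py [host [port]]   (host is an assumption; none is built in)
    eff = effective_timeouts(parse_spamdyke_config(SAMPLE_CONFIG))
    print("effective settings:", eff)
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        measured = probe_starttls(sys.argv[1], port, verify=False)
        print("timings:", measured)
        for finding in diagnose(measured, eff):
            print("finding:", finding)
```

Run it against the server in question and compare `tls_handshake_secs` with the configured `idle-timeout-secs`: a handshake that approaches the idle limit points at the TLS step, while a session that only stalls before the banner points at the greeting delay or the network rather than TLS. Reading the real file instead of `SAMPLE_CONFIG` is a one-line change to the `__main__` block.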
