Thanks Sam. I will investigate ASAP.

 

You're right that whitelisting and authentication have no effect on the
relay filter.  spamdyke allows relaying in three situations: when the
RELAYCLIENT environment variable is set, when /etc/tcp.smtp has a matching
rule that sets RELAYCLIENT or when a spamdyke option allows relaying.  So...
have you compared the /etc/tcp.smtp file on the two servers?  I'd bet
there's a line on the "can send" server that sets RELAYCLIENT for localhost
connections and the "can't send" server doesn't have it (note spamdyke does
not read this file itself; its CDB version is probably being read by
tcp-env).

 

It's been quite a while since I've worked with Plesk but I seem to remember
that option is set within the Plesk admin interface.  It'd be a good idea to
change it there -- otherwise if you change it on disk, it'll probably just
get overwritten the next time Plesk saves a change.


-- Sam Clippinger

 

 

 

 

On Oct 3, 2016, at 7:58 AM, Faris Raouf via spamdyke-users
<spamdyke-users@spamdyke.org> wrote:





Dear all,

 

I'm absolutely confounded by a problem I'm having after upgrading five
systems from Spamdyke 4.3.1 to 5.0.1.

 

On two of them, webmail (running locally, connecting from 127.0.0.1 to
127.0.0.1 port 25 via smtp, no authentication) works fine and can send
messages.

 

On the other three, spamdyke spits out a RELAYING_DENIED and blocks the
connection from 127.0.0.1 when trying to send messages.

 

--------------

Oct  3 12:07:38 hostnameredacted spamdyke[4927]: FILTER_RDNS_MISSING ip: 127.0.0.1
Oct  3 12:07:38 hostnameredacted spamdyke[4927]: FILTER_WHITELIST_IP ip: 127.0.0.1 file: /etc/spamdyke.d/whitelist_ip(6)
Oct  3 12:07:38 hostnameredacted spamdyke[4927]: FILTER_RELAYING
Oct  3 12:07:38 hostnameredacted spamdyke[4927]: DENIED_RELAYING from: (the rest redacted)

----------------

 

 

All four systems use Plesk, which has 127.0.0.1 whitelisted for email - no
authentication is required for connections from that IP.

 

I have read the upgrade notes, which explain that IPs that are whitelisted
in the ip whitelist (or whatever) file are no longer automatically also
allowed to relay, and obviously that's at the heart of the problem in some
way.

 

What I cannot fathom is why two would work, and three would not. They are
all pretty much identical in every way that I can think of. Same Centos 6,
same versions of pretty much everything, very little differences anywhere.

 

None of them have any form of relay or smtp auth settings in spamdyke.conf.
All of them do have 127.0.0.1 whitelisted in the ip whitelist file - not
that it makes any difference in 5.0.1 of course.

 

Everything is controlled via smtp_psa file via xinetd

 

(stuff)

        server          = /var/qmail/bin/tcp-env
        server_args     = -Rt0 /usr/local/bin/spamdyke -f /etc/spamdyke.d/spamdyke.conf /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true

 

 

So, to resolve the problem, in theory all I have to do is add
ip-relay-entry=127.0.0.1 and indeed that does solve the problem.

 

I presume that's safe enough, given that we do want anything in localhost to
be able to send email without authenticating?

 

Is this a common setting?

 

But I feel I must get to the bottom of why some work, and some don't, out of
the box. It seems bonkers, and indicative of something else that might be
wrong.

None of the boxes are accidental open relays. Authentication is most
definitely required to send to non-local addresses. 

 

At one point I suspected it might have something to do with the webmail
configuration, but I can't find any differences at all. They are all set to
use smtp to connect to port 25 with no authentication.

 

 

In the hope that someone may spot an error in my config files, here is one
from a server where webmail can send, and another from a server where
webmail cannot send.

 

(--config-tests throws no errors on either of them)

(I do not know what I have qmail-rcpthosts / qmail-morercpthosts.cdb set but
they had been set when using 4.3.1 using the old syntax so I thought I'd
bring them over since I knew that configuration worked)

 

*****************

 

CAN SEND:

 

log-level=info

qmail-rcpthosts-file=/var/qmail/control/rcpthosts

 

max-recipients=5

idle-timeout-secs=60

greeting-delay-secs=11

 

ip-blacklist-file=/etc/spamdyke.d/blacklist_ip

sender-blacklist-file=/etc/spamdyke.d/blacklist_sender

rdns-blacklist-file=/etc/spamdyke.d/blacklist_rdns

recipient-blacklist-file=/etc/spamdyke.d/blacklist_recipient

 

ip-whitelist-file=/etc/spamdyke.d/whitelist_ip

rdns-whitelist-file=/etc/spamdyke.d/whitelist_rdns

recipient-whitelist-file=/etc/spamdyke.d/whitelist_recipient

sender-whitelist-file=/etc/spamdyke.d/whitelist_sender

 

tls-certificate-file=/var/qmail/control/servercert.pem

tls-level=smtp

 

config-dir-search=all-recipient

config-dir=/etc/spamdyke.d/configdir

config-dir=/etc/spamdyke.d/individuals

config-dir=/var/qmail/conf.d

#configs in the above directories are recipient-based only and enable/disable dns blacklists and reject-empty-rdns type things

 

dns-blacklist-entry=zen.spamhaus.org

dns-blacklist-entry=bl.spamcop.net

 

reject-empty-rdns

 

 

 

 

************************************

 

CANNOT SEND

 

log-level=verbose

qmail-rcpthosts-file=/var/qmail/control/rcpthosts

qmail-morercpthosts-cdb=/var/qmail/control/morercpthosts.cdb

#*** I have tried removing the above two lines - makes no difference to webmail sending

 

 

max-recipients=5

idle-timeout-secs=60

greeting-delay-secs=6

 

ip-blacklist-file=/etc/spamdyke.d/blacklist_ip

sender-blacklist-file=/etc/spamdyke.d/blacklist_sender

rdns-blacklist-file=/etc/spamdyke.d/blacklist_rdns

recipient-blacklist-file=/etc/spamdyke.d/blacklist_recipient

 

ip-whitelist-file=/etc/spamdyke.d/whitelist_ip

rdns-whitelist-file=/etc/spamdyke.d/whitelist_rdns

recipient-whitelist-file=/etc/spamdyke.d/whitelist_recipient

sender-whitelist-file=/etc/spamdyke.d/whitelist_sender

 

tls-certificate-file=/var/qmail/control/servercert.pem

tls-level=smtp

 

dns-blacklist-entry=zen.spamhaus.org

dns-blacklist-entry=bl.spamcop.net

dns-blacklist-entry=b.barracudacentral.org

reject-empty-rdns=1

reject-unresolvable-rdns=1

 

config-dir=/etc/spamdyke.d/configdir

config-dir=/etc/spamdyke.d/individuals

#configs in the above two are recipient-based only and enable/disable dns blacklists and reject-empty-rdns type things.

 

config-dir-search=all-recipient

 

*****************

 

_______________________________________________
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
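
The /etc/tcp.smtp comparison suggested in the reply above, as an added example that is not part of the original thread or of spamdyke: it reports which rule in each file applies to 127.0.0.1 and whether that rule sets RELAYCLIENT. It assumes the files use the plain-text tcprules format; both sample files are constructed for illustration, and the function names are hypothetical.

```python
# Added example. Models only exact-IP, dotted-prefix and default (empty address)
# rules; user@ip, =hostname and a-b range rules are skipped.

CAN_SEND = '127.0.0.1:allow,RELAYCLIENT=""\n:allow\n'   # constructed sample
CANNOT_SEND = '127.:allow\n:allow\n'                     # constructed sample


def parse_rules(text):
    """Return {address: (action, {VAR: value})} from tcprules source text."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        address, _, instructions = line.partition(":")
        if "@" in address or address.startswith("=") or "-" in address:
            continue  # rule types this sketch does not model
        action, *assignments = instructions.split(",")
        env = {}
        for item in assignments:
            name, _, value = item.partition("=")
            env[name.strip()] = value.strip().strip('"')
        # Assumption: if an address repeats, the first rule is kept.
        rules.setdefault(address, (action.strip(), env))
    return rules


def effective_rule(rules, ip):
    """Most specific match: full IP, shorter dotted prefixes, then default."""
    octets = ip.split(".")
    candidates = [ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for address in candidates:
        if address in rules:
            return address, rules[address]
    return None, ("allow", {})  # no rule at all: no environment changes


def relay_report(server, text, ip="127.0.0.1"):
    """Summarise whether the matching rule grants relaying via RELAYCLIENT."""
    address, (action, env) = effective_rule(parse_rules(text), ip)
    return {"server": server, "matched": address, "action": action,
            "relayclient_set": action == "allow" and "RELAYCLIENT" in env}


if __name__ == "__main__":
    for name, text in (("can-send", CAN_SEND), ("cannot-send", CANNOT_SEND)):
        print(relay_report(name, text))
```

A rule that matches localhost without RELAYCLIENT, as in the second sample, still accepts the connection but leaves the relay decision to spamdyke's own options.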
