Re: [spamdyke-users] config-test does not recognize Plesk SMTP_AUTH
Hi Sam,

With

    TCPREMOTEIP=1.2.3.4 /usr/local/bin/spamdyke -f /etc/spamdyke.conf -l4 --config-test /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true

I get the expected result

    SUCCESS: /var/qmail/bin/relaylock appears to offer SMTP AUTH support. spamdyke will observe any authentication and trust its response.

Thanks for your support. I guess I'll just lean back and watch the spam being held off my system for a while now... :-))

bye,
Michael

Sam Clippinger wrote:

> relaylock uses the TCPREMOTEIP environment variable (set by tcpserver or tcp_env) to determine the IP address of the remote server. When spamdyke runs its configuration tests, it sets TCPREMOTEIP to 127.0.0.1. relaylock doesn't seem to offer SMTP AUTH to that IP address.
>
> Try this -- set TCPREMOTEIP to another value:
>
>     export TCPREMOTEIP=11.22.33.44
>
> Then run the configuration test one more time. The SMTP AUTH test should succeed. I see this on my Plesk server when I test with your configuration file:
>
>     spamdyke-3.1.1/spamdyke# cat config.txt
>     log-level=2
>     local-domains-file=/var/qmail/control/rcpthosts
>     max-recipients=5
>     idle-timeout-secs=60
>     graylist-dir=/var/qmail/gray
>     graylist-min-secs=300
>     graylist-max-secs=1814400
>     reject-empty-rdns
>     reject-unresolvable-rdns
>     reject-ip-in-cc-rdns
>     greeting-delay-secs=5
>     check-dnsrbl=zombie.dnsbl.sorbs.net
>     check-dnsrbl=dul.dnsbl.sorbs.net
>     check-dnsrbl=bogons.cymru.com
>     smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true
>     smtp-auth-command=/var/qmail/bin/cmd5checkpw /var/qmail/bin/true
>     local-domains-file=/var/qmail/control/rcpthosts
>     reject-missing-sender-mx
>     hostname=v31616.vierfpeile.de
>     tls-certificate-file=/var/qmail/control/servercert.pem
>     spamdyke-3.1.1/spamdyke# export TCPREMOTEIP=11.22.33.44
>     spamdyke-3.1.1/spamdyke# ./spamdyke -f config.txt --config-test /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
>     spamdyke 3.1.1+TLS (C)2007 Sam Clippinger, samc (at) silence (dot) org
>     http://www.spamdyke.org/
>     Use -h for an option summary or see README.html for complete option details.
>     Testing configuration...
>     WARNING: Running tests as superuser root (0), group root (0). These test results may not be valid if the mail server runs as another user.
>     INFO: Running command to test capabilities: /var/qmail/bin/relaylock
>     WARNING: command aborted abnormally: /var/qmail/bin/relaylock
>     SUCCESS: /var/qmail/bin/relaylock appears to offer TLS support. Continue using the tls-certificate-file flag so spamdyke will be able to filter all traffic.
>     WARNING: /var/qmail/bin/relaylock appears to offer SMTP AUTH support but the smtp-auth-command, smtp-auth-command-encryption and/or access-file flags are in use. This is not necessary and needlessly creates extra load on the server.
>     ERROR(graylist-dir): Unable to read graylist directory /var/qmail/gray: No such file or directory
>     ERROR: Tests complete. Errors detected.
>     spamdyke-3.1.1/spamdyke#
>
> -- Sam Clippinger
>
> Grimmi Meloni wrote:
>
> > Hi Sam,
> >
> > thank you for your very detailed answer. In fact you were right about relaylock. I removed it during my tests and forgot to add it during the config-test.
> >
> > Anyway, I gave it another shot, and I'm still stuck with the same problem. I used loglevel 4 and got a warning saying:
> >
> >     WARNING: command aborted abnormally: /var/qmail/bin/relaylock
> >
> > This line is shown directly above the TLS Success and the SMTP-Auth Warning messages of the test:
> >
> >     SUCCESS: /var/qmail/bin/relaylock appears to offer TLS support. Continue using the tls-certificate-file flag so spamdyke will be able to filter all traffic.
> >     WARNING: /var/qmail/bin/relaylock does not appear to offer SMTP AUTH support. Please use the smtp-auth-command flag or the smtp-auth-command-encryption flag as well as the access-file and local-domains-file flags so spamdyke will be able to authenticate users and correctly allow them to relay.
[spamdyke-users] config-test does not recognize Plesk SMTP_AUTH
Hi,

I've been using spamdyke for about 2 weeks now, and I'm quite satisfied with the results. Thanks for this great tool.

As the subject states, I'm running a Plesk 8.1 based system. Today I upgraded from the 2.6.3 version, to the 3.1.0. The good news is: I got everything working so far. But what made me curious are two things:

With the old 2.6.3 I could use the --smtp-auth-command option, with the new 3.1.0 this does not work anymore. Not working anymore in this case means, that I have to remove this option or my client gets an error message. In the logs it looks like authentication is tried twice. Really weird, but since Plesk delivers a SMTP_AUTH capable server, this is no problem - at least my relaying tests all failed when not authenticated. So I think I'm still good.

During the trial and error phase of this, I ran the --config-test option of spamdyke. Although smtp authentication works, the config-test gives me this warning:

    WARNING: /var/qmail/bin/qmail-smtpd does not appear to offer SMTP AUTH support. Please use the smtp-auth-command flag or the smtp-auth-command-encryption flag as well as the access-file and local-domains-file flags so spamdyke will be able to authenticate users and correctly allow them to relay.

Now I'm wondering why this warning occurs at all. Is it a misconfiguration on my part, or just the config-test failing to detect the SMTP AUTH capabilities of my qmail_smtpd?

bye,
Michael

P.S.: Although offtopic: Can anybody point me to a place where the commandline of qmail_smtpd is explained? Basically I would like to know, why /var/qmail/bin/true has to be in the commandline twice, or even better, what qmail_smtpd in general does with its parameters? Thanks.

- my spamdyke.conf

    log-level=2
    local-domains-file=/var/qmail/control/rcpthosts
    max-recipients=5
    idle-timeout-secs=60
    graylist-dir=/var/qmail/gray
    graylist-min-secs=300
    graylist-max-secs=1814400
    reject-empty-rdns
    reject-unresolvable-rdns
    reject-ip-in-cc-rdns
    greeting-delay-secs=5
    check-dnsrbl=zombie.dnsbl.sorbs.net
    check-dnsrbl=dul.dnsbl.sorbs.net
    check-dnsrbl=bogons.cymru.com
    #smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
    local-domains-file=/var/qmail/control/rcpthosts
    reject-missing-sender-mx
    hostname=v31616.vierfpeile.de
    tls-certificate-file=/var/qmail/control/servercert.pem

---end my spamdyke.conf

my xinetd.d config for smtp_psa -

    server = /var/qmail/bin/tcp-env
    server_args = -Rt0 /usr/local/bin/spamdyke -f /etc/spamdyke.conf /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true

my xinetd.d config for smtp_psa -

___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
Re: [spamdyke-users] config-test does not recognize Plesk SMTP_AUTH
Plesk is such a queer duck. I like its control panel but it sure does some screwy things to the system configuration.

I see something in your spamdyke configuration file that could be causing the SMTP AUTH problem. You have the following line commented out:

    smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true

This is actually two commands -- smtp_auth and cmd5checkpw. They should be given on two separate lines and they should offer encrypted authentication:

    smtp-auth-command-encryption=/var/qmail/bin/smtp_auth /var/qmail/bin/true
    smtp-auth-command-encryption=/var/qmail/bin/cmd5checkpw /var/qmail/bin/true

I suspect the authentication is failing because cmd5checkpw is the program that can actually process your credentials but it's not being started (because your configuration file lists it as a parameter to smtp_auth). However, you're correct that you don't need it with 3.0.0 and later -- spamdyke now automatically detects successful authentication without running the commands itself.

Next, your config-test is giving strange results because you probably used this command:

    spamdyke -f /etc/spamdyke.conf /var/qmail/bin/qmail-smtpd

Plesk doesn't patch qmail-smtpd to provide SMTP AUTH, so spamdyke can't see it. Instead, Plesk uses relaylock for that purpose. You should really test with:

    spamdyke -f /etc/spamdyke.conf /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true

With that command line, the SMTP AUTH banners will appear and spamdyke won't complain about it any more.

So in summary, you can either use Plesk's relaylock OR you can use spamdyke's smtp-auth-command-encryption directive. Using both is unnecessary and wastes server resources. If you have some users (or servers) that need to relay without authenticating, continue using relaylock. If you don't, create an empty access file and use spamdyke's smtp-auth-command-encryption and access-file instead of relaylock. It's a bit more efficient.

To answer your last question about qmail-smtpd's command line, it doesn't have one by default. Most of the time, when you see command line options passed to qmail-smtpd, you're looking at a patched version of qmail-smtpd. (In Plesk's case, the extra options are not parameters to qmail-smtpd, they're actually parameters to relaylock.)

Typically, any parameters are commands to process SMTP AUTH attempts. The authentication commands always come in pairs -- the auth command and a true command. This is a holdover from DJB's original checkpassword program, which runs the second command if the authentication is successful. I think his intent was that successful authentications could have side-effects, such as logging or unlocking resources. The password-checking program could be generic (i.e. only check the password) and the second command could perform the side-effect.

In practice, this hasn't happened. People have simply written password-checking programs that perform the side-effects internally. true is used as the side-effect command because it's small and fast.

For more information on checkpassword (but not much more), see DJB's site:
http://cr.yp.to/checkpwd/interface.html

-- Sam Clippinger

Grimmi Meloni wrote:

> Hi,
>
> I've been using spamdyke for about 2 weeks now, and I'm quite satisfied with the results. Thanks for this great tool.
>
> As the subject states, I'm running a Plesk 8.1 based system. Today I upgraded from the 2.6.3 version, to the 3.1.0. The good news is: I got everything working so far. But what made me curious are two things:
>
> With the old 2.6.3 I could use the --smtp-auth-command option, with the new 3.1.0 this does not work anymore. Not working anymore in this case means, that I have to remove this option or my client gets an error message. In the logs it looks like authentication is tried twice.
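The checkpassword convention Sam describes (a password checker followed by the command it runs on success), together with the pairing of Plesk's four trailing arguments, as an added example that is not part of the original thread or of spamdyke's code. The account table and the stand-in follow-up commands are constructed; a real checkpassword program reads the payload from file descriptor 3 and execs the follow-up rather than calling it.

```python
import hmac
import subprocess
import sys

# Exit codes from the checkpassword interface (cr.yp.to/checkpwd/interface.html).
EXIT_REJECTED, EXIT_MISUSED = 1, 2

# The four trailing arguments from the Plesk command line quoted in the thread.
PLESK_TAIL = [
    "/var/qmail/bin/smtp_auth", "/var/qmail/bin/true",
    "/var/qmail/bin/cmd5checkpw", "/var/qmail/bin/true",
]

# Constructed stand-ins for /var/qmail/bin/true and for a failing follow-up.
TRUE_CMD = [sys.executable, "-c", "pass"]
FAIL_CMD = [sys.executable, "-c", "import sys; sys.exit(3)"]
# Constructed account table; a real checker consults the system's password store.
ACCOUNTS = {b"michael": b"s3cret"}


def split_auth_pairs(args):
    """Group trailing arguments into (password checker, follow-up) pairs."""
    if len(args) % 2:
        raise ValueError("auth commands come in pairs: checker plus follow-up")
    return [(args[i], args[i + 1]) for i in range(0, len(args), 2)]


def parse_payload(buf):
    """Split the descriptor-3 payload: login NUL password NUL timestamp NUL."""
    if len(buf) > 512:
        raise ValueError("payload exceeds 512 bytes")
    fields = buf.split(b"\0")
    if len(fields) < 4:  # three NUL-terminated fields leave a trailing element
        raise ValueError("expected three NUL-terminated fields")
    return fields[0], fields[1], fields[2]


def checkpassword(buf, followup, accounts):
    """Return the exit status a checkpassword-style program would produce."""
    try:
        login, password, _timestamp = parse_payload(buf)
    except ValueError:
        return EXIT_MISUSED
    if not followup:
        return EXIT_MISUSED
    expected = accounts.get(login)
    # Constant-time comparison so the check does not leak how many bytes matched.
    if expected is None or not hmac.compare_digest(expected, password):
        return EXIT_REJECTED
    # Success: hand over to the follow-up command; its status becomes the result.
    return subprocess.call(followup)


if __name__ == "__main__":
    for checker, followup in split_auth_pairs(PLESK_TAIL):
        print(checker, "->", followup)
    sample = b"michael\0s3cret\0" + b"1194975400\0"  # constructed payload
    print("exit status:", checkpassword(sample, TRUE_CMD, ACCOUNTS))
```
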
Re: [spamdyke-users] config-test does not recognize Plesk SMTP_AUTH
Hi Sam,

thank you for your very detailed answer. In fact you were right about relaylock. I removed it during my tests and forgot to add it during the config-test.

Anyway, I gave it another shot, and I'm still stuck with the same problem. I used loglevel 4 and got a warning saying:

    WARNING: command aborted abnormally: /var/qmail/bin/relaylock

This line is shown directly above the TLS Success and the SMTP-Auth Warning messages of the test:

    SUCCESS: /var/qmail/bin/relaylock appears to offer TLS support. Continue using the tls-certificate-file flag so spamdyke will be able to filter all traffic.
    WARNING: /var/qmail/bin/relaylock does not appear to offer SMTP AUTH support. Please use the smtp-auth-command flag or the smtp-auth-command-encryption flag as well as the access-file and local-domains-file flags so spamdyke will be able to authenticate users and correctly allow them to relay.

I decided to run strace and see what's happening. To me it seems like something goes wrong during the testing of the SMTP Auth capacities?

- strace excerpt -

    [ creation of the socket .]
    [pid 19807] select(2, NULL, [1], NULL, {1200, 0}) = 1 (out [1], left {1200, 0})
    [pid 19807] write(1, 220 myserver.mydomain.com ESMTP\r\n, 26 unfinished ...
    [pid 19806] ... select resumed ) = 1 (in [5], left {29, 926000})
    [pid 19807] ... write resumed ) = 26
    [pid 19806] read(5, 220 myserver.mydomain.com ESMTP\r\n, 4095) = 26
    [pid 19806] time(NULL) = 1194975400
    [pid 19806] select(5, [], [4], NULL, {30, 0}) = 1 (out [4], left {30, 0})
    [pid 19806] write(4, EHLO localhost\r\n, 16) = 16
    [pid 19806] time(NULL) = 1194975400
    [pid 19806] select(8, [5 7], [], NULL, {30, 0} unfinished ...
    [pid 19807] select(1, [0], NULL, NULL, {1200, 0}) = 1 (in [0], left {1200, 0})
    [pid 19807] read(0, EHLO localhost\r\n, 1024) = 16
    [pid 19807] select(2, NULL, [1], NULL, {1200, 0}) = 1 (out [1], left {1200, 0})
    [pid 19807] write(1, 250-myserver.mydomain.com\r\n250-STARTTLS..., 64 unfinished ...
    [pid 19806] ... select resumed ) = 1 (in [5], left {29, 999000})
    [pid 19807] ... write resumed ) = 64
    [pid 19806] read(5, 250-myserver.mydomain.com\r\n250-STARTTLS..., 4069) = 64
    [pid 19806] time(NULL) = 1194975400
    [pid 19806] select(5, [], [4], NULL, {30, 0}) = 1 (out [4], left {30, 0})
    [pid 19806] write(4, QUIT\r\n, 6) = 6
    [pid 19806] time(NULL) = 1194975400
    [pid 19806] select(8, [5 7], [], NULL, {30, 0} unfinished ...
    [pid 19807] select(1, [0], NULL, NULL, {1200, 0}) = 1 (in [0], left {1200, 0})
    [pid 19807] read(0, QUIT\r\n, 1024) = 6
    [pid 19807] select(2, NULL, [1], NULL, {1200, 0}) = 1 (out [1], left {1200, 0})
    [pid 19807] write(1, 221 myserver.mydomain.com\r\n, 20 unfinished ...
    [pid 19806] ... select resumed ) = 1 (in [5], left {30, 0})
    [pid 19807] ... write resumed ) = 20
    [pid 19806] read(5, 221 myserver.mydomain.com\r\n, 4005) = 20
    [pid 19806] time(NULL) = 1194975400
    [pid 19806] select(8, [5 7], [], NULL, {30, 0} unfinished ...
    [pid 19807] exit_group(0) = ?
    Process 19807 detached
    ... select resumed ) = 1 (in [5], left {29, 999000})
    read(5, , 3985) = 0
    close(5)= 0
    time(NULL) = 1194975400
    select(8, [7], [], NULL, {30, 0}) = 1 (in [7], left {30, 0})
    read(7, , 3985) = 0
    close(7)= 0
    time(NULL) = 1194975400
    close(4)= 0
    wait4(19807, 0x7fbfff0a5c, WNOHANG, NULL) = 0
    kill(19807, SIGKILL)= 0
    write(2, WARNING: command aborted abnorma..., 61WARNING: command aborted abnormally: /var/qmail/bin/relaylock) = 61

- strace excerpt -

I don't know if it is the right approach to the problem, but maybe it will give you some clue?

I also tried to imitate what I see in the log above by telnetting my system manually, because the strace only shows the first few bytes of each read operation:

    myserver:~ # telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 myserver.mydomain.com ESMTP
    EHLO localhost
    250-myserver.mydomain.com
    250-STARTTLS
    250-PIPELINING
    250 8BITMIME
    QUIT
    221 myserver.mydomain.com
    Connection closed by foreign host.

I'm far from being a SMTP crack, but shouldn't there be a line announcing my SMTP_AUTH capabilities as well?

bye,
Michael

Sam Clippinger wrote:

> Plesk is such a queer duck. I like its control panel but it sure does some screwy things to the system configuration.
>
> I see something in your spamdyke configuration file that could be causing the SMTP AUTH problem. You have the following line commented out:
>
>     smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
>
> This is actually two commands -- smtp_auth and cmd5checkpw. They should be given on two
Re: [spamdyke-users] config-test does not recognize Plesk SMTP_AUTH
relaylock uses the TCPREMOTEIP environment variable (set by tcpserver or tcp_env) to determine the IP address of the remote server. When spamdyke runs its configuration tests, it sets TCPREMOTEIP to 127.0.0.1. relaylock doesn't seem to offer SMTP AUTH to that IP address.

Try this -- set TCPREMOTEIP to another value:

    export TCPREMOTEIP=11.22.33.44

Then run the configuration test one more time. The SMTP AUTH test should succeed. I see this on my Plesk server when I test with your configuration file:

    spamdyke-3.1.1/spamdyke# cat config.txt
    log-level=2
    local-domains-file=/var/qmail/control/rcpthosts
    max-recipients=5
    idle-timeout-secs=60
    graylist-dir=/var/qmail/gray
    graylist-min-secs=300
    graylist-max-secs=1814400
    reject-empty-rdns
    reject-unresolvable-rdns
    reject-ip-in-cc-rdns
    greeting-delay-secs=5
    check-dnsrbl=zombie.dnsbl.sorbs.net
    check-dnsrbl=dul.dnsbl.sorbs.net
    check-dnsrbl=bogons.cymru.com
    smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true
    smtp-auth-command=/var/qmail/bin/cmd5checkpw /var/qmail/bin/true
    local-domains-file=/var/qmail/control/rcpthosts
    reject-missing-sender-mx
    hostname=v31616.vierfpeile.de
    tls-certificate-file=/var/qmail/control/servercert.pem
    spamdyke-3.1.1/spamdyke# export TCPREMOTEIP=11.22.33.44
    spamdyke-3.1.1/spamdyke# ./spamdyke -f config.txt --config-test /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
    spamdyke 3.1.1+TLS (C)2007 Sam Clippinger, samc (at) silence (dot) org
    http://www.spamdyke.org/
    Use -h for an option summary or see README.html for complete option details.
    Testing configuration...
    WARNING: Running tests as superuser root (0), group root (0). These test results may not be valid if the mail server runs as another user.
    INFO: Running command to test capabilities: /var/qmail/bin/relaylock
    WARNING: command aborted abnormally: /var/qmail/bin/relaylock
    SUCCESS: /var/qmail/bin/relaylock appears to offer TLS support. Continue using the tls-certificate-file flag so spamdyke will be able to filter all traffic.
    WARNING: /var/qmail/bin/relaylock appears to offer SMTP AUTH support but the smtp-auth-command, smtp-auth-command-encryption and/or access-file flags are in use. This is not necessary and needlessly creates extra load on the server.
    ERROR(graylist-dir): Unable to read graylist directory /var/qmail/gray: No such file or directory
    ERROR: Tests complete. Errors detected.
    spamdyke-3.1.1/spamdyke#

-- Sam Clippinger

Grimmi Meloni wrote:

> Hi Sam,
>
> thank you for your very detailed answer. In fact you were right about relaylock. I removed it during my tests and forgot to add it during the config-test.
>
> Anyway, I gave it another shot, and I'm still stuck with the same problem. I used loglevel 4 and got a warning saying:
>
>     WARNING: command aborted abnormally: /var/qmail/bin/relaylock
>
> This line is shown directly above the TLS Success and the SMTP-Auth Warning messages of the test:
>
>     SUCCESS: /var/qmail/bin/relaylock appears to offer TLS support. Continue using the tls-certificate-file flag so spamdyke will be able to filter all traffic.
>     WARNING: /var/qmail/bin/relaylock does not appear to offer SMTP AUTH support. Please use the smtp-auth-command flag or the smtp-auth-command-encryption flag as well as the access-file and local-domains-file flags so spamdyke will be able to authenticate users and correctly allow them to relay.
>
> I decided to run strace and see what's happening. To me it seems like something goes wrong during the testing of the SMTP Auth capacities?
>
> - strace excerpt -
>
>     [ creation of the socket .]
>     [pid 19807] select(2, NULL, [1], NULL, {1200, 0}) = 1 (out [1], left {1200, 0})
>     [pid 19807] write(1, 220 myserver.mydomain.com ESMTP\r\n, 26 unfinished ...
>     [pid 19806] ... select resumed ) = 1 (in [5], left {29, 926000})
>     [pid 19807] ...
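Why the capability test reported no SMTP AUTH when the connection appeared to come from 127.0.0.1: the EHLO reply in Michael's telnet session carries no AUTH line. The parser below is an added example, not spamdyke's code; the second reply, which includes AUTH lines, is constructed for comparison.

```python
import re

# EHLO reply from the telnet session in the thread (connection from 127.0.0.1).
REPLY_FROM_LOCALHOST = (
    "250-myserver.mydomain.com\r\n"
    "250-STARTTLS\r\n"
    "250-PIPELINING\r\n"
    "250 8BITMIME\r\n"
)
# Constructed reply: the same server with SMTP AUTH advertised in both spellings.
REPLY_WITH_AUTH = (
    "250-myserver.mydomain.com\r\n"
    "250-AUTH=LOGIN CRAM-MD5 PLAIN\r\n"
    "250-AUTH LOGIN CRAM-MD5 PLAIN\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)

_LINE = re.compile(r"^(\d{3})([- ])(.*)$")


def parse_ehlo(reply):
    """Return {KEYWORD: [parameters]} for a complete multi-line 250 reply."""
    caps = {}
    lines = reply.splitlines()
    for index, raw in enumerate(lines):
        match = _LINE.match(raw)
        if not match:
            raise ValueError("malformed reply line: %r" % raw)
        code, sep, text = match.groups()
        if code != "250":
            raise ValueError("EHLO refused with code " + code)
        # "250-" marks a continuation line; only the final line uses "250 ".
        is_last = index == len(lines) - 1
        if (sep == " ") != is_last:
            raise ValueError("continuation marker out of place")
        if index == 0:
            continue  # first line is the server greeting, not a capability
        # Older servers advertise "AUTH=LOGIN ..."; fold it into "AUTH LOGIN ...".
        if text.upper().startswith("AUTH="):
            text = "AUTH " + text[5:]
        words = text.upper().split()
        if not words:
            continue
        params = caps.setdefault(words[0], [])
        for word in words[1:]:
            if word not in params:
                params.append(word)
    return caps


def capability_summary(reply):
    """Report whether STARTTLS is offered and which AUTH mechanisms are listed."""
    caps = parse_ehlo(reply)
    return {"tls": "STARTTLS" in caps, "auth": caps.get("AUTH", [])}


if __name__ == "__main__":
    print("from localhost:", capability_summary(REPLY_FROM_LOCALHOST))
    print("with AUTH     :", capability_summary(REPLY_WITH_AUTH))
```
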