Re: [spamdyke-users] config-test does not recognize Plesk SMTP_AUTH
Hi Sam,
With
TCPREMOTEIP=1.2.3.4 /usr/local/bin/spamdyke -f /etc/spamdyke.conf -l4
--config-test /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd
/var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw
/var/qmail/bin/true
I get the expected result
SUCCESS: /var/qmail/bin/relaylock appears to offer SMTP AUTH support.
spamdyke will observe any authentication and trust its response.
Thanks for your support. I guess I'll just lean back and watch the spam
being held off my system for a while now... :-))
bye, Michael
Sam Clippinger wrote:
relaylock uses the TCPREMOTEIP environment variable (set by tcpserver or
tcp_env) to determine the IP address of the remote server. When
spamdyke runs its configuration tests, it sets TCPREMOTEIP to 127.0.0.1.
relaylock doesn't seem to offer SMTP AUTH to that IP address.
Try this -- set TCPREMOTEIP to another value:
export TCPREMOTEIP=11.22.33.44
Then run the configuration test one more time. The SMTP AUTH test
should succeed.
I see this on my Plesk server when I test with your configuration file:
spamdyke-3.1.1/spamdyke# cat config.txt
log-level=2
local-domains-file=/var/qmail/control/rcpthosts
max-recipients=5
idle-timeout-secs=60
graylist-dir=/var/qmail/gray
graylist-min-secs=300
graylist-max-secs=1814400
reject-empty-rdns
reject-unresolvable-rdns
reject-ip-in-cc-rdns
greeting-delay-secs=5
check-dnsrbl=zombie.dnsbl.sorbs.net
check-dnsrbl=dul.dnsbl.sorbs.net
check-dnsrbl=bogons.cymru.com
smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true
smtp-auth-command=/var/qmail/bin/cmd5checkpw /var/qmail/bin/true
local-domains-file=/var/qmail/control/rcpthosts
reject-missing-sender-mx
hostname=v31616.vierfpeile.de
tls-certificate-file=/var/qmail/control/servercert.pem
spamdyke-3.1.1/spamdyke# export TCPREMOTEIP=11.22.33.44
spamdyke-3.1.1/spamdyke# ./spamdyke -f config.txt --config-test
/var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd
/var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw
/var/qmail/bin/true
spamdyke 3.1.1+TLS (C)2007 Sam Clippinger, samc (at) silence (dot) org
http://www.spamdyke.org/
Use -h for an option summary or see README.html for complete option details.
Testing configuration...
WARNING: Running tests as superuser root (0), group root (0). These test
results may not be valid if the mail server runs as another user.
INFO: Running command to test capabilities: /var/qmail/bin/relaylock
WARNING: command aborted abnormally: /var/qmail/bin/relaylock
SUCCESS: /var/qmail/bin/relaylock appears to offer TLS support. Continue
using the tls-certificate-file flag so spamdyke will be able to filter
all traffic.
WARNING: /var/qmail/bin/relaylock appears to offer SMTP AUTH support but
the smtp-auth-command, smtp-auth-command-encryption and/or
access-file flags are in use. This is not necessary and needlessly
creates extra load on the server.
ERROR(graylist-dir): Unable to read graylist directory /var/qmail/gray:
No such file or directory
ERROR: Tests complete. Errors detected.
spamdyke-3.1.1/spamdyke#
-- Sam Clippinger
Grimmi Meloni wrote:
Hi Sam,
thank you for your very detailed answer. In fact you were right about
relaylock. I removed it during my tests and forgot to add it during the
config-test. Anyway, I gave it another shot, and I'm still stuck with
the same problem. I used loglevel 4 and got a warning saying:
WARNING: command aborted abnormally: /var/qmail/bin/relaylock
This line is shown directly above the TLS Success and the SMTP-Auth
Warning messages of the test:
SUCCESS: /var/qmail/bin/relaylock appears to offer TLS support. Continue
using the tls-certificate-file flag so spamdyke will be able to filter
all traffic.
WARNING: /var/qmail/bin/relaylock does not appear to offer SMTP AUTH
support. Please use the smtp-auth-command flag or the
smtp-auth-command-encryption flag as well as the access-file and
local-domains-file flags so spamdyke will be able to authenticate
users and correctly allow them to relay.
I decided to run strace and see what's happening. To me it seems like
something goes wrong during the testing of the SMTP Auth capacities?
- strace excerpt -
[ creation of the socket .]
[pid 19807] select(2, NULL, [1], NULL, {1200, 0}) = 1 (out [1], left
{1200, 0})
[pid 19807] write(1, 220 myserver.mydomain.com ESMTP\r\n, 26
unfinished ...
[pid 19806] ... select resumed ) = 1 (in [5], left {29, 926000})
[pid 19807] ... write resumed ) = 26
[pid 19806] read(5, 220 myserver.mydomain.com ESMTP\r\n, 4095) = 26
[pid 19806] time(NULL) = 1194975400
[pid 19806] select(5, [], [4], NULL, {30, 0}) = 1 (out [4], left {30, 0})
[pid 19806] write(4, EHLO localhost\r\n, 16) = 16
[pid 19806] time(NULL)
[spamdyke-users] config-test does not recognize Plesk SMTP_AUTH
Hi, I've been using spamdyke for about 2 weeks now, and I'm quite satisfied with the results. Thanks for this great tool. As the subject states, I'm running a Plesk 8.1 based system. Today I upgraded from the 2.6.3 version, to the 3.1.0. The good news is: I got everything working so far. But what made me curious are two things: With the old 2.6.3 I could use the --smtp-auth-command option, with the new 3.1.0 this does not work anymore. Not working anymore in this case means, that I have to remove this option or my client gets an error message. In the logs it looks like authentication is tried twice. Really weired, but since Plesk delivers a SMTP_AUTH capable server, this is no problem - at least my relaying tests all failed when not authenticated. So I think I'm still good. During the trial and error phase of this, I ran the --config-test option of spamdyke. Although smtp authentication works, the config-test gives me this warning: WARNING: /var/qmail/bin/qmail-smtpd does not appear to offer SMTP AUTH support. Please use the smtp-auth-command flag or the smtp-auth-command-encryption flag as well as the access-file and local-domains-file flags so spamdyke will be able to authenticate users and correctly allow them to relay. Now I'm wondering why this warning occurs at all. Is it a misconfiguration on my part, or just the config-test failing to detect the SMTP AUTH capabilities of my qmail_smtpd? bye, Michael P.S.: Although offtopic: Can anybody point me to a place where the commandline of qmail_smtpd is explained? Basically I would like to know, why /var/qmail/bin/true has to be in the commandline twice, or even better, what qmail_smtpd in general does with it's parameters? Thanks. - my spamdyke.conf log-level=2 local-domains-file=/var/qmail/control/rcpthosts max-recipients=5 idle-timeout-secs=60 graylist-dir=/var/qmail/gray graylist-min-secs=300 graylist-max-secs=1814400 reject-empty-rdns reject-unresolvable-rdns reject-ip-in-cc-rdns greeting-delay-secs=5 check-dnsrbl=zombie.dnsbl.sorbs.net check-dnsrbl=dul.dnsbl.sorbs.net check-dnsrbl=bogons.cymru.com #smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true local-domains-file=/var/qmail/control/rcpthosts reject-missing-sender-mx hostname=v31616.vierfpeile.de tls-certificate-file=/var/qmail/control/servercert.pem ---end my spamdyke.conf my xinetd.d config for smtp_psa - server = /var/qmail/bin/tcp-env server_args = -Rt0 /usr/local/bin/spamdyke -f /etc/spamdyke.conf /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true my xinetd.d config for smtp_psa - ___ spamdyke-users mailing list spamdyke-users@spamdyke.org http://www.spamdyke.org/mailman/listinfo/spamdyke-users
Re: [spamdyke-users] config-test does not recognize Plesk SMTP_AUTH
Plesk is such a queer duck. I like its control panel but it sure does some screwy things to the system configuration. I see something in your spamdyke configuration file that could be causing the SMTP AUTH problem. You have the following line commented out: smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true This is actually two commands -- smtp_auth and cmd5checkpw. They should be given on two separate lines and they should offer encrypted authentication: smtp-auth-command-encryption=/var/qmail/bin/smtp_auth /var/qmail/bin/true smtp-auth-command-encryption=/var/qmail/bin/cmd5checkpw /var/qmail/bin/true I suspect the authentication is failing because cmd5checkpw is the program that can actually process your credentials but it's not being started (because your configuration file lists it as a parameter to smtp_auth). However, you're correct that you don't need it with 3.0.0 and later -- spamdyke now automatically detects successful authentication without running the commands itself. Next, your config-test is giving strange results because you probably used this command: spamdyke -f /etc/spamdyke.conf /var/qmail/bin/qmail-smtpd Plesk doesn't patch qmail-smtpd to provide SMTP AUTH, so spamdyke can't see it. Instead, Plesk uses relaylock for that purpose. You should really test with: spamdyke -f /etc/spamdyke.conf /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true With that command line, the SMTP AUTH banners will appear and spamdyke won't complain about it any more. So in summary, you can either use Plesk's relaylock OR you can use spamdyke's smtp-auth-command-encryption directive. Using both is unnecessary and wastes server resources. If you have some users (or servers) that need to relay without authenticating, continue using relaylock. If you don't, create an empty access file and use spamdyke's smtp-auth-command-encryption and access-file instead of relaylock. It's a bit more efficient. To answer your last question about qmail-smtpd's command line, it doesn't have one by default. Most of the time, when you see command line options passed to qmail-smtpd, you're looking at a patched version of qmail-smtpd. (In Plesk's case, the extra options are not parameters to qmail-smtpd, they're actually parameters to relaylock.) Typically, any parameters are commands to process SMTP AUTH attempts. The authentication commands always come in pairs -- the auth command and a true command. This is a holdover from DJB's original checkpassword program, which runs the second command if the authentication is successful. I think his intent was that successful authentications could have side-effects, such as logging or unlocking resources. The password-checking program could be generic (i.e. only check the password) and the second command could perform the side-effect. In practice, this hasn't happened. People have simply written password-checking programs that perform the side-effects internally. true is used as the side-effect command because it's small and fast. For more information on checkpassword (but not much more), see DJB's site: http://cr.yp.to/checkpwd/interface.html -- Sam Clippinger Grimmi Meloni wrote: Hi, I've been using spamdyke for about 2 weeks now, and I'm quite satisfied with the results. Thanks for this great tool. As the subject states, I'm running a Plesk 8.1 based system. Today I upgraded from the 2.6.3 version, to the 3.1.0. The good news is: I got everything working so far. But what made me curious are two things: With the old 2.6.3 I could use the --smtp-auth-command option, with the new 3.1.0 this does not work anymore. Not working anymore in this case means, that I have to remove this option or my client gets an error message. In the logs it looks like authentication is tried twice. Really weired, but since Plesk delivers a SMTP_AUTH capable server, this is no problem - at least my relaying tests all failed when not authenticated. So I think I'm still good. During the trial and error phase of this, I ran the --config-test option of spamdyke. Although smtp authentication works, the config-test gives me this warning: WARNING: /var/qmail/bin/qmail-smtpd does not appear to offer SMTP AUTH support. Please use the smtp-auth-command flag or the smtp-auth-command-encryption flag as well as the access-file and local-domains-file flags so spamdyke will be able to authenticate users and correctly allow them to relay. Now I'm wondering why this warning occurs at all. Is it a misconfiguration on my part, or just the config-test failing to detect the SMTP AUTH capabilities of my qmail_smtpd? bye, Michael P.S.: Although offtopic: Can anybody point me to a place where the commandline of qmail_smtpd is
Re: [spamdyke-users] config-test does not recognize Plesk SMTP_AUTH
Hi Sam,
thank you for your very detailed answer. In fact you were right about
relaylock. I removed it during my tests and forgot to add it during the
config-test. Anyway, I gave it another shot, and I'm still stuck with
the same problem. I used loglevel 4 and got a warning saying:
WARNING: command aborted abnormally: /var/qmail/bin/relaylock
This line is shown directly above the TLS Success and the SMTP-Auth
Warning messages of the test:
SUCCESS: /var/qmail/bin/relaylock appears to offer TLS support. Continue
using the tls-certificate-file flag so spamdyke will be able to filter
all traffic.
WARNING: /var/qmail/bin/relaylock does not appear to offer SMTP AUTH
support. Please use the smtp-auth-command flag or the
smtp-auth-command-encryption flag as well as the access-file and
local-domains-file flags so spamdyke will be able to authenticate
users and correctly allow them to relay.
I decided to run strace and see what's happening. To me it seems like
something goes wrong during the testing of the SMTP Auth capacities?
- strace excerpt -
[ creation of the socket .]
[pid 19807] select(2, NULL, [1], NULL, {1200, 0}) = 1 (out [1], left
{1200, 0})
[pid 19807] write(1, 220 myserver.mydomain.com ESMTP\r\n, 26
unfinished ...
[pid 19806] ... select resumed ) = 1 (in [5], left {29, 926000})
[pid 19807] ... write resumed ) = 26
[pid 19806] read(5, 220 myserver.mydomain.com ESMTP\r\n, 4095) = 26
[pid 19806] time(NULL) = 1194975400
[pid 19806] select(5, [], [4], NULL, {30, 0}) = 1 (out [4], left {30, 0})
[pid 19806] write(4, EHLO localhost\r\n, 16) = 16
[pid 19806] time(NULL) = 1194975400
[pid 19806] select(8, [5 7], [], NULL, {30, 0} unfinished ...
[pid 19807] select(1, [0], NULL, NULL, {1200, 0}) = 1 (in [0], left
{1200, 0})
[pid 19807] read(0, EHLO localhost\r\n, 1024) = 16
[pid 19807] select(2, NULL, [1], NULL, {1200, 0}) = 1 (out [1], left
{1200, 0})
[pid 19807] write(1, 250-myserver.mydomain.com\r\n250-STARTTLS..., 64
unfinished ...
[pid 19806] ... select resumed ) = 1 (in [5], left {29, 999000})
[pid 19807] ... write resumed ) = 64
[pid 19806] read(5, 250-myserver.mydomain.com\r\n250-STARTTLS...,
4069) = 64
[pid 19806] time(NULL) = 1194975400
[pid 19806] select(5, [], [4], NULL, {30, 0}) = 1 (out [4], left {30, 0})
[pid 19806] write(4, QUIT\r\n, 6) = 6
[pid 19806] time(NULL) = 1194975400
[pid 19806] select(8, [5 7], [], NULL, {30, 0} unfinished ...
[pid 19807] select(1, [0], NULL, NULL, {1200, 0}) = 1 (in [0], left
{1200, 0})
[pid 19807] read(0, QUIT\r\n, 1024) = 6
[pid 19807] select(2, NULL, [1], NULL, {1200, 0}) = 1 (out [1], left
{1200, 0})
[pid 19807] write(1, 221 myserver.mydomain.com\r\n, 20 unfinished ...
[pid 19806] ... select resumed ) = 1 (in [5], left {30, 0})
[pid 19807] ... write resumed ) = 20
[pid 19806] read(5, 221 myserver.mydomain.com\r\n, 4005) = 20
[pid 19806] time(NULL) = 1194975400
[pid 19806] select(8, [5 7], [], NULL, {30, 0} unfinished ...
[pid 19807] exit_group(0) = ?
Process 19807 detached
... select resumed ) = 1 (in [5], left {29, 999000})
read(5, , 3985) = 0
close(5)= 0
time(NULL) = 1194975400
select(8, [7], [], NULL, {30, 0}) = 1 (in [7], left {30, 0})
read(7, , 3985) = 0
close(7)= 0
time(NULL) = 1194975400
close(4)= 0
wait4(19807, 0x7fbfff0a5c, WNOHANG, NULL) = 0
kill(19807, SIGKILL)= 0
write(2, WARNING: command aborted abnorma..., 61WARNING: command
aborted abnormally: /var/qmail/bin/relaylock) = 61
- strace excerpt -
I don't know if it is the right approach to the problem, but maybe it
will give you some clue?
I also tried to imitate what I see in the log above by telnetting my
system manually, because the strace only shows the first few bytes of
each read operation:
myserver:~ # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 myserver.mydomain.com ESMTP
EHLO localhost
250-myserver.mydomain.com
250-STARTTLS
250-PIPELINING
250 8BITMIME
QUIT
221 myserver.mydomain.com
Connection closed by foreign host.
I'm far from being a SMTP crack, but shouldn't there be a line
announcing my SMTP_AUTH capabilities as well?
bye, Michael
Sam Clippinger wrote:
Plesk is such a queer duck. I like its control panel but it sure does
some screwy things to the system configuration.
I see something in your spamdyke configuration file that could be
causing the SMTP AUTH problem. You have the following line commented out:
smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true
/var/qmail/bin/cmd5checkpw /var/qmail/bin/true
This is actually two commands -- smtp_auth and cmd5checkpw. They should
be given on two
Re: [spamdyke-users] config-test does not recognize Plesk SMTP_AUTH
relaylock uses the TCPREMOTEIP environment variable (set by tcpserver or
tcp_env) to determine the IP address of the remote server. When
spamdyke runs its configuration tests, it sets TCPREMOTEIP to 127.0.0.1.
relaylock doesn't seem to offer SMTP AUTH to that IP address.
Try this -- set TCPREMOTEIP to another value:
export TCPREMOTEIP=11.22.33.44
Then run the configuration test one more time. The SMTP AUTH test
should succeed.
I see this on my Plesk server when I test with your configuration file:
spamdyke-3.1.1/spamdyke# cat config.txt
log-level=2
local-domains-file=/var/qmail/control/rcpthosts
max-recipients=5
idle-timeout-secs=60
graylist-dir=/var/qmail/gray
graylist-min-secs=300
graylist-max-secs=1814400
reject-empty-rdns
reject-unresolvable-rdns
reject-ip-in-cc-rdns
greeting-delay-secs=5
check-dnsrbl=zombie.dnsbl.sorbs.net
check-dnsrbl=dul.dnsbl.sorbs.net
check-dnsrbl=bogons.cymru.com
smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true
smtp-auth-command=/var/qmail/bin/cmd5checkpw /var/qmail/bin/true
local-domains-file=/var/qmail/control/rcpthosts
reject-missing-sender-mx
hostname=v31616.vierfpeile.de
tls-certificate-file=/var/qmail/control/servercert.pem
spamdyke-3.1.1/spamdyke# export TCPREMOTEIP=11.22.33.44
spamdyke-3.1.1/spamdyke# ./spamdyke -f config.txt --config-test
/var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd
/var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw
/var/qmail/bin/true
spamdyke 3.1.1+TLS (C)2007 Sam Clippinger, samc (at) silence (dot) org
http://www.spamdyke.org/
Use -h for an option summary or see README.html for complete option details.
Testing configuration...
WARNING: Running tests as superuser root (0), group root (0). These test
results may not be valid if the mail server runs as another user.
INFO: Running command to test capabilities: /var/qmail/bin/relaylock
WARNING: command aborted abnormally: /var/qmail/bin/relaylock
SUCCESS: /var/qmail/bin/relaylock appears to offer TLS support. Continue
using the tls-certificate-file flag so spamdyke will be able to filter
all traffic.
WARNING: /var/qmail/bin/relaylock appears to offer SMTP AUTH support but
the smtp-auth-command, smtp-auth-command-encryption and/or
access-file flags are in use. This is not necessary and needlessly
creates extra load on the server.
ERROR(graylist-dir): Unable to read graylist directory /var/qmail/gray:
No such file or directory
ERROR: Tests complete. Errors detected.
spamdyke-3.1.1/spamdyke#
-- Sam Clippinger
Grimmi Meloni wrote:
Hi Sam,
thank you for your very detailed answer. In fact you were right about
relaylock. I removed it during my tests and forgot to add it during the
config-test. Anyway, I gave it another shot, and I'm still stuck with
the same problem. I used loglevel 4 and got a warning saying:
WARNING: command aborted abnormally: /var/qmail/bin/relaylock
This line is shown directly above the TLS Success and the SMTP-Auth
Warning messages of the test:
SUCCESS: /var/qmail/bin/relaylock appears to offer TLS support. Continue
using the tls-certificate-file flag so spamdyke will be able to filter
all traffic.
WARNING: /var/qmail/bin/relaylock does not appear to offer SMTP AUTH
support. Please use the smtp-auth-command flag or the
smtp-auth-command-encryption flag as well as the access-file and
local-domains-file flags so spamdyke will be able to authenticate
users and correctly allow them to relay.
I decided to run strace and see what's happening. To me it seems like
something goes wrong during the testing of the SMTP Auth capacities?
- strace excerpt -
[ creation of the socket .]
[pid 19807] select(2, NULL, [1], NULL, {1200, 0}) = 1 (out [1], left
{1200, 0})
[pid 19807] write(1, 220 myserver.mydomain.com ESMTP\r\n, 26
unfinished ...
[pid 19806] ... select resumed ) = 1 (in [5], left {29, 926000})
[pid 19807] ... write resumed ) = 26
[pid 19806] read(5, 220 myserver.mydomain.com ESMTP\r\n, 4095) = 26
[pid 19806] time(NULL) = 1194975400
[pid 19806] select(5, [], [4], NULL, {30, 0}) = 1 (out [4], left {30, 0})
[pid 19806] write(4, EHLO localhost\r\n, 16) = 16
[pid 19806] time(NULL) = 1194975400
[pid 19806] select(8, [5 7], [], NULL, {30, 0} unfinished ...
[pid 19807] select(1, [0], NULL, NULL, {1200, 0}) = 1 (in [0], left
{1200, 0})
[pid 19807] read(0, EHLO localhost\r\n, 1024) = 16
[pid 19807] select(2, NULL, [1], NULL, {1200, 0}) = 1 (out [1], left
{1200, 0})
[pid 19807] write(1, 250-myserver.mydomain.com\r\n250-STARTTLS..., 64
unfinished ...
[pid 19806] ... select resumed ) = 1 (in [5], left {29, 999000})
[pid 19807] ... write resumed ) = 64
[pid 19806] read(5, 250-myserver.mydomain.com\r\n250-STARTTLS...,
4069) = 64
[pid 19806] time(NULL)
