Re: [spamdyke-users] Infinite loop of logged errors: unable to read from SSL/TLS stream

2020-06-25 Thread Quinn Comendant via spamdyke-users
Hi Sam,

Thanks for the thorough reply. 

On 25 Jun 2020 14:50:55, Sam Clippinger via spamdyke-users wrote:
> If tls_read() encountered an error in the 
> OpenSSL library and didn't actually read any data, spamdyke's main 
> loop would see data waiting and call tls_read() again.  That could 
> cause an infinite loop.

I'll upgrade spamdyke, and hope the fix was done.

> There are a few things you could try.  As Bucky Carr pointed out, the 
> softlimit program causes all kinds of problems and leads to very 
> strange errors and crashes.

What are your thoughts on the RCE in qmail that I mentioned in my other email?  
I'll try raising the memory limit a bit.

> You could also try upgrading OpenSSL.

That's the latest version provided by the distro, which has an EOL Nov 30 of 
this year. Rebuilding the server on a new distro is on my todo list.

Thanks again,

Quinn
___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
https://spamdyke.org/mailman/listinfo/spamdyke-users
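
As an added example (not spamdyke's code, and not from Sam or Quinn), here is the read-loop defect Sam describes above, modelled with a scripted stand-in for the TLS layer: `drain_buggy` logs a failed read and goes straight back to polling, so a socket that stays readable produces one log line per iteration, while `drain_fixed` treats a fatal library error as the end of the connection and only retries the legitimate WANT_READ case. The class names, the exception split and the sample plaintext are assumptions of this example; only the error code string is taken from the thread.

```python
# Added example (not spamdyke's code): a readiness-driven read loop that treats a
# failed TLS read as retryable, next to one that treats it as terminal. The TLS
# layer is replaced by a scripted stand-in so the behaviour can be shown offline.

MAX_SPIN = 1000  # safety cap so the buggy loop terminates in this demo


class TLSError(Exception):
    """Base class for the two kinds of non-data results a TLS read can give."""


class TLSWantRead(TLSError):
    """Retryable: the library needs more bytes from the socket before it can
    return plaintext (SSL_ERROR_WANT_READ in OpenSSL terms)."""


class TLSFatal(TLSError):
    """Terminal: the library reported a protocol or library failure and no
    data was delivered (SSL_ERROR_SSL in OpenSSL terms)."""


class ScriptedStream:
    """Stand-in for the TLS layer. Each read() returns the next scripted item:
    bytes = plaintext delivered, b'' = clean EOF, an exception = raised as is.
    The last item repeats forever, and readable() is always True, like a socket
    that select() keeps reporting as readable after the session is broken."""

    def __init__(self, script):
        self.script = list(script)
        self.calls = 0

    def readable(self):
        return True

    def read(self):
        item = self.script[min(self.calls, len(self.script) - 1)]
        self.calls += 1
        if isinstance(item, BaseException):
            raise item
        return item


def drain_buggy(stream, log):
    """Log every failed read and go straight back to polling. Because the fd
    is still readable and the session state never changes, the same fatal
    error repeats on every iteration: the log flood described in the thread."""
    received = bytearray()
    failures = 0
    while stream.readable():
        try:
            chunk = stream.read()
        except TLSError as exc:
            log.append(f"ERROR: unable to read from SSL/TLS stream: {exc}")
            failures += 1
            if failures >= MAX_SPIN:
                return "spun_out", bytes(received)
            continue  # the defect: nothing is reset or closed before the next poll
        if chunk == b"":
            return "eof", bytes(received)
        received += chunk
    return "eof", bytes(received)


def drain_fixed(stream, log):
    """Distinguish the two failure kinds: WANT_READ is retried after the next
    readiness event, a fatal library error is logged once and ends the loop so
    the caller closes the connection."""
    received = bytearray()
    while stream.readable():
        try:
            chunk = stream.read()
        except TLSWantRead:
            continue  # legitimate: wait for the socket to become readable again
        except TLSFatal as exc:
            log.append(f"ERROR: unable to read from SSL/TLS stream: {exc}")
            return "error", bytes(received)
        if chunk == b"":
            return "eof", bytes(received)
        received += chunk
    return "eof", bytes(received)


def scenario(drain):
    """Run one loop against a constructed session: two chunks of plaintext, then
    a persistent library error carrying the code quoted in the thread."""
    stream = ScriptedStream([
        b"EHLO ", b"client.example\r\n",
        TLSFatal("error:140800FF:lib(20):func(128):reason(255)"),
    ])
    log = []
    status, data = drain(stream, log)
    return status, data, len(log)


def want_read_scenario():
    """The fixed loop must not treat a WANT_READ as fatal."""
    stream = ScriptedStream([TLSWantRead(), b"250 OK\r\n", b""])
    log = []
    status, data = drain_fixed(stream, log)
    return status, data, len(log)


if __name__ == "__main__":
    print("buggy:", scenario(drain_buggy))
    print("fixed:", scenario(drain_fixed))
```

Run stand-alone, the buggy loop stops only because of the `MAX_SPIN` cap and reports one log line per spin; the fixed loop returns after a single log line with the same plaintext received.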


Re: [spamdyke-users] Infinite loop of logged errors: unable to read from SSL/TLS stream

2020-06-25 Thread Quinn Comendant via spamdyke-users
On 24 Jun 2020 23:36:44, Quinn Comendant via spamdyke-users wrote:
> I thought it was a fluke, since I had never seen this in the decade+ 
> I've been managing this server.

Actually, there were a few single instances of this error outside of the 34 
seconds when it blew up. I found four:

  2020-06-25 06:11:16.154545500 spamdyke[20782]: ERROR: unable to start SSL/TLS 
connection: A protocol or library failure occurred, 
error:1408A0C1:lib(20):func(138):reason(193)
  […]
  2020-06-25 11:56:18.666164500 spamdyke[14604]: ERROR: unable to start SSL/TLS 
connection: A protocol or library failure occurred, 
error:1408A0C1:lib(20):func(138):reason(193)
  […]
  2020-06-25 15:19:02.951764500 spamdyke[18632]: ERROR: unable to start SSL/TLS 
connection: A protocol or library failure occurred, 
error:1408A0C1:lib(20):func(138):reason(193)
  […]
  2020-06-25 15:19:13.346393500 spamdyke[18701]: ERROR: unable to start SSL/TLS 
connection: A protocol or library failure occurred, 
error:14094412:lib(20):func(148):reason(1042)

I notice that the reason codes (`reason(193)` and `reason(1042)`) are different 
than the reason in the other 2.8 million lines logged (`reason(255)`). I'm 
guessing those are openssl error codes?

Quinn
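
An added example, not spamdyke's or OpenSSL's code, for the question above: the `error:XXXXXXXX` value is OpenSSL 1.0.x's packed error code, and the `lib()/func()/reason()` triple on the same line is that value split into its 8/12/12-bit fields. The decoder below parses spamdyke's log format, checks that the packed code and the printed triple agree, names the three function and reason codes that occur in this thread (taken from OpenSSL 1.0.x's ssl.h; the tables are deliberately limited to those), and counts codes so the rare ones stand out from a flood. The sample log is constructed from the codes quoted in the thread; the timestamps and PIDs on its first two lines are invented.

```python
import re
from collections import Counter

# Added example, not spamdyke's or OpenSSL's code. It unpacks the numeric
# "error:XXXXXXXX" codes that OpenSSL 1.0.x writes (ERR_PACK: 8-bit library,
# 12-bit function, 12-bit reason) and cross-checks them against the
# lib()/func()/reason() triple spamdyke prints on the same line.

ERR_LIB_SSL = 20  # ERR_LIB_SSL in OpenSSL's err.h

# Name tables restricted to the codes that occur in the thread, taken from
# OpenSSL 1.0.x ssl.h; anything else is reported numerically.
SSL_FUNCS = {
    128: "SSL3_ACCEPT",
    138: "SSL3_GET_CLIENT_HELLO",
    148: "SSL3_READ_BYTES",
}
SSL_REASONS = {
    193: "no shared cipher",              # SSL_R_NO_SHARED_CIPHER
    255: "unknown state",                 # SSL_R_UNKNOWN_STATE
    1042: "sslv3 alert bad certificate",  # SSL_AD_REASON_OFFSET (1000) + alert 42
}

LINE_RE = re.compile(
    r"error:([0-9A-Fa-f]{8}):lib\((\d+)\):func\((\d+)\):reason\((\d+)\)"
)


def unpack_error(code):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    code &= 0xFFFFFFFF
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def decode_log_line(line):
    """Describe the OpenSSL error on one spamdyke log line, or None if there is none."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = unpack_error(code)
    logged = tuple(int(x) for x in m.group(2, 3, 4))
    in_ssl = lib == ERR_LIB_SSL
    return {
        "code": m.group(1).upper(),
        "lib": lib,
        "func": func,
        "reason": reason,
        # False means the packed code and the printed triple disagree, i.e. the
        # line is corrupt or was produced by a different OpenSSL packing scheme.
        "consistent": (lib, func, reason) == logged,
        "func_name": SSL_FUNCS.get(func) if in_ssl else None,
        "reason_text": SSL_REASONS.get(reason) if in_ssl else None,
        # In the SSL library, reasons 1000..1255 are TLS alerts received from the peer.
        "tls_alert": reason - 1000 if in_ssl and 1000 <= reason <= 1255 else None,
    }


def summarize(log_text):
    """Count distinct codes so the handful of rare ones stand out from a flood."""
    counts = Counter()
    for line in log_text.splitlines():
        info = decode_log_line(line)
        if info is not None:
            counts[info["code"]] += 1
    return counts


# Constructed sample: the codes are the ones quoted in the thread; the
# timestamps and PIDs on the first two lines are invented for the demo.
SAMPLE_LOG = """\
2020-06-25 03:47:58.100000000 spamdyke[4875]: ERROR: unable to read from SSL/TLS stream: A protocol or library failure occurred, error:140800FF:lib(20):func(128):reason(255)
2020-06-25 03:47:58.100100000 spamdyke[4875]: ERROR: unable to read from SSL/TLS stream: A protocol or library failure occurred, error:140800FF:lib(20):func(128):reason(255)
2020-06-25 06:11:16.154545500 spamdyke[20782]: ERROR: unable to start SSL/TLS connection: A protocol or library failure occurred, error:1408A0C1:lib(20):func(138):reason(193)
2020-06-25 15:19:13.346393500 spamdyke[18701]: ERROR: unable to start SSL/TLS connection: A protocol or library failure occurred, error:14094412:lib(20):func(148):reason(1042)
"""

if __name__ == "__main__":
    first_seen = {}
    for entry in SAMPLE_LOG.splitlines():
        info = decode_log_line(entry)
        if info is not None:
            first_seen.setdefault(info["code"], info)
    for code, n in summarize(SAMPLE_LOG).most_common():
        i = first_seen[code]
        print(f"{code} x{n}: lib={i['lib']} func={i['func']} ({i['func_name']}) "
              f"reason={i['reason']} ({i['reason_text']}) consistent={i['consistent']}")
```

From the command line, `openssl errstr 1408A0C1` prints the same decoding, provided the openssl binary is the same major version as the library that logged it: OpenSSL 3.x no longer packs a function code, so its reading of a 1.0.x code will not match what the server logged.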


Re: [spamdyke-users] Infinite loop of logged errors: unable to read from SSL/TLS stream

2020-06-25 Thread Quinn Comendant via spamdyke-users
Hi Bucky,

On 25 Jun 2020 07:12:27, Bucky Carr via spamdyke-users wrote:
> Do you need to use 'softlimit'?

Yes, using softlimit to restrict process memory limit is useful, and in fact 
necessary to prevent this remotely-exploitable vulnerability in qmail:

https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt

“TLDR: In 2005, three vulnerabilities were discovered in qmail but were
never fixed because they were believed to be unexploitable in a default
installation. We recently re-discovered these vulnerabilities and were
able to exploit one of them remotely in a default installation.”

The RCE can be mitigated by:

- using softlimit to restrict process memory limit, even on qmail-local
- configuring databytes to limit email message size,

or by applying the patches included in the article linked above. 

Quinn


[spamdyke-users] Infinite loop of logged errors: unable to read from SSL/TLS stream

2020-06-24 Thread Quinn Comendant via spamdyke-users
Hello all,

Recently, I checked the smtp log files of my qmailtoaster server, and found 
millions of copies of the following error message written to the smtp log:

  spamdyke[4875]: ERROR: unable to read from SSL/TLS stream: A protocol or 
library failure occurred, error:140800FF:lib(20):func(128):reason(255)

I restarted the mail-related services (qmailctl stop && qmailctl start), and 
the errors stopped. I thought it was a fluke, since I had never seen this in 
the decade+ I've been managing this server. However, a few days later, I found 
the same thing. Again, I restarted and the errors stopped.

The really weird thing is that all the errors that were logged (~ 2.8 million 
lines) occurred over 34 seconds (from 2020-06-25 03:47:58 to 2020-06-25 
03:48:36)! I'd guess that only *one* error occurred (memory error? 
buffer-overrun?) which somehow caused an infinite loop of logging. 

Although the last logged error was at 2020-06-25 03:48:36, I didn't discover 
the issue until 2020-06-25 04:10, which means there was at least a 20 minute 
delay between when the log line was time-stamped and when the line was finally 
added to the log (perhaps caused by IO constraints).

So there are a couple of issues I'm worried about:

1. why did spamdyke get stuck in an infinite loop?
2. what caused this error in the first place?

Versions:

  OpenSSL 1.0.1e-fips 11 Feb 2013
  spamdyke 4.3.1+TLS+CONFIGTEST+DEBUG+EXCESSIVE

Spamdyke is executed via the /var/qmail/supervise/smtp/run file:

  QMAILDUID=`id -u vpopmail`
  NOFILESGID=`id -g vpopmail`
  MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
  SPAMDYKE="/usr/bin/spamdyke"
  SPAMDYKE_CONF="/etc/spamdyke.conf"
  SMTPD="/var/qmail/bin/qmail-smtpd"
  TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
  HOSTNAME=`hostname`
  VCHKPW="/home/vpopmail/bin/vchkpw"
  REQUIRE_AUTH=0
  
  exec /usr/bin/softlimit -m 9900 \
   /usr/bin/tcpserver -R -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
   -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
   $SPAMDYKE --config-file $SPAMDYKE_CONF \
   $SMTPD $VCHKPW /bin/true 2>&1

Thanks!



Re: [spamdyke-users] SERVFAIL on dns-server-ip-primary does not fail-over

2019-03-13 Thread Quinn Comendant via spamdyke-users
Hi Sam,

Thanks for the thorough reply. 

How does spamdyke know "If a response is received, [use it and stop]"? During a 
NXDOMAIN and SERVFAIL, no "response" is received (the ANSWER section of the DNS 
response is empty). If the response is empty, doesn't spamdyke then try the 
next name server? Or, can it detect that a response was received successfully, 
just empty?

A setting that rotates between name servers would be very helpful. Spamassassin 
offers this already with its `dns_options rotate` option. Distributing load 
between name servers helps them stay within the limits of DNSBL query limits, 
(i.e., URIBL_BLOCKED).

Quinn


On 13 Mar 2019 13:52:11, Sam Clippinger via spamdyke-users wrote:
> Sorry, I missed your earlier email.  I'll try to answer both questions here.
> 
> Unless you're setting spamdyke's dns-level option, it should be using 
> the primary servers in order, followed by the secondary servers in 
> order, every time it runs.  If you're just setting the three DNS 
> servers and not using any other dns-* options, the logic should look 
> like this:
>   Total DNS query time is 30 seconds (override with dns-timeout-secs)
>   Max number of DNS queries to primary servers before using 
> secondaries is 1 (override with dns-max-retries-primary)
>   Max number of DNS queries total is 3 (override with 
> dns-max-retries-total)
>   Send query packet to 127.0.0.1, wait 10 seconds for a response 
> (total query time divided by max number of queries)
>   If a response is received, use it and stop.
>   Send query packet to 10.128.0.9, wait 10 seconds for a response
>   If a response is received, use it and stop.
>   The number of queries to primary servers is greater than 1, start 
> using secondaries as well
>   Send query packet to 169.254.169.254, wait 10 seconds for a response
>   If a response is received, use it.  Otherwise exit with no response.
> Randomizing the order of the servers would probably be a good idea 
> (or option).  I think I didn't do that because I was trying to 
> imitate the behavior of the system resolver library, which uses the 
> servers in /etc/resolv.conf in order every time.
> 
> Looking at the code in dns.c, spamdyke treats an empty response as 
> "not found" and doesn't check whether it was due to SERVFAIL or 
> NXDOMAIN.  If memory serves, I did this because there's no real 
> difference between them as far as spamdyke is concerned.  In other 
> words, NXDOMAIN means the domain doesn't exist at all while SERVFAIL 
> means the domain exists but no records can be found (usually because 
> the authoritative servers aren't responding).  Either way, the mail 
> should be rejected with a temporary code so the sender will try again 
> later (hoping the problem will resolve itself in the meantime).  If 
> the problem persists long enough, the message(s) may bounce.  
> Unfortunately there's no DNS code to indicate the server is 
> malfunctioning and shouldn't be used -- spamdyke expects it to stop 
> sending responses when that happens.
> 
> 
> -- Sam Clippinger
> 
> 
> 
> 
>> On Mar 11, 2019, at 6:58 PM, Quinn Comendant via spamdyke-users wrote:
>> 
>> We had an incident where both our local caching name servers stopped 
>> working. They returned SERVFAIL (see example below). They were set 
>> as the "dns-server-ip-primary" and our host-provided DNS server was 
>> set as the "dns-server-ip". Because the primaries were failing, I 
>> would expect spamdyke to automatically switch to resolve via the 
>> server set under "dns-server-ip". Instead, spamdyke just rejected 
>> all our mail for a few hours with DENIED_RDNS_MISSING. The 
>> host-provided name server was functioning fine.
>> 
>> This is the config:
>> 
>>    dns-server-ip-primary=127.0.0.1    # Local caching name server
>>    dns-server-ip-primary=10.128.0.9   # Another local caching name server
>>    dns-server-ip=169.254.169.254      # Host-provided name server
>> 
>> This is an example response from a query to either of the primary 
>> DNS servers:
>> 
>>{q@oak3~} dig @10.128.0.9 apple.com mx
>> 
>>; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> 
>> @10.128.0.9 apple.com mx
>>; (1 server found)
>>;; global options: +cmd
>>;; Got answer:
>>;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52266
>>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>> 
>>;; QUESTION SECTION:
>>;apple.com. IN  MX
>> 
>>;; Query time: 15 msec
>>;; SERVER

[spamdyke-users] SERVFAIL on dns-server-ip-primary does not fail-over

2019-03-11 Thread Quinn Comendant via spamdyke-users
We had an incident where both our local caching name servers stopped working. 
They returned SERVFAIL (see example below). They were set as the 
"dns-server-ip-primary" and our host-provided DNS server was set as the 
"dns-server-ip". Because the primaries were failing, I would expect spamdyke to 
automatically switch to resolve via the server set under "dns-server-ip". 
Instead, spamdyke just rejected all our mail for a few hours with 
DENIED_RDNS_MISSING. The host-provided name server was functioning fine.

This is the config:

    dns-server-ip-primary=127.0.0.1    # Local caching name server
    dns-server-ip-primary=10.128.0.9   # Another local caching name server
    dns-server-ip=169.254.169.254      # Host-provided name server

This is an example response from a query to either of the primary DNS servers:

{q@oak3~} dig @10.128.0.9 apple.com mx

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> @10.128.0.9 
apple.com mx
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52266
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;apple.com. IN  MX

;; Query time: 15 msec
;; SERVER: 10.128.0.9#53(10.128.0.9)
;; WHEN: Mon Mar 11 05:10:32 2019
;; MSG SIZE  rcvd: 27

Am I wrong to expect spamdyke to fail over to the non-primary server on a 
SERVFAIL?

Quinn


Re: [spamdyke-users] rotate between multiple dns-server-ip-primary

2019-03-11 Thread Quinn Comendant via spamdyke-users
On 28 Feb 2019 15:53:34, Quinn Comendant via spamdyke-users wrote:
> Can spamdyke rotate between multiple dns-server-ip-primary servers, 
> to distribute the load evenly? 

Still wondering about this. I haven't seen any replies. Sam, can you clarify if 
this option exists?

Quinn



[spamdyke-users] rotate between multiple dns-server-ip-primary

2019-02-28 Thread Quinn Comendant via spamdyke-users
Can spamdyke rotate between multiple dns-server-ip-primary servers, to 
distribute the load evenly? 

Because the documentation says "Depending on the number of nameservers and the 
values of dns-max-retries-primary and dns-max-retries-total, some nameservers 
may never be queried" it leads me to believe the primary servers are queried in 
order given in the configuration file.

Q
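
As an added example that is not spamdyke's code, and not a description of what spamdyke 4.x does (Sam's reply in the SERVFAIL thread above says it treats an empty answer as "not found" without looking at the RCODE), here is a resolver front end that behaves the way that report expected and that also rotates the starting primary as asked in this thread. A SERVFAIL reply is still a received packet: its RCODE sits in the 12-byte header, and a resolver can tell it apart from NXDOMAIN (authoritative negative) and from NOERROR with no answers. The server lists are the three addresses from the incident, the reply packets are constructed, and `max_queries` is this example's stand-in for a total query budget like dns-max-retries-total; there is no separate primary-retry knob here.

```python
import struct

# Added example, not spamdyke's code: a resolver front end that reads the RCODE
# of each reply, fails over from a SERVFAIL server to the next one, and can
# rotate the starting primary to spread load.

NOERROR, SERVFAIL, NXDOMAIN, REFUSED = 0, 2, 3, 5
DEFINITIVE = ("answer", "no_data", "name_missing")


def build_response(ident, rcode, answers=0):
    """Constructed 12-byte DNS header with QR/RD/RA set and no sections after
    it, which is all the decision logic below needs."""
    flags = 0x8180 | (rcode & 0x0F)
    return struct.pack("!HHHHHH", ident, flags, 1, answers, 0, 0)


def classify(packet):
    """What a resolver should do with one reply.

    'answer'        answer records present, use them
    'no_data'       NOERROR with ANCOUNT 0: the name exists, no records of this type
    'name_missing'  NXDOMAIN: authoritative negative, asking another server is pointless
    'server_failed' SERVFAIL, REFUSED, not a response, or too short: this server is unusable
    """
    if len(packet) < 12:
        return "server_failed"
    _ident, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000:  # QR bit clear: a query, not a response
        return "server_failed"
    rcode = flags & 0x000F
    if rcode == NOERROR:
        return "answer" if ancount else "no_data"
    if rcode == NXDOMAIN:
        return "name_missing"
    return "server_failed"


def resolve(send, primaries, secondaries, max_queries=3, rotate_seed=0):
    """Query servers until one gives a definitive result.

    send(server) returns the raw reply bytes or None on timeout. Primaries are
    tried first, starting at rotate_seed % len(primaries) (like resolv.conf
    'options rotate'), then secondaries. SERVFAIL and timeouts move on to the
    next server; NXDOMAIN and NODATA stop. Returns (outcome, server, attempts).
    """
    ordered = []
    if primaries:
        k = rotate_seed % len(primaries)
        ordered = list(primaries[k:]) + list(primaries[:k])
    ordered += list(secondaries)
    attempts = []
    for server in ordered[:max_queries]:
        packet = send(server)
        outcome = "timeout" if packet is None else classify(packet)
        attempts.append((server, outcome))
        if outcome in DEFINITIVE:
            return outcome, server, attempts
    return "no_response", None, attempts


def incident_demo():
    """Replay the incident: both local caches answer SERVFAIL (as in the dig
    output), the host-provided server answers normally."""
    primaries = ["127.0.0.1", "10.128.0.9"]
    secondaries = ["169.254.169.254"]
    replies = {
        "127.0.0.1": build_response(52266, SERVFAIL),
        "10.128.0.9": build_response(52266, SERVFAIL),
        "169.254.169.254": build_response(52266, NOERROR, answers=1),
    }
    return resolve(replies.get, primaries, secondaries)


if __name__ == "__main__":
    outcome, server, attempts = incident_demo()
    print(outcome, server, attempts)
```

Passing a per-process value such as the PID as `rotate_seed` spreads the first query across the primaries without any shared state, which is what keeps a busy server under a DNSBL's per-resolver query limit.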


[spamdyke-users] Too many links

2018-04-10 Thread Quinn Comendant via spamdyke-users
I noticed this Spamdyke error message:

ERROR: unable to create directory 
/var/qmail/spamdyke/greylist/example.com/redacted/bounce.nytimes.com: Too many 
links

Indeed this user's greylist directory is full:

# sudo ls -dl /var/qmail/spamdyke/greylist/example.com/redacted/ | awk '{print $2}'
32000

In fact, I have lots of users with full and nearly-full greylist directories:

# sudo find /var/qmail/spamdyke/greylist/ -mindepth 2 -maxdepth 2 -type d | \
    while read D; do
      # link count of the user directory, then user@domain taken from the path
      echo "$(sudo ls -dl "$D" | awk '{print $2}') $(cut -d / -f 7 <<<"$D")@$(cut -d / -f 6 <<<"$D")"
    done | sort -rn | head -100
32000 redac...@example.com
32000 redac...@example.com
32000 redac...@example.com
32000 redac...@example.com
32000 redac...@example.com
32000 redac...@example.com
31293 redac...@example.com
30193 redac...@example.com
28559 redac...@example.com
28483 redac...@example.com
[etc…]

What is the best way to solve this? I suspect this is a pretty common issue. I 
wonder if there is a way to remove only seldom-seen senders, perhaps using a 
last-accessed timestamp on the directories? And doing monthly pruning via cron?

Thanks,
Quinn

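
As an added example (not spamdyke's code), one way to do the monthly pruning asked about above. The 32000 in the `ls -dl` output is the link count of the user's directory, which on ext3 is the per-directory ceiling (EXT3_LINK_MAX is 32000), so `mkdir` of one more sender-domain directory fails with EMLINK, reported as "Too many links". The pruner assumes the layout visible in the thread (greylist/<domain>/<user>/<sender-domain>/), treats whatever lives below a sender directory as opaque, and measures idleness by the newest mtime found anywhere inside that directory rather than atime, because atime is not maintained on filesystems mounted noatime or relatime. The temp-directory tree in `demo()` is constructed.

```python
import os
import shutil
import tempfile
import time

# Added example, not spamdyke's code. It prunes sender-domain directories under
# greylist/<domain>/<user>/ that have shown no activity for a given number of
# days. It assumes the layout visible in the thread (one directory per sender
# domain under each recipient) and treats whatever lives below a sender
# directory as opaque; "activity" is the newest mtime found anywhere inside it,
# because atime is unreliable on filesystems mounted noatime/relatime.


def newest_mtime(path):
    """Newest modification time of path or anything below it."""
    newest = os.lstat(path).st_mtime
    for root, dirs, files in os.walk(path):
        for name in dirs + files:
            try:
                newest = max(newest, os.lstat(os.path.join(root, name)).st_mtime)
            except FileNotFoundError:
                continue  # raced with a concurrent delivery; ignore
    return newest


def prune_user_dir(user_dir, max_age_days, now=None, dry_run=True):
    """Remove idle sender-domain directories for one recipient.

    Returns (removed_names, kept_count). With dry_run=True nothing is deleted,
    which is the mode to run first from cron until the numbers look right."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    removed, kept = [], 0
    for entry in os.scandir(user_dir):
        if not entry.is_dir(follow_symlinks=False):
            kept += 1
            continue
        if newest_mtime(entry.path) < cutoff:
            removed.append(entry.name)
            if not dry_run:
                shutil.rmtree(entry.path)
        else:
            kept += 1
    return sorted(removed), kept


def prune_tree(greylist_root, max_age_days, now=None, dry_run=True):
    """Apply prune_user_dir to every greylist/<domain>/<user>; returns
    {"user@domain": number_removed} so the busiest mailboxes are visible."""
    report = {}
    for domain in sorted(os.listdir(greylist_root)):
        domain_dir = os.path.join(greylist_root, domain)
        if not os.path.isdir(domain_dir):
            continue
        for user in sorted(os.listdir(domain_dir)):
            user_dir = os.path.join(domain_dir, user)
            if not os.path.isdir(user_dir):
                continue
            removed, _kept = prune_user_dir(user_dir, max_age_days, now, dry_run)
            report[f"{user}@{domain}"] = len(removed)
    return report


def demo():
    """Build a constructed greylist tree in a temp dir, prune at 90 days, and
    return (report, sender dirs left for the one mailbox)."""
    root = tempfile.mkdtemp(prefix="greylist-demo-")
    now = 1_600_000_000  # fixed "current time" so the demo is deterministic
    user_dir = os.path.join(root, "example.com", "alice")
    os.makedirs(user_dir)

    def make_sender(name, age_days):
        sender_dir = os.path.join(user_dir, name)
        os.makedirs(sender_dir)
        marker = os.path.join(sender_dir, "entry")
        open(marker, "w").close()
        stamp = now - age_days * 86400
        os.utime(marker, (stamp, stamp))
        os.utime(sender_dir, (stamp, stamp))

    make_sender("bounce.nytimes.com", 200)  # idle: pruned
    make_sender("old.example.org", 91)      # just past the cutoff: pruned
    make_sender("mail.example.net", 3)      # recent: kept
    try:
        report = prune_tree(root, 90, now=now, dry_run=False)
        remaining = sorted(os.listdir(user_dir))
    finally:
        shutil.rmtree(root)
    return report, remaining


if __name__ == "__main__":
    print(demo())
```

For the real tree, call `prune_tree("/var/qmail/spamdyke/greylist", 90)` from a monthly cron job as the user that owns the directory, first with the default `dry_run=True` and the report printed, then with `dry_run=False` once the counts match expectations.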


[spamdyke-users] Graylisting delivery failure notifications

2017-08-18 Thread Quinn Comendant via spamdyke-users
A client using our Spamdyke-enabled mail server has reported someone sending 
them an email received a "bounce" message notifying the sender that the 
message has been graylisted (see the delivery failure notification below). 
They did receive the message (graylisting works well for us).

This is the first time I've heard of a soft failure resulting in a notification 
returning to the sender. If graylisting is a common practice, these 
notifications must be terribly annoying; however, the sender (from the 
cdph.ca.gov network) seems surprised by the message. So either: A) graylisting 
is not very common, or B) cdph.ca.gov has an uncommon setup that sends annoying 
bounce messages.

If graylisting will result in annoying senders with delivery failure 
notifications, I'd prefer to avoid that by disabling graylisting (doesn't 
matter who is to blame, what the RFCs say, etc).

What do y'all think? 

Regards,
Quinn

The delivery failure notification received:

> Hi Barb and Steph - 
> 
> When the email below went out yesterday, the following message was received:
> 
> redac...@clientdomain.org...
> Deferred: 421 Your address has been graylisted. Try again later.
> 
> redac...@clientdomain.org...
> Deferred: 421 Your address has been graylisted. Try again later.
> 
> Patricia 
> Care Operations Advisor
> Office of AIDS
> California Department of Public Health


Re: [spamdyke-users] reject-sender=none in spamdyke/_ip_/ directory not working

2017-05-06 Thread Quinn Comendant via spamdyke-users
On Fri, 5 May 2017 10:15:36 -0500, Sam Clippinger via spamdyke-users wrote:
> Ah, I should have asked.  Yes, that option should work.

Thanks Sam.

BTW, I created a script to automate creating the custom sender configuration 
files using the _ip_ and _sender_ directory structures:
https://gist.github.com/quinncomendant/4e62a0e4ab82d7b6fe0dc3947510c4c7

Use it like:

sudo spamdyke-sender-conf 111.222.333.444
…or:
sudo spamdyke-sender-conf tz.changeyourflight.com

It may need customization for different systems. I'm using qmailtoaster.org's 
implementation. 

Quinn


Re: [spamdyke-users] reject-sender=none in spamdyke/_ip_/ directory not working

2017-05-05 Thread Quinn Comendant via spamdyke-users
Update: I added `reject-sender=none` to /etc/spamdyke.conf and these errors 
started appearing in the log:

2017-05-05 06:33:46.873563500 ERROR: Unknown configuration file option in 
file /etc/spamdyke.conf on line 33: reject-sender

I realize now this config option is only for spamdyke 5. I'm currently using 
spamdyke 4.3.1+TLS+CONFIGTEST+DEBUG+EXCESSIVE.

So I presume the corresponding config option for version 4 is 
`reject-missing-sender-mx`. Would the correct syntax for disabling this in a 
spamdyke/_ip_/… directory be like this:

reject-missing-sender-mx=0

?

Quinn


[spamdyke-users] reject-sender=none in spamdyke/_ip_/ directory not working

2017-05-05 Thread Quinn Comendant via spamdyke-users
I've gotten this error:

2017-05-05 03:16:52.533029500 spamdyke[30324]: DENIED_SENDER_NO_MX from: 
bounces+1818979-7ef3-quinn=strangecode[.]c...@tz.changeyourflight.com to: 
quinn[@]strangecode[.]com origin_ip: 167.89.72.110 origin_rdns: 
o1678972x110.outbound-mail.sendgrid.net auth: (unknown) encryption: TLS reason: 
(empty)

Indeed, "tz.changeyourflight.com" has no MX records.

I have tried to apply a custom setting for this sender's IP address by adding a 
config file at:

/var/qmail/spamdyke/_ip_/167/89/72/110

Containing:

reject-sender=none

Then restarting qmail smtp with `qmailctl restart`.

I've used this method successfully in the past for `reject-empty-rdns=0` and 
`reject-unresolvable-rdns=0`. However, it's not working for the 
DENIED_SENDER_NO_MX error. The sending error continues to occur.

Have I set this up wrong?

Regards,
Quinn


Re: [spamdyke-users] Whitelist an IP for the DENIED_RDNS_MISSING error?

2015-08-05 Thread Quinn Comendant via spamdyke-users
On Wed, 5 Aug 2015 20:02:51 -0500, Sam Clippinger via spamdyke-users wrote:
> But to answer your question, yes!  It is possible to turn off the 
> rDNS filters for just that one IP.  The feature you need is a 
> configuration directory.  Create a folder structure on the server 
> like this:
>   /some/path/_ip_/64/34/221
> […]

Ooh, that's clever! I've done, and we'll see.

Thx,
Q


[spamdyke-users] Whitelist an IP for the DENIED_RDNS_MISSING error?

2015-08-05 Thread Quinn Comendant via spamdyke-users
We're experiencing blocked email due to a DENIED_RDNS_MISSING error, although 
the domain PTR records do resolve:

  $ dig -x 64.34.221.10 +short
  mail.lassosoft.com.

Error:

  2015-08-05 18:56:56.452648500 spamdyke[5681]: DENIED_RDNS_MISSING from: 
donotre...@lassosoft.com to: u...@example.com origin_ip: 64.34.221.10 
origin_rdns: (unknown) auth: (unknown) encryption: TLS reason: (empty)

I've seen the recent thread on this where Sam explains that it could be DNS 
issues 
(https://www.mail-archive.com/spamdyke-users@spamdyke.org/msg02009.html). 

My question is, can we whitelist an IP for the DENIED_RDNS_MISSING error?

Quinn