Re: [spamdyke-users] Infinite loop of logged errors: unable to read from SSL/TLS stream
Hi Sam,

Thanks for the thorough reply.

On 25 Jun 2020 14:50:55, Sam Clippinger via spamdyke-users wrote:
> If tls_read() encountered an error in the OpenSSL library and didn't
> actually read any data, spamdyke's main loop would see data waiting and
> call tls_read() again. That could cause an infinite loop.

I'll upgrade spamdyke, and hope the fix was done.

> There are a few things you could try. As Bucky Carr pointed out, the
> softlimit program causes all kinds of problems and leads to very
> strange errors and crashes.

What are your thoughts on the RCE in qmail that I mentioned in my other email? I'll try raising the memory limit a bit.

> You could also try upgrading OpenSSL.

That's the latest version provided by the distro, which has an EOL of Nov 30 of this year. Rebuilding the server on a new distro is on my todo list.

Thanks again,
Quinn

___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
https://spamdyke.org/mailman/listinfo/spamdyke-users
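The loop Sam describes is a general readiness-loop hazard, not just a spamdyke one: if a read fails inside the TLS library without consuming anything, select()/poll() keeps reporting the socket readable, and a loop that only logs and retries never makes progress. The following is an added example written for this thread (not spamdyke's code; the FakeTLSStream and the status constants are constructed stand-ins for a TLS socket) that runs the buggy loop and the guarded loop side by side:

```python
"""Added example (not spamdyke's code): why an error-with-no-data read can
spin a readiness loop, and the guard that stops it.

FakeTLSStream is constructed for the demo; ERROR_READ models the OpenSSL
failure Sam describes (tls_read() fails, reads nothing, but the socket
still reports data waiting)."""

from collections import Counter

OK, WOULD_BLOCK, ERROR_READ = "ok", "would_block", "error"


class FakeTLSStream:
    """Constructed stand-in for a TLS socket. `scripted` is the sequence of
    (status, data) results read() returns; once exhausted it keeps returning
    the last one, which is how a broken session behaves: the fd stays
    readable but every SSL_read() fails."""

    def __init__(self, scripted):
        self.scripted = list(scripted)
        self.closed = False

    def data_waiting(self):
        # select()/poll() keeps reporting the fd readable until something
        # consumes the bytes or the connection is closed.
        return not self.closed

    def read(self):
        if len(self.scripted) > 1:
            return self.scripted.pop(0)
        return self.scripted[0]

    def close(self):
        self.closed = True


def drain_stream(stream, log, stop_on_empty_error, max_iterations=1000):
    """Simplified main loop. Returns (outcome, bytes_read).

    stop_on_empty_error=False mirrors the bug: an error that read no data is
    logged and the loop goes straight back to data_waiting(), which is still
    true, so it logs again forever (bounded here by max_iterations so the
    demo terminates). With True, an error that returned nothing is fatal:
    the connection is closed and the loop ends."""
    received = b""
    for _ in range(max_iterations):
        if not stream.data_waiting():
            return ("closed", received)
        status, data = stream.read()
        received += data
        if status == ERROR_READ:
            log["unable to read from SSL/TLS stream"] += 1
            if stop_on_empty_error and not data:
                stream.close()   # no progress is possible; drop the session
                return ("error_disconnect", received)
        elif status == WOULD_BLOCK:
            continue             # library wants more bytes; wait for the next readiness event
    return ("gave_up_after_limit", received)


def run_demo(stop_on_empty_error):
    """Constructed session: one good chunk, then a permanent library failure.
    Returns (outcome, bytes received, number of error lines logged)."""
    stream = FakeTLSStream([(OK, b"EHLO client\r\n"), (ERROR_READ, b"")])
    log = Counter()
    outcome, received = drain_stream(stream, log, stop_on_empty_error)
    return outcome, received, log["unable to read from SSL/TLS stream"]


if __name__ == "__main__":
    print("buggy loop:", run_demo(False))   # spins until the iteration cap
    print("fixed loop:", run_demo(True))    # logs once, disconnects
```

The detection angle follows from the same shape: a log rate of thousands of identical lines per second from one PID, as in the 2.8 million lines over 34 seconds reported here, is the signature of a loop that logs without consuming, and a per-PID rate alert on the smtp log would have caught it within seconds rather than twenty minutes.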
Re: [spamdyke-users] Infinite loop of logged errors: unable to read from SSL/TLS stream
On 24 Jun 2020 23:36:44, Quinn Comendant via spamdyke-users wrote:
> I thought it was a fluke, since I had never seen this in the decade+
> I've been managing this server.

Actually, there were a few single instances of this error outside of the 34 seconds when it blew up. I found four:

2020-06-25 06:11:16.154545500 spamdyke[20782]: ERROR: unable to start SSL/TLS connection: A protocol or library failure occurred, error:1408A0C1:lib(20):func(138):reason(193)
[…]
2020-06-25 11:56:18.666164500 spamdyke[14604]: ERROR: unable to start SSL/TLS connection: A protocol or library failure occurred, error:1408A0C1:lib(20):func(138):reason(193)
[…]
2020-06-25 15:19:02.951764500 spamdyke[18632]: ERROR: unable to start SSL/TLS connection: A protocol or library failure occurred, error:1408A0C1:lib(20):func(138):reason(193)
[…]
2020-06-25 15:19:13.346393500 spamdyke[18701]: ERROR: unable to start SSL/TLS connection: A protocol or library failure occurred, error:14094412:lib(20):func(148):reason(1042)

I notice that the reason codes (`reason(193)` and `reason(1042)`) are different from the reason in the other 2.8 million lines logged (`reason(255)`). I'm guessing those are openssl error codes?

Quinn
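They are OpenSSL error codes. In OpenSSL 1.0.x (the 1.0.1e build in this thread) the eight hex digits are one packed 32-bit value: 8 bits of library number, 12 bits of function number, 12 bits of reason number, which is exactly what ERR_GET_LIB(), ERR_GET_FUNC() and ERR_GET_REASON() extract, and the lib()/func()/reason() spamdyke prints are those three fields in decimal (library 20 is the SSL library, "SSL routines"). The decoder below is an added example written for this thread, not spamdyke's or OpenSSL's code; the sample log lines are constructed from the codes quoted above:

```python
"""Added example (not from the thread): unpack the packed OpenSSL 1.0.x
error codes that spamdyke logs as error:XXXXXXXX:lib(L):func(F):reason(R).

Layout in OpenSSL 1.0.x:  lib (8 bits) | func (12 bits) | reason (12 bits).
OpenSSL 3.x dropped the func field, so this applies to 1.0.x/1.1.x builds."""

import re

LOG_RE = re.compile(
    r"error:([0-9A-Fa-f]{8}):lib\((\d+)\):func\((\d+)\):reason\((\d+)\)")

ERR_LIB_SSL = 20  # "SSL routines" in OpenSSL's error strings


def decode_openssl_error(code):
    """Split a 1.0.x packed error code into its three fields."""
    return {
        "lib": (code >> 24) & 0xFF,
        "func": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
    }


def parse_log_line(line):
    """Return the decoded fields of the OpenSSL error in a spamdyke log line
    plus whether they agree with the lib()/func()/reason() spamdyke printed,
    or None if the line carries no OpenSSL error."""
    m = LOG_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    fields = decode_openssl_error(code)
    printed = {"lib": int(m.group(2)), "func": int(m.group(3)),
               "reason": int(m.group(4))}
    return {"code": f"{code:08X}", **fields, "consistent": fields == printed}


def summarize(lines):
    """Count distinct (func, reason) pairs from the SSL library. One noisy
    code dominating millions of lines (as in the thread) shows up as a
    single bucket, which separates the loop from the genuine handshake
    failures around it."""
    counts = {}
    for line in lines:
        parsed = parse_log_line(line)
        if parsed and parsed["lib"] == ERR_LIB_SSL:
            key = (parsed["func"], parsed["reason"])
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample, using only codes quoted in this thread.
SAMPLE_LOG = [
    "2020-06-25 06:11:16.154545500 spamdyke[20782]: ERROR: unable to start SSL/TLS connection: A protocol or library failure occurred, error:1408A0C1:lib(20):func(138):reason(193)",
    "2020-06-25 15:19:13.346393500 spamdyke[18701]: ERROR: unable to start SSL/TLS connection: A protocol or library failure occurred, error:14094412:lib(20):func(148):reason(1042)",
    "spamdyke[4875]: ERROR: unable to read from SSL/TLS stream: A protocol or library failure occurred, error:140800FF:lib(20):func(128):reason(255)",
    "spamdyke[4875]: ERROR: unable to read from SSL/TLS stream: A protocol or library failure occurred, error:140800FF:lib(20):func(128):reason(255)",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_log_line(line))
    print(summarize(SAMPLE_LOG))
```

To get the human-readable names, run `openssl errstr 1408A0C1` on the same OpenSSL build that spamdyke links against: on 1.0.x builds 1408A0C1 is "SSL3_GET_CLIENT_HELLO:no shared cipher" (a client offering no cipher the server accepts) and 14094412 is "SSL3_READ_BYTES:sslv3 alert bad certificate" (the peer rejected our certificate), both ordinary per-connection handshake failures; the 140800FF code that repeated 2.8 million times is "SSL3_ACCEPT:unknown state", a session that can make no further progress, which is consistent with Sam's description of tls_read() failing without reading anything.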
Re: [spamdyke-users] Infinite loop of logged errors: unable to read from SSL/TLS stream
Hi Bucky,

On 25 Jun 2020 07:12:27, Bucky Carr via spamdyke-users wrote:
> Do you need to use 'softlimit'?

Yes, using softlimit to restrict the process memory limit is useful, and in fact necessary to prevent this remotely-exploitable vulnerability in qmail:
https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt

“TLDR: In 2005, three vulnerabilities were discovered in qmail but were never fixed because they were believed to be unexploitable in a default installation. We recently re-discovered these vulnerabilities and were able to exploit one of them remotely in a default installation.”

The RCE can be mitigated by:

- using softlimit to restrict the process memory limit, even on qmail-local
- configuring databytes to limit email message size.

or by applying the patches included in the article linked above.

Quinn
[spamdyke-users] Infinite loop of logged errors: unable to read from SSL/TLS stream
Hello all,

Recently, I checked the smtp log files of my qmailtoaster server, and found millions of the following error message written to the smtp log:

spamdyke[4875]: ERROR: unable to read from SSL/TLS stream: A protocol or library failure occurred, error:140800FF:lib(20):func(128):reason(255)

I restarted the mail-related services (qmailctl stop && qmailctl start), and the errors stopped. I thought it was a fluke, since I had never seen this in the decade+ I've been managing this server. However, a few days later, I found the same thing. Again, I restarted and the errors stopped.

The really weird thing is that all the errors that were logged (~2.8 million lines) occurred over 34 seconds (from 2020-06-25 03:47:58 to 2020-06-25 03:48:36)! I'd guess that only *one* error occurred (memory error? buffer-overrun?) which somehow caused an infinite loop of logging. Although the last logged error was at 2020-06-25 03:48:36, I didn't discover the issue until 2020-06-25 04:10, which means there was at least a 20 minute delay between when the log line was time-stamped and when the line was finally added to the log (perhaps caused by IO constraints).

So there are a couple of issues I'm worried about:

1. why did spamdyke get stuck in an infinite loop?
2. what caused this error in the first place?

Versions:

OpenSSL 1.0.1e-fips 11 Feb 2013
spamdyke 4.3.1+TLS+CONFIGTEST+DEBUG+EXCESSIVE

Spamdyke is executed via the /var/qmail/supervise/smtp/run file:

QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SPAMDYKE="/usr/bin/spamdyke"
SPAMDYKE_CONF="/etc/spamdyke.conf"
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
REQUIRE_AUTH=0
exec /usr/bin/softlimit -m 9900 \
    /usr/bin/tcpserver -R -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
    $SPAMDYKE --config-file $SPAMDYKE_CONF \
    $SMTPD $VCHKPW /bin/true 2>&1

Thanks!
Re: [spamdyke-users] SERVFAIL on dns-server-ip-primary does not fail-over
Hi Sam,

Thanks for the thorough reply.

How does spamdyke know "If a response is received, [use it and stop]"? During an NXDOMAIN and SERVFAIL, no "response" is received (the ANSWER section of the DNS response is empty). If the response is empty, doesn't spamdyke then try the next name server? Or, can it detect that a response was received successfully, just empty?

A setting that rotates between name servers would be very helpful. Spamassassin offers this already with its `dns_options rotate` option. Distributing load between name servers helps them stay within the limits of DNSBL query limits (i.e., URIBL_BLOCKED).

Quinn

On 13 Mar 2019 13:52:11, Sam Clippinger via spamdyke-users wrote:
> Sorry, I missed your earlier email. I'll try to answer both questions here.
>
> Unless you're setting spamdyke's dns-level option, it should be using
> the primary servers in order, followed by the secondary servers in
> order, every time it runs. If you're just setting the three DNS
> servers and not using any other dns-* options, the logic should look
> like this:
>
>   Total DNS query time is 30 seconds (override with dns-timeout-secs)
>   Max number of DNS queries to primary servers before using secondaries is 1 (override with dns-max-retries-primary)
>   Max number of DNS queries total is 3 (override with dns-max-retries-total)
>   Send query packet to 127.0.0.1, wait 10 seconds for a response (total query time divided by max number of queries)
>   If a response is received, use it and stop.
>   Send query packet to 10.128.0.9, wait 10 seconds for a response
>   If a response is received, use it and stop.
>   The number of queries to primary servers is greater than 1, start using secondaries as well
>   Send query packet to 169.254.169.254, wait 10 seconds for a response
>   If a response is received, use it. Otherwise exit with no response.
>
> Randomizing the order of the servers would probably be a good idea
> (or option). I think I didn't do that because I was trying to
> imitate the behavior of the system resolver library, which uses the
> servers in /etc/resolv.conf in order every time.
>
> Looking at the code in dns.c, spamdyke treats an empty response as
> "not found" and doesn't check whether it was due to SERVFAIL or
> NXDOMAIN. If memory serves, I did this because there's no real
> difference between them as far as spamdyke is concerned. In other
> words, NXDOMAIN means the domain doesn't exist at all while SERVFAIL
> means the domain exists but no records can be found (usually because
> the authoritative servers aren't responding). Either way, the mail
> should be rejected with a temporary code so the sender will try again
> later (hoping the problem will resolve itself in the meantime). If
> the problem persists long enough, the message(s) may bounce.
> Unfortunately there's no DNS code to indicate the server is
> malfunctioning and shouldn't be used -- spamdyke expects it to stop
> sending responses when that happens.
>
> -- Sam Clippinger
>
>> On Mar 11, 2019, at 6:58 PM, Quinn Comendant via spamdyke-users wrote:
>>
>> We had an incident where both our local caching name servers stopped
>> working. They returned SERVFAIL (see example below). They were set
>> as the "dns-server-ip-primary" and our host-provided DNS server was
>> set as the "dns-server-ip". Because the primaries were failing, I
>> would expect spamdyke to automatically switch to resolve via the
>> server set under "dns-server-ip". Instead, spamdyke just rejected
>> all our mail for a few hours with DENIED_RDNS_MISSING. The
>> host-provided name server was functioning fine.
>>
>> This is the config:
>>
>> dns-server-ip-primary=127.0.0.1      # Local caching name server
>> dns-server-ip-primary=10.128.0.9     # Another local caching name server
>> dns-server-ip=169.254.169.254        # Host-provided name server
>>
>> This is an example response from a query to either of the primary
>> DNS servers:
>>
>> {q@oak3~} dig @10.128.0.9 apple.com mx
>>
>> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> @10.128.0.9 apple.com mx
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52266
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;apple.com.                     IN      MX
>>
>> ;; Query time: 15 msec
>> ;; SERVER
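The answer to "how does spamdyke know a response was received" is in the transport, not the ANSWER section: a SERVFAIL is a complete DNS packet (the dig output above shows status: SERVFAIL with ANSWER: 0), so the resolver's wait ends with a reply and the search stops, whereas fail-over only happens when no packet arrives before the per-query timeout. The model below is an added example written for this thread, not spamdyke's dns.c, that encodes Sam's walk-through as I read it (the per-query wait is dns-timeout-secs divided by dns-max-retries-total; secondaries become eligible once more than dns-max-retries-primary queries have gone to primaries; any packet is "a response") and adds two hypothetical switches that spamdyke does not have, `fail_over_on_servfail` and `rotate` (the latter modelled on the SpamAssassin `dns_options rotate` behaviour mentioned above), so the two policies can be compared on the constructed scenario from this incident:

```python
"""Added example, not spamdyke's dns.c: a model of the server-selection
logic Sam describes, showing why a SERVFAIL never triggers fail-over.

Assumptions (mine, from Sam's walk-through): per-query wait is
dns-timeout-secs / dns-max-retries-total; primaries are tried in order and
secondaries become eligible once more than dns-max-retries-primary queries
have gone to primaries; any packet that comes back, even ANSWER: 0, is a
response. `fail_over_on_servfail` and `rotate` are hypothetical options."""

from dataclasses import dataclass, field
from typing import Callable, List, Optional

NOERROR, NXDOMAIN, SERVFAIL = "NOERROR", "NXDOMAIN", "SERVFAIL"


@dataclass
class Reply:
    server: str
    rcode: str
    answers: List[str] = field(default_factory=list)


@dataclass
class Resolver:
    primary: List[str]                 # dns-server-ip-primary, in config order
    secondary: List[str]               # dns-server-ip
    send: Callable[[str, float], Optional[Reply]]   # returns None on timeout
    timeout_secs: float = 30.0         # dns-timeout-secs
    max_retries_primary: int = 1       # dns-max-retries-primary
    max_retries_total: int = 3         # dns-max-retries-total
    fail_over_on_servfail: bool = False   # hypothetical
    rotate: bool = False                  # hypothetical
    _calls: int = 0

    def _order(self):
        primary = list(self.primary)
        if self.rotate and primary:
            k = (self._calls - 1) % len(primary)   # shift the start point per lookup
            primary = primary[k:] + primary[:k]
        return primary, list(self.secondary)

    def resolve(self, name):
        """Return (reply_or_None, servers_queried_in_order)."""
        self._calls += 1
        primary, secondary = self._order()
        per_query = self.timeout_secs / self.max_retries_total
        queried, primary_queries = [], 0
        for _ in range(self.max_retries_total):
            pool = primary + (secondary if primary_queries > self.max_retries_primary else [])
            untried = [s for s in pool if s not in queried]
            if not untried:
                break                      # "some nameservers may never be queried"
            server = untried[0]
            queried.append(server)
            if server in primary:
                primary_queries += 1
            reply = self.send(server, per_query)
            if reply is None:
                continue                   # timed out: try the next server
            if reply.rcode == SERVFAIL and self.fail_over_on_servfail:
                continue                   # treat a failing server like a silent one
            return reply, queried           # any packet back ends the search
        return None, queried


def fake_send(server, timeout):
    """Constructed scenario from the thread: both local caches answer
    SERVFAIL, the host-provided server is healthy, anything else is silent."""
    if server in ("127.0.0.1", "10.128.0.9"):
        return Reply(server, SERVFAIL)
    if server == "169.254.169.254":
        return Reply(server, NOERROR, ["mx.example.test."])
    return None


def demo(fail_over_on_servfail):
    r = Resolver(["127.0.0.1", "10.128.0.9"], ["169.254.169.254"], fake_send,
                 fail_over_on_servfail=fail_over_on_servfail)
    reply, queried = r.resolve("apple.com")
    return (reply.rcode if reply else None, reply.server if reply else None, queried)


if __name__ == "__main__":
    print(demo(False))  # SERVFAIL from 127.0.0.1 after one query: no fail-over
    print(demo(True))   # NOERROR from 169.254.169.254 after three queries
```

The practical consequence for monitoring: a local cache that is up but broken is worse than one that is down, because only the latter is routed around, so the caches should be health-checked on query outcome (rcode), not just on process or port liveness.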
[spamdyke-users] SERVFAIL on dns-server-ip-primary does not fail-over
We had an incident where both our local caching name servers stopped working. They returned SERVFAIL (see example below). They were set as the "dns-server-ip-primary" and our host-provided DNS server was set as the "dns-server-ip". Because the primaries were failing, I would expect spamdyke to automatically switch to resolve via the server set under "dns-server-ip". Instead, spamdyke just rejected all our mail for a few hours with DENIED_RDNS_MISSING. The host-provided name server was functioning fine.

This is the config:

dns-server-ip-primary=127.0.0.1      # Local caching name server
dns-server-ip-primary=10.128.0.9     # Another local caching name server
dns-server-ip=169.254.169.254        # Host-provided name server

This is an example response from a query to either of the primary DNS servers:

{q@oak3~} dig @10.128.0.9 apple.com mx

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> @10.128.0.9 apple.com mx
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52266
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;apple.com.                     IN      MX

;; Query time: 15 msec
;; SERVER: 10.128.0.9#53(10.128.0.9)
;; WHEN: Mon Mar 11 05:10:32 2019
;; MSG SIZE  rcvd: 27

Am I wrong to expect spamdyke to fail over to the non-primary server on a SERVFAIL?

Quinn
Re: [spamdyke-users] rotate between multiple dns-server-ip-primary
On 28 Feb 2019 15:53:34, Quinn Comendant via spamdyke-users wrote:
> Can spamdyke rotate between multiple dns-server-ip-primary servers,
> to distribute the load evenly?

Still wondering about this. I haven't seen any replies. Sam, can you clarify if this option exists?

Quinn
[spamdyke-users] rotate between multiple dns-server-ip-primary
Can spamdyke rotate between multiple dns-server-ip-primary servers, to distribute the load evenly?

Because the documentation says "Depending on the number of nameservers and the values of dns-max-retries-primary and dns-max-retries-total, some nameservers may never be queried", it leads me to believe the primary servers are queried in the order given in the configuration file.

Q
[spamdyke-users] Too many links
I noticed this Spamdyke error message:

ERROR: unable to create directory /var/qmail/spamdyke/greylist/example.com/redacted/bounce.nytimes.com: Too many links

Indeed this user's greylist directory is full:

# sudo ls -dl /var/qmail/spamdyke/greylist/example.com/redacted/ | awk '{print $2}'
32000

In fact, I have lots of users with full and nearly-full greylist directories:

# sudo find /var/qmail/spamdyke/greylist/ -mindepth 2 -maxdepth 2 -type d | while read D; do echo "$(sudo ls -dl $D | f2) $(cut -d / -f 7 <<<"$D")@$(cut -d / -f 6 <<<"$D")"; done | sort -rn | head -100
32000 redac...@example.com
32000 redac...@example.com
32000 redac...@example.com
32000 redac...@example.com
32000 redac...@example.com
32000 redac...@example.com
31293 redac...@example.com
30193 redac...@example.com
28559 redac...@example.com
28483 redac...@example.com
[etc…]

What is the best way to solve this? I suspect this is a pretty common issue. I wonder if there is a way to remove only seldom-seen senders, perhaps using a last-accessed timestamp on the directories? And doing monthly pruning via cron?

Thanks,
Quinn
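"Too many links" is EMLINK from mkdir(): on ext3 a directory can hold at most 32000 subdirectories (each one is a hard link back to the parent, which is why the link count from `ls -dl` reads 32000 once the directory is full). Pruning by age is the usual answer, and the directory's own mtime is a usable "last seen" signal because it changes whenever spamdyke adds an entry beneath it. The script below is an added example written for this thread, not spamdyke's own tooling; it assumes the greylist layout visible in the error message (`<root>/<recipient domain>/<recipient user>/<sender domain>/...`), defaults to a dry run, and builds a constructed two-sender fixture in a temp directory so it can be run safely before pointing it at /var/qmail/spamdyke/greylist from a monthly cron job:

```python
"""Added example, not spamdyke's own tooling: prune greylist sender
directories that have not been touched in N days.

Assumed layout, taken from the path in the error message:
    <root>/<recipient domain>/<recipient user>/<sender domain>/...
Run with dry_run=True first and review the list before deleting."""

import os
import shutil
import tempfile
import time


def newest_mtime(path):
    """Most recent modification time anywhere under `path`, including the
    directory itself. A sender that keeps appearing keeps its tree young."""
    newest = os.stat(path).st_mtime
    for dirpath, dirnames, filenames in os.walk(path):
        for name in dirnames + filenames:
            try:
                newest = max(newest, os.lstat(os.path.join(dirpath, name)).st_mtime)
            except FileNotFoundError:
                pass   # raced with spamdyke creating/removing an entry; ignore
    return newest


def prune_greylist(root, max_age_days, dry_run=True, now=None):
    """Remove <root>/<domain>/<user>/<sender> trees idle for more than
    max_age_days. Returns the directories removed (or, in dry_run mode,
    the ones that would be removed)."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    removed = []
    for domain in sorted(os.listdir(root)):
        domain_dir = os.path.join(root, domain)
        if not os.path.isdir(domain_dir):
            continue
        for user in sorted(os.listdir(domain_dir)):
            user_dir = os.path.join(domain_dir, user)
            if not os.path.isdir(user_dir):
                continue
            for sender in sorted(os.listdir(user_dir)):
                sender_dir = os.path.join(user_dir, sender)
                if not os.path.isdir(sender_dir):
                    continue
                if newest_mtime(sender_dir) < cutoff:
                    removed.append(sender_dir)
                    if not dry_run:
                        shutil.rmtree(sender_dir)
    return removed


def build_sample_tree(base, now):
    """Constructed fixture: one recipient with an idle and an active sender."""
    user_dir = os.path.join(base, "example.com", "redacted")
    old = os.path.join(user_dir, "old-sender.test")
    fresh = os.path.join(user_dir, "fresh-sender.test")
    for d in (old, fresh):
        os.makedirs(d)
        open(os.path.join(d, "1.2.3.4"), "w").close()   # placeholder greylist entry
    stale = now - 90 * 86400
    for p in (old, os.path.join(old, "1.2.3.4")):
        os.utime(p, (stale, stale))                      # make the idle sender 90 days old
    return old, fresh


def run_demo():
    """Build the fixture in a temp dir, dry-run, then prune for real.
    Returns (planned, removed, old_still_exists, fresh_still_exists)."""
    with tempfile.TemporaryDirectory() as tmp:
        now = time.time()
        old, fresh = build_sample_tree(tmp, now)
        planned = [os.path.basename(p) for p in prune_greylist(tmp, 30, dry_run=True, now=now)]
        removed = [os.path.basename(p) for p in prune_greylist(tmp, 30, dry_run=False, now=now)]
        return planned, removed, os.path.exists(old), os.path.exists(fresh)


if __name__ == "__main__":
    print(run_demo())   # (['old-sender.test'], ['old-sender.test'], False, True)
```

Two cautions for production use: run it as the user that owns the greylist tree rather than via sudo on every entry, and keep the age threshold longer than the longest retry interval you expect from legitimate senders, otherwise a pruned sender simply gets greylisted again on its next message.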
[spamdyke-users] Graylisting delivery failure notifications
A client using our Spamdyke-enabled mail server has reported that someone sending them an email received a "bounce" message notifying the sender that the message has been graylisted (see the delivery failure notification below). They did receive the message (graylisting works well for us).

This is the first time I've heard of a soft failure resulting in a notification returning to the sender. If graylisting is a common practice, these notifications must be terribly annoying, however the sender (from the cdph.ca.gov network) seems surprised by the message. So either:

A) graylisting is not very common, or
B) cdph.ca.gov has an uncommon setup that sends annoying bounce messages.

If graylisting will result in annoying senders with delivery failure notifications, I'd prefer to avoid that by disabling graylisting (doesn't matter who is to blame, what the RFCs say, etc).

What do y'all think?

Regards,
Quinn

The delivery failure notification received:

> Hi Barb and Steph -
>
> When the email below went out yesterday, the following message was received:
>
> redac...@clientdomain.org...
> Deferred: 421 Your address has been graylisted. Try again later.
>
> redac...@clientdomain.org...
> Deferred: 421 Your address has been graylisted. Try again later.
>
> Patricia
> Care Operations Advisor
> Office of AIDS
> California Department of Public Health
Re: [spamdyke-users] reject-sender=none in spamdyke/_ip_/ directory not working
On Fri, 5 May 2017 10:15:36 -0500, Sam Clippinger via spamdyke-users wrote:
> Ah, I should have asked. Yes, that option should work.

Thanks Sam.

BTW, I created a script to automate creating the custom sender configuration files using the _ip_ and _sender_ directory structures:
https://gist.github.com/quinncomendant/4e62a0e4ab82d7b6fe0dc3947510c4c7

Use it like:

sudo spamdyke-sender-conf 111.222.333.444

…or:

sudo spamdyke-sender-conf tz.changeyourflight.com

It may need customization for different systems. I'm using qmailtoaster.org's implementation.

Quinn
Re: [spamdyke-users] reject-sender=none in spamdyke/_ip_/ directory not working
Update: I added `reject-sender=none` to /etc/spamdyke.conf and these errors started appearing in the log:

2017-05-05 06:33:46.873563500 ERROR: Unknown configuration file option in file /etc/spamdyke.conf on line 33: reject-sender

I realize now this config option is only for spamdyke 5. I'm currently using spamdyke 4.3.1+TLS+CONFIGTEST+DEBUG+EXCESSIVE. So I presume the corresponding config option for version 4 is `reject-missing-sender-mx`. Would the correct syntax for disabling this in a spamdyke/_ip_/… directory be like this:

reject-missing-sender-mx=0

?

Quinn
[spamdyke-users] reject-sender=none in spamdyke/_ip_/ directory not working
I've gotten this error:

2017-05-05 03:16:52.533029500 spamdyke[30324]: DENIED_SENDER_NO_MX from: bounces+1818979-7ef3-quinn=strangecode[.]c...@tz.changeyourflight.com to: quinn[@]strangecode[.]com origin_ip: 167.89.72.110 origin_rdns: o1678972x110.outbound-mail.sendgrid.net auth: (unknown) encryption: TLS reason: (empty)

Indeed, "tz.changeyourflight.com" has no MX records.

I have tried to apply a custom setting for this sender's IP address by adding a config file at:

/var/qmail/spamdyke/_ip_/167/89/72/110

Containing:

reject-sender=none

Then restarting qmail smtp with `qmailctl restart`. I've used this method successfully in the past for `reject-empty-rdns=0` and `reject-unresolvable-rdns=0`. However, it's not working for the DENIED_SENDER_NO_MX error. The sending error continues to occur.

Have I set this up wrong?

Regards,
Quinn
Re: [spamdyke-users] Whitelist an IP for the DENIED_RDNS_MISSING error?
On Wed, 5 Aug 2015 20:02:51 -0500, Sam Clippinger via spamdyke-users wrote:
> But to answer your question, yes! It is possible to turn off the rDNS
> filters for just that one IP. The feature you need is a configuration
> directory. Create a folder structure on the server like this:
>
> /some/path/_ip_/64/34/221
> […]

Ooh, that's clever! I've done so, and we'll see.

Thx,
Q
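Both this thread and the reject-sender one above rely on the same mechanism: a file at `<confdir>/_ip_/A/B/C/D` whose option=value lines apply only to connections from A.B.C.D (for example /var/qmail/spamdyke/_ip_/167/89/72/110). The helper below is an added example written for these threads, my own code rather than spamdyke's or the gist linked above; it assumes that one-file-per-address layout, validates the address so a typo cannot create a stray directory tree, merges into an existing file instead of clobbering it, and writes atomically. The option names must match the installed spamdyke version (the v4 name is reject-missing-sender-mx; reject-sender=none is the v5 form), which the helper does not check:

```python
"""Added example (my own code, not spamdyke's and not the linked gist):
create or update the per-IP override file spamdyke reads from its
configuration directory.

Assumed layout, from the threads above: <confdir>/_ip_/A/B/C/D is a file of
option=value lines applying to connections from A.B.C.D only."""

import ipaddress
import os
import tempfile


def ip_config_path(confdir, ip):
    """Path of the override file for one IPv4 address. Raises ValueError
    (ipaddress.AddressValueError) on anything that is not a valid dotted quad."""
    addr = ipaddress.IPv4Address(ip)
    return os.path.join(confdir, "_ip_", *str(addr).split("."))


def read_options(path):
    """Parse existing option=value lines (ignoring blanks and comments)."""
    options = {}
    if not os.path.exists(path):
        return options
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")
            options[key.strip()] = value.strip()
    return options


def set_ip_options(confdir, ip, **new_options):
    """Merge `new_options` into the address's override file, creating the
    directory chain as needed, and return the resulting option dict.
    Keyword names use underscores and are written with hyphens
    (reject_empty_rdns -> reject-empty-rdns); existing options are kept."""
    path = ip_config_path(confdir, ip)
    options = read_options(path)
    options.update({k.replace("_", "-"): str(v) for k, v in new_options.items()})
    os.makedirs(os.path.dirname(path), exist_ok=True)
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:      # write-then-rename: spamdyke never reads a half-written file
        for key, value in sorted(options.items()):
            fh.write(f"{key}={value}\n")
    os.replace(tmp, path)
    return options


def run_demo():
    """Constructed run in a temp dir: relax the rDNS checks for one sender
    address (the one from this thread), then add the v4 MX-check override
    on a second call and show the merged file."""
    with tempfile.TemporaryDirectory() as confdir:
        first = set_ip_options(confdir, "64.34.221.10",
                               reject_empty_rdns=0, reject_unresolvable_rdns=0)
        second = set_ip_options(confdir, "64.34.221.10", reject_missing_sender_mx=0)
        path = ip_config_path(confdir, "64.34.221.10")
        with open(path) as fh:
            contents = fh.read()
        return os.path.relpath(path, confdir), first, second, contents


if __name__ == "__main__":
    rel, first, second, contents = run_demo()
    print(rel)          # _ip_/64/34/221/10
    print(contents, end="")
```

Whatever writes these files should run with the same ownership spamdyke uses to read them (the tcpserver -u/-g user in the run file), and it is worth keeping the override tree in version control or at least listing it periodically, since each file is a standing exemption from a filter for one address.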
[spamdyke-users] Whitelist an IP for the DENIED_RDNS_MISSING error?
We're experiencing blocked email due to a DENIED_RDNS_MISSING error, although the domain PTR records do resolve:

$ dig -x 64.34.221.10 +short
mail.lassosoft.com.

Error:

2015-08-05 18:56:56.452648500 spamdyke[5681]: DENIED_RDNS_MISSING from: donotre...@lassosoft.com to: u...@example.com origin_ip: 64.34.221.10 origin_rdns: (unknown) auth: (unknown) encryption: TLS reason: (empty)

I've seen the recent thread on this where Sam explains that it could be DNS issues (https://www.mail-archive.com/spamdyke-users@spamdyke.org/msg02009.html).

My question is, can we whitelist an IP for the DENIED_RDNS_MISSING error?

Quinn