Re: [spamdyke-users] Error unable to write to SSL/TLS stream
Hi Angus,

thanks for your reply. We are not using greylisting in spamdyke.

On 03/03/21 19:00, Angus McIntyre via spamdyke-users wrote:
> I think spamdyke implements greylisting by sending a 421 Temporary Failure code on first connection. That might be what's happening here.
>
> Greylisting is off by default, but if you have it turned on you could set `graylist-level` to `none` to turn it off. If you want to keep it on but just fix it for that specific domain, you should be able to configure exceptions by adding appropriate `graylist-exception-ip-entry` or `graylist-exception-rdns-entry` entries.
>
> Incidentally, I tend to favor disabling greylisting these days. The original intention was to protect against spam clients that couldn't recognize the 421 error as indicating a temporary condition: they'd try once, get an error code, and go away. But from what I see in my own server logs, many -- most? -- spam clients these days just keep attempting redeliveries until either something gets delivered or they hit some threshold number of retries. Greylisting is no help against those.
>
> Angus
>
> Alessio Cecchi via spamdyke-users wrote on 3/3/21 12:22 PM:
>> Hi,
>> when a specific company sends an email to us we receive the messages many times, but only if they insert into recipients about 50 email addresses of the same domain; if they send the same email to only one recipient all works fine.
>>
>> After some investigation, with "full-log-dir" enabled, we discovered that our qmail sends a "421 timeout" to the remote server but when the email is already accepted, so the remote server tries again and so on.
>>
>> Debug log, please note the delay from the last . and the error, five minutes, and note that the "421 timeout" error was sent before the "250 ok" from qmail:
>>
>> [...]
>> 03/02/2021 12:03:00 FROM REMOTE TO CHILD: 3 bytes TLS
>> .
>> 03/02/2021 12:08:01 LOG OUTPUT TLS
>> ERROR(tls_write()@tls.c:678): unable to write to SSL/TLS stream: The operation failed due to an I/O error, Connection reset by peer
>> ERROR(output_writeln()@log.c:104): unable to write 37 bytes to file descriptor 1: Connection reset by peer
>> 03/02/2021 12:08:01 FROM SPAMDYKE TO REMOTE: 37 bytes TLS
>> 421 Timeout. Talk faster next time.
>> 03/02/2021 12:08:01 LOG OUTPUT TLS
>> TIMEOUT from: u...@company.biz to: u...@partnercompany.biz origin_ip: 40.107.3.43 origin_rdns: mail-eopbgr30043.outbound.protection.outlook.com auth: (unknown) encryption: TLS reason: TIMEOUT
>> 03/02/2021 12:10:06 FROM CHILD, FILTERED: 28 bytes TLS
>> 250 ok 1614683406 qp 12548
>> 03/02/2021 12:10:06 - TLS ended and closed
>> 03/02/2021 12:10:06 CLOSED
>>
>> So I set the timeout from 600 to 1200 in qmail-smtpd, removed "idle-timeout" from spamdyke, and disabled the softlimit; the error changed but the problem is still present:
>>
>> 03/02/2021 13:59:27 FROM REMOTE TO CHILD: 3 bytes TLS
>> .
>> 03/02/2021 14:06:34 LOG OUTPUT TLS
>> ERROR(tls_write()@tls.c:678): unable to write to SSL/TLS stream: The operation failed due to an I/O error, Connection reset by peer
>> ERROR(output_writeln()@log.c:104): unable to write 26 bytes to file descriptor 1: Connection reset by peer
>> 03/02/2021 14:06:34 FROM CHILD TO REMOTE: 26 bytes TLS
>> 250 ok 1614690394 qp 765
>> 03/02/2021 14:06:34 LOG OUTPUT TLS
>> ALLOWED from: u...@company.biz to: u...@partnercompany.biz origin_ip: 40.107.0.68 origin_rdns: mail-eopbgr00068.outbound.protection.outlook.com auth: (unknown) encryption: TLS reason: 250_ok_1614690394_qp_765
>> [...]
>> ALLOWED from: us...@company.biz to: us...@partnercompany.biz origin_ip: 40.107.0.68 origin_rdns: mail-eopbgr00068.outbound.protection.outlook.com auth: (unknown) encryption: TLS reason: 250_ok_1614690394_qp_765
>> ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The operation failed due to an I/O error, Unexpected EOF found
>> 03/02/2021 14:06:34 - TLS ended and closed
>> 03/02/2021 14:06:34 CLOSED
>>
>> Any suggestions?
>> Thanks
>> --
>> Alessio Cecchi
>> Postmaster @ http://www.qboxmail.it
>> https://www.linkedin.com/in/alessice

--
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice
___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
https://spamdyke.org/mailman/listinfo/spamdyke-users
[spamdyke-users] Error unable to write to SSL/TLS stream
Hi,
when a specific company sends an email to us we receive the messages many times, but only if they insert into recipients about 50 email addresses of the same domain; if they send the same email to only one recipient all works fine.

After some investigation, with "full-log-dir" enabled, we discovered that our qmail sends a "421 timeout" to the remote server but when the email is already accepted, so the remote server tries again and so on.

Debug log, please note the delay from the last . and the error, five minutes, and note that the "421 timeout" error was sent before the "250 ok" from qmail:

[...]
03/02/2021 12:03:00 FROM REMOTE TO CHILD: 3 bytes TLS
.
03/02/2021 12:08:01 LOG OUTPUT TLS
ERROR(tls_write()@tls.c:678): unable to write to SSL/TLS stream: The operation failed due to an I/O error, Connection reset by peer
ERROR(output_writeln()@log.c:104): unable to write 37 bytes to file descriptor 1: Connection reset by peer
03/02/2021 12:08:01 FROM SPAMDYKE TO REMOTE: 37 bytes TLS
421 Timeout. Talk faster next time.
03/02/2021 12:08:01 LOG OUTPUT TLS
TIMEOUT from: u...@company.biz to: u...@partnercompany.biz origin_ip: 40.107.3.43 origin_rdns: mail-eopbgr30043.outbound.protection.outlook.com auth: (unknown) encryption: TLS reason: TIMEOUT
03/02/2021 12:10:06 FROM CHILD, FILTERED: 28 bytes TLS
250 ok 1614683406 qp 12548
03/02/2021 12:10:06 - TLS ended and closed
03/02/2021 12:10:06 CLOSED

So I set the timeout from 600 to 1200 in qmail-smtpd, removed "idle-timeout" from spamdyke, and disabled the softlimit; the error changed but the problem is still present:

03/02/2021 13:59:27 FROM REMOTE TO CHILD: 3 bytes TLS
.
03/02/2021 14:06:34 LOG OUTPUT TLS
ERROR(tls_write()@tls.c:678): unable to write to SSL/TLS stream: The operation failed due to an I/O error, Connection reset by peer
ERROR(output_writeln()@log.c:104): unable to write 26 bytes to file descriptor 1: Connection reset by peer
03/02/2021 14:06:34 FROM CHILD TO REMOTE: 26 bytes TLS
250 ok 1614690394 qp 765
03/02/2021 14:06:34 LOG OUTPUT TLS
ALLOWED from: u...@company.biz to: u...@partnercompany.biz origin_ip: 40.107.0.68 origin_rdns: mail-eopbgr00068.outbound.protection.outlook.com auth: (unknown) encryption: TLS reason: 250_ok_1614690394_qp_765
[...]
ALLOWED from: us...@company.biz to: us...@partnercompany.biz origin_ip: 40.107.0.68 origin_rdns: mail-eopbgr00068.outbound.protection.outlook.com auth: (unknown) encryption: TLS reason: 250_ok_1614690394_qp_765
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The operation failed due to an I/O error, Unexpected EOF found
03/02/2021 14:06:34 - TLS ended and closed
03/02/2021 14:06:34 CLOSED

Any suggestions?
Thanks
--
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice
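
Added example (not part of the original post and not spamdyke code): a small parser for full-log-dir session logs that measures how long after the end of DATA each reply appears and flags sessions where qmail accepted the message but the client never received a 2xx, which is the retry-and-duplicate pattern described in the post above. The two samples are constructed from the excerpts in that post; the one-header-line-then-payload layout and all function names are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample: first session from the post (assumed layout: one header
# line per record, payload on the following lines; summary lines omitted).
SESSION_1 = """\
03/02/2021 12:03:00 FROM REMOTE TO CHILD: 3 bytes TLS
.
03/02/2021 12:08:01 LOG OUTPUT TLS
ERROR(tls_write()@tls.c:678): unable to write to SSL/TLS stream: The operation failed due to an I/O error, Connection reset by peer
03/02/2021 12:08:01 FROM SPAMDYKE TO REMOTE: 37 bytes TLS
421 Timeout. Talk faster next time.
03/02/2021 12:10:06 FROM CHILD, FILTERED: 28 bytes TLS
250 ok 1614683406 qp 12548
03/02/2021 12:10:06 CLOSED
"""

# Constructed sample: second session from the post, after the timeouts were raised.
SESSION_2 = """\
03/02/2021 13:59:27 FROM REMOTE TO CHILD: 3 bytes TLS
.
03/02/2021 14:06:34 LOG OUTPUT TLS
ERROR(tls_write()@tls.c:678): unable to write to SSL/TLS stream: The operation failed due to an I/O error, Connection reset by peer
03/02/2021 14:06:34 FROM CHILD TO REMOTE: 26 bytes TLS
250 ok 1614690394 qp 765
03/02/2021 14:06:34 CLOSED
"""

HEADER = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (.+)$")
REPLY = re.compile(r"^(\d{3})[ -]")  # SMTP reply code at the start of a payload


def parse_records(text):
    """Split a session log into (timestamp, kind, payload) records."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
            records.append([ts, m.group(2), []])
        elif records:
            records[-1][2].append(line)  # payload line of the current record
    return [(ts, kind, "\n".join(body)) for ts, kind, body in records]


@dataclass
class Finding:
    sent_code: Optional[str] = None    # first reply spamdyke tried to write to the client
    sent_delay: Optional[int] = None   # seconds after the end of DATA
    child_code: Optional[str] = None   # first reply produced by qmail-smtpd (the child)
    child_delay: Optional[int] = None  # seconds after the end of DATA
    write_failed: bool = False         # a write to the client failed after DATA

    @property
    def duplicate_risk(self):
        """qmail accepted the message, but the client cannot have seen a 2xx."""
        accepted = (self.child_code or "").startswith("2")
        client_saw_2xx = (self.sent_code or "").startswith("2") and not self.write_failed
        return accepted and not client_saw_2xx


def analyze(records):
    """Measure reply delays after the lone "." that ends DATA (one message per session)."""
    f, data_end = Finding(), None
    for ts, kind, payload in records:
        if kind.startswith("FROM REMOTE TO CHILD") and (
                payload == "." or payload.endswith("\n.")):
            data_end = ts
            continue
        if data_end is None:
            continue
        delay = int((ts - data_end).total_seconds())
        if "unable to write" in payload:
            f.write_failed = True
        reply = REPLY.match(payload)
        if not reply:
            continue
        to_client = ("FROM SPAMDYKE TO REMOTE", "FROM CHILD TO REMOTE")
        if kind.startswith(to_client) and f.sent_code is None:
            f.sent_code, f.sent_delay = reply.group(1), delay
        if kind.startswith("FROM CHILD") and f.child_code is None:
            f.child_code, f.child_delay = reply.group(1), delay
    return f


if __name__ == "__main__":
    for name, log in (("session 1", SESSION_1), ("session 2", SESSION_2)):
        print(name, analyze(parse_records(log)))
```

In both samples the child's 250 arrives about seven minutes after the end of DATA, so changing spamdyke's timeout only changes which reply fails to reach the client.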
[spamdyke-users] How to hide RBL name in responses
Hi,
since many commercial DNSBL are providing access to their RBL with a "key" (e.g. 1234abcd.zen.dq.spamhaus.net.) we need to hide the RBL name in the response in order not to divulge our secret key.

Can we customize the text response for IP in RBL with spamdyke and omit the specific RBL name?

I tried with "rejection-text-dns-blacklist" but the RBL is always shown.

Thanks
--
Alessio Cecchi
https://www.linkedin.com/in/alessice
Re: [spamdyke-users] spamdyke processes at 100%CPU
Hi Martin,

On 08/01/20 15:58, Martin Sluka wrote:
> Hi Alessio,
> Here is an example where there are 2 spamdyke process (22218 and 22957) at 100%CPU:
> The protocol is UDP, could be a DNS problem?
> maybe. What does strace show you?

Strace shows nothing:

[root@srv-2 ~]# strace -fftt -s -o outputfile -p 11158
Process 11158 attached
^CProcess 11158 detached
[root@srv-2 ~]# ls -l outputfile.11158
-rw-r--r-- 1 root root 0 8 gen 16:12 outputfile.11158

:-(
--
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice
[spamdyke-users] spamdyke processes at 100%CPU
Hi,
in the last months I have had an issue on some servers where spamdyke processes use 100% of the CPU when connections are coming from specific remote hosts. When this happens the load on the server increases and the only way to solve it is to kill the processes.

We are running spamdyke 5.0.1 on CentOS 6.10.

Here is an example where there are 2 spamdyke processes (22218 and 22957) at 100% CPU:

[root@srv-2 ~]# netstat -natpu | grep 22218
udp 0 0 0.0.0.0:45298 0.0.0.0:* 22218/spamdyke
[root@srv-2 ~]# netstat -natpu | grep 22957
tcp 200592 0 78.45.67.31:25 154.16.116.187:32320 CLOSE_WAIT 22957/spamdyke
udp 0 0 0.0.0.0:60265 0.0.0.0:* 22957/spamdyke

[root@srv-2 ~]# lsof -n | grep 22957
spamdyke 22957 vpopmail cwd DIR 253,0 4096 9830479 /var/qmail/supervise/qmail-smtpd
spamdyke 22957 vpopmail rtd DIR 253,0 4096 2 /
spamdyke 22957 vpopmail txt REG 253,0 325376 6557448 /usr/local/bin/spamdyke-5.0.1
spamdyke 22957 vpopmail mem REG 253,0 122056 13631570 /lib64/libselinux.so.1
spamdyke 22957 vpopmail mem REG 253,0 143280 13631527 /lib64/libpthread-2.12.so
spamdyke 22957 vpopmail mem REG 253,0 111440 13631529 /lib64/libresolv-2.12.so
spamdyke 22957 vpopmail mem REG 253,0 10192 13631671 /lib64/libkeyutils.so.1.3
spamdyke 22957 vpopmail mem REG 253,0 43728 13631681 /lib64/libkrb5support.so.0.1
spamdyke 22957 vpopmail mem REG 253,0 88600 13631554 /lib64/libz.so.1.2.3
spamdyke 22957 vpopmail mem REG 253,0 20024 13631509 /lib64/libdl-2.12.so
spamdyke 22957 vpopmail mem REG 253,0 174840 13631677 /lib64/libk5crypto.so.3.1
spamdyke 22957 vpopmail mem REG 253,0 14664 13631562 /lib64/libcom_err.so.2.1
spamdyke 22957 vpopmail mem REG 253,0 946048 13631679 /lib64/libkrb5.so.3.3
spamdyke 22957 vpopmail mem REG 253,0 277704 13631673 /lib64/libgssapi_krb5.so.2.2
spamdyke 22957 vpopmail mem REG 253,0 1971488 6555384 /usr/lib64/libcrypto.so.1.0.1e
spamdyke 22957 vpopmail mem REG 253,0 1924768 13631503 /lib64/libc-2.12.so
spamdyke 22957 vpopmail mem REG 253,0 443416 6555386 /usr/lib64/libssl.so.1.0.1e
spamdyke 22957 vpopmail mem REG 253,0 159312 13631897 /lib64/ld-2.12.so
spamdyke 22957 vpopmail 0u IPv4 1188469288 0t0 TCP 78.45.67.31:smtp->154.16.116.187:32320 (CLOSE_WAIT)
spamdyke 22957 vpopmail 1u IPv4 1188469288 0t0 TCP 78.45.67.31:smtp->154.16.116.187:32320 (CLOSE_WAIT)
spamdyke 22957 vpopmail 2w FIFO 0,8 0t0 10454 pipe
spamdyke 22957 vpopmail 3u IPv4 1188469320 0t0 UDP *:60265
spamdyke 22957 vpopmail 4u unix 0x88085f6e33c0 0t0 1188505138 socket
spamdyke 22957 vpopmail 6r FIFO 0,8 0t0 1188469325 pipe

[root@srv-2 ~]# lsof -n | grep 22218
spamdyke 22218 vpopmail cwd DIR 253,0 4096 9830479 /var/qmail/supervise/qmail-smtpd
spamdyke 22218 vpopmail rtd DIR 253,0 4096 2 /
spamdyke 22218 vpopmail txt REG 253,0 325376 6557448 /usr/local/bin/spamdyke-5.0.1
spamdyke 22218 vpopmail mem REG 253,0 122056 13631570 /lib64/libselinux.so.1
spamdyke 22218 vpopmail mem REG 253,0 143280 13631527 /lib64/libpthread-2.12.so
spamdyke 22218 vpopmail mem REG 253,0 111440 13631529 /lib64/libresolv-2.12.so
spamdyke 22218 vpopmail mem REG 253,0 10192 13631671 /lib64/libkeyutils.so.1.3
spamdyke 22218 vpopmail mem REG 253,0 43728 13631681 /lib64/libkrb5support.so.0.1
spamdyke 22218 vpopmail mem REG 253,0 88600 13631554 /lib64/libz.so.1.2.3
spamdyke 22218 vpopmail mem REG 253,0 20024 13631509 /lib64/libdl-2.12.so
spamdyke 22218 vpopmail mem REG 253,0 174840 13631677 /lib64/libk5crypto.so.3.1
spamdyke 22218 vpopmail mem REG 253,0 14664 13631562 /lib64/libcom_err.so.2.1
spamdyke 22218 vpopmail mem REG 253,0 946048 13631679 /lib64/libkrb5.so.3.3
spamdyke 22218 vpopmail mem REG 253,0 277704 13631673 /lib64/libgssapi_krb5.so.2.2
spamdyke 22218 vpopmail mem REG 253,0 1971488 6555384 /usr/lib64/libcrypto.so.1.0.1e
spamdyke 22218 vpopmail mem REG 253,0 1924768 13631503 /lib64/libc-2.12.so
spamdyke 22218 vpopmail mem REG 253,0 443416 6555386
Re: [spamdyke-users] Custom timeout for IP in DNS RBL
Hi Sam,

first of all thanks for your time and inputs!

We tried your patch (attached) and it compiles fine but unfortunately does not work as we need. It exits immediately after "RCPT TO" but without any message regarding RBL:

Trying 195.10.84.201...
Connected to 195.10.84.201.
Escape character is '^]'.
220 popmx-staging.cloudisp.net ESMTP
helo example.com
250 popmx-staging.cloudisp.net
MAIL FROM: he...@example.com
250 ok
RCPT TO: t...@example.com
Connection closed by foreign host.

Furthermore it exits immediately after RCPT TO even if the IP address is not in RBL, so it definitely cannot be used in production.

Do you have any other idea or suggestion?

Thanks,
Alessio

On 31/03/2017 03:56, Sam Clippinger via spamdyke-users wrote:
> I'm very sorry it's taken me so long to get back to you about this!
>
> If you're willing to edit the code, I suggest changing spamdyke.c. Change line 1615 (the first line of an if statement) to this:
>
>     if (
>
> And change line 1644 (the call to filter_dns_rbl()) to this:
>
>     if (filter_dns_rbl(current_settings, &current_settings->current_options->filter_action, &current_settings->current_options->filter_action_locked, &current_settings->current_options->rejection, &current_settings->current_options->rejection_buf, current_settings->current_options->reject_message_buf, MAX_BUF, current_settings->current_options->reject_reason_buf, MAX_BUF) == FILTER_DECISION_DO_FILTER)
>         return_value = FILTER_FLAG_QUIT;
>
> And change line 1668 (setting return_value) to this:
>
>     return_value = (return_value != FILTER_FLAG_QUIT) ? FILTER_FLAG_INTERCEPT : FILTER_FLAG_QUIT;
>
> And change line 3400 (an if statement) to this:
>
>     if (0)
>
> Then recompile with "make" and install the new spamdyke binary.
>
> With those changes on lines 1615 and 3400, spamdyke will wait until the client sends the recipient addresses to check its filters (including DNS RBLs), the same way it does when a configuration directory is given. However, the changes on lines 1644 and 1668 will make it quit when an RBL is matched, the same way it does when the client sends "QUIT", even if a sender or recipient whitelist is matched. All other rejections should behave normally.
>
> Caveat emptor: I haven't tested these suggestions or even attempted to compile them. Good luck!
>
> -- Sam Clippinger
>
> On Mar 24, 2017, at 10:19 AM, Alessio Cecchi via spamdyke-users <spamdyke-users@spamdyke.org> wrote:
>> Thanks Sam for your answer,
>>
>> anyway it is crucial for us to avoid letting the timeout expire after the "RCPT TO" message in case of RBL check. So, even developing a custom patch, we need something to prevent clients keeping the connection open after the "554 Refused. Your IP address is listed in the RBL at..." message.
>>
>> We tried adding a simple exit(0) around line 1695 of filter.c just to test the behavior but doing that the client is not able to connect anymore.
>>
>> Can you suggest a (even dirty) way to work around it or point me to the proper direction to investigate it further?
>>
>> This is an extract of the handshake message at the end of which we need to close the communication
>>
>> 220 popmx-staging.cloud.net ESMTP
>> helo example.com
>> 250 popmx-staging.cloud.net
>> MAIL FROM: exam...@example.com
>> 250 Refused. Your IP address is listed in the RBL at cidr.bl
>> RCPT TO: t...@test.com
>> 554 Refused. Your IP address is listed in the RBL at cidr.bl
>> < we need to close the connection in this moment (when we receive 554 Refused) instead of waiting for DATA and then waiting the default timeout.
>>
>> Thanks for your time.
>> Alessio Cecchi
>>
>> On 19/03/2017 20:05, Sam Clippinger via spamdyke-users wrote:
>>> Unfortunately no, spamdyke isn't designed with the idea of different timeouts for different reasons. It will always keep the connection open as long as there is any chance the message could be allowed. For example, if your configuration includes a recipient whitelist and the remote IP is blacklisted, spamdyke won't close the connection until the recipients are given, just in case one of them is on the whitelist. Even when it's no longer possible to match a whitelist, spamdyke still won't close the connection because the remote client could send a RSET command and begin a new session.
>>>
>>> Your only option is to set a lower idle timeout, anything else would require a major refactoring of spamdyke's code. Sorry!
>>>
>>> -- Sam Clippinger
>>>
>>> On Mar 10, 2017, at 4:11 AM, Alessio Cecchi via spamdyke-users <spamdyke-users@spamdyke.org> wrote:
>>>> Hi,
>>>> some months ago we switched from rblsmtpd to spamdyke in order to have more info in the log about blocked IP. But after the switch to spamdyke the number of concurrent incoming SMTP sessions increased about 10 times. This is because with rblsmtp
Re: [spamdyke-users] Custom timeout for IP in DNS RBL
Thanks Sam for your answer,

anyway it is crucial for us to avoid letting the timeout expire after the "RCPT TO" message in case of RBL check. So, even developing a custom patch, we need something to prevent clients keeping the connection open after the "554 Refused. Your IP address is listed in the RBL at..." message.

We tried adding a simple exit(0) around line 1695 of filter.c just to test the behavior but doing that the client is not able to connect anymore.

Can you suggest a (even dirty) way to work around it or point me to the proper direction to investigate it further?

This is an extract of the handshake message at the end of which we need to close the communication

220 popmx-staging.cloud.net ESMTP
helo example.com
250 popmx-staging.cloud.net
MAIL FROM: exam...@example.com
250 Refused. Your IP address is listed in the RBL at cidr.bl
RCPT TO: t...@test.com
554 Refused. Your IP address is listed in the RBL at cidr.bl
< we need to close the connection in this moment (when we receive 554 Refused) instead of waiting for DATA and then waiting the default timeout.

Thanks for your time.
Alessio Cecchi

On 19/03/2017 20:05, Sam Clippinger via spamdyke-users wrote:
> Unfortunately no, spamdyke isn't designed with the idea of different timeouts for different reasons. It will always keep the connection open as long as there is any chance the message could be allowed. For example, if your configuration includes a recipient whitelist and the remote IP is blacklisted, spamdyke won't close the connection until the recipients are given, just in case one of them is on the whitelist. Even when it's no longer possible to match a whitelist, spamdyke still won't close the connection because the remote client could send a RSET command and begin a new session.
>
> Your only option is to set a lower idle timeout, anything else would require a major refactoring of spamdyke's code. Sorry!
>
> -- Sam Clippinger
>
> On Mar 10, 2017, at 4:11 AM, Alessio Cecchi via spamdyke-users <spamdyke-users@spamdyke.org> wrote:
>> Hi,
>> some months ago we switched from rblsmtpd to spamdyke in order to have more info in the log about blocked IP. But after the switch to spamdyke the number of concurrent incoming SMTP sessions increased about 10 times.
>>
>> This is because with rblsmtpd we set a timeout of 10 seconds and spamdyke has a global timeout that we set at 180 seconds (idle-timeout-secs). So when an IP in blacklist connects to our MX it grabs a qmail-smtpd process for 180 seconds instead of 10.
>>
>> Increasing the number of /var/qmail/control/concurrencyincoming is not a solution because we expose our cluster to receive a number of sessions that we could be unable to manage.
>>
>> Can spamdyke close a connection with IP in blacklist after a time shorter than idle-timeout-secs?
>>
>> Here is an example of timeout:
>>
>> with spamdyke
>>
>> $ time telnet mx01.mail.net 25
>> Trying 192.168.1.135...
>> Connected to mx01.mail.net.
>> Escape character is '^]'.
>> 220 mx01.mail.net ESMTP
>> helo ciao.com
>> 250 mx01.mail.net
>> MAIL FROM: ales...@ciao.it
>> 250 Refused. Your IP address is listed in the RBL at www.spamhaus.org: http://www.spamhaus.org/query/bl?ip=19.9.131.86
>> RCPT TO: ales...@ciao.com
>> 554 Refused. Your IP address is listed in the RBL at www.spamhaus.org: http://www.spamhaus.org/query/bl?ip=19.9.131.86
>> [ here we should close the connection ]
>> DATA
>> 554 Refused. Your IP address is listed in the RBL at www.spamhaus.org: http://www.spamhaus.org/query/bl?ip=19.9.131.86
>> 421 Timeout. Talk faster next time.
>> Connection closed by foreign host.
>>
>> real 3m46.105s
>> user 0m0.000s
>> sys 0m0.000s
>>
>> with rblsmtpd:
>>
>> $ time telnet mx01.mail.net 25
>> Trying 192.168.1.135...
>> Connected to mx01.mail.net.
>> Escape character is '^]'.
>> 220 rblsmtpd.local
>> Connection closed by foreign host.
>>
>> real 0m10.389s
>> user 0m0.000s
>> sys 0m0.000s
>>
>> Thanks
>> --
>> Alessio Cecchi
>> Postmaster @ http://www.qboxmail.it
>> https://www.linkedin.com/in/alessice

--
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice
[spamdyke-users] Custom timeout for IP in DNS RBL
Hi,
some months ago we switched from rblsmtpd to spamdyke in order to have more info in the log about blocked IP. But after the switch to spamdyke the number of concurrent incoming SMTP sessions increased about 10 times.

This is because with rblsmtpd we set a timeout of 10 seconds and spamdyke has a global timeout that we set at 180 seconds (idle-timeout-secs). So when an IP in blacklist connects to our MX it grabs a qmail-smtpd process for 180 seconds instead of 10.

Increasing the number of /var/qmail/control/concurrencyincoming is not a solution because we expose our cluster to receive a number of sessions that we could be unable to manage.

Can spamdyke close a connection with IP in blacklist after a time shorter than idle-timeout-secs?

Here is an example of timeout:

with spamdyke

$ time telnet mx01.mail.net 25
Trying 192.168.1.135...
Connected to mx01.mail.net.
Escape character is '^]'.
220 mx01.mail.net ESMTP
helo ciao.com
250 mx01.mail.net
MAIL FROM: ales...@ciao.it
250 Refused. Your IP address is listed in the RBL at www.spamhaus.org: http://www.spamhaus.org/query/bl?ip=19.9.131.86
RCPT TO: ales...@ciao.com
554 Refused. Your IP address is listed in the RBL at www.spamhaus.org: http://www.spamhaus.org/query/bl?ip=19.9.131.86
[ here we should close the connection ]
DATA
554 Refused. Your IP address is listed in the RBL at www.spamhaus.org: http://www.spamhaus.org/query/bl?ip=19.9.131.86
421 Timeout. Talk faster next time.
Connection closed by foreign host.

real 3m46.105s
user 0m0.000s
sys 0m0.000s

with rblsmtpd:

$ time telnet mx01.mail.net 25
Trying 192.168.1.135...
Connected to mx01.mail.net.
Escape character is '^]'.
220 rblsmtpd.local
Connection closed by foreign host.

real 0m10.389s
user 0m0.000s
sys 0m0.000s

Thanks
--
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice
Re: [spamdyke-users] Help getting TLS to work please
On 10/03/2016 00:27, Faris Raouf via spamdyke-users wrote:
> From: spamdyke-users [mailto:spamdyke-users-boun...@spamdyke.org] On Behalf Of Alessio Cecchi via spamdyke-users
>> For me works fine with:
>>
>> tls-level=smtp-no-passthrough
>> tls-certificate-file=/var/ssl/wildcard.pem
>>
>> and in /var/ssl/wildcard.pem there is a chain like this:
>>
>> CERTIFICATE
>> PRIVATE-KEY
>>
>>> openssl s_client -connect localhost:25 --starttls smtp
>>
>> Try with "-starttls"
>
> Thank you for your suggestion. I really appreciate it. But in the past hour I've just found the cause: fixcrio

Hi,
if you use spamdyke, fixcrio is no longer necessary.
--
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice
Re: [spamdyke-users] Help getting TLS to work please
On 09/03/2016 13:39, Faris Raouf via spamdyke-users wrote:
> Dear all,
>
> I’m stuck with a qmail installation that doesn’t support TLS, so I’m trying to get Spamdyke to deal with it on incoming connections.
>
> Unfortunately I’ve not managed to get it to work – I get the following error in the maillog when testing:
>
> ** unable to start SSL/TLS connection: A protocol or library failure occurred, error:1408A0BB:lib(20):func(138):reason(187) **
>
> My spamdyke.conf contains the following:
>
> tls-certificate-file=/ssl/servercert.pem
> tls-level=smtp-no-passthrough
> #tls-cipher-list=ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:DES-CBC3-SHA
> tls-dhparams-file=/ssl/dhparams.pem
>
> I’ve tried with and without the tls-cipher-list line commented out (which I’m not sure is in any way correct anyway – I was just trying to disable SSLv2 and SSLv3) and similarly with and without the dhparams line commented out.

For me it works fine with:

tls-level=smtp-no-passthrough
tls-certificate-file=/var/ssl/wildcard.pem

and in /var/ssl/wildcard.pem there is a chain like this:

CERTIFICATE
PRIVATE-KEY

> I’m using the following to test:
>
> openssl s_client -connect localhost:25 --starttls smtp

Try with "-starttls"

Let me know.
--
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice
Re: [spamdyke-users] Disable SSLv3 in spamdyke
Hi Sam,

the right way to test is:

openssl s_client -connect MXIP:25 -starttls smtp

and with my ciphers list it works fine, but only apparently; in fact disabling SSLv3 with !SSLv3 also disables TLSv1.0 and TLSv1.1, so only TLSv1.2 is available.

With this configuration SMTP servers that support only TLS up to v1.0 have problems delivering email to me. This is a log from a Debian 6 (but also Centos 5 and other distros have the same problem) server:

Aug 21 09:15:16 smtp1 postfix/smtp[6995]: SSL_connect error to mx01.domain.com[192.168.1.2]:25: -1
Aug 21 09:15:16 smtp1 postfix/smtp[6995]: warning: TLS library problem: 6995:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:607:
Aug 21 09:15:16 smtp1 postfix/smtp[6995]: dJ0c42zXPl: Cannot start TLS: handshake failure
Aug 21 09:15:16 smtp1 postfix/smtp[6995]: Host offered STARTTLS: [mx01.domain.com]

Here you can find a similar problem with an old Dovecot version:

http://security.stackexchange.com/questions/71872/disable-sslv3-in-dovecot-tls-handshaking-failed-no-shared-cipher

    there are no ciphers specific for TLS1.0 and TLS1.1, that is they use the same ciphers as SSL 3.0. Only TLS1.2 defined some new ciphers. This means, that if you disable SSLv3 ciphers no SSLv3 clients can connect, but also no TLS1.0 or TLS1.1 clients. This is probably not what you intended to do. The real way is not to disable the SSLv3 ciphers, but to disable the SSLv3 protocol

where to solve the problem the only way was to make a patch that disables the SSLv3 protocol, because via the ciphers list it is impossible to disable SSLv3 but not TLSv1.0/1.1.

So I think spamdyke also needs a patch to disable SSLv3 (protocol).

Thanks

On 20/08/2015 17:23, Sam Clippinger via spamdyke-users wrote:
> I think you can test it by using the openssl client from the command line:
>
> openssl s_client -ssl3 -connect SERVERNAME:PORT
>
> If it connects and you see Protocol: SSLv3, it's not disabled. If you see sslv3 alert handshake failure and it doesn't connect, you're done!
>
> -- Sam Clippinger
>
> On Aug 20, 2015, at 7:28 AM, Alessio Cecchi via spamdyke-users <spamdyke-users@spamdyke.org> wrote:
>> Hi,
>> I'm running spamdyke 5 in front of a Qmail without TLS patch. My Qmail acts only as MX so I'm not interested in smtp authentication via TLS, but I need TLS to send and receive encrypted email from other servers.
>>
>> But my MX also accepts SSLv3 and I would like to disable it.
>>
>> So I inserted in spamdyke.conf:
>>
>> tls-cipher-list=ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL
>>
>> but I'm not sure if the list of ciphers is correct.
>>
>> Can somebody help me?
>> Thanks
>> --
>> Alessio Cecchi
>> http://www.linkedin.com/in/alessice

--
Alessio Cecchi
http://www.linkedin.com/in/alessice
[spamdyke-users] Help me to understand 503 MAIL first
Hi,
one sender (and only this one) is unable to send email to my users; this is the error in the spamdyke log:

Jun 22 05:47:37 mx01 spamdyke[1066]: DENIED_OTHER from: i...@domain.net to: j...@domain.com origin_ip: 98.18.75.3 origin_rdns: static-98-18-75-3.optusnet.com.au auth: (unknown) encryption: TLS reason: 503_MAIL_first_(#5.5.1)

The sender said that he is unable to send email only to me, so the problem is mine ...

When does the error "MAIL first" occur? How can I solve this problem or how can I demonstrate that it is a sender problem?

Thanks
--
Alessio Cecchi
http://www.linkedin.com/in/alessice
[spamdyke-users] Log helo with log-level=info
Hi,
I'm running spamdyke 5.0.1 and it works very well, but I have a request.

Can spamdyke log the helo sent from the remote server? For example:

spamdyke[10250]: ALLOWED from: newslet...@domain.com to: ales...@domain.it origin_ip: 85.11.212.124 origin_rdns: eg-c-7-124.domain.net helo: mx.domains.com auth: (unknown) encryption: (none) reason: 250_ok_1434101245_qp_10301

see helo: mx.domains.com.

The helo is useful but also mandatory if you want to send your log as a feed to DNSBL organizations to improve their spam detection (and this would be a benefit for all users).

Can the helo be added via configuration or does it require some coding?
--
Alessio Cecchi
http://www.linkedin.com/in/alessice