Re: [spamdyke-users] MAILER-DAEMON Flood
This doesn't look like it's email originating from your system. Instead, it looks like spamdyke has accepted the message and then qmail is doing the rejection. My guess is that it passes through spamdyke with an invalid destination user. Qmail then tries to reject it.

You can avoid this by adding invalid user checks in spamdyke so it doesn't reach qmail by setting "recipient-validation-command=" (I use spamdyke-qrv) and "reject-recipient=invalid".

Gary

On 11/07/2016 10:59 AM, BC via spamdyke-users wrote:

It hasn't risen to the level of DDOS, yet, but I'm getting many hundreds of these messages per night (and it is now continuing during the day). They look like this:

    Hi. This is the qmail-send program at purgatoire.org.
    I tried to deliver a bounce message to this address, but the bounce bounced!: 212.4.107.202 does not like recipient.
    Remote host said: 550 5.1.1 : Recipient address rejected: telcom.es
    Giving up on 212.4.107.202.
    --- Below this line is the original bounce. ...

each one with totally unrelated email and IP addresses and with variable sizes and all in MIME format.

I use FreeBSD here. Running qmail in a jail. I do use ssmtp running on the host (not jailed) in order to get the periodic daily/weekly/monthly reports.

Is someone somehow using my system to try to send spam? Any idea how to block this?

___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
Re: [spamdyke-users] TLS reason: TIMEOUT
Don't you need a private key file as well? Mine has:

    tls-certificate-file=fullchain.pem
    tls-privatekey-file=privkey.pem

On 10/12/2016 03:31 PM, marek--- via spamdyke-users wrote:

I read an old thread on this problem, but did not see a solution.

    # spamdyke -v
    spamdyke 5.0.1+TLS+CONFIGTEST+DEBUG+EXCESSIVE (C)2015 Sam Clippinger, samc (at) silence (dot) org
    # uname -a
    Linux mail.x.xx 2.6.18-308.13.1.el5 #1 SMP Tue Aug 21 17:10:06 EDT 2012 i686 i686 i386 GNU/Linux

In spamdyke.config

    tls-level=smtp
    tls-certificate-file=/var/qmail/control/servercert.pem

The problem is TLS TIMEOUT

    2016-10-08 21:04:50.283975500 CHKUSER accepted sender: fromremote rcpt <> : sender accepted
    2016-10-08 21:05:51.280337500 spamdyke[13676]: TIMEOUT from: xx...@ergohestia.pl to: (unknown) origin_ip: 91.198.179.205 origin_rdns: smtp1.hestia.pl auth: (unknown) encryption: (none) reason: TIMEOUT

Adding the address to whitelist_senders changes nothing :(

I also tried on spamdyke 4.3 before upgrading to 5.1; it's the same. I don't have any idea how to allow this mail.

Any help will be appreciated
Re: [spamdyke-users] Fail2ban integration
Sam,

Thanks. I'll let you know how it goes.

Gary

On 07/25/2016 09:58 AM, Sam Clippinger via spamdyke-users wrote:

spamdyke won't log the IP in its current version, but it wouldn't be hard to add. If you want a quick'n'dirty solution right away, you can add it very easily... just edit exec.c and change line 206 to this:

    SPAMDYKE_LOG_VERBOSE(current_settings, LOG_VERBOSE_AUTH_FAILURE "%s %s", username, current_settings->server_ip);

Then recompile and replace the spamdyke binary with the new copy. Once it's in place, the "authentication failure" messages should show the IP address right after the username, separated by a space.

(NOTE: I haven't compiled or tested this change, proceed with caution...)

-- Sam Clippinger

On Jul 22, 2016, at 6:17 PM, Gary Gendel via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

Sam,

Is there a way to get spamdyke to log invalid authorizations in a manner that fail2ban can use? My host has been hit continuously with brute-force attacks. Unfortunately, the logs only have:

    Jul 22 18:54:43 tardis spamdyke[26727]: [ID 702911 mail.info] FILTER_AUTH_REQUIRED
    Jul 22 18:54:50 tardis spamdyke[26727]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): verizon
    Jul 22 18:56:01 tardis spamdyke[26727]: [ID 702911 mail.info] ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The operation failed due to an I/O error, Unexpected EOF found
    Jul 22 18:57:16 tardis spamdyke[26736]: [ID 702911 mail.info] FILTER_AUTH_REQUIRED
    Jul 22 18:57:23 tardis spamdyke[26736]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): verizon
    Jul 22 18:58:37 tardis spamdyke[26736]: [ID 702911 mail.info] ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The operation failed due to an I/O error, Unexpected EOF found
    Jul 22 18:59:59 tardis spamdyke[26743]: [ID 702911 mail.info] FILTER_AUTH_REQUIRED
    Jul 22 19:00:10 tardis spamdyke[26743]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): verizon
    Jul 22 19:01:21 tardis spamdyke[26743]: [ID 702911 mail.info] ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The operation failed due to an I/O error, Unexpected EOF found
    Jul 22 19:02:32 tardis spamdyke[26876]: [ID 702911 mail.info] FILTER_AUTH_REQUIRED
    Jul 22 19:02:38 tardis spamdyke[26876]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): verizon
    Jul 22 19:03:50 tardis spamdyke[26876]: [ID 702911 mail.info] ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The operation failed due to an I/O error, Unexpected EOF found
    Jul 22 19:05:11 tardis spamdyke[26891]: [ID 702911 mail.info] FILTER_AUTH_REQUIRED
    Jul 22 19:05:16 tardis spamdyke[26891]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): verizon

They seem to have a huge list of account names to try and I've got thousands of attempts just for today. Unfortunately, without any IP address in the message I can't have fail2ban automatically block these.

Gary
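Once the failure line ends with the IP, in the format Sam's change is expected to produce (username, a space, then the address), failures can be counted per address the way fail2ban does. This is an added example, not code from the thread or from spamdyke: the sample lines, the assumed year and the `maxretry`/`findtime` values are constructed, and the regex anchors the IP to the end of the line because the username in front of it is supplied by the client.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ASSUMED_YEAR = 2016  # syslog timestamps carry no year; assumed for the sample

# Constructed sample in the patched format "...: <username> <ip>".
# Addresses come from documentation ranges; one line keeps the old format.
_PFX = "tardis spamdyke[26727]: [ID 702911 mail.info] "
_FAIL = (_PFX + "ERROR(exec_checkpassword_argv()@exec.c:206): authentication "
         "failure (bad username/password, vchkpw uses this to indicate SMTP "
         "access is not allowed): ")
SAMPLE_LOG = [
    "Jul 22 18:54:43 " + _PFX + "FILTER_AUTH_REQUIRED",
    "Jul 22 18:54:50 " + _FAIL + "verizon 192.0.2.10",
    "Jul 22 18:57:23 " + _FAIL + "verizon 192.0.2.10",
    "Jul 22 19:00:10 " + _FAIL + "admin 192.0.2.10",
    "Jul 22 19:02:38 " + _FAIL + "verizon",                     # unpatched, no IP
    "Jul 22 19:03:00 " + _FAIL + "x 203.0.113.5 198.51.100.7",  # IP-like username
    "Jul 22 19:05:16 " + _FAIL + "bob 198.51.100.7",
    "Jul 22 19:40:00 " + _FAIL + "bob 198.51.100.7",
]

# The username is client-controlled and may contain spaces or something that
# looks like an address, so only the LAST token of the line is taken as the IP.
FAILURE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ spamdyke\[\d+\]: .*?"
    r"authentication failure \([^)]*\): (?P<user>.*) (?P<ip>\S+)$"
)


def parse_failure(line):
    """Return (time, username, ip) for a patched failure line, else None."""
    m = FAILURE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    try:
        ip = str(ipaddress.ip_address(m["ip"]))
    except ValueError:  # last token is not an address, e.g. an unpatched line
        return None
    when = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return when, m["user"], ip


def find_offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Map each IP to the time it reached maxretry failures within findtime."""
    recent = defaultdict(deque)  # ip -> failure times inside the window
    banned = {}
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        when, _user, ip = hit
        window = recent[ip]
        window.append(when)
        while when - window[0] > findtime:  # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry and ip not in banned:
            banned[ip] = when
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the failure limit at {when:%H:%M:%S}")
```

In a fail2ban filter the same rule means ending the `failregex` with `<HOST>$` rather than letting `<HOST>` match anywhere after the colon.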
[spamdyke-users] Fail2ban integration
Sam,

Is there a way to get spamdyke to log invalid authorizations in a manner that fail2ban can use? My host has been hit continuously with brute-force attacks. Unfortunately, the logs only have:

    Jul 22 18:54:43 tardis spamdyke[26727]: [ID 702911 mail.info] FILTER_AUTH_REQUIRED
    Jul 22 18:54:50 tardis spamdyke[26727]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): verizon
    Jul 22 18:56:01 tardis spamdyke[26727]: [ID 702911 mail.info] ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The operation failed due to an I/O error, Unexpected EOF found
    Jul 22 18:57:16 tardis spamdyke[26736]: [ID 702911 mail.info] FILTER_AUTH_REQUIRED
    Jul 22 18:57:23 tardis spamdyke[26736]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): verizon
    Jul 22 18:58:37 tardis spamdyke[26736]: [ID 702911 mail.info] ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The operation failed due to an I/O error, Unexpected EOF found
    Jul 22 18:59:59 tardis spamdyke[26743]: [ID 702911 mail.info] FILTER_AUTH_REQUIRED
    Jul 22 19:00:10 tardis spamdyke[26743]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): verizon
    Jul 22 19:01:21 tardis spamdyke[26743]: [ID 702911 mail.info] ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The operation failed due to an I/O error, Unexpected EOF found
    Jul 22 19:02:32 tardis spamdyke[26876]: [ID 702911 mail.info] FILTER_AUTH_REQUIRED
    Jul 22 19:02:38 tardis spamdyke[26876]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): verizon
    Jul 22 19:03:50 tardis spamdyke[26876]: [ID 702911 mail.info] ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The operation failed due to an I/O error, Unexpected EOF found
    Jul 22 19:05:11 tardis spamdyke[26891]: [ID 702911 mail.info] FILTER_AUTH_REQUIRED
    Jul 22 19:05:16 tardis spamdyke[26891]: [ID 702911 mail.info] ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): verizon

They seem to have a huge list of account names to try and I've got thousands of attempts just for today. Unfortunately, without any IP address in the message I can't have fail2ban automatically block these.

Gary
Re: [spamdyke-users] ip-in-rdns-keyword - are hyphens supported?
Faris,

Looks like it does. From the documentation in the section on Reverse DNS:

    When matching an IP address in an rDNS name, spamdyke looks for the IP address in many forms; for example, if the IP address is 11.22.33.44, spamdyke will look for the following patterns in the rDNS name (the dots in the examples below can be any single character):

The phrase in the parentheses implies that any non-digit character would be treated as a period.

Gary

On 05/06/2016 11:02 AM, Faris Raouf via spamdyke-users wrote:

Dear all,

Does ip-in-rdns-keyword-* only look for IPs delimited by periods, or does it allow hyphens too?

The reason I'm asking is that I want to block senders with rDNS that look similar to this:

    dsl-111-222-333-444-dyn.domain.tld

So if it does look for hyphens as well as periods, I could block by using -dyn as a keyword, which would be excellent. But if it only looks for periods…I think I'm stuck :(
[spamdyke-users] Progress Report
Sam,

I've started a discussion on the OpenIndiana developer's mailing list about Spamdyke and generated a lot of interest. I know you're working on divorcing Spamdyke from Qmail and also supporting IPv6. How is this work progressing? It seems that IPv6 seems to be a sticky point for deployment.

Gary
Re: [spamdyke-users] Weird behavior with TLS and auth-level=always
Sam,

I compiled spamdyke myself instead of using the pkgsrc binary for Illumos and that solved the problem. I'm getting the feeling that the gcc compiler used for creating the binaries is broken. Both netqmail and spamdyke pkgsrc installations behave badly on OmniOS. My personally compiled qmail and spamdyke seem to behave as expected.

Gary

On 08/25/2015 08:15 PM, Sam Clippinger via spamdyke-users wrote:

I'm having trouble reproducing this problem. I've tried running spamdyke with this config against both patched qmail and my own smtpdummy (in the tests folder) and both of them show the AUTH lines in every case.

How did you install qmail? Is this netqmail or Plesk or QTP or?

-- Sam Clippinger

On Aug 24, 2015, at 11:42 AM, Gary Gendel via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

Sam,

Yes I'm on 5.0.1. I've pared the configuration file down to:

    qmail-rcpthosts-file=/var/qmail/control/rcpthosts
    recipient-validation-command=/usr/local/bin/spamdyke-qrv
    reject-recipient=invalid
    max-recipients=5
    idle-timeout-secs=300
    tls-level=smtp-no-passthrough
    tls-certificate-file=/usr/local/etc/ssl/certs/dovecot.pem
    tls-privatekey-file=/usr/local/etc/ssl/private/dovecot.pem
    filter-level=require-auth
    smtp-auth-level=always
    smtp-auth-command=/usr/local/bin/checkpassword-pam -s smtp /bin/true

If I comment out the smtp-auth-level so it uses qmail, I get the STARTTLS, this way I don't.

I'm still trying to figure out the qmail auth failure. This one is a real head-scratcher. It's timing out so it looks like the pipe isn't connecting to checkpassword-pam. I tried hard-coding the string that was sent (and works fine on external checkpassword-pam tests) but it still times out. However, spamdyke's auth works fine which is how I discovered the above problem.

Gary

On 08/24/2015 12:26 PM, Sam Clippinger via spamdyke-users wrote:

What version of spamdyke are you using? I fixed a bug related to this in 5.0.1... that doesn't mean there isn't another bug, I just want to make sure you're on that version before I spend time chasing a bug that's already fixed. :)

If you are on 5.0.1, could you post your configuration file that shows how to reproduce this? That'll probably save me quite a bit of time.

-- Sam Clippinger

On Aug 21, 2015, at 1:54 PM, Gary Gendel via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

Sam,

If I use qmail with smtp auth, then spamdyke announces STARTTLS capabilities, but if I have spamdyke do it then it doesn't. It's there and works, but it isn't announced in the ehlo response.

    gary@abby ~ openssl s_client -starttls smtp -crlf -connect tardis.genashor.com:587 -starttls smtp
    CONNECTED(0003)
    didn't found starttls in server response, try anyway...
    depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
    verify return:1
    depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA

I'm trying to use spamdyke for auth because qmail auth doesn't seem to work for me. If I test checkpassword-pam outside it works, but from qmail it just hangs for a few seconds and then fails. I'll figure it out but I wanted to report this quirk.

Gary
Re: [spamdyke-users] Weird behavior with TLS and auth-level=always
Sam,

Yes I'm on 5.0.1. I've pared the configuration file down to:

    qmail-rcpthosts-file=/var/qmail/control/rcpthosts
    recipient-validation-command=/usr/local/bin/spamdyke-qrv
    reject-recipient=invalid
    max-recipients=5
    idle-timeout-secs=300
    tls-level=smtp-no-passthrough
    tls-certificate-file=/usr/local/etc/ssl/certs/dovecot.pem
    tls-privatekey-file=/usr/local/etc/ssl/private/dovecot.pem
    filter-level=require-auth
    smtp-auth-level=always
    smtp-auth-command=/usr/local/bin/checkpassword-pam -s smtp /bin/true

If I comment out the smtp-auth-level so it uses qmail, I get the STARTTLS, this way I don't.

I'm still trying to figure out the qmail auth failure. This one is a real head-scratcher. It's timing out so it looks like the pipe isn't connecting to checkpassword-pam. I tried hard-coding the string that was sent (and works fine on external checkpassword-pam tests) but it still times out. However, spamdyke's auth works fine which is how I discovered the above problem.

Gary

On 08/24/2015 12:26 PM, Sam Clippinger via spamdyke-users wrote:

What version of spamdyke are you using? I fixed a bug related to this in 5.0.1... that doesn't mean there isn't another bug, I just want to make sure you're on that version before I spend time chasing a bug that's already fixed. :)

If you are on 5.0.1, could you post your configuration file that shows how to reproduce this? That'll probably save me quite a bit of time.

-- Sam Clippinger

On Aug 21, 2015, at 1:54 PM, Gary Gendel via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

Sam,

If I use qmail with smtp auth, then spamdyke announces STARTTLS capabilities, but if I have spamdyke do it then it doesn't. It's there and works, but it isn't announced in the ehlo response.

    gary@abby ~ openssl s_client -starttls smtp -crlf -connect tardis.genashor.com:587 -starttls smtp
    CONNECTED(0003)
    didn't found starttls in server response, try anyway...
    depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
    verify return:1
    depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA

I'm trying to use spamdyke for auth because qmail auth doesn't seem to work for me. If I test checkpassword-pam outside it works, but from qmail it just hangs for a few seconds and then fails. I'll figure it out but I wanted to report this quirk.

Gary
[spamdyke-users] Weird behavior with TLS and auth-level=always
Sam,

If I use qmail with smtp auth, then spamdyke announces STARTTLS capabilities, but if I have spamdyke do it then it doesn't. It's there and works, but it isn't announced in the ehlo response.

    gary@abby ~ openssl s_client -starttls smtp -crlf -connect tardis.genashor.com:587 -starttls smtp
    CONNECTED(0003)
    didn't found starttls in server response, try anyway...
    depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
    verify return:1
    depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA

I'm trying to use spamdyke for auth because qmail auth doesn't seem to work for me. If I test checkpassword-pam outside it works, but from qmail it just hangs for a few seconds and then fails. I'll figure it out but I wanted to report this quirk.

Gary
[spamdyke-users] Spamdyke auth problems resolved
I use port 22 for non-auth mail and 587 for TLS with auth mail. On 587 I ended up using postfix because I could never get spamdyke working. It always failed valid authorizations.

I was putting together a new server and I decided to take another look. The problem ended up in the checkpassword-pam module on Illumos (Solaris). Illumos (and possibly other Unix derivatives) require that pam has PAM_TTY set before starting a session. The checkpassword-pam module doesn't do this. I posted a bug report but my solution was to add the following code just before opening the pam session (in pam-support.c).

    /* PAM_TTY must be set before the session is opened */
    retval = pam_set_item(pamh, PAM_TTY, "/dev/null");
    if (retval != PAM_SUCCESS) {
        fatal("Setting PAM_TTY failed: %s", pam_strerror(pamh, retval));
        return 1;
    }

I just thought I'd send this information along in case anyone else was having issues with spamdyke authorization.

Sam,

How's the next gen version coming? Will it support IPv6?

Gary
Re: [spamdyke-users] Spamdyke auth problems resolved
Sam,

I don't bother with Solaris since Oracle closed the source. Instead I use the open-sourced branch for the kernel called Illumos which is being developed by the upstream commercial distros as well as other contributors. There are three main distributions for x86 platforms.

OpenIndiana -- This is the continuation of OpenSolaris. Good for server and desktop. This was the distribution I have used for years. There is a lot of reorganization (compilers, userland, etc.) recently which tends to break things. The package repositories are also in flux as well (broken dependencies). It's a good distro but no longer stable and no reasonable release schedule.

SmartOS -- You can get support from Joyent. It's a cloud-based implementation and the OS is booted from USB drive to provide a memory resident hypervisor. It has regular releases and uses NetBSD pkgsrc as its package system which has pretty much everything you'd want (including spamdyke). It's designed for VM farms.

OmniOS -- You can get support from OmniTi. It's a minimalistic server with regular releases (bloody, stable, LTS). It comes with IPS but you can use pkgsrc from SmartOS as well. This is the distro I'm moving to. It's very stable. IPS is nice because it allows you to freeze and rollback packages. However, it's hard to find something missing in pkgsrc so that's what I've chosen for my userland.

I've worked with several Linux distros (my company is a Linux house) and have found they need much more care than illumos-based servers.

Since we're just using qmail backend as a delivery agent, I'm not sure what the strength of a proxy-based approach is other than to broaden its appeal (which makes a lot of sense). However, it's spamdyke that kept me using qmail for so long.

Gary

On 8/18/15 8:05 PM, Sam Clippinger via spamdyke-users wrote:

That's good to know, thanks for posting that info. I'm always amazed to hear people still use Solaris any more... I endured it a few years ago because ZFS was worth the pain, but finally had to abandon it because it was impossible to get security updates without an enterprise contract.

spamdyke's next version is nearly ready but I'm still running tests. It fixes the recipient validation code in spamdyke-qrv when vpopmail is being used, which has increased the number of test scripts to 4-6 million (from about 200K-300K). So it's taking a lot longer to test (about 2 weeks straight on 20 EC2 instances). They say familiarity breeds contempt, and lately I've become very familiar with vpopmail's code, so it's very hard to regard it with anything but contempt. I'll write up a complete rant about it later; for now I'll just say I will never install it on a new server again and I'm giving serious thought to deleting it from my current server. If anyone out there has vpopmail running on a server where users can edit their own .qmail files inside their mail folders, be very very afraid. Crashes and fork bombs are easy to do and cooking up a denial of service attack would probably be simple. I haven't been looking for exploitable holes, but I'm positive they're in there.

Anyway, sadly spamdyke's next version doesn't include any earth-shattering features but it does add one small thing -- the ability to block authorization attempts unless SSL/TLS is active.

IPv6 is certainly on my radar, but frankly I'm far more interested in adding a real proxy mode to spamdyke so it will work with other mail servers beyond qmail. Qmail has become an anachronism and I'm convinced it's time to let it go. If spamdyke can forward connections from port 25 to port X while doing all the filtering it does now, it should work nicely with just about any other mail server.

-- Sam Clippinger

On Aug 18, 2015, at 12:03 PM, Gary Gendel via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

I use port 22 for non-auth mail and 587 for TLS with auth mail. On 587 I ended up using postfix because I could never get spamdyke working. It always failed valid authorizations.

I was putting together a new server and I decided to take another look. The problem ended up in the checkpassword-pam module on Illumos (Solaris). Illumos (and possibly other Unix derivatives) require that pam has PAM_TTY set before starting a session. The checkpassword-pam module doesn't do this. I posted a bug report but my solution was to add the following code just before opening the pam session (in pam-support.c).

    /* PAM_TTY must be set before the session is opened */
    retval = pam_set_item(pamh, PAM_TTY, "/dev/null");
    if (retval != PAM_SUCCESS) {
        fatal("Setting PAM_TTY failed: %s", pam_strerror(pamh, retval));
        return 1;
    }

I just thought I'd send this information along in case anyone else was having issues with spamdyke authorization.

Sam,

How's the next gen version coming? Will it support IPv6?

Gary
Re: [spamdyke-users] Moving from GreyLite
Phil,

The greylisting feature of Spamdyke kicks in after whitelisting and blacklisting operations. If these operations don't specifically reject or accept the incoming email then it is chosen for greylisting. I suggest you scan its features from the spamdyke homepage. It sounds like it is a GreyLite replacement since it uses the connection information to determine whether to greylist.

There have been multiple discussions on whether greylisting is a good or bad spam filter. In my case, I turned it off because sometimes registration confirmations aren't resent at all, are sent too late so they get caught in the greylist again, or they finally come through after they've expired. I had to be proactive in these cases and whitelist that domain before I register. For the small percentage of spam rejections over my other spamdyke filter settings, I decided it wasn't worth the hassle of false positive delays.

Gary

On 06/19/2015 06:21 AM, Philip Rhoades via spamdyke-users wrote:

People,

I have been using GreyLite for many years but it hasn't been supported for quite a while - I think it is time to update to SpamDyke . . but I have some questions - first one:

I looked at the SpamDyke web site and it is still not clear to me - it says 'connection-time means spamdyke evaluates and rejects spam while the remote server is still delivering it' - does this mean it does it at the TCP / mail envelope level? ie so it would be the same as GreyLite? GL blocks and forces possibly bad mails to be resent some time later which many spammers don't attempt . .

Thanks,

Phil.