Re: [spamdyke-users] MAILER-DAEMON Flood

2016-11-07 Thread Gary Gendel via spamdyke-users
This doesn't look like it's email originating from your system.  
Instead, it looks like spamdyke has accepted the message and then qmail 
is doing the rejection.  My guess is that it passes through spamdyke 
with an invalid destination user.  Qmail then tries to reject it.


You can avoid this by adding invalid user checks in spamdyke so it 
doesn't reach qmail by setting "recipient-validation-command=" 
(I use spamdyke-qrv) and "reject-recipient=invalid".


Gary

On 11/07/2016 10:59 AM, BC via spamdyke-users wrote:


It hasn't risen to the level of DDOS, yet, but I'm getting many 
hundreds of these messages per night (and it is now continuing during 
the day).


They look like this:



Hi. This is the qmail-send program at purgatoire.org.
I tried to deliver a bounce message to this address, but the bounce 
bounced!


:
212.4.107.202 does not like recipient.
Remote host said: 550 5.1.1: Recipient address 
rejected: telcom.es

Giving up on 212.4.107.202.

--- Below this line is the original bounce.




... each one with totally unrelated email and IP addresses and with 
variable sizes and all in MIME format.


I use FreeBSD here.  Running qmail in a jail.  I do use ssmtp running 
on the host (not jailed) in order to get the periodic 
daily/weekly/monthly reports.


Is someone somehow using my system to try to send spam?

Any idea how to block this?

___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users








Re: [spamdyke-users] TLS reason: TIMEOUT

2016-10-12 Thread Gary Gendel via spamdyke-users

Don't you need a private key file as well?  Mine has:

tls-certificate-file=fullchain.pem
tls-privatekey-file=privkey.pem

On 10/12/2016 03:31 PM, marek--- via spamdyke-users wrote:


I read an old thread on this problem, but did not see a solution.

# spamdyke -v

spamdyke 5.0.1+TLS+CONFIGTEST+DEBUG+EXCESSIVE (C)2015 Sam Clippinger, 
samc (at) silence (dot) org


# uname -a

Linux mail.x.xx 2.6.18-308.13.1.el5 #1 SMP Tue Aug 21 17:10:06 EDT 
2012 i686 i686 i386 GNU/Linux


In spamdyke.config
tls-level=smtp
tls-certificate-file=/var/qmail/control/servercert.pem

The problem is TLS TIMEOUT

2016-10-08 21:04:50.283975500 CHKUSER accepted sender: from 
 remote 
 rcpt <> : sender accepted


2016-10-08 21:05:51.280337500 spamdyke[13676]: TIMEOUT from: 
xx...@ergohestia.pl to: (unknown) origin_ip: 91.198.179.205 
origin_rdns: smtp1.hestia.pl auth: (unknown) encryption: (none) 
reason: TIMEOUT


Adding the address to whitelist_senders changes nothing :(

I also tried spamdyke 4.3 before the upgrade to 5.1; it’s the same.

I don’t have any idea how to allow this mail.

Any help will be appreciated





Re: [spamdyke-users] Fail2ban integration

2016-07-25 Thread Gary Gendel via spamdyke-users

Sam,

Thanks.  I'll let you know how it goes.

Gary

On 07/25/2016 09:58 AM, Sam Clippinger via spamdyke-users wrote:
spamdyke won't log the IP in its current version, but it wouldn't be 
hard to add.  If you want a quick'n'dirty solution right away, you can 
add it very easily... just edit exec.c and change line 206 to this:
SPAMDYKE_LOG_VERBOSE(current_settings, LOG_VERBOSE_AUTH_FAILURE "%s %s", username, current_settings->server_ip);
Then recompile and replace the spamdyke binary with the new copy. 
 Once it's in place, the "authentication failure" messages should show 
the IP address right after the username, separated by a space.  (NOTE: 
I haven't compiled or tested this change, proceed with caution...)


-- Sam Clippinger




On Jul 22, 2016, at 6:17 PM, Gary Gendel via spamdyke-users 
<spamdyke-users@spamdyke.org> wrote:



Sam,

Is there a way to get spamdyke to log invalid authorizations in a 
manner that fail2ban can use?  My host has been hit continuously with 
brute-force attacks.  Unfortunately, the logs only have:


Jul 22 18:54:43 tardis spamdyke[26727]: [ID 702911 mail.info] 
FILTER_AUTH_REQUIRED
Jul 22 18:54:50 tardis spamdyke[26727]: [ID 702911 mail.info] 
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure 
(bad username/password, vchkpw uses this to indicate SMTP access is 
not allowed): verizon
Jul 22 18:56:01 tardis spamdyke[26727]: [ID 702911 mail.info] 
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The 
operation failed due to an I/O error, Unexpected EOF found
Jul 22 18:57:16 tardis spamdyke[26736]: [ID 702911 mail.info] 
FILTER_AUTH_REQUIRED
Jul 22 18:57:23 tardis spamdyke[26736]: [ID 702911 mail.info] 
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure 
(bad username/password, vchkpw uses this to indicate SMTP access is 
not allowed): verizon
Jul 22 18:58:37 tardis spamdyke[26736]: [ID 702911 mail.info] 
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The 
operation failed due to an I/O error, Unexpected EOF found
Jul 22 18:59:59 tardis spamdyke[26743]: [ID 702911 mail.info] 
FILTER_AUTH_REQUIRED
Jul 22 19:00:10 tardis spamdyke[26743]: [ID 702911 mail.info] 
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure 
(bad username/password, vchkpw uses this to indicate SMTP access is 
not allowed): verizon
Jul 22 19:01:21 tardis spamdyke[26743]: [ID 702911 mail.info] 
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The 
operation failed due to an I/O error, Unexpected EOF found
Jul 22 19:02:32 tardis spamdyke[26876]: [ID 702911 mail.info] 
FILTER_AUTH_REQUIRED
Jul 22 19:02:38 tardis spamdyke[26876]: [ID 702911 mail.info] 
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure 
(bad username/password, vchkpw uses this to indicate SMTP access is 
not allowed): verizon
Jul 22 19:03:50 tardis spamdyke[26876]: [ID 702911 mail.info] 
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The 
operation failed due to an I/O error, Unexpected EOF found
Jul 22 19:05:11 tardis spamdyke[26891]: [ID 702911 mail.info] 
FILTER_AUTH_REQUIRED
Jul 22 19:05:16 tardis spamdyke[26891]: [ID 702911 mail.info] 
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure 
(bad username/password, vchkpw uses this to indicate SMTP access is 
not allowed): verizon


They seem to have a huge list of account names to try and I've got 
thousands of attempts just for today.  Unfortunately, without any IP 
address in the message I can't have fail2ban automatically block these.


Gary


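The following Python code is an added example, not part of the original thread and not spamdyke or fail2ban code. It shows how the patched "authentication failure" line could be turned into per-IP ban decisions. It assumes the log line ends in `<username> <ip>` as described in the reply above, borrows the names `maxretry` and `findtime` from fail2ban's settings, and runs over constructed sample lines.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the page's syslog layout (documentation IPs only).
_P = " tardis spamdyke[26727]: [ID 702911 mail.info] "
_F = ("ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure "
      "(bad username/password, vchkpw uses this to indicate SMTP access is "
      "not allowed): ")
SAMPLE_LOG = [
    "Jul 22 18:54:43" + _P + "FILTER_AUTH_REQUIRED",
    "Jul 22 18:54:50" + _P + _F + "verizon 203.0.113.7",
    "Jul 22 18:55:00" + _P + _F + "bob 198.51.100.23",
    "Jul 22 18:56:01" + _P + "ERROR(tls_read()@tls.c:620): unable to read",
    "Jul 22 18:57:23" + _P + _F + "verizon 203.0.113.7",
    "Jul 22 19:00:10" + _P + _F + "verizon 203.0.113.7",
    # Username field itself contains an address; the real peer comes last.
    "Jul 22 19:02:38" + _P + _F + "admin 192.0.2.99 198.51.100.23",
    # Line from an unpatched binary: username only, no address.
    "Jul 22 19:05:16" + _P + _F + "verizon",
]

# Captures the timestamp and everything after the explanatory parenthesis.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ spamdyke\[\d+\]: "
    r".*?authentication failure \(.*?\): (?P<rest>.*)$"
)


def extract_ip(rest):
    """Return the client IP logged after the username, or None.

    The username is supplied by the remote client, so only the LAST
    whitespace-separated token is trusted as the address. An address typed
    into the username field is therefore never used for a ban.
    """
    tokens = rest.split()
    if len(tokens) < 2:  # unpatched format: username only
        return None
    try:
        return str(ipaddress.ip_address(tokens[-1]))
    except ValueError:
        return None


def find_offenders(lines, year, maxretry=3, findtime=timedelta(minutes=10)):
    """Return (sorted IPs with >= maxretry failures inside findtime,
    count of failure lines that carried no usable IP).

    Lines must be in chronological order; syslog timestamps carry no year,
    so the caller supplies it.
    """
    recent = defaultdict(deque)
    offenders, unattributed = set(), 0
    for line in lines:
        m = AUTH_FAIL.match(line.strip())
        if not m:
            continue  # not an authentication failure line
        ip = extract_ip(m.group("rest"))
        if ip is None:
            unattributed += 1
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        window = recent[ip]
        window.append(ts)
        # Drop failures that fell out of the sliding window.
        while ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            offenders.add(ip)
    return sorted(offenders), unattributed


if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG, year=2016))
```

The same end-of-line anchoring applies when writing a fail2ban failregex for this line: put the host capture last, followed by `$`, so text in the username field cannot stand in for the address.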


[spamdyke-users] Fail2ban integration

2016-07-22 Thread Gary Gendel via spamdyke-users

Sam,

Is there a way to get spamdyke to log invalid authorizations in a manner 
that fail2ban can use?  My host has been hit continuously with 
brute-force attacks.  Unfortunately, the logs only have:


Jul 22 18:54:43 tardis spamdyke[26727]: [ID 702911 mail.info] 
FILTER_AUTH_REQUIRED
Jul 22 18:54:50 tardis spamdyke[26727]: [ID 702911 mail.info] 
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad 
username/password, vchkpw uses this to indicate SMTP access is not 
allowed): verizon
Jul 22 18:56:01 tardis spamdyke[26727]: [ID 702911 mail.info] 
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The 
operation failed due to an I/O error, Unexpected EOF found
Jul 22 18:57:16 tardis spamdyke[26736]: [ID 702911 mail.info] 
FILTER_AUTH_REQUIRED
Jul 22 18:57:23 tardis spamdyke[26736]: [ID 702911 mail.info] 
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad 
username/password, vchkpw uses this to indicate SMTP access is not 
allowed): verizon
Jul 22 18:58:37 tardis spamdyke[26736]: [ID 702911 mail.info] 
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The 
operation failed due to an I/O error, Unexpected EOF found
Jul 22 18:59:59 tardis spamdyke[26743]: [ID 702911 mail.info] 
FILTER_AUTH_REQUIRED
Jul 22 19:00:10 tardis spamdyke[26743]: [ID 702911 mail.info] 
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad 
username/password, vchkpw uses this to indicate SMTP access is not 
allowed): verizon
Jul 22 19:01:21 tardis spamdyke[26743]: [ID 702911 mail.info] 
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The 
operation failed due to an I/O error, Unexpected EOF found
Jul 22 19:02:32 tardis spamdyke[26876]: [ID 702911 mail.info] 
FILTER_AUTH_REQUIRED
Jul 22 19:02:38 tardis spamdyke[26876]: [ID 702911 mail.info] 
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad 
username/password, vchkpw uses this to indicate SMTP access is not 
allowed): verizon
Jul 22 19:03:50 tardis spamdyke[26876]: [ID 702911 mail.info] 
ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The 
operation failed due to an I/O error, Unexpected EOF found
Jul 22 19:05:11 tardis spamdyke[26891]: [ID 702911 mail.info] 
FILTER_AUTH_REQUIRED
Jul 22 19:05:16 tardis spamdyke[26891]: [ID 702911 mail.info] 
ERROR(exec_checkpassword_argv()@exec.c:206): authentication failure (bad 
username/password, vchkpw uses this to indicate SMTP access is not 
allowed): verizon


They seem to have a huge list of account names to try and I've got 
thousands of attempts just for today.  Unfortunately, without any IP 
address in the message I can't have fail2ban automatically block these.


Gary




Re: [spamdyke-users] ip-in-rdns-keyword - are hyphens supported?

2016-05-06 Thread Gary Gendel via spamdyke-users

Faris,

Looks like it does.  From the documentation in the section on Reverse DNS:

When matching an IP address in an rDNS name, spamdyke looks for the IP 
address in many forms; for example, if the IP address is 11.22.33.44, 
spamdyke will look for the following patterns in the rDNS name (the dots 
in the examples below can be any single character):


The phrase in the parentheses implies that any non-digit character would 
be treated as a period.


Gary

On 05/06/2016 11:02 AM, Faris Raouf via spamdyke-users wrote:


Dear all,

Does ip-in-rdns-keyword-* only look for IPs delimited by periods, or 
does it allow hyphens too?


The reason I’m asking is that I want to block senders with rDNS that 
look similar to this:


dsl-111-222-333-444-dyn.domain.tld

So if it does look for hyphens as well as periods, I could block by 
using -dyn as a keyword, which would be excellent.


But if it only looks for periods…I think I’m stuck :(





[spamdyke-users] Progress Report

2015-12-15 Thread Gary Gendel via spamdyke-users

Sam,

I've started a discussion on the OpenIndiana developer's mailing list 
about Spamdyke and generated a lot of interest.  I know you're working 
on divorcing Spamdyke from Qmail and also supporting IPv6. How is this 
work progressing?  It seems that IPv6 seems to be a sticky point for 
deployment.


Gary




Re: [spamdyke-users] Weird behavior with TLS and auth-level=always

2015-08-26 Thread Gary Gendel via spamdyke-users

Sam,

I compiled spamdyke myself instead of using the pkgsrc binary for 
Illumos and that solved the problem.  I'm getting the feeling that the 
gcc compiler used for creating the binaries is broken.  Both netqmail 
and spamdyke pkgsrc installations behave badly on OmniOS. My personally 
compiled qmail and spamdyke seem to behave as expected.


Gary

On 08/25/2015 08:15 PM, Sam Clippinger via spamdyke-users wrote:
I'm having trouble reproducing this problem.  I've tried running 
spamdyke with this config against both patched qmail and my own 
smtpdummy (in the tests folder) and both of them show the AUTH lines 
in every case.


How did you install qmail?  Is this netqmail or Plesk or QTP or?

-- Sam Clippinger




On Aug 24, 2015, at 11:42 AM, Gary Gendel via spamdyke-users 
<spamdyke-users@spamdyke.org> wrote:



Sam,

Yes I'm on 5.0.1.

I've pared the configuration file down to:

qmail-rcpthosts-file=/var/qmail/control/rcpthosts
recipient-validation-command=/usr/local/bin/spamdyke-qrv
reject-recipient=invalid
max-recipients=5
idle-timeout-secs=300
tls-level=smtp-no-passthrough
tls-certificate-file=/usr/local/etc/ssl/certs/dovecot.pem
tls-privatekey-file=/usr/local/etc/ssl/private/dovecot.pem
filter-level=require-auth
smtp-auth-level=always
smtp-auth-command=/usr/local/bin/checkpassword-pam -s smtp /bin/true

If I comment out the smtp-auth-level so it uses qmail, I get the 
STARTTLS, this way I don't.


I'm still trying to figure out the qmail auth failure. This one is a 
real head-scratcher.  It's timing out so it looks like the pipe isn't 
connecting to checkpassword-pam.  I tried hard-coding the string that 
was sent (and works fine on external checkpassword-pam tests) but it 
still times out.  However, spamdyke's auth works fine which is how I 
discovered the above problem.


Gary

On 08/24/2015 12:26 PM, Sam Clippinger via spamdyke-users wrote:
What version of spamdyke are you using?  I fixed a bug related to 
this in 5.0.1... that doesn't mean there isn't another bug, I just 
want to make sure you're on that version before I spend time chasing 
a bug that's already fixed. :)


If you are on 5.0.1, could you post your configuration file that 
shows how to reproduce this?  That'll probably save me quite a bit 
of time.


-- Sam Clippinger




On Aug 21, 2015, at 1:54 PM, Gary Gendel via spamdyke-users 
<spamdyke-users@spamdyke.org> wrote:



Sam,

If I use qmail with smtp auth, then spamdyke announces STARTTLS 
capabilities, but if I have spamdyke do it then it doesn't.  It's 
there and works, but it isn't announced in the ehlo response.


gary@abby ~ openssl s_client -starttls smtp -crlf -connect 
tardis.genashor.com:587 -starttls smtp

CONNECTED(0003)
didn't found starttls in server response, try anyway...
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate 
Signing, CN = StartCom Certification Authority

verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate 
Signing, CN = StartCom Class 1 Primary Intermediate Server CA


I'm trying to use spamdyke for auth because qmail auth doesn't seem 
to work for me.  If I test checkpassword-pam outside it works, but 
from qmail it just hangs for a few seconds and then fails.  I'll 
figure it out but I wanted to report this quirk.


Gary



Re: [spamdyke-users] Weird behavior with TLS and auth-level=always

2015-08-24 Thread Gary Gendel via spamdyke-users

Sam,

Yes I'm on 5.0.1.

I've pared the configuration file down to:

qmail-rcpthosts-file=/var/qmail/control/rcpthosts
recipient-validation-command=/usr/local/bin/spamdyke-qrv
reject-recipient=invalid
max-recipients=5
idle-timeout-secs=300
tls-level=smtp-no-passthrough
tls-certificate-file=/usr/local/etc/ssl/certs/dovecot.pem
tls-privatekey-file=/usr/local/etc/ssl/private/dovecot.pem
filter-level=require-auth
smtp-auth-level=always
smtp-auth-command=/usr/local/bin/checkpassword-pam -s smtp /bin/true

If I comment out the smtp-auth-level so it uses qmail, I get the 
STARTTLS, this way I don't.


I'm still trying to figure out the qmail auth failure.  This one is a 
real head-scratcher.  It's timing out so it looks like the pipe isn't 
connecting to checkpassword-pam.  I tried hard-coding the string that was 
sent (and works fine on external checkpassword-pam tests) but it still 
times out.  However, spamdyke's auth works fine which is how I 
discovered the above problem.


Gary

On 08/24/2015 12:26 PM, Sam Clippinger via spamdyke-users wrote:
What version of spamdyke are you using?  I fixed a bug related to this 
in 5.0.1... that doesn't mean there isn't another bug, I just want to 
make sure you're on that version before I spend time chasing a bug 
that's already fixed. :)


If you are on 5.0.1, could you post your configuration file that shows 
how to reproduce this?  That'll probably save me quite a bit of time.


-- Sam Clippinger




On Aug 21, 2015, at 1:54 PM, Gary Gendel via spamdyke-users 
<spamdyke-users@spamdyke.org> wrote:



Sam,

If I use qmail with smtp auth, then spamdyke announces STARTTLS 
capabilities, but if I have spamdyke do it then it doesn't.  It's 
there and works, but it isn't announced in the ehlo response.


gary@abby ~ openssl s_client -starttls smtp -crlf -connect 
tardis.genashor.com:587 -starttls smtp

CONNECTED(0003)
didn't found starttls in server response, try anyway...
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate 
Signing, CN = StartCom Certification Authority

verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate 
Signing, CN = StartCom Class 1 Primary Intermediate Server CA


I'm trying to use spamdyke for auth because qmail auth doesn't seem 
to work for me.  If I test checkpassword-pam outside it works, but 
from qmail it just hangs for a few seconds and then fails.  I'll 
figure it out but I wanted to report this quirk.


Gary



[spamdyke-users] Weird behavior with TLS and auth-level=always

2015-08-21 Thread Gary Gendel via spamdyke-users

Sam,

If I use qmail with smtp auth, then spamdyke announces STARTTLS 
capabilities, but if I have spamdyke do it then it doesn't.  It's there 
and works, but it isn't announced in the ehlo response.


gary@abby ~ openssl s_client -starttls smtp -crlf -connect 
tardis.genashor.com:587 -starttls smtp

CONNECTED(0003)
didn't found starttls in server response, try anyway...
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate 
Signing, CN = StartCom Certification Authority

verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate 
Signing, CN = StartCom Class 1 Primary Intermediate Server CA


I'm trying to use spamdyke for auth because qmail auth doesn't seem to 
work for me.  If I test checkpassword-pam outside it works, but from 
qmail it just hangs for a few seconds and then fails.  I'll figure it 
out but I wanted to report this quirk.


Gary





[spamdyke-users] Spamdyke auth problems resolved

2015-08-18 Thread Gary Gendel via spamdyke-users
I use port 22 for non-auth mail and 587 for TLS with auth mail.  On 587 
I ended up using postfix because I could never get spamdyke working.  It 
always failed valid authorizations.


I was putting together a new server and I decided to take another look.  
The problem ended up in the checkpassword-pam module on Illumos 
(Solaris).  Illumos (and possibly other Unix derivatives) require that 
pam has PAM_TTY set before starting a session.  The checkpassword-pam 
module doesn't do this.  I posted a bug report but my solution was to 
add the following code just before opening the pam session (in 
pam-support.c).


/* Illumos PAM requires PAM_TTY to be set before the session is opened */
retval = pam_set_item(pamh, PAM_TTY, "/dev/null");
if (retval != PAM_SUCCESS) {
    fatal("Setting PAM_TTY failed: %s", pam_strerror(pamh, retval));
    return 1;
}

I just thought I'd send this information along in case anyone else was 
having issues with spamdyke authorization.


Sam,

How's the next gen version coming?  Will it support IPv6?

Gary






Re: [spamdyke-users] Spamdyke auth problems resolved

2015-08-18 Thread Gary Gendel via spamdyke-users

Sam,

I don't bother with Solaris since Oracle closed the source. Instead I 
use the open-sourced branch for the kernel called Illumos which is being 
developed by the upstream commercial distros as well as other contributors.


There are three main distributions for x86 platforms.

OpenIndiana -- This is the continuation of OpenSolaris.  Good for server 
and desktop.  This was the distribution I have used for years.  There is 
a lot of reorganization (compilers, userland, etc.) recently which tends 
to break things.  The package repositories are also in flux as well 
(broken dependencies).  It's a good distro but no longer stable and no 
reasonable release schedule.


SmartOS -- You can get support from Joyent.  It's a cloud-based 
implementation and the OS is booted from USB drive to provide a memory 
resident hypervisor.  It has regular releases and uses NetBSD pkgsrc as 
its package system which has pretty much everything you'd want 
(including spamdyke).  It's designed for VM farms.


OmniOS -- You can get support from OmniTi.  It's a minimalistic server 
with regular releases (bloody, stable, LTS).  It comes with IPS but you 
can use pkgsrc from SmartOS as well. This is the distro I'm moving to.  
It's very stable. IPS is nice because it allows you to freeze and 
rollback packages.  However, it's hard to find something missing in 
pkgsrc so that's what I've chosen for my userland.


I've worked with several Linux distros (my company is a Linux house) and 
have found they need much more care than illumos-based servers.


Since we're just using qmail backend as a delivery agent, I'm not sure 
what the strength of a proxy-based approach is other than to broaden 
its appeal (which makes a lot of sense).  However, it's spamdyke that 
kept me using qmail for so long.


Gary

On 8/18/15 8:05 PM, Sam Clippinger via spamdyke-users wrote:
That's good to know, thanks for posting that info.  I'm always amazed 
to hear people still use Solaris any more... I endured it a few years 
ago because ZFS was worth the pain, but finally had to abandon it 
because it was impossible to get security updates without an 
enterprise contract.


spamdyke's next version is nearly ready but I'm still running tests. 
 It fixes the recipient validation code in spamdyke-qrv when vpopmail 
is being used, which has increased the number of test scripts to 4-6 
million (from about 200K-300K).  So it's taking a lot longer to test 
(about 2 weeks straight on 20 EC2 instances).  They say familiarity 
breeds contempt, and lately I've become very familiar with vpopmail's 
code, so it's very hard to regard it with anything but contempt.  I'll 
write up a complete rant about it later; for now I'll just say I will 
never install it on a new server again and I'm giving serious thought 
to deleting it from my current server.  If anyone out there has 
vpopmail running on a server where users can edit their own .qmail 
files inside their mail folders, be very very afraid.  Crashes and 
fork bombs are easy to do and cooking up a denial of service attack 
would probably be simple.  I haven't been looking for exploitable 
holes, but I'm positive they're in there.


Anyway, sadly spamdyke's next version doesn't include any 
earth-shattering features but it does add one small thing -- the 
ability to block authorization attempts unless SSL/TLS is active. 
 IPv6 is certainly on my radar, but frankly I'm far more interested in 
adding a real proxy mode to spamdyke so it will work with other mail 
servers beyond qmail.  Qmail has become an anachronism and I'm 
convinced it's time to let it go.  If spamdyke can forward connections 
from port 25 to port X while doing all the filtering it does now, it 
should work nicely with just about any other mail server.


-- Sam Clippinger




On Aug 18, 2015, at 12:03 PM, Gary Gendel via spamdyke-users 
<spamdyke-users@spamdyke.org> wrote:


I use port 22 for non-auth mail and 587 for TLS with auth mail.  On 
587 I ended up using postfix because I could never get spamdyke 
working.  It always failed valid authorizations.


I was putting together a new server and I decided to take another 
look.  The problem ended up in the checkpassword-pam module on 
Illumos (Solaris).  Illumos (and possibly other Unix derivatives) 
require that pam has PAM_TTY set before starting a session.  The 
checkpassword-pam module doesn't do this.  I posted a bug report but 
my solution was to add the following code just before opening the pam 
session (in pam-support.c).


/* Illumos PAM requires PAM_TTY to be set before the session is opened */
retval = pam_set_item(pamh, PAM_TTY, "/dev/null");
if (retval != PAM_SUCCESS) {
   fatal("Setting PAM_TTY failed: %s", pam_strerror(pamh, retval));
   return 1;
}

I just thought I'd send this information along in case anyone else 
was having issues with spamdyke authorization.


Sam,

How's the next gen version coming?  Will it support IPv6?

Gary



Re: [spamdyke-users] Moving from GreyLite

2015-06-19 Thread Gary Gendel via spamdyke-users

Phil,

The greylisting feature of Spamdyke kicks in after whitelisting and 
blacklisting operations.  If these operations don't specifically reject 
or accept the incoming email then it is chosen for greylisting.  I 
suggest you scan its features from the spamdyke homepage.  It sounds 
like it is a GreyLite replacement since it uses the connection 
information to determine whether to greylist.


There have been multiple discussions on whether greylisting is a good or 
bad spam filter.  In my case, I turned it off because sometimes 
registration confirmations aren't resent at all, are sent too late so 
they get caught in the greylist again, or they finally come through 
after they've expired.  I had to be proactive in these cases and 
whitelist that domain before I register.  For the small percentage of 
spam rejections over my other spamdyke filter settings, I decided it 
wasn't worth the hassle of false positive delays.


Gary

On 06/19/2015 06:21 AM, Philip Rhoades via spamdyke-users wrote:

People,

I have been using GreyLite for many years but it hasn't been supported 
for quite a while - I think it is time to update to SpamDyke . . but I 
have some questions - first one:


I looked at the SpamDyke web site and it is still not clear to me - it 
says 'connection-time means spamdyke evaluates and rejects spam 
while the remote server is still delivering it' - does this mean it 
does it at the TCP / mail envelope level? ie so it would be the same 
as GreyLite?  GL blocks and forces possibly bad mails to be resent 
some time later which many spammers don't attempt . .


Thanks,

Phil.




