Re: [spamdyke-users] TLS reason: TIMEOUT

2016-10-13 Thread marek--- via spamdyke-users 
This is a part of excessive log:

 

@400057ffaef614a4dfbc CHKUSER accepted sender: from
<xxx...@ergohestia.pl::> remote 
rcpt <> : sender accepted

@400057ffaef80ebb7624 spamdyke[29165]:
EXCESSIVE(middleman()@spamdyke.c:1965): child output file descriptor 5
closed

@400057ffaef80ebb7df4 spamdyke[29165]:
EXCESSIVE(output_writeln()@log.c:102): wrote 37 bytes to network file
descriptor 1, buffer contained 37 bytes: 421 Timeout. Talk faster next

@400057ffaef80ebb85c4 spamdyke[29165]: TIMEOUT from: pl.no.re...@dhl.com
to: (unknown) origin_ip: 165.72.200.103 origin_rdns: gateway1j.dhl.com auth:
(unknown) encryption: TLS reason: TIMEOUT

@400057ffaf03331f68f4 tcpserver: status: 4/100

 

Marek

 

From: spamdyke-users [mailto:spamdyke-users-boun...@spamdyke.org] On Behalf
Of Sam Clippinger via spamdyke-users
Sent: Thursday, October 13, 2016 2:37 PM
To: spamdyke users
Subject: Re: [spamdyke-users] TLS reason: TIMEOUT

 

Looking at those log messages, I don't think TLS has anything to do with
this.  spamdyke's log message shows "encryption: (none)", which means TLS is
not in use.

 

When spamdyke logs TIMEOUT, it means the remote server held the connection
open too long without sending any data at all.  Usually that means the
software on the remote server is badly written and it's expecting a very
specific message before proceeding.  Since it isn't getting that message, it
just waits until it the connection times out.  There's an FAQ about this
too:

http://www.spamdyke.org/documentation/FAQ.html#TROUBLE3

Documentation on how to adjust spamdyke's timeouts is here:

http://www.spamdyke.org/documentation/README.html#TIMEOUTS

By default, spamdyke doesn't enforce any timeouts, so another line in your
config file must be enabling them.  Perhaps simply increasing those values
will solve this?

 

If that doesn't help, I'd suggest using spamdyke's full logging feature to
capture one of these failed connections.  That will show exactly what's data
is being sent and how long it's taking.


-- Sam Clippinger

 

 

 

 

On Oct 12, 2016, at 2:31 PM, marek--- via spamdyke-users
<spamdyke-users@spamdyke.org> wrote:





I read an old thread on this problem, but did not see a solution. 

# spamdyke -v

spamdyke 5.0.1+TLS+CONFIGTEST+DEBUG+EXCESSIVE (C)2015 Sam Clippinger, samc
(at) silence (dot) org

# uname -a

Linux mail.x.xx 2.6.18-308.13.1.el5 #1 SMP Tue Aug 21 17:10:06 EDT 2012
i686 i686 i386 GNU/Linux

 

In spamdyke.config
 
tls-level=smtp
tls-certificate-file=/var/qmail/control/servercert.pem

 

The problem is TLS TIMEOUT

2016-10-08 21:04:50.283975500 CHKUSER accepted sender: from
<xx...@ergohestia.pl::> remote 
rcpt <> : sender accepted

2016-10-08 21:05:51.280337500 spamdyke[13676]: TIMEOUT from:
xx...@ergohestia.pl to: (unknown) origin_ip: 91.198.179.205 origin_rdns:
smtp1.hestia.pl auth: (unknown) encryption: (none) reason: TIMEOUT

 

Add adress to whitelist_senders nothing change :(

 

I try also on spamdyke 4.3 before upgrade to 5.1 it's the same.

I don't any idea how to make to allow this mail. 

 

Any help will be appreciated

___
spamdyke-users mailing list
 <mailto:spamdyke-users@spamdyke.org> spamdyke-users@spamdyke.org
 <http://www.spamdyke.org/mailman/listinfo/spamdyke-users>
http://www.spamdyke.org/mailman/listinfo/spamdyke-users

 

___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users

Re: [spamdyke-users] TLS reason: TIMEOUT

2016-10-13 Thread Sam Clippinger via spamdyke-users 
Looking at those log messages, I don't think TLS has anything to do with this.  
spamdyke's log message shows "encryption: (none)", which means TLS is not in 
use.

When spamdyke logs TIMEOUT, it means the remote server held the connection open 
too long without sending any data at all.  Usually that means the software on 
the remote server is badly written and it's expecting a very specific message 
before proceeding.  Since it isn't getting that message, it just waits until it 
the connection times out.  There's an FAQ about this too:
http://www.spamdyke.org/documentation/FAQ.html#TROUBLE3
Documentation on how to adjust spamdyke's timeouts is here:
http://www.spamdyke.org/documentation/README.html#TIMEOUTS
By default, spamdyke doesn't enforce any timeouts, so another line in your 
config file must be enabling them.  Perhaps simply increasing those values will 
solve this?

If that doesn't help, I'd suggest using spamdyke's full logging feature to 
capture one of these failed connections.  That will show exactly what's data is 
being sent and how long it's taking.

-- Sam Clippinger




On Oct 12, 2016, at 2:31 PM, marek--- via spamdyke-users 
 wrote:

> I read an old thread on this problem, but did not see a solution.
> # spamdyke -v
> spamdyke 5.0.1+TLS+CONFIGTEST+DEBUG+EXCESSIVE (C)2015 Sam Clippinger, samc 
> (at) silence (dot) org
> # uname -a
> Linux mail.x.xx 2.6.18-308.13.1.el5 #1 SMP Tue Aug 21 17:10:06 EDT 2012 
> i686 i686 i386 GNU/Linux
>  
> In spamdyke.config
>  
> tls-level=smtp
> tls-certificate-file=/var/qmail/control/servercert.pem
>  
> The problem is TLS TIMEOUT
> 2016-10-08 21:04:50.283975500 CHKUSER accepted sender: from 
>  remote  
> rcpt <> : sender accepted
> 2016-10-08 21:05:51.280337500 spamdyke[13676]: TIMEOUT from: 
> xx...@ergohestia.pl to: (unknown) origin_ip: 91.198.179.205 origin_rdns: 
> smtp1.hestia.pl auth: (unknown) encryption: (none) reason: TIMEOUT
>  
> Add adress to whitelist_senders nothing change :(
>  
> I try also on spamdyke 4.3 before upgrade to 5.1 it’s the same.
> I don’t any idea how to make to allow this mail.
>  
> Any help will be appreciated
> ___
> spamdyke-users mailing list
> spamdyke-users@spamdyke.org
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users

___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users

Re: [spamdyke-users] TLS reason: TIMEOUT

2016-10-12 Thread marek--- via spamdyke-users 
thx for fast reply.
I add tls-certificate-file=/var/qmail/control/servercert.pem

But still denied

Reason TIMEOUT :(

___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users

Re: [spamdyke-users] TLS reason: TIMEOUT

2016-10-12 Thread Gary Gendel via spamdyke-users 

Don't you need a private key file as well?  Mine has:

tls-certificate-file=fullchain.pem
tls-privatekey-file=privkey.pem

On 10/12/2016 03:31 PM, marek--- via spamdyke-users wrote:


I read an old thread on this problem, but did not see a solution.

# spamdyke -v

spamdyke 5.0.1+TLS+CONFIGTEST+DEBUG+EXCESSIVE (C)2015 Sam Clippinger, 
samc (at) silence (dot) org


# uname -a

Linux mail.x.xx 2.6.18-308.13.1.el5 #1 SMP Tue Aug 21 17:10:06 EDT 
2012 i686 i686 i386 GNU/Linux


In spamdyke.config
tls-level=smtp
tls-certificate-file=/var/qmail/control/servercert.pem

The problem is TLS TIMEOUT

2016-10-08 21:04:50.283975500 CHKUSER accepted sender: from 
 remote 
 rcpt <> : sender accepted


2016-10-08 21:05:51.280337500 spamdyke[13676]: TIMEOUT from: 
xx...@ergohestia.pl to: (unknown) origin_ip: 91.198.179.205 
origin_rdns: smtp1.hestia.pl auth: (unknown) encryption: (none) 
reason: TIMEOUT


Add adress to whitelist_senders nothing change :(

I try also on spamdyke 4.3 before upgrade to 5.1 it’s the same.

I don’t any idea how to make to allow this mail.

Any help will be appreciated



___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users





smime.p7s
Description: S/MIME Cryptographic Signature
___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users

Re: [spamdyke-users] TLS reason: TIMEOUT

2014-02-04 Thread Sam Clippinger 
I apologize for taking so long to reply to your message, I didn't see it until 
this morning and didn't have time to respond until now.

Could you provide a link to the thread you read?  I don't remember it offhand 
and searching my email archives for timeout turns up hundreds of messages.

As far as requiring TLS from your mail clients but not other servers, I'm not 
sure how you can do that.  How can spamdyke tell the difference between a mail 
client and a remote server?  If you're just talking about authentication, you 
could configure spamdyke to block authentication on port 25 connections 
(smtp-auth-level=none), which would force your users to use port 587 in order 
to authenticate, but that still wouldn't force them to use TLS.  Maybe if you 
blocked authentication on port 25, turned off port 587, then required 
authentication on port 465 where SSL is mandatory, that might work.  I can't 
imagine your helpdesk staff would thank you for that change though.

I'm already planning to add a filter to a future version to block 
authentication unless SSL/TLS is in use, but I can't give you an ETA on that.

-- Sam Clippinger




On Feb 3, 2014, at 8:05 PM, Bruce Schreiber bschrei...@max.md wrote:

 Problem: TLS reason: TIMEOUT
 
 I read an old thread on this problem, but did not see a solution. What 
 was the outcome?
 # spamdyke -v
 spamdyke 4.3.1+TLS+CONFIGTEST+DEBUG (C)2012 Sam Clippinger, samc (at) 
 silence (dot) org
 http://www.spamdyke.org/
 
 Use -h for an option summary or see README.html for complete option details.
 
 # uname -a
 Linux rs6.max.md 2.6.18-194.17.1.el5 #1 SMP Mon Sep 20 07:12:06 EDT 2010 
 x86_64 x86_64 x86_64 GNU/Linux
 
 In spamdyke.config
 
 tls-level=smtp
 
 tls-certificate-file=/var/qmail/control/servercert.pem
 
 Also, I am confused about one thing.  We want to require TLS for SMTP 
 between QMAIL  and the mail client.  We do not care about TLS from QMAIL 
 to another Mail server.  If I turn off the SPAMDYKE tls-level, and leave 
 the tls patch in QMAIL will the client side TLS still work and the 
 timeout go away?
 
 Bruce
 
 -- 
 Bruce B Schreiber
 CTO, MaxMD
 2200 Fletcher Ave, 5th Floor
 Fort Lee, NJ 07024
 201 963 0005 office
 917 532 4995 cell
 bschrei...@max.md
 www.max.md
 www.mdEmail.md
 
 ___
 spamdyke-users mailing list
 spamdyke-users@spamdyke.org
 http://www.spamdyke.org/mailman/listinfo/spamdyke-users

___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users

Re: [spamdyke-users] TLS reason: TIMEOUT

2014-02-04 Thread Bruce Schreiber 

Sam,

I found this thread on the web from 2011.
https://www.mail-archive.com/spamdyke-users@spamdyke.org/msg03120.html

We are now thinking that it might not be TLS but just a timeout.  Is it 
possible to get better granularity about what condition is timing out?  
I have attached my spamdyke config file for reference.


Bruce

On 02/04/2014 12:30 PM, Sam Clippinger wrote:
I apologize for taking so long to reply to your message, I didn't see 
it until this morning and didn't have time to respond until now.


Could you provide a link to the thread you read?  I don't remember it 
offhand and searching my email archives for timeout turns up 
hundreds of messages.


As far as requiring TLS from your mail clients but not other servers, 
I'm not sure how you can do that.  How can spamdyke tell the 
difference between a mail client and a remote server?  If you're just 
talking about authentication, you could configure spamdyke to block 
authentication on port 25 connections (smtp-auth-level=none), which 
would force your users to use port 587 in order to authenticate, but 
that still wouldn't force them to use TLS.  Maybe if you blocked 
authentication on port 25, turned off port 587, then required 
authentication on port 465 where SSL is mandatory, that might work.  I 
can't imagine your helpdesk staff would thank you for that change though.


I'm already planning to add a filter to a future version to block 
authentication unless SSL/TLS is in use, but I can't give you an ETA 
on that.


-- Sam Clippinger




On Feb 3, 2014, at 8:05 PM, Bruce Schreiber bschrei...@max.md 
mailto:bschrei...@max.md wrote:



Problem: TLS reason: TIMEOUT

I read an old thread on this problem, but did not see a solution. What
was the outcome?
# spamdyke -v
spamdyke 4.3.1+TLS+CONFIGTEST+DEBUG (C)2012 Sam Clippinger, samc (at)
silence (dot) org
http://www.spamdyke.org/

Use -h for an option summary or see README.html for complete option 
details.


# uname -a
Linux rs6.max.md 2.6.18-194.17.1.el5 #1 SMP Mon Sep 20 07:12:06 EDT 2010
x86_64 x86_64 x86_64 GNU/Linux

In spamdyke.config

tls-level=smtp

tls-certificate-file=/var/qmail/control/servercert.pem

Also, I am confused about one thing.  We want to require TLS for SMTP
between QMAIL  and the mail client.  We do not care about TLS from QMAIL
to another Mail server.  If I turn off the SPAMDYKE tls-level, and leave
the tls patch in QMAIL will the client side TLS still work and the
timeout go away?

Bruce

--
Bruce B Schreiber
CTO, MaxMD
2200 Fletcher Ave, 5th Floor
Fort Lee, NJ 07024
201 963 0005 office
917 532 4995 cell
bschrei...@max.md
www.max.md
www.mdEmail.md

___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users




___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users


--
Bruce B Schreiber
CTO, MaxMD
2200 Fletcher Ave, 5th Floor
Fort Lee, NJ 07024
201 963 0005 office
917 532 4995 cell
bschrei...@max.md
www.max.md
www.mdEmail.md
##
#
# spamdyke.config
#
# created: April 15, 2008
# author: Bruce Schreiber
# with thanks to Chris Godwin from Rackspace for his valued input and support
#
# configuration parameters for spamdyke
# for documentation execute spamdyke -h
# local  list files will be found in directory /var/qmail/control/Spamdyke/
#
###

dns-level=aggressive
dns-blacklist-entry=bl.spamcop.net
#  Check the remote server's IP address against the realtime blackhole list
#  DNSRBL. If it is found, the connection is rejected. Default: do not check any
#  DNS RBLs.
#  check-dnsrbl may be used multiple times.

# connection-timeout-secs=0
#  Forcibly disconnect after a total of SECS seconds, regardless of activity. A
#  value of 0 disables this feature. Default: 0.
#  SECS must be between (or equal to) 0 and 2147483647.


greeting-delay-secs=3
#  Delay sending the SMTP greeting banner SECS seconds to see if the remote 
server
#  begins sending data early. If it does, the connection is rejected. Default: 
no
#  delay.
#  SECS must be between (or equal to) 0 and 2147483647.
#  changed from 5 to 3 2/3/2014 - BBS

hostname=mail.mdemail.md
#  Use NAME as the fully qualified domain name of this host. This value is only
#  used to create an encrypted challenge during SMTP AUTH challenge-response.
#  Default: unknown.server.unknown.domain.
#  hostname may only be used once.

idle-timeout-secs=60
#  Forcibly disconnect after SECS seconds of inactivity. A value of 0 disables
#  this feature. Default: 60.
#  SECS must be between (or equal to) 0 and 2147483647.
#  set to 60 from 30 on 2/3/2014 - BBS

#
# Blacklist was turned off May 9, 2008 as it is probably redundant - BBS
# turned back

Re: [spamdyke-users] TLS reason: TIMEOUT

2014-02-04 Thread Sam Clippinger 
To my knowledge, that issue was never solved.  Dossy Shiobara sent a followup 
here:
https://www.mail-archive.com/spamdyke-users@spamdyke.org/msg03208.html
But nothing after that.

Can you tell if your sender has anything in common with what Dossy and Ron 
figured out?

If you use spamdyke's full-log-dir feature to capture one of these timeouts, 
you'll be able to see exactly where the SMTP protocol stops.  You should 
probably recompile spamdyke with excessive output first so you'll get as much 
detail as possible:
./configure --with-excessive-output
make
Then replace your existing spamdyke binary with the new one.

-- Sam Clippinger




On Feb 4, 2014, at 3:34 PM, Bruce Schreiber bschrei...@max.md wrote:

 Sam,
 
 I found this thread on the web from 2011.
 https://www.mail-archive.com/spamdyke-users@spamdyke.org/msg03120.html
 
 We are now thinking that it might not be TLS but just a timeout.  Is it 
 possible to get better granularity about what condition is timing out?  I 
 have attached my spamdyke config file for reference.
 
 Bruce
 
 On 02/04/2014 12:30 PM, Sam Clippinger wrote:
 I apologize for taking so long to reply to your message, I didn't see it 
 until this morning and didn't have time to respond until now.
 
 Could you provide a link to the thread you read?  I don't remember it 
 offhand and searching my email archives for timeout turns up hundreds of 
 messages.
 
 As far as requiring TLS from your mail clients but not other servers, I'm 
 not sure how you can do that.  How can spamdyke tell the difference between 
 a mail client and a remote server?  If you're just talking about 
 authentication, you could configure spamdyke to block authentication on port 
 25 connections (smtp-auth-level=none), which would force your users to use 
 port 587 in order to authenticate, but that still wouldn't force them to use 
 TLS.  Maybe if you blocked authentication on port 25, turned off port 587, 
 then required authentication on port 465 where SSL is mandatory, that might 
 work.  I can't imagine your helpdesk staff would thank you for that change 
 though.
 
 I'm already planning to add a filter to a future version to block 
 authentication unless SSL/TLS is in use, but I can't give you an ETA on that.
 
 -- Sam Clippinger
 
 
 
 
 On Feb 3, 2014, at 8:05 PM, Bruce Schreiber bschrei...@max.md wrote:
 
 Problem: TLS reason: TIMEOUT
 
 I read an old thread on this problem, but did not see a solution. What 
 was the outcome?
 # spamdyke -v
 spamdyke 4.3.1+TLS+CONFIGTEST+DEBUG (C)2012 Sam Clippinger, samc (at) 
 silence (dot) org
 http://www.spamdyke.org/
 
 Use -h for an option summary or see README.html for complete option details.
 
 # uname -a
 Linux rs6.max.md 2.6.18-194.17.1.el5 #1 SMP Mon Sep 20 07:12:06 EDT 2010 
 x86_64 x86_64 x86_64 GNU/Linux
 
 In spamdyke.config
 
 tls-level=smtp
 
 tls-certificate-file=/var/qmail/control/servercert.pem
 
 Also, I am confused about one thing.  We want to require TLS for SMTP 
 between QMAIL  and the mail client.  We do not care about TLS from QMAIL 
 to another Mail server.  If I turn off the SPAMDYKE tls-level, and leave 
 the tls patch in QMAIL will the client side TLS still work and the 
 timeout go away?
 
 Bruce
 
 -- 
 Bruce B Schreiber
 CTO, MaxMD
 2200 Fletcher Ave, 5th Floor
 Fort Lee, NJ 07024
 201 963 0005 office
 917 532 4995 cell
 bschrei...@max.md
 www.max.md
 www.mdEmail.md
 
 ___
 spamdyke-users mailing list
 spamdyke-users@spamdyke.org
 http://www.spamdyke.org/mailman/listinfo/spamdyke-users
 
 
 
 ___
 spamdyke-users mailing list
 spamdyke-users@spamdyke.org
 http://www.spamdyke.org/mailman/listinfo/spamdyke-users
 
 -- 
 Bruce B Schreiber
 CTO, MaxMD
 2200 Fletcher Ave, 5th Floor
 Fort Lee, NJ 07024
 201 963 0005 office
 917 532 4995 cell
 bschrei...@max.md
 www.max.md
 www.mdEmail.md
 spamdyke.config___
 spamdyke-users mailing list
 spamdyke-users@spamdyke.org
 http://www.spamdyke.org/mailman/listinfo/spamdyke-users

___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users