Re: [spamdyke-users] TLS reason: TIMEOUT
This is a part of the excessive log:

@400057ffaef614a4dfbc CHKUSER accepted sender: from <xxx...@ergohestia.pl::> remote rcpt <> : sender accepted
@400057ffaef80ebb7624 spamdyke[29165]: EXCESSIVE(middleman()@spamdyke.c:1965): child output file descriptor 5 closed
@400057ffaef80ebb7df4 spamdyke[29165]: EXCESSIVE(output_writeln()@log.c:102): wrote 37 bytes to network file descriptor 1, buffer contained 37 bytes: 421 Timeout. Talk faster next
@400057ffaef80ebb85c4 spamdyke[29165]: TIMEOUT from: pl.no.re...@dhl.com to: (unknown) origin_ip: 165.72.200.103 origin_rdns: gateway1j.dhl.com auth: (unknown) encryption: TLS reason: TIMEOUT
@400057ffaf03331f68f4 tcpserver: status: 4/100

Marek

From: spamdyke-users [mailto:spamdyke-users-boun...@spamdyke.org] On Behalf Of Sam Clippinger via spamdyke-users
Sent: Thursday, October 13, 2016 2:37 PM
To: spamdyke users
Subject: Re: [spamdyke-users] TLS reason: TIMEOUT

Looking at those log messages, I don't think TLS has anything to do with this. spamdyke's log message shows "encryption: (none)", which means TLS is not in use.

When spamdyke logs TIMEOUT, it means the remote server held the connection open too long without sending any data at all. Usually that means the software on the remote server is badly written and it's expecting a very specific message before proceeding. Since it isn't getting that message, it just waits until the connection times out. There's an FAQ about this too:
http://www.spamdyke.org/documentation/FAQ.html#TROUBLE3

Documentation on how to adjust spamdyke's timeouts is here:
http://www.spamdyke.org/documentation/README.html#TIMEOUTS

By default, spamdyke doesn't enforce any timeouts, so another line in your config file must be enabling them. Perhaps simply increasing those values will solve this?

If that doesn't help, I'd suggest using spamdyke's full logging feature to capture one of these failed connections. That will show exactly what data is being sent and how long it's taking.

-- Sam Clippinger

On Oct 12, 2016, at 2:31 PM, marek--- via spamdyke-users <spamdyke-users@spamdyke.org> wrote:

I read an old thread on this problem, but did not see a solution.

# spamdyke -v
spamdyke 5.0.1+TLS+CONFIGTEST+DEBUG+EXCESSIVE (C)2015 Sam Clippinger, samc (at) silence (dot) org
# uname -a
Linux mail.x.xx 2.6.18-308.13.1.el5 #1 SMP Tue Aug 21 17:10:06 EDT 2012 i686 i686 i386 GNU/Linux

In spamdyke.config

tls-level=smtp
tls-certificate-file=/var/qmail/control/servercert.pem

The problem is TLS TIMEOUT

2016-10-08 21:04:50.283975500 CHKUSER accepted sender: from <xx...@ergohestia.pl::> remote rcpt <> : sender accepted
2016-10-08 21:05:51.280337500 spamdyke[13676]: TIMEOUT from: xx...@ergohestia.pl to: (unknown) origin_ip: 91.198.179.205 origin_rdns: smtp1.hestia.pl auth: (unknown) encryption: (none) reason: TIMEOUT

Adding the address to whitelist_senders changes nothing :(

I also tried on spamdyke 4.3 before the upgrade to 5.1; it's the same.
I don't have any idea how to allow this mail.

Any help will be appreciated

___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
Re: [spamdyke-users] TLS reason: TIMEOUT
Looking at those log messages, I don't think TLS has anything to do with this. spamdyke's log message shows "encryption: (none)", which means TLS is not in use.

When spamdyke logs TIMEOUT, it means the remote server held the connection open too long without sending any data at all. Usually that means the software on the remote server is badly written and it's expecting a very specific message before proceeding. Since it isn't getting that message, it just waits until the connection times out. There's an FAQ about this too:
http://www.spamdyke.org/documentation/FAQ.html#TROUBLE3

Documentation on how to adjust spamdyke's timeouts is here:
http://www.spamdyke.org/documentation/README.html#TIMEOUTS

By default, spamdyke doesn't enforce any timeouts, so another line in your config file must be enabling them. Perhaps simply increasing those values will solve this?

If that doesn't help, I'd suggest using spamdyke's full logging feature to capture one of these failed connections. That will show exactly what data is being sent and how long it's taking.

-- Sam Clippinger

On Oct 12, 2016, at 2:31 PM, marek--- via spamdyke-users wrote:

> I read an old thread on this problem, but did not see a solution.
>
> # spamdyke -v
> spamdyke 5.0.1+TLS+CONFIGTEST+DEBUG+EXCESSIVE (C)2015 Sam Clippinger, samc (at) silence (dot) org
> # uname -a
> Linux mail.x.xx 2.6.18-308.13.1.el5 #1 SMP Tue Aug 21 17:10:06 EDT 2012 i686 i686 i386 GNU/Linux
>
> In spamdyke.config
>
> tls-level=smtp
> tls-certificate-file=/var/qmail/control/servercert.pem
>
> The problem is TLS TIMEOUT
>
> 2016-10-08 21:04:50.283975500 CHKUSER accepted sender: from <xx...@ergohestia.pl::> remote rcpt <> : sender accepted
> 2016-10-08 21:05:51.280337500 spamdyke[13676]: TIMEOUT from: xx...@ergohestia.pl to: (unknown) origin_ip: 91.198.179.205 origin_rdns: smtp1.hestia.pl auth: (unknown) encryption: (none) reason: TIMEOUT
>
> Adding the address to whitelist_senders changes nothing :(
>
> I also tried on spamdyke 4.3 before the upgrade to 5.1; it's the same.
> I don't have any idea how to allow this mail.
>
> Any help will be appreciated
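
The reading of the log described in the message above can be applied to a whole log file. This is an added example, not code from the thread or from spamdyke: for every TIMEOUT line it reports whether the `encryption:` field shows TLS in use and how many seconds passed since CHKUSER accepted the same sender, for comparison with idle-timeout-secs. Pairing lines by sender address, the 60-second value and the 2-second tolerance are assumptions of the example.

```python
import re
from datetime import datetime

# Lines 1-2 are the log excerpt quoted in this thread; lines 3-4 are
# constructed for contrast (TLS in use, short gap, documentation addresses).
SAMPLE_LOG = """\
2016-10-08 21:04:50.283975500 CHKUSER accepted sender: from <xx...@ergohestia.pl::> remote rcpt <> : sender accepted
2016-10-08 21:05:51.280337500 spamdyke[13676]: TIMEOUT from: xx...@ergohestia.pl to: (unknown) origin_ip: 91.198.179.205 origin_rdns: smtp1.hestia.pl auth: (unknown) encryption: (none) reason: TIMEOUT
2016-10-08 21:10:00.000000000 CHKUSER accepted sender: from <sender@example.com::> remote rcpt <> : sender accepted
2016-10-08 21:10:05.500000000 spamdyke[13700]: TIMEOUT from: sender@example.com to: (unknown) origin_ip: 192.0.2.10 origin_rdns: mx.example.com auth: (unknown) encryption: TLS reason: TIMEOUT
"""

# Timestamp as printed by tai64nlocal; only the first 6 fractional digits are
# captured because strptime's %f does not accept nanoseconds.
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{6})\d* (.*)$")
CHKUSER_RE = re.compile(r"^CHKUSER accepted sender: from <([^:>]+)")
RESULT_RE = re.compile(r"^spamdyke\[(\d+)\]: (\S+) (from: .*)$")
FIELD_RE = re.compile(r"(\w+): (.*?)(?= \w+: |$)")


def triage_timeouts(log_text, idle_timeout_secs=60, tolerance_secs=2):
    """Return one finding per spamdyke TIMEOUT line in log_text."""
    # Assumption: CHKUSER lines carry no PID, so they are paired with the
    # spamdyke result line by sender address.
    last_accept = {}  # sender address -> time CHKUSER accepted it
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a timestamped log line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        chk = CHKUSER_RE.match(m.group(2))
        if chk:
            last_accept[chk.group(1)] = ts
            continue
        res = RESULT_RE.match(m.group(2))
        if not res or res.group(2) != "TIMEOUT":
            continue
        fields = dict(FIELD_RE.findall(res.group(3)))
        prev = last_accept.get(fields.get("from"))
        gap = (ts - prev).total_seconds() if prev is not None else None
        findings.append({
            "pid": int(res.group(1)),
            "sender": fields.get("from"),
            "origin_ip": fields.get("origin_ip"),
            # "encryption: (none)" means TLS was not in use on this connection
            "tls_in_use": fields.get("encryption") != "(none)",
            "silent_secs": gap,
            "near_idle_timeout": gap is not None
            and abs(gap - idle_timeout_secs) <= tolerance_secs,
        })
    return findings


if __name__ == "__main__":
    for finding in triage_timeouts(SAMPLE_LOG):
        print(finding)
```
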
Re: [spamdyke-users] TLS reason: TIMEOUT
thx for fast reply.

I add

tls-certificate-file=/var/qmail/control/servercert.pem

But still denied. Reason TIMEOUT :(
Re: [spamdyke-users] TLS reason: TIMEOUT
Don't you need a private key file as well? Mine has:

tls-certificate-file=fullchain.pem
tls-privatekey-file=privkey.pem

On 10/12/2016 03:31 PM, marek--- via spamdyke-users wrote:

I read an old thread on this problem, but did not see a solution.

# spamdyke -v
spamdyke 5.0.1+TLS+CONFIGTEST+DEBUG+EXCESSIVE (C)2015 Sam Clippinger, samc (at) silence (dot) org
# uname -a
Linux mail.x.xx 2.6.18-308.13.1.el5 #1 SMP Tue Aug 21 17:10:06 EDT 2012 i686 i686 i386 GNU/Linux

In spamdyke.config

tls-level=smtp
tls-certificate-file=/var/qmail/control/servercert.pem

The problem is TLS TIMEOUT

2016-10-08 21:04:50.283975500 CHKUSER accepted sender: from <xx...@ergohestia.pl::> remote rcpt <> : sender accepted
2016-10-08 21:05:51.280337500 spamdyke[13676]: TIMEOUT from: xx...@ergohestia.pl to: (unknown) origin_ip: 91.198.179.205 origin_rdns: smtp1.hestia.pl auth: (unknown) encryption: (none) reason: TIMEOUT

Adding the address to whitelist_senders changes nothing :(

I also tried on spamdyke 4.3 before the upgrade to 5.1; it's the same.
I don't have any idea how to allow this mail.

Any help will be appreciated
Re: [spamdyke-users] TLS reason: TIMEOUT
I apologize for taking so long to reply to your message, I didn't see it until this morning and didn't have time to respond until now.

Could you provide a link to the thread you read? I don't remember it offhand and searching my email archives for timeout turns up hundreds of messages.

As far as requiring TLS from your mail clients but not other servers, I'm not sure how you can do that. How can spamdyke tell the difference between a mail client and a remote server? If you're just talking about authentication, you could configure spamdyke to block authentication on port 25 connections (smtp-auth-level=none), which would force your users to use port 587 in order to authenticate, but that still wouldn't force them to use TLS. Maybe if you blocked authentication on port 25, turned off port 587, then required authentication on port 465 where SSL is mandatory, that might work. I can't imagine your helpdesk staff would thank you for that change though.

I'm already planning to add a filter to a future version to block authentication unless SSL/TLS is in use, but I can't give you an ETA on that.

-- Sam Clippinger

On Feb 3, 2014, at 8:05 PM, Bruce Schreiber bschrei...@max.md wrote:

Problem: TLS reason: TIMEOUT

I read an old thread on this problem, but did not see a solution. What was the outcome?

# spamdyke -v
spamdyke 4.3.1+TLS+CONFIGTEST+DEBUG (C)2012 Sam Clippinger, samc (at) silence (dot) org
http://www.spamdyke.org/
Use -h for an option summary or see README.html for complete option details.
# uname -a
Linux rs6.max.md 2.6.18-194.17.1.el5 #1 SMP Mon Sep 20 07:12:06 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux

In spamdyke.config

tls-level=smtp
tls-certificate-file=/var/qmail/control/servercert.pem

Also, I am confused about one thing. We want to require TLS for SMTP between QMAIL and the mail client. We do not care about TLS from QMAIL to another Mail server.

If I turn off the SPAMDYKE tls-level, and leave the tls patch in QMAIL will the client side TLS still work and the timeout go away?

Bruce

--
Bruce B Schreiber
CTO, MaxMD
2200 Fletcher Ave, 5th Floor
Fort Lee, NJ 07024
201 963 0005 office
917 532 4995 cell
bschrei...@max.md
www.max.md
www.mdEmail.md
Re: [spamdyke-users] TLS reason: TIMEOUT
Sam,

I found this thread on the web from 2011.
https://www.mail-archive.com/spamdyke-users@spamdyke.org/msg03120.html

We are now thinking that it might not be TLS but just a timeout. Is it possible to get better granularity about what condition is timing out?

I have attached my spamdyke config file for reference.

Bruce

On 02/04/2014 12:30 PM, Sam Clippinger wrote:

I apologize for taking so long to reply to your message, I didn't see it until this morning and didn't have time to respond until now.

Could you provide a link to the thread you read? I don't remember it offhand and searching my email archives for timeout turns up hundreds of messages.

As far as requiring TLS from your mail clients but not other servers, I'm not sure how you can do that. How can spamdyke tell the difference between a mail client and a remote server? If you're just talking about authentication, you could configure spamdyke to block authentication on port 25 connections (smtp-auth-level=none), which would force your users to use port 587 in order to authenticate, but that still wouldn't force them to use TLS. Maybe if you blocked authentication on port 25, turned off port 587, then required authentication on port 465 where SSL is mandatory, that might work. I can't imagine your helpdesk staff would thank you for that change though.

I'm already planning to add a filter to a future version to block authentication unless SSL/TLS is in use, but I can't give you an ETA on that.

-- Sam Clippinger

On Feb 3, 2014, at 8:05 PM, Bruce Schreiber bschrei...@max.md wrote:

Problem: TLS reason: TIMEOUT

I read an old thread on this problem, but did not see a solution. What was the outcome?

# spamdyke -v
spamdyke 4.3.1+TLS+CONFIGTEST+DEBUG (C)2012 Sam Clippinger, samc (at) silence (dot) org
http://www.spamdyke.org/
Use -h for an option summary or see README.html for complete option details.
# uname -a
Linux rs6.max.md 2.6.18-194.17.1.el5 #1 SMP Mon Sep 20 07:12:06 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux

In spamdyke.config

tls-level=smtp
tls-certificate-file=/var/qmail/control/servercert.pem

Also, I am confused about one thing. We want to require TLS for SMTP between QMAIL and the mail client. We do not care about TLS from QMAIL to another Mail server.

If I turn off the SPAMDYKE tls-level, and leave the tls patch in QMAIL will the client side TLS still work and the timeout go away?

Bruce

--
Bruce B Schreiber
CTO, MaxMD
2200 Fletcher Ave, 5th Floor
Fort Lee, NJ 07024
201 963 0005 office
917 532 4995 cell
bschrei...@max.md
www.max.md
www.mdEmail.md

--
Bruce B Schreiber
CTO, MaxMD
2200 Fletcher Ave, 5th Floor
Fort Lee, NJ 07024
201 963 0005 office
917 532 4995 cell
bschrei...@max.md
www.max.md
www.mdEmail.md

##
#
# spamdyke.config
#
# created: April 15, 2008
# author: Bruce Schreiber
# with thanks to Chris Godwin from Rackspace for his valued input and support
#
# configuration parameters for spamdyke
# for documentation execute spamdyke -h
# local list files will be found in directory /var/qmail/control/Spamdyke/
#
###

dns-level=aggressive

dns-blacklist-entry=bl.spamcop.net
# Check the remote server's IP address against the realtime blackhole list
# DNSRBL. If it is found, the connection is rejected. Default: do not check any
# DNS RBLs.
# check-dnsrbl may be used multiple times.

# connection-timeout-secs=0
# Forcibly disconnect after a total of SECS seconds, regardless of activity. A
# value of 0 disables this feature. Default: 0.
# SECS must be between (or equal to) 0 and 2147483647.

greeting-delay-secs=3
# Delay sending the SMTP greeting banner SECS seconds to see if the remote server
# begins sending data early. If it does, the connection is rejected. Default: no
# delay.
# SECS must be between (or equal to) 0 and 2147483647.
# changed from 5 to 3 2/3/2014 - BBS

hostname=mail.mdemail.md
# Use NAME as the fully qualified domain name of this host. This value is only
# used to create an encrypted challenge during SMTP AUTH challenge-response.
# Default: unknown.server.unknown.domain.
# hostname may only be used once.

idle-timeout-secs=60
# Forcibly disconnect after SECS seconds of inactivity. A value of 0 disables
# this feature. Default: 60.
# SECS must be between (or equal to) 0 and 2147483647.
# set to 60 from 30 on 2/3/2014 - BBS

#
# Blacklist was turned off May 9, 2008 as it is probably redundant - BBS
# turned back
Re: [spamdyke-users] TLS reason: TIMEOUT
To my knowledge, that issue was never solved. Dossy Shiobara sent a followup here:
https://www.mail-archive.com/spamdyke-users@spamdyke.org/msg03208.html
But nothing after that. Can you tell if your sender has anything in common with what Dossy and Ron figured out?

If you use spamdyke's full-log-dir feature to capture one of these timeouts, you'll be able to see exactly where the SMTP protocol stops. You should probably recompile spamdyke with excessive output first so you'll get as much detail as possible:

./configure --with-excessive-output
make

Then replace your existing spamdyke binary with the new one.

-- Sam Clippinger

On Feb 4, 2014, at 3:34 PM, Bruce Schreiber bschrei...@max.md wrote:

Sam,

I found this thread on the web from 2011.
https://www.mail-archive.com/spamdyke-users@spamdyke.org/msg03120.html

We are now thinking that it might not be TLS but just a timeout. Is it possible to get better granularity about what condition is timing out?

I have attached my spamdyke config file for reference.

Bruce

On 02/04/2014 12:30 PM, Sam Clippinger wrote:

I apologize for taking so long to reply to your message, I didn't see it until this morning and didn't have time to respond until now.

Could you provide a link to the thread you read? I don't remember it offhand and searching my email archives for timeout turns up hundreds of messages.

As far as requiring TLS from your mail clients but not other servers, I'm not sure how you can do that. How can spamdyke tell the difference between a mail client and a remote server? If you're just talking about authentication, you could configure spamdyke to block authentication on port 25 connections (smtp-auth-level=none), which would force your users to use port 587 in order to authenticate, but that still wouldn't force them to use TLS. Maybe if you blocked authentication on port 25, turned off port 587, then required authentication on port 465 where SSL is mandatory, that might work. I can't imagine your helpdesk staff would thank you for that change though.

I'm already planning to add a filter to a future version to block authentication unless SSL/TLS is in use, but I can't give you an ETA on that.

-- Sam Clippinger

On Feb 3, 2014, at 8:05 PM, Bruce Schreiber bschrei...@max.md wrote:

Problem: TLS reason: TIMEOUT

I read an old thread on this problem, but did not see a solution. What was the outcome?

# spamdyke -v
spamdyke 4.3.1+TLS+CONFIGTEST+DEBUG (C)2012 Sam Clippinger, samc (at) silence (dot) org
http://www.spamdyke.org/
Use -h for an option summary or see README.html for complete option details.
# uname -a
Linux rs6.max.md 2.6.18-194.17.1.el5 #1 SMP Mon Sep 20 07:12:06 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux

In spamdyke.config

tls-level=smtp
tls-certificate-file=/var/qmail/control/servercert.pem

Also, I am confused about one thing. We want to require TLS for SMTP between QMAIL and the mail client. We do not care about TLS from QMAIL to another Mail server.

If I turn off the SPAMDYKE tls-level, and leave the tls patch in QMAIL will the client side TLS still work and the timeout go away?

Bruce

--
Bruce B Schreiber
CTO, MaxMD
2200 Fletcher Ave, 5th Floor
Fort Lee, NJ 07024
201 963 0005 office
917 532 4995 cell
bschrei...@max.md
www.max.md
www.mdEmail.md

--
Bruce B Schreiber
CTO, MaxMD
2200 Fletcher Ave, 5th Floor
Fort Lee, NJ 07024
201 963 0005 office
917 532 4995 cell
bschrei...@max.md
www.max.md
www.mdEmail.md