Why does 'Setting tls-level=none turns off ALL TLS even in qmail's offering' when it's a spamdyke config file, not qmail?
What if I think spamdyke is part of my multi-delivery problem? If I take spamdyke out of the equation in smtp/run how do I get qmail to pick up the TLS negotiation?

On Sat, Aug 8, 2020 at 12:28 PM Eric Broch <[email protected]> wrote:

> I'm not sure I like how spamdyke handles tls, though I don't know another
> way one would do it.
>
> Setting tls-level=none turns off ALL TLS even in qmail's offering.
>
> If you want qmail to handle TLS comment the certificate file:
>
> #tls-certificate-file=/var/qmail/control/servercert.pem
>
> However, if you do this, spamdyke (I think) will not work anymore because
> all traffic through it is now encrypted (you could check if I'm correct on
> the spamdyke mailing list).
> On 8/7/2020 6:13 PM, Chris wrote:
>
> I know I'm responding to a really old thread here, but I stumbled upon
> this trying to solve another issue.
>
> When I set tls-level=none in /opt/spamdyke/etc/spamdyke.conf and reboot,
> I now completely fail the SMTP TLS checker at
> https://luxsci.com/smtp-tls-checker
> It would appear that qmail isn't doing the tls at all.
>
> Where are the settings to tell qmail to handle the tls? Is it in the
> run file, or elsewhere?
>
> On Wed, Jun 19, 2019 at 3:14 AM Eric Broch <[email protected]>
> wrote:
>
>> In /etc/spamdyke/spamdyke.conf set 'tls-level' to 'none'.
>>
>> tls-level=none
>>
>> allow qmail to do the tls and see if it works.
>>
>>
>> On 6/18/2019 9:07 AM, Rajesh M wrote:
>>
>> eric
>>
>> in the spamdyke.conf i can see this
>> tls-certificate-file=/var/qmail/control/servercert.pem
>>
>> also i am using the
>> /var/qmail/control/servercert.pem
>> for domain key signing of outgoing emails.
>>
>> rajesh
>>
>> ----- Original Message -----
>> From: Eric Broch [mailto:[email protected] <[email protected]>]
>> To: [email protected]
>> Sent: Tue, 18 Jun 2019 08:52:13 -0600
>> Subject:
>>
>> So you have spamdyke doing the TLS?
>>
>> On 6/18/2019 8:38 AM, Rajesh M wrote:
>>
>> Hi
>>
>> ISSUE 1
>> all of a sudden we are receiving error on one of our servers for one
>> specific sender domain (sending from microsoft server)
>>
>> the sender domain is not able to send emails to the recipient domain on our
>> server. The email bounces with the following error
>> encryption: TLS reason: 503_MAIL_first_(#5.5.1)
>>
>> 06/18/2019 19:33:16 LOG OUTPUT TLS
>> DENIED_OTHER from: [email protected] to: [email protected]
>> origin_ip: 40.107.69.126 origin_rdns:
>> mail-eopbgr690126.outbound.protection.outlook.com auth: (unknown)
>> encryption: TLS reason: 503_MAIL_first_(#5.5.1)
>> 06/18/2019 19:33:16 FROM REMOTE TO CHILD: 6 bytes TLS
>> QUIT
>> 06/18/2019 19:33:16 LOG OUTPUT TLS
>> ERROR(tls_write()@tls.c:678): unable to write to SSL/TLS stream: The
>> operation failed due to an I/O error, Connection reset by peer
>> ERROR(output_writeln()@log.c:104): unable to write 27 bytes to file
>> descriptor 1: Connection reset by peer
>> 06/18/2019 19:33:16 FROM CHILD TO REMOTE: 27 bytes TLS
>> 221 ns1.HOSTNAME.com
>> 06/18/2019 19:33:16 LOG OUTPUT TLS
>> ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The
>> operation failed due to an I/O error, Unexpected EOF found
>>
>> 06/18/2019 19:33:16 - TLS ended and closed
>>
>>
>> the error log of spamdyke full-log-dir is given below as follows
>>
>>
>> ISSUE 2
>> also i noted that spamdyke log mentions as such
>> reset address space soft limit to infinity: please stop using the softlimit
>> program
>>
>> What exactly does this mean. What is the alternative to prevent large files
>> should i disable softlimit program in
>> /usr/bin/softlimit -m 64000000 \
>> in the smtp run file
>>
>> require your kind help in resolving the above 2 issues
>>
>> thanks
>> rajesh
>>
>> 06/18/2019 19:32:54 STARTED: VERSION = 5.0.1+TLS+CONFIGTEST+DEBUG, PID =
>> 19829
>>
>> 06/18/2019 19:32:54 CURRENT ENVIRONMENT
>> PATH=/var/qmail/bin:/usr/local/bin:/usr/bin:/bin
>> PWD=/var/qmail/supervise/smtp
>> SHLVL=0
>> PROTO=TCP
>> TCPLOCALIP=103.241.181.154
>> TCPLOCALPORT=25
>> TCPLOCALHOST=ns1.HOSTNAME.com
>> TCPREMOTEIP=40.107.69.126
>> TCPREMOTEPORT=42264
>> BADMIMETYPE=
>> BADLOADERTYPE=M
>> QMAILQUEUE=/var/qmail/bin/simscan
>> CHKUSER_START=ALWAYS
>> CHKUSER_RCPTLIMIT=50
>> CHKUSER_WRONGRCPTLIMIT=10
>> NOP0FCHECK=1
>> DKQUEUE=/var/qmail/bin/qmail-queue.orig
>> DKVERIFY=DEGIJKfh
>> DKSIGN=/var/qmail/control/domainkeys/%/private
>>
>> 06/18/2019 19:32:54 CURRENT CONFIG
>> config-file=/etc/spamdyke/spamdyke.conf
>> dns-blacklist-entry=zen.spamhaus.org
>> full-log-dir=/var/log/spamdyke
>> graylist-dir=/var/spamdyke/graylist
>> graylist-max-secs=2678400
>> graylist-min-secs=180
>> header-blacklist-entry=From:*>,*<*
>> idle-timeout-secs=600
>> ip-blacklist-file=/etc/spamdyke/blacklist_ip
>> ip-in-rdns-keyword-blacklist-file=/etc/spamdyke/blacklist_keywords
>> ip-in-rdns-keyword-whitelist-file=/etc/spamdyke/whitelist_keywords
>> ip-whitelist-file=/etc/spamdyke/whitelist_ip
>> log-level=info
>> max-recipients=100
>> rdns-blacklist-file=/etc/spamdyke/blacklist_rdns
>> rdns-whitelist-file=/etc/spamdyke/whitelist_rdns
>> recipient-blacklist-file=/etc/spamdyke/blacklist_recipients
>> recipient-whitelist-file=/etc/spamdyke/whitelist_recipients
>> reject-empty-rdns=1
>> reject-sender=no-mx
>> reject-sender=authentication-domain-mismatch
>> reject-unresolvable-rdns=1
>> relay-level=normal
>> sender-blacklist-file=/etc/spamdyke/blacklist_senders
>> sender-whitelist-file=/etc/spamdyke/whitelist_senders
>> tls-certificate-file=/var/qmail/control/servercert.pem
>>
>> 06/18/2019 19:32:54 - Remote IP = 40.107.69.126
>>
>> 06/18/2019 19:32:54 CURRENT CONFIG
>> config-file=/etc/spamdyke/spamdyke.conf
>> dns-blacklist-entry=zen.spamhaus.org
>> dns-server-ip-primary=8.8.8.8
>> full-log-dir=/var/log/spamdyke
>> graylist-dir=/var/spamdyke/graylist
>> graylist-max-secs=2678400
>> graylist-min-secs=180
>> header-blacklist-entry=From:*>,*<*
>> idle-timeout-secs=600
>> ip-blacklist-file=/etc/spamdyke/blacklist_ip
>> ip-in-rdns-keyword-blacklist-file=/etc/spamdyke/blacklist_keywords
>> ip-in-rdns-keyword-whitelist-file=/etc/spamdyke/whitelist_keywords
>> ip-whitelist-file=/etc/spamdyke/whitelist_ip
>> log-level=info
>> max-recipients=100
>> rdns-blacklist-file=/etc/spamdyke/blacklist_rdns
>> rdns-whitelist-file=/etc/spamdyke/whitelist_rdns
>> recipient-blacklist-file=/etc/spamdyke/blacklist_recipients
>> recipient-whitelist-file=/etc/spamdyke/whitelist_recipients
>> reject-empty-rdns=1
>> reject-sender=no-mx
>> reject-sender=authentication-domain-mismatch
>> reject-unresolvable-rdns=1
>> relay-level=normal
>> sender-blacklist-file=/etc/spamdyke/blacklist_senders
>> sender-whitelist-file=/etc/spamdyke/whitelist_senders
>> tls-certificate-file=/var/qmail/control/servercert.pem
>>
>> 06/18/2019 19:32:54 - Remote rDNS =
>> mail-eopbgr690126.outbound.protection.outlook.com
>>
>> 06/18/2019 19:32:54 LOG OUTPUT
>> DEBUG(filter_rdns_missing()@filter.c:947): checking for missing rDNS; rdns:
>> mail-eopbgr690126.outbound.protection.outlook.com
>> DEBUG(filter_rdns_whitelist_file()@filter.c:1055): searching rDNS whitelist
>> file(s); rdns: mail-eopbgr690126.outbound.protection.outlook.com
>> DEBUG(filter_rdns_blacklist_file()@filter.c:1159): searching rDNS blacklist
>> file(s); rdns: mail-eopbgr690126.outbound.protection.outlook.com
>> DEBUG(filter_ip_whitelist()@filter.c:1228): searching IP whitelist file(s);
>> ip: 40.107.69.126
>> DEBUG(filter_ip_blacklist()@filter.c:1279): searching IP blacklist file(s);
>> ip: 40.107.69.126
>> DEBUG(filter_ip_in_rdns_whitelist()@filter.c:1380): checking for IP in rDNS
>> +keyword(s) in whitelist file; ip: 40.107.69.126 rdns:
>> mail-eopbgr690126.outbound.protection.outlook.com
>> DEBUG(filter_ip_in_rdns_blacklist()@filter.c:1333): checking for IP in rDNS
>> +keyword(s) in blacklist file; ip: 40.107.69.126 rdns:
>> mail-eopbgr690126.outbound.protection.outlook.com
>> DEBUG(filter_rdns_resolve()@filter.c:1426): checking rDNS resolution; rdns:
>> mail-eopbgr690126.outbound.protection.outlook.com
>> DEBUG(filter_dns_rbl()@filter.c:1645): checking DNS RBL(s); ip: 40.107.69.126
>> DEBUG(undo_softlimit()@spamdyke.c:3203): reset address space soft limit to
>> infinity: please stop using the softlimit program
>> DEBUG(undo_softlimit()@spamdyke.c:3223): reset data segment soft limit to
>> infinity: please stop using the softlimit program
>> DEBUG(undo_softlimit()@spamdyke.c:3241): reset stack size soft limit to
>> infinity: please stop using the softlimit program
>>
>> 06/18/2019 19:32:54 FROM CHILD TO REMOTE: 33 bytes
>> 220 ns1.HOSTNAME.com ESMTP
>>
>> 06/18/2019 19:32:54 FROM REMOTE TO CHILD: 52 bytes
>> EHLO NAM04-CO1-obe.outbound.protection.outlook.com
>>
>> 06/18/2019 19:32:54 FROM CHILD TO REMOTE: 27 bytes250-ns1.HOSTNAME.com
>>
>> 06/18/2019 19:32:54 FROM CHILD TO REMOTE: 14 bytes
>> 250-STARTTLS
>>
>> 06/18/2019 19:32:54 FROM CHILD TO REMOTE: 16 bytes
>> 250-PIPELINING
>>
>> 06/18/2019 19:32:54 FROM CHILD TO REMOTE: 14 bytes
>> 250-8BITMIME
>>
>> 06/18/2019 19:32:54 FROM CHILD TO REMOTE: 19 bytes
>> 250-SIZE 31457280
>>
>> 06/18/2019 19:32:54 FROM CHILD TO REMOTE: 31 bytes
>> 250 AUTH LOGIN PLAIN CRAM-MD5
>>
>> 06/18/2019 19:32:55 FROM REMOTE TO CHILD: 10 bytes
>> STARTTLS
>>
>> 06/18/2019 19:32:55 FROM SPAMDYKE TO REMOTE: 14 bytes
>> 220 Proceed.
>>
>> 06/18/2019 19:32:56 LOG OUTPUT TLS
>> DEBUG(tls_start()@tls.c:417): TLS/SSL connection established, using cipher
>> AES256-GCM-SHA384, 256 bits
>>
>> 06/18/2019 19:32:56 - TLS negotiated and started
>>
>> 06/18/2019 19:32:56 FROM REMOTE TO CHILD: 52 bytes TLS
>> EHLO NAM04-CO1-obe.outbound.protection.outlook.com
>>
>> 06/18/2019 19:32:56 FROM CHILD TO REMOTE: 27 bytes TLS250-ns1.HOSTNAME.com
>>
>> 06/18/2019 19:32:56 FROM CHILD, FILTERED: 14 bytes TLS
>> 250-STARTTLS
>>
>> 06/18/2019 19:32:56 FROM CHILD TO REMOTE: 16 bytes TLS
>> 250-PIPELINING
>>
>> 06/18/2019 19:32:56 FROM CHILD TO REMOTE: 14 bytes TLS
>> 250-8BITMIME
>>
>> 06/18/2019 19:32:56 FROM CHILD TO REMOTE: 19 bytes TLS
>> 250-SIZE 31457280
>>
>> 06/18/2019 19:32:56 FROM CHILD TO REMOTE: 31 bytes TLS
>> 250 AUTH LOGIN PLAIN CRAM-MD5
>>
>> 06/18/2019 19:32:57 FROM REMOTE TO CHILD: 48 bytes TLS
>> MAIL FROM:<[email protected]> <[email protected]> SIZE=68640
>>
>> 06/18/2019 19:32:57 LOG OUTPUT TLS
>> DEBUG(find_username()@spamdyke.c:127): searching for username between
>> positions 11 and 33: MAIL FROM:<[email protected]>
>> <[email protected]> SIZE=68640
>> RCPT TO:<[email protected]> <[email protected]>
>> RCPT TO:<[email protected]> <[email protected]>
>> DEBUG(find_domain()@spamdyke.c:361): searching for domain between positions
>> 23 and 33: MAIL FROM:<[email protected]> <[email protected]>
>> SIZE=68640
>> RCPT TO:<[email protected]> <[email protected]>
>> RCPT TO:<[email protected]> <[email protected]>
>> DEBUG(find_address()@spamdyke.c:726): found username: Rethish.Nair
>> DEBUG(find_address()@spamdyke.c:743): found domain: SENDER.com
>> DEBUG(filter_sender_whitelist()@filter.c:1871): searching sender
>> whitelist(s); sender: [email protected]
>> FILTER_SENDER_WHITELIST sender: [email protected] file:
>> /etc/spamdyke/whitelist_senders(781)
>>
>> 06/18/2019 19:33:16 FROM CHILD TO REMOTE: 33 bytes TLS
>> 451 SPF lookup failure (#4.3.0)
>>
>> 06/18/2019 19:33:16 FROM REMOTE TO CHILD: 40 bytes TLS
>> RCPT TO:<[email protected]> <[email protected]>
>>
>> 06/18/2019 19:33:16 LOG OUTPUT TLS
>> DEBUG(find_username()@spamdyke.c:127): searching for username between
>> positions 9 and 36: RCPT TO:<[email protected]>
>> <[email protected]>
>> RCPT TO:<[email protected]> <[email protected]>
>> DEBUG(find_domain()@spamdyke.c:361): searching for domain between positions
>> 16 and 36: RCPT TO:<[email protected]> <[email protected]>
>> RCPT TO:<[email protected]> <[email protected]>
>> DEBUG(find_address()@spamdyke.c:726): found username: ranjini
>> DEBUG(find_address()@spamdyke.c:743): found domain: dxb.RECEPIENT.com
>> DEBUG(find_cdb_record()@cdb.c:138): searching CDB file
>> /var/qmail/control/morercpthosts.cdb for 20 byte key = dxb.RECEPIENT.com,
>> hash = 3655419700, main index = 52, num_slots = 2, slot_num = 1
>>
>> 06/18/2019 19:33:16 LOG OUTPUT TLS
>> FILTER_OTHER response: "503 MAIL first (#5.5.1)"
>>
>> 06/18/2019 19:33:16 FROM CHILD TO REMOTE: 25 bytes TLS
>> 503 MAIL first (#5.5.1)
>>
>> 06/18/2019 19:33:16 LOG OUTPUT TLS
>> DENIED_OTHER from: [email protected] to: [email protected]
>> origin_ip: 40.107.69.126 origin_rdns:
>> mail-eopbgr690126.outbound.protection.outlook.com auth: (unknown)
>> encryption: TLS reason: 503_MAIL_first_(#5.5.1)
>>
>> 06/18/2019 19:33:16 FROM REMOTE TO CHILD: 44 bytes TLS
>> RCPT TO:<[email protected]> <[email protected]>
>>
>> 06/18/2019 19:33:16 LOG OUTPUT TLS
>> DEBUG(find_username()@spamdyke.c:127): searching for username between
>> positions 9 and 40: RCPT TO:<[email protected]>
>> <[email protected]>
>> DEBUG(find_domain()@spamdyke.c:361): searching for domain between positions
>> 20 and 40: RCPT TO:<[email protected]>
>> <[email protected]>
>> DEBUG(find_address()@spamdyke.c:726): found username: nominations
>> DEBUG(find_address()@spamdyke.c:743): found domain: dxb.RECEPIENT.com
>> DEBUG(find_cdb_record()@cdb.c:138): searching CDB file
>> /var/qmail/control/morercpthosts.cdb for 20 byte key = dxb.RECEPIENT.com,
>> hash = 3655419700, main index = 52, num_slots = 2, slot_num = 1
>>
>> 06/18/2019 19:33:16 LOG OUTPUT TLS
>> FILTER_OTHER response: "503 MAIL first (#5.5.1)"
>>
>> 06/18/2019 19:33:16 FROM CHILD TO REMOTE: 25 bytes TLS
>> 503 MAIL first (#5.5.1)
>>
>> 06/18/2019 19:33:16 LOG OUTPUT TLS
>> DENIED_OTHER from: [email protected] to: [email protected]
>> origin_ip: 40.107.69.126 origin_rdns:
>> mail-eopbgr690126.outbound.protection.outlook.com auth: (unknown)
>> encryption: TLS reason: 503_MAIL_first_(#5.5.1)
>>
>> 06/18/2019 19:33:16 FROM REMOTE TO CHILD: 6 bytes TLS
>> QUIT
>>
>> 06/18/2019 19:33:16 LOG OUTPUT TLS
>> ERROR(tls_write()@tls.c:678): unable to write to SSL/TLS stream: The
>> operation failed due to an I/O error, Connection reset by peer
>> ERROR(output_writeln()@log.c:104): unable to write 27 bytes to file
>> descriptor 1: Connection reset by peer
>>
>> 06/18/2019 19:33:16 FROM CHILD TO REMOTE: 27 bytes TLS
>> 221 ns1.HOSTNAME.com
>>
>> 06/18/2019 19:33:16 LOG OUTPUT TLS
>> ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The
>> operation failed due to an I/O error, Unexpected EOF found
>>
>> 06/18/2019 19:33:16 - TLS ended and closed
>>
>> 06/18/2019 19:33:16 CLOSED
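
Added example, not part of the thread and not spamdyke or qmail code: in the full log quoted above, MAIL FROM is answered with `451 SPF lookup failure` and each RCPT TO that follows gets `503 MAIL first`. The Python below pairs commands with replies in that log layout and reports which reply refused MAIL FROM, who sent it and after how long. The sample log is constructed from the page's entries with placeholder addresses, the function names are hypothetical, and reading `CHILD` as the program spamdyke wraps (qmail-smtpd in this setup) is an assumption.

```python
import re
from datetime import datetime

# Constructed sample in the page's full-log layout; addresses are placeholders.
SAMPLE_LOG = """\
06/18/2019 19:32:57 FROM REMOTE TO CHILD: 48 bytes TLS
MAIL FROM:<sender@sender.example> SIZE=68640

06/18/2019 19:33:16 FROM CHILD TO REMOTE: 33 bytes TLS
451 SPF lookup failure (#4.3.0)

06/18/2019 19:33:16 FROM REMOTE TO CHILD: 40 bytes TLS
RCPT TO:<user@recipient.example>

06/18/2019 19:33:16 FROM CHILD TO REMOTE: 25 bytes TLS
503 MAIL first (#5.5.1)
"""

HEADER = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) FROM (REMOTE|CHILD|SPAMDYKE) TO "
                    r"(?:REMOTE|CHILD): \d+ bytes(?: TLS)?$")

def records(log_text):
    """Yield (time, sender, smtp_line) for every traffic record in the log."""
    lines = [l.strip() for l in log_text.splitlines()]
    for header, payload in zip(lines, lines[1:]):
        m = HEADER.match(header)
        if m:
            yield datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S"), m.group(2), payload

def trace_503(log_text):
    """Link each '503 MAIL first' on RCPT to the reply that refused MAIL FROM."""
    findings, pending, refused = [], None, None
    for when, sender, text in records(log_text):
        if sender == "REMOTE":                      # client command
            pending = (text.split()[0].upper(), when) if text else None
            continue
        if pending is None or text[3:4] == "-":     # unsolicited or continuation line
            continue
        verb, asked = pending
        pending = None
        if verb == "MAIL":                          # remember a 4xx/5xx on MAIL FROM
            refused = None
            if text[:1] in ("4", "5"):
                refused = {"cause": text, "answered_by": sender,
                           "delay_secs": int((when - asked).total_seconds())}
        elif verb == "RCPT" and text.startswith("503") and refused:
            findings.append(dict(refused, rcpt_reply=text))
    return findings
```

On the sample, `trace_503(SAMPLE_LOG)` returns one finding whose cause is the 451 reply, sent by `CHILD` 19 seconds after MAIL FROM.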
