That's the nature of spamdyke. See the documentation. I understand why it was programmed the way it was, with TLS, so that it could, after decrypting the email, operate spam-blocking techniques. With qmail doing the decryption, everything that passes through spamdyke is encrypted, so examining the email is not possible.

tls-level: none, smtp, smtp-no-passthrough or smtps

none: Do not offer or allow SSL/TLS, even if qmail supports it.

smtp: If tls-certificate-file is given, offer TLS during the SMTP conversation and decrypt the traffic. If tls-certificate-file is not given, allow qmail to offer TLS (if it has been patched to provide TLS) and pass the encrypted traffic to qmail.

smtp-no-passthrough: If tls-certificate-file is given, offer TLS during the SMTP conversation and decrypt the traffic. If tls-certificate-file is not given, prevent TLS from starting.

smtps: Initiate an SSL session at the beginning of the connection, before SMTP begins.

If tls-level is given multiple times, spamdyke will use the last value it finds.

If tls-level is not given, spamdyke will use a value of smtp.

tls-level is not valid within configuration directories.

See TLS <https://www.spamdyke.org/documentation/README.html#TLS> for details.



Qmail will pick up TLS negotiation if spamdyke is disabled. You can check the headers of incoming email to confirm.

Received: from unknown (HELO mail.qmailtoaster.com) (162.213.42.64)
  by myhost.whitehorsetc.com with ESMTPS (DHE-RSA-AES256-SHA encrypted);

or in older TLS patches

Received: from unknown (HELO mail.qmailtoaster.com) (162.213.42.64)
  by myhost.whitehorsetc.com with SMTP (DHE-RSA-AES256-SHA encrypted);
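As an added example (not part of the original post, and not spamdyke's own code), the following Python script applies the tls-level rules quoted above to a spamdyke.conf and then checks a Received: header the way the reply suggests. The conf parser assumes the plain `option=value` syntax seen in this thread and skips `#` comments, so a commented-out tls-certificate-file line does not count as given; the sample configuration and the Received: headers are constructed for the example. Treating `smtps` without a certificate as an error is an assumption of the example; the README excerpt above does not say what spamdyke does in that case.

```python
import re

# Constructed sample spamdyke.conf (not a real server's file): tls-level appears
# twice, and the certificate line is commented out as the reply suggests.
SAMPLE_CONF = """\
log-level=info
tls-level=smtp
#tls-certificate-file=/var/qmail/control/servercert.pem
tls-level=smtp-no-passthrough
"""

# Constructed Received: headers modelled on the two forms quoted in the reply.
RECEIVED_NEW = ("Received: from unknown (HELO mail.example.org) (192.0.2.10)\n"
                "  by mx.example.net with ESMTPS (DHE-RSA-AES256-SHA encrypted);")
RECEIVED_OLD = ("Received: from unknown (HELO mail.example.org) (192.0.2.10)\n"
                "  by mx.example.net with SMTP (DHE-RSA-AES256-SHA encrypted);")
RECEIVED_PLAIN = ("Received: from unknown (HELO mail.example.org) (192.0.2.10)\n"
                  "  by mx.example.net with SMTP;")


def parse_conf(text):
    """Return {option: [value, ...]} in file order. Blank lines and '#' comments are
    skipped, so a commented-out tls-certificate-file is not 'given'."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        opts.setdefault(key.strip(), []).append(value.strip())
    return opts


def effective_tls(opts):
    """Apply the README rules quoted in the thread: the last tls-level wins, the default
    is 'smtp', and tls-certificate-file decides whether spamdyke terminates TLS itself.
    spamdyke_sees_plaintext is False only when ciphertext is passed through to qmail,
    which is the case in which spamdyke's content filters cannot inspect the session."""
    level = opts.get("tls-level", ["smtp"])[-1]
    has_cert = "tls-certificate-file" in opts
    if level == "none":
        # No TLS offered or allowed at all; the whole session is plaintext.
        return {"level": level, "tls_handled_by": "nobody", "spamdyke_sees_plaintext": True}
    if level == "smtps":
        if not has_cert:
            # Assumption: smtps needs a certificate; the README excerpt does not cover this.
            raise ValueError("tls-level=smtps without tls-certificate-file (assumed invalid)")
        return {"level": level, "tls_handled_by": "spamdyke", "spamdyke_sees_plaintext": True}
    if level in ("smtp", "smtp-no-passthrough"):
        if has_cert:
            # spamdyke offers STARTTLS and decrypts, so its filters see the cleartext.
            return {"level": level, "tls_handled_by": "spamdyke", "spamdyke_sees_plaintext": True}
        if level == "smtp":
            # No certificate: a TLS-patched qmail negotiates TLS; spamdyke relays ciphertext.
            return {"level": level, "tls_handled_by": "qmail", "spamdyke_sees_plaintext": False}
        # smtp-no-passthrough without a certificate: TLS is prevented from starting.
        return {"level": level, "tls_handled_by": "nobody", "spamdyke_sees_plaintext": True}
    raise ValueError(f"unknown tls-level {level!r}")


def hop_encrypted(received_header):
    """True if a Received: header records a TLS hop: 'with ESMTPS' (newer qmail TLS
    patches) or a '(<cipher> encrypted)' note (older patches), as quoted in the reply."""
    flat = " ".join(received_header.split())
    return bool(re.search(r"\bwith ESMTPS\b", flat)
                or re.search(r"\([A-Z0-9-]+ encrypted\)", flat))


if __name__ == "__main__":
    print(effective_tls(parse_conf(SAMPLE_CONF)))
    for hdr in (RECEIVED_NEW, RECEIVED_OLD, RECEIVED_PLAIN):
        print(hop_encrypted(hdr), hdr.splitlines()[1].strip())
```

Run it against a real spamdyke.conf by replacing SAMPLE_CONF with the file's contents; the useful output is the `spamdyke_sees_plaintext` flag, which is the condition the reply above is describing.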



On 8/7/2020 6:36 PM, Chris wrote:
Why does 'Setting tls-level=none turns off ALL TLS even in qmail's offering' when it's a spamdyke config file, not qmail?

What if I think spamdyke is part of my multi-delivery problem? If I take spamdyke out of the equation in smtp/run, how do I get qmail to pick up the TLS negotiation?

On Sat, Aug 8, 2020 at 12:28 PM Eric Broch <[email protected]> wrote:

    I'm not sure I like how spamdyke handles tls, though I don't know
    another way one would do it.

    Setting tls-level=none turns off ALL TLS even in qmail's offering.

    If you want qmail to handle TLS, comment out the certificate file:

    #tls-certificate-file=/var/qmail/control/servercert.pem

    However, if you do this, spamdyke (I think) will not work anymore
    because all traffic through it is now encrypted (you could check
    if I'm correct on the spamdyke mailing list).

    On 8/7/2020 6:13 PM, Chris wrote:
    I know I'm responding to a really old thread here, but I stumbled
    upon this trying to solve another issue.

    When I set tls-level=none in /opt/spamdyke/etc/spamdyke.conf and
    reboot, I now completely fail the SMTP TLS checker at
    https://luxsci.com/smtp-tls-checker
    It would appear that qmail isn't doing the tls at all.

    Where are the settings for telling qmail to handle the tls? Is it
    in the run file, or elsewhere?

    On Wed, Jun 19, 2019 at 3:14 AM Eric Broch <[email protected]> wrote:

        In /etc/spamdyke/spamdyke.conf set 'tls-level' to 'none'.

        tls-level=none

        Allow qmail to do the tls and see if it works.


        On 6/18/2019 9:07 AM, Rajesh M wrote:
        Eric,

        In the spamdyke.conf I can see this:
        tls-certificate-file=/var/qmail/control/servercert.pem

        Also, I am using
        /var/qmail/control/servercert.pem
        for domain key signing of outgoing emails.

        rajesh

        ----- Original Message -----
        From: Eric Broch [mailto:[email protected]]
        To: [email protected]
        Sent: Tue, 18 Jun 2019 08:52:13 -0600
        Subject:

        So you have spamdyke doing the TLS?

        On 6/18/2019 8:38 AM, Rajesh M wrote:
        Hi

        ISSUE 1
        All of a sudden we are receiving an error on one of our servers for one specific sender domain (sending from a Microsoft server).

        The sender domain is not able to send emails to the recipient domain on our server. The email bounces with the following error:
        encryption: TLS reason: 503_MAIL_first_(#5.5.1)

        06/18/2019 19:33:16 LOG OUTPUT TLS
        DENIED_OTHER from: [email protected] to: [email protected] origin_ip: 40.107.69.126 origin_rdns: mail-eopbgr690126.outbound.protection.outlook.com auth: (unknown) encryption: TLS reason: 503_MAIL_first_(#5.5.1)
        06/18/2019 19:33:16 FROM REMOTE TO CHILD: 6 bytes TLS
        QUIT
        06/18/2019 19:33:16 LOG OUTPUT TLS
        ERROR(tls_write()@tls.c:678): unable to write to SSL/TLS stream: The operation failed due to an I/O error, Connection reset by peer
        ERROR(output_writeln()@log.c:104): unable to write 27 bytes to file descriptor 1: Connection reset by peer
        06/18/2019 19:33:16 FROM CHILD TO REMOTE: 27 bytes TLS
        221 ns1.HOSTNAME.com
        06/18/2019 19:33:16 LOG OUTPUT TLS
        ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The operation failed due to an I/O error, Unexpected EOF found

        06/18/2019 19:33:16 - TLS ended and closed


        The error log from the spamdyke full-log-dir is given below.


        ISSUE 2
        Also I noted that the spamdyke log mentions this:
        reset address space soft limit to infinity: please stop using the softlimit program

        What exactly does this mean? What is the alternative to prevent large files? Should I disable the softlimit program in
        /usr/bin/softlimit -m 64000000 \
        in the smtp run file?

        I require your kind help in resolving the above 2 issues.

        thanks
        rajesh

        06/18/2019 19:32:54 STARTED: VERSION = 5.0.1+TLS+CONFIGTEST+DEBUG, PID = 19829

        06/18/2019 19:32:54 CURRENT ENVIRONMENT
        PATH=/var/qmail/bin:/usr/local/bin:/usr/bin:/bin
        PWD=/var/qmail/supervise/smtp
        SHLVL=0
        PROTO=TCP
        TCPLOCALIP=103.241.181.154
        TCPLOCALPORT=25
        TCPLOCALHOST=ns1.HOSTNAME.com
        TCPREMOTEIP=40.107.69.126
        TCPREMOTEPORT=42264
        BADMIMETYPE=
        BADLOADERTYPE=M
        QMAILQUEUE=/var/qmail/bin/simscan
        CHKUSER_START=ALWAYS
        CHKUSER_RCPTLIMIT=50
        CHKUSER_WRONGRCPTLIMIT=10
        NOP0FCHECK=1
        DKQUEUE=/var/qmail/bin/qmail-queue.orig
        DKVERIFY=DEGIJKfh
        DKSIGN=/var/qmail/control/domainkeys/%/private

        06/18/2019 19:32:54 CURRENT CONFIG
        config-file=/etc/spamdyke/spamdyke.conf
        dns-blacklist-entry=zen.spamhaus.org
        full-log-dir=/var/log/spamdyke
        graylist-dir=/var/spamdyke/graylist
        graylist-max-secs=2678400
        graylist-min-secs=180
        header-blacklist-entry=From:*>,*<*
        idle-timeout-secs=600
        ip-blacklist-file=/etc/spamdyke/blacklist_ip
        ip-in-rdns-keyword-blacklist-file=/etc/spamdyke/blacklist_keywords
        ip-in-rdns-keyword-whitelist-file=/etc/spamdyke/whitelist_keywords
        ip-whitelist-file=/etc/spamdyke/whitelist_ip
        log-level=info
        max-recipients=100
        rdns-blacklist-file=/etc/spamdyke/blacklist_rdns
        rdns-whitelist-file=/etc/spamdyke/whitelist_rdns
        recipient-blacklist-file=/etc/spamdyke/blacklist_recipients
        recipient-whitelist-file=/etc/spamdyke/whitelist_recipients
        reject-empty-rdns=1
        reject-sender=no-mx
        reject-sender=authentication-domain-mismatch
        reject-unresolvable-rdns=1
        relay-level=normal
        sender-blacklist-file=/etc/spamdyke/blacklist_senders
        sender-whitelist-file=/etc/spamdyke/whitelist_senders
        tls-certificate-file=/var/qmail/control/servercert.pem

        06/18/2019 19:32:54 - Remote IP = 40.107.69.126

        06/18/2019 19:32:54 CURRENT CONFIG
        config-file=/etc/spamdyke/spamdyke.conf
        dns-blacklist-entry=zen.spamhaus.org
        dns-server-ip-primary=8.8.8.8
        full-log-dir=/var/log/spamdyke
        graylist-dir=/var/spamdyke/graylist
        graylist-max-secs=2678400
        graylist-min-secs=180
        header-blacklist-entry=From:*>,*<*
        idle-timeout-secs=600
        ip-blacklist-file=/etc/spamdyke/blacklist_ip
        ip-in-rdns-keyword-blacklist-file=/etc/spamdyke/blacklist_keywords
        ip-in-rdns-keyword-whitelist-file=/etc/spamdyke/whitelist_keywords
        ip-whitelist-file=/etc/spamdyke/whitelist_ip
        log-level=info
        max-recipients=100
        rdns-blacklist-file=/etc/spamdyke/blacklist_rdns
        rdns-whitelist-file=/etc/spamdyke/whitelist_rdns
        recipient-blacklist-file=/etc/spamdyke/blacklist_recipients
        recipient-whitelist-file=/etc/spamdyke/whitelist_recipients
        reject-empty-rdns=1
        reject-sender=no-mx
        reject-sender=authentication-domain-mismatch
        reject-unresolvable-rdns=1
        relay-level=normal
        sender-blacklist-file=/etc/spamdyke/blacklist_senders
        sender-whitelist-file=/etc/spamdyke/whitelist_senders
        tls-certificate-file=/var/qmail/control/servercert.pem

        06/18/2019 19:32:54 - Remote rDNS = mail-eopbgr690126.outbound.protection.outlook.com

        06/18/2019 19:32:54 LOG OUTPUT
        DEBUG(filter_rdns_missing()@filter.c:947): checking for missing rDNS; rdns: mail-eopbgr690126.outbound.protection.outlook.com
        DEBUG(filter_rdns_whitelist_file()@filter.c:1055): searching rDNS whitelist file(s); rdns: mail-eopbgr690126.outbound.protection.outlook.com
        DEBUG(filter_rdns_blacklist_file()@filter.c:1159): searching rDNS blacklist file(s); rdns: mail-eopbgr690126.outbound.protection.outlook.com
        DEBUG(filter_ip_whitelist()@filter.c:1228): searching IP whitelist file(s); ip: 40.107.69.126
        DEBUG(filter_ip_blacklist()@filter.c:1279): searching IP blacklist file(s); ip: 40.107.69.126
        DEBUG(filter_ip_in_rdns_whitelist()@filter.c:1380): checking for IP in rDNS +keyword(s) in whitelist file; ip: 40.107.69.126 rdns: mail-eopbgr690126.outbound.protection.outlook.com
        DEBUG(filter_ip_in_rdns_blacklist()@filter.c:1333): checking for IP in rDNS +keyword(s) in blacklist file; ip: 40.107.69.126 rdns: mail-eopbgr690126.outbound.protection.outlook.com
        DEBUG(filter_rdns_resolve()@filter.c:1426): checking rDNS resolution; rdns: mail-eopbgr690126.outbound.protection.outlook.com
        DEBUG(filter_dns_rbl()@filter.c:1645): checking DNS RBL(s); ip: 40.107.69.126
        DEBUG(undo_softlimit()@spamdyke.c:3203): reset address space soft limit to infinity: please stop using the softlimit program
        DEBUG(undo_softlimit()@spamdyke.c:3223): reset data segment soft limit to infinity: please stop using the softlimit program
        DEBUG(undo_softlimit()@spamdyke.c:3241): reset stack size soft limit to infinity: please stop using the softlimit program

        06/18/2019 19:32:54 FROM CHILD TO REMOTE: 33 bytes
        220 ns1.HOSTNAME.com ESMTP

        06/18/2019 19:32:54 FROM REMOTE TO CHILD: 52 bytes
        EHLO NAM04-CO1-obe.outbound.protection.outlook.com

        06/18/2019 19:32:54 FROM CHILD TO REMOTE: 27 bytes
        250-ns1.HOSTNAME.com

        06/18/2019 19:32:54 FROM CHILD TO REMOTE: 14 bytes
        250-STARTTLS

        06/18/2019 19:32:54 FROM CHILD TO REMOTE: 16 bytes
        250-PIPELINING

        06/18/2019 19:32:54 FROM CHILD TO REMOTE: 14 bytes
        250-8BITMIME

        06/18/2019 19:32:54 FROM CHILD TO REMOTE: 19 bytes
        250-SIZE 31457280

        06/18/2019 19:32:54 FROM CHILD TO REMOTE: 31 bytes
        250 AUTH LOGIN PLAIN CRAM-MD5

        06/18/2019 19:32:55 FROM REMOTE TO CHILD: 10 bytes
        STARTTLS

        06/18/2019 19:32:55 FROM SPAMDYKE TO REMOTE: 14 bytes
        220 Proceed.

        06/18/2019 19:32:56 LOG OUTPUT TLS
        DEBUG(tls_start()@tls.c:417): TLS/SSL connection established, using 
cipher AES256-GCM-SHA384, 256 bits

        06/18/2019 19:32:56 - TLS negotiated and started

        06/18/2019 19:32:56 FROM REMOTE TO CHILD: 52 bytes TLS
        EHLO NAM04-CO1-obe.outbound.protection.outlook.com

        06/18/2019 19:32:56 FROM CHILD TO REMOTE: 27 bytes TLS
        250-ns1.HOSTNAME.com

        06/18/2019 19:32:56 FROM CHILD, FILTERED: 14 bytes TLS
        250-STARTTLS

        06/18/2019 19:32:56 FROM CHILD TO REMOTE: 16 bytes TLS
        250-PIPELINING

        06/18/2019 19:32:56 FROM CHILD TO REMOTE: 14 bytes TLS
        250-8BITMIME

        06/18/2019 19:32:56 FROM CHILD TO REMOTE: 19 bytes TLS
        250-SIZE 31457280

        06/18/2019 19:32:56 FROM CHILD TO REMOTE: 31 bytes TLS
        250 AUTH LOGIN PLAIN CRAM-MD5

        06/18/2019 19:32:57 FROM REMOTE TO CHILD: 48 bytes TLS
        MAIL FROM:<[email protected]> SIZE=68640

        06/18/2019 19:32:57 LOG OUTPUT TLS
        DEBUG(find_username()@spamdyke.c:127): searching for username between positions 11 and 33: MAIL FROM:<[email protected]> SIZE=68640
        RCPT TO:<[email protected]>
        RCPT TO:<[email protected]>
        DEBUG(find_domain()@spamdyke.c:361): searching for domain between positions 23 and 33: MAIL FROM:<[email protected]> SIZE=68640
        RCPT TO:<[email protected]>
        RCPT TO:<[email protected]>
        DEBUG(find_address()@spamdyke.c:726): found username: Rethish.Nair
        DEBUG(find_address()@spamdyke.c:743): found domain: SENDER.com
        DEBUG(filter_sender_whitelist()@filter.c:1871): searching sender whitelist(s); sender: [email protected]
        FILTER_SENDER_WHITELIST sender: [email protected] file: /etc/spamdyke/whitelist_senders(781)

        06/18/2019 19:33:16 FROM CHILD TO REMOTE: 33 bytes TLS
        451 SPF lookup failure (#4.3.0)

        06/18/2019 19:33:16 FROM REMOTE TO CHILD: 40 bytes TLS
        RCPT TO:<[email protected]>

        06/18/2019 19:33:16 LOG OUTPUT TLS
        DEBUG(find_username()@spamdyke.c:127): searching for username between positions 9 and 36: RCPT TO:<[email protected]>
        RCPT TO:<[email protected]>
        DEBUG(find_domain()@spamdyke.c:361): searching for domain between positions 16 and 36: RCPT TO:<[email protected]>
        RCPT TO:<[email protected]>
        DEBUG(find_address()@spamdyke.c:726): found username: ranjini
        DEBUG(find_address()@spamdyke.c:743): found domain: dxb.RECEPIENT.com
        DEBUG(find_cdb_record()@cdb.c:138): searching CDB file /var/qmail/control/morercpthosts.cdb for 20 byte key = dxb.RECEPIENT.com, hash = 3655419700, main index = 52, num_slots = 2, slot_num = 1

        06/18/2019 19:33:16 LOG OUTPUT TLS
        FILTER_OTHER response: "503 MAIL first (#5.5.1)"

        06/18/2019 19:33:16 FROM CHILD TO REMOTE: 25 bytes TLS
        503 MAIL first (#5.5.1)

        06/18/2019 19:33:16 LOG OUTPUT TLS
        DENIED_OTHER from: [email protected] to: [email protected] origin_ip: 40.107.69.126 origin_rdns: mail-eopbgr690126.outbound.protection.outlook.com auth: (unknown) encryption: TLS reason: 503_MAIL_first_(#5.5.1)

        06/18/2019 19:33:16 FROM REMOTE TO CHILD: 44 bytes TLS
        RCPT TO:<[email protected]>

        06/18/2019 19:33:16 LOG OUTPUT TLS
        DEBUG(find_username()@spamdyke.c:127): searching for username between positions 9 and 40: RCPT TO:<[email protected]>
        DEBUG(find_domain()@spamdyke.c:361): searching for domain between positions 20 and 40: RCPT TO:<[email protected]>
        DEBUG(find_address()@spamdyke.c:726): found username: nominations
        DEBUG(find_address()@spamdyke.c:743): found domain: dxb.RECEPIENT.com
        DEBUG(find_cdb_record()@cdb.c:138): searching CDB file /var/qmail/control/morercpthosts.cdb for 20 byte key = dxb.RECEPIENT.com, hash = 3655419700, main index = 52, num_slots = 2, slot_num = 1

        06/18/2019 19:33:16 LOG OUTPUT TLS
        FILTER_OTHER response: "503 MAIL first (#5.5.1)"

        06/18/2019 19:33:16 FROM CHILD TO REMOTE: 25 bytes TLS
        503 MAIL first (#5.5.1)

        06/18/2019 19:33:16 LOG OUTPUT TLS
        DENIED_OTHER from: [email protected] to: [email protected] origin_ip: 40.107.69.126 origin_rdns: mail-eopbgr690126.outbound.protection.outlook.com auth: (unknown) encryption: TLS reason: 503_MAIL_first_(#5.5.1)

        06/18/2019 19:33:16 FROM REMOTE TO CHILD: 6 bytes TLS
        QUIT

        06/18/2019 19:33:16 LOG OUTPUT TLS
        ERROR(tls_write()@tls.c:678): unable to write to SSL/TLS stream: The 
operation failed due to an I/O error, Connection reset by peer
        ERROR(output_writeln()@log.c:104): unable to write 27 bytes to file 
descriptor 1: Connection reset by peer

        06/18/2019 19:33:16 FROM CHILD TO REMOTE: 27 bytes TLS
        221 ns1.HOSTNAME.com

        06/18/2019 19:33:16 LOG OUTPUT TLS
        ERROR(tls_read()@tls.c:620): unable to read from SSL/TLS stream: The 
operation failed due to an I/O error, Unexpected EOF found

        06/18/2019 19:33:16 - TLS ended and closed

        06/18/2019 19:33:16 CLOSED



        ---------------------------------------------------------------------
        To unsubscribe, e-mail: [email protected]
        For additional commands, e-mail: [email protected]

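Reading the transcript above, the RCPT TO commands drew "503 MAIL first (#5.5.1)" because the preceding MAIL FROM had already been answered with "451 SPF lookup failure (#4.3.0)", nineteen seconds after it was sent (19:32:57 to 19:33:16), so the sender had no accepted MAIL command on record. As an added example (not from the thread, and not spamdyke's own tooling), the following Python script reads a spamdyke full-log-dir transcript in the format shown above, pairs each client command with the reply the remote actually received, whether it came from qmail (CHILD) or from spamdyke itself, and reports the first rejection together with how long it took. The sample log embedded in the script is constructed from that transcript with placeholder addresses; the header format it matches (timestamp, direction, byte count, optional TLS tag, payload on the following lines up to a blank line) is the one visible in the log.

```python
import re
from datetime import datetime

# Constructed sample transcript in spamdyke's full-log-dir layout, modelled on the
# thread's log with placeholder addresses (not a real capture).
SAMPLE_LOG = """\
06/18/2019 19:32:54 FROM CHILD TO REMOTE: 33 bytes
220 ns1.HOSTNAME.com ESMTP

06/18/2019 19:32:54 FROM REMOTE TO CHILD: 52 bytes
EHLO NAM04-CO1-obe.outbound.protection.outlook.com

06/18/2019 19:32:54 FROM CHILD TO REMOTE: 27 bytes
250-ns1.HOSTNAME.com

06/18/2019 19:32:54 FROM CHILD TO REMOTE: 14 bytes
250-STARTTLS

06/18/2019 19:32:55 FROM REMOTE TO CHILD: 10 bytes
STARTTLS

06/18/2019 19:32:55 FROM SPAMDYKE TO REMOTE: 14 bytes
220 Proceed.

06/18/2019 19:32:57 FROM REMOTE TO CHILD: 48 bytes TLS
MAIL FROM:<sender@example.com> SIZE=68640

06/18/2019 19:33:16 FROM CHILD TO REMOTE: 33 bytes TLS
451 SPF lookup failure (#4.3.0)

06/18/2019 19:33:16 FROM REMOTE TO CHILD: 40 bytes TLS
RCPT TO:<user@example.net>

06/18/2019 19:33:16 FROM CHILD TO REMOTE: 25 bytes TLS
503 MAIL first (#5.5.1)

06/18/2019 19:33:16 FROM REMOTE TO CHILD: 6 bytes TLS
QUIT

06/18/2019 19:33:16 FROM CHILD TO REMOTE: 27 bytes TLS
221 ns1.HOSTNAME.com
"""

HEADER_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"(FROM REMOTE TO CHILD|FROM CHILD TO REMOTE|FROM SPAMDYKE TO REMOTE"
    r"|FROM CHILD, FILTERED|LOG OUTPUT)\b")
REPLY_RE = re.compile(r"^(\d{3})[ -]")  # SMTP reply code, final or continuation line


def parse_log(text):
    """Split the transcript into (timestamp, kind, payload) events: a header line
    followed by payload lines up to the next blank line. Non-header lines such as
    STARTED, CLOSED and '- Remote IP' notes are skipped."""
    events, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i].strip())
        if not m:
            i += 1
            continue
        stamp = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        payload, i = [], i + 1
        while i < len(lines) and lines[i].strip():
            payload.append(lines[i].strip())
            i += 1
        events.append((stamp, m.group(2), "\n".join(payload)))
    return events


def transactions(events):
    """Pair each client command with the next reply the remote received (from qmail or
    from spamdyke), recording the reply code and the delay in seconds. Continuation
    lines of a multi-line reply and the unsolicited greeting are left unpaired."""
    txns, pending = [], None
    for stamp, kind, payload in events:
        if kind == "FROM REMOTE TO CHILD":
            pending = (stamp, payload)
        elif kind in ("FROM CHILD TO REMOTE", "FROM SPAMDYKE TO REMOTE") and pending:
            m = REPLY_RE.match(payload)
            if m:
                cmd_time, cmd = pending
                txns.append({"command": cmd, "code": int(m.group(1)), "reply": payload,
                             "delay_s": (stamp - cmd_time).total_seconds()})
                pending = None
    return txns


def first_failure(txns):
    """The first command answered with a 4xx/5xx reply. Later rejections are usually a
    consequence: once MAIL FROM is refused, every RCPT TO draws '503 MAIL first'."""
    return next((t for t in txns if t["code"] >= 400), None)


if __name__ == "__main__":
    txns = transactions(parse_log(SAMPLE_LOG))
    for t in txns:
        print(f"{t['delay_s']:4.0f}s  {t['code']}  {t['command']}")
    print("first failure:", first_failure(txns))
```

On the thread's log this points at the 451 on MAIL FROM, with its 19-second delay, rather than at the 503s that spamdyke logged as DENIED_OTHER; the DENIED_OTHER lines are spamdyke relaying qmail's verdict, not a spamdyke filter decision.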
