[qmailtoaster] Qmailadmin IP address checking

[Jeff Koch]

Qmailadmin seems to check the IP address to maintain a session. However, 
we have a customer that uses a dish network and the IP address changes 
during browser sessions. This kicks out an error and logs the user out. 
Is there anyway to prevent qmailadmin from checking the IP address. Can 
or does it uses another method to maintain the session?


Regards, Jeff

[qmailtoaster] qmail toaster support for BDAT

[Jeff Koch]

Never heard of this before but an email sender to our mailserver got the 
following error message:


550 5.6.11 SMTPSEND.BareLinefeedsAreIllegal; message contains bare 
linefeeds, which cannot be sent via DATA and receiving system does not 
support BDAT


Does anyone know whether the qmail toaster supports the SMTP protocol 
BDAT command ?


Thanks,

Jeff

Re: [qmailtoaster] qmail toaster support for BDAT

[Jeff Koch]

Further information:

The sender also got the following message from his exchange mailserver 
when trying to send to our mailserver:


Your message contains invalid characters (bare line feed characters) 
which the email servers at ..com don't support


Jeff


On 8/28/2022 12:45 PM, Jeff Koch wrote:


Never heard of this before but an email sender to our mailserver got 
the following error message:


550 5.6.11 SMTPSEND.BareLinefeedsAreIllegal; message contains bare 
linefeeds, which cannot be sent via DATA and receiving system does not 
support BDAT


Does anyone know whether the qmail toaster supports the SMTP protocol 
BDAT command ?


Thanks,

Jeff

Re: [qmailtoaster] qmail toaster support for BDAT

[Jeff Koch]

Thanks Tonix - so the result is that messages from email clients (like 
Outlook) that add multiple bare line feeds in their messages and use 
O365 will now get rejected by the qmail toaster.  How nice of Microsoft.


Jeff

On 8/28/2022 2:27 PM, to...@interazioni.it wrote:

This document explains the problem:
https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/non-delivery-reports-in-exchange-online/fix-error-code-550-5-6-11-in-exchange-online

I will omit my thought on remote admins.
A very simple rule in communication is: be strict when sending, be 
tolerant when receiving.


Regards,
Tonino


Il 28 agosto 2022 19:24:13 CEST, Jeff Koch 
 ha scritto:

>Further information:
>
>The sender also got the following message from his exchange 
mailserver when trying to send to our mailserver:

>
>Your message contains invalid characters (bare line feed characters) 
which the email servers at ..com don't support

>
>Jeff
>
>
>On 8/28/2022 12:45 PM, Jeff Koch wrote:
>>
>> Never heard of this before but an email sender to our mailserver 
got the following error message:

>>
>> 550 5.6.11 SMTPSEND.BareLinefeedsAreIllegal; message contains bare 
linefeeds, which cannot be sent via DATA and receiving system does not 
support BDAT

>>
>> Does anyone know whether the qmail toaster supports the SMTP 
protocol BDAT command ?

>>
>> Thanks,
>>
>> Jeff

Re: [qmailtoaster] qmail toaster support for BDAT

[Jeff Koch]

Hi Tonino:

Does this mean that all of the emails this sender sends through her O365 
server would be rejected ?


Jeff



On 8/29/2022 6:55 AM, Tonix wrote:


More exactly those messages will be rejected by remote O365 receiver 
servers whose admins will have enabled the 
SMTPSEND.BareLinefeedsAreIllegal flag.


Tonino

Il 28/08/2022 22:20, Jeff Koch ha scritto:
Thanks Tonix - so the result is that messages from email clients 
(like Outlook) that add multiple bare line feeds in their messages 
and use O365 will now get rejected by the qmail toaster.  How nice of 
Microsoft.


Jeff

On 8/28/2022 2:27 PM, to...@interazioni.it wrote:

This document explains the problem:
https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/non-delivery-reports-in-exchange-online/fix-error-code-550-5-6-11-in-exchange-online 



I will omit my thought on remote admins.
A very simple rule in communication is: be strict when sending, be 
tolerant when receiving.


Regards,
Tonino


Il 28 agosto 2022 19:24:13 CEST, Jeff Koch 
 ha scritto:

>Further information:
>
>The sender also got the following message from his exchange 
mailserver when trying to send to our mailserver:

>
>Your message contains invalid characters (bare line feed 
characters) which the email servers at ..com don't support

>
>Jeff
>
>
>On 8/28/2022 12:45 PM, Jeff Koch wrote:
>>
>> Never heard of this before but an email sender to our mailserver 
got the following error message:

>>
>> 550 5.6.11 SMTPSEND.BareLinefeedsAreIllegal; message contains 
bare linefeeds, which cannot be sent via DATA and receiving system 
does not support BDAT

>>
>> Does anyone know whether the qmail toaster supports the SMTP 
protocol BDAT command ?

>>
>> Thanks,
>>
>> Jeff





-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com

Re: [qmailtoaster] qmail toaster support for BDAT

[Jeff Koch]

I do have to say that after running qmail toasters for over 20 years 
with over a few thousand users this is the first time I've heard of this 
issue. I should be getting complaints up the wazoo.  Jeff


On 8/29/2022 10:13 AM, Eric Broch wrote:

Tonix,

In your opinion, could this be fixed with a patch to the 'blast' 
function in qmail-smtpd to allow bare line feeds or would there need 
to be 'chunking' and 'bdat' calls added to smtp commands as well?


Eric

On 8/29/2022 7:16 AM, Tonix wrote:


Not only this (local) sender. Also other SMTP server which relay 
messages with same problem, or emails generated by application 
programs or network facilities which send simple alert emails not 
caring too much about CR LF.



Il 29/08/2022 14:56, Jeff Koch ha scritto:

Hi Tonino:

Does this mean that all of the emails this sender sends through her 
O365 server would be rejected ?


Jeff



On 8/29/2022 6:55 AM, Tonix wrote:


More exactly those messages will be rejected by remote O365 
receiver servers whose admins will have enabled the 
SMTPSEND.BareLinefeedsAreIllegal flag.


Tonino

Il 28/08/2022 22:20, Jeff Koch ha scritto:
Thanks Tonix - so the result is that messages from email clients 
(like Outlook) that add multiple bare line feeds in their messages 
and use O365 will now get rejected by the qmail toaster.  How nice 
of Microsoft.


Jeff

On 8/28/2022 2:27 PM, to...@interazioni.it wrote:

This document explains the problem:
https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/non-delivery-reports-in-exchange-online/fix-error-code-550-5-6-11-in-exchange-online 



I will omit my thought on remote admins.
A very simple rule in communication is: be strict when sending, 
be tolerant when receiving.


Regards,
Tonino


Il 28 agosto 2022 19:24:13 CEST, Jeff Koch 
 ha scritto:

>Further information:
>
>The sender also got the following message from his exchange 
mailserver when trying to send to our mailserver:

>
>Your message contains invalid characters (bare line feed 
characters) which the email servers at ..com don't support

>
>Jeff
>
>
>On 8/28/2022 12:45 PM, Jeff Koch wrote:
>>
>> Never heard of this before but an email sender to our 
mailserver got the following error message:

>>
>> 550 5.6.11 SMTPSEND.BareLinefeedsAreIllegal; message contains 
bare linefeeds, which cannot be sent via DATA and receiving 
system does not support BDAT

>>
>> Does anyone know whether the qmail toaster supports the SMTP 
protocol BDAT command ?

>>
>> Thanks,
>>
>> Jeff





-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: 
qmailtoaster-list-h...@qmailtoaster.com







-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com



-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com

Re: [qmailtoaster] Outlook users get "unsupported encryption type" error after Windows update

[Jeff Koch]

Running the following command against our QMT mailservers shows:

openssl s_client -showcerts -connect mailserver.com:993

--
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 
7DF738EE6BD9096B6CAE8047C4FBE4A980227BBBA7BBCD940BCE1BC4CE5ABA17

    Session-ID-ctx:
    Master-Key: 
42D30E9F7D9185EC883D188F298901335359D2298CDD74D93CE83C0EDA8478E331F2E9C57F70CBED7F8963C0B866D874

    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
     - 52 39 f4 5c cc 71 71 4c-25 19 11 9a 4f 4e 71 e8 R9.\.qqL%...ONq.
    0010 - d9 73 a6 0d 40 14 5a 52-d3 92 14 35 8e 7e 4b 0f .s..@.ZR...5.~K.
--

I think this would indicate that our Dovecot IMAP supports TLSv1.2 and 
should work with the Outlook updates. Am I missing something?


Jeff




On 10/13/2022 12:27 PM, Quinn Comendant wrote:


The Windows system update on October 11, 2021 included a change to 
disable TLS 1.0 and 1.1 by default.


  * Windows blog post: Plan for change: TLS 1.0 and TLS 1.1 soon to be
disabled by default


  * Windows support article: KB5017811—Manage Transport Layer Security
(TLS) 1.0 and 1.1 after default behavior change on September 20,
2022


  * Blog post: Windows 10: Beware of a possible TLS disaster on
October 2022 patchday



Our QMT v1.3 system with this issue does support TLS 1.2 for smtp and 
submission, but Courier IMAP only supports up to TLS 1.0. Results via 
testssl.sh:



smtp and submission

|SSLv2 not offered (OK) SSLv3 offered (NOT ok) TLS 1 offered 
(deprecated) TLS 1.1 offered (deprecated) TLS 1.2 offered (OK) TLS 1.3 
not offered and downgraded to a weaker protocol |



imap

|SSLv2 not offered (OK) SSLv3 not offered (OK) TLS 1 offered 
(deprecated) TLS 1.1 not offered TLS 1.2 not offered and downgraded to 
a weaker protocol TLS 1.3 not offered and downgraded to a weaker 
protocol NPN/SPDY not offered ALPN/HTTP2 not offered |


Because the error should only occur when TLS 1.2 is not available, I 
think the |Ox800CCC1A| in Outlook occurs when doing an IMAP transaction.


This thread 
 
started by Janno Sannik a couple years ago contains some hints how to 
upgrade or replace Courier for better TLS support.


Quinn

[qmailtoaster] Outlook users can't connect to QMT7 IMAP after Windows update

[Jeff Koch]

Hi - are there any suggestions on how to resolve this issue.

We're seeing more and more Outlook email client users complaining that 
they're no longer connecting to QMT7 IMAP to receive their mail.  This 
seems to have happened as a result of a recent Windows update.


Jeff Koch


On 10/13/2022 1:12 PM, Jeff Koch wrote:

Running the following command against our QMT mailservers shows:

openssl s_client -showcerts -connect mailserver.com:993

--
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 
7DF738EE6BD9096B6CAE8047C4FBE4A980227BBBA7BBCD940BCE1BC4CE5ABA17

    Session-ID-ctx:
    Master-Key: 
42D30E9F7D9185EC883D188F298901335359D2298CDD74D93CE83C0EDA8478E331F2E9C57F70CBED7F8963C0B866D874

    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
     - 52 39 f4 5c cc 71 71 4c-25 19 11 9a 4f 4e 71 e8 
R9.\.qqL%...ONq.
    0010 - d9 73 a6 0d 40 14 5a 52-d3 92 14 35 8e 7e 4b 0f 
.s..@.ZR...5.~K.

--

I think this would indicate that our Dovecot IMAP supports TLSv1.2 and 
should work with the Outlook updates. Am I missing something?


Jeff




On 10/13/2022 12:27 PM, Quinn Comendant wrote:


The Windows system update on October 11, 2021 included a change to 
disable TLS 1.0 and 1.1 by default.


  * Windows blog post: Plan for change: TLS 1.0 and TLS 1.1 soon to
be disabled by default

<https://blogs.windows.com/msedgedev/2020/03/31/tls-1-0-tls-1-1-schedule-update-edge-ie11/>
  * Windows support article: KB5017811—Manage Transport Layer
Security (TLS) 1.0 and 1.1 after default behavior change on
September 20, 2022

<https://support.microsoft.com/en-us/topic/kb5017811-manage-transport-layer-security-tls-1-0-and-1-1-after-default-behavior-change-on-september-20-2022-e95b1b47-9c7c-4d64-9baf-610604a64c3e>
  * Blog post: Windows 10: Beware of a possible TLS disaster on
October 2022 patchday

<https://borncity.com/win/2022/10/11/windows-10-achtung-vor-einem-mglichen-tls-desaster-zum-oktober-2022-patchday/>

Our QMT v1.3 system with this issue does support TLS 1.2 for smtp and 
submission, but Courier IMAP only supports up to TLS 1.0. Results via 
testssl.sh:



smtp and submission

|SSLv2 not offered (OK) SSLv3 offered (NOT ok) TLS 1 offered 
(deprecated) TLS 1.1 offered (deprecated) TLS 1.2 offered (OK) TLS 
1.3 not offered and downgraded to a weaker protocol |



imap

|SSLv2 not offered (OK) SSLv3 not offered (OK) TLS 1 offered 
(deprecated) TLS 1.1 not offered TLS 1.2 not offered and downgraded 
to a weaker protocol TLS 1.3 not offered and downgraded to a weaker 
protocol NPN/SPDY not offered ALPN/HTTP2 not offered |


Because the error should only occur when TLS 1.2 is not available, I 
think the |Ox800CCC1A| in Outlook occurs when doing an IMAP transaction.


This thread 
<https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg43073.html> 
started by Janno Sannik a couple years ago contains some hints how to 
upgrade or replace Courier for better TLS support.


Quinn

Re: [qmailtoaster]Fixed - Outlook users get "unsupported encryption type" error after Windows update

[Jeff Koch]

Eric - good news - upgrading Dovecot to the latest CDB version fixed the 
problem. Outlook users with the current updates can now get their IMAP 
(and I guess POP3) mail.


Thanks as always for your help.

Jeff Koch



On 10/15/2022 10:15 AM, Eric Broch wrote:


wget 
http://repo.whitehorsetc.com/7/spl/cdb/testing/x86_64/dovecot-2.3.7.2-9.qt.cdb.el7.x86_64.rpm


yum update 
http://repo.whitehorsetc.com/7/spl/cdb/testing/x86_64/dovecot-2.3.7.2-9.qt.cdb.el7.x86_64.rpm



On 10/15/2022 7:45 AM, Jeff Koch wrote:

Hi Eric - thanks for the rpm - can I just install it as is?

I'll configure my Windows 10 laptop today to run Outlook, advanced 
logging and see if I can trace a connection.


Jeff



On 10/15/2022 6:50 AM, Eric Broch wrote:


Actually, this is the latest one for cdb:

http://repo.whitehorsetc.com/7/spl/cdb/testing/x86_64/dovecot-2.3.7.2-9.qt.cdb.el7.x86_64.rpm

But if you're seeing nothing in the dovecot log, it means that there 
is no connection being made to the server from the PC which 
indicates something going on on the PC not the server.


Can you use tcpdump to see if any connection is being made. Tailor 
the command for the remote host and port.


You could also turn on advanced logging in Dovecot to troubleshoot.

Again, if nothing is in the Dovecot log, is a connection even being 
attempted by Outlook. If it is, is it being blocked by some Windows 
issue?


It'd be nice to know, if any traffic from the PC is even going 
across the network.



On 10/14/2022 9:10 PM, Jeff Koch wrote:

Hi Eric:

We're using dovecot-2.2.32-22.qt.el7.cdb.x86_64.rpm but I see the 
lastest qmt release is 2.3.11.3-12.qt.el7. Would it do any good to 
upgrade?


Jeff

On 10/14/2022 7:38 PM, Eric Broch wrote:


What is in the Dovecot log?


On 10/13/2022 12:04 PM, Jeff Koch wrote:

Hi Eric:

Has anyone figured out what's going on and is this a good short 
term fix? We also have Outlook users that say they are not 
connecting to IMAP. However we use Dovecot IMAP and the SSL 
connection on port 993 says its using TLSv1.2


Jeff

On 10/12/2022 9:21 PM, Eric Broch wrote:


What version of qmt

On 10/12/2022 2:16 PM, Quinn Comendant wrote:


Today we received several complaints from Outlook users who are 
unable to connect to QMT servers. They get this error:


Task "u...@example.com - Sending: reported error (Ox800CCC1A) :
'Your server does not support the connection encryption
type you have
specified. Try changing the encryption method. Contact your
mail server
administrator or internet service provider (ISP) for
additional assistance.'

The error began after installing Windows 10 servicing stack 
update - 19042.1940, 19043.1940, and 19044.1940 
<https://support.microsoft.com/en-us/topic/october-11-2022-kb5018410-os-builds-19042-2130-19043-2130-and-19044-2130-6390f057-28ca-43d3-92ce-f4b79a8378fd>, 
and the problem was fixed by uninstalling the update.


Has anyone else experienced this, or know what the problem 
could be? I hope there is a config change I can make on QMT 
servers so that users will not need to uninstall the update.


Quinn

Re: [qmailtoaster] forwarding to gmail address fails because of hard spf check

[Jeff Koch]

Peter - I don't think it matters whether the domain is added to 
rcpthosts or morercpthosts - the toaster will generally add additional 
domains to morercpthosts but it should work fine either way.


Jeff

On 1/4/2023 12:18 PM, Peter Peltonen wrote:
Okay I tested this setup and it seems to work, mail gets through and I 
get spf=pass for it in Gmail.


The only difference to the procedure I posted earlier were:

- needed to add srs.xyz.com  to morercpthosts and 
not to rcpthosts as I have more than 50 domains hosted

- at the end I ran qmailctl cdb and qmailctl restart, not sure if needed

Best,
Peter



On Tue, Jan 3, 2023 at 11:22 AM Peter Peltonen 
 wrote:


Googling "srs qmailtoaster" gave me this link:


http://wiki.qmailtoaster.net/index.php/Configuring_SRS_on_Toaster_1.03-1.3.13%2B

which does not work, it seems qmailtoaster.com
 should be used instead of .net

Okay now we have the instructions I guess I could try to test it,
I have a spare registered domain I could test with. Does this
sound ok procedure:

  * setup domain xyz.com  with SPF with hard fail
(-all) and the toaster as the MX
  * send email from xyz.com  to GMail through our
toaster: should pass ok
  * setup forwarding from xyz.com  to GMail
  * send email to xyz.com : should fail because
GMail does not accept
  * setup SRS at toaster:

 1. create NS record for domain srs.xyz.com 
with MX pointing to our toaster
 2. echo srs.xyz.com  >
/var/qmail/control/srs_domain
 3. mkpasswd -l 32 > /var/qmail/control/srs_secrets
 4. mkpasswd -l 32 >> /var/qmail/control/srs_secrets
 5. (repeat mkpasswd as many times you need, not sure how many is
really needed?)
 6. echo 7 > /var/qmail/control/srs_maxage
 7. echo 8 > /var/qmail/control/srs_hashlength
 8. qmailctl restart
 9. echo srs.xyz.com  >>
/var/qmail/control/rcpthosts
10. echo srs.xyz.com:srs >> /var/qmail/control/virtualdomains
11. echo "| /var/qmail/bin/srsfilter" >
/var/qmail/alias/.qmail-srs-default
(ownershp of other alias files on my server are user alias
group nofiles, so probably this should be changed to the same?)

  * send email to xyz.com : should pass ok


What do you think Angus?

Best,
Peter


On Mon, Jan 2, 2023 at 7:52 PM Angus McIntyre  wrote:



Peter Peltonen wrote on 1/2/23 11:57 AM:
> Some of my toaster users have their email forwarded to Gmail
... Some
> googling around tells me that SRS could be the solution for
this
> problem.
>
> There is info on this at Qmailtoaster Wiki, but the site
seems to be
> somehow broken.

Which page are you looking at, and in what way does it seem
broken?



http://wiki.qmailtoaster.com/index.php/Configuring_SRS_on_Toaster_1.03-1.3.13%2B

currently loads fine for me, and looks as if it has good
information.

I should stress that I haven't tried this yet. I didn't know
about SRS
until you posted this (thank you!) but I'm having the same
issue as you
and it sounds as if this might be just what I need.

Would anyone who's actually implemented this care to comment?

Angus


-
To unsubscribe, e-mail:
qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail:
qmailtoaster-list-h...@qmailtoaster.com

Re: [qmailtoaster] Status of Domain Keys in QMT

[Jeff Koch]

The tcp.smtp on our QMT mailservers looks like this:

:allow,SIMSCAN_DEBUG="5",BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="25",CHKUSER_WRONGRCPTLIMIT="10",NOP0FCHECK="1",QMAILQUEUE="/var/qmail/bin/simscan",DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKVERIFY="DEGIJKfh",DKSIGN="/var/qmail/control/domainkeys/%/private"

for outgoing mail we have a revised version of qmail-remote written in 
perl which signs outgoing mail.


Jeff

On 10/1/2023 2:18 PM, Quinn Comendant wrote:

Hi all,

What is the current status of Domain Keys in QMT? I've been following the advice 
given in  
(“Unfortunately, domain keys are broken in Toaster. It's recommended that you disable 
them for the time being.”), but wonder if there has been movement to fix this? 
Anybody get DKIM working?

Also, I noticed during a recent upgrade the `qmail-queue` symlink was pointing to 
`qmail-dk` by default; I thought by default it would go to `qmail-queue.orig` (the page 
above writes, "This will be disabled in future releases anyway").

Regards,
Quinn

-
To unsubscribe, e-mail:qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail:qmailtoaster-list-h...@qmailtoaster.com

[qmailtoaster] Adding additional DKIM signatures to an email

[Jeff Koch]

Hi List

We've had a request from a client that uses one of our QMT mailservers. 
He wants to know if we can add an additional DKIM signature to the 
emails his sends. Currently we sign all emails with the DKIM key 
associated with the host name of the mailserver. I suppose this would be 
an additional signature created by his key and validated by the DKIM 
entry in his DNS zone.


Any thoughts?

Regards, Jeff Koch

[qmailtoaster] More: Adding additional DKIM signatures to an email

[Jeff Koch]

List:

Actually this turns out to be a little more difficult than the info in 
'http://www.qmailtoaster.com/dkim.html'. We have a client sending out 
newsletters in behalf of other entities (allowed by their SPF's). But he 
wants to sign the emails with his domain's key.  So really the question 
is how does the dkim code know which key to use to sign the email.


Jeff


Hi List

We've had a request from a client that uses one of our QMT mailservers. 
He wants to know if we can add an additional DKIM signature to the 
emails his sends. Currently we sign all emails with the DKIM key 
associated with the host name of the mailserver. I suppose this would be 
an additional signature created by his key and validated by the DKIM 
entry in his DNS zone.


Any thoughts?

Regards, Jeff Koch

[qmailtoaster] Receiving repeat copies of large files from gmail

[Jeff Koch]

Hi List:

One of our users receives email with large excel file attachments - over 
20MB - from a gmail and Outlook accounts. He reported that with these 
very large emails he's getting multiple copies with a new copy coming 
every couple of hours.


I checked his inbox and these are identical complete emails except for 
the 'part' codes withing the email body. It seems as if gmail is not 
getting the proper message received response from out QMT mailserver 
and, as a result, resend the email.


Has anybody else seen something like this?  I don't think it's a timeout 
on our end because the emails are complete. Nor is it a size issue since 
we have databytes set to 60 MB.


Any ideas on what I should look at?

Regards, Jeff Koch

[qmailtoaster] Talk_faster_next_time

[Jeff Koch]

Hi List:

Maybe you can advise on this.

I am sending an email with a 23MB attachment from one QMT mailserver to 
another. Both QMT server are on the same AWS network. However, the email 
gets deferred with:


21:03:30.201449500 starting delivery 513699: msg 397530692

21:04:10.328736500 delivery 513699: 
deferral:..failed_after_I_sent_the_message./Remote_host_said:_421_Tim

eout._Talk_faster_next_time./


Any idea what I should look at? It's only 40 seconds from the start of 
the delivery to the 'Timeout'.


Spamdyke timeout settings on the receiving server:

idle-timeout-secs=30
connection-timeout-secs=1800

Thanks,  Jeff Koch

Re: [qmailtoaster] Talk_faster_next_time

[Jeff Koch]

Thanks Remo - I'll give it a try.   Jeff

On 2/11/2024 1:55 PM, Remo Mattei wrote:
My guess is lookup try to add or change dns server or put something in 
the host file see what happen.


--
Sent from iPhone

On sabato, feb 10, 2024 at 19:53, Jeff Koch
 wrote:
Hi List:

Maybe you can advise on this.

I am sending an email with a 23MB attachment from one QMT
mailserver to another. Both QMT server are on the same AWS
network. However, the email gets deferred with:

21:03:30.201449500 starting delivery 513699: msg 397530692

21:04:10.328736500 delivery 513699:

deferral:..failed_after_I_sent_the_message./Remote_host_said:_421_Tim
eout._Talk_faster_next_time./


Any idea what I should look at? It's only 40 seconds from the
start of the delivery to the 'Timeout'.

Spamdyke timeout settings on the receiving server:

idle-timeout-secs=30
connection-timeout-secs=1800

    Thanks,  Jeff Koch

Re: [qmailtoaster] Talk_faster_next_time

[Jeff Koch]

Hi Eric:

I guess what I'm trying to get my brain around is where in the smtp 
process and under what circumstances the message 
'421_Timeout._Talk_faster_next_time' is generated. To start ss this a 
spamdyke thing or a qmail-smtp thing ?


Jeff

On 2/11/2024 12:30 AM, Eric Broch wrote:

Can you bump the idle timeout up to a couple minutes
On Feb 10, 2024, at 8:53 PM, Jeff Koch  
wrote:


Hi List:

Maybe you can advise on this.

I am sending an email with a 23MB attachment from one QMT
mailserver to another. Both QMT server are on the same AWS
network. However, the email gets deferred with:

21:03:30.201449500 starting delivery 513699: msg 397530692

21:04:10.328736500 delivery 513699:

deferral:..failed_after_I_sent_the_message./Remote_host_said:_421_Tim
eout._Talk_faster_next_time./


Any idea what I should look at? It's only 40 seconds from the
start of the delivery to the 'Timeout'.

Spamdyke timeout settings on the receiving server:

idle-timeout-secs=30
connection-timeout-secs=1800

Thanks,  Jeff Koch

Re: [qmailtoaster] OT - Question about Rocky Linux

[Jeff Koch]

Hi - this is really OT but I trust the judgement of this group.

All of our servers are running CentOS 7 and we're little leery of the 
CentOS stream and with RedHat having taken over CentOS. However, we've 
been in the RH Linux eco-system for 25 years and SUSE, Debian and Ubuntu 
would be a tough adjustment. I hear a lot about Rocky Linux.  Are you 
CentOS guys comfortable with Rocky Linux?


Jeff



On 2/18/2024 4:28 PM, Gary Bowling wrote:



What is everyone doing with selinux on new Rocky 9 builds?


In the past, I've always disabled selinux. But maybe for some added 
security it's time to do something different. I've learned a bit about 
selinux and am using it successfully in my new web servers. But it 
comes with some things already set up for nginx and standard web 
directories. It will be a bit trickier with a "toaster."



Thanks, gb

--

The Moderns on Spotify 

- 
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com 
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com 

[qmailtoaster] Qmail Admin File error 6 - IP Address Change

[Jeff Koch]

Hi - we have a user getting File error 6  errors ( IP != IP) when he 
uses qmail admin on his cell phone and tablet and sometimes from his 
office. This is due to his provider changing his IP address during his 
session. I understand qmail admin may view the IP change as session 
spoofing and cancels authentication. Is there any work-around that still 
provides session security?


Thanks,  Jeff

Re: [qmailtoaster] Qmail Admin File error 6 - IP Address Change

[Jeff Koch]

Hi Eric:

Here's an image. The user is in Ecuador. But don't cell phone data 
connections or even the Dish network often change IP addresses while 
you've got a screen open ?


Jeff





On 4/2/2024 9:39 AM, Eric Broch wrote:

I'm not aware of any, but giving it some thought:

What provider does this!!!???

Is there any software anywhere that could overcome something like this 
where once communication is establish between hosts and one host's IP 
address arbitrarily changes how could any communication still 
exist


*perplexed*


On 4/2/2024 7:27 AM, Jeff Koch wrote:

File error 6


-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com

[qmailtoaster] Rocky9 - new mailserver setup - off topic

[Jeff Koch]

Hi - we're setting up a new mailserver with Rocky 9 and the learning 
curve is slow as is usual with the first time with a new distro.


Anyway because our various scripts look for apache at /usr/local/apache/ 
we've decided to compile our own binary with the latest apache and have 
run into trouble / errors related to 'nghttp2'.


We did download, compile and install the latest nghttp2-1.61.0 from 
github. The configure and make went well and http1.1 works but apache 
generates the following error when we activate  mod_http2


 (Cannot load modules/mod_http2.so into server: 
/usr/local/apache2/modules/mod_http2.so: undefined symbol: 
nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation)


If anyone on the list has compiled their own httpd 2.4.59 with Rocky 9 
would you mind sharing the details ?


Thanks, Jeff Koch



-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com

[qmailtoaster] Re: Rocky9 - new mailserver setup - off topic

[Jeff Koch]

I may have resolved this. I did the Rocy9 distro install of apache and 
copied the mod_http2.so file over to our install of apache. Seems to 
work (no errors) but I won't know for sure until we setup Lets Encrypt 
SSL certbot tomorrow


Jeff

On 4/14/2024 3:11 PM, Jeff Koch wrote:


Hi - we're setting up a new mailserver with Rocky 9 and the learning 
curve is slow as is usual with the first time with a new distro.


Anyway because our various scripts look for apache at 
/usr/local/apache/ we've decided to compile our own binary with the 
latest apache and have run into trouble / errors related to 'nghttp2'.


We did download, compile and install the latest nghttp2-1.61.0 from 
github. The configure and make went well and http1.1 works but apache 
generates the following error when we activate mod_http2


 (Cannot load modules/mod_http2.so into server: 
/usr/local/apache2/modules/mod_http2.so: undefined symbol: 
nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation)


If anyone on the list has compiled their own httpd 2.4.59 with Rocky 9 
would you mind sharing the details ?


Thanks, Jeff Koch

Re: [qmailtoaster] Re: Rocky9 - new mailserver setup - off topic

[Jeff Koch]

Gary - thanks for this info - I'll add it to our setup notes.

Jeff

On 4/15/2024 8:25 AM, Gary Bowling wrote:



Hey Jeff, glad you're making progress. Be aware that when you get a 
new cert from Letsencrypt that the default now retrieves an ECDSA 
cert. Which is fine for apache, but doesn't work on qmail, or at least 
it didn't for me. To fix that you'll need to configure letsencrypt to 
give you an RSA 2048 cert.



There are two ways to do that. If you want all your certs to be RSA 
2048, you can add this to the /etc/letsencrypt/cli.ini file.


key-type = rsa
rsa-key-size = 2048


If you just want to do that for your keys you use in qmail, then you 
can put the above in the /etc/letsencrypt/renewal/domain.conf file. 
Where "domain" is the name of the cert you're renewing. Certbot 
creates the file so it should already be there.



Gary


On 4/14/2024 10:39 PM, Jeff Koch wrote:
I may have resolved this. I did the Rocy9 distro install of apache 
and copied the mod_http2.so file over to our install of apache. Seems 
to work (no errors) but I won't know for sure until we setup Lets 
Encrypt SSL certbot tomorrow


Jeff

On 4/14/2024 3:11 PM, Jeff Koch wrote:


Hi - we're setting up a new mailserver with Rocky 9 and the learning 
curve is slow as is usual with the first time with a new distro.


Anyway because our various scripts look for apache at 
/usr/local/apache/ we've decided to compile our own binary with the 
latest apache and have run into trouble / errors related to 'nghttp2'.


We did download, compile and install the latest nghttp2-1.61.0 from 
github. The configure and make went well and http1.1 works but 
apache generates the following error when we activate  mod_http2


 (Cannot load modules/mod_http2.so into server: 
/usr/local/apache2/modules/mod_http2.so: undefined symbol: 
nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation)


If anyone on the list has compiled their own httpd 2.4.59 with Rocky 
9 would you mind sharing the details ?


Thanks, Jeff Koch




- 
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com 
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com 

[qmailtoaster] Rocky9 - new mailserver setup - off topic

[Jeff Koch]

Hi Eric - Besides Rocky9/EL9 are you working with any other distros?  
EL9/epel is missing two libraries I need - libmaxminddb and  oniguruma.


Jeff


On 4/15/2024 12:44 PM, Eric Broch wrote:


Neither,

/var/qmail/control/dh2048.pem
/var/qmail/control/rsa2048.pem

On 4/15/2024 10:33 AM, Gary Bowling wrote:



Thanks, will still require rsa?


On 4/15/2024 10:47 AM, Eric Broch wrote:


My next iteration on EL9 will remove keysize it's deprecated, has 
been for a while. Should have the new code out within the week.


SSL_CTX_set_tmp_rsa_callback · openssl/openssl · Discussion #23769 
(github.com) <https://github.com/openssl/openssl/discussions/23769>



On 4/15/2024 6:25 AM, Gary Bowling wrote:



Hey Jeff, glad you're making progress. Be aware that when you get a 
new cert from Letsencrypt that the default now retrieves an ECDSA 
cert. Which is fine for apache, but doesn't work on qmail, or at 
least it didn't for me. To fix that you'll need to configure 
letsencrypt to give you an RSA 2048 cert.



There are two ways to do that. If you want all your certs to be RSA 
2048, you can add this to the /etc/letsencrypt/cli.ini file.


key-type = rsa
rsa-key-size = 2048


If you just want to do that for your keys you use in qmail, then 
you can put the above in the /etc/letsencrypt/renewal/domain.conf 
file. Where "domain" is the name of the cert you're renewing. 
Certbot creates the file so it should already be there.



Gary


On 4/14/2024 10:39 PM, Jeff Koch wrote:
I may have resolved this. I did the Rocy9 distro install of apache 
and copied the mod_http2.so file over to our install of apache. 
Seems to work (no errors) but I won't know for sure until we setup 
Lets Encrypt SSL certbot tomorrow


Jeff

On 4/14/2024 3:11 PM, Jeff Koch wrote:


Hi - we're setting up a new mailserver with Rocky 9 and the 
learning curve is slow as is usual with the first time with a new 
distro.


Anyway because our various scripts look for apache at 
/usr/local/apache/ we've decided to compile our own binary with 
the latest apache and have run into trouble / errors related to 
'nghttp2'.


We did download, compile and install the latest nghttp2-1.61.0 
from github. The configure and make went well and http1.1 works 
but apache generates the following error when we activate  mod_http2


 (Cannot load modules/mod_http2.so into server: 
/usr/local/apache2/modules/mod_http2.so: undefined symbol: 
nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation)


If anyone on the list has compiled their own httpd 2.4.59 with 
Rocky 9 would you mind sharing the details ?


Thanks, Jeff Koch




- 
To unsubscribe, e-mail: 
qmailtoaster-list-unsubscr...@qmailtoaster.com For additional 
commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com 
- 
To unsubscribe, e-mail: 
qmailtoaster-list-unsubscr...@qmailtoaster.com For additional 
commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com 

Re: [qmailtoaster] qmail using ramdisk

[Jeff Koch]

We've used ramdisks to hold the qmail-queue and it did make a big 
difference in speed. Depending on the size of ram disk you could also 
consider including /var/log/qmail which also uses a lot of IO.  Although 
we backed up the ram disk before planned reboots we weren't particularly 
concerned if those two directories were accidentally wiped.


Jeff

On 6/6/2024 3:28 AM, William Silverstein wrote:

I wondered if using a RAM disk (maybe 32 GB) in Qmail would speed up
processing, i.e., handling scanning (using qmail-scanner)?

Is this a crazy idea?

Re: [qmailtoaster] qmail using ramdisk

[Jeff Koch]

Just my opinion

200 MB for the queue
1GB for logs assuming 21 logs x 14MB x 3(sub,send,smtp)

This assumes your going to use actual ram memory - not SSD and not swap 
- otherwise there's no point.


Jeff


On 6/6/2024 1:20 PM, William Silverstein wrote:

What would be a good size?

On Thu, June 6, 2024 3:50 am, Eric Broch wrote:

It should. Do you need 32 GB?

On 6/6/2024 1:28 AM, William Silverstein wrote:

I wondered if using a RAM disk (maybe 32 GB) in Qmail would speed up
processing, i.e., handling scanning (using qmail-scanner)?

Is this a crazy idea?




-
To unsubscribe, e-mail:qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail:qmailtoaster-list-h...@qmailtoaster.com

Re: [qmailtoaster] qmail using ramdisk

[Jeff Koch]

Yes /var/qmail/queue. That folder has most of the I/O and where a ram 
disk has the most benefit. And when you create the ramdisk use 'noatime' 
so the CPU doesn't waste time logging meaningless access timestamps. You 
could do a tarzip backup of the queue folder every 10 minutes. If you 
have a substantial risk of unplanned shutdowns and crashes and you're 
dealing with critical emails I wouldn't use a ram disk.


Jeff

On 6/6/2024 1:20 PM, William Silverstein wrote:

I didn't think about the qmail log files, which would be good.

Where is qmail-queue? What is that? Do you mean /var/qmail/queue? I don't
want to risk mail being lost if the system was unexpectedly shutdown.





On Thu, June 6, 2024 5:39 am, Jeff Koch wrote:

We've used ramdisks to hold the qmail-queue and it did make a big
difference in speed. Depending on the size of ram disk you could also
consider including /var/log/qmail which also uses a lot of IO.  Although
we backed up the ram disk before planned reboots we weren't particularly
concerned if those two directories were accidentally wiped.

Jeff

On 6/6/2024 3:28 AM, William Silverstein wrote:

I wondered if using a RAM disk (maybe 32 GB) in Qmail would speed up
processing, i.e., handling scanning (using qmail-scanner)?

Is this a crazy idea?

[qmailtoaster] DKIM seems now to be required by Outlook

[Jeff Koch]

QMT'ers

Emails to Outlook accounts started bouncing today until we added unique 
dkim keys and DNS records to the sender domains.  So now we'll probably 
need to do the same for all the accounts we do email for.


So I was thinking it would be a whole lot easier if we gave everyone the 
same key and DNS text record. Then the question is whether we can setup 
a wildcard signconf.xml stanza something like:



  < * domain="*" keyfile="/var/qmail/control/dkim/wildcard.key" 
selector="dkim1">

    
    
  


Any thoughts on whether this is doable or advisable ?

Jeff

Re: [qmailtoaster] DKIM seems now to be required by Outlook

[Jeff Koch]

They seem to work for me.

http://www.qmailtoaster.com/dkim.html

Jeff

On 6/19/2024 8:30 PM, Chris Knight wrote:

The wiki says that Domain Keys are broken, and will be removed from future 
releases.  What does that mean for DKIM support?

http://wiki.qmailtoaster.com/index.php?title=Disabling_Domain_Keys



On Jun 20, 2024, at 12:01 PM, Jeff Koch  wrote:

QMT'ers

Emails to Outlook accounts started bouncing today until we added unique dkim 
keys and DNS records to the sender domains.  So now we'll probably need to do 
the same for all the accounts we do email for.

So I was thinking it would be a whole lot easier if we gave everyone the same 
key and DNS text record. Then the question is whether we can setup a wildcard 
signconf.xml stanza something like:


   < * domain="*" keyfile="/var/qmail/control/dkim/wildcard.key" 
selector="dkim1">
 
 
   


Any thoughts on whether this is doable or advisable ?

Jeff


-
To unsubscribe, e-mail:qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail:qmailtoaster-list-h...@qmailtoaster.com

[qmailtoaster] dkim - automating signconf.xml setup

[Jeff Koch]

Hi List

Does anyone have instructions on how to include the signconf.xml 
configuration whenever a new account is setup?


Jeff

[qmailtoaster] dkim global - signing

[Jeff Koch]

Hi:

We must be doing something wrong. Maybe one of you can help. No matter 
how we setup the contents of signconf.xml we can't get qmail-remote to 
sign emails with anything other than the mailserver's name unless we 
specify each domain in a separate stanza of the xml file.


For example: If we use a signconf.xml file with just the global stanza 
as in:



  
  keyfile="/var/qmail/control/dkim/global.key" method="simple" 
selector="dkim1">

    
  


and then sign an email from say 'j...@domain1.com' and send that email 
to a gmail account. Gmail's dkim analysis shows:

---
DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=mymailserver.com; h= 
message-id:date:subject:from:to:mime-version:content-type 
:content-transfer-encoding; s=dkim1;

---
and it pulls the dkim dns record from 'mymailserver.com' based on the 
'd' attribute to verify the signature.


But what we really want is for the dkim signature to show 
'd=domain1.com' so that gmail uses the dkim record in domain1.com's DNS 
record and the only way we've been able to make that happen is to have a 
separate signconf.xml stanza for 'domain1.com' like:


 keyfile="/var/qmail/control/dkim/some.key" selector="dkim1">

    
    
  

Somehow qmail-remote should be extracting sending domain name from 'from 
address' and using that in the 'd' attribute when signing the email. But 
it's not doing that for us.


Jeff

Re: [qmailtoaster] dkim global - signing

[Jeff Koch]

Yes !

On 6/22/2024 1:14 PM, Eric Broch wrote:


Are these installed on your server?

  yum -y install perl-XML-Simple perl-Mail-DKIM perl-XML-Parser
On 6/22/2024 10:52 AM, Jeff Koch wrote:

Hi:

We must be doing something wrong. Maybe one of you can help. No 
matter how we setup the contents of signconf.xml we can't get 
qmail-remote to sign emails with anything other than the mailserver's 
name unless we specify each domain in a separate stanza of the xml file.


For example: If we use a signconf.xml file with just the global 
stanza as in:



  
  keyfile="/var/qmail/control/dkim/global.key" method="simple" 
selector="dkim1">

    
  


and then sign an email from say 'j...@domain1.com' and send that 
email to a gmail account. Gmail's dkim analysis shows:

---
DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=mymailserver.com; h= 
message-id:date:subject:from:to:mime-version:content-type 
:content-transfer-encoding; s=dkim1;

---
and it pulls the dkim dns record from 'mymailserver.com' based on the 
'd' attribute to verify the signature.


But what we really want is for the dkim signature to show 
'd=domain1.com' so that gmail uses the dkim record in domain1.com's 
DNS record and the only way we've been able to make that happen is to 
have a separate signconf.xml stanza for 'domain1.com' like:


 keyfile="/var/qmail/control/dkim/some.key" selector="dkim1">

    
    
  

Somehow qmail-remote should be extracting sending domain name from 
'from address' and using that in the 'd' attribute when signing the 
email. But it's not doing that for us.


Jeff

Re: [qmailtoaster] dkim global - signing

[Jeff Koch]

Hi Philip - this is it:


  
  keyfile="/var/qmail/control/dkim/global.key" method="simple" 
selector="dkim1">

    
  


Note that the 'domain' attribute is defined as 'me' which is the 
mailserver's name and that is what shows up as the 'd' attribute in the 
dkim signing that gmail sees.


Jeff


On 6/22/2024 1:14 PM, Philip Nix Guru wrote:


Hello

post your

signconf.xml

Regards
On 6/22/24 18:52, Jeff Koch wrote:

Hi:

We must be doing something wrong. Maybe one of you can help. No 
matter how we setup the contents of signconf.xml we can't get 
qmail-remote to sign emails with anything other than the mailserver's 
name unless we specify each domain in a separate stanza of the xml file.


For example: If we use a signconf.xml file with just the global 
stanza as in:



  
  keyfile="/var/qmail/control/dkim/global.key" method="simple" 
selector="dkim1">

    
  


and then sign an email from say 'j...@domain1.com' and send that 
email to a gmail account. Gmail's dkim analysis shows:

---
DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=mymailserver.com; h= 
message-id:date:subject:from:to:mime-version:content-type 
:content-transfer-encoding; s=dkim1;

---
and it pulls the dkim dns record from 'mymailserver.com' based on the 
'd' attribute to verify the signature.


But what we really want is for the dkim signature to show 
'd=domain1.com' so that gmail uses the dkim record in domain1.com's 
DNS record and the only way we've been able to make that happen is to 
have a separate signconf.xml stanza for 'domain1.com' like:


 keyfile="/var/qmail/control/dkim/some.key" selector="dkim1">

    
    
  

Somehow qmail-remote should be extracting sending domain name from 
'from address' and using that in the 'd' attribute when signing the 
email. But it's not doing that for us.


Jeff

Re: [qmailtoaster] dkim global - signing

[Jeff Koch]

Hi Philip:

I think this is what you want:


  
  keyfile="/var/qmail/control/dkim/global.key" method="simple" 
selector="dkim1">

    
  
keyfile="/var/qmail/control/dkim/global.key" selector="dkim1">

    
    
  


But in this case an email from j...@domain1.com would be signed with the 
'/var/qmail/control/dkim/global.key' and the attribute "d=domain1.com". 
What I'm trying to do is avoid having to list stanzas for the hundreds 
of domains on this mailserver and still have emails show as being signed 
by the key associated with the sender's domain.


Jeff



On 6/22/2024 2:30 PM, Philip Nix Guru wrote:


Hello Jeff

ok but I mean paste the sign.conf including the domain1.com using a 
different key :)


just to make sure the format is correct


I recall a friend had issues and he just forgot to add

 at the end ... -P
On 6/22/24 20:19, Jeff Koch wrote:

Hi Philip - this is it:


  
  keyfile="/var/qmail/control/dkim/global.key" method="simple" 
selector="dkim1">

    
  


Note that the 'domain' attribute is defined as 'me' which is the 
mailserver's name and that is what shows up as the 'd' attribute in 
the dkim signing that gmail sees.


Jeff


On 6/22/2024 1:14 PM, Philip Nix Guru wrote:


Hello

post your

signconf.xml

Regards
On 6/22/24 18:52, Jeff Koch wrote:

Hi:

We must be doing something wrong. Maybe one of you can help. No 
matter how we setup the contents of signconf.xml we can't get 
qmail-remote to sign emails with anything other than the 
mailserver's name unless we specify each domain in a separate 
stanza of the xml file.


For example: If we use a signconf.xml file with just the global 
stanza as in:



  
  keyfile="/var/qmail/control/dkim/global.key" method="simple" 
selector="dkim1">

    
  


and then sign an email from say 'j...@domain1.com' and send that 
email to a gmail account. Gmail's dkim analysis shows:

---
DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=mymailserver.com; h= 
message-id:date:subject:from:to:mime-version:content-type 
:content-transfer-encoding; s=dkim1;

---
and it pulls the dkim dns record from 'mymailserver.com' based on 
the 'd' attribute to verify the signature.


But what we really want is for the dkim signature to show 
'd=domain1.com' so that gmail uses the dkim record in domain1.com's 
DNS record and the only way we've been able to make that happen is 
to have a separate signconf.xml stanza for 'domain1.com' like:


 keyfile="/var/qmail/control/dkim/some.key" selector="dkim1">

    
    
  

Somehow qmail-remote should be extracting sending domain name from 
'from address' and using that in the 'd' attribute when signing the 
email. But it's not doing that for us.


Jeff

[qmailtoaster] Converting dot qmail forwards to mysql by domain

[Jeff Koch]

Hi:

We're in the process of converting a large qmail/vpopmail mailserver 
with about a hundred domains, from Bill's Centos 5 Toaster to the new 
CentOS 7 qmailtoaster. It's been a bit of a learning curve but so far it 
looks good.


We're migrating blocks of ten domains at a time. We've found a script 
that generates the SQL to convert the vpasswd file to mysql but we 
haven't found anything similar for the .qmail forwards.


We'd like to do this on a domain by domain basis and have a chance to 
look at the SQL before it's executed. 'vconvert' and 'dotqmail2valias' 
seem to want to convert every domain on the server.


If anyone knows of or has a script that generates the SQL to convert 
dotqmail forwards to mysql we'd appreciate it.


Thanks, Jeff Koch

Re: [qmailtoaster] Converting dot qmail forwards to mysql by domain

[Jeff Koch]

Hmmm... I didn't see that in the doc's but I'll check it out. I would 
hate, however, to screw up the 20 or so domains that have been 
migrated.  I'd much prefer a something that generates SQL that I can 
inspect. I suppose I could write something.


By the way, thanks for putting together this version of the toaster.

Jeff

On 3/27/2017 12:08 PM, Eric Broch wrote:


Hi Jeff,

I've never used it (and there's not much documentation), but doesn't 
'dotqmail2valias' have a domainlist option?


[root@host bin]# ./dotqmail2valias
usage: dotqmail2valias [options] [domainlist]
  Converts .qmail-alias files for listed domains to valias format.
  Options:
-a = convert all domains
-v = version
-d = debug info

For example, could it be used like so? :

./dotqmail2valias mydomain1.tld

./dotqmail2valias mydomain2.tld

.

.

.

or

./dotqmail2valias mydomain1.tld mydomain2.tld ...


Eric


On 3/27/2017 9:49 AM, Jeff Koch wrote:

Hi:

We're in the process of converting a large qmail/vpopmail mailserver 
with about a hundred domains, from Bill's Centos 5 Toaster to the new 
CentOS 7 qmailtoaster. It's been a bit of a learning curve but so far 
it looks good.


We're migrating blocks of ten domains at a time. We've found a script 
that generates the SQL to convert the vpasswd file to mysql but we 
haven't found anything similar for the .qmail forwards.


We'd like to do this on a domain by domain basis and have a chance to 
look at the SQL before it's executed. 'vconvert' and 
'dotqmail2valias' seem to want to convert every domain on the server.


If anyone knows of or has a script that generates the SQL to convert 
dotqmail forwards to mysql we'd appreciate it.


Thanks, Jeff Koch



--
Eric Broch, IMSO, DAM, NGOO, DITH, URTS
White Horse Technical Consulting (WHTC)

[qmailtoaster] qq soft reject with Centos 7

[Jeff Koch]

Hi - we're running a new qmailtoaster (installed in March 2017) on a new 
CentOS 7 server. We're seeing  a large number of soft rejects in the 
/var/log/qmail/smtp log that look like this:


qmail-smtpd: qq soft reject (mail server temporarily rejected message 
(#4.3.0)):


We tried turning off ClamAV to see if that helped but it didn't. 
However, these rejects seem to be accompanied by the following spamdyke 
errors in the /var/log/maillog:


Apr 28 09:52:29 server spamdyke[20476]: ERROR: unable to open file for 
searching /home/vpopmail/etc/tcp.s

mtp: No such file or directory
Apr 28 09:52:29 server spamdyke[20476]: ERROR: unable to open file for 
searching /home/vpopmail/etc/open-smtp: No such file or directory
Apr 28 09:52:32 server spamdyke[20476]: ERROR: unable to load or decrypt 
SSL/TLS private key from file: 
/home/vpopmail/spamdyke/server_domain_net.key : A protocol or library 
failure occurred, error:0B080074:lib(11):func(128):reason(116)
Apr 28 09:52:32 server spamdyke[20476]: ERROR: incorrect SSL/TLS private 
key password or SSL/TLS certificate/privatekey 
mismatch/home/vpopmail/spamdyke/server_domain_net.key : A protocol or 
library failure occurred, error:140A80B1:lib(20):func(168):reason(177)
Apr 28 09:52:32 server spamdyke[20476]: ERROR: unable to initialize 
SSL/TLS library
Apr 28 09:52:32 server spamdyke[20476]: TLS_ENCRYPTED from: (unknown) 
to: (unknown) origin_ip: 200.xx.xx.10 origin_rdns: ns.blah-blah.net 
auth: (unknown) encryption: TLS_PASSTHROUGH reason: (empty)


First Question - where did tcp.smtp go that used to reside in 
/home/vpopmail/etc in the old toasters?


Second Question - /home/vpopmail/spamdyke/server_domain_net.key does 
exist so what could be the reason why spamdyke is unable to decrypt the 
private key?


Thanks for any insights you guys might have.

Jeff Koch

Re: [qmailtoaster] qq soft reject with Centos 7

[Jeff Koch]

Hi Sean:

I did not remove it but I changed Yes to No for ClamAV in simscan and 
did run qmailctl cdb. In doing the research it appears that the ClamAV 
'qq soft reject' issue was only related to earlier versions of ClamAV 
and I think only on CentOS 5. But I thought I'd try removing it anyway.


Jeff

On 4/28/2017 11:47 PM, Sean P. Murphy wrote:

Hi Jeff,

To answer your first question, the tcp.smtp file and related files now 
reside in /etc/tcprules.d.  As far as your second question goes, I 
haven't used spamdyke so I can't speak to anything regarding that. 
 Perhaps Eric or someone with some more experience can help you there.


When you turned off ClamAV, did you also remove it from simscan and 
run "qmailctl cdb" after doing so?


-Sean

On Apr 28, 2017, at 8:26 PM, Jeff Koch <mailto:jeffk...@intersessions.com>> wrote:




Hi - we're running a new qmailtoaster (installed in March 2017) on a 
new CentOS 7 server. We're seeing  a large number of soft rejects in 
the /var/log/qmail/smtp log that look like this:


qmail-smtpd: qq soft reject (mail server temporarily rejected message 
(#4.3.0)):


We tried turning off ClamAV to see if that helped but it didn't. 
However, these rejects seem to be accompanied by the following 
spamdyke errors in the /var/log/maillog:


Apr 28 09:52:29 server spamdyke[20476]: ERROR: unable to open file 
for searching /home/vpopmail/etc/tcp.s

mtp: No such file or directory
Apr 28 09:52:29 server spamdyke[20476]: ERROR: unable to open file 
for searching /home/vpopmail/etc/open-smtp: No such file or directory
Apr 28 09:52:32 server spamdyke[20476]: ERROR: unable to load or 
decrypt SSL/TLS private key from file: 
/home/vpopmail/spamdyke/server_domain_net.key : A protocol or library 
failure occurred, error:0B080074:lib(11):func(128):reason(116)
Apr 28 09:52:32 server spamdyke[20476]: ERROR: incorrect SSL/TLS 
private key password or SSL/TLS certificate/privatekey 
mismatch/home/vpopmail/spamdyke/server_domain_net.key : A protocol or 
library failure occurred, error:140A80B1:lib(20):func(168):reason(177)
Apr 28 09:52:32 server spamdyke[20476]: ERROR: unable to initialize 
SSL/TLS library
Apr 28 09:52:32 server spamdyke[20476]: TLS_ENCRYPTED from: (unknown) 
to: (unknown) origin_ip: 200.xx.xx.10 origin_rdns: ns.blah-blah.net 
<http://ns.blah-blah.net> auth: (unknown) encryption: TLS_PASSTHROUGH 
reason: (empty)


First Question - where did tcp.smtp go that used to reside in 
/home/vpopmail/etc in the old toasters?


Second Question - /home/vpopmail/spamdyke/server_domain_net.key does 
exist so what could be the reason why spamdyke is unable to decrypt 
the private key?


Thanks for any insights you guys might have.

Jeff Koch

Re: [qmailtoaster] qq soft reject with Centos 7

[Jeff Koch]

Hi Erin:

Thanks, we found the tcp.smtp file at /etc/trcrules.d and pointed 
spamdyke there. So that's fixed.


We also pointed the certificate file to 
/var/qmail/control/servercert.pem and cleared those errors.


However, we are still seeing qq soft rejects in 
/var/log/qmail/smtp/current. They seem to be related to the matching 
spamdyke log entries in /var/log/maillog. Example:


Apr 29 11:05:46 server clamd[661]: 
/var/qmail/simscan/1493481946.217350.3912/msg.1493481946.217350.3912:

OK
Apr 29 11:05:46 server clamd[661]: 
/var/qmail/simscan/1493481946.217350.3912/addr.1493481946.217350.3912:

 OK
Apr 29 11:05:46 server clamd[661]: 
/var/qmail/simscan/1493481946.217350.3912/textfile1: OK
Apr 29 11:05:46 server clamd[661]: 
/var/qmail/simscan/1493481946.217350.3912/2c7fdfebf8050265e8b51bd3c2ea

58f0: OK
Apr 29 11:05:46 server spamdyke[3905]: DENIED_OTHER from: 
@pokemailing.com to: .yyy@idfim
portadora.com origin_ip: 67.211.215.94 origin_rdns: km61.pokemailing.com 
auth: (unknown) encryption: (no

ne) reason: 451_mail_server_temporarily_rejected_message_(#4.3.0)

I put the clamd log entries above so you could that clamd passed the 
message OK.  However does anybody know what 'DENIED OTHER" means or 
figure out from the message why spamdyke rejected the message?



Jeff Koch


On 4/29/2017 1:18 AM, Eric Broch wrote:

Hi Jeff,

Do you know why spamdyke would be looking in /home/vpopmail/etc for 
anything ? I've never heard of this before.


Spamdyke's configuration directory is a link in /etc: /etc/spamdyke -> 
../opt/spamdyke/etc.


Here's my spamdyke configuration: 'cat /etc/spamdyke/spamdyke.conf'



#dns-blacklist-entry=zombie.dnsbl.sorbs.net
#dns-blacklist-entry=dul.dnsbl.sorbs.net
#dns-blacklist-entry=bogons.cymru.com
dns-blacklist-entry=zen.spamhaus.org
dns-blacklist-entry=bl.spamcop.net
graylist-dir=/var/spamdyke/graylist
graylist-level=none
graylist-max-secs=2678400
graylist-min-secs=180
greeting-delay-secs=2
header-blacklist-entry=From:*>,*<*
idle-timeout-secs=60
ip-blacklist-file=/etc/spamdyke/blacklist_ip
ip-in-rdns-keyword-blacklist-file=/etc/spamdyke/blacklist_keywords
ip-in-rdns-keyword-whitelist-file=/etc/spamdyke/whitelist_keywords
ip-whitelist-file=/etc/spamdyke/whitelist_ip
qmail-rcpthosts-file=/var/qmail/control/rcpthosts
#qmail-rcpthosts-file=/var/qmail/control/qmail-morercpthosts-cdb
log-level=info
max-recipients=50
#policy-url=http://my.policy.explanation.url/
rdns-blacklist-file=/etc/spamdyke/blacklist_rdns
rdns-whitelist-file=/etc/spamdyke/whitelist_rdns
recipient-blacklist-file=/etc/spamdyke/blacklist_recipients
recipient-whitelist-file=/etc/spamdyke/whitelist_recipients
reject-empty-rdns
#reject-ip-in-cc-rdns
reject-sender=no-mx
reject-unresolvable-rdns
sender-blacklist-file=/etc/spamdyke/blacklist_senders
sender-whitelist-file=/etc/spamdyke/whitelist_senders
tls-certificate-file=/var/qmail/control/servercert.pem
tls-level=smtp



And, how did you make your certificate and where did you put it?

Let me know if that helps.

Eric


On 4/28/2017 6:26 PM, Jeff Koch wrote:
Apr 28 09:52:29 server spamdyke[20476]: ERROR: unable to open file 
for searching /home/vpopmail/etc/open-smtp: No such file or directory
Apr 28 09:52:32 server spamdyke[20476]: ERROR: unable to load or 
decrypt SSL/TLS private key from file: 
/home/vpopmail/spamdyke/server_domain_net.key : A protocol or library 
failure occurred, error:0B080074:lib(11):func(128):reason(116)
Apr 28 09:52:32 server spamdyke[20476]: ERROR: incorrect SSL/TLS 
private key password or SSL/TLS certificate/privatekey 
mismatch/home/vpopmail/spamdyke/server_domain_net.key : A protocol or 
library failure occurred, error:140A80B1:lib(20):func(168):reason(177)

Re: [qmailtoaster] qq soft reject with Centos 7

[Jeff Koch]

Eric - thanks - I'll give it a try - jeff

On 4/29/2017 2:02 PM, Eric Broch wrote:


Jeff,

In summary...

DENIED_OTHER: The connection was rejected by qmail (or another 
downstream filter), not spamdyke.|REASON| will contain the rejection 
message given by qmail (or other downstream filter).


REASON: 451_mail_server_temporarily_rejected_message_(#4.3.0).

Check /var/log/messages for segfault

Check /var/qmail/supervise/smtp/run softlimit

Try this:

Edit /var/qmail/control/simcontrol and set the following to 'no'

:clam=no,spam=no

# qmailctl stop

# qmailctl cdb

# qmailctl start

Let me know.

If that doesn't work edit /etc/tcprules.d/tcp.smtp

change

QMAILQUEUE="/var/qmail/bin/simscan"

to

QMAILQUEUE="/var/qmail/bin/qmail-queue"


Eric



On 4/29/2017 11:23 AM, Jeff Koch wrote:

Hi Erin:

Thanks, we found the tcp.smtp file at /etc/trcrules.d and pointed 
spamdyke there. So that's fixed.


We also pointed the certificate file to 
/var/qmail/control/servercert.pem and cleared those errors.


However, we are still seeing qq soft rejects in 
/var/log/qmail/smtp/current. They seem to be related to the matching 
spamdyke log entries in /var/log/maillog. Example:


Apr 29 11:05:46 server clamd[661]: 
/var/qmail/simscan/1493481946.217350.3912/msg.1493481946.217350.3912:

OK
Apr 29 11:05:46 server clamd[661]: 
/var/qmail/simscan/1493481946.217350.3912/addr.1493481946.217350.3912:

 OK
Apr 29 11:05:46 server clamd[661]: 
/var/qmail/simscan/1493481946.217350.3912/textfile1: OK
Apr 29 11:05:46 server clamd[661]: 
/var/qmail/simscan/1493481946.217350.3912/2c7fdfebf8050265e8b51bd3c2ea

58f0: OK
Apr 29 11:05:46 server spamdyke[3905]: DENIED_OTHER from: 
@pokemailing.com to: .yyy@idfim
portadora.com origin_ip: 67.211.215.94 origin_rdns: 
km61.pokemailing.com auth: (unknown) encryption: (no

ne) reason: 451_mail_server_temporarily_rejected_message_(#4.3.0)

I put the clamd log entries above so you could that clamd passed the 
message OK.  However does anybody know what 'DENIED OTHER" means or 
figure out from the message why spamdyke rejected the message?



Jeff Koch


On 4/29/2017 1:18 AM, Eric Broch wrote:

Hi Jeff,

Do you know why spamdyke would be looking in /home/vpopmail/etc for 
anything ? I've never heard of this before.


Spamdyke's configuration directory is a link in /etc: /etc/spamdyke 
-> ../opt/spamdyke/etc.


Here's my spamdyke configuration: 'cat /etc/spamdyke/spamdyke.conf'



#dns-blacklist-entry=zombie.dnsbl.sorbs.net
#dns-blacklist-entry=dul.dnsbl.sorbs.net
#dns-blacklist-entry=bogons.cymru.com
dns-blacklist-entry=zen.spamhaus.org
dns-blacklist-entry=bl.spamcop.net
graylist-dir=/var/spamdyke/graylist
graylist-level=none
graylist-max-secs=2678400
graylist-min-secs=180
greeting-delay-secs=2
header-blacklist-entry=From:*>,*<*
idle-timeout-secs=60
ip-blacklist-file=/etc/spamdyke/blacklist_ip
ip-in-rdns-keyword-blacklist-file=/etc/spamdyke/blacklist_keywords
ip-in-rdns-keyword-whitelist-file=/etc/spamdyke/whitelist_keywords
ip-whitelist-file=/etc/spamdyke/whitelist_ip
qmail-rcpthosts-file=/var/qmail/control/rcpthosts
#qmail-rcpthosts-file=/var/qmail/control/qmail-morercpthosts-cdb
log-level=info
max-recipients=50
#policy-url=http://my.policy.explanation.url/
rdns-blacklist-file=/etc/spamdyke/blacklist_rdns
rdns-whitelist-file=/etc/spamdyke/whitelist_rdns
recipient-blacklist-file=/etc/spamdyke/blacklist_recipients
recipient-whitelist-file=/etc/spamdyke/whitelist_recipients
reject-empty-rdns
#reject-ip-in-cc-rdns
reject-sender=no-mx
reject-unresolvable-rdns
sender-blacklist-file=/etc/spamdyke/blacklist_senders
sender-whitelist-file=/etc/spamdyke/whitelist_senders
tls-certificate-file=/var/qmail/control/servercert.pem
tls-level=smtp



And, how did you make your certificate and where did you put it?

Let me know if that helps.

Eric


On 4/28/2017 6:26 PM, Jeff Koch wrote:
Apr 28 09:52:29 server spamdyke[20476]: ERROR: unable to open file 
for searching /home/vpopmail/etc/open-smtp: No such file or directory
Apr 28 09:52:32 server spamdyke[20476]: ERROR: unable to load or 
decrypt SSL/TLS private key from file: 
/home/vpopmail/spamdyke/server_domain_net.key : A protocol or 
library failure occurred, error:0B080074:lib(11):func(128):reason(116)
Apr 28 09:52:32 server spamdyke[20476]: ERROR: incorrect SSL/TLS 
private key password or SSL/TLS certificate/privatekey 
mismatch/home/vpopmail/spamdyke/server_domain_net.key : A protocol 
or library failure occurred, 
error:140A80B1:lib(20):func(168):reason(177)






--
Eric Broch
White Horse Technical Consulting (WHTC)

Re: [qmailtoaster] qq soft reject with Centos 7

[Jeff Koch]

Hi Eric:

no indication of segfaults in /var/log/messages or dmesg
softlimit is set at 1  (100MB)

changed clam and spam to 'no' and did qmailctl stop, cdb, start
changed

This was the contents of tcp.smtp:

:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="100",CHKUSER_WRONGRCPTLIMIT="10",NOP0FCHECK="1",QMAILQUEUE="/var/qmail/bin/simscan",DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKVERIFY="DEGIJKfh",DKSIGN="/var/qmail/control/domainkeys/%/private"

changed to:

:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="100",CHKUSER_WRONGRCPTLIMIT="10",NOP0FCHECK="1",QMAILQUEUE="/var/qmail/bin/qmail-queue",DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKVERIFY="DEGIJKfh",DKSIGN="/var/qmail/control/domainkeys/%/private"

and then did qmailctl stop, cdb, start

Now the /var/log/maillog is showing many:

DENIED_OTHER from: 
cap21-return-27-contabilidad=idfimportadora@cape.info to: 
contabxx...@idfimpo.com origin_ip: 98.130.1.xx8 origin_rdns: 
mail1103.opentransfer.com auth: (unknown) encryption: (none) reason: 
554_qmail-dk:_Cannot_sign_message_due_to_invalid_message_syntax._(#5.3.0)


and /var/log/qmail/smtp

qmail-smtpd: qq hard reject (qmail-dk: Cannot sign message due to 
invalid message syntax. (#5.3.0)): 
MAILFROM:<323792861003aa0d40b02-b17119-1eec421bc9e947029e3ec865f716e...@mg.mailer.ctickets.com> 
RCPTTO:rodx...@brxxx.com.ec


This seems weird. Not sure why the server would be trying to sign a 
message that is coming to a local recipient. I could see it signing a 
message being sent or relayed but not received for a local recipient


Jeff


On 4/29/2017 2:02 PM, Eric Broch wrote:


Jeff,

In summary...

DENIED_OTHER: The connection was rejected by qmail (or another 
downstream filter), not spamdyke.|REASON| will contain the rejection 
message given by qmail (or other downstream filter).


REASON: 451_mail_server_temporarily_rejected_message_(#4.3.0).

Check /var/log/messages for segfault

Check /var/qmail/supervise/smtp/run softlimit

Try this:

Edit /var/qmail/control/simcontrol and set the following to 'no'

:clam=no,spam=no

# qmailctl stop

# qmailctl cdb

# qmailctl start

Let me know.

If that doesn't work edit /etc/tcprules.d/tcp.smtp

change

QMAILQUEUE="/var/qmail/bin/simscan"

to

QMAILQUEUE="/var/qmail/bin/qmail-queue"


Eric



On 4/29/2017 11:23 AM, Jeff Koch wrote:

Hi Erin:

Thanks, we found the tcp.smtp file at /etc/trcrules.d and pointed 
spamdyke there. So that's fixed.


We also pointed the certificate file to 
/var/qmail/control/servercert.pem and cleared those errors.


However, we are still seeing qq soft rejects in 
/var/log/qmail/smtp/current. They seem to be related to the matching 
spamdyke log entries in /var/log/maillog. Example:


Apr 29 11:05:46 server clamd[661]: 
/var/qmail/simscan/1493481946.217350.3912/msg.1493481946.217350.3912:

OK
Apr 29 11:05:46 server clamd[661]: 
/var/qmail/simscan/1493481946.217350.3912/addr.1493481946.217350.3912:

 OK
Apr 29 11:05:46 server clamd[661]: 
/var/qmail/simscan/1493481946.217350.3912/textfile1: OK
Apr 29 11:05:46 server clamd[661]: 
/var/qmail/simscan/1493481946.217350.3912/2c7fdfebf8050265e8b51bd3c2ea

58f0: OK
Apr 29 11:05:46 server spamdyke[3905]: DENIED_OTHER from: 
@pokemailing.com to: .yyy@idfim
portadora.com origin_ip: 67.211.215.94 origin_rdns: 
km61.pokemailing.com auth: (unknown) encryption: (no

ne) reason: 451_mail_server_temporarily_rejected_message_(#4.3.0)

I put the clamd log entries above so you could that clamd passed the 
message OK.  However does anybody know what 'DENIED OTHER" means or 
figure out from the message why spamdyke rejected the message?



Jeff Koch


On 4/29/2017 1:18 AM, Eric Broch wrote:

Hi Jeff,

Do you know why spamdyke would be looking in /home/vpopmail/etc for 
anything ? I've never heard of this before.


Spamdyke's configuration directory is a link in /etc: /etc/spamdyke 
-> ../opt/spamdyke/etc.


Here's my spamdyke configuration: 'cat /etc/spamdyke/spamdyke.conf'



#dns-blacklist-entry=zombie.dnsbl.sorbs.net
#dns-blacklist-entry=dul.dnsbl.sorbs.net
#dns-blacklist-entry=bogons.cymru.com
dns-blacklist-entry=zen.spamhaus.org
dns-blacklist-entry=bl.spamcop.net
graylist-dir=/var/spamdyke/graylist
graylist-level=none
graylist-max-secs=2678400
graylist-min-secs=180
greeting-delay-secs=2
header-blacklist-entry=From:*>,*<*
idle-timeout-secs=60
ip-blacklist-file=/etc/spamdyke/blacklist_ip
ip-in-rdns-keyword-blacklist-file=/etc/spamdyke/blacklist_keywords
ip-in-rdns-keyword-whitelist-file=/etc/spamdyke/whitelist_keywords
ip-whitelist-file=/etc/spamdyke/whitelist_ip
qmail-rcpthosts-file=/var/qmail/control/rcpthosts
#qmail-rcpthosts-file=/var/qmail/control/qmail-morercpthosts

Re: [qmailtoaster] qq soft reject with Centos 7

[Jeff Koch]

Hi Eric:

Not yet - we had some data center issues. Will get back to it this 
afternoon after business hours. I really appreciate your help on this.


Regards, Jeff Koch


On 5/1/2017 11:26 AM, Eric Broch wrote:


Jeff,

What's the status of this...any resolution?

Eric


On 4/29/2017 10:01 PM, Jeff Koch wrote:

Hi Eric:

no indication of segfaults in /var/log/messages or dmesg
softlimit is set at 1  (100MB)

changed clam and spam to 'no' and did qmailctl stop, cdb, start
changed

This was the contents of tcp.smtp:

:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="100",CHKUSER_WRONGRCPTLIMIT="10",NOP0FCHECK="1",QMAILQUEUE="/var/qmail/bin/simscan",DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKVERIFY="DEGIJKfh",DKSIGN="/var/qmail/control/domainkeys/%/private"

changed to:

:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="100",CHKUSER_WRONGRCPTLIMIT="10",NOP0FCHECK="1",QMAILQUEUE="/var/qmail/bin/qmail-queue",DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKVERIFY="DEGIJKfh",DKSIGN="/var/qmail/control/domainkeys/%/private"

and then did qmailctl stop, cdb, start

Now the /var/log/maillog is showing many:

DENIED_OTHER from: 
cap21-return-27-contabilidad=idfimportadora@cape.info to: 
contabxx...@idfimpo.com origin_ip: 98.130.1.xx8 origin_rdns: 
mail1103.opentransfer.com auth: (unknown) encryption: (none) reason: 
554_qmail-dk:_Cannot_sign_message_due_to_invalid_message_syntax._(#5.3.0)


and /var/log/qmail/smtp

qmail-smtpd: qq hard reject (qmail-dk: Cannot sign message due to 
invalid message syntax. (#5.3.0)): 
MAILFROM:<323792861003aa0d40b02-b17119-1eec421bc9e947029e3ec865f716e...@mg.mailer.ctickets.com> 
RCPTTO:rodx...@brxxx.com.ec


This seems weird. Not sure why the server would be trying to sign a 
message that is coming to a local recipient. I could see it signing a 
message being sent or relayed but not received for a local recipient


Jeff


On 4/29/2017 2:02 PM, Eric Broch wrote:


Jeff,

In summary...

DENIED_OTHER: The connection was rejected by qmail (or another 
downstream filter), not spamdyke.|REASON| will contain the rejection 
message given by qmail (or other downstream filter).


REASON: 451_mail_server_temporarily_rejected_message_(#4.3.0).

Check /var/log/messages for segfault

Check /var/qmail/supervise/smtp/run softlimit

Try this:

Edit /var/qmail/control/simcontrol and set the following to 'no'

:clam=no,spam=no

# qmailctl stop

# qmailctl cdb

# qmailctl start

Let me know.

If that doesn't work edit /etc/tcprules.d/tcp.smtp

change

QMAILQUEUE="/var/qmail/bin/simscan"

to

QMAILQUEUE="/var/qmail/bin/qmail-queue"


Eric



On 4/29/2017 11:23 AM, Jeff Koch wrote:

Hi Erin:

Thanks, we found the tcp.smtp file at /etc/trcrules.d and pointed 
spamdyke there. So that's fixed.


We also pointed the certificate file to 
/var/qmail/control/servercert.pem and cleared those errors.


However, we are still seeing qq soft rejects in 
/var/log/qmail/smtp/current. They seem to be related to the 
matching spamdyke log entries in /var/log/maillog. Example:


Apr 29 11:05:46 server clamd[661]: 
/var/qmail/simscan/1493481946.217350.3912/msg.1493481946.217350.3912:

OK
Apr 29 11:05:46 server clamd[661]: 
/var/qmail/simscan/1493481946.217350.3912/addr.1493481946.217350.3912:

 OK
Apr 29 11:05:46 server clamd[661]: 
/var/qmail/simscan/1493481946.217350.3912/textfile1: OK
Apr 29 11:05:46 server clamd[661]: 
/var/qmail/simscan/1493481946.217350.3912/2c7fdfebf8050265e8b51bd3c2ea

58f0: OK
Apr 29 11:05:46 server spamdyke[3905]: DENIED_OTHER from: 
@pokemailing.com to: .yyy@idfim
portadora.com origin_ip: 67.211.215.94 origin_rdns: 
km61.pokemailing.com auth: (unknown) encryption: (no

ne) reason: 451_mail_server_temporarily_rejected_message_(#4.3.0)

I put the clamd log entries above so you could that clamd passed 
the message OK.  However does anybody know what 'DENIED OTHER" 
means or figure out from the message why spamdyke rejected the message?



Jeff Koch


On 4/29/2017 1:18 AM, Eric Broch wrote:

Hi Jeff,

Do you know why spamdyke would be looking in /home/vpopmail/etc 
for anything ? I've never heard of this before.


Spamdyke's configuration directory is a link in /etc: 
/etc/spamdyke -> ../opt/spamdyke/etc.


Here's my spamdyke configuration: 'cat /etc/spamdyke/spamdyke.conf'



#dns-blacklist-entry=zombie.dnsbl.sorbs.net
#dns-blacklist-entry=dul.dnsbl.sorbs.net
#dns-blacklist-entry=bogons.cymru.com
dns-blacklist-entry=zen.spamhaus.org
dns-blacklist-entry=bl.spamcop.net
graylist-dir=/var/spamdyke/graylist
graylist-level=none
graylist-max-secs=2678400
graylist-min-secs=180
greeting-delay-secs=2
header-blacklist-entry=From:*>,*<*
idle-timeout-secs=60
ip-blacklist-file=/et

Re: [qmailtoaster] qq soft reject with Centos 7

[Jeff Koch]

Hi Eric:

Here are the results of this tests. See below:

On 4/30/2017 1:08 AM, Eric Broch wrote:


Also,

My plan was that you would change things a step at a time (and check 
between steps whether qq soft rejects persisted) in this order:


Step 1) Increase softlimit in smtp run file (stop/start/cdb qmail) to 
12800


No effect - still seeing spamdyke DENIED_OTHER - 
451_mail_server_temporarily_rejected_message_(#4.3.0)


Step 2) Change /var/qmail/control/simcontrol settings from

:clam=yes,spam=yes,spam_hits=12,attach=.mp3:.src:.bat:.pif

to

:clam=no,spam=no

this stops clamd, spamc, and ripmime.

stop/start/cdb qmail.


No effect - 451_mail_server_temporarily_rejected_message_(#4.3.0)


Step 3) Revert /var/qmail/control/simcontrol settings and change 
/etc/tcprules.d/tcp.smtp


QMAILQUEUE="/var/qmail/bin/simscan"

to

QMAILQUEUE="/var/qmail/bin/qmail-queue.orig"

stop/start/cdb qmail.

So far it looks good. I've let the server run for 20 minutes and I don't 
see any 'DENIED_OTHER' or 451's nor do we see any qq soft rejects in 
/var/qmail/log/smtp/current.


It is interesting that spamd seems to be running. That is probably 
because we use 'spamc' in a maildrop filter that also develops a 
spamassassin score prior to dropping the message into the user's 
mailbox. If the score is over the threshold the filter diverts the 
message to the domain's spam user's mailbox. I'm also now getting 
detailed spam analysis information in the /var/log/maillog. I wasn't 
seeing that before.


I should point out that this is the same procedure and setup we've used 
successfully for almost ten years with Bill's Toaster. With the Bill's 
Toaster setup the spamassassin logs were logged separately at 
/var/log/spamd/. Is it possible that two instances of spamassassin are 
conflicting with each other


The issue does seem to be related to simscan - even with spam and clam 
disabled in simscan we were getting 451 rejects / DENIED_OTHER


Please let me know what you think.

Jeff


Once we get this stop we can start adding things in one at a time with 
simscan in debug mode to find out where the problem is.


Eric




On 4/29/2017 10:26 PM, Eric Broch wrote:


Sorry, Jeff,

change

QMAILQUEUE="/var/qmail/bin/qmail-queue


QMAILQUEUE="/var/qmail/bin/qmail-queue.orig


qmail-queue is a link to qmail-dk so use qmail-queue.orig

Eric


On 4/29/2017 10:01 PM, Jeff Koch wrote:

Hi Eric:

no indication of segfaults in /var/log/messages or dmesg
softlimit is set at 1  (100MB)

changed clam and spam to 'no' and did qmailctl stop, cdb, start
changed

This was the contents of tcp.smtp:

:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="100",CHKUSER_WRONGRCPTLIMIT="10",NOP0FCHECK="1",QMAILQUEUE="/var/qmail/bin/simscan",DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKVERIFY="DEGIJKfh",DKSIGN="/var/qmail/control/domainkeys/%/private"

changed to:

:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="100",CHKUSER_WRONGRCPTLIMIT="10",NOP0FCHECK="1",QMAILQUEUE="/var/qmail/bin/qmail-queue",DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKVERIFY="DEGIJKfh",DKSIGN="/var/qmail/control/domainkeys/%/private"

and then did qmailctl stop, cdb, start

Now the /var/log/maillog is showing many:

DENIED_OTHER from: 
cap21-return-27-contabilidad=idfimportadora@cape.info to: 
contabxx...@idfimpo.com origin_ip: 98.130.1.xx8 origin_rdns: 
mail1103.opentransfer.com auth: (unknown) encryption: (none) reason: 
554_qmail-dk:_Cannot_sign_message_due_to_invalid_message_syntax._(#5.3.0)


and /var/log/qmail/smtp

qmail-smtpd: qq hard reject (qmail-dk: Cannot sign message due to 
invalid message syntax. (#5.3.0)): 
MAILFROM:<323792861003aa0d40b02-b17119-1eec421bc9e947029e3ec865f716e...@mg.mailer.ctickets.com> 
RCPTTO:rodx...@brxxx.com.ec


This seems weird. Not sure why the server would be trying to sign a 
message that is coming to a local recipient. I could see it signing 
a message being sent or relayed but not received for a local recipient


Jeff


On 4/29/2017 2:02 PM, Eric Broch wrote:


Jeff,

In summary...

DENIED_OTHER: The connection was rejected by qmail (or another 
downstream filter), not spamdyke.|REASON| will contain the 
rejection message given by qmail (or other downstream filter).


REASON: 451_mail_server_temporarily_rejected_message_(#4.3.0).

Check /var/log/messages for segfault

Check /var/qmail/supervise/smtp/run softlimit

Try this:

Edit /var/qmail/control/simcontrol and set the following to 'no'

:clam=no,spam=no

# qmailctl stop

# qmailctl cdb

# qmailctl start

Let me know.

If that doesn't work edit /etc/tcprules.d/tcp.smtp

change

QMAILQUEUE="/var/qmail/bin/simscan"

to

QMAILQUE

Re: [qmailtoaster] qq soft reject with Centos 7

[Jeff Koch]

Hi Eric:

- The simscan SA pass operates as an initial filter deleting all emails 
with a score higher than 12 ( the assumption is that with a threshold 
that high it would be unlikely to have a false negative). In the case 
where one message might be forwarded to several email accounts this 
would be more efficient then having maildrop run SA separately for each 
account.


- For messages with a score less than 12 then we let maildrop calculate 
the score and compare to each email account's custom threshold, custom 
white and black list and determine if the message should be transferred 
to the 'spam' account.


There's probably a better way to do this.

Jeff


On 5/2/2017 12:32 AM, Eric Broch wrote:


Also,

If SA scans on messages in simscan why are they also being scanned in 
maildrop?





On 5/1/2017 10:27 PM, Eric Broch wrote:


I wonder if you have a permissions issue somewhere?

You could now change /var/qmail/supervise/smtp/run script to debug 
simscan by adding the following settings


SIMSCAN_DEBUG=5
export SIMSCAN_DEBUG

and in tcp.smtp change

QMAILQUEUE=/var/qmail/bin/simscan

and in simcontrol change to

:clam=no, spam=no

and qmailctl stop/cdb/start

and see what the log produces.

You should (hopefully) see the reason for the failure.


On 5/1/2017 8:59 PM, Jeff Koch wrote:

Hi Eric:

Here are the results of this tests. See below:

On 4/30/2017 1:08 AM, Eric Broch wrote:


Also,

My plan was that you would change things a step at a time (and 
check between steps whether qq soft rejects persisted) in this order:


Step 1) Increase softlimit in smtp run file (stop/start/cdb qmail) 
to 12800


No effect - still seeing spamdyke DENIED_OTHER - 
451_mail_server_temporarily_rejected_message_(#4.3.0)


Step 2) Change /var/qmail/control/simcontrol settings from

:clam=yes,spam=yes,spam_hits=12,attach=.mp3:.src:.bat:.pif

to

:clam=no,spam=no

this stops clamd, spamc, and ripmime.

stop/start/cdb qmail.


No effect - 451_mail_server_temporarily_rejected_message_(#4.3.0)


Step 3) Revert /var/qmail/control/simcontrol settings and change 
/etc/tcprules.d/tcp.smtp


QMAILQUEUE="/var/qmail/bin/simscan"

to

QMAILQUEUE="/var/qmail/bin/qmail-queue.orig"

stop/start/cdb qmail.

So far it looks good. I've let the server run for 20 minutes and I 
don't see any 'DENIED_OTHER' or 451's nor do we see any qq soft 
rejects in /var/qmail/log/smtp/current.


It is interesting that spamd seems to be running. That is probably 
because we use 'spamc' in a maildrop filter that also develops a 
spamassassin score prior to dropping the message into the user's 
mailbox. If the score is over the threshold the filter diverts the 
message to the domain's spam user's mailbox. I'm also now getting 
detailed spam analysis information in the /var/log/maillog. I wasn't 
seeing that before.


I should point out that this is the same procedure and setup we've 
used successfully for almost ten years with Bill's Toaster. With the 
Bill's Toaster setup the spamassassin logs were logged separately at 
/var/log/spamd/. Is it possible that two instances of spamassassin 
are conflicting with each other


The issue does seem to be related to simscan - even with spam and 
clam disabled in simscan we were getting 451 rejects / DENIED_OTHER


Please let me know what you think.

Jeff


Once we get this stop we can start adding things in one at a time 
with simscan in debug mode to find out where the problem is.


Eric




On 4/29/2017 10:26 PM, Eric Broch wrote:


Sorry, Jeff,

change

QMAILQUEUE="/var/qmail/bin/qmail-queue


QMAILQUEUE="/var/qmail/bin/qmail-queue.orig


qmail-queue is a link to qmail-dk so use qmail-queue.orig

Eric


On 4/29/2017 10:01 PM, Jeff Koch wrote:

Hi Eric:

no indication of segfaults in /var/log/messages or dmesg
softlimit is set at 1  (100MB)

changed clam and spam to 'no' and did qmailctl stop, cdb, start
changed

This was the contents of tcp.smtp:

:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="100",CHKUSER_WRONGRCPTLIMIT="10",NOP0FCHECK="1",QMAILQUEUE="/var/qmail/bin/simscan",DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKVERIFY="DEGIJKfh",DKSIGN="/var/qmail/control/domainkeys/%/private"

changed to:

:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="100",CHKUSER_WRONGRCPTLIMIT="10",NOP0FCHECK="1",QMAILQUEUE="/var/qmail/bin/qmail-queue",DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKVERIFY="DEGIJKfh",DKSIGN="/var/qmail/control/domainkeys/%/private"

and then did qmailctl stop, cdb, start

Now the /var/log/maillog is showing many:

DENIED_OTHER from: 
cap21-return-27-contabilidad=idfimportadora@cape.info to: 
contabxx...@idfimpo.com origin_ip: 98.130.1.xx8 origi

Re: [qmailtoaster] qq soft reject with Centos 7

[Jeff Koch]

Hi Eric:

I added
SIMSCAN_DEBUG=5
export SIMSCAN_DEBUG

to /var/qmail/supervise/smtp/run and did qmailctl stop, start.

Where is the log that simscan will be logging to? I don't see anything 
new in /var/log/maillog.


Jeff

On 5/2/2017 12:27 AM, Eric Broch wrote:


I wonder if you have a permissions issue somewhere?

You could now change /var/qmail/supervise/smtp/run script to debug 
simscan by adding the following settings


SIMSCAN_DEBUG=5
export SIMSCAN_DEBUG

and in tcp.smtp change

QMAILQUEUE=/var/qmail/bin/simscan

and in simcontrol change to

:clam=no, spam=no

and qmailctl stop/cdb/start

and see what the log produces.

You should (hopefully) see the reason for the failure.


On 5/1/2017 8:59 PM, Jeff Koch wrote:

Hi Eric:

Here are the results of this tests. See below:

On 4/30/2017 1:08 AM, Eric Broch wrote:


Also,

My plan was that you would change things a step at a time (and check 
between steps whether qq soft rejects persisted) in this order:


Step 1) Increase softlimit in smtp run file (stop/start/cdb qmail) 
to 12800


No effect - still seeing spamdyke DENIED_OTHER - 
451_mail_server_temporarily_rejected_message_(#4.3.0)


Step 2) Change /var/qmail/control/simcontrol settings from

:clam=yes,spam=yes,spam_hits=12,attach=.mp3:.src:.bat:.pif

to

:clam=no,spam=no

this stops clamd, spamc, and ripmime.

stop/start/cdb qmail.


No effect - 451_mail_server_temporarily_rejected_message_(#4.3.0)


Step 3) Revert /var/qmail/control/simcontrol settings and change 
/etc/tcprules.d/tcp.smtp


QMAILQUEUE="/var/qmail/bin/simscan"

to

QMAILQUEUE="/var/qmail/bin/qmail-queue.orig"

stop/start/cdb qmail.

So far it looks good. I've let the server run for 20 minutes and I 
don't see any 'DENIED_OTHER' or 451's nor do we see any qq soft 
rejects in /var/qmail/log/smtp/current.


It is interesting that spamd seems to be running. That is probably 
because we use 'spamc' in a maildrop filter that also develops a 
spamassassin score prior to dropping the message into the user's 
mailbox. If the score is over the threshold the filter diverts the 
message to the domain's spam user's mailbox. I'm also now getting 
detailed spam analysis information in the /var/log/maillog. I wasn't 
seeing that before.


I should point out that this is the same procedure and setup we've 
used successfully for almost ten years with Bill's Toaster. With the 
Bill's Toaster setup the spamassassin logs were logged separately at 
/var/log/spamd/. Is it possible that two instances of spamassassin 
are conflicting with each other


The issue does seem to be related to simscan - even with spam and 
clam disabled in simscan we were getting 451 rejects / DENIED_OTHER


Please let me know what you think.

Jeff


Once we get this stop we can start adding things in one at a time 
with simscan in debug mode to find out where the problem is.


Eric




On 4/29/2017 10:26 PM, Eric Broch wrote:


Sorry, Jeff,

change

QMAILQUEUE="/var/qmail/bin/qmail-queue


QMAILQUEUE="/var/qmail/bin/qmail-queue.orig


qmail-queue is a link to qmail-dk so use qmail-queue.orig

Eric


On 4/29/2017 10:01 PM, Jeff Koch wrote:

Hi Eric:

no indication of segfaults in /var/log/messages or dmesg
softlimit is set at 1  (100MB)

changed clam and spam to 'no' and did qmailctl stop, cdb, start
changed

This was the contents of tcp.smtp:

:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="100",CHKUSER_WRONGRCPTLIMIT="10",NOP0FCHECK="1",QMAILQUEUE="/var/qmail/bin/simscan",DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKVERIFY="DEGIJKfh",DKSIGN="/var/qmail/control/domainkeys/%/private"

changed to:

:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="100",CHKUSER_WRONGRCPTLIMIT="10",NOP0FCHECK="1",QMAILQUEUE="/var/qmail/bin/qmail-queue",DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKVERIFY="DEGIJKfh",DKSIGN="/var/qmail/control/domainkeys/%/private"

and then did qmailctl stop, cdb, start

Now the /var/log/maillog is showing many:

DENIED_OTHER from: 
cap21-return-27-contabilidad=idfimportadora@cape.info to: 
contabxx...@idfimpo.com origin_ip: 98.130.1.xx8 origin_rdns: 
mail1103.opentransfer.com auth: (unknown) encryption: (none) 
reason: 
554_qmail-dk:_Cannot_sign_message_due_to_invalid_message_syntax._(#5.3.0)


and /var/log/qmail/smtp

qmail-smtpd: qq hard reject (qmail-dk: Cannot sign message due to 
invalid message syntax. (#5.3.0)): 
MAILFROM:<323792861003aa0d40b02-b17119-1eec421bc9e947029e3ec865f716e...@mg.mailer.ctickets.com> 
RCPTTO:rodx...@brxxx.com.ec


This seems weird. Not sure why the server would be trying to sign 
a message that is coming to a local recipient. I could see it 
signing a message being sent or relayed bu

Re: [qmailtoaster] qq soft reject with Centos 7

[Jeff Koch]

HI Eric:

I turned on simscan debugging but I don't see any 'simscan' logging in 
/var/log/maillog or /var/log/qmail/smtp


Jeff

On 5/2/2017 12:27 AM, Eric Broch wrote:


I wonder if you have a permissions issue somewhere?

You could now change /var/qmail/supervise/smtp/run script to debug 
simscan by adding the following settings


SIMSCAN_DEBUG=5
export SIMSCAN_DEBUG

and in tcp.smtp change

QMAILQUEUE=/var/qmail/bin/simscan

and in simcontrol change to

:clam=no, spam=no

and qmailctl stop/cdb/start

and see what the log produces.

You should (hopefully) see the reason for the failure.


On 5/1/2017 8:59 PM, Jeff Koch wrote:

Hi Eric:

Here are the results of this tests. See below:

On 4/30/2017 1:08 AM, Eric Broch wrote:


Also,

My plan was that you would change things a step at a time (and check 
between steps whether qq soft rejects persisted) in this order:


Step 1) Increase softlimit in smtp run file (stop/start/cdb qmail) 
to 12800


No effect - still seeing spamdyke DENIED_OTHER - 
451_mail_server_temporarily_rejected_message_(#4.3.0)


Step 2) Change /var/qmail/control/simcontrol settings from

:clam=yes,spam=yes,spam_hits=12,attach=.mp3:.src:.bat:.pif

to

:clam=no,spam=no

this stops clamd, spamc, and ripmime.

stop/start/cdb qmail.


No effect - 451_mail_server_temporarily_rejected_message_(#4.3.0)


Step 3) Revert /var/qmail/control/simcontrol settings and change 
/etc/tcprules.d/tcp.smtp


QMAILQUEUE="/var/qmail/bin/simscan"

to

QMAILQUEUE="/var/qmail/bin/qmail-queue.orig"

stop/start/cdb qmail.

So far it looks good. I've let the server run for 20 minutes and I 
don't see any 'DENIED_OTHER' or 451's nor do we see any qq soft 
rejects in /var/qmail/log/smtp/current.


It is interesting that spamd seems to be running. That is probably 
because we use 'spamc' in a maildrop filter that also develops a 
spamassassin score prior to dropping the message into the user's 
mailbox. If the score is over the threshold the filter diverts the 
message to the domain's spam user's mailbox. I'm also now getting 
detailed spam analysis information in the /var/log/maillog. I wasn't 
seeing that before.


I should point out that this is the same procedure and setup we've 
used successfully for almost ten years with Bill's Toaster. With the 
Bill's Toaster setup the spamassassin logs were logged separately at 
/var/log/spamd/. Is it possible that two instances of spamassassin 
are conflicting with each other


The issue does seem to be related to simscan - even with spam and 
clam disabled in simscan we were getting 451 rejects / DENIED_OTHER


Please let me know what you think.

Jeff


Once we get this stop we can start adding things in one at a time 
with simscan in debug mode to find out where the problem is.


Eric




On 4/29/2017 10:26 PM, Eric Broch wrote:


Sorry, Jeff,

change

QMAILQUEUE="/var/qmail/bin/qmail-queue


QMAILQUEUE="/var/qmail/bin/qmail-queue.orig


qmail-queue is a link to qmail-dk so use qmail-queue.orig

Eric


On 4/29/2017 10:01 PM, Jeff Koch wrote:

Hi Eric:

no indication of segfaults in /var/log/messages or dmesg
softlimit is set at 1  (100MB)

changed clam and spam to 'no' and did qmailctl stop, cdb, start
changed

This was the contents of tcp.smtp:

:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="100",CHKUSER_WRONGRCPTLIMIT="10",NOP0FCHECK="1",QMAILQUEUE="/var/qmail/bin/simscan",DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKVERIFY="DEGIJKfh",DKSIGN="/var/qmail/control/domainkeys/%/private"

changed to:

:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="100",CHKUSER_WRONGRCPTLIMIT="10",NOP0FCHECK="1",QMAILQUEUE="/var/qmail/bin/qmail-queue",DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKVERIFY="DEGIJKfh",DKSIGN="/var/qmail/control/domainkeys/%/private"

and then did qmailctl stop, cdb, start

Now the /var/log/maillog is showing many:

DENIED_OTHER from: 
cap21-return-27-contabilidad=idfimportadora@cape.info to: 
contabxx...@idfimpo.com origin_ip: 98.130.1.xx8 origin_rdns: 
mail1103.opentransfer.com auth: (unknown) encryption: (none) 
reason: 
554_qmail-dk:_Cannot_sign_message_due_to_invalid_message_syntax._(#5.3.0)


and /var/log/qmail/smtp

qmail-smtpd: qq hard reject (qmail-dk: Cannot sign message due to 
invalid message syntax. (#5.3.0)): 
MAILFROM:<323792861003aa0d40b02-b17119-1eec421bc9e947029e3ec865f716e...@mg.mailer.ctickets.com> 
RCPTTO:rodx...@brxxx.com.ec


This seems weird. Not sure why the server would be trying to sign 
a message that is coming to a local recipient. I could see it 
signing a message being sent or relayed but not received for a 
local recipient


Jeff


On 4/29/2017 2:02 PM, Eric Broch wrot

Re: [qmailtoaster] qq soft reject with Centos 7

[Jeff Koch]

HI Eric:

Here's what I have in tcp.smtp:

:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="100",CHKUSER_WRONGRCPTLIMIT="10",NOP0FCHECK="1",QMAILQUEUE="/var/qmail/bin/simscan",DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKVERIFY="DEGIJKfh",DKSIGN="/var/qmail/control/domainkeys/%/private"

and here's what I have in /var/qmai/control/simcontrol

:clam=yes,spam=no,spam_hits=12,attach=.mp3:.src:.bat:.pif

and I know simscan is working because I see the clamav entries in 
/var/log/maillog. Note: we need to have clamav running because the email 
is going to real people. But when clamav was turned off there no simscan 
logging either.


Here's what I have in /var/qmail/supervise/smtp/run

#!/bin/sh
SIMSCAN_DEBUG=5
export SIMSCAN_DEBUG
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SPAMDYKE="/usr/bin/spamdyke"
SPAMDYKE_CONF="/etc/spamdyke/spamdyke.conf"
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
REQUIRE_AUTH=0

exec /usr/bin/softlimit -m 12800 \
 /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
 -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
 $SPAMDYKE --config-file $SPAMDYKE_CONF \
 $SMTPD $VCHKPW /bin/true 2>&1

and I ran qmailctl - stop - cdb - start  (Note: The HOSTNAME entry is 
exactly as shown 'hostname' - we did not change it to the actual hostname


In the /var/log/maillog we see no entries that reference 'simscan' - is 
that the log that the debug logging should appear in?


In this log we see entries referencing 'spamdyke', spamd, clamd, 
vpopmail (vchkpw-smtp) but none that says 'simscan' ** remember we have 
clamav running:


May  3 22:28:47 server spamdyke[26952]: ALLOWED from:...
May  3 22:31:40 server spamd[2772]: spamd: connection..
May  3 22:31:52 server clamd[661]: /var/qmail.
May  3 22:25:55 server vpopmail[26673]: vchkpw-smtp: vpopmail 
user.


and were are still seeing DENIED_OTHER 451 rejects like this:

May  3 22:32:20 server spamdyke[27401]: DENIED_OTHER from: 
3294909110062131b4b02-b17122-5f62f91568cf4aa2ad5adb71f8f94...@mg.expediaxxx.com 
to: jsux...@sinpxxx.com origin_ip: 135.84.xxx.10 origin_rdns: 
gears217-10.expediaxxx.com auth: (unknown) encryption: TLS reason: 
451_mail_server_temporarily_rejected_message_(#4.3.0)


As you can see we do have spamdyke running. Could that be interfering 
with the logging?


Jeff



On 5/3/2017 10:09 AM, Eric Broch wrote:


Did you turn simscan on in tcp.smtp:

QMAILQUEUE=/var/qmail/bin/simscan

and stop/cdb/start qmail?

On 5/2/2017 9:08 PM, Jeff Koch wrote:

HI Eric:

I turned on simscan debugging but I don't see any 'simscan' logging 
in /var/log/maillog or /var/log/qmail/smtp


Jeff

On 5/2/2017 12:27 AM, Eric Broch wrote:


I wonder if you have a permissions issue somewhere?

You could now change /var/qmail/supervise/smtp/run script to debug 
simscan by adding the following settings


SIMSCAN_DEBUG=5
export SIMSCAN_DEBUG

and in tcp.smtp change

QMAILQUEUE=/var/qmail/bin/simscan

and in simcontrol change to

:clam=no, spam=no

and qmailctl stop/cdb/start

and see what the log produces.

You should (hopefully) see the reason for the failure.


On 5/1/2017 8:59 PM, Jeff Koch wrote:

Hi Eric:

Here are the results of this tests. See below:

On 4/30/2017 1:08 AM, Eric Broch wrote:


Also,

My plan was that you would change things a step at a time (and 
check between steps whether qq soft rejects persisted) in this order:


Step 1) Increase softlimit in smtp run file (stop/start/cdb qmail) 
to 12800


No effect - still seeing spamdyke DENIED_OTHER - 
451_mail_server_temporarily_rejected_message_(#4.3.0)


Step 2) Change /var/qmail/control/simcontrol settings from

:clam=yes,spam=yes,spam_hits=12,attach=.mp3:.src:.bat:.pif

to

:clam=no,spam=no

this stops clamd, spamc, and ripmime.

stop/start/cdb qmail.


No effect - 451_mail_server_temporarily_rejected_message_(#4.3.0)


Step 3) Revert /var/qmail/control/simcontrol settings and change 
/etc/tcprules.d/tcp.smtp


QMAILQUEUE="/var/qmail/bin/simscan"

to

QMAILQUEUE="/var/qmail/bin/qmail-queue.orig"

stop/start/cdb qmail.

So far it looks good. I've let the server run for 20 minutes and I 
don't see any 'DENIED_OTHER' or 451's nor do we see any qq soft 
rejects in /var/qmail/log/smtp/current.


It is interesting that spamd seems to be running. That is probably 
because we use 'spamc' in a maildrop filter that also develops a 
spamassassin score prior to dropping the message into the user's 
mailbox. If the score is over the thre

Re: [qmailtoaster] qq soft reject with Centos 7

[Jeff Koch]

Ah - ha - so that's where the simscan logging is. I see it now. I'll 
check the log against the 451 qq soft rejects and see what it says. 
(Funny it wasn't showing there before - maybe I didn't wait long enough 
for the simscan logging to start or I screwed up in some other way.)


Also, spamd shows up because we have SA running in a maildrop filter.

I'll let you know what I find.

Thanks - Jeff


On 5/4/2017 1:35 AM, Eric Broch wrote:


Spamdyke was not interfering with my logging when I tested, but then 
again I wasn't getting any errors.


It's interesting that you see a spamd connection and spamc (spam=no) 
is turned off with simcontrol.


Also, did you check /var/log/qmail/smtp/current? This is where you 
should see simscan logging.



On 5/3/2017 9:38 PM, Jeff Koch wrote:

HI Eric:

Here's what I have in tcp.smtp:

:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="100",CHKUSER_WRONGRCPTLIMIT="10",NOP0FCHECK="1",QMAILQUEUE="/var/qmail/bin/simscan",DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKVERIFY="DEGIJKfh",DKSIGN="/var/qmail/control/domainkeys/%/private"

and here's what I have in /var/qmai/control/simcontrol

:clam=yes,spam=no,spam_hits=12,attach=.mp3:.src:.bat:.pif

and I know simscan is working because I see the clamav entries in 
/var/log/maillog. Note: we need to have clamav running because the 
email is going to real people. But when clamav was turned off there 
no simscan logging either.


Here's what I have in /var/qmail/supervise/smtp/run

#!/bin/sh
SIMSCAN_DEBUG=5
export SIMSCAN_DEBUG
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SPAMDYKE="/usr/bin/spamdyke"
SPAMDYKE_CONF="/etc/spamdyke/spamdyke.conf"
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
REQUIRE_AUTH=0

exec /usr/bin/softlimit -m 12800 \
 /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c 
"$MAXSMTPD" \

 -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
 $SPAMDYKE --config-file $SPAMDYKE_CONF \
 $SMTPD $VCHKPW /bin/true 2>&1

and I ran qmailctl - stop - cdb - start  (Note: The HOSTNAME entry is 
exactly as shown 'hostname' - we did not change it to the actual hostname


In the /var/log/maillog we see no entries that reference 'simscan' - 
is that the log that the debug logging should appear in?


In this log we see entries referencing 'spamdyke', spamd, clamd, 
vpopmail (vchkpw-smtp) but none that says 'simscan' ** remember we 
have clamav running:


May  3 22:28:47 server spamdyke[26952]: ALLOWED from:...
May  3 22:31:40 server spamd[2772]: spamd: connection..
May  3 22:31:52 server clamd[661]: 
/var/qmail.
May  3 22:25:55 server vpopmail[26673]: vchkpw-smtp: vpopmail 
user.


and were are still seeing DENIED_OTHER 451 rejects like this:

May  3 22:32:20 server spamdyke[27401]: DENIED_OTHER from: 
3294909110062131b4b02-b17122-5f62f91568cf4aa2ad5adb71f8f94...@mg.expediaxxx.com 
to: jsux...@sinpxxx.com origin_ip: 135.84.xxx.10 origin_rdns: 
gears217-10.expediaxxx.com auth: (unknown) encryption: TLS reason: 
451_mail_server_temporarily_rejected_message_(#4.3.0)


As you can see we do have spamdyke running. Could that be interfering 
with the logging?


Jeff



On 5/3/2017 10:09 AM, Eric Broch wrote:


Did you turn simscan on in tcp.smtp:

QMAILQUEUE=/var/qmail/bin/simscan

and stop/cdb/start qmail?

On 5/2/2017 9:08 PM, Jeff Koch wrote:

HI Eric:

I turned on simscan debugging but I don't see any 'simscan' logging 
in /var/log/maillog or /var/log/qmail/smtp


Jeff

On 5/2/2017 12:27 AM, Eric Broch wrote:


I wonder if you have a permissions issue somewhere?

You could now change /var/qmail/supervise/smtp/run script to debug 
simscan by adding the following settings


SIMSCAN_DEBUG=5
export SIMSCAN_DEBUG

and in tcp.smtp change

QMAILQUEUE=/var/qmail/bin/simscan

and in simcontrol change to

:clam=no, spam=no

and qmailctl stop/cdb/start

and see what the log produces.

You should (hopefully) see the reason for the failure.


On 5/1/2017 8:59 PM, Jeff Koch wrote:

Hi Eric:

Here are the results of this tests. See below:

On 4/30/2017 1:08 AM, Eric Broch wrote:


Also,

My plan was that you would change things a step at a time (and 
check between steps whether qq soft rejects persisted) in this 
order:


Step 1) Increase softlimit in smtp run file (stop/start/cdb 
qmail) to 12800


No effect - still seeing spamdyke DENIED_OTHER - 
451_mail_server_temporarily_rejected_message_(#4.3.0)


Step 2) Change /var/qmail/control/simcontrol settings from

:clam=yes,spam=yes,spam_hits=12,attach=.mp3:.src:.bat:.pif

Re: [qmailtoaster] qq soft reject with Centos 7

[Jeff Koch]

Hi Eric:

simscan debugging log seems to be showing the problem but I'll need your 
help figuring out what to do about it. Here's a copy of simscan log 
entries showing the 451 'qq soft reject' errors. I have clamav disabled 
in simscan but you can see that simscan is still taking apart the 
attachments.


Keep in mind that not all emails with attachments are having the soft 
reject issue. Here are two examples where attachments generated a soft 
reject and one example where it didn't.


I googled 'exit error code: 71' and found some references going back to 
2006-7 discussing group permissions on /var/qmail/simscan and umask 
issues and the simscan-1.4.0-umask.patch that was supposed to correct 
this problem.


Any idea what I should do to fix this problem on my server?

Thanks, Jeff Koch

Example One - showing 451 qq soft reject

2017-05-05 11:08:35.407367500 simscan: checking attachment textfile1 
against .pif
2017-05-05 11:08:35.407368500 simscan: checking attachment textfile2 
against .mp3
2017-05-05 11:08:35.407374500 simscan: checking attachment textfile2 
against .src
2017-05-05 11:08:35.407375500 simscan: checking attachment textfile2 
against .bat
2017-05-05 11:08:35.407375500 simscan: checking attachment textfile2 
against .pif

2017-05-05 11:08:35.407376500 simscan: cdb looking up version attach
2017-05-05 11:08:35.407376500 simscan: runned_scanners is  attach: 1.4.0
2017-05-05 11:08:35.407377500 simscan: found 1.4.0
2017-05-05 11:08:35.407377500 simscan: clamdscan disabled
2017-05-05 11:08:35.407378500 simscan: done, execing qmail-queue
2017-05-05 11:08:35.408635500 simscan: error writing msg to qmail-queue 
error: 32

2017-05-05 11:08:35.408812500 simscan: exit error code: 71
2017-05-05 11:08:35.408991500 qmail-smtpd: qq soft reject (mail server 
temporarily rejected message (#4.3.0)): 
MAILFROM: 
RCPTTO:jere...@stinternational.com


Example Two - showing 451 qq soft reject

2017-05-05 11:08:45.623775500 simscan: checking attachment ficha de 
inscripcion logistica de .xlsx against .bat
2017-05-05 11:08:45.623776500 simscan: checking attachment ficha de 
inscripcion logistica de .xlsx against .pif
2017-05-05 11:08:45.623778500 simscan: checking attachment FICHA DE 
.xlsx against .mp3
2017-05-05 11:08:45.623779500 simscan: checking attachment ficha de 
i.xlsx against .src
2017-05-05 11:08:45.623779500 simscan: checking attachment ficha de 
.xlsx against .bat
2017-05-05 11:08:45.623780500 simscan: checking attachment ficha de 
.xlsx against .pif

2017-05-05 11:08:45.623780500 simscan: cdb looking up version attach
2017-05-05 11:08:45.623785500 simscan: runned_scanners is  attach: 1.4.0
2017-05-05 11:08:45.623785500 simscan: found 1.4.0
2017-05-05 11:08:45.623786500 simscan: clamdscan disabled
2017-05-05 11:08:45.623807500 simscan: done, execing qmail-queue
2017-05-05 11:08:45.625205500 simscan: error writing msg to qmail-queue 
error: 32

2017-05-05 11:08:45.625526500 simscan: exit error code: 71
2017-05-05 11:08:45.625718500 qmail-smtpd: qq soft reject (mail server 
temporarily rejected message (#4.3.0)): 
MAILFROM:<77-return-9-mantenimiento=crsf.com...@seminarioxxx.com> 
RCPTTO:mant...@.com.ec


Example Three - attachments but no error

2017-05-05 11:08:53.901311500 simscan: checking attachment textfile2 
against .bat
2017-05-05 11:08:53.901312500 simscan: checking attachment textfile2 
against .pif
2017-05-05 11:08:53.901312500 simscan: checking attachment textfile3 
against .mp3
2017-05-05 11:08:53.901313500 simscan: checking attachment textfile3 
against .src
2017-05-05 11:08:53.901313500 simscan: checking attachment textfile3 
against .bat
2017-05-05 11:08:53.901314500 simscan: checking attachment textfile3 
against .pif

2017-05-05 11:08:53.901316500 simscan: cdb looking up version attach
2017-05-05 11:08:53.901317500 simscan: runned_scanners is  attach: 1.4.0
2017-05-05 11:08:53.901317500 simscan: found 1.4.0
2017-05-05 11:08:53.901318500 simscan: clamdscan disabled
2017-05-05 11:08:53.901339500 simscan: done, execing qmail-queue
2017-05-05 11:08:53.918481500 simscan: qmail-queue exited 0











On 5/4/2017 1:35 AM, Eric Broch wrote:


Spamdyke was not interfering with my logging when I tested, but then 
again I wasn't getting any errors.


It's interesting that you see a spamd connection and spamc (spam=no) 
is turned off with simcontrol.


Also, did you check /var/log/qmail/smtp/current? This is where you 
should see simscan logging.



On 5/3/2017 9:38 PM, Jeff Koch wrote:

HI Eric:

Here's what I have in tcp.smtp:

:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="100",CHKUSER_WRONGRCPTLIMIT="10",NOP0FCHECK="1",QMAILQUEUE="/var/qmail/bin/simscan",DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKVERIFY="DEGIJKfh",DKSIGN="/var/qmail/control/domainkeys/%/private"

and here's what I have in /var/qmai/control/simcontrol

:

Re: [qmailtoaster] qq soft reject with Centos 7

[Jeff Koch]

-- 2 qmails qmail 6 Apr 20 09:49 13
drwx-- 2 qmails qmail 6 Apr 20 09:49 14
drwx-- 2 qmails qmail 6 Apr 20 09:49 15
drwx-- 2 qmails qmail 6 Apr 20 09:49 16
drwx-- 2 qmails qmail 6 Apr 20 09:49 17
drwx-- 2 qmails qmail 6 Apr 20 09:49 18
drwx-- 2 qmails qmail 6 Apr 20 13:10 19
drwx-- 2 qmails qmail 6 Apr 20 09:49 2
drwx-- 2 qmails qmail 6 Apr 20 09:49 20
drwx-- 2 qmails qmail 6 Apr 20 09:49 21
drwx-- 2 qmails qmail 6 Apr 20 09:49 22
drwx-- 2 qmails qmail 6 Apr 20 09:49 3
drwx-- 2 qmails qmail 6 Apr 20 09:49 4
drwx-- 2 qmails qmail 6 Apr 20 09:49 5
drwx-- 2 qmails qmail 6 Apr 20 09:49 6
drwx-- 2 qmails qmail 6 Apr 20 09:49 7
drwx-- 2 qmails qmail 6 Apr 20 09:49 8
drwx-- 2 qmails qmail 6 Apr 20 13:02 9

/var/qmail/queue/todo:
total 0





[root]# ls -l /var/qmail/bin
total 1444
-rwxr-xr-x 1 root   qmail  14480 Apr 20 09:49 bouncesaying
-rwxr-xr-x 1 root   qmail  31184 Apr 20 09:49 condredirect
-rwxr-xr-x 1 root   qmail   1087 Apr 20 09:49 config-fast
-rwxr-xr-x 1 root   qmail126 Apr 20 09:49 datemail
-rwxr-xr-x 1 root   qmail928 Apr 20 09:49 dh_key
-rwxr-xr-x 1 root   qmail114 Apr 20 09:49 elq
-rwxr-xr-x 1 root   qmail  14480 Apr 20 09:49 except
-rwxr-xr-x 1 root   qmail  31152 Apr 20 09:49 forward
-rwxr-xr-x 1 root   qmail  26824 Apr 20 09:49 instcheck
-rwxr-xr-x 1 root   qmail  26920 Apr 20 09:49 maildir2mbox
-rwxr-xr-x 1 root   qmail  14504 Apr 20 09:49 maildirmake
-rwxr-xr-x 1 root   qmail  22856 Apr 20 09:49 maildirwatch
-rwxr-xr-x 1 root   qmail179 Apr 20 09:49 mailsubj
-rwxr-xr-x 1 root   qmail   8259 Apr 20 09:49 makecert.sh
-rwxr-xr-x 1 root   qmail115 Apr 20 09:49 pinq
-rwxr-xr-x 1 root   qmail  18824 Apr 20 09:49 predate
-rwxr-xr-x 1 root   qmail  18760 Apr 20 09:49 preline
-rwxr-xr-x 1 root   qmail115 Apr 20 09:49 qail
-rwxr-xr-x 1 root   qmail  18728 Apr 20 09:49 qbiff
-rwxr-xr-x 1 root   qmail  18672 Apr 20 09:49 qmail-badloadertypes
-rwxr-xr-x 1 root   qmail  18672 Apr 20 09:49 qmail-badmimetypes
-rwx--x--x 1 root   qmail  14680 Apr 20 09:49 qmail-clean
-rws--x--x 1 qmailq qmail  52096 Apr 20 09:49 qmail-dk
-rwx--x--x 1 root   qmail  10416 Apr 20 09:49 qmail-getpw
-rwxr-xr-x 1 root   qmail  51728 Apr 20 09:49 qmail-inject
-rwx--x--x 1 root   qmail  64120 Apr 20 09:49 qmail-local
-rwx-- 1 root   qmail  22848 Apr 20 09:49 qmail-lspawn
-rwx-- 1 root   qmail  18672 Apr 20 09:49 qmail-newmrh
-rwx-- 1 root   qmail  14576 Apr 20 09:49 qmail-newu
-rwx--x--x 1 root   qmail  22904 Apr 20 09:49 qmail-pw2u
-rwxr-xr-x 1 root   qmail  18744 Apr 20 09:49 qmail-qmqpc
-rwxr-xr-x 1 root   qmail  22832 Apr 20 09:49 qmail-qmqpd
-rwxr-xr-x 1 root   qmail  31032 Apr 20 09:49 qmail-qmtpd
-rwxr-xr-x 1 root   qmail  22776 Apr 20 09:49 qmail-qread
-rwxr-xr-x 1 root   qmail371 Apr 20 09:49 qmail-qstat
lrwxrwxrwx 1 root   root  23 Apr 20 12:58 qmail-queue -> 
/var/qmail/bin/qmail-dk

-rws--x--x 1 qmailq qmail  27040 Apr 20 09:49 qmail-queue.orig
-rwx--x--x 1 root   qmail  56080 Apr 20 09:49 qmail-remote
-rwx--x--x 1 root   qmail  56080 Feb  6  2015 qmail-remote.orig
-rwx--x--x 1 root   qmail  18704 Apr 20 09:49 qmail-rspawn
-rwx--x--x 1 root   qmail  59936 Apr 20 09:49 qmail-send
-rwxr-xr-x 1 root   qmail  22816 Apr 20 09:49 qmail-showctl
-rwxr-xr-x 1 root   qmail 205680 Apr 20 09:49 qmail-smtpd
-rwx-- 1 root   qmail  10424 Apr 20 09:49 qmail-start
-rwxr-xr-x 1 root   qmail  14512 Apr 20 09:49 qmail-tcpok
-rwxr-xr-x 1 root   qmail  14544 Apr 20 09:49 qmail-tcpto
-rwxr-xr-x 1 root   qmail  31152 Apr 20 09:49 qreceipt
-rwxr-xr-x 1 root   qmail  14568 Apr 20 09:49 qsmhook
-rwxr-xr-x 1 root   qmail  14576 Apr 20 09:49 sendmail
-rws--x--x 1 clamav root   34774 Apr  6  2016 simscan
-rwsr-xr-x 1 root   root   24461 Apr  6  2016 simscanmk
-rwxr-xr-x 1 root   qmail  35528 Apr 20 09:49 spfquery
-rwx--x--x 1 root   qmail  10504 Apr 20 09:49 splogger
-rwxr-xr-x 1 root   qmail  31152 Apr 20 09:49 srsfilter
-rwxr-xr-x 1 root   qmail  26864 Apr 20 09:49 tcp-env
-rwxr-xr-x 1 root   root 618 Dec 24  2013 update-simscan





On 5/5/2017 10:29 AM, Jeff Koch wrote:

Hi Eric:

simscan debugging log seems to be showing the problem but I'll need 
your help figuring out what to do about it. Here's a copy of simscan 
log entries showing the 451 'qq soft reject' errors. I have clamav 
disabled in simscan but you can see that simscan is still taking 
apart the attachments.


Keep in mind that not all emails with attachments are having the soft 
reject issue. Here are two examples where attachments generated a 
soft reject and one example where it didn't.


I googled 'exit error code: 71' and found some references going back 
to 2006-7 discussing group permissions on /var/qmail/simscan and 
umask issues and the simscan-1.4.0-umask.patch that was supposed to 
correct this problem.


Any idea what I should do to fix this problem on my server?

Thanks, Jeff Koch

Example One - showing 451 

Re: [qmailtoaster] qq soft reject with Centos 7

[Jeff Koch]

Eric - thanks - Jeff

On 5/6/2017 10:21 AM, Eric Broch wrote:


[root]#ls -ld /var/qmail/simscan
drwxr-x--- 4 clamav root 64 Apr 20 14:18 /var/qmail/simscan

[root]# ls -ld /var/qmail/simscan/*
drwxr-x--- 2 clamav root 39 Dec 23 01:26 
/var/qmail/simscan/1482481568.945036.3336
drwxr-x--- 2 clamav root 73 Dec 23 01:34 
/var/qmail/simscan/1482482077.257292.3618


yum reinstall simscan



On 5/5/2017 12:16 PM, Jeff Koch wrote:

Hi Eric:

What do your permissions look like for /var/qmail/simscan and it's 
subdirectories ?


Also, we installed everthing from the QMT install script. What's the 
procedure for removing and reinstalling simscan?


Thanks for your help.

Jeff

On 5/5/2017 1:42 PM, Eric Broch wrote:


It does look like a permission's issue. Try these steps with restart 
and reload of qmail between each step


1) Check permissions on your queue, visibly (mine below ).

2) Check /var/qmail/bin permissions (mine below ).

3) Remove and reinstall simscan

4) Try running one of the good queue repair tools like qfixq, 
qmail_repair.py. With these make absolutely sure qmail is OFF, and 
that there are NO straggling send processes.




[root]# ls -ld /var/qmail/queue
drwxr-x--- 11 qmailq qmail 109 Apr 20 09:49 /var/qmail/queue

[root]# ls -l /var/qmail/q*
total 16
drwx--  2 qmails qmail6 Apr 20 09:49 bounce
drwx-- 25 qmails qmail 4096 Apr 20 09:49 info
drwx--  2 qmailq qmail6 May  5 08:34 intd
drwx-- 25 qmails qmail 4096 Apr 20 09:49 local
drwxr-x---  2 qmailq qmail   48 Apr 20 12:58 lock
drwxr-x--- 25 qmailq qmail 4096 Apr 20 09:49 mess
drwx--  2 qmailq qmail6 May  5 08:34 pid
drwx-- 25 qmails qmail 4096 Apr 20 09:49 remote
drwxr-x---  2 qmailq qmail6 May  5 08:34 todo

[root]# ls -l /var/qmail/q*/*
/var/qmail/queue/bounce:
total 0

/var/qmail/queue/info:
total 0
drwx-- 2 qmails qmail 6 May  3 03:21 0
drwx-- 2 qmails qmail 6 May  3 04:52 1
drwx-- 2 qmails qmail 6 Apr 20 09:49 10
drwx-- 2 qmails qmail 6 Apr 20 09:49 11
drwx-- 2 qmails qmail 6 Apr 21 06:06 12
drwx-- 2 qmails qmail 6 Apr 20 09:49 13
drwx-- 2 qmails qmail 6 May  5 03:31 14
drwx-- 2 qmails qmail 6 Apr 20 09:49 15
drwx-- 2 qmails qmail 6 Apr 20 09:49 16
drwx-- 2 qmails qmail 6 Apr 20 09:49 17
drwx-- 2 qmails qmail 6 May  3 04:52 18
drwx-- 2 qmails qmail 6 May  5 08:34 19
drwx-- 2 qmails qmail 6 May  1 03:42 2
drwx-- 2 qmails qmail 6 May  4 03:47 20
drwx-- 2 qmails qmail 6 Apr 20 09:49 21
drwx-- 2 qmails qmail 6 Apr 20 09:49 22
drwx-- 2 qmails qmail 6 May  4 03:47 3
drwx-- 2 qmails qmail 6 May  5 08:34 4
drwx-- 2 qmails qmail 6 May  2 04:49 5
drwx-- 2 qmails qmail 6 May  1 07:21 6
drwx-- 2 qmails qmail 6 Apr 23 03:23 7
drwx-- 2 qmails qmail 6 May  2 04:49 8
drwx-- 2 qmails qmail 6 Apr 20 13:02 9

/var/qmail/queue/intd:
total 0

/var/qmail/queue/local:
total 0
drwx-- 2 qmails qmail 6 May  3 03:21 0
drwx-- 2 qmails qmail 6 May  3 04:52 1
drwx-- 2 qmails qmail 6 Apr 20 09:49 10
drwx-- 2 qmails qmail 6 Apr 20 09:49 11
drwx-- 2 qmails qmail 6 Apr 21 06:06 12
drwx-- 2 qmails qmail 6 Apr 20 09:49 13
drwx-- 2 qmails qmail 6 May  5 03:31 14
drwx-- 2 qmails qmail 6 Apr 20 09:49 15
drwx-- 2 qmails qmail 6 Apr 20 09:49 16
drwx-- 2 qmails qmail 6 Apr 20 09:49 17
drwx-- 2 qmails qmail 6 May  3 04:52 18
drwx-- 2 qmails qmail 6 May  5 08:34 19
drwx-- 2 qmails qmail 6 May  1 03:42 2
drwx-- 2 qmails qmail 6 May  4 03:47 20
drwx-- 2 qmails qmail 6 Apr 20 09:49 21
drwx-- 2 qmails qmail 6 Apr 20 09:49 22
drwx-- 2 qmails qmail 6 May  4 03:47 3
drwx-- 2 qmails qmail 6 May  5 08:34 4
drwx-- 2 qmails qmail 6 May  2 04:49 5
drwx-- 2 qmails qmail 6 May  1 07:21 6
drwx-- 2 qmails qmail 6 Apr 23 03:23 7
drwx-- 2 qmails qmail 6 May  2 04:49 8
drwx-- 2 qmails qmail 6 Apr 20 09:49 9

/var/qmail/queue/lock:
total 4
-rw--- 1 qmails qmail0 Apr 20 09:49 sendmutex
-rw-r--r-- 1 qmailr qmail 1024 Apr 27 06:08 tcpto
prw--w--w- 1 qmails qmail0 May  5 08:34 trigger

/var/qmail/queue/mess:
total 0
drwxr-x--- 2 qmailq qmail 6 May  3 03:21 0
drwxr-x--- 2 qmailq qmail 6 May  3 04:52 1
drwxr-x--- 2 qmailq qmail 6 Apr 20 09:49 10
drwxr-x--- 2 qmailq qmail 6 Apr 20 09:49 11
drwxr-x--- 2 qmailq qmail 6 Apr 21 06:06 12
drwxr-x--- 2 qmailq qmail 6 Apr 20 09:49 13
drwxr-x--- 2 qmailq qmail 6 May  5 03:31 14
drwxr-x--- 2 qmailq qmail 6 Apr 20 09:49 15
drwxr-x--- 2 qmailq qmail 6 Apr 20 09:49 16
drwxr-x--- 2 qmailq qmail 6 Apr 20 09:49 17
drwxr-x--- 2 qmailq qmail 6 May  3 04:52 18
drwxr-x--- 2 qmailq qmail 6 May  5 08:34 19
drwxr-x--- 2 qmailq qmail 6 May  1 03:42 2
drwxr-x--- 2 qmailq qmail 6 May  4 03:47 20
drwxr-x--- 2 qmailq qmail 6 Apr 20 09:49 21
drwxr-x--- 2 qmailq qmail 6 Apr 20 09:49 22
drwxr-x--- 2 qmailq qmail 6 May  4 03:47 3
drwxr-x--- 2 qmailq qmail 6 May  5 08:34 4
drwxr-x--- 2 qmailq qmail 6 May  2 04:49 5
drwxr-x--- 2 qmailq qmail 6

Re: [qmailtoaster] qq soft reject with Centos 7

[Jeff Koch]

Hi Eric:

One other thing. What does it mean when we see  'simscan: no envelope 
information, deferred exit'? As in the following:



2017-05-06 09:45:11.691723500 simscan: checking attachment image003.png 
against .bat
2017-05-06 09:45:11.691723500 simscan: checking attachment image003.png 
against .pif

2017-05-06 09:45:11.691724500 simscan: cdb looking up version attach
2017-05-06 09:45:11.691724500 simscan: runned_scanners is  attach: 1.4.0
2017-05-06 09:45:11.691725500 simscan: found 1.4.0
2017-05-06 09:45:11.691725500 simscan: calling clamdscan
2017-05-06 09:45:11.728577500 simscan: clamdscan: 
/var/qmail/simscan/1494081910.545549.2165: OK

2017-05-06 09:45:11.728632500 simscan: clamdscan:
2017-05-06 09:45:11.728633500 simscan: clamdscan: --- SCAN 
SUMMARY ---

2017-05-06 09:45:11.728672500 simscan: clamdscan: Infected files: 0
2017-05-06 09:45:11.728684500 simscan: clamdscan: Time: 0.034 sec (0 m 0 s)
2017-05-06 09:45:11.728961500 simscan: cdb looking up version clamav
2017-05-06 09:45:11.728975500 simscan: runned_scanners is  attach: 1.4.0 
clamav: 0.99.2/m:

2017-05-06 09:45:11.728976500 simscan: found 0.99.2/m:
2017-05-06 09:45:11.728977500 simscan: normal clamdscan return code: 0
2017-05-06 09:45:11.728998500 simscan: done, execing qmail-queue
2017-05-06 09:45:11.758794500 simscan: qmail-queue exited 0
2017-05-06 09:45:12.076061500 simscan: no envelope information, deferred 
exit

2017-05-06 09:45:12.076219500 simscan: exit error code: 54

Jeff

On 5/6/2017 10:21 AM, Eric Broch wrote:


[root]#ls -ld /var/qmail/simscan
drwxr-x--- 4 clamav root 64 Apr 20 14:18 /var/qmail/simscan

[root]# ls -ld /var/qmail/simscan/*
drwxr-x--- 2 clamav root 39 Dec 23 01:26 
/var/qmail/simscan/1482481568.945036.3336
drwxr-x--- 2 clamav root 73 Dec 23 01:34 
/var/qmail/simscan/1482482077.257292.3618


yum reinstall simscan



On 5/5/2017 12:16 PM, Jeff Koch wrote:

Hi Eric:

What do your permissions look like for /var/qmail/simscan and it's 
subdirectories ?


Also, we installed everthing from the QMT install script. What's the 
procedure for removing and reinstalling simscan?


Thanks for your help.

Jeff

On 5/5/2017 1:42 PM, Eric Broch wrote:


It does look like a permission's issue. Try these steps with restart 
and reload of qmail between each step


1) Check permissions on your queue, visibly (mine below ).

2) Check /var/qmail/bin permissions (mine below ).

3) Remove and reinstall simscan

4) Try running one of the good queue repair tools like qfixq, 
qmail_repair.py. With these make absolutely sure qmail is OFF, and 
that there are NO straggling send processes.




[root]# ls -ld /var/qmail/queue
drwxr-x--- 11 qmailq qmail 109 Apr 20 09:49 /var/qmail/queue

[root]# ls -l /var/qmail/q*
total 16
drwx--  2 qmails qmail6 Apr 20 09:49 bounce
drwx-- 25 qmails qmail 4096 Apr 20 09:49 info
drwx--  2 qmailq qmail6 May  5 08:34 intd
drwx-- 25 qmails qmail 4096 Apr 20 09:49 local
drwxr-x---  2 qmailq qmail   48 Apr 20 12:58 lock
drwxr-x--- 25 qmailq qmail 4096 Apr 20 09:49 mess
drwx--  2 qmailq qmail6 May  5 08:34 pid
drwx-- 25 qmails qmail 4096 Apr 20 09:49 remote
drwxr-x---  2 qmailq qmail6 May  5 08:34 todo

[root]# ls -l /var/qmail/q*/*
/var/qmail/queue/bounce:
total 0

/var/qmail/queue/info:
total 0
drwx-- 2 qmails qmail 6 May  3 03:21 0
drwx-- 2 qmails qmail 6 May  3 04:52 1
drwx-- 2 qmails qmail 6 Apr 20 09:49 10
drwx-- 2 qmails qmail 6 Apr 20 09:49 11
drwx-- 2 qmails qmail 6 Apr 21 06:06 12
drwx-- 2 qmails qmail 6 Apr 20 09:49 13
drwx-- 2 qmails qmail 6 May  5 03:31 14
drwx-- 2 qmails qmail 6 Apr 20 09:49 15
drwx-- 2 qmails qmail 6 Apr 20 09:49 16
drwx-- 2 qmails qmail 6 Apr 20 09:49 17
drwx-- 2 qmails qmail 6 May  3 04:52 18
drwx-- 2 qmails qmail 6 May  5 08:34 19
drwx-- 2 qmails qmail 6 May  1 03:42 2
drwx-- 2 qmails qmail 6 May  4 03:47 20
drwx-- 2 qmails qmail 6 Apr 20 09:49 21
drwx-- 2 qmails qmail 6 Apr 20 09:49 22
drwx-- 2 qmails qmail 6 May  4 03:47 3
drwx-- 2 qmails qmail 6 May  5 08:34 4
drwx-- 2 qmails qmail 6 May  2 04:49 5
drwx-- 2 qmails qmail 6 May  1 07:21 6
drwx-- 2 qmails qmail 6 Apr 23 03:23 7
drwx-- 2 qmails qmail 6 May  2 04:49 8
drwx-- 2 qmails qmail 6 Apr 20 13:02 9

/var/qmail/queue/intd:
total 0

/var/qmail/queue/local:
total 0
drwx-- 2 qmails qmail 6 May  3 03:21 0
drwx-- 2 qmails qmail 6 May  3 04:52 1
drwx-- 2 qmails qmail 6 Apr 20 09:49 10
drwx-- 2 qmails qmail 6 Apr 20 09:49 11
drwx-- 2 qmails qmail 6 Apr 21 06:06 12
drwx-- 2 qmails qmail 6 Apr 20 09:49 13
drwx-- 2 qmails qmail 6 May  5 03:31 14
drwx-- 2 qmails qmail 6 Apr 20 09:49 15
drwx-- 2 qmails qmail 6 Apr 20 09:49 16
drwx-- 2 qmails qmail 6 Apr 20 09:49 17
drwx-- 2 qmails qmail 6 May  3 04:52 18
drwx-- 2 qmails qmail 6 May  5 08:34 19
drwx-- 2 qmails qmail 6 May  1 03:42 2
drwx-- 2 qmails qma

Re: [qmailtoaster] qq soft reject with Centos 7

[Jeff Koch]

Hi Eric:

I reinstalled simscan but unfortunately that didn't help. We're still 
seeing the 451 soft rejects when simscan tries to exec qmail-queue after 
having clamav analyze attachments. We're also seeing the 'no envelope' 
deferrals. I assume you don't have these issues on your qmail toaster.


We tried to see if there was any pattern that distinguished emails with 
attachments that went through simscan and executed qmail-queue 
successfully and those that had an error writing to qmail-queue and 
exited with code 71. But we see no pattern.


We've removed simscan from the process until we figure this out.

Anyone know what qmail-queue error code 32 means? As in 'error writing 
msg to qmail-queue error: 32'


Let me know if anyone has ideas.

Thanks for your help

Jeff

On 5/6/2017 10:21 AM, Eric Broch wrote:


[root]#ls -ld /var/qmail/simscan
drwxr-x--- 4 clamav root 64 Apr 20 14:18 /var/qmail/simscan

[root]# ls -ld /var/qmail/simscan/*
drwxr-x--- 2 clamav root 39 Dec 23 01:26 
/var/qmail/simscan/1482481568.945036.3336
drwxr-x--- 2 clamav root 73 Dec 23 01:34 
/var/qmail/simscan/1482482077.257292.3618


yum reinstall simscan



On 5/5/2017 12:16 PM, Jeff Koch wrote:

Hi Eric:

What do your permissions look like for /var/qmail/simscan and it's 
subdirectories ?


Also, we installed everthing from the QMT install script. What's the 
procedure for removing and reinstalling simscan?


Thanks for your help.

Jeff

On 5/5/2017 1:42 PM, Eric Broch wrote:


It does look like a permission's issue. Try these steps with restart 
and reload of qmail between each step


1) Check permissions on your queue, visibly (mine below ).

2) Check /var/qmail/bin permissions (mine below ).

3) Remove and reinstall simscan

4) Try running one of the good queue repair tools like qfixq, 
qmail_repair.py. With these make absolutely sure qmail is OFF, and 
that there are NO straggling send processes.




[root]# ls -ld /var/qmail/queue
drwxr-x--- 11 qmailq qmail 109 Apr 20 09:49 /var/qmail/queue

[root]# ls -l /var/qmail/q*
total 16
drwx--  2 qmails qmail6 Apr 20 09:49 bounce
drwx-- 25 qmails qmail 4096 Apr 20 09:49 info
drwx--  2 qmailq qmail6 May  5 08:34 intd
drwx-- 25 qmails qmail 4096 Apr 20 09:49 local
drwxr-x---  2 qmailq qmail   48 Apr 20 12:58 lock
drwxr-x--- 25 qmailq qmail 4096 Apr 20 09:49 mess
drwx--  2 qmailq qmail6 May  5 08:34 pid
drwx-- 25 qmails qmail 4096 Apr 20 09:49 remote
drwxr-x---  2 qmailq qmail6 May  5 08:34 todo

[root]# ls -l /var/qmail/q*/*
/var/qmail/queue/bounce:
total 0

/var/qmail/queue/info:
total 0
drwx-- 2 qmails qmail 6 May  3 03:21 0
drwx-- 2 qmails qmail 6 May  3 04:52 1
drwx-- 2 qmails qmail 6 Apr 20 09:49 10
drwx-- 2 qmails qmail 6 Apr 20 09:49 11
drwx-- 2 qmails qmail 6 Apr 21 06:06 12
drwx-- 2 qmails qmail 6 Apr 20 09:49 13
drwx-- 2 qmails qmail 6 May  5 03:31 14
drwx-- 2 qmails qmail 6 Apr 20 09:49 15
drwx-- 2 qmails qmail 6 Apr 20 09:49 16
drwx-- 2 qmails qmail 6 Apr 20 09:49 17
drwx-- 2 qmails qmail 6 May  3 04:52 18
drwx-- 2 qmails qmail 6 May  5 08:34 19
drwx-- 2 qmails qmail 6 May  1 03:42 2
drwx-- 2 qmails qmail 6 May  4 03:47 20
drwx-- 2 qmails qmail 6 Apr 20 09:49 21
drwx-- 2 qmails qmail 6 Apr 20 09:49 22
drwx-- 2 qmails qmail 6 May  4 03:47 3
drwx-- 2 qmails qmail 6 May  5 08:34 4
drwx-- 2 qmails qmail 6 May  2 04:49 5
drwx-- 2 qmails qmail 6 May  1 07:21 6
drwx-- 2 qmails qmail 6 Apr 23 03:23 7
drwx-- 2 qmails qmail 6 May  2 04:49 8
drwx-- 2 qmails qmail 6 Apr 20 13:02 9

/var/qmail/queue/intd:
total 0

/var/qmail/queue/local:
total 0
drwx-- 2 qmails qmail 6 May  3 03:21 0
drwx-- 2 qmails qmail 6 May  3 04:52 1
drwx-- 2 qmails qmail 6 Apr 20 09:49 10
drwx-- 2 qmails qmail 6 Apr 20 09:49 11
drwx-- 2 qmails qmail 6 Apr 21 06:06 12
drwx-- 2 qmails qmail 6 Apr 20 09:49 13
drwx-- 2 qmails qmail 6 May  5 03:31 14
drwx-- 2 qmails qmail 6 Apr 20 09:49 15
drwx-- 2 qmails qmail 6 Apr 20 09:49 16
drwx-- 2 qmails qmail 6 Apr 20 09:49 17
drwx-- 2 qmails qmail 6 May  3 04:52 18
drwx-- 2 qmails qmail 6 May  5 08:34 19
drwx-- 2 qmails qmail 6 May  1 03:42 2
drwx-- 2 qmails qmail 6 May  4 03:47 20
drwx-- 2 qmails qmail 6 Apr 20 09:49 21
drwx-- 2 qmails qmail 6 Apr 20 09:49 22
drwx-- 2 qmails qmail 6 May  4 03:47 3
drwx-- 2 qmails qmail 6 May  5 08:34 4
drwx-- 2 qmails qmail 6 May  2 04:49 5
drwx-- 2 qmails qmail 6 May  1 07:21 6
drwx-- 2 qmails qmail 6 Apr 23 03:23 7
drwx-- 2 qmails qmail 6 May  2 04:49 8
drwx-- 2 qmails qmail 6 Apr 20 09:49 9

/var/qmail/queue/lock:
total 4
-rw--- 1 qmails qmail0 Apr 20 09:49 sendmutex
-rw-r--r-- 1 qmailr qmail 1024 Apr 27 06:08 tcpto
prw--w--w- 1 qmails qmail0 May  5 08:34 trigger

/var/qmail/queue/mess:
total 0
drwxr-x--- 2 qmailq qmail 6 May  3 03:21 0
drwxr-x---

Re: [qmailtoaster] qq soft reject with Centos 7

[Jeff Koch]

Hi Eric:

Drive space is fine - using less than half of the main disk and small 
percents of the ram disks


On 5/6/2017 8:13 PM, Eric Broch wrote:


What about drive space?


On 5/6/2017 5:33 PM, Jeff Koch wrote:

Hi Eric:

I reinstalled simscan but unfortunately that didn't help. We're still 
seeing the 451 soft rejects when simscan tries to exec qmail-queue 
after having clamav analyze attachments. We're also seeing the 'no 
envelope' deferrals. I assume you don't have these issues on your 
qmail toaster.


We tried to see if there was any pattern that distinguished emails 
with attachments that went through simscan and executed qmail-queue 
successfully and those that had an error writing to qmail-queue and 
exited with code 71. But we see no pattern.


We've removed simscan from the process until we figure this out.

Anyone know what qmail-queue error code 32 means? As in 'error 
writing msg to qmail-queue error: 32'


Let me know if anyone has ideas.

Thanks for your help

Jeff

On 5/6/2017 10:21 AM, Eric Broch wrote:


[root]#ls -ld /var/qmail/simscan
drwxr-x--- 4 clamav root 64 Apr 20 14:18 /var/qmail/simscan

[root]# ls -ld /var/qmail/simscan/*
drwxr-x--- 2 clamav root 39 Dec 23 01:26 
/var/qmail/simscan/1482481568.945036.3336
drwxr-x--- 2 clamav root 73 Dec 23 01:34 
/var/qmail/simscan/1482482077.257292.3618


yum reinstall simscan



On 5/5/2017 12:16 PM, Jeff Koch wrote:

Hi Eric:

What do your permissions look like for /var/qmail/simscan and it's 
subdirectories ?


Also, we installed everthing from the QMT install script. What's 
the procedure for removing and reinstalling simscan?


Thanks for your help.

Jeff

On 5/5/2017 1:42 PM, Eric Broch wrote:


It does look like a permission's issue. Try these steps with 
restart and reload of qmail between each step


1) Check permissions on your queue, visibly (mine below perms>).


2) Check /var/qmail/bin permissions (mine below ).

3) Remove and reinstall simscan

4) Try running one of the good queue repair tools like qfixq, 
qmail_repair.py. With these make absolutely sure qmail is OFF, and 
that there are NO straggling send processes.




[root]# ls -ld /var/qmail/queue
drwxr-x--- 11 qmailq qmail 109 Apr 20 09:49 /var/qmail/queue

[root]# ls -l /var/qmail/q*
total 16
drwx--  2 qmails qmail6 Apr 20 09:49 bounce
drwx-- 25 qmails qmail 4096 Apr 20 09:49 info
drwx--  2 qmailq qmail6 May  5 08:34 intd
drwx-- 25 qmails qmail 4096 Apr 20 09:49 local
drwxr-x---  2 qmailq qmail   48 Apr 20 12:58 lock
drwxr-x--- 25 qmailq qmail 4096 Apr 20 09:49 mess
drwx--  2 qmailq qmail6 May  5 08:34 pid
drwx-- 25 qmails qmail 4096 Apr 20 09:49 remote
drwxr-x---  2 qmailq qmail6 May  5 08:34 todo

[root]# ls -l /var/qmail/q*/*
/var/qmail/queue/bounce:
total 0

/var/qmail/queue/info:
total 0
drwx-- 2 qmails qmail 6 May  3 03:21 0
drwx-- 2 qmails qmail 6 May  3 04:52 1
drwx-- 2 qmails qmail 6 Apr 20 09:49 10
drwx-- 2 qmails qmail 6 Apr 20 09:49 11
drwx-- 2 qmails qmail 6 Apr 21 06:06 12
drwx-- 2 qmails qmail 6 Apr 20 09:49 13
drwx-- 2 qmails qmail 6 May  5 03:31 14
drwx-- 2 qmails qmail 6 Apr 20 09:49 15
drwx-- 2 qmails qmail 6 Apr 20 09:49 16
drwx-- 2 qmails qmail 6 Apr 20 09:49 17
drwx-- 2 qmails qmail 6 May  3 04:52 18
drwx-- 2 qmails qmail 6 May  5 08:34 19
drwx-- 2 qmails qmail 6 May  1 03:42 2
drwx-- 2 qmails qmail 6 May  4 03:47 20
drwx-- 2 qmails qmail 6 Apr 20 09:49 21
drwx-- 2 qmails qmail 6 Apr 20 09:49 22
drwx-- 2 qmails qmail 6 May  4 03:47 3
drwx-- 2 qmails qmail 6 May  5 08:34 4
drwx-- 2 qmails qmail 6 May  2 04:49 5
drwx-- 2 qmails qmail 6 May  1 07:21 6
drwx-- 2 qmails qmail 6 Apr 23 03:23 7
drwx-- 2 qmails qmail 6 May  2 04:49 8
drwx-- 2 qmails qmail 6 Apr 20 13:02 9

/var/qmail/queue/intd:
total 0

/var/qmail/queue/local:
total 0
drwx-- 2 qmails qmail 6 May  3 03:21 0
drwx-- 2 qmails qmail 6 May  3 04:52 1
drwx-- 2 qmails qmail 6 Apr 20 09:49 10
drwx-- 2 qmails qmail 6 Apr 20 09:49 11
drwx-- 2 qmails qmail 6 Apr 21 06:06 12
drwx-- 2 qmails qmail 6 Apr 20 09:49 13
drwx-- 2 qmails qmail 6 May  5 03:31 14
drwx-- 2 qmails qmail 6 Apr 20 09:49 15
drwx-- 2 qmails qmail 6 Apr 20 09:49 16
drwx-- 2 qmails qmail 6 Apr 20 09:49 17
drwx-- 2 qmails qmail 6 May  3 04:52 18
drwx-- 2 qmails qmail 6 May  5 08:34 19
drwx-- 2 qmails qmail 6 May  1 03:42 2
drwx-- 2 qmails qmail 6 May  4 03:47 20
drwx-- 2 qmails qmail 6 Apr 20 09:49 21
drwx-- 2 qmails qmail 6 Apr 20 09:49 22
drwx-- 2 qmails qmail 6 May  4 03:47 3
drwx-- 2 qmails qmail 6 May  5 08:34 4
drwx-- 2 qmails qmail 6 May  2 04:49 5
drwx-- 2 qmails qmail 6 May  1 07:21 6
drwx-- 2 qmails qmail 6 Apr 23 03:23 7
drwx-- 2 qmails qmail 6 May  2 04:49 8
drwx-- 2 qmails qmail 6 Apr 20 09:49 9

/var/qmail/queue/lock:
total 4
-rw---

Re: [qmailtoaster] qq soft reject with Centos 7

[Jeff Koch]

Hi Eric:

Would you happen to know where I can get the source code for the 
qmail-queue.orig. I'd like to see what error code 32 means.


Jeff

On 5/6/2017 8:13 PM, Eric Broch wrote:


What about drive space?


On 5/6/2017 5:33 PM, Jeff Koch wrote:

Hi Eric:

I reinstalled simscan but unfortunately that didn't help. We're still 
seeing the 451 soft rejects when simscan tries to exec qmail-queue 
after having clamav analyze attachments. We're also seeing the 'no 
envelope' deferrals. I assume you don't have these issues on your 
qmail toaster.


We tried to see if there was any pattern that distinguished emails 
with attachments that went through simscan and executed qmail-queue 
successfully and those that had an error writing to qmail-queue and 
exited with code 71. But we see no pattern.


We've removed simscan from the process until we figure this out.

Anyone know what qmail-queue error code 32 means? As in 'error 
writing msg to qmail-queue error: 32'


Let me know if anyone has ideas.

Thanks for your help

Jeff

On 5/6/2017 10:21 AM, Eric Broch wrote:


[root]#ls -ld /var/qmail/simscan
drwxr-x--- 4 clamav root 64 Apr 20 14:18 /var/qmail/simscan

[root]# ls -ld /var/qmail/simscan/*
drwxr-x--- 2 clamav root 39 Dec 23 01:26 
/var/qmail/simscan/1482481568.945036.3336
drwxr-x--- 2 clamav root 73 Dec 23 01:34 
/var/qmail/simscan/1482482077.257292.3618


yum reinstall simscan



On 5/5/2017 12:16 PM, Jeff Koch wrote:

Hi Eric:

What do your permissions look like for /var/qmail/simscan and it's 
subdirectories ?


Also, we installed everthing from the QMT install script. What's 
the procedure for removing and reinstalling simscan?


Thanks for your help.

Jeff

On 5/5/2017 1:42 PM, Eric Broch wrote:


It does look like a permission's issue. Try these steps with 
restart and reload of qmail between each step


1) Check permissions on your queue, visibly (mine below perms>).


2) Check /var/qmail/bin permissions (mine below ).

3) Remove and reinstall simscan

4) Try running one of the good queue repair tools like qfixq, 
qmail_repair.py. With these make absolutely sure qmail is OFF, and 
that there are NO straggling send processes.




[root]# ls -ld /var/qmail/queue
drwxr-x--- 11 qmailq qmail 109 Apr 20 09:49 /var/qmail/queue

[root]# ls -l /var/qmail/q*
total 16
drwx--  2 qmails qmail6 Apr 20 09:49 bounce
drwx-- 25 qmails qmail 4096 Apr 20 09:49 info
drwx--  2 qmailq qmail6 May  5 08:34 intd
drwx-- 25 qmails qmail 4096 Apr 20 09:49 local
drwxr-x---  2 qmailq qmail   48 Apr 20 12:58 lock
drwxr-x--- 25 qmailq qmail 4096 Apr 20 09:49 mess
drwx--  2 qmailq qmail6 May  5 08:34 pid
drwx-- 25 qmails qmail 4096 Apr 20 09:49 remote
drwxr-x---  2 qmailq qmail6 May  5 08:34 todo

[root]# ls -l /var/qmail/q*/*
/var/qmail/queue/bounce:
total 0

/var/qmail/queue/info:
total 0
drwx-- 2 qmails qmail 6 May  3 03:21 0
drwx-- 2 qmails qmail 6 May  3 04:52 1
drwx-- 2 qmails qmail 6 Apr 20 09:49 10
drwx-- 2 qmails qmail 6 Apr 20 09:49 11
drwx-- 2 qmails qmail 6 Apr 21 06:06 12
drwx-- 2 qmails qmail 6 Apr 20 09:49 13
drwx-- 2 qmails qmail 6 May  5 03:31 14
drwx-- 2 qmails qmail 6 Apr 20 09:49 15
drwx-- 2 qmails qmail 6 Apr 20 09:49 16
drwx-- 2 qmails qmail 6 Apr 20 09:49 17
drwx-- 2 qmails qmail 6 May  3 04:52 18
drwx-- 2 qmails qmail 6 May  5 08:34 19
drwx-- 2 qmails qmail 6 May  1 03:42 2
drwx-- 2 qmails qmail 6 May  4 03:47 20
drwx-- 2 qmails qmail 6 Apr 20 09:49 21
drwx-- 2 qmails qmail 6 Apr 20 09:49 22
drwx-- 2 qmails qmail 6 May  4 03:47 3
drwx-- 2 qmails qmail 6 May  5 08:34 4
drwx-- 2 qmails qmail 6 May  2 04:49 5
drwx-- 2 qmails qmail 6 May  1 07:21 6
drwx-- 2 qmails qmail 6 Apr 23 03:23 7
drwx-- 2 qmails qmail 6 May  2 04:49 8
drwx-- 2 qmails qmail 6 Apr 20 13:02 9

/var/qmail/queue/intd:
total 0

/var/qmail/queue/local:
total 0
drwx-- 2 qmails qmail 6 May  3 03:21 0
drwx-- 2 qmails qmail 6 May  3 04:52 1
drwx-- 2 qmails qmail 6 Apr 20 09:49 10
drwx-- 2 qmails qmail 6 Apr 20 09:49 11
drwx-- 2 qmails qmail 6 Apr 21 06:06 12
drwx-- 2 qmails qmail 6 Apr 20 09:49 13
drwx-- 2 qmails qmail 6 May  5 03:31 14
drwx-- 2 qmails qmail 6 Apr 20 09:49 15
drwx-- 2 qmails qmail 6 Apr 20 09:49 16
drwx-- 2 qmails qmail 6 Apr 20 09:49 17
drwx-- 2 qmails qmail 6 May  3 04:52 18
drwx-- 2 qmails qmail 6 May  5 08:34 19
drwx-- 2 qmails qmail 6 May  1 03:42 2
drwx-- 2 qmails qmail 6 May  4 03:47 20
drwx-- 2 qmails qmail 6 Apr 20 09:49 21
drwx-- 2 qmails qmail 6 Apr 20 09:49 22
drwx-- 2 qmails qmail 6 May  4 03:47 3
drwx-- 2 qmails qmail 6 May  5 08:34 4
drwx-- 2 qmails qmail 6 May  2 04:49 5
drwx-- 2 qmails qmail 6 May  1 07:21 6
drwx-- 2 qmails qmail 6 Apr 23 03:23 7
drwx-- 2 qmails qmail 6 May  2 04:49 8
drwx-- 2 qmails qmail 6 Apr 20 09:49 9

/var/q

Re: [qmailtoaster] qq soft reject with Centos 7

[Jeff Koch]

Hi Eric:

I'm pretty sure there's something wrong with my simscan and the way it 
interacts with my server. (I did start with a CentOS 7 minimal install). 
Doesn't make sense that it would lose the envelope information. That 
info is supposed to be written to a temporary file in 
/var/qmail/simscan. I don't think the setup would even accept an email 
without mailfrom and mailto info.


So, I'd like to try recompiling simscan from source. I found source code 
for version 1.4.0 at https://sourceforge.net/projects/simscan/ but it 
could be a little stale since it was last modified 10/29/2007. Is that 
the version you use? do you have a later patched version?


Also, I'd need the configure script.

Thanks, Jeff Koch


On 5/6/2017 11:06 AM, Eric Broch wrote:


Hmm... not sure.

Not sure if you a 'c' programmer but here's the code:

  if ( MailFrom[0] == 0 && RcptTo[0][0] == 0 ) {
if ( DebugFlag > 0 ) {
  fprintf(stderr, "simscan: no envelope information, deferred 
exit\n");

}
exit_clean(EXIT_454);
  }

Looks like the 'mail from' and 'rcpt to' variables are empty.


On 5/6/2017 8:58 AM, Jeff Koch wrote:

Hi Eric:

One other thing. What does it mean when we see  'simscan: no envelope 
information, deferred exit'? As in the following:



2017-05-06 09:45:11.691723500 simscan: checking attachment 
image003.png against .bat
2017-05-06 09:45:11.691723500 simscan: checking attachment 
image003.png against .pif

2017-05-06 09:45:11.691724500 simscan: cdb looking up version attach
2017-05-06 09:45:11.691724500 simscan: runned_scanners is attach: 1.4.0
2017-05-06 09:45:11.691725500 simscan: found 1.4.0
2017-05-06 09:45:11.691725500 simscan: calling clamdscan
2017-05-06 09:45:11.728577500 simscan: clamdscan: 
/var/qmail/simscan/1494081910.545549.2165: OK

2017-05-06 09:45:11.728632500 simscan: clamdscan:
2017-05-06 09:45:11.728633500 simscan: clamdscan: --- SCAN 
SUMMARY ---

2017-05-06 09:45:11.728672500 simscan: clamdscan: Infected files: 0
2017-05-06 09:45:11.728684500 simscan: clamdscan: Time: 0.034 sec (0 
m 0 s)

2017-05-06 09:45:11.728961500 simscan: cdb looking up version clamav
2017-05-06 09:45:11.728975500 simscan: runned_scanners is attach: 
1.4.0 clamav: 0.99.2/m:

2017-05-06 09:45:11.728976500 simscan: found 0.99.2/m:
2017-05-06 09:45:11.728977500 simscan: normal clamdscan return code: 0
2017-05-06 09:45:11.728998500 simscan: done, execing qmail-queue
2017-05-06 09:45:11.758794500 simscan: qmail-queue exited 0
2017-05-06 09:45:12.076061500 simscan: no envelope information, 
deferred exit

2017-05-06 09:45:12.076219500 simscan: exit error code: 54

Jeff

On 5/6/2017 10:21 AM, Eric Broch wrote:


[root]#ls -ld /var/qmail/simscan
drwxr-x--- 4 clamav root 64 Apr 20 14:18 /var/qmail/simscan

[root]# ls -ld /var/qmail/simscan/*
drwxr-x--- 2 clamav root 39 Dec 23 01:26 
/var/qmail/simscan/1482481568.945036.3336
drwxr-x--- 2 clamav root 73 Dec 23 01:34 
/var/qmail/simscan/1482482077.257292.3618


yum reinstall simscan



On 5/5/2017 12:16 PM, Jeff Koch wrote:

Hi Eric:

What do your permissions look like for /var/qmail/simscan and it's 
subdirectories ?


Also, we installed everthing from the QMT install script. What's 
the procedure for removing and reinstalling simscan?


Thanks for your help.

Jeff

On 5/5/2017 1:42 PM, Eric Broch wrote:


It does look like a permission's issue. Try these steps with 
restart and reload of qmail between each step


1) Check permissions on your queue, visibly (mine below perms>).


2) Check /var/qmail/bin permissions (mine below ).

3) Remove and reinstall simscan

4) Try running one of the good queue repair tools like qfixq, 
qmail_repair.py. With these make absolutely sure qmail is OFF, and 
that there are NO straggling send processes.




[root]# ls -ld /var/qmail/queue
drwxr-x--- 11 qmailq qmail 109 Apr 20 09:49 /var/qmail/queue

[root]# ls -l /var/qmail/q*
total 16
drwx--  2 qmails qmail6 Apr 20 09:49 bounce
drwx-- 25 qmails qmail 4096 Apr 20 09:49 info
drwx--  2 qmailq qmail6 May  5 08:34 intd
drwx-- 25 qmails qmail 4096 Apr 20 09:49 local
drwxr-x---  2 qmailq qmail   48 Apr 20 12:58 lock
drwxr-x--- 25 qmailq qmail 4096 Apr 20 09:49 mess
drwx--  2 qmailq qmail6 May  5 08:34 pid
drwx-- 25 qmails qmail 4096 Apr 20 09:49 remote
drwxr-x---  2 qmailq qmail6 May  5 08:34 todo

[root]# ls -l /var/qmail/q*/*
/var/qmail/queue/bounce:
total 0

/var/qmail/queue/info:
total 0
drwx-- 2 qmails qmail 6 May  3 03:21 0
drwx-- 2 qmails qmail 6 May  3 04:52 1
drwx-- 2 qmails qmail 6 Apr 20 09:49 10
drwx-- 2 qmails qmail 6 Apr 20 09:49 11
drwx-- 2 qmails qmail 6 Apr 21 06:06 12
drwx-- 2 qmails qmail 6 Apr 20 09:49 13
drwx-- 2 qmails qmail 6 May  5 03:31 14
drwx-- 2 qmails qmail 6 Apr 20 09:49 15
drwx-- 2 qmails qmail 6 Apr 20 09:49 16
drwx-- 2 qmails qmail 6 Apr 20 09

Re: [qmailtoaster] qq soft reject with Centos 7

[Jeff Koch]

Hi Eric:

Standby - I may have found the solution. So far simscan has been running 
for two hours without qq soft reject or envelope issue. I'll wait 
another two hours and let you know.  :)


Jeff

On 5/7/2017 7:25 PM, Eric Broch wrote:


ftp://ftp.whitehorsetc.com/pub/qmail/CentOS7/qmt/srpms/simscan-1.4.0-0.qt.src.rpm


On 5/7/2017 3:27 PM, Jeff Koch wrote:

Hi Eric:

I'm pretty sure there's something wrong with my simscan and the way 
it interacts with my server. (I did start with a CentOS 7 minimal 
install). Doesn't make sense that it would lose the envelope 
information. That info is supposed to be written to a temporary file 
in /var/qmail/simscan. I don't think the setup would even accept an 
email without mailfrom and mailto info.


So, I'd like to try recompiling simscan from source. I found source 
code for version 1.4.0 at https://sourceforge.net/projects/simscan/ 
but it could be a little stale since it was last modified 10/29/2007. 
Is that the version you use? do you have a later patched version?


Also, I'd need the configure script.

Thanks, Jeff Koch


On 5/6/2017 11:06 AM, Eric Broch wrote:


Hmm... not sure.

Not sure if you a 'c' programmer but here's the code:

  if ( MailFrom[0] == 0 && RcptTo[0][0] == 0 ) {
if ( DebugFlag > 0 ) {
  fprintf(stderr, "simscan: no envelope information, deferred 
exit\n");

}
exit_clean(EXIT_454);
  }

Looks like the 'mail from' and 'rcpt to' variables are empty.


On 5/6/2017 8:58 AM, Jeff Koch wrote:

Hi Eric:

One other thing. What does it mean when we see  'simscan: no 
envelope information, deferred exit'? As in the following:



2017-05-06 09:45:11.691723500 simscan: checking attachment 
image003.png against .bat
2017-05-06 09:45:11.691723500 simscan: checking attachment 
image003.png against .pif

2017-05-06 09:45:11.691724500 simscan: cdb looking up version attach
2017-05-06 09:45:11.691724500 simscan: runned_scanners is attach: 1.4.0
2017-05-06 09:45:11.691725500 simscan: found 1.4.0
2017-05-06 09:45:11.691725500 simscan: calling clamdscan
2017-05-06 09:45:11.728577500 simscan: clamdscan: 
/var/qmail/simscan/1494081910.545549.2165: OK

2017-05-06 09:45:11.728632500 simscan: clamdscan:
2017-05-06 09:45:11.728633500 simscan: clamdscan: --- SCAN 
SUMMARY ---

2017-05-06 09:45:11.728672500 simscan: clamdscan: Infected files: 0
2017-05-06 09:45:11.728684500 simscan: clamdscan: Time: 0.034 sec 
(0 m 0 s)

2017-05-06 09:45:11.728961500 simscan: cdb looking up version clamav
2017-05-06 09:45:11.728975500 simscan: runned_scanners is attach: 
1.4.0 clamav: 0.99.2/m:

2017-05-06 09:45:11.728976500 simscan: found 0.99.2/m:
2017-05-06 09:45:11.728977500 simscan: normal clamdscan return code: 0
2017-05-06 09:45:11.728998500 simscan: done, execing qmail-queue
2017-05-06 09:45:11.758794500 simscan: qmail-queue exited 0
2017-05-06 09:45:12.076061500 simscan: no envelope information, 
deferred exit

2017-05-06 09:45:12.076219500 simscan: exit error code: 54

Jeff

On 5/6/2017 10:21 AM, Eric Broch wrote:


[root]#ls -ld /var/qmail/simscan
drwxr-x--- 4 clamav root 64 Apr 20 14:18 /var/qmail/simscan

[root]# ls -ld /var/qmail/simscan/*
drwxr-x--- 2 clamav root 39 Dec 23 01:26 
/var/qmail/simscan/1482481568.945036.3336
drwxr-x--- 2 clamav root 73 Dec 23 01:34 
/var/qmail/simscan/1482482077.257292.3618


yum reinstall simscan



On 5/5/2017 12:16 PM, Jeff Koch wrote:

Hi Eric:

What do your permissions look like for /var/qmail/simscan and 
it's subdirectories ?


Also, we installed everthing from the QMT install script. What's 
the procedure for removing and reinstalling simscan?


Thanks for your help.

Jeff

On 5/5/2017 1:42 PM, Eric Broch wrote:


It does look like a permission's issue. Try these steps with 
restart and reload of qmail between each step


1) Check permissions on your queue, visibly (mine below perms>).


2) Check /var/qmail/bin permissions (mine below ).

3) Remove and reinstall simscan

4) Try running one of the good queue repair tools like qfixq, 
qmail_repair.py. With these make absolutely sure qmail is OFF, 
and that there are NO straggling send processes.




[root]# ls -ld /var/qmail/queue
drwxr-x--- 11 qmailq qmail 109 Apr 20 09:49 /var/qmail/queue

[root]# ls -l /var/qmail/q*
total 16
drwx--  2 qmails qmail6 Apr 20 09:49 bounce
drwx-- 25 qmails qmail 4096 Apr 20 09:49 info
drwx--  2 qmailq qmail6 May  5 08:34 intd
drwx-- 25 qmails qmail 4096 Apr 20 09:49 local
drwxr-x---  2 qmailq qmail   48 Apr 20 12:58 lock
drwxr-x--- 25 qmailq qmail 4096 Apr 20 09:49 mess
drwx--  2 qmailq qmail6 May  5 08:34 pid
drwx-- 25 qmails qmail 4096 Apr 20 09:49 remote
drwxr-x---  2 qmailq qmail6 May  5 08:34 todo

[root]# ls -l /var/qmail/q*/*
/var/qmail/queue/bounce:
total 0

/var/qmail/queue/info:
total 0
drwx-- 2 qmails qmail 6 May  3 03:21 0
drwx-- 2 qmails qmai

Re: [qmailtoaster] SOLVED - qq soft reject with Centos 7

[Jeff Koch]

Hi Eric:

The problem was the permissions and ownership of /var/qmail/simscan

I had:

drwxr-x---  2 clamav root 6 May  6 17:57 simscan/

changing this to the following fixed the problem:

drwxr-s---  2 clamav clamav 6 May  6 17:57 simscan/

I discovered this solution when I came across 'Simscan Troubleshooting' 
by John M. Simpson written in 2009 
https://qmail.jms1.net/simscan/troubleshooting.shtml.


Maybe I screwed something up on the Toaster install but the permissions 
and ownerships I had for the simscan working directory were wrong and 
resulted in missing message envelopes and sporadic inability of simscan 
to pass messages with attachments on to qmail-queue.


Eric - thanks for your help and encouragement to examine everything

Regards, Jeff Koch


On 5/7/2017 7:25 PM, Eric Broch wrote:


ftp://ftp.whitehorsetc.com/pub/qmail/CentOS7/qmt/srpms/simscan-1.4.0-0.qt.src.rpm


On 5/7/2017 3:27 PM, Jeff Koch wrote:

Hi Eric:

I'm pretty sure there's something wrong with my simscan and the way 
it interacts with my server. (I did start with a CentOS 7 minimal 
install). Doesn't make sense that it would lose the envelope 
information. That info is supposed to be written to a temporary file 
in /var/qmail/simscan. I don't think the setup would even accept an 
email without mailfrom and mailto info.


So, I'd like to try recompiling simscan from source. I found source 
code for version 1.4.0 at https://sourceforge.net/projects/simscan/ 
but it could be a little stale since it was last modified 10/29/2007. 
Is that the version you use? do you have a later patched version?


Also, I'd need the configure script.

Thanks, Jeff Koch


On 5/6/2017 11:06 AM, Eric Broch wrote:


Hmm... not sure.

Not sure if you a 'c' programmer but here's the code:

  if ( MailFrom[0] == 0 && RcptTo[0][0] == 0 ) {
if ( DebugFlag > 0 ) {
  fprintf(stderr, "simscan: no envelope information, deferred 
exit\n");

}
exit_clean(EXIT_454);
  }

Looks like the 'mail from' and 'rcpt to' variables are empty.


On 5/6/2017 8:58 AM, Jeff Koch wrote:

Hi Eric:

One other thing. What does it mean when we see  'simscan: no 
envelope information, deferred exit'? As in the following:



2017-05-06 09:45:11.691723500 simscan: checking attachment 
image003.png against .bat
2017-05-06 09:45:11.691723500 simscan: checking attachment 
image003.png against .pif

2017-05-06 09:45:11.691724500 simscan: cdb looking up version attach
2017-05-06 09:45:11.691724500 simscan: runned_scanners is attach: 1.4.0
2017-05-06 09:45:11.691725500 simscan: found 1.4.0
2017-05-06 09:45:11.691725500 simscan: calling clamdscan
2017-05-06 09:45:11.728577500 simscan: clamdscan: 
/var/qmail/simscan/1494081910.545549.2165: OK

2017-05-06 09:45:11.728632500 simscan: clamdscan:
2017-05-06 09:45:11.728633500 simscan: clamdscan: --- SCAN 
SUMMARY ---

2017-05-06 09:45:11.728672500 simscan: clamdscan: Infected files: 0
2017-05-06 09:45:11.728684500 simscan: clamdscan: Time: 0.034 sec 
(0 m 0 s)

2017-05-06 09:45:11.728961500 simscan: cdb looking up version clamav
2017-05-06 09:45:11.728975500 simscan: runned_scanners is attach: 
1.4.0 clamav: 0.99.2/m:

2017-05-06 09:45:11.728976500 simscan: found 0.99.2/m:
2017-05-06 09:45:11.728977500 simscan: normal clamdscan return code: 0
2017-05-06 09:45:11.728998500 simscan: done, execing qmail-queue
2017-05-06 09:45:11.758794500 simscan: qmail-queue exited 0
2017-05-06 09:45:12.076061500 simscan: no envelope information, 
deferred exit

2017-05-06 09:45:12.076219500 simscan: exit error code: 54

Jeff

On 5/6/2017 10:21 AM, Eric Broch wrote:


[root]#ls -ld /var/qmail/simscan
drwxr-x--- 4 clamav root 64 Apr 20 14:18 /var/qmail/simscan

[root]# ls -ld /var/qmail/simscan/*
drwxr-x--- 2 clamav root 39 Dec 23 01:26 
/var/qmail/simscan/1482481568.945036.3336
drwxr-x--- 2 clamav root 73 Dec 23 01:34 
/var/qmail/simscan/1482482077.257292.3618


yum reinstall simscan



On 5/5/2017 12:16 PM, Jeff Koch wrote:

Hi Eric:

What do your permissions look like for /var/qmail/simscan and 
it's subdirectories ?


Also, we installed everthing from the QMT install script. What's 
the procedure for removing and reinstalling simscan?


Thanks for your help.

Jeff

On 5/5/2017 1:42 PM, Eric Broch wrote:


It does look like a permission's issue. Try these steps with 
restart and reload of qmail between each step


1) Check permissions on your queue, visibly (mine below perms>).


2) Check /var/qmail/bin permissions (mine below ).

3) Remove and reinstall simscan

4) Try running one of the good queue repair tools like qfixq, 
qmail_repair.py. With these make absolutely sure qmail is OFF, 
and that there are NO straggling send processes.




[root]# ls -ld /var/qmail/queue
drwxr-x--- 11 qmailq qmail 109 Apr 20 09:49 /var/qmail/queue

[root]# ls -l /var/qmail/q*
total 16
drwx--  2 qmails qmail6 

Re: [qmailtoaster] SOLVED - qq soft reject with Centos 7

[Jeff Koch]

Hi Eric:

My toaster does not have a simscan group (/etc/group). Does yours? Is 
that in the setup script?


Jeff

On 5/8/2017 1:20 AM, Eric Broch wrote:


Interesting. I'm glad that this worked out for you. It's intriguing 
because we should have been seeing this issue in CentOS 5/6/7 for some 
time to the same degree as you have experience. The permissions have 
been the same across all these platforms.


All of my installations have permissions "drwxr-x---  2 clamav 
root 6 May  6 17:57 simscan/".


And no other installation on the list is having issues like this..., 
BUT, I will keep this in mind.


Did you also change clamav to be  a member of the simscan group?

Also, I might experiment with the changes you've made on my 
installations, and if it works, change the rpm install accordingly.



On 5/7/2017 8:37 PM, Jeff Koch wrote:

Hi Eric:

The problem was the permissions and ownership of /var/qmail/simscan

I had:

drwxr-x---  2 clamav root 6 May  6 17:57 simscan/

changing this to the following fixed the problem:

drwxr-s---  2 clamav clamav 6 May  6 17:57 simscan/

I discovered this solution when I came across 'Simscan 
Troubleshooting' by John M. Simpson written in 2009 
https://qmail.jms1.net/simscan/troubleshooting.shtml.


Maybe I screwed something up on the Toaster install but the 
permissions and ownerships I had for the simscan working directory 
were wrong and resulted in missing message envelopes and sporadic 
inability of simscan to pass messages with attachments on to qmail-queue.


Eric - thanks for your help and encouragement to examine everything

Regards, Jeff Koch


On 5/7/2017 7:25 PM, Eric Broch wrote:


ftp://ftp.whitehorsetc.com/pub/qmail/CentOS7/qmt/srpms/simscan-1.4.0-0.qt.src.rpm


On 5/7/2017 3:27 PM, Jeff Koch wrote:

Hi Eric:

I'm pretty sure there's something wrong with my simscan and the way 
it interacts with my server. (I did start with a CentOS 7 minimal 
install). Doesn't make sense that it would lose the envelope 
information. That info is supposed to be written to a temporary 
file in /var/qmail/simscan. I don't think the setup would even 
accept an email without mailfrom and mailto info.


So, I'd like to try recompiling simscan from source. I found source 
code for version 1.4.0 at https://sourceforge.net/projects/simscan/ 
but it could be a little stale since it was last modified 
10/29/2007. Is that the version you use? do you have a later 
patched version?


Also, I'd need the configure script.

Thanks, Jeff Koch


On 5/6/2017 11:06 AM, Eric Broch wrote:


Hmm... not sure.

Not sure if you a 'c' programmer but here's the code:

  if ( MailFrom[0] == 0 && RcptTo[0][0] == 0 ) {
if ( DebugFlag > 0 ) {
  fprintf(stderr, "simscan: no envelope information, deferred 
exit\n");

}
exit_clean(EXIT_454);
  }

Looks like the 'mail from' and 'rcpt to' variables are empty.


On 5/6/2017 8:58 AM, Jeff Koch wrote:

Hi Eric:

One other thing. What does it mean when we see 'simscan: no 
envelope information, deferred exit'? As in the following:



2017-05-06 09:45:11.691723500 simscan: checking attachment 
image003.png against .bat
2017-05-06 09:45:11.691723500 simscan: checking attachment 
image003.png against .pif

2017-05-06 09:45:11.691724500 simscan: cdb looking up version attach
2017-05-06 09:45:11.691724500 simscan: runned_scanners is  
attach: 1.4.0

2017-05-06 09:45:11.691725500 simscan: found 1.4.0
2017-05-06 09:45:11.691725500 simscan: calling clamdscan
2017-05-06 09:45:11.728577500 simscan: clamdscan: 
/var/qmail/simscan/1494081910.545549.2165: OK

2017-05-06 09:45:11.728632500 simscan: clamdscan:
2017-05-06 09:45:11.728633500 simscan: clamdscan: --- 
SCAN SUMMARY ---

2017-05-06 09:45:11.728672500 simscan: clamdscan: Infected files: 0
2017-05-06 09:45:11.728684500 simscan: clamdscan: Time: 0.034 sec 
(0 m 0 s)

2017-05-06 09:45:11.728961500 simscan: cdb looking up version clamav
2017-05-06 09:45:11.728975500 simscan: runned_scanners is  
attach: 1.4.0 clamav: 0.99.2/m:

2017-05-06 09:45:11.728976500 simscan: found 0.99.2/m:
2017-05-06 09:45:11.728977500 simscan: normal clamdscan return 
code: 0

2017-05-06 09:45:11.728998500 simscan: done, execing qmail-queue
2017-05-06 09:45:11.758794500 simscan: qmail-queue exited 0
2017-05-06 09:45:12.076061500 simscan: no envelope information, 
deferred exit

2017-05-06 09:45:12.076219500 simscan: exit error code: 54

Jeff

On 5/6/2017 10:21 AM, Eric Broch wrote:


[root]#ls -ld /var/qmail/simscan
drwxr-x--- 4 clamav root 64 Apr 20 14:18 /var/qmail/simscan

[root]# ls -ld /var/qmail/simscan/*
drwxr-x--- 2 clamav root 39 Dec 23 01:26 
/var/qmail/simscan/1482481568.945036.3336
drwxr-x--- 2 clamav root 73 Dec 23 01:34 
/var/qmail/simscan/1482482077.257292.3618


yum reinstall simscan



On 5/5/2017 12:16 PM, Jeff Koch wrote:

Hi Eric:

What do your

Re: [qmailtoaster] SOLVED - qq soft reject with Centos 7

[Jeff Koch]

Hi Eric:

I surmised from John's webpage that since I didn't have the simscan 
group that we could use clamav as the group owner since simscan runs as 
suid clamav.  But to tell you the truth I don't understand what setguid 
does to a directory despite having read the wikipedia entry 6 times. 
Perhaps some group other than clamav is writing the attachment and addr 
slices associated with a message and qmail-queue can't read those files 
unless /var/qmail/simscan is setguid clamav. But I'm just happy it works.


Jeff

On 5/8/2017 10:43 AM, Eric Broch wrote:


Hi Jeff:

No to both questions...just wanted to know your full procedure next 
time this issue raises its ugly head. It seems that when it does come 
up the answer to it is difficult to nail down. Your's (or John's) may 
well solve most of them, hopefully.


Anyway, I'm VERY happy that you found the solution. John Simpson's 
site has been very helpful to me as well.


Eric



On 5/8/2017 8:32 AM, Jeff Koch wrote:

Hi Eric:

My toaster does not have a simscan group (/etc/group). Does yours? Is 
that in the setup script?


Jeff

On 5/8/2017 1:20 AM, Eric Broch wrote:


Interesting. I'm glad that this worked out for you. It's intriguing 
because we should have been seeing this issue in CentOS 5/6/7 for 
some time to the same degree as you have experience. The permissions 
have been the same across all these platforms.


All of my installations have permissions "drwxr-x---  2 clamav 
root 6 May  6 17:57 simscan/".


And no other installation on the list is having issues like this..., 
BUT, I will keep this in mind.


Did you also change clamav to be  a member of the simscan group?

Also, I might experiment with the changes you've made on my 
installations, and if it works, change the rpm install accordingly.



On 5/7/2017 8:37 PM, Jeff Koch wrote:

Hi Eric:

The problem was the permissions and ownership of /var/qmail/simscan

I had:

drwxr-x---  2 clamav root 6 May  6 17:57 simscan/

changing this to the following fixed the problem:

drwxr-s---  2 clamav clamav 6 May  6 17:57 simscan/

I discovered this solution when I came across 'Simscan 
Troubleshooting' by John M. Simpson written in 2009 
https://qmail.jms1.net/simscan/troubleshooting.shtml.


Maybe I screwed something up on the Toaster install but the 
permissions and ownerships I had for the simscan working directory 
were wrong and resulted in missing message envelopes and sporadic 
inability of simscan to pass messages with attachments on to 
qmail-queue.


Eric - thanks for your help and encouragement to examine everything

Regards, Jeff Koch


On 5/7/2017 7:25 PM, Eric Broch wrote:


ftp://ftp.whitehorsetc.com/pub/qmail/CentOS7/qmt/srpms/simscan-1.4.0-0.qt.src.rpm


On 5/7/2017 3:27 PM, Jeff Koch wrote:

Hi Eric:

I'm pretty sure there's something wrong with my simscan and the 
way it interacts with my server. (I did start with a CentOS 7 
minimal install). Doesn't make sense that it would lose the 
envelope information. That info is supposed to be written to a 
temporary file in /var/qmail/simscan. I don't think the setup 
would even accept an email without mailfrom and mailto info.


So, I'd like to try recompiling simscan from source. I found 
source code for version 1.4.0 at 
https://sourceforge.net/projects/simscan/ but it could be a 
little stale since it was last modified 10/29/2007. Is that the 
version you use? do you have a later patched version?


Also, I'd need the configure script.

Thanks, Jeff Koch


On 5/6/2017 11:06 AM, Eric Broch wrote:


Hmm... not sure.

Not sure if you a 'c' programmer but here's the code:

  if ( MailFrom[0] == 0 && RcptTo[0][0] == 0 ) {
if ( DebugFlag > 0 ) {
  fprintf(stderr, "simscan: no envelope information, 
deferred exit\n");

}
exit_clean(EXIT_454);
  }

Looks like the 'mail from' and 'rcpt to' variables are empty.


On 5/6/2017 8:58 AM, Jeff Koch wrote:

Hi Eric:

One other thing. What does it mean when we see 'simscan: no 
envelope information, deferred exit'? As in the following:



2017-05-06 09:45:11.691723500 simscan: checking attachment 
image003.png against .bat
2017-05-06 09:45:11.691723500 simscan: checking attachment 
image003.png against .pif
2017-05-06 09:45:11.691724500 simscan: cdb looking up version 
attach
2017-05-06 09:45:11.691724500 simscan: runned_scanners is  
attach: 1.4.0

2017-05-06 09:45:11.691725500 simscan: found 1.4.0
2017-05-06 09:45:11.691725500 simscan: calling clamdscan
2017-05-06 09:45:11.728577500 simscan: clamdscan: 
/var/qmail/simscan/1494081910.545549.2165: OK

2017-05-06 09:45:11.728632500 simscan: clamdscan:
2017-05-06 09:45:11.728633500 simscan: clamdscan: --- 
SCAN SUMMARY ---

2017-05-06 09:45:11.728672500 simscan: clamdscan: Infected files: 0
2017-05-06 09:45:11.728684500 simscan: clamd

[qmailtoaster] Random delivery of bounces

[Jeff Koch]

Hi Eric or List - maybe you can help with this puzzle.

We had an email account user whose username and password got to a 
spammer. The spammer then sent out thousands of spams from our email 
server using our user's credential. We caught the situation midway. To 
stop the spamming we disabled the user's SMTP access stopped qmail and 
then deleted everything from the all the queue folders.


We are now getting numerous failure notices from the server's 
MAILER-DAEMON (which is odd because we had cleared the qmail queue) and 
they are being attached to emails that were not the spam and sent to 
user's that never did the spamming. We can't understand why this is 
happening since after having stopped qmail and cleared the queue there 
should have been nothing in the pipeline trying to be sent and if there 
was a bounce-back it should have gone to the user whose credentials were 
used originally to send out the spam.


Any ideas? Is email in the process of making multiple attempts at 
sending being stored or queued outside of the qmail queue?


Jeff

Re: [qmailtoaster] Random delivery of bounces

[Jeff Koch]

HI Eric:

Yup we changed passwords and did all the restarts. Turns out when I 
cleared the queue I neglected to clear the 'bounce' folder. Looks like 
those are the files applying themselves to other user's emails.


I just went through deleted everything in the bounce folder - that 
should put a stop to the failure notices.


Jeff


On 5/12/2017 10:41 PM, Eric Broch wrote:


First off, I'd simply change the offending user's password and restart 
qmail and dovecot. This will stop the spammer.


I'll have to give the rest some thought.


On 5/12/2017 8:28 PM, Jeff Koch wrote:


Hi Eric or List - maybe you can help with this puzzle.

We had an email account user whose username and password got to a 
spammer. The spammer then sent out thousands of spams from our email 
server using our user's credential. We caught the situation midway. 
To stop the spamming we disabled the user's SMTP access stopped qmail 
and then deleted everything from the all the queue folders.


We are now getting numerous failure notices from the server's 
MAILER-DAEMON (which is odd because we had cleared the qmail queue) 
and they are being attached to emails that were not the spam and sent 
to user's that never did the spamming. We can't understand why this 
is happening since after having stopped qmail and cleared the queue 
there should have been nothing in the pipeline trying to be sent and 
if there was a bounce-back it should have gone to the user whose 
credentials were used originally to send out the spam.


Any ideas? Is email in the process of making multiple attempts at 
sending being stored or queued outside of the qmail queue?


Jeff


--
Eric Broch
White Horse Technical Consulting (WHTC)

[qmailtoaster] Cannot sign message due to invalid message syntax

[Jeff Koch]

Hi Eric/List

We're seeing a number of these errors in the smtp log. Users are also 
reporting seeing some of these responses. Is there a recommended fix?


554 qmail-dk: Cannot sign message due to invalid message syntax (#5.3.0)

I came across this suggestion after Googling the error:

Disable domain keys:

rm -f /var/qmail/bin/qmail-queue
ln -s /var/qmail/bin/qmail-queue.orig /var/qmail/bin/qmail-queue


Regards, Jeff Koch

[qmailtoaster] Qmail - Can't find host

[Jeff Koch]

This is interesting and maybe I'm overthinking this but on all of my 
qmail toaster servers (three old Bill's Toaster and one new QMT server) 
when I try to send an email to this address or any address at the domain 
grupodecor.com I get:


:
Sorry, I couldn't find any host named grupodecor.com. (#5.1.2)

I can do an nslookup on the mailservers and get the MX record

nslookup -q=mx grupodecor.com

Non-authoritative answer:
grupodecor.com  mail exchanger = 0 
grupodecor-com.mail.protection.outlook.com.


and,

nslookup grupodecor.com

Non-authoritative answer:
Name:   grupodecor.com
Address: 34.194.244.120

Can anyone help explain this?

Thanks, Jeff

[qmailtoaster] qmail - couldn't find any host named grupodecor.com

[Jeff Koch]

I'm having trouble sending email to anyone at grupodecor.com. All of my 
qmail mailservers say:


Sorry, I couldn't find any host named grupodecor.com. (#5.1.2)

And yet I can send from my hotmail account and the MX host - 
grupodecor-com.mail.protection.outlook.com - responds to smtp 
connections. Try sending an email to anyone at that domain ( like 
ab...@grupodecor.com )


Anyone know why thisis happening?

Jeff

Re: [qmailtoaster] qmail - couldn't find any host named grupodecor.com

[Jeff Koch]

Hi Boheme:

Sorry If I was rude - I do appreciate your response on 6/12 and I 
considered the two solutions you recommended.


With respect to routing the mail through mailcleaner - if I understand 
the purpose of this recommendation - I don't think the problem has 
anything to the contents of the email we are trying to send. Qmail is 
saying that it couldn't find any host named grupodecor.com. So it's an 
issue on the side of our sending mailserver and I'd really like to 
understand how our mailserver came to that conclusion - what exactly is 
qmail testing to determine that.


With respect to your second recommendation about installing djbdns we 
already have a BIND server running on our network and I prefer not to 
install another DNS server ( I will if I absolutely have to.)


The problem here does not seem to be related to Outlook 365 since we are 
able to send email to many other domains with email hosted by Outlook.


I really would like to understand what's going on in the qmail code that 
is causing qmail to come to the conclusion that it can't find this host. 
( What exactly does qmail mean by 'host' ? Does this mean qmail can't 
find the DNS zone? Can't find an 'A' record or host? Can't find the MX 
record or host?)


Jeff



On 6/20/2017 11:34 PM, Boheme wrote:

I replied with two solutions to this problem on 6/12.

You never replied, so I have no idea whether you tried my suggestions.

-Sent from my Pip-Boy 3000

On Jun 20, 2017, at 8:10 PM, Jeff Koch <mailto:jeffk...@intersessions.com>> wrote:




I'm having trouble sending email to anyone at grupodecor.com 
<http://grupodecor.com>. All of my qmail mailservers say:


Sorry, I couldn't find any host named grupodecor.com 
<http://grupodecor.com>. (#5.1.2)


And yet I can send from my hotmail account and the MX host - 
grupodecor-com.mail.protection.outlook.com 
<http://grupodecor-com.mail.protection.outlook.com> - responds to 
smtp connections. Try sending an email to anyone at that domain ( 
like ab...@grupodecor.com <http://grupodecor.com> )


Anyone know why thisis happening?

Jeff

Re: [qmailtoaster] qmail - couldn't find any host named grupodecor.com

[Jeff Koch]

Hi Tonino - thanks for finding that out. Some qmail servers seem able to 
deal with this - the ones we have don't.


Jeff

On 6/21/2017 10:45 AM, Tonix - Antonio Nati wrote:

It looks like nameservers of grupodecor.com do not answer to TCP queries.

http://dnscheck.pingdom.com/?domain=grupodecor.com×tamp=1498055971&view=1

Regards,

Tonino

Il 21/06/2017 14:01, Jeff Koch ha scritto:

Hi Boheme:

Sorry If I was rude - I do appreciate your response on 6/12 and I 
considered the two solutions you recommended.


With respect to routing the mail through mailcleaner - if I 
understand the purpose of this recommendation - I don't think the 
problem has anything to the contents of the email we are trying to 
send. Qmail is saying that it couldn't find any host named 
grupodecor.com. So it's an issue on the side of our sending 
mailserver and I'd really like to understand how our mailserver came 
to that conclusion - what exactly is qmail testing to determine that.


With respect to your second recommendation about installing djbdns we 
already have a BIND server running on our network and I prefer not to 
install another DNS server ( I will if I absolutely have to.)


The problem here does not seem to be related to Outlook 365 since we 
are able to send email to many other domains with email hosted by 
Outlook.


I really would like to understand what's going on in the qmail code 
that is causing qmail to come to the conclusion that it can't find 
this host. ( What exactly does qmail mean by 'host' ? Does this mean 
qmail can't find the DNS zone? Can't find an 'A' record or host? 
Can't find the MX record or host?)


Jeff



On 6/20/2017 11:34 PM, Boheme wrote:

I replied with two solutions to this problem on 6/12.

You never replied, so I have no idea whether you tried my suggestions.

-Sent from my Pip-Boy 3000

On Jun 20, 2017, at 8:10 PM, Jeff Koch <mailto:jeffk...@intersessions.com>> wrote:




I'm having trouble sending email to anyone at grupodecor.com 
<http://grupodecor.com>. All of my qmail mailservers say:


Sorry, I couldn't find any host named grupodecor.com 
<http://grupodecor.com>. (#5.1.2)


And yet I can send from my hotmail account and the MX host - 
grupodecor-com.mail.protection.outlook.com 
<http://grupodecor-com.mail.protection.outlook.com> - responds to 
smtp connections. Try sending an email to anyone at that domain ( 
like ab...@grupodecor.com <http://grupodecor.com> )


Anyone know why thisis happening?

Jeff





--

 Inter@zioniInterazioni di Antonio Nati
http://www.interazioni.it   to...@interazioni.it

Re: [qmailtoaster] qmail - couldn't find any host named grupodecor.com

[Jeff Koch]

Hi Chris:

Thank you for troubleshooting this. Adding 'edns no' to our BIND dns 
server looks like a great solution to the issue. I'll give it a try and 
let you know.


Thanks, Jeff

On 6/21/2017 12:09 PM, Chris wrote:

Howdy Jeff,

  My apologies.  I guess I should have gone into more technical 
detail, rather than just supplying solutions. My original reply was 
sent from my iPhone, and I was just trying to get you a quick solution 
while I was on a train.


  First one bit of explanation, then the meat of it all, and a new 
third option you can implement:  The reason I routed email through 
mailcleaner had nothing to do with the content of the email. It had to 
do with mailcleaner not using qmail under the hood, and therefore not 
having the same problem with the returned DNS for the outlook hosted 
domain I was trying to mail to.  The particular email server I applied 
the mailcleaner fix to is an OLD FreeBSD box that I'm in the process 
of replacing, and as such I didn't want to waste time shoehorning in a 
new DNS server when I had a ready fix available.  Again, not a content 
issue, just trying to get qmail/BIND out of the equation.


  So, the crux of my issue was that qmail doesn't like it when a DNS 
query returns more than 512 bytes of data.  There is another issue, 
solved the same way, where some name servers give a malformed response 
when edns is enabled.  qmail doesn't try to figure out malformed 
responses, as that would go against its philosophy.  This can be seen 
in the thread that Eric sent you on 6/12 
(https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg40505.html 
<https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg40505.html>) 
where one of the viable solutions was to disable the edns option in 
the bind config.  (So, solution #3:  Add "edns no;" to the server 
block in your bind config of the dns server that your qmailtoaster is 
using for resolution.)


qmail's issue with large DNS packets is also documented here: 
https://www.webfactory.de/blog/patch-qmail-in-ubuntu-to-avoid-cname-lookup-failed-temporarily-errors
  The crux of the above post was an issue with CNAME responses, but 
that's not what's happening to you.


In troubleshooting the domain you were trying to send to, 
grupodecor.com <http://grupodecor.com>, I discovered something very 
interesting.  The DNSSEC analysis tool at 
http://dnsviz.net/d/grupodecor.com/dnssec/ reported the following:  
"grupodecor.com/A <http://grupodecor.com/A>: *The response (160 bytes) 
was malformed until EDNS was disabled.* (34.194.232.55, 34.197.49.47, 
34.197.219.118, 52.207.176.29, 54.236.164.22, 54.236.167.176, 
54.236.168.41, UDP_0_EDNS0_32768_4096)"


So, there is something borked with the DNS at grupodecor.com 
<http://grupodecor.com> when the querying server has edns enabled.  My 
suggestion of using djbdns works because djbdns
doesn't do edns.  My suggestion of relaying through something like 
mailcleaner works because it isn't running qmail and doesn't flat out 
reject the malformed response the way qmail does.  The latest 
suggestion of turning off edns in your bind server will work because 
it won't ask for edns responses anymore.


Does that help explain the why's of this issue?

-Chris


-Sent from my Pip-Boy 3000

On Jun 21, 2017, at 5:01 AM, Jeff Koch <mailto:jeffk...@intersessions.com>> wrote:



Hi Boheme:

Sorry If I was rude - I do appreciate your response on 6/12 and I 
considered the two solutions you recommended.


With respect to routing the mail through mailcleaner - if I 
understand the purpose of this recommendation - I don't think the 
problem has anything to the contents of the email we are trying to 
send. Qmail is saying that it couldn't find any host named 
grupodecor.com <http://grupodecor.com>. So it's an issue on the side 
of our sending mailserver and I'd really like to understand how our 
mailserver came to that conclusion - what exactly is qmail testing to 
determine that.


With respect to your second recommendation about installing djbdns we 
already have a BIND server running on our network and I prefer not to 
install another DNS server ( I will if I absolutely have to.)


The problem here does not seem to be related to Outlook 365 since we 
are able to send email to many other domains with email hosted by 
Outlook.


I really would like to understand what's going on in the qmail code 
that is causing qmail to come to the conclusion that it can't find 
this host. ( What exactly does qmail mean by 'host' ? Does this mean 
qmail can't find the DNS zone? Can't find an 'A' record or host? 
Can't find the MX record or host?)


Jeff



On 6/20/2017 11:34 PM, Boheme wrote:

I replied with two solutions to this problem on 6/12.

You never replied, so I have no idea whether you

Re: [qmailtoaster] qmail - couldn't find any host named grupodecor.com

[Jeff Koch]

Hi Chris:

Was out-of-town for a week.

We tried the

server 0.0.0.0/0 {
   edns no;
}

in our BIND and although we were able to receive email from 
grupedecor.com a bunch of other websites failed. Is there a way to 
restrict the 'edns no' to a particular sending domain? And what server 
IP address goes into that directive - the IP of the MX record or the IP 
of the DNS server for grupodecor.com?


Thanks, Jeff



On 6/21/2017 9:27 PM, Chris wrote:

Hi Jeff,

  Let me know how it goes.  I've been playing with adding the 
following block to various nameservers in my network, with mixed success:


server0.0.0.0/0 <http://0.0.0.0/0>  {
edns no;
};

Adding the above block to the instance of BIND that resides on my 
qmail server, and setting 127.0.0.1 as the primary nameserver in 
/etc/resolv.conf worked.


Adding that same block to my ns1 and ns2 nameservers, that are used 
for recursive lookups within my network, was a complete bust.  Still 
experimenting with that.


-Chris

On Wed, Jun 21, 2017 at 6:18 PM, Jeff Koch <mailto:jeffk...@intersessions.com>> wrote:


Hi Chris:

Thank you for troubleshooting this. Adding 'edns no' to our BIND
dns server looks like a great solution to the issue. I'll give it
a try and let you know.

Thanks, Jeff

On 6/21/2017 12:09 PM, Chris wrote:

Howdy Jeff,

My apologies.  I guess I should have gone into more technical
detail, rather than just supplying solutions. My original reply
was sent from my iPhone, and I was just trying to get you a quick
solution while I was on a train.

  First one bit of explanation, then the meat of it all, and a
new third option you can implement:  The reason I routed email
through mailcleaner had nothing to do with the content of the
email. It had to do with mailcleaner not using qmail under the
hood, and therefore not having the same problem with the returned
DNS for the outlook hosted domain I was trying to mail to.  The
particular email server I applied the mailcleaner fix to is an
OLD FreeBSD box that I'm in the process of replacing, and as such
I didn't want to waste time shoehorning in a new DNS server when
I had a ready fix available.  Again, not a content issue, just
trying to get qmail/BIND out of the equation.

  So, the crux of my issue was that qmail doesn't like it when a
DNS query returns more than 512 bytes of data.  There is another
issue, solved the same way, where some name servers give a
malformed response when edns is enabled.  qmail doesn't try to
figure out malformed responses, as that would go against its
philosophy.  This can be seen in the thread that Eric sent you on
6/12

(https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg40505.html

<https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg40505.html>)
where one of the viable solutions was to disable the edns option
in the bind config. (So, solution #3:  Add "edns no;" to the
server block in your bind config of the dns server that your
qmailtoaster is using for resolution.)

qmail's issue with large DNS packets is also documented here:

https://www.webfactory.de/blog/patch-qmail-in-ubuntu-to-avoid-cname-lookup-failed-temporarily-errors

<https://www.webfactory.de/blog/patch-qmail-in-ubuntu-to-avoid-cname-lookup-failed-temporarily-errors>
The crux of the above post was an issue with CNAME responses, but
that's not what's happening to you.

In troubleshooting the domain you were trying to send to,
grupodecor.com <http://grupodecor.com>, I discovered something
very interesting. The DNSSEC analysis tool at
http://dnsviz.net/d/grupodecor.com/dnssec/
<http://dnsviz.net/d/grupodecor.com/dnssec/> reported the
following:  "grupodecor.com/A <http://grupodecor.com/A>: *The
response (160 bytes) was malformed until EDNS was disabled.*
(34.194.232.55, 34.197.49.47, 34.197.219.118, 52.207.176.29,
54.236.164.22, 54.236.167.176, 54.236.168.41,
UDP_0_EDNS0_32768_4096)"

So, there is something borked with the DNS at grupodecor.com
<http://grupodecor.com> when the querying server has edns
enabled.  My suggestion of using djbdns works because djbdns
doesn't do edns.  My suggestion of relaying through something
like mailcleaner works because it isn't running qmail and doesn't
flat out reject the malformed response the way qmail does. The
latest suggestion of turning off edns in your bind server will
work because it won't ask for edns responses anymore.

Does that help explain the why's of this issue?

-Chris


-Sent from my Pip-Boy 3000

On Jun 21, 2017, at 5:01 AM, Jeff Koch
mailto:jeffk...@intersessions.com>>
wrote:


Hi Boheme:

Re: [qmailtoaster] DomainKeys error rejecting mail

[Jeff Koch]

Hi Roxanne:

Try using:

http://www.appmaildev.com/en/dkim

to test the DKIM information in your emails. They give a fairly detailed 
analysis that should help you figure this out.


Jeff


On 7/26/2017 7:03 PM, Roxanne Sandesara wrote:

I have a user trying to send emails to my server from their ISP to go through a 
mailing list my server is hosting. I have previously added the user’s email 
address to spamdyke’s whitelist. However, that no longer seems sufficient to 
deal with this problem.

 From /var/log/qmail/smtp/current:

2017-07-26 18:02:53.023764500 policy_check: policy allows transmission
2017-07-26 18:02:53.377824500 simscan:[10795]:CLEAN 
(1.20/12.00):0.3534s::209.86.89.65:@earthlink.net:gvmi...@golem-computing.com
2017-07-26 18:02:53.379325500 qmail-smtpd: qq hard reject (DomainKeys verify status: 
bad format   (#5.3.0)): MAILFROM: 
RCPTTO:gvmi...@golem-computing.com


Pursuant to emails recently to the list, here’s what I can find in 
/var/log/maillog:

Jul 26 18:02:53 mail clamd[3341]: 
/var/qmail/simscan/1501106573.24430.10797/msg.1501106573.24430.10797: OK
Jul 26 18:02:53 mail clamd[3341]: 
/var/qmail/simscan/1501106573.24430.10797/addr.1501106573.24430.10797: OK
Jul 26 18:02:53 mail clamd[3341]: 
/var/qmail/simscan/1501106573.24430.10797/text file0: OK
Jul 26 18:02:53 mail clamd[3341]: 
/var/qmail/simscan/1501106573.24430.10797/text file1: OK
Jul 26 18:02:53 mail clamd[3341]: 
/var/qmail/simscan/1501106573.24430.10797/text file2: OK
Jul 26 18:02:53 mail spamd[14603]: spamd: connection from localhost [::1]:35784 
to port 783, fd 5
Jul 26 18:02:53 mail spamd[14603]: spamd: processing message 
<000b01d3065a$e66cf540$b346dfc0$@earthlink.net> for clamav:89
Jul 26 18:02:53 mail spamd[14603]: spamd: clean message (1.2/5.0) for clamav:89 
in 0.2 seconds, 10946 bytes.
Jul 26 18:02:53 mail spamd[14603]: spamd: result: . 1 - 
AWL,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RDNS_NONE 
scantime=0.2,size=10946,user=clamav,uid=
89,required_score=5.0,rhost=localhost,raddr=::1,rport=35784,mid=<000b01d3065a$e66cf540$b346dfc0$@earthlink.net>,autolearn=no
 autolearn_force=no
Jul 26 18:02:53 mail spamdyke[10791]: DENIED_OTHER from: 
@earthlink.net to: gvmi...@golem-computing.com origin_ip: 
209.86.89.65 origin_rdns: elasmtp-kukur.atl.sa.earthlink.net auth: (unknown) 
encryption: TLS reason: 554_DomainKeys_verify_status:_bad_format___(#5.3.0)
Jul 26 18:02:53 mail spamd[14603]: spamd: processing message 
<000b01d3065a$e66cf540$b346dfc0$@earthlink.net> for clamav:89
Jul 26 18:02:53 mail spamd[14603]: spamd: clean message (1.2/5.0) for 
clamav:89in 0.2 seconds, 10946 bytes.
Jul 26 18:02:53 mail spamd[14603]: spamd: result: . 1 - 
AWL,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RDNS_NONE 
scantime=0.2,size=10946,user=clamav,uid=89,required_score=5.0,rhost=localhost,raddr=::1,rport=35784,mid=<000b01d3065a$e66cf540$b346dfc0$@earthlink.net>,autolearn=no
 autolearn_force=no
Jul 26 18:02:53 mail spamdyke[10791]: DENIED_OTHER from: 
@earthlink.net to: gvmi...@golem-computing.com origin_ip: 
209.86.89.65 origin_rdns: elasmtp-kukur.atl.sa.earthlink.net auth: (unknown) 
encryption: TLS reason: 554_DomainKeys_verify_status:_bad_format___(#5.3.0)
Jul 26 18:02:53 mail spamd[14575]: prefork: child states: II


Obviously, I would prefer to keep Spamdyke in place if possible to cut down on 
the veritable torrent of spam going on out there. What can I do to bypass this 
so that my user can properly send out their messages? As it is, the server 
rejects their original send, so the mailing list never sends back the 
confirmation, and the message thusly never goes out.




-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com

Re: [qmailtoaster] DomainKeys error rejecting mail

[Jeff Koch]

Sorry - misunderstood - Jeff


On 7/26/2017 8:31 PM, Roxanne Sandesara wrote:

Jeff —

These aren’t my emails that are being rejected. These aren’t messages 
coming from an account on my server. These are emails coming from a 
client’s ISP into my server; I have no control over their servers and 
no way to make changes to whatever is wrong.


What I need is a way to bypass this, but ONLY for this client’s emails.

On Jul 26, 2017, at 8:16 PM, Jeff Koch <mailto:jeffk...@intersessions.com>> wrote:


Hi Roxanne:

Try using:

http://www.appmaildev.com/en/dkim

to test the DKIM information in your emails. They give a fairly 
detailed analysis that should help you figure this out.


Jeff


On 7/26/2017 7:03 PM, Roxanne Sandesara wrote:

I have a user trying to send emails to my server from their ISP to go through a 
mailing list my server is hosting. I have previously added the user’s email 
address to spamdyke’s whitelist. However, that no longer seems sufficient to 
deal with this problem.

 From /var/log/qmail/smtp/current:

2017-07-26 18:02:53.023764500 policy_check: policy allows transmission
2017-07-26 18:02:53.377824500 simscan:[10795]:CLEAN 
(1.20/12.00):0.3534s::209.86.89.65:@earthlink.net:gvmi...@golem-computing.com
 <mailto:gvmi...@golem-computing.com>
2017-07-26 18:02:53.379325500 qmail-smtpd: qq hard reject (DomainKeys verify status: 
bad format   (#5.3.0)): MAILFROM:  
RCPTTO:gvmi...@golem-computing.com


Pursuant to emails recently to the list, here’s what I can find in 
/var/log/maillog:

Jul 26 18:02:53 mail clamd[3341]: 
/var/qmail/simscan/1501106573.24430.10797/msg.1501106573.24430.10797: OK
Jul 26 18:02:53 mail clamd[3341]: 
/var/qmail/simscan/1501106573.24430.10797/addr.1501106573.24430.10797: OK
Jul 26 18:02:53 mail clamd[3341]: 
/var/qmail/simscan/1501106573.24430.10797/text file0: OK
Jul 26 18:02:53 mail clamd[3341]: 
/var/qmail/simscan/1501106573.24430.10797/text file1: OK
Jul 26 18:02:53 mail clamd[3341]: 
/var/qmail/simscan/1501106573.24430.10797/text file2: OK
Jul 26 18:02:53 mail spamd[14603]: spamd: connection from localhost [::1]:35784 
to port 783, fd 5
Jul 26 18:02:53 mail spamd[14603]: spamd: processing 
message<000b01d3065a$e66cf540$b346dfc0$@earthlink.net>  for clamav:89
Jul 26 18:02:53 mail spamd[14603]: spamd: clean message (1.2/5.0) for clamav:89 
in 0.2 seconds, 10946 bytes.
Jul 26 18:02:53 mail spamd[14603]: spamd: result: . 1 - 
AWL,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RDNS_NONE 
scantime=0.2,size=10946,user=clamav,uid=
89,required_score=5.0,rhost=localhost,raddr=::1,rport=35784,mid=<000b01d3065a$e66cf540$b346dfc0$@earthlink.net>,autolearn=no
 autolearn_force=no
Jul 26 18:02:53 mail spamdyke[10791]: DENIED_OTHER from: @earthlink.net to:gvmi...@golem-computing.com  origin_ip: 209.86.89.65 origin_rdns:elasmtp-kukur.atl.sa.earthlink.net 
<http://elasmtp-kukur.atl.sa.earthlink.net/>  auth: (unknown) encryption: TLS reason: 554_DomainKeys_verify_status:_bad_format___(#5.3.0)

Jul 26 18:02:53 mail spamd[14603]: spamd: processing 
message<000b01d3065a$e66cf540$b346dfc0$@earthlink.net>  for clamav:89
Jul 26 18:02:53 mail spamd[14603]: spamd: clean message (1.2/5.0) for 
clamav:89in 0.2 seconds, 10946 bytes.
Jul 26 18:02:53 mail spamd[14603]: spamd: result: . 1 - 
AWL,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RDNS_NONE 
scantime=0.2,size=10946,user=clamav,uid=89,required_score=5.0,rhost=localhost,raddr=::1,rport=35784,mid=<000b01d3065a$e66cf540$b346dfc0$@earthlink.net>,autolearn=no
 autolearn_force=no
Jul 26 18:02:53 mail spamdyke[10791]: DENIED_OTHER from: @earthlink.net to:gvmi...@golem-computing.com  origin_ip: 209.86.89.65 origin_rdns:elasmtp-kukur.atl.sa.earthlink.net 
<http://elasmtp-kukur.atl.sa.earthlink.net/>  auth: (unknown) encryption: TLS reason: 554_DomainKeys_verify_status:_bad_format___(#5.3.0)

Jul 26 18:02:53 mail spamd[14575]: prefork: child states: II


Obviously, I would prefer to keep Spamdyke in place if possible to cut down on 
the veritable torrent of spam going on out there. What can I do to bypass this 
so that my user can properly send out their messages? As it is, the server 
rejects their original send, so the mailing list never sends back the 
confirmation, and the message thusly never goes out.




-
To unsubscribe, e-mail:qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail:qmailtoaster-list-h...@qmailtoaster.com

Re: [qmailtoaster] qq soft reject errors on high load

[Jeff Koch]

Eric / Remo / Rajesh - we reported this same problem a number of months 
ago and thought we had fixed it. But alas, it's still with us. The good 
news is that we haven't had any customer complaints. I'll be very 
interested if it can be resolved.


Jeff Koch


On 9/1/2017 12:01 PM, Eric Broch wrote:


I'm not sure what's going on here. Is this a relatively new phenomenon?

I wonder if it's a memory, or even a disk speed, issue since it only 
happens at peak hours?


I think I'll appy Johannes Weberhofer's patch and put it out there for 
you...and cross or fingers.



On 9/1/2017 6:28 AM, Rajesh M wrote:

remo / eric

i have still not being able to resolve the qq soft reject error.

these are my findings

1) the errors i see are "error forking qmail-queue" and "ripmime error" which 
causes the qq soft reject.

2) the max concurrent connections in the logs is around 35.

3)  These errors come up during peak working hours when the server is under a  
load of 4 - 8, and they increase the load even more to over 10-15.

4) i came across this link (not sure if this is related)
https://github.com/qmail/simscan/blob/master/simscan.c

5) i can share with you my live smtp logs with simscan debug.

have extracted some lines below


Error forking qmail-queue

@400059a8fa7b0a2ed1b4 tcpserver: status: 31/200
@400059a8fa7b13162584 simscan: cdb looking up version spam
@400059a8fa7b13166bd4 simscan: runned_scanners is  attach: 1.4.0 clamav: 
0.98.6/m: spam: 3.3.2
@400059a8fa7b13166fbc simscan: found 3.3.2
@400059a8fa7b13168efc simscan:[10757]:CLEAN (5.00/30.00):9.7712s:-Possible 
Spam- RE_ REQUIRE BOOKING // 1X20  //
ICD TKD TO 
BANDARABASS:103.241.181.228:cs@atlasdecargo.com:rathe...@radiant-india.net
@400059a8fa7b1316cd7c simscan: done, execing qmail-queue
@400059a8fa7b1316fc5c simscan: error forking qmail-queue
@400059a8fa7b13199854 simscan: exit error code: 71
@400059a8fa7b131c4004 qmail-smtpd: qq soft reject (mail server temporarily 
rejected message (#4.3.0)): MAILFROM:
RCPTTO:rathe...@y.net


Error in ripmime

@400059a8fa98045a4bc4 simscan: pelookup: domain is aissamaritime.in
@400059a8fa98045a4bc4 simscan: cdb looking up aissamaritime.in
@400059a8fa98045a4fac simscan: pelookup: local part is shailesh_k_bom
@400059a8fa98045a4fac simscan: lpart: local part is **
@400059a8fa98045a5394 simscan: cdb looking upshailesh_k_...@aissamaritime.in
@400059a8fa98045a5394 simscan: ripmime error
@400059a8fa98045a6334 simscan: exit error code: 71
@400059a8fa98045a95fc qmail-smtpd: qq soft reject (mail server temporarily 
rejected message (#4.3.0)):
MAILFROM:  RCPTTO:shailesh_k_...@yy.in


Wierd error logs

@400059a9032f3aa79a24 simscan: clamdscan: --- SCAN SUMMARY 
---
@400059a9032f3aa7b964 simscan: clamdscan: 
/var/qmail/simscan/1504248613.321653.5221: OK
@400059a9032f3aa86d14 simscan: clamdscan:
@400059a9032f3aa870fc simscan: clamdscan: ---simscan: cdb looking up 
version clamav
@400059a9032f3aa8a3c4  SCAN simscan: clamdscan: SIUnMfMeAcRtYe d- 
-fsimscan: runned_scanners is  attach: 1.4.0 clamav: 0.98.6/m:
@400059a9032f3aa8c304 -isimscan: found 0.98.6/m:
@400059a9032f3aa8c6ec -l-e-s-:- -0
@400059a9032f3aa8f1e4 --simscan: normal clamdscan return code: 0
@400059a9032f3aa8f1e4
@400059a9032f3aa8f5cc simscan: clamdscan: Infected fsimscan: clamdscan: 
iTliemes::  00
@400059a9032f3aa93834 .simscan: clamdscan: 1T1i8m es:e c0 .1(002  ms 
e0simscan: calling spamc
@400059a9032f3aa96ee4 c  s(0)simscan: calling /usr/bin/spamc simscan: 
clamdscan:
@400059a9032f3aa999dc  spamcm
@400059a9032f3aa999dc 0 s)
@400059a9032f3aa9ad64 /var/qmail/simscan/1simscan: check_spam had an error 
ret: -1
@400059a9032f3aa9e02c 504248613.307311.5215: OK
@400059a9032f337c simscan: clamdscan:
@400059a9032f3764 simscan: clamdscan: --- SCAN SUMMARY 
---
@400059a9032f3aab3fbc simscan: clamdscan: Infected files: 0
@400059a9032f3aaba164 simscan: clamdscan: Time: 0.135 sec (0 m 0 s)
@400059a9032f3aac39bc simscan: clamdscan: /var/qmail/simscan/15simscan: 
exit error code: 71
@400059a9032f3aaca334 04248613.308469.5216: OK
@400059a9032f3aacddcc simscan: clamdscan:
@400059a9032f3aace984 simscan: clamdscan: --- SCAN SUMMARY 
---
@400059a9




@400059a9032f3aa86d14 simscan: clamdscan:
@400059a9032f3aa870fc simscan: clamdscan: ---simscan: cdb looking up 
version clamav
@400059a9032f3aa8a3c4  SCAN simscan: clamdscan: SIUnMfMeAcRtYe d- 
-fsimscan: runned_scanners is  attach: 1.4.0 clamav: 0.98.6/m:
@400059a9032f3aa8c304 -isimscan: found 0.98.6/m:
@400059a9032f3aa8c6ec -l-e-s-:- -0
@400059a9032f3aa8f1e4 --simscan: normal clamdscan return code: 0
@400059a9032f3aa8f1e4
@400059a9032f3aa8f5cc simscan: clamdscan: Infected fsimscan: c

Re: [qmailtoaster] qq soft reject errors on high load

[Jeff Koch]

Hi Rajesh:

Intel(R) Xeon(R) CPU E3-1230 V2

ASUS P8B-M,  16GB RAM



On 9/1/2017 3:53 PM, Rajesh M wrote:

jeff

could you please let me know the cpu details of your machine

is it a dell machine or some other with  intel E5 processor ?

rajesh


- Original Message -
From: Jeff Koch [mailto:jeffk...@intersessions.com]
To: qmailtoaster-list@qmailtoaster.com
Sent: Fri, 1 Sep 2017 13:39:37 -0400
Subject:

Eric / Remo / Rajesh - we reported this same problem a number of months
ago and thought we had fixed it. But alas, it's still with us. The good
news is that we haven't had any customer complaints. I'll be very
interested if it can be resolved.

Jeff Koch


On 9/1/2017 12:01 PM, Eric Broch wrote:

I'm not sure what's going on here. Is this a relatively new phenomenon?

I wonder if it's a memory, or even a disk speed, issue since it only
happens at peak hours?

I think I'll appy Johannes Weberhofer's patch and put it out there for
you...and cross or fingers.


On 9/1/2017 6:28 AM, Rajesh M wrote:

remo / eric

i have still not being able to resolve the qq soft reject error.

these are my findings

1) the errors i see are "error forking qmail-queue" and "ripmime error" which 
causes the qq soft reject.

2) the max concurrent connections in the logs is around 35.

3)  These errors come up during peak working hours when the server is under a  
load of 4 - 8, and they increase the load even more to over 10-15.

4) i came across this link (not sure if this is related)
https://github.com/qmail/simscan/blob/master/simscan.c

5) i can share with you my live smtp logs with simscan debug.

have extracted some lines below


Error forking qmail-queue

@400059a8fa7b0a2ed1b4 tcpserver: status: 31/200
@400059a8fa7b13162584 simscan: cdb looking up version spam
@400059a8fa7b13166bd4 simscan: runned_scanners is  attach: 1.4.0 clamav: 
0.98.6/m: spam: 3.3.2
@400059a8fa7b13166fbc simscan: found 3.3.2
@400059a8fa7b13168efc simscan:[10757]:CLEAN (5.00/30.00):9.7712s:-Possible 
Spam- RE_ REQUIRE BOOKING // 1X20  //
ICD TKD TO 
BANDARABASS:103.241.181.228:cs@atlasdecargo.com:rathe...@radiant-india.net
@400059a8fa7b1316cd7c simscan: done, execing qmail-queue
@400059a8fa7b1316fc5c simscan: error forking qmail-queue
@400059a8fa7b13199854 simscan: exit error code: 71
@400059a8fa7b131c4004 qmail-smtpd: qq soft reject (mail server temporarily 
rejected message (#4.3.0)): MAILFROM:
RCPTTO:rathe...@y.net


Error in ripmime

@400059a8fa98045a4bc4 simscan: pelookup: domain is aissamaritime.in
@400059a8fa98045a4bc4 simscan: cdb looking up aissamaritime.in
@400059a8fa98045a4fac simscan: pelookup: local part is shailesh_k_bom
@400059a8fa98045a4fac simscan: lpart: local part is **
@400059a8fa98045a5394 simscan: cdb looking upshailesh_k_...@aissamaritime.in
@400059a8fa98045a5394 simscan: ripmime error
@400059a8fa98045a6334 simscan: exit error code: 71
@400059a8fa98045a95fc qmail-smtpd: qq soft reject (mail server temporarily 
rejected message (#4.3.0)):
MAILFROM:  RCPTTO:shailesh_k_...@yy.in


Wierd error logs

@400059a9032f3aa79a24 simscan: clamdscan: --- SCAN SUMMARY 
---
@400059a9032f3aa7b964 simscan: clamdscan: 
/var/qmail/simscan/1504248613.321653.5221: OK
@400059a9032f3aa86d14 simscan: clamdscan:
@400059a9032f3aa870fc simscan: clamdscan: ---simscan: cdb looking up 
version clamav
@400059a9032f3aa8a3c4  SCAN simscan: clamdscan: SIUnMfMeAcRtYe d- 
-fsimscan: runned_scanners is  attach: 1.4.0 clamav: 0.98.6/m:
@400059a9032f3aa8c304 -isimscan: found 0.98.6/m:
@400059a9032f3aa8c6ec -l-e-s-:- -0
@400059a9032f3aa8f1e4 --simscan: normal clamdscan return code: 0
@400059a9032f3aa8f1e4
@400059a9032f3aa8f5cc simscan: clamdscan: Infected fsimscan: clamdscan: 
iTliemes::  00
@400059a9032f3aa93834 .simscan: clamdscan: 1T1i8m es:e c0 .1(002  ms 
e0simscan: calling spamc
@400059a9032f3aa96ee4 c  s(0)simscan: calling /usr/bin/spamc simscan: 
clamdscan:
@400059a9032f3aa999dc  spamcm
@400059a9032f3aa999dc 0 s)
@400059a9032f3aa9ad64 /var/qmail/simscan/1simscan: check_spam had an error 
ret: -1
@400059a9032f3aa9e02c 504248613.307311.5215: OK
@400059a9032f337c simscan: clamdscan:
@400059a9032f3764 simscan: clamdscan: --- SCAN SUMMARY 
---
@400059a9032f3aab3fbc simscan: clamdscan: Infected files: 0
@400059a9032f3aaba164 simscan: clamdscan: Time: 0.135 sec (0 m 0 s)
@400059a9032f3aac39bc simscan: clamdscan: /var/qmail/simscan/15simscan: 
exit error code: 71
@400059a9032f3aaca334 04248613.308469.5216: OK
@400059a9032f3aacddcc simscan: clamdscan:
@400059a9032f3aace984 simscan: clamdscan: --- SCAN SUMMARY 
---
@400059a9




@400059a9032f3aa86d14 simscan: clamdscan:
@400059a9032f3aa870fc simscan: clamdscan: ---simscan: cdb looking up 
ve

[qmailtoaster] dovecot mysql connection lost

[Jeff Koch]

For about a 15 minutes period users couldn't receive emails - emails 
were bouncing back saying the users did not exist. We traced the problem 
to the dovecot log where we saw this:


Sep 15 12:16:23 auth-worker: Error: vmysql: sql error[3]: Table 
'vpopmail.users' doesn't exist
Sep 15 12:16:23 auth-worker: Error: Attempting to rebuild connection to 
SQL server
Sep 15 12:16:23 auth-worker: Error: vmysql: connection rebuild failed: 
Table 'vpopmail.users' doesn't exist


Shortly thereafter dovecot was able to connect and emails began being 
received normally again.


Any thoughts on how to prevent this in the future? Should we raise the 
number of mysql connections - we're using the default.


Regards, Jeff Koch

Re: [qmailtoaster] dovecot mysql connection lost

[Jeff Koch]

Thanks - I'll give these a try should it happen again.

Jeff

On 9/17/2017 3:10 PM, Eric Broch wrote:


And, here's another one:

mysql -u root -ppassword -BNe "select host,count(host) from 
processlist group by host;" information_schema


Explanation:

Display the number of connections to a MySQL Database

Count the number of active connections to a MySQL database.

The MySQL command "show processlist" gives a list of all the active 
clients.


However, by using the processlist table, in the information_schema 
database, we can sort and count the results within MySQL.




On 9/17/2017 11:33 AM, Jeff Koch wrote:

Eric - thanks !  Jeff

On 9/17/2017 11:14 AM, Eric Broch wrote:


Hi Jeff,

Here are some commands you can run to determine the number of 
connections (to determine if this is the issue) to the MariaDB in 
the event that this happens again:


1) echo "show full processlist" | mysql -u root -ppassword

2) doveadm who

3)  ps aux | grep vpopmail | grep dovecot

Eric


On 9/15/2017 4:02 PM, Jeff Koch wrote:
I raised it to 300 but we're a little concerned about all these 
root sessions. Could they be a form of break-in attempt and why 
would they affect mysql to the point that dovecot could not 
connect. And what the heck is a 'user-89.slice. vpopmail is usually 
user 89.


Jeff

On 9/15/2017 5:57 PM, Eric Broch wrote:


I think I'd try upping the connection count, what's it at 151?


On 9/15/2017 3:25 PM, Jeff Koch wrote:

Nope.

But I did see this strange series of entries in /var/log/messages 
- which started at 12:03 and continued to 12:15. This was the 
same period that dovecot was complaining that it couldn't connect 
to mysql


Sep 15 12:04:01 vid systemd: Started Session 208671 of user root.
Sep 15 12:04:01 vid systemd: Starting Session 208671 of user root.
Sep 15 12:04:01 vid systemd: Started Session 208670 of user root.
Sep 15 12:04:01 vid systemd: Starting Session 208670 of user root.
Sep 15 12:04:01 vid systemd: Started Session 208672 of user root.
Sep 15 12:04:01 vid systemd: Starting Session 208672 of user root.
..
..
Sep 15 12:15:01 vid systemd: Starting Session 208707 of user root.
Sep 15 12:15:01 vid systemd: Started Session 208709 of user root.
Sep 15 12:15:01 vid systemd: Starting Session 208709 of user root.
Sep 15 12:15:01 vid systemd: Started Session 208708 of user root.
Sep 15 12:15:01 vid systemd: Starting Session 208708 of user root.
Sep 15 12:15:01 vid systemd: Created slice user-89.slice.
Sep 15 12:15:01 vid systemd: Starting user-89.slice.
Sep 15 12:15:01 vid systemd: Started Session 208710 of user vpopmail.
Sep 15 12:15:01 vid systemd: Starting Session 208710 of user 
vpopmail.

Sep 15 12:15:17 vid clamd: SelfCheck: Database status OK.
Sep 15 12:15:18 vid systemd: Removed slice user-89.slice.
Sep 15 12:15:18 vid systemd: Stopping user-89.slice.

Jeff


On 9/15/2017 4:09 PM, Eric Broch wrote:


Any entries in /var/log/mariadb/mariadb.log ?


On 9/15/2017 1:21 PM, Jeff Koch wrote:


For about a 15 minutes period users couldn't receive emails - 
emails were bouncing back saying the users did not exist. We 
traced the problem to the dovecot log where we saw this:


Sep 15 12:16:23 auth-worker: Error: vmysql: sql error[3]: Table 
'vpopmail.users' doesn't exist
Sep 15 12:16:23 auth-worker: Error: Attempting to rebuild 
connection to SQL server
Sep 15 12:16:23 auth-worker: Error: vmysql: connection rebuild 
failed: Table 'vpopmail.users' doesn't exist


Shortly thereafter dovecot was able to connect and emails began 
being received normally again.


Any thoughts on how to prevent this in the future? Should we 
raise the number of mysql connections - we're using the default.


Regards, Jeff Koch


--
Eric Broch
White Horse Technical Consulting (WHTC)




--
Eric Broch
White Horse Technical Consulting (WHTC)








--
Eric Broch
White Horse Technical Consulting (WHTC)

[qmailtoaster] Autoresponder Password Message

[Jeff Koch]

When we setup a new autoresponder (robot) the toaster seems to be 
automatically inserting the following text in the autoresponder message. 
Anybody know how to make it stop doing that?


-
Password MUST be 6-8 characters, contain at least 1 upper case and 1 
lower case letter,and at least one number to be secure. Example: 
mYpass95
Sorry, we no longer dynamically forward email to Yahoo, AOL, Gmail or 
Hotmail\naccounts. This practice inadvertently forwards spam and causes 
blacklisting\nissues with these providers.

Please review and try again.
Your password must be minimum 8 characters in length.
Your password is missing Numbers.
Your password can not contain Symbols or Spaces.
Your password is missing Uppercase Letters.
Your password is missing Lowercase Letters.
Password fields do not match.
-

Jeff

Re: [qmailtoaster] Also - bad copy in - send copy to - Autoresponder Password Message

[Jeff Koch]

Hi Eric

Here's another thing we noticed. When setting up the autoresponder no 
matter what you enter into the 'Send Copy to' field when you go to edit 
the autoresponder later you see :


/usr/bin/autorespond 1 5 
/home/vpopmail/domains/x.com/AUTO11/message 
/home/vpopmail/domains/.comt/AUTO11'


in that field.

Jeff



On 9/20/2017 11:26 AM, Eric Broch wrote:


Hi Jeff,

I noticed this the other day. I had to downgrad qmailadmin myself:

# yum downgrade qmailadmin

  Installing : qmailadmin-1.2.16-1.qt.el7.x86_64
  Cleanup    : qmailadmin-1.2.16-2.qt.el7.x86_64
  Verifying  : qmailadmin-1.2.16-1.qt.el7.x86_64
  Verifying  : qmailadmin-1.2.16-2.qt.el7.x86_64

If Laurentiu Grigore is out there can you give a status on you 
qmailadmin password fix, can you fix this?


Eric


On 9/20/2017 8:54 AM, Jeff Koch wrote:


When we setup a new autoresponder (robot) the toaster seems to be 
automatically inserting the following text in the autoresponder 
message. Anybody know how to make it stop doing that?


-
Password MUST be 6-8 characters, contain at least 1 upper case and 1 
lower case letter,and at least one number to be secure. Example: 
mYpass95
Sorry, we no longer dynamically forward email to Yahoo, AOL, Gmail or 
Hotmail\naccounts. This practice inadvertently forwards spam and 
causes blacklisting\nissues with these providers.

Please review and try again.
Your password must be minimum 8 characters in length.
Your password is missing Numbers.
Your password can not contain Symbols or Spaces.
Your password is missing Uppercase Letters.
Your password is missing Lowercase Letters.
Password fields do not match.
-

Jeff


--
Eric Broch
White Horse Technical Consulting (WHTC)

[qmailtoaster] Forwarding to yahoo, hotmail, aol and gmail

[Jeff Koch]

Has anybody seen this message before and how do we defeat this? I'm 
getting this when we send an email to an autoresponder.  Does this also 
apply to vacation messages?



Sorry, we no longer dynamically forward email to Yahoo, AOL, Gmail or 
Hotmail\naccounts. This practice inadvertently forwards spam and causes 
blacklisting\nissues with these providers.

Regards, Jeff

[qmailtoaster] Migrating a large server to the new QMT

[Jeff Koch]

I have a fairly big mailserver (over 1,000 domains) built with Bill's 
Toaster. It uses vpasswd.cdb files rather than a mysql table. What's the 
best way to migrate to the QMT toaster?


I see the issues as:

1. converting the vpasswd text and cdb files to the vpopmail mysql tables

2. converting the 'forwards' to the mysql alias table

3. editing the '.qmail' maildrop filters to look for the filter files in 
a different location. (This probably can be handled via symlink)


1 & 2 above are the biggest concern. There's no way we're manually 
migrating running a SED and mysql vpopmail table load for each of 1,000 
domains.


Any thoughts or recommendations? I'd like to hear from someone that's 
actually done a large migration.


Regards, Jeff Koch

Re: [qmailtoaster] Migrating a large server to the new QMT

[Jeff Koch]

Hi Eric:

Yes there are. One small server we migrated required a messy two step 
process of first running an AWK script again the vpasswd text file and 
entering the resultant file and running a replacement directive to 
replace " with '.


And what about the 'forwards' - is there a way to convert those en-mass ?

Jeff

On 10/26/2017 1:06 PM, Eric Broch wrote:


Is there a plain text vpasswd file?

In my mind 1 and 2 could easily be scripted and 3 copied (rsync'ed) 
into place.




On 10/26/2017 7:51 AM, Jeff Koch wrote:


I have a fairly big mailserver (over 1,000 domains) built with Bill's 
Toaster. It uses vpasswd.cdb files rather than a mysql table. What's 
the best way to migrate to the QMT toaster?


I see the issues as:

1. converting the vpasswd text and cdb files to the vpopmail mysql tables

2. converting the 'forwards' to the mysql alias table

3. editing the '.qmail' maildrop filters to look for the filter files 
in a different location. (This probably can be handled via symlink)


1 & 2 above are the biggest concern. There's no way we're manually 
migrating running a SED and mysql vpopmail table load for each of 
1,000 domains.


Any thoughts or recommendations? I'd like to hear from someone that's 
actually done a large migration.


Regards, Jeff Koch


--
Eric Broch
White Horse Technical Consulting (WHTC)

[qmailtoaster] QMT - non-mysql

[Jeff Koch]

Hi

We need to migrate a large qmail toaster mailserver to the new version 
that uses MySQL. Rather than attempt to migrate the old vpasswd text and 
cdb files, as well as, aliases, to the MySQL vpopmail format my thought 
is to recompile the QMT for CentOS 7 to use the older format.


This should just be a few changes in the config command for qmailadmin 
and vpopmail. But what else needs to be reconfigured? spamdyke, dovecot, 
squirrelmail


Any thoughts or advice?

Regards, Jeff Koch

Re: [qmailtoaster] QMT - non-mysql

[Jeff Koch]

Hi L.A.:

That WiKi page only covers moving one domain. We have to move over a 
thousand domains. Plus the AWK script is not complete - you have to 
manually enter the sql file and edit the backticks. We've used this 
approach when we need to move one domain at a time - it works but is 
tedious and not practical for a mass migration.


The Wiki page also does not consider the migration of the dot qmail 
forwards to the mysql format. We had to move the dot qmail forwards 
manually to mysql or so they would show up in qmailadmin.


Jeff

On 11/3/2017 1:07 AM, L. A. wrote:

Are you shure about this idea?
As result you may loose ability of grown, updates should be more accurate.
Long time ago we moved from qmail with vpasswd with few domains and 
about 2500 active users to qmt.

Used this:
http://wiki.qmailtoaster.com/index.php/Migrating_from_qmail_that_using_vpasswd
It wasn't so hard at all.


31.10.2017, 21:26, "Jeff Koch" :


Hi

We need to migrate a large qmail toaster mailserver to the new 
version that uses MySQL. Rather than attempt to migrate the old 
vpasswd text and cdb files, as well as, aliases, to the MySQL 
vpopmail format my thought is to recompile the QMT for CentOS 7 to 
use the older format.


This should just be a few changes in the config command for 
qmailadmin and vpopmail. But what else needs to be reconfigured? 
spamdyke, dovecot, squirrelmail


Any thoughts or advice?

Regards, Jeff Koch


- 
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com 
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com 

[qmailtoaster] maildirsize

[Jeff Koch]

I know this is way off topic but I'm hoping some one on this list has an 
answer.


I have a mailserver that uses Bill Shupp's toaster and I'm trying to 
change a user's quota. Despite everything I've tried when maildirsize 
gets rebuilt it reverts to the old quota.


I've tried everything - vsetuserquota, vmoduser, manually gone into 
vpasswd. Forced updates to vpasswd.cdb, deleted vpasswd.cdb, deleted 
maildirsize. But somehow after deleting maildirsize when the next email 
comes in and maildirsize is rebuilt the first line has the old quota 
again. I'm racking my brain trying to figure out where vpopmail or 
dovecot is getting the old quota info from. Is there a cache somewhere 
that I'm not aware of ?


I figured once I deleted vpasswd.cdb and forced a cdb rebuild from 
vpasswd it would have the new quota and use that in rebuilding maildirsize.


Any help or suggestions would be appreciated.

Jeff

[qmailtoaster] QMT - Big DNS Patch ?

[Jeff Koch]

Hi Group:

We are seeing some errors like this in the qmail logs:

2017-11-23 17:14:55
info msg 6891411: bytes 3794956 from  qp 27142 
uid 89

starting delivery 144153: msg 6891411 to remote mroval...@prevenir.com.ec
delivery 144153: deferral: CNAME_lookup_failed_temporarily._(#4.4.3)/

Doing a little research says that it's often resolved by installing the 
big dns patch - but I believe QMT already has that patch. Could anything 
else cause this error?


Also, why is qmail even trying to do a CNAME lookup when the MX record 
is what's needed ?


Jeff

Re: [qmailtoaster] QMT - Big DNS Patch ?

[Jeff Koch]

Hi Eric:

I read the link you provided and agree with the patch to remove the 
CNAME lookups. Jeff


On 11/29/2017 11:05 PM, Eric Broch wrote:


Hi Jeff,

I've been reading some about this and on one site 
<https://lists.gt.net/qmail/users/138190> Dan Bernstein recommended in 
2012 or there about that the CNAME lookup should be commented out in 
the code. I might do this and make it available sometime soon.


Eric



On 11/29/2017 8:44 PM, Jeff Koch wrote:


Hi Group:

We are seeing some errors like this in the qmail logs:

2017-11-23 17:14:55
info msg 6891411: bytes 3794956 from  qp 
27142 uid 89

starting delivery 144153: msg 6891411 to remote mroval...@prevenir.com.ec
delivery 144153: deferral: CNAME_lookup_failed_temporarily._(#4.4.3)/

Doing a little research says that it's often resolved by installing 
the big dns patch - but I believe QMT already has that patch. Could 
anything else cause this error?


Also, why is qmail even trying to do a CNAME lookup when the MX 
record is what's needed ?


Jeff


--
Eric Broch
White Horse Technical Consulting (WHTC)

Re: [qmailtoaster] QMT - Big DNS Patch ?

[Jeff Koch]

The server connects to a BIND DNS server. However, this CNAME issue 
apparently has been a problem for a long, long time as noted in the link 
Eric provided.


Jeff

On 11/30/2017 9:55 AM, Chris wrote:
Is the server that is having the issues using djbdns or BIND?  There 
was a thread on June 21 that discussed the differences in the way 
djbdns handles CNAMES and EDNS, vs the way BIND does, and why it 
causes delivery issues for qmail.


-Chris

On Wed, Nov 29, 2017 at 9:02 PM, Eric Broch <mailto:ebr...@whitehorsetc.com>> wrote:


I'll see if I can have a patched version for separate download out
tomorrow. It's interesting that I never see these errors on my
servers. How often do you see them, and is mail not delivered?


On 11/29/2017 9:24 PM, Jeff Koch wrote:

Hi Eric:

I read the link you provided and agree with the patch to remove
the CNAME lookups. Jeff

On 11/29/2017 11:05 PM, Eric Broch wrote:


Hi Jeff,

I've been reading some about this and on one site
<https://lists.gt.net/qmail/users/138190> Dan Bernstein
recommended in 2012 or there about that the CNAME lookup should
be commented out in the code. I might do this and make it
available sometime soon.

Eric



    On 11/29/2017 8:44 PM, Jeff Koch wrote:


Hi Group:

We are seeing some errors like this in the qmail logs:

2017-11-23 17:14:55
info msg 6891411: bytes 3794956 from 
<mailto:pmaldon...@eurostaga.com> qp 27142 uid 89
starting delivery 144153: msg 6891411 to remote
mroval...@prevenir.com.ec <mailto:mroval...@prevenir.com.ec>
delivery 144153: deferral:
CNAME_lookup_failed_temporarily._(#4.4.3)/

Doing a little research says that it's often resolved by
installing the big dns patch - but I believe QMT already has
that patch. Could anything else cause this error?

Also, why is qmail even trying to do a CNAME lookup when the MX
record is what's needed ?

Jeff


-- 
Eric Broch

White Horse Technical Consulting (WHTC)




-- 
Eric Broch

White Horse Technical Consulting (WHTC)

[qmailtoaster] QMT - Problem with MessageID on Vacation Message Responses

[Jeff Koch]

I have been testing the vacation message function on the moduser page in 
qmailadmin. The autoresponses generated by the vacation message option 
end up in my spam folders because the Message ID generated by the 
autoresponder do not include a domain name and, as a result, violate RFC 
2822.


These two issues give the message 4.3 points for spamassassin and the 
message ends up as junk.


Here's the MessageID generated by the vacation responder:

Message-ID: <1516217515.27282.blah>

I don't have a clue where 'blah' comes from. All we need is a domain 
name to put in there - doesn't even need to be valid.


Does anyone know how to change 'blah' to something else?

Regards, Jeff

[qmailtoaster] SOLVED - Re: [qmailtoaster] QMT - Problem with MessageID on Vacation Message Responses

[Jeff Koch]

There is a new version of autorespond on GITHUB - version 2.06 - patched 
April 2016 that fixes the MessageID.


The original code in existence since 2001 creates the MessageID as follows:

fprintf(fdm,"Date: %u %s %u %02u:%02u:%02u -\nMessage-ID: 
<%lu.%u.blah>\n"
,dt->tm_mday,montab[dt->tm_mon],dt->tm_year+1900,dt->tm_hour,dt->tm_min,dt->tm_sec,msgwhen,getpid() 
);


with the word 'blah'.

The correction is:


fprintf(fdm,"Date: %u %s %u %02u:%02u:%02u -\nMessage-ID: 
<%lu.%u.autorespond@%s>\n

,dt->tm_mday,montab[dt->tm_mon],dt->tm_year+1900,dt->tm_hour,dt->tm_min,dt->tm_sec,msgwhen,getpid(),getenv("LOCAL")

using LOCAL which is the domain name followed by the user name.

You can just download the code, unzip it, run 'make' followed by 'make 
install' and your autoresponder is fixed.


Jeff


On 1/17/2018 2:41 PM, Jeff Koch wrote:


I have been testing the vacation message function on the moduser page 
in qmailadmin. The autoresponses generated by the vacation message 
option end up in my spam folders because the Message ID generated by 
the autoresponder do not include a domain name and, as a result, 
violate RFC 2822.


These two issues give the message 4.3 points for spamassassin and the 
message ends up as junk.


Here's the MessageID generated by the vacation responder:

Message-ID: <1516217515.27282.blah>

I don't have a clue where 'blah' comes from. All we need is a domain 
name to put in there - doesn't even need to be valid.


Does anyone know how to change 'blah' to something else?

Regards, Jeff

Re: [qmailtoaster] QMT - Problem with MessageID on Vacation Message Responses

[Jeff Koch]

The URL for GITHUB is:

https://github.com/roffe/autorespond-2.0.6/blob/master/patch_2.0.5-2.0.6.patch

Jeff

On 1/17/2018 2:41 PM, Jeff Koch wrote:


I have been testing the vacation message function on the moduser page 
in qmailadmin. The autoresponses generated by the vacation message 
option end up in my spam folders because the Message ID generated by 
the autoresponder do not include a domain name and, as a result, 
violate RFC 2822.


These two issues give the message 4.3 points for spamassassin and the 
message ends up as junk.


Here's the MessageID generated by the vacation responder:

Message-ID: <1516217515.27282.blah>

I don't have a clue where 'blah' comes from. All we need is a domain 
name to put in there - doesn't even need to be valid.


Does anyone know how to change 'blah' to something else?

Regards, Jeff

[qmailtoaster] Delivery fail

[Jeff Koch]

Hi:

We see entries like this in the qmail/send log when clients try to send 
to a particular domain:


2018-01-18 14:49:03.821437500 starting delivery 93767: msg 21453716 to 
remote mvelasq...@prevenir.com.ec
2018-01-18 14:49:39.016795500 delivery 93767: deferral: 
CNAME_lookup_failed_temporarily._(#4.4.3)/



Does anyone know what this entry is trying to tell us? and what would a 
CNAME lookup have to do with sending email?


Jeff

Re: [qmailtoaster] clamav KO - ERROR: accept() failed

[Jeff Koch]

Hi - I don't think this has anything to do with the problem - the ClamAV 
team at Cisco released a buggy set of definitions last night and they 
need patch that before ClamAV works properly again. Plus they need to 
fix the clamav code so that a buggy set of definitions will fall back to 
something that won't kill a mailserver.


http://lists.clamav.net/pipermail/clamav-users/2018-January/005687.html

Jeff

On 1/26/2018 11:38 AM, Remo Mattei wrote:

Here is what is mine set to

-rws--x--x  1 clamav root   34774 Apr  6  2016 simscan

And increased the exec /usr/bin/softlimit -m 6400 \

All good here.

Remo

On Jan 26, 2018, at 11:55 AM, Havrla > wrote:


Can't create temporary file

Re: [qmailtoaster] ClamAV 0.99.3

[Jeff Koch]

Eric - does anyone know if this solves the problem?  Jeff

On 1/26/2018 8:37 PM, Eric Broch wrote:

Hello list members,

The ClamAV 0.99.3 RPMS/SRPMS for COS 6 (i386, x86_64) & 7 (x86_64) are 
available for download or you can use Yum with the 
--enablerepo=qmt-testing option


ftp://ftp.qmailtoaster.com/pub/repo/qmt/CentOS/7/testing/x86_64/clamav-0.99.3-1.qt.el7.x86_64.rpm 



ftp://ftp.qmailtoaster.com/pub/repo/qmt/CentOS/7/testing/SRPMS/clamav-0.99.3-1.qt.el7.src.rpm 



ftp://ftp.qmailtoaster.com/pub/repo/qmt/CentOS/6/testing/x86_64/clamav-0.99.3-1.qt.el6.x86_64.rpm 



ftp://ftp.qmailtoaster.com/pub/repo/qmt/CentOS/6/testing/i386/clamav-0.99.3-1.qt.el6.i686.rpm 



ftp://ftp.qmailtoaster.com/pub/repo/qmt/CentOS/6/testing/SRPMS/clamav-0.99.3-1.qt.el6.src.rpm 




Eric



-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com

Re: [qmailtoaster] ClamAV 0.99.3-2 Problem

[Jeff Koch]

Hi Eric:

Works great (so far) on my server also.

Jeff

On 1/27/2018 11:21 AM, Eric Broch wrote:


Thanks Rodrigo (and to all) for testing.


On 1/27/2018 9:19 AM, Rodrigo Cortes wrote:

Hi!!!

Working fine now!

Thx.

2018-01-27 13:18 GMT-03:00 Eric Broch >:


I had to do the following:

systemctl start clamav-freshclam.service

systemctl enable clamav-freshclam.service



On 1/27/2018 9:16 AM, Eric Broch wrote:

OK

Try now


ftp://ftp.qmailtoaster.org/pub/repo/qmt/CentOS/7/testing/x86_64/clamav-0.99.3-2.qt.el7.x86_64.rpm






On 1/27/2018 8:30 AM, Gary Bowling wrote:



Per the previous thread, I tried updating to ClamAV
0.99.3-2 on my CentOS 7 box.


The services are not created properly. I tried both the
yum update via the test repository and also tried
downloading the RPM from and installing via rpm -Uvh.
Both have the same issue.


Prior to installing, my toaststat shows this.

systemd service:    clamav-daemon.service: [  OK  ]
systemd service: clamav-daemon.socket: [  OK  ]
systemd service: clamav-freshclam: [  OK  ]


After installing, my toaststat shows this.

systemd service: clamav-freshclam: [  FAILED  ]


With no services created for clamav-daemon.


Also, with this situation if I enable clam in my
simcontrol file, it doesn't work.


Thanks, Gary


-
To unsubscribe, e-mail:
qmailtoaster-list-unsubscr...@qmailtoaster.com

For additional commands, e-mail:
qmailtoaster-list-h...@qmailtoaster.com




-- 
Eric Broch

White Horse Technical Consulting (WHTC)


-
To unsubscribe, e-mail:
qmailtoaster-list-unsubscr...@qmailtoaster.com

For additional commands, e-mail:
qmailtoaster-list-h...@qmailtoaster.com





--
Eric Broch
White Horse Technical Consulting (WHTC)

[qmailtoaster] Mail Quota 2GB

[Jeff Koch]

Hi - Does anyone know if qmail/vpopmail is still limited to a mail quota 
of 2GB ?


Jeff

Re: [qmailtoaster] Mail Quota 2GB

[Jeff Koch]

Hi - I think I asked my question incorrectly. I too, use NOQUOTA in 
order to support very large email accounts. I would like to be able to 
set a quota of, say, 10, 20 or 30GB and have vpopmail monitor the 
account against that quota. That means when the account is over 10GB 
vpopmail blocks new emails from coming in with an 'over-quota' message 
the same as it does when you set a quota of 500MB and the user exceeds it.


My understanding, based on the link below, is that vpopmail will not 
support quotas greater than 2GB. (Please note that I wrote quotas - not 
mailbox size)


Jeff

On 2/7/2018 1:32 PM, Eric Broch wrote:


vsetuserquota is not obsolete.

Honestly, in the past if a mailbox is using over 2GB of space I set it 
to NOQUOTA. I have mailboxes with 30GB+ of mail.



On 2/7/2018 10:53 AM, Jeff Koch wrote:

Hi Eric:

Here's a link where I got that from:

http://vchkpw.inter7.narkive.com/1YYz1C41/vpopmail-max-quota-of-2gb

Have you had experience using mailbox quotas of 4, 6 or 8GB and 
confirmed that it works?


By the we typically use the vsetuserquota command like this setting a 
quota of disk space and total messages:


/home/vpopmail/bin/vsetuserquota f...@proginc.com 302428800S,8000C

Maybe this is obsolete.

Jeff


On 2/7/2018 12:41 PM, Eric Broch wrote:


shouldn't be

vmoduser & vadduser have quota (-q) option which I use all the time.

# /home/vpopmail/bin/vadduser
vadduser: usage: [options] email_address [passwd]
options: -v (print the version)
 -q quota_in_bytes (sets the users quota, use NOQUOTA for 
unlimited)

 -c comment (sets the gecos comment field)
 -e standard_encrypted_password
 -n no_password
 -r[len] (generate a len (default 8) char random password)

# /home/vpopmail/bin/vmoduser
vmoduser: usage: [options] email_addr or domain (for each user in 
domain)

options: -v ( display the vpopmail version number )
 -n ( don't rebuild the vpasswd.cdb file )
 -q quota ( set quota )
 -c comment (set the comment/gecos field )
 -e encrypted_passwd (set the password field )
 -C clear_text_passwd (set the password field )



On 2/7/2018 10:08 AM, Jeff Koch wrote:


Hi - Does anyone know if qmail/vpopmail is still limited to a mail 
quota of 2GB ?


Jeff


--
Eric Broch
White Horse Technical Consulting (WHTC)




--
Eric Broch
White Horse Technical Consulting (WHTC)

Re: [qmailtoaster] CNAME lookup failed temporarily -- workarounds?

[Jeff Koch]

Angus - I would be very cautious about switching if you've been using 
the non-mysql (cdb) version of the qmail toaster and you have many 
domains on the mailserver. You'll have to run a bunch of scripts to 
convert vpasswd and the dot-qmail forwards to the mysql format. And each 
domain has to be handled individually. I did this conversion with a 
mailserver with 150 domains and it took several days.


The good news is that Eric Broch recently put together a CDB version of 
the QMT 7 and I just finished converting a mailserver with 20 domains. 
It went much faster. I was able to tar-zip and dump in the entire 
/home/vpopmail/domains directory. Of course I had to update things in 
the /var/qmail/control and /users directories and setup some symlinks to 
handle changed locations. I'm still standing by and listening for user 
comments but it seems to be working very well.


Next, I plan to tackle two old qmail servers with over a 1000 domains each.

Jeff

On 2/15/2018 9:31 AM, Gary Bowling wrote:



For what it's worth, I was in the same boat last year and made the 
decision to move it to a new server. Set up a new CentOS 7 box as a 
virtual server at linode. Which was very painless. The install of the 
toaster on that box was a breeze, the guys have done a great job of 
supplying us with RPMs and scripts to get it done easily.



Moving over all the old mail was likewise very easy and just worked. I 
rsync'd from the old box to the new. The tricky part is cutting the 
users over. You need to set your DNS ttl to something really low (I 
first set mine to 4 hours, then to 1 minute the day of the cutover). 
That makes your mx and A records move very quickly. At cut time, 
change your dns, do a final rsync of all the old mail, make sure 
you're ownership and permissions are all right and you're done.



The transition was much smoother and easier than I had thought and 
everything worked like a charm.



So while it's not what you're looking for in terms of a short term 
fix. I do encourage you to take the plunge and move it. It's really 
not that bad and will clean up your entire environment.



Gary


On 2/15/2018 9:16 AM, Angus McIntyre wrote:
I'm running a fairly ancient qmail (netqmail-1.0.5, according to the 
manual) on CentOS 5, and I'm starting to get bitten with increasing 
frequency by the 'CNAME lookup failed temporarily' bug.


I urgently need to build a new host with an up-to-date OS and the 
latest version of qmail and move everything over, but I don't have 
the time to do that right now. I'm very hesitant to screw with this 
particular configuration (which is a mess) in case I bring everything 
crashing down around my ears.


So the question is, is there any easy (temporary) fix for this issue?

Thanks,

Angus

-
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




- 
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com 
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com 

Re: [qmailtoaster] password complexity and length

[Jeff Koch]

You can insert javascript password rules in the html code templates for 
qmailadmin.


Here's a simple password strength javascript that goes in the top of 
mod_user.html




function passwordStrength(password)
{
    var desc = new Array();
    desc[0] = "Very Weak";
    desc[1] = "Weak";
    desc[2] = "Better";
    desc[3] = "Medium";
    desc[4] = "Strong";
    desc[5] = "Strongest";

    var score   = 0;

    //if password bigger than 7 give 1 point
    if (password.length > 7) score++;

    //if password has both lower and uppercase characters give 1 point

Re: [qmailtoaster] password complexity and length

[Jeff Koch]

Hi Gary:

Only affects new passwords entered in mod_user.html. You'll need to add 
similar javascript.to 'add_user.html'. You can do the same in 
squirrelmail if you can find the correct place to slug in the 
javascript. The code analyzes text entered in the input field 'password' 
and grays out the submit button until the password meets the test 
criteria. It's pretty basic code and I'm sure javascript experts could 
do a lot to improve it and give more clues to the users.


Once of the problems with messing with the templates is that there is no 
table defining the hash mark codes like ##tt ##tu ##X251. If anyone has 
a cheat sheet please share.


Jeff

On 4/5/2018 7:42 AM, Gary Bowling wrote:



Thanks Jeff. Just to make sure, if I do that edit it doesn't affect 
any existing passwords? Only inputting any new passwords or changing 
any passwords?



Also, I guess a user can still change their password via squirrelmail 
and bypass these rules? That rarely happens on my server, but just 
want to make sure I understand.



Thanks, Gary


On 4/4/2018 11:03 PM, Jeff Koch wrote:
You can insert javascript password rules in the html code templates 
for qmailadmin.


Here's a simple password strength javascript that goes in the top of 
mod_user.html




function passwordStrength(password)
{
    var desc = new Array();
    desc[0] = "Very Weak";
    desc[1] = "Weak";
    desc[2] = "Better";
    desc[3] = "Medium";
    desc[4] = "Strong";
    desc[5] = "Strongest";

    var score   = 0;

    //if password bigger than 7 give 1 point
    if (password.length > 7) score++;

</pre><tt>    //if password has both lower and uppercase characters give 1 
</tt><tt>point
</tt><tt>    if ( ( password.match(/[a-z]/) ) && ( password.match(/[A-Z]/) 
</tt><tt>) ) score++;
</tt><pre style="margin: 0em;">

    //if password has at least one number give 1 point
    if (password.match(/\d+/)) score++;

    //if password has at least one special characther give 1 point
    if ( password.match(/.[!,@,#,$,%,^,&,*,?,_,~,-,(,)]/) ) score++;

    //if password bigger than 12 give another 1 point
    if (password.length > 12) score++;

document.getElementById("passwordDescription").innerHTML = desc[score];
</pre><tt> document.getElementById("passwordStrength").className = 
</tt><tt>"strength" + score;
</tt><pre style="margin: 0em;">

 if (score > 2 ) {
   document.getElementById("btnSubmit").disabled = false;
 }else{
   document.getElementById("btnSubmit").disabled = true;
 }

 return score;
}



then further along in the code we have:

  
    name="password2" maxlength=128 size=16>

  
    
  
    Password 
strength:
    id="passwordDescription">Password not entered

  
  
    
    
    class="strength0">

    
    
  

Passwords must be at least eight characters and 
include three of the following four types: upper case letters, lower 
case letters, numbers and special characters.





Regards, Jeff








On 4/4/2018 6:51 PM, Gary Bowling wrote:



Last time I checked it was either not possible or not easy to 
implement password rules one the toaster. But that was a long time ago.



Has anything changed in that regard?

--

Gary Bowling
- 
To unsubscribe, e-mail: 
qmailtoaster-list-unsubscr...@qmailtoaster.com For additional 
commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com 




- 
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com 
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com 

Re: [qmailtoaster] password complexity and length

[Jeff Koch]

Sorry - I left out this piece of code - goes right before the code that 
says password2. It's been 10 years since we looked at this.


    
  class="style1">##X110:

  
    name="password1" maxlength=128 size=16 id="pass" 
onkeyup="passwordStrength(this.value)">

  
    

Jeff

On 4/5/2018 9:55 AM, Jeff Koch wrote:

Hi Gary:

Only affects new passwords entered in mod_user.html. You'll need to 
add similar javascript.to 'add_user.html'. You can do the same in 
squirrelmail if you can find the correct place to slug in the 
javascript. The code analyzes text entered in the input field  
'password' and grays out the submit button until the password meets 
the test criteria. It's pretty basic code and I'm sure javascript 
experts could do a lot to improve it and give more clues to the users.


Once of the problems with messing with the templates is that there is 
no table defining the hash mark codes like ##tt ##tu ##X251. If anyone 
has a cheat sheet please share.


Jeff

On 4/5/2018 7:42 AM, Gary Bowling wrote:



Thanks Jeff. Just to make sure, if I do that edit it doesn't affect 
any existing passwords? Only inputting any new passwords or changing 
any passwords?



Also, I guess a user can still change their password via squirrelmail 
and bypass these rules? That rarely happens on my server, but just 
want to make sure I understand.



Thanks, Gary


On 4/4/2018 11:03 PM, Jeff Koch wrote:
You can insert javascript password rules in the html code templates 
for qmailadmin.


Here's a simple password strength javascript that goes in the top of 
mod_user.html




function passwordStrength(password)
{
    var desc = new Array();
    desc[0] = "Very Weak";
    desc[1] = "Weak";
    desc[2] = "Better";
    desc[3] = "Medium";
    desc[4] = "Strong";
    desc[5] = "Strongest";

    var score   = 0;

    //if password bigger than 7 give 1 point
    if (password.length > 7) score++;

</pre><tt>    //if password has both lower and uppercase characters give 1 
</tt><tt>point
</tt><tt>    if ( ( password.match(/[a-z]/) ) && ( 
</tt><tt>password.match(/[A-Z]/) ) ) score++;
</tt><pre style="margin: 0em;">

    //if password has at least one number give 1 point
    if (password.match(/\d+/)) score++;

    //if password has at least one special characther give 1 point
    if ( password.match(/.[!,@,#,$,%,^,&,*,?,_,~,-,(,)]/) ) score++;

    //if password bigger than 12 give another 1 point
    if (password.length > 12) score++;

document.getElementById("passwordDescription").innerHTML = desc[score];
</pre><tt>document.getElementById("passwordStrength").className = "strength" + 
</tt><tt>score;
</tt><pre style="margin: 0em;">

 if (score > 2 ) {
   document.getElementById("btnSubmit").disabled = false;
 }else{
   document.getElementById("btnSubmit").disabled = true;
 }

 return score;
}



then further along in the code we have:

  
    name="password2" maxlength=128 size=16>

  
    
  
    class="style1">Password strength:
    id="passwordDescription">Password not entered

  
  
    class="style1">

    
    class="strength0">

    
    
  

Passwords must be at least eight characters and 
include three of the following four types: upper case letters, lower 
case letters, numbers and special characters.





Regards, Jeff








On 4/4/2018 6:51 PM, Gary Bowling wrote:



Last time I checked it was either not possible or not easy to 
implement password rules one the toaster. But that was a long time 
ago.



Has anything changed in that regard?

--

Gary Bowling
- 
To unsubscribe, e-mail: 
qmailtoaster-list-unsubscr...@qmailtoaster.com For additional 
commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com 




- 
To unsubscribe, e-mail: 
qmailtoaster-list-unsubscr...@qmailtoaster.com For additional 
commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com 

Re: [qmailtoaster] password complexity and length

[Jeff Koch]

For that section:

The original code was this:

 
  
  
  
  
  
  
  
    ##X092:
    maxlength="128" size="32" value="##i7">

  
  
    ##X110:
    maxlength=128 size=16>

  
  
    ##X091
    maxlength=128 size=16>

  
##tq  
    ##X249:
    
##ta
  value="##q">

   ##X251
 .
..
    
 
  
 
    
   
   




The modified code looks like this:

   action="##C/com/modusernow">

  
  
  value="ChangePassword">

  
  
  
  
  border="0">

    
  class="style1">##X092:

  
    maxlength="128" size="32" value="##i7">

  
    
    
  class="style1">##X110:

  
    name="password1" maxlength=128 size=16 id="pass" 
onkeyup="passwordStrength(this.value)">

  
    
    
  class="style1">##X091

  
    name="password2" maxlength=128 size=16>

  
    
  
    Password 
strength:
    id="passwordDescription">Password not entered

  
  
    
    
    
    
    
  

Passwords must be at least eight characters and 
include three of the following four types: upper case letters, lower 
case letters, numbers and special characters.




  ##tq
  
    ##X249:
     ##ta
    maxlength="128" size="16" value="##q">

 ##X251

...
..
  
     
    name="##X111" value="##X111">

    
  
  
    




Jeff



On 4/5/2018 10:39 AM, Gary Bowling wrote:



Also, does the code below replace the old "password1" section? Which 
looked like this.



  
    ##X110:
    maxlength=128 size=16>

  


And I assume the password2 section remains the same, which looked like 
this.



  
    ##X091
    maxlength=128 size=16>

  


Thanks and sorry for all the questions, I'm not a coder (obviously!) 
which of course is why I have a toaster in the first place. But I can 
follow directions!



Gary


On 4/5/2018 10:04 AM, Jeff Koch wrote:
Sorry - I left out this piece of code - goes right before the code 
that says password2. It's been 10 years since we looked at this.


    
  class="style1">##X110:

  
    name="password1" maxlength=128 size=16 id="pass" 
onkeyup="passwordStrength(this.value)">

  
    

Jeff

On 4/5/2018 9:55 AM, Jeff Koch wrote:

Hi Gary:

Only affects new passwords entered in mod_user.html. You'll need to 
add similar javascript.to 'add_user.html'. You can do the same in 
squirrelmail if you can find the correct place to slug in the 
javascript. The code analyzes text entered in the input field  
'password' and grays out the submit button until the password meets 
the test criteria. It's pretty basic code and I'm sure javascript 
experts could do a lot to improve it and give more clues to the users.


Once of the problems with messing with the templates is that there 
is no table defining the hash mark codes like ##tt ##tu ##X251. If 
anyone has a cheat sheet please share.


Jeff

On 4/5/2018 7:42 AM, Gary Bowling wrote:



Thanks Jeff. Just to make sure, if I do that edit it doesn't affect 
any exist