Re: [spamdyke-users] modifying way that filters are shown in log files

2014-04-01 Thread Sam Clippinger
I'm really sorry I haven't been able to get to spamdyke issues lately, let me 
see if I can catch up...

When I test the earlytalker filter by itself from the command line, it appears 
to work:

root@patched:/usr/local/src/spamdyke-5.0.0/spamdyke# ./spamdyke --log-target stderr -linfo -e 10 ../tests/smtpdummy/smtpdummy
helo me
220 smtpdummy ESMTP
250 HELO received
mail from:f...@bar.com
250 Refused. You are not following the SMTP protocol.
rcpt to:b...@foo.com
554 Refused. You are not following the SMTP protocol.
spamdyke[4199]: DENIED_EARLYTALKER from: f...@bar.com to: b...@foo.com origin_ip: 0.0.0.0 origin_rdns: (unknown) auth: (unknown) encryption: (none) reason: (empty)
quit
221 Refused. You are not following the SMTP protocol.

So if your connections aren't being whitelisted, there may be a bug where the 
earlytalker filter is failing when combined with some other option(s).  Could 
you send me your spamdyke configuration file so I can try to reproduce your 
setup and nail it down?

-- Sam Clippinger




On Mar 13, 2014, at 3:03 PM, Shane Bywater sh...@apexia.ca wrote:

 Hi,
   I disabled all whitelist options in spamdyke.conf and restarted 
 spamdyke.  Confirmed no whitelist filters continued to be displayed in the 
 maillog file and also confirmed that only FILTER_EARLYTALKER delay: 5 was 
 found but still no DENIED_EARLYTALKER entries.  I even checked back in 
 maillog files from 2012 and found the same result.  It just can't be an 
 authenticated user from so many different IPs (100s) from such a long period 
 of time as my server would certainly be listed in multiple DNS blacklists 
 (it's currently not in any).  If anyone else has the same issue I would be 
 curious if it has anything to do with Plesk being involved.  If there are no 
 other recommendations maybe I'll try installing Spamdyke 5.0.0 unless anyone 
 has had issues using it on a Plesk 10.4.4, CentOS 6 server.  All comments 
 are welcomed.
 
 Regards,
 Shane Bywater
 
 
 
 --
 
 Message: 1
 Date: Wed, 12 Mar 2014 17:28:58 -0500
 From: Sam Clippinger s...@silence.org
 Subject: Re: [spamdyke-users] modifying way that filters are shown in
   log files
 To: spamdyke users spamdyke-users@spamdyke.org
 Message-ID: a70266f0-2742-4c3b-9820-adc66fe9f...@silence.org
 Content-Type: text/plain; charset=us-ascii
 
 If the earlytalker filter actually blocks a connection, you should see a 
 DENIED_EARLYTALKER message in the log.  Are you sure that connection isn't 
 whitelisted or authenticating?  Either of those things would prevent the 
 earlytalker filter from actually blocking the connection.
 
 -- Sam Clippinger
 
 
 
 
 On Mar 11, 2014, at 10:04 PM, Shane Bywater sh...@apexia.ca wrote:
 
 Hi,
  I'm running Spamdyke 4.3.1 on a Centos 6 server.  I've been 
 successfully using spamdyke along with fail2ban to block IPs with the 
 following characteristics:
 Missing RDNS and RDNS containing IP address.
 
 In the maillog files I see the following:
 Aug 24 04:14:42 server spamdyke[20879]: FILTER_IP_IN_CC_RDNS ip: 186.52.196.7 rdns: r186-52-196-7.dialup.adsl.anteldata.net.uy
 Aug 24 04:14:42 server spamdyke[20879]: DENIED_IP_IN_CC_RDNS from: birgitta.weh...@vll.ca to: u...@domain.com origin_ip: 186.52.196.7 origin_rdns: r186-52-196-7.dialup.adsl.an
 Aug 24 04:15:07 server spamdyke[23813]: FILTER_RDNS_MISSING ip: 117.207.23.39
 Aug 24 04:15:07 server spamdyke[23813]: DENIED_RDNS_MISSING from: 73a8...@enerdeco.nl to: u...@domain.com origin_ip: 117.207.23.39 origin_rdns: (unknown) auth: (unknown)
 Aug 24 04:21:33 apexia spamdyke[25574]: FILTER_EARLYTALKER delay: 5
 Aug 24 04:21:33 apexia /var/qmail/bin/relaylock[25582]: /var/qmail/bin/relaylock: mail from 101.208.35.161:51645 (not defined)
 
 My fail2ban configuration file contains:
 [Definition]
 failregex = spamdyke.+: DENIED_RDNS_MISSING from:.+origin_ip: <HOST>
             spamdyke.+: DENIED_IP_IN_CC_RDNS from:.+origin_ip: <HOST>
             spamdyke.+: FILTER_EARLYTALKER delay: 5.+from <HOST>      --not working
 ignoreregex =
 
 My issue is I now want to start banning IPs that set off the 
 FILTER_EARLYTALKER filter but as there is no corresponding 
 DENIED_EARLYTALKER from: x...@yyy.com to u...@domain.com origin_ip: 
 111.222.333.444 I cannot figure out the proper failregex expression to match 
 the existing format for FILTER_EARLYTALKER nor do I know how to change 
 spamdyke to show a familiar DENIED_EARLYTALKER ... heading in the maillog 
 which I could determine the proper failregex for.  If anyone can provide me 
 with some suggestions that would be appreciated.
 
 Regards,
 Shane Bywater
 
 ___
 spamdyke-users mailing list
 spamdyke-users@spamdyke.org
 http://www.spamdyke.org/mailman/listinfo/spamdyke-users
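The failregex lines in this thread only work for DENIED_* events because those are the lines that carry origin_ip. As an added example (not from the thread, spamdyke or fail2ban), the Python below expands fail2ban's <HOST> tag the way fail2ban does, runs the patterns over a constructed maillog excerpt modelled on the lines quoted above, and shows why a pattern keyed on FILTER_EARLYTALKER can never match. The HOST_TAG expression, the sample lines and the made-up addresses are my assumptions.

```python
import re
from collections import Counter

# fail2ban replaces the <HOST> tag in a failregex with a named group like this
# (simplified from fail2ban's own substitution; the optional prefix covers
# IPv4-mapped IPv6 addresses such as ::ffff:192.0.2.5).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two patterns that work in the thread plus one for the DENIED_EARLYTALKER
# line Sam's command-line test produces. FILTER_* lines carry no origin_ip, so
# a pattern for them has no address to capture.
FAILREGEX = [
    r"spamdyke.+: DENIED_RDNS_MISSING from:.+origin_ip: <HOST>",
    r"spamdyke.+: DENIED_IP_IN_CC_RDNS from:.+origin_ip: <HOST>",
    r"spamdyke.+: DENIED_EARLYTALKER from:.+origin_ip: <HOST>",
]

# Constructed maillog excerpt shaped like the lines quoted in the thread; the
# addresses and the last two lines are made up (203.0.113.9 and 198.51.100.7
# are documentation addresses).
SAMPLE_LOG = """\
Aug 24 04:14:42 server spamdyke[20879]: FILTER_IP_IN_CC_RDNS ip: 186.52.196.7 rdns: r186-52-196-7.dialup.adsl.anteldata.net.uy
Aug 24 04:14:42 server spamdyke[20879]: DENIED_IP_IN_CC_RDNS from: sender@example.net to: user@domain.com origin_ip: 186.52.196.7 origin_rdns: r186-52-196-7.dialup.adsl.anteldata.net.uy auth: (unknown)
Aug 24 04:15:07 server spamdyke[23813]: FILTER_RDNS_MISSING ip: 117.207.23.39
Aug 24 04:15:07 server spamdyke[23813]: DENIED_RDNS_MISSING from: other@example.nl to: user@domain.com origin_ip: 117.207.23.39 origin_rdns: (unknown) auth: (unknown)
Aug 24 04:21:33 apexia spamdyke[25574]: FILTER_EARLYTALKER delay: 5
Aug 24 04:21:33 apexia /var/qmail/bin/relaylock[25582]: /var/qmail/bin/relaylock: mail from 101.208.35.161:51645 (not defined)
Aug 24 04:21:38 apexia spamdyke[25574]: DENIED_EARLYTALKER from: x@example.org to: user@domain.com origin_ip: 203.0.113.9 origin_rdns: (unknown) auth: (unknown) encryption: (none) reason: (empty)
Aug 24 04:25:00 apexia spamdyke[25900]: ALLOWED from: ok@example.com to: user@domain.com origin_ip: 198.51.100.7 origin_rdns: mail.example.com auth: (unknown)
"""


def compile_failregex(patterns):
    """Expand <HOST> the way fail2ban does and compile each pattern."""
    return [re.compile(p.replace("<HOST>", HOST_TAG)) for p in patterns]


def scan(log_text, patterns=FAILREGEX):
    """Return (spamdyke event, host) for every log line some failregex matches."""
    compiled = compile_failregex(patterns)
    hits = []
    for line in log_text.splitlines():
        for rx in compiled:
            m = rx.search(line)
            if m:
                event = re.search(r"spamdyke\[\d+\]: (\w+)", line)
                hits.append((event.group(1) if event else "?", m.group("host")))
                break  # fail2ban counts one failure per matching line
    return hits


def ban_candidates(log_text, maxretry=1, patterns=FAILREGEX):
    """Hosts whose matched lines reach maxretry, sorted for stable output."""
    counts = Counter(host for _, host in scan(log_text, patterns))
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for event, host in scan(SAMPLE_LOG):
        print(f"{event:<22} {host}")
    print("would ban:", ban_candidates(SAMPLE_LOG))
    # The pattern tried in the thread: FILTER_EARLYTALKER lines carry no address.
    print("FILTER_EARLYTALKER hits:",
          scan(SAMPLE_LOG, [r"spamdyke.+: FILTER_EARLYTALKER delay: 5.+from <HOST>"]))
```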
 
 

Re: [spamdyke-users] SMTP Auth Problem

2014-04-01 Thread Sam Clippinger
I'm really sorry I haven't been able to get to spamdyke issues lately, let me 
see if I can catch up...

Did you ever get this issue resolved?  The only thing that jumps out to me is 
the way you've formatted your smtp-auth-command option -- you've got two 
commands on a single line, which means only the first one will be executed.  
Try breaking it up into two lines, like this:
smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true
smtp-auth-command=/var/qmail/bin/cmd5checkpw /var/qmail/bin/true

Also, the error messages you sent show the user is trying to authenticate with 
the username webmaster.  Is that legal on your server?  Most Plesk servers 
require authenticating with the full email address as the username.

-- Sam Clippinger




On Mar 18, 2014, at 5:30 AM, Arne.Metzger mo...@foni.net wrote:

 In the meantime I switched back to 4.3.1, which works like a charm!
 
 Here is my config for 4.3.1 - what did I do wrong during update to 5.0.0?
 
 log-level=verbose
 local-domains-file=/var/qmail/control/rcpthosts
 tls-certificate-file=/var/qmail/control/servercert.pem
 max-recipients=20
 idle-timeout-secs=100
 greeting-delay-secs=5
 smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
 smtp-auth-level=ondemand-encrypted
 filter-level=normal
 config-dir=/var/qmail/spamdyke/config.d
 
 graylist-dir=/var/qmail/spamdyke/graylist
 graylist-level=always-create-dir
 graylist-min-secs=300
 graylist-max-secs=604800
 graylist-exception-ip-file=/var/qmail/spamdyke/graylist-exception-ip
 graylist-exception-rdns-file=/var/qmail/spamdyke/graylist-exception-rdns
 policy-url=http://www.shjjv.de/Spamfilter.547.0.html
 sender-blacklist-file=/var/qmail/spamdyke/blacklist_senders
 recipient-blacklist-file=/var/qmail/spamdyke/blacklist_recipients
 ip-in-rdns-keyword-blacklist-file=/var/qmail/spamdyke/blacklist_keywords
 ip-blacklist-file=/var/qmail/spamdyke/blacklist_ip
 rdns-blacklist-file=/var/qmail/spamdyke/blacklist_rdns
 rdns-whitelist-file=/var/qmail/spamdyke/whitelist_rdns
 ip-whitelist-file=/var/qmail/spamdyke/whitelist_ip
 sender-whitelist-file=/var/qmail/spamdyke/whitelist_sender
 dns-blacklist-entry=ix.dnsbl.manitu.net
 dns-blacklist-entry=zen.spamhaus.org
 
 reject-missing-sender-mx
 reject-empty-rdns
 reject-unresolvable-rdns
 reject-ip-in-cc-rdns
 reject-identical-sender-recipient
 
 
 On 18.03.2014 11:18, Marc Gregel wrote:
 Arne, maybe you can try to set
 log-level=debug
 and watch the mail-log for useful infos...
 
 
 2014-03-18 10:02 GMT+01:00 Arne.Metzger mo...@foni.net:
 Ok, problem must be spamdyke. I removed spamdyke from smtp_psa and
 smtps_psa and auth works fine.
 
 So, where is my misconfiguration?
 
 On 18.03.2014 08:25, Arne.Metzger wrote:
  Hi Folks,
 
  no hints? I am still confused about this issue, since all worked perfectly
  since Monday...
 
  On 17.03.2014 15:54, Arne.Metzger wrote:
  Here are my config files, I use two spamdyke-configs, one for tls and one
  for non-tls
 
  spamdyke5tls.conf
  #general
  log-level=verbose
  qmail-rcpthosts-file=/var/qmail/control/rcpthosts
  tls-certificate-file=/var/qmail/control/servercert.pem
  max-recipients=20
  idle-timeout-secs=100
  greeting-delay-secs=5
  smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
  smtp-auth-level=ondemand
  tls-level=smtps
  filter-level=normal
  config-dir=/var/qmail/spamdyke/config.d
  policy-url=http://www.shjjv.de/Spamfilter.547.0.html
  recipient-validation-command=/usr/local/bin/spamdyke5-qrv
 
  #blacklist, whitelist
  ip-blacklist-file=/var/qmail/spamdyke/blacklist_ip
  ip-whitelist-file=/var/qmail/spamdyke/whitelist_ip
  sender-blacklist-file=/var/qmail/spamdyke/blacklist_senders
  recipient-blacklist-file=/var/qmail/spamdyke/blacklist_recipients
  sender-whitelist-file=/var/qmail/spamdyke/whitelist_sender
  rdns-blacklist-file=/var/qmail/spamdyke/blacklist_rdns
  rdns-whitelist-file=/var/qmail/spamdyke/whitelist_rdns
  header-blacklist-file=/var/qmail/spamdyke/blacklist_headers
 
  #graylist
  graylist-dir=/var/qmail/spamdyke/graylist
  graylist-level=always-create-dir
  graylist-min-secs=300
  graylist-max-secs=604800
  graylist-exception-ip-file=/var/qmail/spamdyke/graylist-exception-ip
  graylist-exception-rdns-file=/var/qmail/spamdyke/graylist-exception-rdns
 
  #rdns
  ip-in-rdns-keyword-blacklist-file=/var/qmail/spamdyke/blacklist_keywords
  #reject-missing-sender-mx
  reject-sender=no-mx
  #reject-sender=not-local
  #reject-sender=authentication-domain-mismatch
  reject-empty-rdns
  reject-unresolvable-rdns
  reject-ip-in-cc-rdns
  #reject-identical-sender-recipient
  reject-recipient=same-as-sender
  reject-recipient=invalid
 
  #dns
  dns-blacklist-file=/var/qmail/spamdyke/blacklist_rbl
  #dns-blacklist-entry=ix.dnsbl.manitu.net
  #dns-blacklist-entry=zen.spamhaus.org
  #dns-blacklist-entry=dnsbl-1.uceprotect.net
  #dns-blacklist-entry=bl.spamcannibal.org
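Sam's point about two authenticators on one smtp-auth-command line, as an added Python check that is not spamdyke's own code: it parses a constructed spamdyke.conf excerpt in the shape of the one quoted above, flags a value that carries more than one authenticator chain, and rewrites the config so each chain gets its own line. The parser, the sample config, and the assumption that every chain ends with the /true helper (as all the quoted ones do) are mine.

```python
import shlex
from collections import defaultdict

# Constructed excerpt shaped like the 5.0.0 config in the thread: the
# smtp-auth-command value holds two authenticator chains on one line.
BROKEN_CONF = """\
#general
log-level=verbose
greeting-delay-secs=5
smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
smtp-auth-level=ondemand
reject-empty-rdns
"""

# Assumption: each authenticator chain ends with the true helper, as every
# smtp-auth-command in the thread does; the split below keys on that suffix.
CHAIN_END = "/true"


def parse_conf(text):
    """spamdyke.conf is one option per line: key=value or a bare flag, with
    '#' comment lines. Every key maps to a list so repeatable options such as
    smtp-auth-command keep all their values."""
    opts = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            opts[key.strip()].append(value.strip())
    return dict(opts)


def split_chains(value):
    """Split one smtp-auth-command value into the separate chains it holds."""
    chains, current = [], []
    for tok in shlex.split(value):
        current.append(tok)
        if tok.endswith(CHAIN_END):
            chains.append(" ".join(current))
            current = []
    if current:  # trailing tokens that never reached a /true helper
        chains.append(" ".join(current))
    return chains


def lint(text):
    """Warnings for smtp-auth-command values that carry more than one chain."""
    warnings = []
    for value in parse_conf(text).get("smtp-auth-command", []):
        chains = split_chains(value)
        if len(chains) > 1:
            warnings.append(f"smtp-auth-command holds {len(chains)} commands; "
                            f"only the first runs: {value}")
    return warnings


def fix(text):
    """Return the config with each chain on its own smtp-auth-command line."""
    out = []
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition("=")
        if key == "smtp-auth-command" and sep:
            out.extend(f"smtp-auth-command={c}" for c in split_chains(value))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("\n".join(lint(BROKEN_CONF)) or "no problems found")
    print(fix(BROKEN_CONF))
```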
  

Re: [spamdyke-users] Mails with Wildcard Recipient

2014-04-01 Thread Sam Clippinger
I'm really sorry I haven't been able to get to spamdyke issues lately, let me 
see if I can catch up...

Is *@domain.tld being logged as the recipient in the spamdyke logs?  Or are 
you seeing that as the To line in the message header?  If it's in the logs, 
you should be able to just add *@domain.tld to your recipient blacklist file 
-- spamdyke doesn't use * as a wildcard character, so it will interpret that 
entry literally and block it.  If it's in the message header, you should be 
able to stop it using the header blacklisting feature; you'll just have to be 
sure to escape the * character so it doesn't match every recipient.

-- Sam Clippinger




On Mar 21, 2014, at 10:40 AM, Lutz Petersen l...@shlink.de wrote:

 
 
 Hi,
 
 today we got some astonishing mails, with recipients such as:
 
 *@domain.tld
 
 Does anyone know how to prevent this?
 
 
 
 Lutz Petersen
 
 


Re: [spamdyke-users] No TLS with openssl elliptic curve cipher suites / pfs perfect forward secrecy

2014-04-01 Thread Sam Clippinger
I'm really sorry I haven't been able to get to spamdyke issues lately, let me 
see if I can catch up...

I'll update the docs, thanks for the tip!

As for how the key size of the DH key relates to well, anything at all, I 
honestly have no idea.  The OpenSSL documentation is extremely frustrating to 
use -- I suspect it was only written because someone was told you can't go 
home until you write some docs, not because they actually intended to convey 
any useful information (or confidence in their product).  The only man page I 
found even slightly helpful was this one:
https://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html

Anyway, the key length parameter you're seeing in the qmail patch is used when 
the callback function is used (SSL_CTX_set_tmp_dh_callback()).  When OpenSSL 
uses the supplied callback, it provides the key length as a parameter.  The 
examples on the OpenSSL site (and the qmail patch) use the key length to choose 
a PEM file.  spamdyke doesn't use that function, it uses SSL_CTX_set_tmp_dh() 
instead, which allows it to provide a DH key when the TLS session is created.  
Avoiding the callback is (very slightly) less efficient but simplifies 
spamdyke's code (and configuration) quite a bit.  But from what I can grok from 
the OpenSSL docs, the key spamdyke loads is not used directly for securing the 
connection; it's used for creating the key that actually does secure the 
connection (through a magical, completely unexplained process).  I'm not sure 
the client ever sees the DH key used by spamdyke, I think it's used as a seed 
for the ephemeral key.  Or maybe for signing the ephemeral key.  Or something 
else only OpenSSL coders understand.  If you can figure it out, I'd love to 
know how it works.

In my testing, running openssl from the command line will connect to spamdyke using 
DH ephemeral keys when spamdyke's DH key is 2048 bits.  Of course, most of my 
testing has been done by connecting to/from the same box, obviously running the 
same version of OpenSSL.  It would be interesting to try running spamdyke with 
different sizes of DH keys to/from different hosts to see if/when the 
connections fail.  It may also be possible to provide a bunch of different keys 
in the same file by simply concatenating them -- the PEM format allows that.

As for the list of default ciphers, my understanding is that the list is 
created when OpenSSL is compiled, so it can be different for each 
distro/update/host.  So there is no standard list, though there are some very 
common ciphers that are probably in everyone's default list.  The only way to 
find your server's default list is to run openssl ciphers from the command 
line.

-- Sam Clippinger




On Mar 28, 2014, at 1:47 PM, Eric Shubert e...@shubes.net wrote:

 Marc (and Sam),
 
 Would you please elaborate a little on this? I'm trying to straighten 
 things up on QMail-Toaster and could use a little help. I'm far from an 
 openssl expert, but I'm learning. ;)
 
 The qmail TLS patch that's presently in place (Frederik Vermeulen - 
 qmail-tls 20060104 http://inoa.net/qmail-tls/) is a little outdated. It 
 has provisions for rsa512.pem along with dh512.pem and dh1024.pem files.
 
 I see that rsa key exchange is now disabled by default, so that code is 
 dead.
 
 I'm wondering though about dh512.pem vs dh1024.pem files. These are 
 generated by the openssl dhparam command for the respective key lengths. 
 From the patch code, I see that a key length parameter is given to the 
 callback function, which controls which pem file is used. Here's the 
 callback function from the patch:
 +DH *tmp_dh_cb(SSL *ssl, int export, int keylen)
 +{
 +  if (!export) keylen = 1024;
 +  if (keylen == 512) {
 +FILE *in = fopen(control/dh512.pem, r);
 +if (in) {
 +  DH *dh = PEM_read_DHparams(in, NULL, NULL, NULL);
 +  fclose(in);
 +  if (dh) return dh;
 +}
 +  }
 +  if (keylen == 1024) {
 +FILE *in = fopen(control/dh1024.pem, r);
 +if (in) {
 +  DH *dh = PEM_read_DHparams(in, NULL, NULL, NULL);
 +  fclose(in);
 +  if (dh) return dh;
 +}
 +  }
 +  return DH_generate_parameters(keylen, DH_GENERATOR_2, NULL, NULL);
 +}
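Review bot: `if (!export) keylen = 1024;` overrides whatever length OpenSSL passed in for every non-export cipher suite, so this callback can only ever return 1024-bit parameters (512 for export suites); the 2048 and 4096 cases asked about above are unreachable through this code, and adding dh2048.pem/dh4096.pem branches would change nothing until that override is removed or raised. The fallback `return DH_generate_parameters(keylen, DH_GENERATOR_2, NULL, NULL);` also generates fresh parameters inside the handshake whenever a PEM file is missing or unreadable, which is slow and silently masks a broken deployment; returning NULL so the handshake fails, with a log line naming the missing file, would be the safer behaviour. The `fopen` arguments appear without quotes (`fopen(control/dh512.pem, r)`), presumably lost in mail formatting, but worth confirming against the actual patch file.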
 
 I'm at a loss determining where this keylen comes from. I'm not finding 
 where it's set or determined.
 
 I'm also wondering, should 2048 and 4096 key lengths also be included? 
 They are mentioned in the man page
 (http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html) Notes 
 section, but not in the code examples found there.
 
 
 How are the multiple key lengths implemented (distinguished) in the 
 tls-dhparams-file option of the spamdyke configuration?
 
 
 Thanks for your help with this. I'm learning a lot.
 
 
 P.S. Sam, the documentation refers to openssl dhparams. Should be 
 openssl dhparam (no S in dhparam).
 
 P.P.S. Sam, the documentation says the default list of ciphers is 
 usually fine. What *is* the default list? Same as what the openssl 
 ciphers command returns 

Re: [spamdyke-users] SMTP Auth Problem

2014-04-01 Thread Arne.Metzger

Hi Sam,

I wasn't able to resolve the issue, so I switched back to 4.3.1. I have 
smtp-auth-command 1:1 in my spamdyke4.conf and it works, but I have 
split it into 2 lines now.


Users may authenticate with a short or long username, so both versions 
will work. Most use the short version.


I am sorry to say that, but I haven't tried 5.0.0 again since then, 
because I need to have a stable mailsystem.


Regards,
Arne

On 02.04.2014 01:38, Sam Clippinger wrote:
I'm really sorry I haven't been able to get to spamdyke issues lately, 
let me see if I can catch up...


Did you ever get this issue resolved?  The only thing that jumps out 
to me is the way you've formatted your smtp-auth-command option -- 
you've got two commands on a single line, which means only the first 
one will be executed.  Try breaking it up into two lines, like this:

smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true
smtp-auth-command=/var/qmail/bin/cmd5checkpw /var/qmail/bin/true

Also, the error messages you sent show the user is trying to 
authenticate with the username webmaster.  Is that legal on your 
server?  Most Plesk servers require authenticating with the full email 
address as the username.


-- Sam Clippinger



