Hi Sam,

thank you for your very detailed answer. In fact you were right about
relaylock. I removed it during my tests and forgot to add it during the
config-test. Anyway, I gave it another shot, and I'm still stuck with
the same problem. I used loglevel 4 and got a warning saying:

WARNING: command aborted abnormally: /var/qmail/bin/relaylock

This line is shown directly above the TLS Success and the SMTP-Auth
Warning messages of the test:

SUCCESS: /var/qmail/bin/relaylock appears to offer TLS support. Continue
using the "tls-certificate-file" flag so spamdyke will be able to filter
all traffic.

WARNING: /var/qmail/bin/relaylock does not appear to offer SMTP AUTH
support. Please use the "smtp-auth-command" flag or the
"smtp-auth-command-encryption" flag as well as the "access-file" and
"local-domains-file" flags so spamdyke will be able to authenticate
users and correctly allow them to relay.

I decided to run strace and see what's happening. To me it seems like
something goes wrong during the testing of the SMTP Auth capacities?

--------- strace excerpt ---------
[.... creation of the socket .....]
[pid 19807] select(2, NULL, [1], NULL, {1200, 0}) = 1 (out [1], left
{1200, 0})
[pid 19807] write(1, "220 myserver.mydomain.com ESMTP\r\n", 26
<unfinished ...>
[pid 19806] <... select resumed> ) = 1 (in [5], left {29, 926000})
[pid 19807] <... write resumed> ) = 26
[pid 19806] read(5, "220 myserver.mydomain.com ESMTP\r\n", 4095) = 26
[pid 19806] time(NULL) = 1194975400
[pid 19806] select(5, [], [4], NULL, {30, 0}) = 1 (out [4], left {30, 0})
[pid 19806] write(4, "EHLO localhost\r\n", 16) = 16
[pid 19806] time(NULL) = 1194975400
[pid 19806] select(8, [5 7], [], NULL, {30, 0} <unfinished ...>
[pid 19807] select(1, [0], NULL, NULL, {1200, 0}) = 1 (in [0], left
{1200, 0})
[pid 19807] read(0, "EHLO localhost\r\n", 1024) = 16
[pid 19807] select(2, NULL, [1], NULL, {1200, 0}) = 1 (out [1], left
{1200, 0})
[pid 19807] write(1, "250-myserver.mydomain.com\r\n250-STARTTLS"..., 64
<unfinished ...>
[pid 19806] <... select resumed> ) = 1 (in [5], left {29, 999000})
[pid 19807] <... write resumed> ) = 64
[pid 19806] read(5, "250-myserver.mydomain.com\r\n250-STARTTLS"...,
4069) = 64
[pid 19806] time(NULL) = 1194975400
[pid 19806] select(5, [], [4], NULL, {30, 0}) = 1 (out [4], left {30, 0})
[pid 19806] write(4, "QUIT\r\n", 6) = 6
[pid 19806] time(NULL) = 1194975400
[pid 19806] select(8, [5 7], [], NULL, {30, 0} <unfinished ...>
[pid 19807] select(1, [0], NULL, NULL, {1200, 0}) = 1 (in [0], left
{1200, 0})
[pid 19807] read(0, "QUIT\r\n", 1024) = 6
[pid 19807] select(2, NULL, [1], NULL, {1200, 0}) = 1 (out [1], left
{1200, 0})
[pid 19807] write(1, "221 myserver.mydomain.com\r\n", 20 <unfinished ...>
[pid 19806] <... select resumed> ) = 1 (in [5], left {30, 0})
[pid 19807] <... write resumed> ) = 20
[pid 19806] read(5, "221 myserver.mydomain.com\r\n", 4005) = 20
[pid 19806] time(NULL) = 1194975400
[pid 19806] select(8, [5 7], [], NULL, {30, 0} <unfinished ...>
[pid 19807] exit_group(0) = ?
Process 19807 detached
<... select resumed> ) = 1 (in [5], left {29, 999000})
read(5, "", 3985) = 0
close(5) = 0
time(NULL) = 1194975400
select(8, [7], [], NULL, {30, 0}) = 1 (in [7], left {30, 0})
read(7, "", 3985) = 0
close(7) = 0
time(NULL) = 1194975400
close(4) = 0
wait4(19807, 0x7fbfff0a5c, WNOHANG, NULL) = 0
kill(19807, SIGKILL) = 0
write(2, "WARNING: command aborted abnorma"..., 61WARNING: command
aborted abnormally: /var/qmail/bin/relaylock) = 61
--------- strace excerpt ---------

I don't know if it is the right approach to the problem, but maybe it
will give you some clue?

I also tried to imitate what I see in the log above by telnetting my
system manually, because the strace only shows the first few bytes of
each read operation:

myserver:~ # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 myserver.mydomain.com ESMTP
EHLO localhost
250-myserver.mydomain.com
250-STARTTLS
250-PIPELINING
250 8BITMIME
QUIT
221 myserver.mydomain.com
Connection closed by foreign host.

I'm far from being an SMTP crack, but shouldn't there be a line
announcing my SMTP_AUTH capabilities as well?

bye, Michael

Sam Clippinger wrote:
> Plesk is such a queer duck. I like its control panel but it sure does
> some screwy things to the system configuration.
>
> I see something in your spamdyke configuration file that could be
> causing the SMTP AUTH problem. You have the following line commented out:
>     smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
> This is actually two commands -- smtp_auth and cmd5checkpw. They should
> be given on two separate lines and they should offer encrypted
> authentication:
>     smtp-auth-command-encryption=/var/qmail/bin/smtp_auth /var/qmail/bin/true
>     smtp-auth-command-encryption=/var/qmail/bin/cmd5checkpw /var/qmail/bin/true
> I suspect the authentication is failing because cmd5checkpw is the
> program that can actually process your credentials but it's not being
> started (because your configuration file lists it as a parameter to
> smtp_auth).
>
> However, you're correct that you don't need it with 3.0.0 and later --
> spamdyke now automatically detects successful authentication without
> running the commands itself.
>
> Next, your "config-test" is giving strange results because you probably
> used this command:
>     spamdyke -f /etc/spamdyke.conf /var/qmail/bin/qmail-smtpd
> Plesk doesn't patch qmail-smtpd to provide SMTP AUTH, so spamdyke can't
> see it. Instead, Plesk uses relaylock for that purpose. You should
> really test with:
>     spamdyke -f /etc/spamdyke.conf /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
> With that command line, the SMTP AUTH banners will appear and spamdyke
> won't complain about it any more.
>
> So in summary, you can either use Plesk's relaylock OR you can use
> spamdyke's "smtp-auth-command-encryption" directive. Using both is
> unnecessary and wastes server resources. If you have some users (or
> servers) that need to relay without authenticating, continue using
> relaylock. If you don't, create an empty access file and use spamdyke's
> "smtp-auth-command-encryption" and "access-file" instead of relaylock.
> It's a bit more efficient.
>
> To answer your last question about qmail-smtpd's command line, it
> doesn't have one by default. Most of the time, when you see command
> line options passed to qmail-smtpd, you're looking at a patched version
> of qmail-smtpd. (In Plesk's case, the extra options are not parameters
> to qmail-smtpd, they're actually parameters to relaylock.) Typically,
> any parameters are commands to process SMTP AUTH attempts.
>
> The authentication commands always come in pairs -- the auth command and
> a "true" command. This is a holdover from DJB's original
> "checkpassword" program, which runs the second command if the
> authentication is successful. I think his intent was that successful
> authentications could have side-effects, such as logging or unlocking
> resources. The password-checking program could be generic (i.e. only
> check the password) and the second command could perform the
> side-effect. In practice, this hasn't happened. People have simply
> written password-checking programs that perform the side-effects
> internally. "true" is used as the side-effect command because it's
> small and fast.
>
> For more information on "checkpassword" (but not much more), see DJB's site:
> http://cr.yp.to/checkpwd/interface.html
>
> -- Sam Clippinger
>
> Grimmi Meloni wrote:
>
>> Hi,
>>
>> I've been using spamdyke for about 2 weeks now, and I'm quite satisfied
>> with the results. Thanks for this great tool.
>>
>> As the subject states, I'm running a Plesk 8.1 based system. Today I
>> upgraded from the 2.6.3 version, to the 3.1.0.
>>
>> The good news is: I got everything working so far.
>>
>> But what made me curious are two things:
>>
>> With the old 2.6.3 I could use the --smtp-auth-command option, with the
>> new 3.1.0 this does not work anymore. "Not working anymore" in this case
>> means, that I have to remove this option or my client gets an error
>> message. In the logs it looks like authentication is tried twice. Really
>> weird, but since Plesk delivers a SMTP_AUTH capable server, this is no
>> problem - at least my relaying tests all failed when not authenticated.
>> So I think I'm still good.
>>
>> During the trial and error phase of this, I ran the --config-test option
>> of spamdyke. Although smtp authentication works, the config-test gives
>> me this warning:
>>
>> WARNING: /var/qmail/bin/qmail-smtpd does not appear to offer SMTP AUTH
>> support. Please use the "smtp-auth-command" flag or the
>> "smtp-auth-command-encryption" flag as well as the "access-file" and
>> "local-domains-file" flags so spamdyke will be able to authenticate
>> users and correctly allow them to relay.
>>
>> Now I'm wondering why this warning occurs at all. Is it a
>> misconfiguration on my part, or just the config-test failing to detect
>> the SMTP AUTH capabilities of my qmail_smtpd?
>>
>> bye, Michael
>>
>> P.S.: Although offtopic: Can anybody point me to a place where the
>> commandline of qmail_smtpd is explained? Basically I would like to know,
>> why /var/qmail/bin/true has to be in the commandline twice, or even
>> better, what qmail_smtpd in general does with its parameters? Thanks.
>>
>> ------------- my spamdyke.conf ------------
>> log-level=2
>> local-domains-file=/var/qmail/control/rcpthosts
>> max-recipients=5
>> idle-timeout-secs=60
>> graylist-dir=/var/qmail/gray
>> graylist-min-secs=300
>> graylist-max-secs=1814400
>> reject-empty-rdns
>> reject-unresolvable-rdns
>> reject-ip-in-cc-rdns
>> greeting-delay-secs=5
>> check-dnsrbl=zombie.dnsbl.sorbs.net
>> check-dnsrbl=dul.dnsbl.sorbs.net
>> check-dnsrbl=bogons.cymru.com
>> #smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true
>> /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
>> local-domains-file=/var/qmail/control/rcpthosts
>> reject-missing-sender-mx
>> hostname=v31616.vierfpeile.de
>> tls-certificate-file=/var/qmail/control/servercert.pem
>> ---------------end my spamdyke.conf------------
>>
>>
>> ------------ my xinetd.d config for smtp_psa ---------
>> server = /var/qmail/bin/tcp-env
>> server_args = -Rt0 /usr/local/bin/spamdyke -f
>> /etc/spamdyke.conf /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd
>> /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw
>> /var/qmail/bin/true
>> ------------ my xinetd.d config for smtp_psa ---------
>> _______________________________________________
>> spamdyke-users mailing list
>> [email protected]
>> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
>>
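
The telnet session in the message above shows an EHLO reply with no AUTH line, which is the condition the config-test warning describes. The following Python is an added example, not part of the thread and not spamdyke's code: it parses a multi-line EHLO reply and reports whether AUTH and STARTTLS are advertised. The names `parse_ehlo` and `auth_summary` and the `WITH_AUTH` sample are assumptions made for illustration.

```python
import re

# EHLO reply as shown in the telnet session in this thread.
TELNET_REPLY = ("250-myserver.mydomain.com\r\n250-STARTTLS\r\n"
                "250-PIPELINING\r\n250 8BITMIME\r\n")

# Constructed sample (not from the thread): a reply that advertises AUTH,
# including the legacy "AUTH=" spelling some servers send for old clients.
WITH_AUTH = ("250-myserver.mydomain.com\r\n250-AUTH LOGIN CRAM-MD5 PLAIN\r\n"
             "250-AUTH=LOGIN CRAM-MD5 PLAIN\r\n250-STARTTLS\r\n250 8BITMIME\r\n")

_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ehlo(reply):
    """Return (greeting, {KEYWORD: [PARAMS]}) for a complete 250 EHLO reply."""
    lines = [ln for ln in reply.split("\r\n") if ln]
    greeting, extensions = None, {}
    for i, line in enumerate(lines):
        m = _LINE.match(line)
        if not m or m.group(1) != "250":
            raise ValueError("not a 250 reply line: %r" % line)
        # "250-" marks a continuation line; only the last line uses "250 ".
        if (m.group(2) == " ") != (i == len(lines) - 1):
            raise ValueError("truncated or malformed reply at: %r" % line)
        text = m.group(3)
        if i == 0:
            greeting = text  # the first line carries the server name
            continue
        if text.upper().startswith("AUTH="):
            text = "AUTH " + text[5:]  # fold the legacy spelling into AUTH
        words = text.upper().split()
        if not words:
            continue
        params = extensions.setdefault(words[0], [])
        params.extend(w for w in words[1:] if w not in params)
    return greeting, extensions


def auth_summary(reply):
    """Report whether the reply advertises AUTH (and which mechanisms) and STARTTLS."""
    _, ext = parse_ehlo(reply)
    return {"auth": "AUTH" in ext,
            "mechanisms": ext.get("AUTH", []),
            "starttls": "STARTTLS" in ext}
```
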