Hi Sam,

With

TCPREMOTEIP=1.2.3.4 /usr/local/bin/spamdyke -f /etc/spamdyke.conf -l4 --config-test /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true

I get the expected result

SUCCESS: /var/qmail/bin/relaylock appears to offer SMTP AUTH support. spamdyke will observe any authentication and trust its response.

Thanks for your support. I guess I'll just lean back and watch the spam being held off my system for a while now... :-))

bye, Michael

Sam Clippinger wrote:
> relaylock uses the TCPREMOTEIP environment variable (set by tcpserver or
> tcp_env) to determine the IP address of the remote server. When
> spamdyke runs its configuration tests, it sets TCPREMOTEIP to 127.0.0.1.
> relaylock doesn't seem to offer SMTP AUTH to that IP address.
>
> Try this -- set TCPREMOTEIP to another value:
> export TCPREMOTEIP=11.22.33.44
> Then run the configuration test one more time. The SMTP AUTH test
> should succeed.
>
> I see this on my Plesk server when I test with your configuration file:
> ------------------------------------------------------------------------
> spamdyke-3.1.1/spamdyke# cat config.txt
> log-level=2
> local-domains-file=/var/qmail/control/rcpthosts
> max-recipients=5
> idle-timeout-secs=60
> graylist-dir=/var/qmail/gray
> graylist-min-secs=300
> graylist-max-secs=1814400
> reject-empty-rdns
> reject-unresolvable-rdns
> reject-ip-in-cc-rdns
> greeting-delay-secs=5
> check-dnsrbl=zombie.dnsbl.sorbs.net
> check-dnsrbl=dul.dnsbl.sorbs.net
> check-dnsrbl=bogons.cymru.com
> smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true
> smtp-auth-command=/var/qmail/bin/cmd5checkpw /var/qmail/bin/true
> local-domains-file=/var/qmail/control/rcpthosts
> reject-missing-sender-mx
> hostname=v31616.vierfpeile.de
> tls-certificate-file=/var/qmail/control/servercert.pem
> spamdyke-3.1.1/spamdyke# export TCPREMOTEIP=11.22.33.44
> spamdyke-3.1.1/spamdyke# ./spamdyke -f config.txt --config-test
> /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd
> /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw
> /var/qmail/bin/true
> spamdyke 3.1.1+TLS (C)2007 Sam Clippinger, samc (at) silence (dot) org
> http://www.spamdyke.org/
>
> Use -h for an option summary or see README.html for complete option details.
>
> Testing configuration...
>
> WARNING: Running tests as superuser root (0), group root (0). These test
> results may not be valid if the mail server runs as another user.
> INFO: Running command to test capabilities: /var/qmail/bin/relaylock
> WARNING: command aborted abnormally: /var/qmail/bin/relaylock
> SUCCESS: /var/qmail/bin/relaylock appears to offer TLS support. Continue
> using the "tls-certificate-file" flag so spamdyke will be able to filter
> all traffic.
> WARNING: /var/qmail/bin/relaylock appears to offer SMTP AUTH support but
> the "smtp-auth-command", "smtp-auth-command-encryption" and/or
> "access-file" flags are in use. This is not necessary and needlessly
> creates extra load on the server.
> ERROR(graylist-dir): Unable to read graylist directory /var/qmail/gray:
> No such file or directory
> ERROR: Tests complete. Errors detected.
> spamdyke-3.1.1/spamdyke#
> ------------------------------------------------------------------------
>
> -- Sam Clippinger
>
> Grimmi Meloni wrote:
>
>> Hi Sam,
>>
>> thank you for your very detailed answer. In fact you were right about
>> relaylock. I removed it during my tests and forgot to add it during the
>> config-test. Anyway, I gave it another shot, and I'm still stuck with
>> the same problem. I used loglevel 4 and got a warning saying:
>>
>> WARNING: command aborted abnormally: /var/qmail/bin/relaylock
>>
>> This line is shown directly above the TLS Success and the SMTP-Auth
>> Warning messages of the test:
>>
>> SUCCESS: /var/qmail/bin/relaylock appears to offer TLS support. Continue
>> using the "tls-certificate-file" flag so spamdyke will be able to filter
>> all traffic.
>> WARNING: /var/qmail/bin/relaylock does not appear to offer SMTP AUTH
>> support. Please use the "smtp-auth-command" flag or the
>> "smtp-auth-command-encryption" flag as well as the "access-file" and
>> "local-domains-file" flags so spamdyke will be able to authenticate
>> users and correctly allow them to relay.
>>
>> I decided to run strace and see what's happening. To me it seems like
>> something goes wrong during the testing of the SMTP Auth capacities?
>>
>> --------- strace excerpt ---------
>> [.... creation of the socket .....]
>> [pid 19807] select(2, NULL, [1], NULL, {1200, 0}) = 1 (out [1], left
>> {1200, 0})
>> [pid 19807] write(1, "220 myserver.mydomain.com ESMTP\r\n", 26
>> <unfinished ...>
>> [pid 19806] <... select resumed> ) = 1 (in [5], left {29, 926000})
>> [pid 19807] <... write resumed> ) = 26
>> [pid 19806] read(5, "220 myserver.mydomain.com ESMTP\r\n", 4095) = 26
>> [pid 19806] time(NULL) = 1194975400
>> [pid 19806] select(5, [], [4], NULL, {30, 0}) = 1 (out [4], left {30, 0})
>> [pid 19806] write(4, "EHLO localhost\r\n", 16) = 16
>> [pid 19806] time(NULL) = 1194975400
>> [pid 19806] select(8, [5 7], [], NULL, {30, 0} <unfinished ...>
>> [pid 19807] select(1, [0], NULL, NULL, {1200, 0}) = 1 (in [0], left
>> {1200, 0})
>> [pid 19807] read(0, "EHLO localhost\r\n", 1024) = 16
>> [pid 19807] select(2, NULL, [1], NULL, {1200, 0}) = 1 (out [1], left
>> {1200, 0})
>> [pid 19807] write(1, "250-myserver.mydomain.com\r\n250-STARTTLS"..., 64
>> <unfinished ...>
>> [pid 19806] <... select resumed> ) = 1 (in [5], left {29, 999000})
>> [pid 19807] <... write resumed> ) = 64
>> [pid 19806] read(5, "250-myserver.mydomain.com\r\n250-STARTTLS"...,
>> 4069) = 64
>> [pid 19806] time(NULL) = 1194975400
>> [pid 19806] select(5, [], [4], NULL, {30, 0}) = 1 (out [4], left {30, 0})
>> [pid 19806] write(4, "QUIT\r\n", 6) = 6
>> [pid 19806] time(NULL) = 1194975400
>> [pid 19806] select(8, [5 7], [], NULL, {30, 0} <unfinished ...>
>> [pid 19807] select(1, [0], NULL, NULL, {1200, 0}) = 1 (in [0], left
>> {1200, 0})
>> [pid 19807] read(0, "QUIT\r\n", 1024) = 6
>> [pid 19807] select(2, NULL, [1], NULL, {1200, 0}) = 1 (out [1], left
>> {1200, 0})
>> [pid 19807] write(1, "221 myserver.mydomain.com\r\n", 20 <unfinished ...>
>> [pid 19806] <... select resumed> ) = 1 (in [5], left {30, 0})
>> [pid 19807] <... write resumed> ) = 20
>> [pid 19806] read(5, "221 myserver.mydomain.com\r\n", 4005) = 20
>> [pid 19806] time(NULL) = 1194975400
>> [pid 19806] select(8, [5 7], [], NULL, {30, 0} <unfinished ...>
>> [pid 19807] exit_group(0) = ?
>> Process 19807 detached
>> <... select resumed> ) = 1 (in [5], left {29, 999000})
>> read(5, "", 3985) = 0
>> close(5) = 0
>> time(NULL) = 1194975400
>> select(8, [7], [], NULL, {30, 0}) = 1 (in [7], left {30, 0})
>> read(7, "", 3985) = 0
>> close(7) = 0
>> time(NULL) = 1194975400
>> close(4) = 0
>> wait4(19807, 0x7fbfff0a5c, WNOHANG, NULL) = 0
>> kill(19807, SIGKILL) = 0
>> write(2, "WARNING: command aborted abnorma"..., 61WARNING: command
>> aborted abnormally: /var/qmail/bin/relaylock) = 61
>> --------- strace excerpt ---------
>>
>> I don't know if it is the right approach to the problem, but maybe it
>> will give you some clue?
>>
>> I also tried to imitate what I see in the log above by telnetting my
>> system manually, because the strace only shows the first few bytes of
>> each read operation:
>>
>> myserver:~ # telnet localhost 25
>> Trying 127.0.0.1...
>> Connected to localhost.
>> Escape character is '^]'.
>> 220 myserver.mydomain.com ESMTP
>> EHLO localhost
>> 250-myserver.mydomain.com
>> 250-STARTTLS
>> 250-PIPELINING
>> 250 8BITMIME
>> QUIT
>> 221 myserver.mydomain.com
>> Connection closed by foreign host.
>>
>> I'm far from being a SMTP crack, but shouldn't there be a line
>> announcing my SMTP_AUTH capabilities as well?
>>
>> bye, Michael
>>
>> Sam Clippinger wrote:
>>
>>> Plesk is such a queer duck. I like its control panel but it sure does
>>> some screwy things to the system configuration.
>>>
>>> I see something in your spamdyke configuration file that could be
>>> causing the SMTP AUTH problem. You have the following line commented out:
>>> smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true
>>> /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
>>> This is actually two commands -- smtp_auth and cmd5checkpw. They should
>>> be given on two separate lines and they should offer encrypted
>>> authentication:
>>> smtp-auth-command-encryption=/var/qmail/bin/smtp_auth
>>> /var/qmail/bin/true
>>> smtp-auth-command-encryption=/var/qmail/bin/cmd5checkpw
>>> /var/qmail/bin/true
>>> I suspect the authentication is failing because cmd5checkpw is the
>>> program that can actually process your credentials but it's not being
>>> started (because your configuration file lists it as a parameter to
>>> smtp_auth).
>>>
>>> However, you're correct that you don't need it with 3.0.0 and later --
>>> spamdyke now automatically detects successful authentication without
>>> running the commands itself.
>>>
>>> Next, your "config-test" is giving strange results because you probably
>>> used this command:
>>> spamdyke -f /etc/spamdyke.conf /var/qmail/bin/qmail-smtpd
>>> Plesk doesn't patch qmail-smtpd to provide SMTP AUTH, so spamdyke can't
>>> see it. Instead, Plesk uses relaylock for that purpose. You should
>>> really test with:
>>> spamdyke -f /etc/spamdyke.conf /var/qmail/bin/relaylock
>>> /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true
>>> /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
>>> With that command line, the SMTP AUTH banners will appear and spamdyke
>>> won't complain about it any more.
>>>
>>> So in summary, you can either use Plesk's relaylock OR you can use
>>> spamdyke's "smtp-auth-command-encryption" directive. Using both is
>>> unnecessary and wastes server resources. If you have some users (or
>>> servers) that need to relay without authenticating, continue using
>>> relaylock. If you don't, create an empty access file and use spamdyke's
>>> "smtp-auth-command-encryption" and "access-file" instead of relaylock.
>>> It's a bit more efficient.
>>>
>>> To answer your last question about qmail-smtpd's command line, it
>>> doesn't have one by default. Most of the time, when you see command
>>> line options passed to qmail-smtpd, you're looking at a patched version
>>> of qmail-smtpd. (In Plesk's case, the extra options are not parameters
>>> to qmail-smtpd, they're actually parameters to relaylock.) Typically,
>>> any parameters are commands to process SMTP AUTH attempts.
>>>
>>> The authentication commands always come in pairs -- the auth command and
>>> a "true" command. This is a holdover from DJB's original
>>> "checkpassword" program, which runs the second command if the
>>> authentication is successful. I think his intent was that successful
>>> authentications could have side-effects, such as logging or unlocking
>>> resources. The password-checking program could be generic (i.e. only
>>> check the password) and the second command could perform the
>>> side-effect. In practice, this hasn't happened. People have simply
>>> written password-checking programs that perform the side-effects
>>> internally. "true" is used as the side-effect command because it's
>>> small and fast.
>>>
>>> For more information on "checkpassword" (but not much more), see DJB's site:
>>> http://cr.yp.to/checkpwd/interface.html
>>>
>>> -- Sam Clippinger
>>>
>>> Grimmi Meloni wrote:
>>>
>>>
>>>> Hi,
>>>>
>>>> I've been using spamdyke for about 2 weeks now, and I'm quite satisfied
>>>> with the results. Thanks for this great tool.
>>>>
>>>> As the subject states, I'm running a Plesk 8.1 based system. Today I
>>>> upgraded from the 2.6.3 version, to the 3.1.0.
>>>>
>>>> The good news is: I got everything working so far.
>>>>
>>>> But what made me curious are two things:
>>>>
>>>> With the old 2.6.3 I could use the --smtp-auth-command option, with the
>>>> new 3.1.0 this does not work anymore. "Not working anymore" in this case
>>>> means, that I have to remove this option or my client gets an error
>>>> message. In the logs it looks like authentication is tried twice. Really
>>>> weird, but since Plesk delivers a SMTP_AUTH capable server, this is no
>>>> problem - at least my relaying tests all failed when not authenticated.
>>>> So I think I'm still good.
>>>>
>>>> During the trial and error phase of this, I ran the --config-test option
>>>> of spamdyke. Although smtp authentication works, the config-test gives
>>>> me this warning:
>>>>
>>>> WARNING: /var/qmail/bin/qmail-smtpd does not appear to offer SMTP AUTH
>>>> support. Please use the "smtp-auth-command" flag or the
>>>> "smtp-auth-command-encryption" flag as well as the "access-file" and
>>>> "local-domains-file" flags so spamdyke will be able to authenticate
>>>> users and correctly allow them to relay.
>>>>
>>>> Now I'm wondering why this warning occurs at all. Is it a
>>>> misconfiguration on my part, or just the config-test failing to detect
>>>> the SMTP AUTH capabilities of my qmail_smtpd?
>>>>
>>>> bye, Michael
>>>>
>>>> P.S.: Although offtopic: Can anybody point me to a place where the
>>>> commandline of qmail_smtpd is explained? Basically I would like to know,
>>>> why /var/qmail/bin/true has to be in the commandline twice, or even
>>>> better, what qmail_smtpd in general does with its parameters? Thanks.
>>>>
>>>> ------------- my spamdyke.conf ------------
>>>> log-level=2
>>>> local-domains-file=/var/qmail/control/rcpthosts
>>>> max-recipients=5
>>>> idle-timeout-secs=60
>>>> graylist-dir=/var/qmail/gray
>>>> graylist-min-secs=300
>>>> graylist-max-secs=1814400
>>>> reject-empty-rdns
>>>> reject-unresolvable-rdns
>>>> reject-ip-in-cc-rdns
>>>> greeting-delay-secs=5
>>>> check-dnsrbl=zombie.dnsbl.sorbs.net
>>>> check-dnsrbl=dul.dnsbl.sorbs.net
>>>> check-dnsrbl=bogons.cymru.com
>>>> #smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true
>>>> /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
>>>> local-domains-file=/var/qmail/control/rcpthosts
>>>> reject-missing-sender-mx
>>>> hostname=v31616.vierfpeile.de
>>>> tls-certificate-file=/var/qmail/control/servercert.pem
>>>> ---------------end my spamdyke.conf------------
>>>>
>>>>
>>>> ------------ my xinetd.d config for smtp_psa ---------
>>>> server = /var/qmail/bin/tcp-env
>>>> server_args = -Rt0 /usr/local/bin/spamdyke -f
>>>> /etc/spamdyke.conf /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd
>>>> /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw
>>>> /var/qmail/bin/true
>>>> ------------ my xinetd.d config for smtp_psa ---------
>>>> _______________________________________________
>>>> spamdyke-users mailing list
>>>> [email protected]
>>>> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
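
Added example, not part of the original thread and not spamdyke's own code: a parser for the multi-line EHLO reply that checks whether an AUTH line is advertised, run on the reply from the telnet session quoted above. The second reply, with AUTH lines, is constructed for comparison, and the function names are illustrative.

```python
import re

# Reply copied from the telnet session quoted in the thread (no AUTH line).
EHLO_FROM_THREAD = (
    "250-myserver.mydomain.com\r\n"
    "250-STARTTLS\r\n"
    "250-PIPELINING\r\n"
    "250 8BITMIME\r\n"
)
# Constructed for comparison: the same server advertising SMTP AUTH.
EHLO_WITH_AUTH = (
    "250-myserver.mydomain.com\r\n"
    "250-AUTH LOGIN CRAM-MD5 PLAIN\r\n"
    "250-AUTH=LOGIN CRAM-MD5 PLAIN\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_ehlo(reply):
    """Return {KEYWORD: set(parameters)} for a complete 250 EHLO reply."""
    lines = reply.splitlines()
    if not lines:
        raise ValueError("empty reply")
    caps = {}
    for index, line in enumerate(lines):
        match = REPLY_LINE.match(line)
        if not match or match.group(1) != "250":
            raise ValueError("not a 250 reply line: %r" % line)
        is_last = index == len(lines) - 1
        if (match.group(2) == " ") != is_last:
            raise ValueError("bad continuation marker: %r" % line)
        if index == 0:
            continue  # first line carries the server name, not a keyword
        text = match.group(3).upper()
        if text.startswith("AUTH="):  # older "AUTH=" spelling of the keyword
            text = "AUTH " + text[5:]
        keyword, _, params = text.partition(" ")
        caps.setdefault(keyword, set()).update(params.split())
    return caps

def auth_mechanisms(reply):
    """Sorted SASL mechanisms the server offers; empty means no SMTP AUTH."""
    return sorted(parse_ehlo(reply).get("AUTH", set()))

if __name__ == "__main__":
    print("thread reply:", auth_mechanisms(EHLO_FROM_THREAD))
    print("with AUTH:   ", auth_mechanisms(EHLO_WITH_AUTH))
```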
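
Added example, not part of the original thread and not code from qmail, Plesk or spamdyke: a minimal program following the checkpassword interface described in the quoted reply, plus a model of why cmd5checkpw never starts when both pairs are given as one command. The credentials are constructed, only a plain password comparison is modelled, and treating smtp_auth and cmd5checkpw as interface-following checkers is an assumption.

```python
import hmac
import os
import sys

USERS = {"michael": "constructed-password"}   # constructed demo credentials
CHECKERS = {"smtp_auth", "cmd5checkpw"}       # assumed to follow the interface

def parse_fd3(data):
    """Split the descriptor-3 payload: login NUL password NUL timestamp NUL."""
    fields = data.split(b"\0")
    if len(data) > 512 or len(fields) < 4:
        raise ValueError("expected three NUL-terminated fields in <= 512 bytes")
    return tuple(f.decode("utf-8", "replace") for f in fields[:3])

def check(data, users=USERS):
    """Return the exit status: 0 accepted, 1 rejected, 2 misused."""
    try:
        login, password, _timestamp = parse_fd3(data)
    except ValueError:
        return 2
    expected = users.get(login, "")
    # Constant-time comparison, performed for unknown logins as well.
    same = hmac.compare_digest(expected.encode(), password.encode())
    return 0 if login in users and same else 1

def started_programs(argv):
    """List the programs that start when every password check succeeds.

    A checker execs the rest of its argv; any other program (such as
    "true") ignores its arguments, so the chain ends there.
    """
    started = []
    while argv:
        started.append(argv[0])
        if os.path.basename(argv[0]) not in CHECKERS:
            break
        argv = argv[1:]
    return started

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(2)                        # misuse: no program to run on success
    with os.fdopen(3, "rb") as fd3:        # the caller supplies descriptor 3
        status = check(fd3.read(513))
    if status:
        sys.exit(status)
    os.execvp(sys.argv[1], sys.argv[1:])   # success: become the next program
```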
