> The executable error is occurring because the script is marked setuid
> instead of just executable. The message is incorrect -- I'll fix it in
> the next version. However (IIRC), I don't believe the setuid bit has
> any effect on scripts in Linux environments.

You are right, but instead of a script I used a copy of checkpassword and got a similar result. Please see my new thread.
> The encrypted authentication failure is not a problem, as long as your
> spamdyke configuration doesn't specify encryption in the
> "smtp-auth-level" option.
>
> spamdyke's "config-test" didn't find any problems with your TLS
> certificate but you're getting TLS errors when spamdyke actually runs...
> this looks like a permission problem to me. Try running spamdyke's
> "config-test" feature again with the "run-as-user" flag to force
> spamdyke to use the qmaild user instead. spamdyke will likely report it
> can't access the certificate file.
> Please see my new thread
> -- Sam Clippinger
>
> David Bo Jensen wrote:
>> Running the config test gave me some ERRORS. I added access-file and
>> local-domains-file to my config file
>> in order to remove some of them. Here is my result but remember I was root.
>>
>> :/etc# /usr/local/bin/spamdyke -l -f
>> /etc/spamdyke-smtps.conf --config-test-smtpauth-username
>> user --config-test-smtpauth-password password --config-test
>> /usr/sbin/qmail-smtpd 2>&1
>> spamdyke 4.0.10+TLS+CONFIGTEST+DEBUG (C)2008 Sam Clippinger, samc (at)
>> silence (dot) org
>> http://www.spamdyke.org/
>>
>> Use -h for an option summary or see README.html for complete option details.
>>
>> Testing configuration...
>> WARNING: Running tests as superuser root(0), group root(0). These test
>> results may not be valid if the mail server runs as another user.
>> SUCCESS: spamdyke binary (/usr/local/bin/spamdyke) is not owned by root
>> and/or is not marked setuid.
>> INFO: Running command to test capabilities: /usr/sbin/qmail-smtpd
>> SUCCESS: /usr/sbin/qmail-smtpd does not appear to offer TLS support.
>> spamdyke will offer, intercept and decrypt TLS traffic.
>> SUCCESS: /usr/sbin/qmail-smtpd does not appear to offer SMTP AUTH support.
>> spamdyke will offer and process authentication.
>> INFO(access-file): Testing file read: /etc/spam-relays
>> SUCCESS(access-file): Opened for reading: /etc/spam-relays
>> INFO(config-file): Testing file read: /etc/spamdyke-smtps.conf
>> SUCCESS(config-file): Opened for reading: /etc/spamdyke-smtps.conf
>> INFO(local-domains-file): Testing file read: /etc/qmail/rcpthosts
>> SUCCESS(local-domains-file): Opened for reading: /etc/qmail/rcpthosts
>> INFO(smtp-auth-level): Examining authentication command: /usr/bin/chkpw.sh /bin/true
>> ERROR(smtp-auth-level): File is not executable: /usr/bin/chkpw.sh: Owner
>> permissions apply but owner executable bit is not set
>> Is this not good enough?
>>
>>>> -rwSr-x--- 1 root qmaild 38 2009-09-24 21:26 chkpw.sh
>>>>
>>
>> INFO(smtp-auth-level): Running authentication command with unencrypted
>> input: /usr/bin/chkpw.sh /bin/true
>> SUCCESS(smtp-auth-level): Authentication succeeded with unencrypted input:
>> /usr/bin/chkpw.sh /bin/true
>> INFO(smtp-auth-level): Running authentication command with encrypted input:
>> /usr/bin/chkpw.sh /bin/true
>> ERROR: authentication failure (bad username/password, vchkpw uses this to
>> indicate SMTP access is not allowed): user
>> ERROR(smtp-auth-level): Authentication failed with encrypted input:
>> /usr/bin/chkpw.sh /bin/true
>> Is that a problem? I am using unencrypted login
>>
>> INFO(tls-certificate-file): Testing TLS by initializing SSL/TLS library with
>> certificate and key
>> SUCCESS(tls-certificate-file): Opened for reading: /etc/ssl/certs/stunnel.pem
>> SUCCESS(tls-certificate-file): Certificate and key loaded; SSL/TLS library
>> successfully initialized
>> ERROR: Tests complete. Errors detected.
>>
>> When spamdyke runs as qmaild, my mail client tells me that the connection
>> was closed and in /var/log/mail.info I get
>>
>> Sep 25 17:36:01 alleservices spamdyke[12289]: ERROR: unable to load SSL/TLS
>> certificate from file: /etc/ssl/certs/stunnel.pem : The operation failed due
>> to an I/O error, Unexpected EOF found,
>> error:0200100D:lib(2):func(1):reason(13),
>> error:20074002:lib(32):func(116):reason(2),
>> error:140DC002:lib(20):func(220):reason(2)
>> Sep 25 17:36:01 alleservices spamdyke[12289]: ERROR: incorrect SSL/TLS
>> private key password or SSL/TLS certificate/privatekey
>> mismatch/etc/ssl/certs/stunnel.pem : A protocol or library failure occurred,
>> error:140A80B1:lib(20):func(168):reason(177)
>> Sep 25 17:36:01 alleservices spamdyke[12289]: ERROR: unable to initialize
>> SSL/TLS library
>> Sep 25 17:36:01 alleservices spamdyke[12289]: ERROR: unable to start SMTPS
>> because TLS support is not available or an SSL/TLS certificate is not
>> available; closing connection
>>
>> This is very much the same errors I get if stunnel.pem is wrongly generated.
>> (ex. missing certificate)
>>
>> ----- Original Message -----
>> From: "Sam Clippinger" <[email protected]>
>> To: "spamdyke users" <[email protected]>
>> Sent: Friday, September 25, 2009 5:54 PM
>> Subject: Re: [spamdyke-users] I can hardly make a SMTPS connection
>>
>>> OK, I guess I'll bite... why can't you replace `id -u root` with `id -u
>>> qmaild`? Do you get errors? Does it crash? Does it malfunction? I
>>> really want to help, but you're not giving enough information to work
>>> with.
>>>
>>> Have you tried running spamdyke's "config-test" feature to look for
>>> problems?
>>>
>>> -- Sam Clippinger
>>>
>>> David Bo Jensen wrote:
>>>
>>>> I solved the problem with
>>>>
>>>> server:/# cat /etc/spamdyke-smtps.conf
>>>> log-level=verbose
>>>> tls-level=smtps
>>>> tls-certificate-file=/etc/ssl/certs/stunnel.pem
>>>> filter-level=require-auth
>>>> smtp-auth-level=ondemand
>>>> smtp-auth-command=/usr/bin/chkpw.sh /bin/true
>>>> relay-level=normal
>>>>
>>>> please notice the "filter-level", furthermore I have
>>>>
>>>> server:/etc# cat tcp.smtps
>>>> :allow,RELAYCLIENT=""
>>>>
>>>> However I have another issue. First look at
>>>>
>>>> server:/etc/ssl/certs# ls -la stunnel.pem
>>>> -rw-r----- 1 root qmaild 2402 2009-09-23 10:03 stunnel.pem
>>>>
>>>> and /usr/bin
>>>> -rwxr-xr-x 1 root root 12360 2007-06-30 11:52 checkpassword
>>>> -rwSr-x--- 1 root qmaild 38 2009-09-24 21:26 chkpw.sh
>>>>
>>>> chkpw.sh is a wrapper for checkpassword
>>>>
>>>> In /etc/init.d/qmail
>>>>
>>>> sh -c "start-stop-daemon --start --quiet --user qmaild \
>>>>     --pidfile /var/run/tcpserver_smtpsd.pid --make-pidfile \
>>>>     --exec /usr/bin/tcpserver -- -R -H \
>>>>     -u `id -u root` -g `id -g nobody` -x /etc/tcp.smtps.cdb 0 smtps \
>>>>     $rblsmtpd2 /usr/sbin/qmail-smtpd 2>&1 \
>>>>     | $logger &"
>>>>
>>>> ($rblsmtpd2 is spamdyke, see the whole file below.)
>>>> I cannot replace `id -u root` with `id -u qmaild`, why? It would be nice
>>>> if spamdyke didn't have to run with root permissions for SSL connections.
>>>> I am using debian etch 2.6.18. Please also notice my other thread about
>>>> missing logging for authentication.
>>>>
>>>> server:/usr/bin# cat /etc/init.d/qmail
>>>> #!/bin/bash
>>>> #
>>>> # /etc/init.d/qmail : start or stop the qmail mail subsystem.
>>>> #
>>>> # Written by Christian Hudon <[email protected]>
>>>> # Currently maintained by Jon Marler <[email protected]>
>>>> #
>>>> # Configuration
>>>> #
>>>>
>>>> # set default delivery method
>>>>
>>>> #alias_empty="|/usr/sbin/qmail-procmail"  # procmail delivery to /var/spool/mail
>>>> alias_empty="./Maildir/"                  # This uses qmail preferred ~/Maildir/ directory
>>>>                                           # You may want to maildirmake /etc/skel/Maildir
>>>> #alias_empty="./Mailbox"                  # This uses Mailbox file in users $HOME
>>>>
>>>> logger="splogger qmail 2"                 # facility mail == 2
>>>> #logger="|accustamp >>/var/log/qmail.log" # If you have accustamp installed.
>>>> #logger=">>/var/log/qmail.log"            # Does not give timing info.
>>>>
>>>> # If you uncommented one of the lines that appends to /var/log/qmail.log, you
>>>> # need to uncomment the following two lines.
>>>> #touch /var/log/qmail.log
>>>> #chown qmaill /var/log/qmail.log
>>>>
>>>> # If you want to use one or more of the Relay Black Lists, uncomment
>>>> # the appropriate lines.
>>>>
>>>> rblmsg=
>>>> rblsmtpd="/usr/local/bin/spamdyke -l -f /etc/spamdyke.conf"
>>>> rblsmtpd2="/usr/local/bin/spamdyke -l -f /etc/spamdyke-smtps.conf"
>>>> #rblmsg=" (with rblsmtpd)"
>>>> #rblsmtpd="/usr/bin/rblsmtpd -r list.dsbl.org -r relays.ordb.org"
>>>>
>>>> #
>>>> # End of configuration
>>>> #
>>>>
>>>> test -x /usr/sbin/qmail-start || exit 0
>>>> test -x /usr/sbin/qmail-send || exit 0
>>>>
>>>> case "$1" in
>>>>   start)
>>>>     echo -n "Starting mail-transfer agent: qmail" $rblmsg
>>>>     sh -c "start-stop-daemon --start --quiet --user qmails \
>>>>         --exec /usr/sbin/qmail-send \
>>>>         --startas /usr/sbin/qmail-start -- \"$alias_empty\" $logger &"
>>>>     # prevent denial-of-service attacks, with ulimit
>>>>     ulimit -v 16384
>>>>     sh -c "start-stop-daemon --start --quiet --user qmaild \
>>>>         --pidfile /var/run/tcpserver_smtpd.pid --make-pidfile \
>>>>         --exec /usr/bin/tcpserver -- -R -H \
>>>>         -u `id -u qmaild` -g `id -g nobody` -x /etc/tcp.smtp.cdb 0 smtp \
>>>>         $rblsmtpd /usr/sbin/qmail-smtpd 2>&1 \
>>>>         | $logger &"
>>>>
>>>>     sh -c "start-stop-daemon --start --quiet --user qmaild \
>>>>         --pidfile /var/run/tcpserver_smtpsd.pid --make-pidfile \
>>>>         --exec /usr/bin/tcpserver -- -R -H \
>>>>         -u `id -u root` -g `id -g nobody` -x /etc/tcp.smtps.cdb 0 smtps \
>>>>         $rblsmtpd2 /usr/sbin/qmail-smtpd 2>&1 \
>>>>         | $logger &"
>>>>
>>>>     #Uncomment the following lines to automatically start the pop3 server
>>>>     sh -c "start-stop-daemon --start --quiet --user root \
>>>>         --pidfile /var/run/tcpserver_pop3d.pid --make-pidfile \
>>>>         --exec /usr/bin/tcpserver -- -R -H \
>>>>         0 pop-3 /usr/sbin/qmail-popup `hostname`.`dnsdomainname` \
>>>>         /usr/bin/checkpassword /usr/sbin/qmail-pop3d Maildir &"
>>>>
>>>>     sh -c "start-stop-daemon --start --quiet --user root \
>>>>         --pidfile /var/run/tcpserver_pop3sd.pid --make-pidfile \
>>>>         --exec /usr/bin/tcpserver -- -R -H \
>>>>         0 995 /usr/bin/stunnel -f -l /usr/sbin/qmail-popup -- qmail-popup `hostname`.`dnsdomainname` \
>>>>         /usr/bin/checkpassword /usr/sbin/qmail-pop3d Maildir &"
>>>>
>>>>     echo "."
>>>>     ;;
>>>>   stop)
>>>>     echo -n "Stopping mail-transfer agent: qmail" $rblmsg
>>>>     if [ "`pidof /usr/sbin/qmail-send`" ] ; then
>>>>       start-stop-daemon --user qmails --stop --quiet --oknodo --exec /usr/sbin/qmail-send
>>>>       start-stop-daemon --user qmaild --stop --quiet --oknodo --pidfile /var/run/tcpserver_smtpd.pid --exec /usr/bin/tcpserver
>>>>       start-stop-daemon --user qmaild --stop --quiet --oknodo --pidfile /var/run/tcpserver_smtpsd.pid --exec /usr/bin/tcpserver
>>>>       # Uncomment the following line if you have enabled the pop3 server
>>>>       start-stop-daemon --user root --stop --quiet --oknodo --pidfile /var/run/tcpserver_pop3d.pid --exec /usr/bin/tcpserver
>>>>       start-stop-daemon --user root --stop --quiet --oknodo --pidfile /var/run/tcpserver_pop3sd.pid --exec /usr/bin/tcpserver
>>>>       # Wait until the timeout for qmail processes to die.
>>>>       count=120
>>>>       numdots=0
>>>>       while ([ $count != 0 ]) do
>>>>         let count=$count-1
>>>>         if [ "`pidof /usr/sbin/qmail-send`" ] ; then
>>>>           echo -n .
>>>>           let numdots=$numdots+1
>>>>           sleep 1
>>>>         else
>>>>           count=0
>>>>         fi
>>>>       done
>>>>
>>>>       # If it's not dead yet, kill it.
>>>>       # if [ "`pidof /usr/sbin/qmail-send`" ] ; then
>>>>       #   echo -n " TIMEOUT!"
>>>>       #   kill -KILL `pidof /usr/sbin/qmail-send`
>>>>       # else
>>>>       case $numdots in
>>>>         0) echo "." ;;
>>>>         1) echo ;;
>>>>         *) echo " done." ;;
>>>>       esac
>>>>       # fi
>>>>     else
>>>>       echo " not running.";
>>>>     fi
>>>>
>>>>     ;;
>>>>   restart)
>>>>     $0 stop
>>>>     $0 start
>>>>     ;;
>>>>   cdb)
>>>>     echo "Rebuilding tcp.smtp.cdb."
>>>>     cd /etc
>>>>     tcprules tcp.smtp.cdb tcp.smtp.temp < tcp.smtp
>>>>     ;;
>>>>   flush)
>>>>     /usr/sbin/qmail-tcpok
>>>>     start-stop-daemon --stop --quiet --oknodo --signal ALRM --exec /usr/sbin/qmail-send
>>>>     echo "Queue flushed."
>>>>     ;;
>>>>   stat)
>>>>     /usr/sbin/qmail-qread
>>>>     /usr/sbin/qmail-qstat
>>>>     ;;
>>>>   reload|force-reload)
>>>>     echo "Reloading 'locals' and 'virtualdomains' control files."
>>>>     start-stop-daemon --stop --quiet --oknodo --signal HUP --exec /usr/sbin/qmail-send
>>>>     ;;
>>>>   *)
>>>>     echo 'Usage: /etc/init.d/qmail {start|stop|stat|cdb|restart|reload}'
>>>>     exit 1
>>>> esac
>>>>
>>>> exit 0
>>>>
>>>> ----- Original Message -----
>>>> From: "Sam Clippinger" <[email protected]>
>>>> To: "spamdyke users" <[email protected]>
>>>> Sent: Friday, September 25, 2009 5:34 AM
>>>> Subject: Re: [spamdyke-users] I can hardly make a SMTPS connection
>>>>
>>>>> I don't think I understand enough about your setup to answer this
>>>>> question. Could you post your full startup script and full spamdyke
>>>>> configuration file? Also, what operating system and version are you
>>>>> using? Have you tried running spamdyke's "config-test" feature? Is
>>>>> spamdyke logging any errors?
>>>>>
>>>>> -- Sam Clippinger
>>>>>
>>>>> David Bo Jensen wrote:
>>>>>
>>>>>> It seems to be a client (I am using Outlook express) issue; changing the
>>>>>> port to 465 and removing unlinit somewhat solved the issue.
>>>>>>
>>>>>> But in I have
>>>>>> grep spamdyke /var/log/mail.info
>>>>>> Sep 22 07:46:17 server spamdyke[4311]: ALLOWED from: [email protected]
>>>>>> to: [email protected] origin_ip: 127.0.0.1 origin_rdns: (unknown) auth: (unknown)
>>>>>>
>>>>>> It doesn't ask for authentication; 127.0.0.1 is enveloped in the ssl
>>>>>> protocol. In fact in many cases users will be able to use my server as
>>>>>> open relay.
>>>>>> That is not what I intended.
>>>>>>
>>>> _______________________________________________
>>>> spamdyke-users mailing list
>>>> [email protected]
>>>> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
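The config-test verdict quoted in this thread ("Owner permissions apply but owner executable bit is not set") follows from the POSIX rule that exactly one permission class is consulted: owner bits if the caller owns the file, otherwise group bits if the caller is in the file's group, otherwise the "other" bits, with no fall-through. The checker below is an added illustration written for this page; it is not spamdyke's code and not part of the thread. It applies that rule to the two `ls -la` lines quoted above (`chkpw.sh` and `stunnel.pem`). The user names and group memberships passed to it are constructed scenarios: config-test run as root, the same files seen by `qmaild` as a member of group `qmaild`, and the certificate seen by a process whose only group is `nobody`.

```shell
#!/bin/sh
# Added example (not spamdyke code): apply the POSIX permission-class rule
# that config-test reports ("Owner permissions apply ...") to ls -la lines.
# The ls lines below are the ones quoted in the thread; the user/group
# memberships passed to the functions are constructed for illustration.

# perm_class MODE OWNER GROUP USER "USER_GROUPS"
# Prints which triplet applies: owner, group or other. Only ONE class is
# used: an owner who lacks a bit does not fall through to the group bits.
perm_class() {
    if [ "$4" = "$2" ]; then
        echo owner
        return 0
    fi
    for g in $5; do
        if [ "$g" = "$3" ]; then
            echo group
            return 0
        fi
    done
    echo other
}

# triplet MODE CLASS  ->  the three permission characters for CLASS
# MODE is the 10-character string from ls, e.g. -rwSr-x---
triplet() {
    case "$2" in
        owner) printf '%s\n' "$1" | cut -c2-4 ;;
        group) printf '%s\n' "$1" | cut -c5-7 ;;
        other) printf '%s\n' "$1" | cut -c8-10 ;;
    esac
}

# can_read / can_exec MODE OWNER GROUP USER "USER_GROUPS"  ->  yes | no
can_read() {
    case "$(triplet "$1" "$(perm_class "$@")")" in
        r??) echo yes ;;
        *)   echo no ;;
    esac
}

can_exec() {
    # 'x' or 's' in the third column means the execute bit is set;
    # a capital 'S' means setuid/setgid is set but execute is NOT
    # (the chkpw.sh case in the thread).
    case "$(triplet "$1" "$(perm_class "$@")")" in
        ??x|??s) echo yes ;;
        *)       echo no ;;
    esac
}

# check_file USER "USER_GROUPS" "LS_LINE"
# Parses one "ls -la" line (mode links owner group size date time name)
# and prints a one-line verdict in the style of config-test.
check_file() {
    user=$1
    ugroups=$2
    set -- $3
    mode=$1; owner=$3; group=$4; name=$8
    class=$(perm_class "$mode" "$owner" "$group" "$user" "$ugroups")
    printf '%s as %s: %s permissions apply, read=%s exec=%s\n' \
        "$name" "$user" "$class" \
        "$(can_read "$mode" "$owner" "$group" "$user" "$ugroups")" \
        "$(can_exec "$mode" "$owner" "$group" "$user" "$ugroups")"
}

# Listings quoted in the thread.
CHKPW_LINE='-rwSr-x--- 1 root qmaild 38 2009-09-24 21:26 chkpw.sh'
PEM_LINE='-rw-r----- 1 root qmaild 2402 2009-09-23 10:03 stunnel.pem'

# Constructed scenarios: config-test run as root, the same file seen by
# qmaild (member of group qmaild), and the certificate seen by a process
# whose only group is nobody.
check_file root   ''       "$CHKPW_LINE"
check_file qmaild 'qmaild' "$CHKPW_LINE"
check_file qmaild 'qmaild' "$PEM_LINE"
check_file nobody 'nobody' "$PEM_LINE"
```

Run as root, `chkpw.sh` is evaluated against its owner bits `rwS`, and the capital `S` is `ls`'s way of showing setuid set with the owner execute bit clear, so the file is not executable for its owner even though the group bits `r-x` would let `qmaild` run it; that is exactly the split between the config-test run as root and a run with `run-as-user`. On Linux a root process bypasses read and write checks, but executing a file still requires at least one execute bit to be set, so the execute verdict for root is the real one. For `stunnel.pem`, `-rw-r----- root qmaild` is readable by `qmaild` only through the group bits, so the check only passes if the spamdyke process actually carries the `qmaild` group, which is worth verifying when tcpserver is started with `-g \`id -g nobody\`` as in the init script above.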
