[email protected] wrote:
> Quoting "Eric Shubert" <[email protected]>:
>>
>> To be clear about this, the symptom/result of this bug is defunct
>> qmail-spamd processes. Their parents are spamdyke processes that are
>> waiting for "TLS ended and closed" events that never occur. This is
>> typically after a TIMEOUT error message that is issued after any one of
>> the spamdyke DENIED_* rejections. Killing the parent spamdyke processes
>> clears things up effectively.
>
>
> I may change my mind about this :-/
>
> (I do hate making myself look like an idiot)
>
> The attached patch adds a timeout on STARTTLS, if idle-timeout-secs is set.

Does this patch activate a timeout that affects all (subsequent) read commands? If not, it won't solve the problem. spamdyke usually hangs long after the STARTTLS when it does, and the STARTTLS is successful. So even with this patch, using TLS with no idle-timeout-secs setting leaves a server vulnerable. Is there some way of requiring an idle-timeout-secs value when TLS is used? Perhaps giving it a relatively high (300) default? If nothing else, --config-test should at least give a warning when TLS is in use and there's no idle-timeout-secs setting. Personally, I'd like to see the idle-timeout-secs setting activated by default.

> You may get some offset warnings from patch, but that's because I have
> other patches installed.
>
> AFAICT, other SSL usage is fine (quick check), but I'll have another
> look at some point.
>
> Apologies for doubting you.
>
> -trog
>

Thanks for your work on this, trog. It took me a while as well to realize this is a bug.

Patch applied ok, but compile gave:

tls.c: In function ‘tls_start’:
tls.c:325: warning: suggest explicit braces to avoid ambiguous ‘else’

I added braces in accordance with indentation.

After running the patched version a while, still getting defunct processes. :(
I double checked that it's running the patched version (I made it 4.0.10a in the config).

I should mention that this host is running CentOS 4.6, with openssl-0.9.7a-43.17.el4_7.2. I did see the problem with CentOS5 though, on a server with much less activity.

Several QMT users are reporting that they're seeing this problem as well.

What next?

--
-Eric 'shubes'

_______________________________________________
spamdyke-users mailing list
[email protected]
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
