The "tls-level" option isn't strictly necessary in most setups; it defaults to "tls" when a certificate is given.
From what you're saying, it looks like your other servers definitely don't have TLS/SSL support compiled into spamdyke, so they can't do anything but pass the TLS traffic through to qmail. Those servers must be missing the OpenSSL header files or static libraries, otherwise the "configure" script would have added TLS support automatically.

Given the errors you're seeing, I'd bet the problem is an SSL/non-SSL conflict. In other words, either spamdyke is speaking SSL and the client is not, or the client is speaking SSL and spamdyke is not.

On my Plesk servers, my smtps_psa script doesn't start spamdyke directly; it starts stunnel instead to handle the SSL. When spamdyke starts, it sees only the unencrypted traffic. (I can't remember if I set it up this way or if stunnel was part of the default install, it's been too long now.)

If your smtps_psa file starts stunnel, then make sure the spamdyke command (in stunnel's config file) does not use SSL (i.e. make sure to remove "tls-level=smtps"). If your smtps_psa file simply starts spamdyke like your smtp_psa file does, then you need to add the "tls-level=smtps" option to use SSL for incoming connections.

If none of that makes any sense, try enabling the "full-log-dir" option on this new server and capturing the output from one of these broken connections. In that file, you should be able to see the traffic that is being sent from one end to the other to determine who is sending encrypted data and who is sending plaintext.

-- Sam Clippinger

On Jun 26, 2013, at 3:10 PM, Faris Raouf wrote:

>>
>> Please answer for both new and existing servers.
>>
>> What is the tls-level you have in the configuration file?
>
> None at all -- as in I don't have a tls-level option set on any system.
> Given the way things behave, I'm assuming the default is smtp? I can't tell
> from the docs.
>
> On this issue, is it necessary to specifically specify smtps (note the s)
> for the service that listens on port 465?
> The way Plesk does things is to have two separate services (or whatever they
> are called): smtp_psa (listening on port 25) and smtps_psa (465) run via
> xinetd. Currently, both have the same spamdyke config being used so both are
> using whatever the default really is.
>
> I will try manually specifying smtp to start with to see if it makes any
> difference, but I'm guessing it won't. I'll report back on this.
>
>
>
>> Are you certain that spamdyke was built with TLS support?
>
> Having checked, the server causing me problems says "spamdyke
> 4.3.1+TLS+CONFIGTEST+DEBUG" while the ones that don't (i.e. the
> "TLS_PASSTHOUGH" ones) say "spamdyke 4.3.1+CONFIGTEST+DEBUG" so I think that
> proves those other ones didn't have the required libraries and basically
> aren't going to do TLS. Thank you for this pointer. Excellent!
>
> So, that brings us back to the main problem of WHY I'm seeing the errors:
>
> ERROR: unable to write to SSL/TLS stream: The operation failed due to an I/O
> error, Connection reset by peer
> ERROR: unable to read from SSL/TLS stream: The operation failed due to an
> I/O error, Unexpected EOF found
> ERROR: unable to read from SSL/TLS stream: The connection was unexpectedly
> ended/closed
>
> I wonder if it is a result of qmail-scanner's interaction with the data
> stream in some way? I take it nobody else gets them, and since qmail-scanner
> isn't widely used by people in this list, I may be out of luck for an easy
> "just do this" answer :-)
>
> I'll see if I can remove qmail-scanner temporarily without totally breaking
> things. I fear it is not as simple as it might be.
>
> Thank you for your input -- it has been really useful and has got me looking
> in places I didn't think of looking :-) :-)
>
>
>
> _______________________________________________
> spamdyke-users mailing list
> [email protected]
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
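
The SSL/non-SSL conflict described in the reply above shows up in the first bytes spamdyke receives from the client. As an added example (not part of the thread and not spamdyke code), this Python classifies those bytes as a TLS record or plaintext SMTP and compares the result with the configured tls-level. The function names and sample byte strings are constructed for illustration, and extracting the bytes from a "full-log-dir" capture is assumed to be done by hand.

```python
import struct

# Commands a plaintext SMTP client may send first, plus the 3-digit reply form.
SMTP_VERBS = (b"EHLO", b"HELO", b"STARTTLS", b"MAIL", b"RCPT", b"QUIT", b"NOOP", b"RSET")

def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'smtp' or 'unknown' for the first bytes one side sent."""
    # TLS record header: content type (1 byte), version (2 bytes), length (2 bytes).
    if len(data) >= 5:
        ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
        # 22 = handshake record; major version 3 covers SSLv3 through TLS 1.3.
        if ctype == 22 and major == 3 and minor <= 4 and 0 < length <= 16384:
            return "tls"
    head = data[:10].upper()
    is_reply = data[:3].isdigit() and data[3:4] in (b" ", b"-")
    if head.startswith(SMTP_VERBS) or is_reply:
        return "smtp"
    return "unknown"

def diagnose(tls_level: str, seen_by_spamdyke: bytes) -> str:
    """Compare what spamdyke expects at connect time with what it received.

    Only "smtps" is treated as "expect SSL immediately", as in the thread;
    any other value is treated as "expect plaintext first".
    """
    expects_tls = tls_level == "smtps"
    kind = classify_first_bytes(seen_by_spamdyke)
    if kind == "unknown":
        return "inconclusive"
    if expects_tls and kind == "smtp":
        return "mismatch: spamdyke expects SSL, client sent plaintext"
    if not expects_tls and kind == "tls":
        return "mismatch: client sent SSL, spamdyke expects plaintext"
    return "consistent"

# Constructed samples: start of a TLS handshake record and a plaintext greeting.
SAMPLE_TLS = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B])
SAMPLE_SMTP = b"EHLO mail.example.test\r\n"

if __name__ == "__main__":
    # stunnel in front (spamdyke sees plaintext) but tls-level=smtps left in place:
    print(diagnose("smtps", SAMPLE_SMTP))
    # spamdyke started directly on port 465 without tls-level=smtps:
    print(diagnose("smtp", SAMPLE_TLS))
```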
