You're right that whitelisting and authentication have no effect on the relay 
filter.  spamdyke allows relaying in three situations: when the RELAYCLIENT 
environment variable is set, when /etc/tcp.smtp has a matching rule that sets 
RELAYCLIENT or when a spamdyke option allows relaying.  So... have you compared 
the /etc/tcp.smtp file on the two servers?  I'd bet there's a line on the "can 
send" server that sets RELAYCLIENT for localhost connections and the "can't 
send" server doesn't have it (note spamdyke does not read this file itself; its 
CDB version is probably being read by tcp-env).

It's been quite a while since I've worked with Plesk but I seem to remember 
that option is set within the Plesk admin interface.  It'd be a good idea to 
change it there -- otherwise if you change it on disk, it'll probably just get 
overwritten the next time Plesk saves a change.

-- Sam Clippinger




On Oct 3, 2016, at 7:58 AM, Faris Raouf via spamdyke-users 
<spamdyke-users@spamdyke.org> wrote:

> Dear all,
>  
> I’m absolutely confounded by a problem I’m having after upgrading five 
> systems from Spamdyke 4.3.1 to 5.0.1
>  
> On two of them, webmail (running locally, connecting from 127.0.0.1 to 
> 127.0.0.1 port 25 via smtp, no authentication) works fine and can send 
> messages.
>  
> On the other three, spamdyke spits out a RELAYING_DENIED and blocks the 
> connection from 127.0.0.1 when trying to send messages.
>  
> --------------
> Oct  3 12:07:38 hostnameredacted spamdyke[4927]: FILTER_RDNS_MISSING ip: 127.0.0.1
> Oct  3 12:07:38 hostnameredacted spamdyke[4927]: FILTER_WHITELIST_IP ip: 127.0.0.1 file: /etc/spamdyke.d/whitelist_ip(6)
> Oct  3 12:07:38 hostnameredacted spamdyke[4927]: FILTER_RELAYING
> Oct  3 12:07:38 hostnameredacted spamdyke[4927]: DENIED_RELAYING from: (the rest redacted)
> ----------------
>  
>  
> All four systems use Plesk, which has 127.0.0.1 whitelisted for email – no 
> authentication is required for connections from that IP.
>  
> I have read the upgrade notes, which explain that IPs that are whitelisted in 
> the ip whitelist (or whatever) file are no longer automatically also allowed 
> to relay, and obviously that’s at the heart of the problem in some way.
>  
> What I cannot fathom is why two would work, and three would not. They are all 
> pretty much identical in every way that I can think of. Same CentOS 6, same 
> versions of pretty much everything, very few differences anywhere.
>  
> None of them have any form of relay or smtp auth settings in spamdyke.conf. 
> All of them do have 127.0.0.1 whitelisted in the ip whitelist file – not that 
> it makes any difference in 5.0.1 of course.
>  
> Everything is controlled via smtp_psa file via xinetd
>  
> (stuff)
>         server          = /var/qmail/bin/tcp-env
>         server_args     = -Rt0 /usr/local/bin/spamdyke -f /etc/spamdyke.d/spamdyke.conf /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
>  
>  
> So, to resolve the problem, in theory all I have to do is add 
> ip-relay-entry=127.0.0.1 and indeed that does solve the problem.
>  
> I presume that’s safe enough, given that we do want anything in localhost to 
> be able to send email without authenticating?
>  
> Is this a common setting?
>  
> But I feel I must get to the bottom of why some work, and some don’t, out of 
> the box. It seems bonkers, and indicative of something else that might be 
> wrong.
> None of the boxes are accidental open relays. Authentication is most 
> definitely required to send to non-local addresses.
>  
> At one point I suspected it might have something to do with the webmail 
> configuration, but I can’t find any differences at all. They are all set to 
> use smtp to connect to port 25 with no authentication.
>  
>  
> In the hope that someone may spot an error in my config files, here is one 
> from a server where webmail can send, and another from a server where webmail 
> cannot send.
>  
> (--config-tests throws no errors on either of them)
> (I do not know what I have qmail-rcpthosts / qmail-morercpthosts.cdb set but 
> they had been set when using 4.3.1 using the old syntax so I thought I’d 
> bring them over since I knew that configuration worked)
>  
> *****************
>  
> CAN SEND:
>  
> log-level=info
> qmail-rcpthosts-file=/var/qmail/control/rcpthosts
>  
> max-recipients=5
> idle-timeout-secs=60
> greeting-delay-secs=11
>  
> ip-blacklist-file=/etc/spamdyke.d/blacklist_ip
> sender-blacklist-file=/etc/spamdyke.d/blacklist_sender
> rdns-blacklist-file=/etc/spamdyke.d/blacklist_rdns
> recipient-blacklist-file=/etc/spamdyke.d/blacklist_recipient
>  
> ip-whitelist-file=/etc/spamdyke.d/whitelist_ip
> rdns-whitelist-file=/etc/spamdyke.d/whitelist_rdns
> recipient-whitelist-file=/etc/spamdyke.d/whitelist_recipient
> sender-whitelist-file=/etc/spamdyke.d/whitelist_sender
>  
> tls-certificate-file=/var/qmail/control/servercert.pem
> tls-level=smtp
>  
> config-dir-search=all-recipient
> config-dir=/etc/spamdyke.d/configdir
> config-dir=/etc/spamdyke.d/individuals
> config-dir=/var/qmail/conf.d
> #configs in the above directories are recipient-based only and enable/disable dns blacklists and reject-empty-rdns type things
>  
> dns-blacklist-entry=zen.spamhaus.org
> dns-blacklist-entry=bl.spamcop.net
>  
> reject-empty-rdns
>  
>  
>  
>  
> ************************************
>  
> CANNOT SEND
>  
> log-level=verbose
> qmail-rcpthosts-file=/var/qmail/control/rcpthosts
> qmail-morercpthosts-cdb=/var/qmail/control/morercpthosts.cdb
> #*** I have tried removing the above two lines – makes no difference to webmail sending
>  
>  
> max-recipients=5
> idle-timeout-secs=60
> greeting-delay-secs=6
>  
> ip-blacklist-file=/etc/spamdyke.d/blacklist_ip
> sender-blacklist-file=/etc/spamdyke.d/blacklist_sender
> rdns-blacklist-file=/etc/spamdyke.d/blacklist_rdns
> recipient-blacklist-file=/etc/spamdyke.d/blacklist_recipient
>  
> ip-whitelist-file=/etc/spamdyke.d/whitelist_ip
> rdns-whitelist-file=/etc/spamdyke.d/whitelist_rdns
> recipient-whitelist-file=/etc/spamdyke.d/whitelist_recipient
> sender-whitelist-file=/etc/spamdyke.d/whitelist_sender
>  
> tls-certificate-file=/var/qmail/control/servercert.pem
> tls-level=smtp
>  
> dns-blacklist-entry=zen.spamhaus.org
> dns-blacklist-entry=bl.spamcop.net
> dns-blacklist-entry=b.barracudacentral.org
> reject-empty-rdns=1
> reject-unresolvable-rdns=1
>  
> config-dir=/etc/spamdyke.d/configdir
> config-dir=/etc/spamdyke.d/individuals
> #configs in the above two are recipient-based only and enable/disable dns blacklists and reject-empty-rdns type things.
>  
> config-dir-search=all-recipient
>  
> *****************
>  
>  
>  
>  
>  
>  
>  
> _______________________________________________
> spamdyke-users mailing list
> spamdyke-users@spamdyke.org
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
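
The comparison suggested in the reply above, as an added example (not part of either message, and not spamdyke or Plesk code): a Python sketch that reads tcprules-format text such as the contents of /etc/tcp.smtp and reports whether the rule matching a client IP sets RELAYCLIENT. The two sample rule files are constructed; the parser assumes IPv4 address rules only and variable values that contain no commas.

```python
import re

# Constructed sample rule files in tcprules source format (not from the thread).
CAN_SEND = '''127.0.0.1:allow,RELAYCLIENT=""
:allow
'''
CANNOT_SEND = '''192.168.0-1.:allow,RELAYCLIENT=""
:allow
'''

def parse_rules(text):
    """Map each rule address to (action, env) from tcprules source text."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, instr = line.partition(":")
        action, *assigns = instr.split(",")  # assumption: no commas in values
        env = {}
        for item in assigns:
            name, _, value = item.partition("=")
            env[name] = value[1:-1]          # first/last char are the delimiter
        # Expand a trailing numeric range such as 1.2.3.37-53 or 10.2-3.
        m = re.fullmatch(r"(.*?)(\d+)-(\d+)(\.?)", addr)
        addrs = ([f"{m[1]}{n}{m[4]}" for n in range(int(m[2]), int(m[3]) + 1)]
                 if m else [addr])
        for a in addrs:
            rules.setdefault(a, (action, env))  # the first rule for an address wins
    return rules

def lookup(ip, rules):
    """Return (address, action, env) of the first matching rule, trying the
    exact IP, then shorter dotted prefixes, then the default (empty) rule."""
    parts = ip.split(".")
    candidates = [ip] + [".".join(parts[:n]) + "." for n in (3, 2, 1)] + [""]
    for addr in candidates:
        if addr in rules:
            return (addr, *rules[addr])
    return None

def allows_relay(ip, text):
    """True if the matching rule accepts the connection and sets RELAYCLIENT."""
    hit = lookup(ip, parse_rules(text))
    return bool(hit) and hit[1] == "allow" and "RELAYCLIENT" in hit[2]
```

Calling `allows_relay("127.0.0.1", text)` with the file contents from each server shows whether the localhost rule differs between them.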
