Running the config test gave me some ERRORS. I added access-file and local-domains-file to my config file in order to remove some of them. Here is my result but remember I was root.
:/etc# /usr/local/bin/spamdyke -l -f /etc/spamdyke-smtps.conf --config-test-smtpauth-username user --config-test-smtpauth-password password --config-test /usr/sbin/qmail-smtpd 2>&1
spamdyke 4.0.10+TLS+CONFIGTEST+DEBUG (C)2008 Sam Clippinger, samc (at) silence (dot) org
http://www.spamdyke.org/
Use -h for an option summary or see README.html for complete option details.

Testing configuration...

WARNING: Running tests as superuser root(0), group root(0). These test results may not be valid if the mail server runs as another user.
SUCCESS: spamdyke binary (/usr/local/bin/spamdyke) is not owned by root and/or is not marked setuid.
INFO: Running command to test capabilities: /usr/sbin/qmail-smtpd
SUCCESS: /usr/sbin/qmail-smtpd does not appear to offer TLS support. spamdyke will offer, intercept and decrypt TLS traffic.
SUCCESS: /usr/sbin/qmail-smtpd does not appear to offer SMTP AUTH support. spamdyke will offer and process authentication.
INFO(access-file): Testing file read: /etc/spam-relays
SUCCESS(access-file): Opened for reading: /etc/spam-relays
INFO(config-file): Testing file read: /etc/spamdyke-smtps.conf
SUCCESS(config-file): Opened for reading: /etc/spamdyke-smtps.conf
INFO(local-domains-file): Testing file read: /etc/qmail/rcpthosts
SUCCESS(local-domains-file): Opened for reading: /etc/qmail/rcpthosts
INFO(smtp-auth-level): Examining authentication command: /usr/bin/chkpw.sh /bin/true
ERROR(smtp-auth-level): File is not executable: /usr/bin/chkpw.sh: Owner permissions apply but owner executable bit is not set

Is this not good enough?
>> -rwSr-x--- 1 root qmaild 38 2009-09-24 21:26 chkpw.sh

INFO(smtp-auth-level): Running authentication command with unencrypted input: /usr/bin/chkpw.sh /bin/true
SUCCESS(smtp-auth-level): Authentication succeeded with unencrypted input: /usr/bin/chkpw.sh /bin/true
INFO(smtp-auth-level): Running authentication command with encrypted input: /usr/bin/chkpw.sh /bin/true
ERROR: authentication failure (bad username/password, vchkpw uses this to indicate SMTP access is not allowed): user
ERROR(smtp-auth-level): Authentication failed with encrypted input: /usr/bin/chkpw.sh /bin/true

Is that a problem? I am using unencrypted login.

INFO(tls-certificate-file): Testing TLS by initializing SSL/TLS library with certificate and key
SUCCESS(tls-certificate-file): Opened for reading: /etc/ssl/certs/stunnel.pem
SUCCESS(tls-certificate-file): Certificate and key loaded; SSL/TLS library successfully initialized
ERROR: Tests complete. Errors detected.

When spamdyke runs as qmaild, my mail client tells me that the connection was closed, and in /var/log/mail.info I get

Sep 25 17:36:01 alleservices spamdyke[12289]: ERROR: unable to load SSL/TLS certificate from file: /etc/ssl/certs/stunnel.pem : The operation failed due to an I/O error, Unexpected EOF found, error:0200100D:lib(2):func(1):reason(13), error:20074002:lib(32):func(116):reason(2), error:140DC002:lib(20):func(220):reason(2)
Sep 25 17:36:01 alleservices spamdyke[12289]: ERROR: incorrect SSL/TLS private key password or SSL/TLS certificate/privatekey mismatch/etc/ssl/certs/stunnel.pem : A protocol or library failure occurred, error:140A80B1:lib(20):func(168):reason(177)
Sep 25 17:36:01 alleservices spamdyke[12289]: ERROR: unable to initialize SSL/TLS library
Sep 25 17:36:01 alleservices spamdyke[12289]: ERROR: unable to start SMTPS because TLS support is not available or an SSL/TLS certificate is not available; closing connection

These are very much the same errors I get if stunnel.pem is wrongly generated (e.g. missing certificate).

----- Original Message -----
From: "Sam Clippinger" <[email protected]>
To: "spamdyke users" <[email protected]>
Sent: Friday, September 25, 2009 5:54 PM
Subject: Re: [spamdyke-users] I can hardly make a SMTPS connection


> OK, I guess I'll bite... why can't you replace `id -u root` with `id -u qmaild`?
> Do you get errors? Does it crash? Does it malfunction? I really want to
> help, but you're not giving enough information to work with.
>
> Have you tried running spamdyke's "config-test" feature to look for
> problems?
>
> -- Sam Clippinger
>
> David Bo Jensen wrote:
>> I solved the problem with
>>
>> server:/# cat /etc/spamdyke-smtps.conf
>> log-level=verbose
>> tls-level=smtps
>> tls-certificate-file=/etc/ssl/certs/stunnel.pem
>> filter-level=require-auth
>> smtp-auth-level=ondemand
>> smtp-auth-command=/usr/bin/chkpw.sh /bin/true
>> relay-level=normal
>>
>> Please notice the "filter-level". Furthermore I have
>>
>> server:/etc# cat tcp.smtps
>> :allow,RELAYCLIENT=""
>>
>> However I have another issue. First look at
>>
>> server:/etc/ssl/certs# ls -la stunnel.pem
>> -rw-r----- 1 root qmaild 2402 2009-09-23 10:03 stunnel.pem
>>
>> and /usr/bin
>> -rwxr-xr-x 1 root root 12360 2007-06-30 11:52 checkpassword
>> -rwSr-x--- 1 root qmaild 38 2009-09-24 21:26 chkpw.sh
>>
>> chkpw.sh is a wrapper for checkpassword.
>>
>> In /etc/init.d/qmail
>>
>> sh -c "start-stop-daemon --start --quiet --user qmaild \
>>     --pidfile /var/run/tcpserver_smtpsd.pid --make-pidfile \
>>     --exec /usr/bin/tcpserver -- -R -H \
>>     -u `id -u root` -g `id -g nobody` -x /etc/tcp.smtps.cdb 0 smtps \
>>     $rblsmtpd2 /usr/sbin/qmail-smtpd 2>&1 \
>>     | $logger &"
>>
>> ($rblsmtpd2 is spamdyke; see the whole file below.)
>> I cannot replace `id -u root` with `id -u qmaild`. Why? It would be nice if
>> spamdyke didn't have to run with root permissions for SSL connections.
>> I am using debian etch 2.6.18.
>> Please also notice my other thread about missing logging for authentication.
>>
>> server:/usr/bin# cat /etc/init.d/qmail
>> #!/bin/bash
>> #
>> # /etc/init.d/qmail : start or stop the qmail mail subsystem.
>> #
>> # Written by Christian Hudon <[email protected]>
>> # Currently maintained by Jon Marler <[email protected]>
>> #
>> # Configuration
>> #
>>
>>
>> # set default delivery method
>>
>> #alias_empty="|/usr/sbin/qmail-procmail" # procmail delivery to /var/spool/mail
>> alias_empty="./Maildir/" # This uses qmail preferred ~/Maildir/ directory
>>                          # You may want to maildirmake /etc/skel/Maildir
>> #alias_empty="./Mailbox" # This uses Mailbox file in users $HOME
>>
>> logger="splogger qmail 2" # facility mail == 2
>> #logger="|accustamp >>/var/log/qmail.log" # If you have accustamp installed.
>> #logger=">>/var/log/qmail.log" # Does not give timing info.
>>
>> # If you uncommented one of the lines that appends to /var/log/qmail.log, you
>> # need to uncomment the following two lines.
>> #touch /var/log/qmail.log
>> #chown qmaill /var/log/qmail.log
>>
>> # If you want to use one or more of the Relay Black Lists, uncomment
>> # the appropriate lines.
>>
>> rblmsg=
>> rblsmtpd="/usr/local/bin/spamdyke -l -f /etc/spamdyke.conf"
>> rblsmtpd2="/usr/local/bin/spamdyke -l -f /etc/spamdyke-smtps.conf"
>> #rblmsg=" (with rblsmtpd)"
>> #rblsmtpd="/usr/bin/rblsmtpd -r list.dsbl.org -r relays.ordb.org"
>>
>> #
>> # End of configuration
>> #
>>
>> test -x /usr/sbin/qmail-start || exit 0
>> test -x /usr/sbin/qmail-send || exit 0
>>
>> case "$1" in
>>   start)
>>     echo -n "Starting mail-transfer agent: qmail" $rblmsg
>>     sh -c "start-stop-daemon --start --quiet --user qmails \
>>         --exec /usr/sbin/qmail-send \
>>         --startas /usr/sbin/qmail-start -- \"$alias_empty\" $logger &"
>>     # prevent denial-of-service attacks, with ulimit
>>     ulimit -v 16384
>>     sh -c "start-stop-daemon --start --quiet --user qmaild \
>>         --pidfile /var/run/tcpserver_smtpd.pid --make-pidfile \
>>         --exec /usr/bin/tcpserver -- -R -H \
>>         -u `id -u qmaild` -g `id -g nobody` -x /etc/tcp.smtp.cdb 0 smtp \
>>         $rblsmtpd /usr/sbin/qmail-smtpd 2>&1 \
>>         | $logger &"
>>
>>     sh -c "start-stop-daemon --start --quiet --user qmaild \
>>         --pidfile /var/run/tcpserver_smtpsd.pid --make-pidfile \
>>         --exec /usr/bin/tcpserver -- -R -H \
>>         -u `id -u root` -g `id -g nobody` -x /etc/tcp.smtps.cdb 0 smtps \
>>         $rblsmtpd2 /usr/sbin/qmail-smtpd 2>&1 \
>>         | $logger &"
>>
>>
>>
>>     #Uncomment the following lines to automatically start the pop3 server
>>     sh -c "start-stop-daemon --start --quiet --user root \
>>         --pidfile /var/run/tcpserver_pop3d.pid --make-pidfile \
>>         --exec /usr/bin/tcpserver -- -R -H \
>>         0 pop-3 /usr/sbin/qmail-popup `hostname`.`dnsdomainname` \
>>         /usr/bin/checkpassword /usr/sbin/qmail-pop3d Maildir &"
>>
>>     sh -c "start-stop-daemon --start --quiet --user root \
>>         --pidfile /var/run/tcpserver_pop3sd.pid --make-pidfile \
>>         --exec /usr/bin/tcpserver -- -R -H \
>>         0 995 /usr/bin/stunnel -f -l /usr/sbin/qmail-popup -- qmail-popup `hostname`.`dnsdomainname` \
>>         /usr/bin/checkpassword /usr/sbin/qmail-pop3d Maildir &"
>>
>>     echo "."
>>     ;;
>>   stop)
>>     echo -n "Stopping mail-transfer agent: qmail" $rblmsg
>>     if [ "`pidof /usr/sbin/qmail-send`" ] ; then
>>       start-stop-daemon --user qmails --stop --quiet --oknodo --exec /usr/sbin/qmail-send
>>       start-stop-daemon --user qmaild --stop --quiet --oknodo --pidfile /var/run/tcpserver_smtpd.pid --exec /usr/bin/tcpserver
>>       start-stop-daemon --user qmaild --stop --quiet --oknodo --pidfile /var/run/tcpserver_smtpsd.pid --exec /usr/bin/tcpserver
>>       # Uncomment the following line if you have enabled the pop3 server
>>       start-stop-daemon --user root --stop --quiet --oknodo --pidfile /var/run/tcpserver_pop3d.pid --exec /usr/bin/tcpserver
>>       start-stop-daemon --user root --stop --quiet --oknodo --pidfile /var/run/tcpserver_pop3sd.pid --exec /usr/bin/tcpserver
>>       # Wait until the timeout for qmail processes to die.
>>       count=120
>>       numdots=0
>>       while ([ $count != 0 ]) do
>>         let count=$count-1
>>         if [ "`pidof /usr/sbin/qmail-send`" ] ; then
>>           echo -n .
>>           let numdots=$numdots+1
>>           sleep 1
>>         else
>>           count=0
>>         fi
>>       done
>>
>>       # If it's not dead yet, kill it.
>>       # if [ "`pidof /usr/sbin/qmail-send`" ] ; then
>>       #   echo -n " TIMEOUT!"
>>       #   kill -KILL `pidof /usr/sbin/qmail-send`
>>       # else
>>       case $numdots in
>>         0) echo "." ;;
>>         1) echo ;;
>>         *) echo " done." ;;
>>       esac
>>       # fi
>>     else
>>       echo " not running.";
>>     fi
>>
>>     ;;
>>   restart)
>>     $0 stop
>>     $0 start
>>     ;;
>>   cdb)
>>     echo "Rebuilding tcp.smtp.cdb."
>>     cd /etc
>>     tcprules tcp.smtp.cdb tcp.smtp.temp < tcp.smtp
>>     ;;
>>   flush)
>>     /usr/sbin/qmail-tcpok
>>     start-stop-daemon --stop --quiet --oknodo --signal ALRM --exec /usr/sbin/qmail-send
>>     echo "Queue flushed."
>>     ;;
>>   stat)
>>     /usr/sbin/qmail-qread
>>     /usr/sbin/qmail-qstat
>>     ;;
>>   reload|force-reload)
>>     echo "Reloading 'locals' and 'virtualdomains' control files."
>>     start-stop-daemon --stop --quiet --oknodo --signal HUP --exec /usr/sbin/qmail-send
>>     ;;
>>   *)
>>     echo 'Usage: /etc/init.d/qmail {start|stop|stat|cdb|restart|reload}'
>>     exit 1
>> esac
>>
>> exit 0
>>
>>
>> ----- Original Message -----
>> From: "Sam Clippinger" <[email protected]>
>> To: "spamdyke users" <[email protected]>
>> Sent: Friday, September 25, 2009 5:34 AM
>> Subject: Re: [spamdyke-users] I can hardly make a SMTPS connection
>>
>>
>>> I don't think I understand enough about your setup to answer this
>>> question. Could you post your full startup script and full spamdyke
>>> configuration file? Also, what operating system and version are you
>>> using? Have you tried running spamdyke's "config-test" feature? Is
>>> spamdyke logging any errors?
>>>
>>> -- Sam Clippinger
>>>
>>> David Bo Jensen wrote:
>>>
>>>> It seems to be a client (I am using Outlook express) issue; changing the
>>>> port to 465 and removing unlinit somewhat solved the issue.
>>>>
>>>> But in I have
>>>> grep spamdyke /var/log/mail.info
>>>> Sep 22 07:46:17 server spamdyke[4311]: ALLOWED from: [email protected] to: [email protected] origin_ip: 127.0.0.1 origin_rdns: (unknown) auth: (unknown)
>>>>
>>>> It doesn't ask for authentication; 127.0.0.1 is enveloped in the ssl
>>>> protocol. In fact in many cases users will be able to use my server as an open
>>>> relay. That is not what I intended.
>>>>
>>>>
>>
>

_______________________________________________
spamdyke-users mailing list
[email protected]
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
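The SMTPS start line quoted above launches tcpserver with `-u ... -g \`id -g nobody\``, so whichever user is picked with -u, the daemon runs with group nobody, and the files spamdyke then has to open are owned root:qmaild (stunnel.pem is -rw-r-----, chkpw.sh is -rwSr-x---). The script below is an added example, not from the thread or from spamdyke: it applies the kernel's owner/group/other rule to an "ls -l" mode string so the two listed files can be checked as the exact uid/gid pairs config-test and the startup script actually use. The function names and the use of GNU stat are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from spamdyke. Given an "ls -l" mode
# string, the file's owner and group, and the user and group a daemon runs as,
# decide whether that identity may read or execute the file. The kernel picks
# exactly one permission class: owner if the uid matches, else group if the gid
# matches, else other. Root is not treated specially on purpose: the point is
# to test the unprivileged identity, which is what config-test warns about.

# can_access MODE OWNER GROUP USER USERGROUP NEED   (NEED is r or x)
# Prints "ok: ..." or "denied: ..." and returns 0 or 1 (2 on bad arguments).
can_access() {
    mode=$1 owner=$2 group=$3 user=$4 ugroup=$5 need=$6
    [ ${#mode} -eq 10 ] || { echo "bad mode string: $mode" >&2; return 2; }
    rest=${mode#?}                          # drop the file-type character
    if [ "$user" = "$owner" ]; then
        cls=owner; bits=${rest%??????}      # first three characters
    elif [ "$ugroup" = "$group" ]; then
        cls=group; t=${rest#???}; bits=${t%???}
    else
        cls=other; bits=${rest#??????}      # last three characters
    fi
    case $need in
        r) c=${bits%??} ;;                  # read is the first of the three
        x) c=${bits#??} ;;                  # execute is the third
        *) echo "NEED must be r or x" >&2; return 2 ;;
    esac
    case $need$c in
        rr|xx|xs|xt) echo "ok: $cls class applies and grants $need"; return 0 ;;
        xS|xT) echo "denied: $cls class applies; capital $c = setuid/sticky flag without execute bit"; return 1 ;;
        *) echo "denied: $cls class applies and lacks $need"; return 1 ;;
    esac
}

# check_file PATH USER USERGROUP NEED: the same test against a real file
# (GNU stat, as on Debian).
check_file() {
    info=$(stat -c '%A %U %G' "$1") || return 2
    set -- $info "$2" "$3" "$4"             # MODE OWNER GROUP USER USERGROUP NEED
    can_access "$@"
}

# The two files from the thread (values copied from the quoted "ls -la" lines),
# as config-test ran (root:root) and as the startup script runs tcpserver
# ("-u qmaild -g nobody"), with qmaild:qmaild for comparison. "|| :" keeps a
# denied verdict from aborting the loop under "set -e".
demo_thread_files() {
    for spec in '-rwSr-x--- root qmaild root root x' \
                '-rwSr-x--- root qmaild qmaild qmaild x' \
                '-rw-r----- root qmaild qmaild nobody r' \
                '-rw-r----- root qmaild qmaild qmaild r'; do
        printf '%s -> ' "$spec"; can_access $spec || :
    done
}
if [ "${1:-}" = demo ]; then demo_thread_files; fi
```

Run it as `sh check.sh demo` to print the four verdicts; `check_file /etc/ssl/certs/stunnel.pem qmaild nobody r` runs the same test against the real file.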
