This is a bit of a long message and is on a topic that has been discussed a
few times in the past - sorry :(

 

I've just installed spamdyke on a particular server. Unlike every other
spamdyke installation I've ever done, this one is generating various TLS
errors when receiving mail via TLS connections. 

 

There is nothing unusual about this server. Like the rest of the
spamdyke-enabled machines I deal with, it uses Plesk 10.4.4, Plesk's qmail
implementation, and qmail-scanner. It does use CentOS 5 as opposed to CentOS
6 though.

 

The error messages vary from connection to connection, but are usually one
or more of the following:

ERROR: unable to write to SSL/TLS stream: The operation failed due to an I/O error, Connection reset by peer

ERROR: unable to read from SSL/TLS stream: The operation failed due to an I/O error, Unexpected EOF found

ERROR: unable to read from SSL/TLS stream: The connection was unexpectedly ended/closed

 

The last error is one that I can generate at will by sending a message from
one of my other qmail-based servers to this problem server.

 

In all the tests that I've done from my server to the problem server, the
email in question does arrive in the recipient's mailbox. For the other two
types of error, all I know for sure is that the email does at least get to
qmail-scanner for spam/virus checking and it does seem to be arriving in the
recipient's mailbox (but I have not absolutely made sure it happens on every
occasion).

 

(Qmail-scanner works via a wrapper around the normal qmail-whateveritis
file, and rejects messages at what I refer to as the "MTA level" - i.e. it
rejects while the sending server is still connected, just like spamdyke, as
opposed to accepting the email then processing it and later dropping it if
the message is considered spam or contains a virus)

 

I've read every thread I could find via google where people have been having
various spamdyke TLS issues in the past, but there didn't seem to be a
conclusive suggestion or solution - at least not one I could find. The posts
mentioning TLS errors also seemed to be slightly different to my issue, in
that email didn't seem to be arriving in the recipient's mailbox (I think).

 

Given that this list is populated with people who live and breathe qmail and
spamdyke, and that I might have missed a vital post from the past, I was
hoping someone could offer some advice on this issue.

 

Thanks,

 

Faris.

 

 

** additional info ** 

 

In the process of writing this email, I did discover why this server is
acting differently to all the others:

 

When a TLS connection happens on the other servers, I see this:

encryption: TLS_PASSTHROUGH

But on the problem server, I see this:

encryption: TLS

 

This is VERY interesting. TLS_PASSTHROUGH means the client started a TLS
session with qmail, not spamdyke, and explains why the other servers don't
generate any spamdyke TLS errors. Exactly why there is this difference in the
way TLS is handled is a mystery to investigate another day, I think.

 

**

 

Using --config-test gives a clean bill of health, including the qmail .pem
certificate location.

 

tls-certificate-file=/var/qmail/control/servercert.pem 

(this is the only tls-related option I have added in spamdyke.conf)

 

I'm using exactly the same config in both spamdyke.conf and
/etc/xinetd/smtp[s]_psa for all servers.

 

log-level=debug gives no additional useful info compared to verbose.

 

The certificate in use is an expired self-signed certificate (there was some
talk that TLS errors might be caused by the certificate in some past posts I
found, but this possibility seems to have been discounted in the end, I
think?)
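Added here as an illustration (this is not code from the post or from spamdyke): a small Python script that reads spamdyke log lines, records each session's "encryption:" mode, joins the SSL/TLS stream errors to their session by the logged PID, and reports which host had spamdyke negotiating TLS itself ("TLS") versus passing it through to qmail ("TLS_PASSTHROUGH"). The layout of the sample log lines is a constructed assumption; only the encryption values and the error texts are taken from the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (an assumption about line layout; only the
# "encryption:" values and the ERROR texts are taken from the post).
SAMPLE_LOG = """\
server-a spamdyke[101]: ALLOWED from: a@example.org to: b@example.com encryption: TLS_PASSTHROUGH
server-a spamdyke[102]: ALLOWED from: c@example.org to: b@example.com encryption: TLS_PASSTHROUGH
server-b spamdyke[201]: ALLOWED from: a@example.org to: b@example.com encryption: TLS
server-b spamdyke[201]: ERROR: unable to read from SSL/TLS stream: The connection was unexpectedly ended/closed
server-b spamdyke[202]: ERROR: unable to write to SSL/TLS stream: The operation failed due to an I/O error, Connection reset by peer
server-b spamdyke[202]: ALLOWED from: d@example.org to: b@example.com encryption: TLS
server-b spamdyke[203]: ALLOWED from: e@example.org to: b@example.com encryption: (none)
"""

ENC_RE = re.compile(r"^(?P<host>\S+) spamdyke\[(?P<pid>\d+)\]: .*\bencryption: (?P<mode>\S+)")
ERR_RE = re.compile(r"^(?P<host>\S+) spamdyke\[(?P<pid>\d+)\]: ERROR: "
                    r"(?P<msg>unable to (?:read from|write to) SSL/TLS stream: .*)$")

def summarize(log_text):
    """Per host: how often each encryption mode was logged, and how many
    SSL/TLS stream errors belong to sessions in each mode (joined on PID)."""
    mode_of = {}                      # (host, pid) -> encryption mode
    errors = []                       # (host, pid, message)
    summary = defaultdict(lambda: {"modes": Counter(), "errors_by_mode": Counter()})
    for line in log_text.splitlines():
        m = ENC_RE.match(line)
        if m:
            mode_of[(m["host"], m["pid"])] = m["mode"]
            summary[m["host"]]["modes"][m["mode"]] += 1
            continue
        e = ERR_RE.match(line)
        if e:
            errors.append((e["host"], e["pid"], e["msg"]))
    # Second pass: an ERROR line may precede its session's ALLOWED/DENIED line.
    for host, pid, _msg in errors:
        summary[host]["errors_by_mode"][mode_of.get((host, pid), "UNKNOWN")] += 1
    return dict(summary)

def spamdyke_terminates_tls(summary, host):
    """True when spamdyke itself negotiated TLS on this host ("TLS"), the case
    the post links to the stream errors; "TLS_PASSTHROUGH" means the client
    negotiated TLS with qmail and spamdyke only relayed the encrypted bytes."""
    return summary[host]["modes"]["TLS"] > 0

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for host, info in sorted(result.items()):
        print(host, dict(info["modes"]), dict(info["errors_by_mode"]),
              "spamdyke terminates TLS" if spamdyke_terminates_tls(result, host) else "qmail terminates TLS")
```

On the sample, every stream error lands on sessions whose mode is "TLS", and none on the passthrough host, which is the pattern the post describes.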

 

 

_______________________________________________
spamdyke-users mailing list
[email protected]
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
