On 06/26/2013 07:11 AM, Faris Raouf wrote:
> This is a bit of a long message and is on a topic that has been discussed a few times in the past - sorry
>
> I’ve just installed spamdyke on a particular server. Unlike every other spamdyke installation I’ve ever done, this one is generating various TLS errors when receiving mail via TLS connections.
>
> There is nothing unusual about this server. Like the rest of the spamdyke-enabled machines I deal with, it uses Plesk 10.4.4, Plesk’s qmail implementation, and qmail-scanner. It does use Centos 5 as opposed to Centos 6 though.
>
> The error messages vary from connection to connection, but are usually one or more of the following:
>
> ERROR: unable to write to SSL/TLS stream: The operation failed due to an I/O error, Connection reset by peer
>
> ERROR: unable to read from SSL/TLS stream: The operation failed due to an I/O error, Unexpected EOF found
>
> ERROR: unable to read from SSL/TLS stream: The connection was unexpectedly ended/closed
>
> The last error is one that I can generate at will by sending a message from one of my other qmail-based servers to this problem server.
>
> In all the tests that I’ve done from my server to the problem server, the email in question does arrive in the recipient’s mailbox. For the other two types of error, all I know for sure is that the email does at least get to qmail-scanner for spam/virus checking and it does seem to be arriving in the recipient’s mailbox (but I have not absolutely made sure it happens on every occasion).
>
> (Qmail-scanner works via a wrapper around the normal qmail-whateveritis file, and rejects messages at what I refer to as the “MTA level” – i.e. it rejects while the sending server is still connected, just like spamdyke, as opposed to accepting the email then processing it and later dropping it if the message is considered spam or contains a virus)
>
> I’ve read every thread I could find via google where people have been having various spamdyke TLS issues in the past, but there didn’t seem to be a conclusive suggestion or solution – at least not one I could find. The posts mentioning TLS errors also seemed to be slightly different to my issue, in that email didn’t seem to be arriving in the recipient’s mailbox (I think).
>
> Given that this list is populated with people who live and breathe qmail and spamdyke, and that I might have missed a vital post from the past, I was hoping someone could offer some advice on this issue.
>
> Thanks,
>
> Faris.
>
> ** additional info **
>
> In the process of writing this email, I did discover why this server is acting differently to all the others:
>
> When a TLS connection happens on the other servers, I see this:
>
> encryption: TLS_PASSTHROUGH
>
> But on the problem server, I see this:
>
> encryption: TLS
>
> This is VERY interesting. TLS_PASSTHROUGH means the client started a TLS with qmail, not spamdyke, and explains why the other servers don’t generate any spamdyke tls errors. Exactly why there is this difference in the way TLS is handled is a mystery to investigate another day, I think.
>
> **
>
> using --config-test gives a clean bill of health, including the qmail .pem certificate location.
>
> tls-certificate-file=/var/qmail/control/servercert.pem
>
> (this is the only tls-related option I have added in spamdyke.conf)
>
> I’m using exactly the same config in both spamdyke.conf and /etc/xinetd/smtp[s]_psa for all servers.
>
> log-level=debug gives no additional useful info compared to verbose
>
> The certificate in use is an expired self-signed certificate (there was some talk that TLS errors might be caused by the certificate in some past posts I found, but this possibility seems to have been discounted in the end, I think?)
Please answer for both new and existing servers. What is the tls-level you have in the configuration file? Are you certain that spamdyke was built with TLS support? Of course, something must be different between the old and new. Keep hunting. Might also check library versions. Was spamdyke built on the errant host, or perhaps copied from another host which has different OpenSSL library versions?

-- 
-Eric 'shubes'

_______________________________________________
spamdyke-users mailing list
[email protected]
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
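To make the log observations in this thread easier to act on, here is an added triage script (not spamdyke's own code; the surrounding log line format is constructed, only the `encryption:` values and ERROR texts quoted above are taken from the thread). It counts whether sessions show `encryption: TLS` (spamdyke terminating TLS itself) or `TLS_PASSTHROUGH` (qmail terminating it) and buckets the three error messages, so the two kinds of server can be told apart from a log excerpt.

```python
import re
from collections import Counter

# Constructed sample log lines (not captured from a real server); the line prefix is
# made up, but the "encryption:" tags and ERROR strings match those quoted in the thread.
SAMPLE_LOG = """\
DEBUG: session from 192.0.2.10 encryption: TLS_PASSTHROUGH
DEBUG: session from 192.0.2.11 encryption: TLS
ERROR: unable to read from SSL/TLS stream: The connection was unexpectedly ended/closed
DEBUG: session from 192.0.2.12 encryption: TLS
ERROR: unable to write to SSL/TLS stream: The operation failed due to an I/O error, Connection reset by peer
DEBUG: session from 192.0.2.13 encryption: TLS
ERROR: unable to read from SSL/TLS stream: The operation failed due to an I/O error, Unexpected EOF found
"""

ENCRYPTION_RE = re.compile(r"encryption:\s*(\S+)")
ERROR_RE = re.compile(r"ERROR: unable to (read from|write to) SSL/TLS stream: (.*)")

def classify_error(detail):
    """Map the free-text tail of a spamdyke TLS error onto a short category."""
    d = detail.lower()
    if "unexpectedly ended" in d:
        return "peer_closed"      # peer dropped the connection without a TLS shutdown
    if "unexpected eof" in d:
        return "eof"              # TCP stream ended in the middle of a TLS record
    if "connection reset" in d:
        return "tcp_reset"        # RST from the peer while spamdyke was writing
    return "other"

def triage(log_text):
    """Return encryption-mode counts, error counts (direction:category) and a verdict."""
    modes, errors = Counter(), Counter()
    for line in log_text.splitlines():
        m = ENCRYPTION_RE.search(line)
        if m:
            modes[m.group(1)] += 1
            continue
        e = ERROR_RE.search(line)
        if e:
            direction = e.group(1).split()[0]          # "read" or "write"
            errors[f"{direction}:{classify_error(e.group(2))}"] += 1
    # spamdyke's own SSL-layer errors can only appear when it terminates TLS ("encryption: TLS");
    # with TLS_PASSTHROUGH the handshake belongs to qmail and spamdyke just relays bytes.
    if modes["TLS"]:
        verdict = "spamdyke terminates TLS on this host; SSL/TLS stream errors come from its own SSL layer"
    else:
        verdict = "all TLS sessions are passthrough to qmail; spamdyke TLS errors are not expected"
    return {"modes": dict(modes), "errors": dict(errors), "verdict": verdict}
```

Run `triage(open("/var/log/maillog").read())` (path is an assumption) against a real excerpt; a host whose sessions are all TLS_PASSTHROUGH but still logs these errors is worth a second look at where the lines are actually coming from.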
