On 06/26/2013 01:10 PM, Faris Raouf wrote:
>>
>> Please answer for both new and existing servers.
>>
>> What is the tls-level you have in the configuration file?
>
> None at all -- as in I don't have a tls-level option set on any system.
> Given the way things behave, I'm assuming the default is smtp? I can't tell
> from the docs.
While the docs don't specify a default value, I think no value is the default.
The doc says:

  spamdyke supports TLS in several ways. First, with no TLS options given,
  spamdyke will identify a TLS conversation and simply pass the data back and
  forth between qmail and the remote client. In this mode, spamdyke cannot read
  the SMTP data (obviously -- it's encrypted). This prevents some of its filters
  from functioning, including graylisting, sender and recipient blacklisting,
  limiting the number of recipients, checking the sender's domain name for an
  MX record and relaying.

>
> On this issue, is it necessary to specifically specify smtps (note the s)
> for the service that listens on port 465?

I believe so.

> The way Plesk does things is to have two separate services (or whatever they
> are called): smtp_psa (listening on port 25) and smtps_psa (465) run via
> xinetd. Currently, both have the same spamdyke config being used so both are
> using whatever the default really is.

I don't use Plesk, but I believe you need a separate config to run smtps.

> I will try manually specifying smtp to start with to see if it makes any
> difference, but I'm guessing it won't. I'll report back on this.
>

FWIW, here's what I use (no 465 in my world though):

tls-certificate-file=/var/qmail/control/servercert.pem
tls-level=smtp

>> Are you certain that spamdyke was built with TLS support?
>
> Having checked, the server causing me problems says "spamdyke
> 4.3.1+TLS+CONFIGTEST+DEBUG" while the ones that don't (i.e. the
> "TLS_PASSTHROUGH" ones) say "spamdyke 4.3.1+CONFIGTEST+DEBUG" so I think that
> proves those other ones didn't have the required libraries and basically
> aren't going to do TLS. Thank you for this pointer.

Excellent! Right on. Unless of course your version of qmail-smtpd has the TLS
patch and is handling it.
> So, that brings us back to the main problem of WHY I'm seeing the errors:
>
> ERROR: unable to write to SSL/TLS stream: The operation failed due to an I/O
> error, Connection reset by peer
> ERROR: unable to read from SSL/TLS stream: The operation failed due to an
> I/O error, Unexpected EOF found
> ERROR: unable to read from SSL/TLS stream: The connection was unexpectedly
> ended/closed
>
> I wonder if it is a result of qmail-scanner's interaction with the data
> stream in some way? I take it nobody else gets them, and since qmail-scanner
> isn't widely used by people in this list, I may be out of luck for an easy
> "just do this" answer :-)

Perhaps so. I'm not familiar with how qmail-scanner is invoked. Don't let that
deter you though.

> I'll see if I can remove qmail-scanner temporarily without totally breaking
> things. I fear it is not as simple as it might be.

Worth a shot.

> Thank you for your input -- it has been really useful and has got me looking
> in places I didn't think of looking :-)

:-) Certainly. Glad to help. Every little thing we do to help ourselves also
helps Sam, which I think everyone agrees is a good thing. :)

-- 
-Eric 'shubes'

_______________________________________________
spamdyke-users mailing list
[email protected]
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
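Added example, not part of the thread and not spamdyke's own code: a small Python checker that takes a spamdyke version banner of the form quoted above and a spamdyke config, and reports whether TLS sessions will be decrypted (so the filters run) or merely passed through (so the filters the docs list go blind). It assumes the banner format and the blind-filter list exactly as quoted in the thread; tls-level values are passed through unchanged rather than interpreted, and the sample banner and config are constructed.

```python
import re

# Banner format quoted in the thread ("spamdyke 4.3.1+TLS+CONFIGTEST+DEBUG"): each "+NAME" is a compile-time feature.
VERSION_RE = re.compile(r"^spamdyke\s+(\d+(?:\.\d+)*)((?:\+[A-Z_]+)*)$")

# Filters the spamdyke docs (quoted above) say cannot work while spamdyke only shuttles encrypted bytes.
BLIND_IN_PASSTHROUGH = (
    "graylisting", "sender and recipient blacklisting", "recipient-count limits",
    "sender domain MX check", "relaying",
)

def parse_version(banner):
    """Return (version, set of '+' features) from a spamdyke version banner."""
    m = VERSION_RE.match(banner.strip())
    if not m:
        raise ValueError("not a spamdyke version banner: %r" % banner)
    return m.group(1), set(m.group(2).split("+")) - {""}

def parse_config(text):
    """Parse key=value lines of a spamdyke config file; '#' lines are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def tls_assessment(banner, config_text):
    """Decide whether spamdyke will decrypt TLS sessions (filters run) or pass them through (filters blind)."""
    _, features = parse_version(banner)
    conf = parse_config(config_text)
    has_cert = "tls-certificate-file" in conf
    if "TLS" not in features:
        reason = "binary built without TLS support"
    elif "tls-level" not in conf:
        reason = "tls-level not set, so no TLS options are in effect"
    else:
        # spamdyke terminates TLS itself and hands qmail plaintext, so every filter can see the session.
        return {"mode": conf["tls-level"], "reason": "spamdyke decrypts the session",
                "blind_filters": (), "has_cert": has_cert}
    return {"mode": "passthrough", "reason": reason,
            "blind_filters": BLIND_IN_PASSTHROUGH, "has_cert": has_cert}

# Constructed samples: the TLS-capable banner from the thread and a config modelled on the posted one.
SAMPLE_BANNER = "spamdyke 4.3.1+TLS+CONFIGTEST+DEBUG"
SAMPLE_CONFIG = "tls-certificate-file=/var/qmail/control/servercert.pem\ntls-level=smtp\n"
```

Run it against each server's banner and config to see at a glance which hosts are silently skipping graylisting and the other listed filters for TLS sessions.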
