Dear all,
I'm absolutely confounded by a problem I'm having after upgrading five
systems from Spamdyke 4.3.1 to 5.0.1
On two of them, webmail (running locally, connecting from 127.0.0.1 to
127.0.0.1 port 25 via smtp, no authentication) works fine and can send
messages.
On the other three, spamdyke spits out a RELAYING_DENIED and blocks the
connection from 127.0.0.1 when trying to send messages.
--------------
Oct 3 12:07:38 hostnameredacted spamdyke[4927]: FILTER_RDNS_MISSING ip:
127.0.0.1
Oct 3 12:07:38 hostnameredacted spamdyke[4927]: FILTER_WHITELIST_IP ip:
127.0.0.1 file: /etc/spamdyke.d/whitelist_ip(6)
Oct 3 12:07:38 hostnameredacted spamdyke[4927]: FILTER_RELAYING
Oct 3 12:07:38 hostnameredacted spamdyke[4927]: DENIED_RELAYING from: (the
rest redacted)
----------------
All four systems use Plesk, which has 127.0.0.1 whitelisted for email - no
authentication is required for connections from that IP.
I have read the upgrade notes, which explain that IPs that are whitelisted
in the ip whitelist (or whatever) file are no longer automatically also
allowed to relay, and obviously that's at the heart of the problem in some
way.
What I cannot fathom is why two would work, and three would not. They are
all pretty much identical in every way that I can think of. Same Centos 6,
same versions of pretty much everything, very little differences anywhere.
None of them have any form of relay or smtp auth settings in spamdyke.conf.
All of them do have 127.0.0.1 whitelisted in the ip whitelist file - not
that it makes any difference in 5.0.1 of course.
Everything is controlled via smtp_psa file via xinetd
(stuff)
server = /var/qmail/bin/tcp-env
server_args = -Rt0 /usr/local/bin/spamdyke -f
/etc/spamdyke.d/spamdyke.conf /var/qmail/bin/relaylock
/var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true
/var/qmail/bin/cmd5checkpw /var/qmail/bin/true
So, to resolve the problem, in theory all I have to do is add
ip-relay-entry=127.0.0.1 and indeed that does solve the problem.
I presume that's safe enough, given that we do want anything in localhost to
be able to send email without authenticating?
Is this a common setting?
But I feel I must get to the bottom of why some work, and some don't, out of
the box. It seems bonkers, and indicative of something else that might be
wrong.
None of the boxes are accidental open relays. Authentication is most
definitely required to send to non-local addresses.
At one point I suspected it might have something to do with the webmail
configuration, but I can't find any differences at all. They are all set to
use smtp to connect to port 25 with no authentication.
In the hope that someone may spot an error in my config files, here is one
from a server where webmail can send, and another from a server where
webmail cannot send.
(--config-tests throws no errors on either of them)
(I do not know what I have qmail-rcpthosts / qmail-morescpthosts.cdb set but
they had been set when using 4.3.1 using the old syntax so I thought I'd
bring them over since I knew that configuration worked)
*****************
CAN SEND:
log-level=info
qmail-rcpthosts-file=/var/qmail/control/rcpthosts
max-recipients=5
idle-timeout-secs=60
greeting-delay-secs=11
ip-blacklist-file=/etc/spamdyke.d/blacklist_ip
sender-blacklist-file=/etc/spamdyke.d/blacklist_sender
rdns-blacklist-file=/etc/spamdyke.d/blacklist_rdns
recipient-blacklist-file=/etc/spamdyke.d/blacklist_recipient
ip-whitelist-file=/etc/spamdyke.d/whitelist_ip
rdns-whitelist-file=/etc/spamdyke.d/whitelist_rdns
recipient-whitelist-file=/etc/spamdyke.d/whitelist_recipient
sender-whitelist-file=/etc/spamdyke.d/whitelist_sender
tls-certificate-file=/var/qmail/control/servercert.pem
tls-level=smtp
config-dir-search=all-recipient
config-dir=/etc/spamdyke.d/configdir
config-dir=/etc/spamdyke.d/individuals
config-dir=/var/qmail/conf.d
#configs in the above directories are recipient-based only and
enable/disable dns blacklists and reject-empty-rdns type things
dns-blacklist-entry=zen.spamhaus.org
dns-blacklist-entry=bl.spamcop.net
reject-empty-rdns
************************************
CANNOT SEND
log-level=verbose
qmail-rcpthosts-file=/var/qmail/control/rcpthosts
qmail-morercpthosts-cdb=/var/qmail/control/morercpthosts.cdb
#*** I have tried removing the above two lines - makes no difference to
webmail sending
max-recipients=5
idle-timeout-secs=60
greeting-delay-secs=6
ip-blacklist-file=/etc/spamdyke.d/blacklist_ip
sender-blacklist-file=/etc/spamdyke.d/blacklist_sender
rdns-blacklist-file=/etc/spamdyke.d/blacklist_rdns
recipient-blacklist-file=/etc/spamdyke.d/blacklist_recipient
ip-whitelist-file=/etc/spamdyke.d/whitelist_ip
rdns-whitelist-file=/etc/spamdyke.d/whitelist_rdns
recipient-whitelist-file=/etc/spamdyke.d/whitelist_recipient
sender-whitelist-file=/etc/spamdyke.d/whitelist_sender
tls-certificate-file=/var/qmail/control/servercert.pem
tls-level=smtp
dns-blacklist-entry=zen.spamhaus.org
dns-blacklist-entry=bl.spamcop.net
dns-blacklist-entry=b.barracudacentral.org
reject-empty-rdns=1
reject-unresolvable-rdns=1
config-dir=/etc/spamdyke.d/configdir
config-dir=/etc/spamdyke.d/individuals
#configs in the above two are recipient-based only and enable/disable dns
blacklists and reject-empty-rdns type things.
config-dir-search=all-recipient
*****************
_______________________________________________
spamdyke-users mailing list
[email protected]
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
