MRatWork Forum by Mustafa Ramadhan
Sawo Project - Kloxo-MR Discussions => Kloxo-MR Tips and Tricks => Topic started by: chrisf on 2014-01-15, 09:05:25
-
Spamdyke has not worked with KloxoMR for a while. The reason is Mustafa added the rblsmtpd blacklist and it conflicts with spamdyke's ability to use auth. Also, spamdyke must be enabled for smtps and the server pem file must be configured.
I rewrote the spamdyke section of the necessary files below. If you disable spamdyke, the rblsmtpd blacklist will automatically start working again. Since spamdyke can manage blacklists, there is no reason for both anyhow.
/var/qmail/supervise/smtp/run
#!/bin/sh
QMAILDUID=$(id -u qmaild)
NOFILESGID=$(id -g qmaild)
MAXSMTPD=$(cat /var/qmail/control/concurrencyincoming)
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=$(hostname)
VCHKPW="/home/vpopmail/bin/vchkpw"
#RECORDIO="/usr/bin/recordio"
RECORDIO=""
RBLSMTPD=""
BLACKLIST=""
if [ -f /var/qmail/control/spamdyke ] ; then
SPAMDYKE=$(cat /var/qmail/control/spamdyke)" --log-level=info"
else
SPAMDYKE=""
if [ -f /var/qmail/control/rblsmtpd ] ; then
RBLSMTPD=$(cat /var/qmail/control/rblsmtpd)
BLACKLIST=$(cat /var/qmail/control/blacklists)
fi
fi
### MR -- increasing SOFTLIMITVAR if not enough (example: because 'login fail')
if [ `uname -m` = 'x86_64' ] ; then
SOFTLIMITVAR="72000000"
else
SOFTLIMITVAR="18000000"
fi
IP=0
PORT=25
### MR -- SSL must use SMTPS=1 and SSL=1; non-SSL uses only SSL=0 (without SMTPS=0)
export SMTPAUTH="!" \
SSL=0 \
REQUIRE_AUTH=0 \
FORCE_TLS=0 \
DENY_TLS=0 \
AUTH=1 \
REQUIRE_AUTH=0 \
ALLOW_INSECURE_AUTH=1
### MR -- spamhaus.org recommended for not using $RBLSMTPD $BLACKLIST entry before $SMTPD
exec /usr/bin/softlimit -m $SOFTLIMITVAR \
/usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" $IP $PORT $RECORDIO \
$SPAMDYKE $RBLSMTPD $SMTPD $VCHKPW /bin/true 2>&1
/var/qmail/supervise/smtp-ssl/run
#!/bin/sh
QMAILDUID=$(id -u qmaild)
NOFILESGID=$(id -g qmaild)
MAXSMTPD=$(cat /var/qmail/control/concurrencyincoming)
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=$(hostname)
VCHKPW="/home/vpopmail/bin/vchkpw"
#RECORDIO="/usr/bin/recordio"
RECORDIO=""
RBLSMTPD=""
BLACKLIST=""
if [ -f /var/qmail/control/spamdyke ] ; then
SPAMDYKE=$(cat /var/qmail/control/spamdyke)" --log-level=info --tls-level smtps --tls-certificate-file /var/qmail/control/servercert.pem"
else
SPAMDYKE=""
if [ -f /var/qmail/control/rblsmtpd ] ; then
RBLSMTPD=$(cat /var/qmail/control/rblsmtpd)
BLACKLIST=$(cat /var/qmail/control/blacklists)
fi
fi
### MR -- increasing SOFTLIMITVAR if not enough (example: because 'login fail')
if [ `uname -m` = 'x86_64' ] ; then
SOFTLIMITVAR="72000000"
else
SOFTLIMITVAR="18000000"
fi
IP=0
PORT=465
### MR -- SSL must use SMTPS=1 and SSL=1; non-SSL uses only SSL=0 (without SMTPS=0)
export SMTPAUTH="!" \
SMTPS=1 \
SSL=1 \
REQUIRE_AUTH=0 \
FORCE_TLS=0 \
DENY_TLS=0 \
AUTH=1 \
REQUIRE_AUTH=0 \
ALLOW_INSECURE_AUTH=0
### MR -- spamhaus.org recommended for not using $RBLSMTPD $BLACKLIST entry before $SMTPD
exec /usr/bin/softlimit -m $SOFTLIMITVAR \
/usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" $IP $PORT $RECORDIO \
$SPAMDYKE $RBLSMTPD $SMTPD $VCHKPW /bin/true 2>&1
/var/qmail/supervise/submission/run
#!/bin/sh
QMAILDUID=$(id -u qmaild)
NOFILESGID=$(id -g qmaild)
MAXSMTPD=$(cat /var/qmail/control/concurrencyincoming)
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=$(hostname)
VCHKPW="/home/vpopmail/bin/vchkpw"
#RECORDIO="/usr/bin/recordio"
RECORDIO=""
RBLSMTPD=""
BLACKLIST=""
if [ -f /var/qmail/control/spamdyke ] ; then
SPAMDYKE=$(cat /var/qmail/control/spamdyke)" --log-level=info"
else
SPAMDYKE=""
if [ -f /var/qmail/control/rblsmtpd ] ; then
RBLSMTPD=$(cat /var/qmail/control/rblsmtpd)
BLACKLIST=$(cat /var/qmail/control/blacklists)
fi
fi
### MR -- increasing SOFTLIMITVAR if not enough (example: because 'login fail')
if [ `uname -m` = 'x86_64' ] ; then
SOFTLIMITVAR="64000000"
else
SOFTLIMITVAR="16000000"
fi
IP=0
PORT=587
### MR -- SSL must use SMTPS=1 and SSL=1; non-SSL uses only SSL=0 (without SMTPS=0)
export SMTPAUTH="!" \
SSL=0 \
REQUIRE_AUTH=0 \
FORCE_TLS=1 \
DENY_TLS=0 \
AUTH=1 \
REQUIRE_AUTH=0 \
ALLOW_INSECURE_AUTH=0
### MR -- spamhaus.org recommended for not using $RBLSMTPD $BLACKLIST entry before $SMTPD
exec /usr/bin/softlimit -m $SOFTLIMITVAR \
/usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" $IP $PORT $RECORDIO \
$SPAMDYKE $RBLSMTPD $SMTPD $VCHKPW /bin/true 2>&1
Replace those three files, then:
Go to KloxoMR panel -> Admin -> Mail Server Settings -> Enable spamdyke.
Command line:
qmailctl stop
qmailctl start
Look at the bottom of /var/log/maillog and you will see it working ;)
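The recurring complaint in this thread is that a KloxoMR rpm update silently reverts /var/qmail/supervise/smtp-ssl/run and smtp-ssl stops working until someone notices. The script below is an editor's added example, not chrisf's or KloxoMR's code: a post-update sanity check that verifies each of the three run files still carries what its port needs (the smtps TLS options, SMTPS=1/SSL=1 and an existing certificate on 465; no smtps options but FORCE_TLS=1 on 587; RECORDIO disabled everywhere). It assumes the run files keep the layout shown above (a single SPAMDYKE= line, one exported variable per line) and the three standard KloxoMR paths; the file names in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): post-update sanity check for the three
# qmail supervise run files. Exit status 0 = consistent, 1 = something is off.
#   port 465 (smtp-ssl):  --tls-level smtps, --tls-certificate-file <readable pem>,
#                         SMTPS=1 and SSL=1 exported
#   port 25 / 587:        NO smtps options (they would refuse plain-text clients);
#                         587 (submission) keeps FORCE_TLS=1
#   every port:           RECORDIO stays empty (it is too expensive in production)

# exports_var FILE NAME=VALUE -> true if the assignment starts a line.
# The "### MR" comments also mention SMTPS=1 and SSL=1, so a plain text grep
# would report the export as present after the rpm removed it.
exports_var() {
    grep -Eq "^[[:space:]]*(export[[:space:]]+)?$2(\$|[[:space:]])" "$1"
}

# check_run_file FILE PORT -> prints findings, returns 0 only if FILE matches
# the role of PORT (25, 465 or 587)
check_run_file() {
    file=$1
    port=$2
    status=0

    [ -f "$file" ] || { echo "$file: missing"; return 1; }

    # does the spamdyke line carry the smtps TLS options?
    if grep -Eq -- '--tls-level[ =]smtps' "$file"; then
        has_smtps=1
    else
        has_smtps=0
    fi

    case $port in
        465)
            if [ "$has_smtps" -eq 0 ]; then
                echo "$file: spamdyke line lacks --tls-level smtps (smtp-ssl will not work)"
                status=1
            fi
            exports_var "$file" SMTPS=1 || { echo "$file: SMTPS=1 not exported"; status=1; }
            exports_var "$file" SSL=1   || { echo "$file: SSL=1 not exported"; status=1; }
            # the certificate named on the spamdyke line must actually exist
            pem=$(sed -n 's/.*--tls-certificate-file[ =]\([^" ]*\).*/\1/p' "$file" | head -n 1)
            if [ -z "$pem" ]; then
                echo "$file: no --tls-certificate-file on the spamdyke line"
                status=1
            elif [ ! -r "$pem" ]; then
                echo "$file: certificate $pem is not readable"
                status=1
            fi
            ;;
        25|587)
            if [ "$has_smtps" -eq 1 ]; then
                echo "$file: smtps TLS options on port $port would block non-SSL clients"
                status=1
            fi
            if [ "$port" -eq 587 ]; then
                exports_var "$file" FORCE_TLS=1 || { echo "$file: submission should export FORCE_TLS=1"; status=1; }
            fi
            ;;
        *)
            echo "$file: unexpected port $port"
            status=1
            ;;
    esac

    # an uncommented RECORDIO="/..." means the per-connection recorder is on
    if grep -Eq '^[[:space:]]*RECORDIO="?/' "$file"; then
        echo "$file: RECORDIO is enabled"
        status=1
    fi

    if [ "$status" -eq 0 ]; then
        echo "$file: OK"
    fi
    return "$status"
}

# check_kloxo_defaults -> checks the three KloxoMR run files, returns 1 if any fails
check_kloxo_defaults() {
    rc=0
    check_run_file /var/qmail/supervise/smtp/run 25        || rc=1
    check_run_file /var/qmail/supervise/smtp-ssl/run 465   || rc=1
    check_run_file /var/qmail/supervise/submission/run 587 || rc=1
    return "$rc"
}

# Usage after every KloxoMR update (hypothetical file name):
#   sh check-spamdyke-runs.sh run && qmailctl restart
if [ "${1:-}" = "run" ]; then
    check_kloxo_defaults
fi
```

Run it before restarting qmail after an update; a non-zero exit means one of the run files has drifted from the versions posted above, most likely the smtp-ssl one.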
-
Do I have to disable Spamdyke before updating these files?
-
Nope, just after updating them do the:
qmailctl stop
qmailctl start
;)
-
Latest version of qmail is already the same as chrisf proposes.
-
Mustafa, please check your rpm then, as I stated here:
http://forum.mratwork.com/kloxo-mr-technical-helps/update-breaks-spamdyke-smtp-ssl/
After the update, smtp-ssl again stopped working. You did not use my code completely, just the 'idea' of it. Please look at the spamdyke section more closely. Also, my findings when researching recordio: it is too resource intensive for production servers; it should be disabled by default.
My code above takes care of it. ;)
-
I didn't find an issue related to RECORDIO. So, that's why RECORDIO still exists.
-
What about the smtps code?
I have had no issue with recordio either; however, in my research I found that it is resource intensive when running a production server with a lot of mail being processed.
The code for smtps IS needed.
-
Yes, chrisf is right, Mustafa you are wrong. This code works perfectly, and after Mustafa's update SMTP-SSL stopped working, so please check this code again!
-
MUSTAFA's update broke smtp-ssl AGAIN!
The recordio disable is a nice addition but YOU MUST ADD THIS TO
/var/qmail/supervise/smtp-ssl/run
SPAMDYKE=$(cat /var/qmail/control/spamdyke)" --log-level=info --tls-level smtps --tls-certificate-file /var/qmail/control/servercert.pem"
else
SPAMDYKE=""
Do you see the addition needed? THIS IS A MUST FOR SPAMDYKE SMTPS-SSL!
Also DKIM support was removed if you had added it. Making a script to fix this crap!
-
For the recordio disable, do I just need to 'touch' that file? Or are you adding an option to the KloxoMR panel?
-
I use this file:
#!/bin/sh
QMAILDUID=$(id -u qmaild)
NOFILESGID=$(id -g qmaild)
MAXSMTPD=$(cat /var/qmail/control/concurrencyincoming)
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=$(hostname)
VCHKPW="/home/vpopmail/bin/vchkpw"
#RECORDIO="/usr/bin/recordio"
RECORDIO=""
RBLSMTPD=""
BLACKLIST=""
if [ -f /var/qmail/control/spamdyke ] ; then
SPAMDYKE=$(cat /var/qmail/control/spamdyke)" --log-level=info --tls-level smtps --tls-certificate-file /var/qmail/control/servercert.pem"
else
SPAMDYKE=""
if [ -f /var/qmail/control/rblsmtpd ] ; then
RBLSMTPD=$(cat /var/qmail/control/rblsmtpd)
BLACKLIST=$(cat /var/qmail/control/blacklists)
fi
fi
### MR -- increasing SOFTLIMITVAR if not enough (example: because 'login fail')
if [ `uname -m` = 'x86_64' ] ; then
SOFTLIMITVAR="72000000"
else
SOFTLIMITVAR="18000000"
fi
IP=0
PORT=465
### MR -- SSL must use SMTPS=1 and SSL=1; non-SSL uses only SSL=0 (without SMTPS=0)
export SMTPAUTH="!" \
SMTPS=1 \
SSL=1 \
REQUIRE_AUTH=0 \
FORCE_TLS=0 \
DENY_TLS=0 \
AUTH=1 \
REQUIRE_AUTH=0 \
ALLOW_INSECURE_AUTH=0
### MR -- spamhaus.org recommended for not using $RBLSMTPD $BLACKLIST entry before $SMTPD
exec /usr/bin/softlimit -m $SOFTLIMITVAR \
/usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" $IP $PORT $RECORDIO \
$SPAMDYKE $RBLSMTPD $SMTPD $VCHKPW /bin/true 2>&1
-
Mustafa, DKIM installed properly on the latest update. :)
BUT smtp-ssl broke again. You MUST change your rpm file!
/var/qmail/supervise/smtp-ssl/run
YOUR LINE:
SPAMDYKE=$(cat /var/qmail/control/spamdyke)
MUST BE CHANGED TO
SPAMDYKE=$(cat /var/qmail/control/spamdyke)" --log-level=info --tls-level smtps --tls-certificate-file /var/qmail/control/servercert.pem"
Spamdyke REQUIRES this to operate smtps. PLEASE make this change.
-
Try modifying the content of /var/qmail/control/spamdyke to '/usr/bin/spamdyke -f /etc/spamdyke.conf --log-level=info --tls-level smtps --tls-certificate-file /var/qmail/control/servercert.pem'
As an alternative, '/usr/bin/spamdyke -f /etc/spamdyke.conf --log-level=info --tls-level=smtps --tls-certificate-file=/var/qmail/control/servercert.pem'
-
Doesn't work. If you place it anywhere but in the smtp-ssl run file, it will allow smtp-ssl but will block non-ssl connections. Just change it as I have suggested and spamdyke will work with KloxoMR properly.
;)
-
1. What about ' --log-level=info --tls-level=smtps --tls-certificate-file=/var/qmail/control/servercert.pem'? Does it work or not?
2. What about submission? Does it also use additional code like smtp-ssl, or not?
-
1. Yes, that is needed for smtp-ssl ONLY.
2. Every time you make a change in the KloxoMR panel to the spamdyke configuration (add blacklist, rbldns) it changes the entire spamdyke.conf. I added ' --log-level=info' to submission and smtp so I could log what spamdyke was doing (by default logging is off).
-
newest update, qmail. 35 - DKIM working, smtp-ssl working.
;)
Everything is working.
-
It shows:
update-simscan v0.1 - /var/qmail/bin/simscanmk not found
This file should contain:
#!/bin/sh
# script to update simscan cdb files
# invoked when clamav, spamassassin are updated
# 03/25/12 shubes - created from qmailctl script
me=${0##*/}
myver=v0.1
bindir=/var/qmail/bin
ctldir=/var/qmail/control
simscanmk=$bindir/simscanmk
simcontrol=$ctldir/simcontrol
if [ -f $simscanmk ]; then
$simscanmk -g 2>/dev/null
# echo "$me $myver - reloaded $ctldir/simversions.cdb"
if [ -f $simcontrol ] ; then
$simscanmk
# echo "$me $myver - reloaded $simcontrol.cdb"
else
echo "$me $myver - $simcontrol not found"
exit 2
fi
else
echo "$me $myver - $simscanmk not found"
exit 1
fi
exit 0
Now Mustafa should fix the removal of DNS entries and the changing of the document root! This is really urgent!
-
What about reinstalling simscan with 'yum simscan-toaster'?
-
I had no issue with simscan. All is working now.
-
I had to disable checking RevDNS and MX; it stopped valid e-mails like PayPal from being delivered!
-
@spacedust, I can't confirm this. If it is really PayPal, and not a scammer, rDNS is set properly by PayPal. This is from my logs yesterday:
Feb 2 07:38:18 server smtp: 1391344698.002655 8530 < RCPT TO:<sales@.com>?
Feb 2 07:38:18 server spamdyke[8530]: DENIED_GRAYLISTED from: service@paypal.com to: sales@.com origin_ip: 173.0.84.226 origin_rdns: mx1.slc.paypal.com auth: (unknown) encryption: (none) reason: (empty)
Feb 2 07:38:18 server smtp: 1391344698.003633 8530 > 421 Your address has been graylisted. Try again later.?
Then, as any legitimate mail server would do, it tried again and the mail was delivered:
Feb 2 07:44:19 server smtp: 1391345059.468122 CHKUSER accepted sender: from <service@paypal.com::> remote <mx0.slc.paypal.com:unknown:173.0.84.227> rcpt <> : sender accepted
Sender accepted. Mail was delivered.
Spamdyke rDNS appears, from my logs, to work very well.
-
> @spacedust, I can't confirm this. If it is really PayPal, and not a scammer, rDNS is set properly by PayPal. This is from my logs yesterday:
> Feb 2 07:38:18 server smtp: 1391344698.002655 8530 < RCPT TO:<sales@.com>?
> Feb 2 07:38:18 server spamdyke[8530]: DENIED_GRAYLISTED from: service@paypal.com to: sales@.com origin_ip: 173.0.84.226 origin_rdns: mx1.slc.paypal.com auth: (unknown) encryption: (none) reason: (empty)
> Feb 2 07:38:18 server smtp: 1391344698.003633 8530 > 421 Your address has been graylisted. Try again later.?
> Then, as any legitimate mail server would do, it tried again and the mail was delivered:
> Feb 2 07:44:19 server smtp: 1391345059.468122 CHKUSER accepted sender: from <service@paypal.com::> remote <mx0.slc.paypal.com:unknown:173.0.84.227> rcpt <> : sender accepted
> Sender accepted. Mail was delivered.
> Spamdyke rDNS appears, from my logs, to work very well.
Yes, but mails are delayed about 1 day and that's not acceptable.
-
1 day? 5 minutes. Look at my log times. That's only because I have graylisting enabled. Turn off graylisting in the spamdyke configuration in the panel, then there won't even be the initial delay.
This is not a MX or rDNS issue. Spamdyke does the reverse lookups without any problems. If you are getting refused due to rDNS from PayPal someone is scamming. PayPal and any legitimate company will have these records set.
-
> 1 day? 5 minutes. Look at my log times. That's only because I have graylisting enabled. Turn off graylisting in the spamdyke configuration in the panel, then there won't even be the initial delay.
> This is not a MX or rDNS issue. Spamdyke does the reverse lookups without any problems. If you are getting refused due to rDNS from PayPal someone is scamming. PayPal and any legitimate company will have these records set.
No, no, no!!! It was not a scam. I specially made a payment request between my PayPal account and you know what - it didn't arrive...
That was a valid PayPal e-mail and they 100% have a working MX and correct RevDNS.
-
It blocked spammers anyway, so the other spamdyke checks work fine. Only MX and RevDNS do not work OK, so they need to be disabled.
"Feb 6 20:39:11 onlinecity pop3: 1391715551.245554 tcpserver: end 18540 status 256
Feb 6 20:39:11 onlinecity pop3: 1391715551.245573 tcpserver: status: 0/200
Feb 6 20:39:12 onlinecity smtp: 1391715552.203370 18527 < MAIL FROM:<>?
Feb 6 20:39:12 onlinecity smtp: 1391715552.203639 18527 > 250 Refused. Your reverse DNS entry does not resolve.?
Feb 6 20:39:13 onlinecity smtp: 1391715553.125934 18527 < RCPT TO:<anna.xxx@xxx.pl>?
Feb 6 20:39:13 onlinecity smtp: 1391715553.126437 18527 > 421 Refused. Your reverse DNS entry does not resolve.?"
-
@spacedust - vim /etc/spamdyke.conf and set log-level to verbose.
I am not getting the reverse DNS issues. My installation is performing as it should.
-
Seems to be working now. PayPal e-mails are getting through OK.
-
I have to disable all 4 checks, because we've got customers with RevDNS like this:
host-81-123-34-123.szczecin.mm.pl
Which is OK, but spamdyke refuses mails from such customers, which is wrong!
-
All four? You should only have to disable the reverse DNS contains IP check.
-
> All four? You should only have to disable the reverse DNS contains IP check.
Disabled all four because some proper servers were rejected.
I almost don't have SPAM now because of RBL checks, and some customers cannot contact us because of these checks.
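The disagreement from the PayPal graylisting excerpt onward comes down to one question: which spamdyke check is rejecting which sending host? Spamdyke logs one DENIED_* line per rejection in the shape shown in chrisf's excerpt, so the answer is in /var/log/maillog once log-level is raised as suggested. The script below is an editor's added example, not code from the thread or from spamdyke; it tallies those lines per denial code and origin host, so an admin can see whether the rejected names are real MXs (mx1.slc.paypal.com) or customer hosts with the address embedded in the name (host-81-123-34-123.szczecin.mm.pl), and disable the one offending check rather than all four. Assumptions: the field order of the log line is as in the excerpt above; the DENIED_IP_IN_RDNS code and the sample log are constructed by me; rdns_embeds_ip is a simplified approximation of the "reverse DNS contains IP" test, not spamdyke's own logic.

```shell
#!/bin/sh
# Added example (not from the thread): summarise spamdyke DENIED_* lines.
# Expected line shape (from the excerpt in the thread, syslog prefix first):
#   ... spamdyke[PID]: DENIED_<CODE> from: <sender> to: <rcpt> origin_ip: <ip>
#       origin_rdns: <name> auth: ... encryption: ... reason: ...

# spamdyke_denials [LOGFILE...] -> tab-separated, busiest first:
#   <count> <code> <origin_ip> <origin_rdns> <sender>
# Reads stdin when no file is given. Non-DENIED lines are ignored.
spamdyke_denials() {
    awk '
        /spamdyke\[[0-9]+\]: DENIED_/ {
            code = ip = rdns = sender = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^DENIED_/)           code   = $i
                else if ($i == "from:")        sender = $(i + 1)
                else if ($i == "origin_ip:")   ip     = $(i + 1)
                else if ($i == "origin_rdns:") rdns   = $(i + 1)
            }
            count[code "\t" ip "\t" rdns "\t" sender]++
        }
        END { for (k in count) print count[k] "\t" k }
    ' "$@" | sort -rn
}

# rdns_embeds_ip NAME IP -> true if NAME contains IP written with dots or with
# dashes, the shape of the customer hosts complained about above. This is a
# simplified approximation (assumption), not spamdyke's own rdns test.
rdns_embeds_ip() {
    dashed=$(printf '%s' "$2" | tr . -)
    case $1 in
        *"$2"*|*"$dashed"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage:
#   spamdyke_denials /var/log/maillog
#   spamdyke_denials /var/log/maillog | while IFS="$(printf '\t')" read -r n code ip rdns from; do
#       rdns_embeds_ip "$rdns" "$ip" && echo "$n x $code: $rdns looks like a dynamic/customer host"
#   done
```

A high count of DENIED_GRAYLISTED for a host that later shows up as accepted (as PayPal's mx0/mx1 do in the excerpt) is graylisting doing its job, not an rDNS failure; a customer host rejected only under the IP-in-rDNS code points at that single check, which is what chrisf suggested disabling.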