spamdyke

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
danami
Forum User
Posts: 16
Joined: Wed Feb 21, 2007 7:56 pm

spamdyke

Anyone here use spamdyke? Check it out here: http://www.spamdyke.org/

It has a huge amount of spam filters and doesn't require you to change qmail at all. It sits in front of qmail doing most of the dirty work. Basically you just edit your xinetd.d smtp_psa file ...

What I thought was cool is that it supports PER DOMAIN greylisting!

Any thoughts on how spamdyke stands up compared to spamassassin?
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

I'd say it's a more advanced method of doing greylisting, so it would be used in support of spamassassin to augment overall spam detection rather than as something that would replace it.
danami
Forum User
Posts: 16
Joined: Wed Feb 21, 2007 7:56 pm

Yes, that's what I was thinking. I've wanted to use greylisting but for some clients the mail delay is unacceptable. Being able to turn it on per domain would be great. Scott, do you know if spamdyke would interfere with spamassassin? Would it be safe to run both at the same time .. or would this add too much extra load on the server?
danami
Forum User
Posts: 16
Joined: Wed Feb 21, 2007 7:56 pm

Update

O.K. I took the plunge and enabled it on one of our production servers. So far I'm pretty impressed!!

It only took me around 15 minutes to set up .. all the options are pretty straightforward.

I'm using some of the RBL and GreyListing options ... I love the fact that with the spamdyke RBL authenticated users are NOT blocked by the RBL list .. I was always having trouble with the default RBLS in plesk as it blocks users even if they are authenticated but in an RBL list.

The extra server load seems minimal and the extra logging that spamdyke does is great. Seems to run fine with spamassassin also! Great tool!
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Yeah it has about as much to do with spamassassin as say, a fish on a bicycle. Which is to say they might as well be installed on separate systems for all the effect they have on one another :P
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

An old topic I know, but WOW. I just came across spamdyke and it looks great. I was going to add a post in the requests section but thought I'd better search to see if anybody had mentioned it before ... and found this post.

For me, the per-domain greylisting, and smtp-auth bypassing the filters (like it should) are the very best features. This is a very nice bit of software. And just for a change it is also nicely documented on the website.

It is not hard to compile and install but obviously an RPM would be nice at some point, especially one that automatically parses the domain list file in rcpthosts (and morercpthosts if it exists) and automatically creates the appropriate subdirectories for greylisting. Heck...this is an ideal little project for me. Not the RPM (beyond my ability) but a script to read the files and create the subdirectories. Also a little add/remove script to manually add or remove a subdir based on the domain.

A way to integrate it into the plesk CP would be nice. Obviously this is possible since there are plenty of third party tools that do so. Hmmm....no, I won't try that. I don't want to accidentally compromise security.
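
The rcpthosts-to-directories helper described in the post above, sketched as an added example; it is not part of the thread and not faris's script. It assumes one subdirectory per domain directly under graylist-dir; the names `sync_graylist_dirs`, `demo` and `GRAYLIST_OWNER` are hypothetical, and entries that start with a dot or contain path characters are skipped rather than turned into paths.

```shell
#!/bin/sh
# Added example, not faris's script. Creates one graylist subdirectory per
# domain found in qmail rcpthosts-style files and prints how many it created.
# GRAYLIST_OWNER is a hypothetical knob: set it to the account spamdyke runs as.
# Usage: sync_graylist_dirs GRAYLIST_DIR FILE [FILE...]
sync_graylist_dirs() {
    gl_dir=$1; shift
    created=0
    [ -d "$gl_dir" ] || { echo "missing graylist dir: $gl_dir" >&2; return 1; }
    for f in "$@"; do
        [ -r "$f" ] || continue            # morercpthosts may not exist
        while IFS= read -r line || [ -n "$line" ]; do
            # Normalise: drop CR, lowercase, trim surrounding whitespace.
            d=$(printf '%s' "$line" | tr -d '\r' | tr 'A-Z' 'a-z' |
                sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
            case $d in
                ''|'#'*) continue ;;       # blank line or comment
                .*|-*|*..*|*[!a-z0-9.-]*)  # wildcard entry, traversal, odd bytes
                    echo "skipped: $d" >&2; continue ;;
            esac
            [ -d "$gl_dir/$d" ] && continue
            if mkdir -m 0700 "$gl_dir/$d"; then
                created=$((created + 1))
                if [ -n "${GRAYLIST_OWNER:-}" ]; then
                    chown "$GRAYLIST_OWNER" "$gl_dir/$d"
                fi
            fi
        done < "$f"
    done
    echo "$created"
}

# Constructed sample input in a scratch directory; nothing under /var/qmail is touched.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/graylist"
    printf 'example.com\nExample.ORG\r\n.wild.example.net\n../../etc\n\n' > "$tmp/rcpthosts"
    printf 'example.com\nshop.example.net' > "$tmp/morercpthosts"
    n=$(sync_graylist_dirs "$tmp/graylist" "$tmp/rcpthosts" "$tmp/morercpthosts" 2>/dev/null)
    echo "$n:$(ls "$tmp/graylist" | paste -sd, -)"
    rm -rf "$tmp"
}

demo
```

Because existing directories are left alone, the function can be re-run whenever a domain is added; it never removes a directory for a domain that has gone away.
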
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

I couldn't help myself and had a go with this today. It could not be easier.

download, compile, copy binary, edit smtp_psa, create config file, restart xinetd, done. (though you need to add some directories and chown them if you want greylisting too)

Here's something else spamdyke does for plesk users too: port 587 (which a lot of people are using and more should be using) is supposed to be authenticated only. But it isn't if you just duplicate the smtp_psa and change smtp to submission.

Now maybe there is another way to do it but with spamdyke you can make it auth-only by adding a single line to a config file.

Scott...would there be any conflict between spamdyke and qmail-scanner? I'm thinking in terms of how qmail-scanner will send a refused SMTP message back if spamassassin decides the message is spam, and how spamdyke initially takes control of the SMTP session and might not like that.

However, as I understand it, spamdyke would be transparent to qmail as long as the email passes the spamdyke filters, so in theory it should work. I'll give it a go over the weekend and see if it breaks anything :-)

Oh! I forgot. It also fixes the CR/LF thing that qmail doesn't like, so people with really old copies of certain mailservers will finally be able to email!
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

No conflict, it's just like a proxy server. qmail-scanner lives in the mail queue, so it comes into the mix much later in the game.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Thanks Scott. I'll probably have a go today then.

Faris.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Indeed it works perfectly and so does my rcpthosts to directories script which I'll tidy up and post later if anybody wants it.

Unfortunately I've found a massive GOTCHA with the otherwise perfect spamdyke - according to the FAQ it won't support pop-before-relay which we have to enable in order to allow Mac Entourage and Office 2008 users to actually use the SMTP facilities on the servers.

Bah...

If there was a text-based file of just-POPed IPs then that's fine - you just get spamdyke to read it but I'll bet plesk does it via a database.

Humbug!

Faris.

EDIT: Hmmm.. seems that with Spamdyke installed, Outlook 2008's proper smtp auth now works without problems. I expect it will work with Entourage now too. I'll test it later but if it does then there will be no need for pop-before-relay.

EDIT2: Yes, Entourage auth works correctly with it too, which it doesn't with the plain plesk qmail.

So, as long as you don't need pop-before-relay (which you should not since the two proggies that had problems with normal smtp auth with qmail work with spamdyke) this is the perfect solution.
florinc
New Forum User
Posts: 4
Joined: Mon Dec 10, 2007 12:25 pm

Hello,

faris, can you please post some details on your installation? I would like to know especially what smtp-command option do you use.

I use plesk 8.2.1. It's working fine in some situations, allowing me to relay email if I authenticate. But after I login to check mail over imap or pop3d, I get DENIED_RBL_MATCH. I assume this is relaylock's doing, since it doesn't advertise authentication anymore, considering me already authenticated.

I tried to get rid of relaylock. If I try to enable authentication in spamdyke, I get

Code:

ERROR: authentication misuse (no input given or no additional command path given, e.g. /bin/true): someemail address
Dec 10 10:29:34 vhost-plesk smtp_auth: smtp_auth: exit 3 at point 1

I used all the possible combinations of smtp-auth-command-encryption and smtp-auth-command.

Currently spamdyke's config file looks like this:


Code:

log-level=3
local-domains-file=/var/qmail/control/rcpthosts
max-recipients=5
idle-timeout-secs=300
connection-timeout-secs=8600
greeting-delay-secs=1
check-dnsrbl=zen.spamhaus.org
tls-certificate-file=/etc/pki/tls/certs/localhost.crt
tls-privatekey-file=/etc/pki/tls/private/localhost.key
smtp-auth-command-encryption=/var/qmail/bin/smtp_auth /var/qmail/bin/true
smtp-auth-command-encryption=/var/qmail/bin/cmd5checkpw /var/qmail/bin/true

I have no access file, and I can't find any access file on plesk. Pop before smtp uses a table (smtp_poplock) to store the authenticated ips. I don't like users being authenticated based on ip, so I'd really like to have authentication working in spamdyke.

smtp_psa looks like this (I tried both with and without relaylock):

Code:

service smtp
{
        socket_type     = stream
        protocol        = tcp
        wait            = no
        disable         = no
        user            = root
        instances       = UNLIMITED
        server          = /var/qmail/bin/tcp-env
        server_args     = -Rt0 /usr/local/florinc/bin/spamdyke -f /usr/local/florinc/etc/spamdyke/spamdyke.conf  /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
}

Thanks in advance for any pointers in fixing spamdyke.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Do you mean that after you login with pop3/imap or whatever, although you can collect your email, after that you then cannot send email using smtp auth because you get the DENIED_RBL_MATCH?

Does the error go away after the number of minutes that pop-before relay is set to in Plesk?

How do you have your email client set up to do smtp auth? With the full username/password (e.g. "use same settings as incoming" in Outlook)?

Do you have more than one account set up in your email client? Could one of them be using the wrong type of auth? spamdyke should totally bypass all its filters, including the RBL ones, if you are using full auth so the error you are getting sort of points to something not sending the username/password when authenticating after you have logged in to collect email somehow. Most odd.

(I'm assuming your IP is listed in zen.spamhaus.org which is what is generating the error in the first place)

I do not have any lines at all to do with smtp auth in my conf:

Code:

log-level=3
local-domains-file=/var/qmail/control/rcpthosts
local-domains-file=/var/qmail/control/morercpthosts
max-recipients=5
idle-timeout-secs=60
graylist-dir=/var/qmail/graylist
graylist-min-secs=300
graylist-max-secs=1814400
reject-empty-rdns
reject-unresolvable-rdns
greeting-delay-secs=5
check-dnsrbl=dnsbl.sorbs.net
check-dnsrbl=bogons.cymru.com
check-dnsrbl=zen.spamhaus.org
check-dnsrbl=bl.spamcop.net
reject-missing-sender-mx
tls-certificate-file=/var/qmail/control/servercert.pem

Your smtp_psa is fine.
florinc
New Forum User
Posts: 4
Joined: Mon Dec 10, 2007 12:25 pm

> Do you mean that after you login with pop3/imap or whatever, although you can collect your email, after that you then cannot send email using smtp auth because you get the DENIED_RBL_MATCH?

Exactly. My ip is logged in the psa.smtp_poplock mysql table, and relaylock says:
"503 you are already authenticated".

Authentication is not advertised anymore either; this is probably what confuses spamdyke in the first place.

> Does the error go away after the number of minutes that pop-before relay is set to in Plesk?

I am allowed to relay email when I authenticate, after I remove my ip from the smtp_poplock table.

> How do you have your email client set up to do smtp auth? With the full username/password (e.g. "use same settings as incoming" in Outlook)?
>
> Do you have more than one account set up in your email client? Could one of them be using the wrong type of auth? spamdyke should totally bypass all its filters, including the RBL ones, if you are using full auth so the error you are getting sort of points to something not sending the username/password when authenticating after you have logged in to collect email somehow. Most odd.
>
> (I'm assuming your IP is listed in zen.spamhaus.org which is what is generating the error in the first place)

I use thunderbird. It looks configured properly. I mean I'm sure it's configured properly. I can relay with authentication when my ip is not logged as already authenticated.

> I do not have any lines at all to do with smtp auth in my conf:
>
> Code:
>
> log-level=3
> local-domains-file=/var/qmail/control/rcpthosts
> local-domains-file=/var/qmail/control/morercpthosts
> max-recipients=5
> idle-timeout-secs=60
> graylist-dir=/var/qmail/graylist
> graylist-min-secs=300
> graylist-max-secs=1814400
> reject-empty-rdns
> reject-unresolvable-rdns
> greeting-delay-secs=5
> check-dnsrbl=dnsbl.sorbs.net
> check-dnsrbl=bogons.cymru.com
> check-dnsrbl=zen.spamhaus.org
> check-dnsrbl=bl.spamcop.net
> reject-missing-sender-mx
> tls-certificate-file=/var/qmail/control/servercert.pem
>
> Your smtp_psa is fine.

Damn. I was really hoping you used spamdyke authentication. The pointers I found in the spamdyke-users list archive don't work.

This is really annoying. Especially after I thought for a few days that I had it running (I was using plesk only to relay, my imap server was hosted on another machine) :)
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Hmmm...

Check your thunderbird settings. Make sure the option at the bottom of the smtp page says "no" as opposed to tls, or "tls if available" or anything else.

I assume there's a tick in the box that says "use name and password" and your full email address (not just the bit before the @) is in the box?

Faris.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Also make sure you had the ssl libraries installed when you compiled spamdyke (which is what enables tls which we've just told tbird to not use but never mind :-)