On Thu Sep 25, 2025 at 7:27 AM UTC, kasak wrote:
> Hello misc!
>
> I have opensmtpd smarthost on my router.
>
> It seems some host on my LAN network sometimes sends spam through my
> gateway (not through the smarthost),
>
> and because of it, my IP gets blacklisted.
>
> I want to deny use of port 25 from LAN to WAN. I need some advice here.
>
> This is my simplified pf.conf (I've cropped some variables, I think they
> are intuitive):
>
> ----
>
> block in on $ext_if
>
> pass in on $ext_if inet proto tcp from $admin to $ext_if port ssh
>
> pass in quick on em0 inet proto tcp to em0 port { smtp, www, https,
> submission }
>
> #Block 25 port from lan
> #block out quick on egress proto tcp from !self to any port 25
>
> #Enable NAT
> pass out on $ext_if inet from $newlan nat-to $ext_ip
> pass out on $ext_if inet from $guest_vpn to ! <mynets> received-on pppx
> nat-to $ext_ip
>
> ----
>
> Please have a look at the "#Block 25 port from lan" line; unfortunately,
> it blocks all of the mail traffic, including opensmtpd on self.
>
> Maybe there is a better solution?
Hi Kasak,
One alternative option, maybe best coupled with pf, can be to have smtpd
listen on the minimum IP(s) possible. I am not sure how configurable
this is in smtpd, but if you only need to send emails from localhost,
you can bind to 127.0.0.1 or ::1.
-Henrich
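For reference, here is a pf.conf fragment that does what the thread is after: it blocks SMTP from LAN hosts to the Internet, keeps the router's own smtpd and its smarthost sessions working, and logs the offending client so the spamming machine can be found. This is an added example, not part of either message above; $ext_if, $newlan, $ext_ip and <mynets> are the variables from kasak's config, while $lan_if is an assumed name for the LAN-side interface.

```pf
# Added example, not from the thread. $lan_if is an assumed interface name.
lan_if = "em1"

# Filter inbound on the LAN interface, i.e. before nat-to has rewritten the
# source address, so "from $newlan" still identifies the originating host and
# the router's own outgoing mail (source = self, never seen inbound on $lan_if)
# is untouched. "log" writes the client address to pflog0; "return" sends an
# RST so the client fails immediately instead of retrying until timeout.
block return in log quick on $lan_if inet proto tcp from $newlan to ! <mynets> port smtp

# Mail from LAN clients to the router's own smtpd still passes, because the
# router's address is inside <mynets> and therefore excluded from the block.
pass in quick on $lan_if inet proto tcp from $newlan to $lan_if port { smtp, submission }

# NAT for everything else stays as in the original ruleset.
pass out on $ext_if inet from $newlan nat-to $ext_ip
```

After `pfctl -f /etc/pf.conf`, `tcpdump -n -e -ttt -i pflog0 port 25` shows which LAN address is trying to reach external port 25 directly. Henrich's suggestion complements this: with `listen on lo0` in smtpd.conf the daemon only accepts mail from the router itself, which removes the router's SMTP listener from the LAN entirely and leaves only the pf rule to reason about.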