Hello list

I have a problem with spamd. It just doesn't seem to greylist or block,
or do anything else either. I can receive and send mail as usual.

First I had spamlogd_flags="" in my rc.conf.local, but then it immediately
whitelisted every connection on port 25, even the spammer I try to tarpit,
so after some "googling" I changed it to spamlogd_flags="-I -i lo0",
but now it doesn't seem to do anything useful at all, it just passes traffic.
"spamdb | sort" shows nothing. It's empty, and so is "smtp# pfctl -t spamd-white -T show".

The spammer I try to tarpit is showing up in the maillog with IP address
158.69.204.241, which I also added to the file /etc/mail/spammers.txt.
 
Below is some info on my setup and some log files.

------------------------
smtp# uname -a
OpenBSD smtp.bara1.se 6.3 GENERIC.MP#0 amd64
-------------------------

smtp# cat /etc/rc.conf.local
pkg_scripts=postfix dovecot saslauthd dbus_daemon avahi_daemon messagebus
smtpd_flags=NO
spamd_black=NO
spamd_flags="-v -G 2:4:864"
spamlogd_flags="-I -i lo0"
unbound_flags=
---------------------------

smtp# cat /etc/pf.conf
ext_if = "em0"
int_if = "fxp0"
localnet = $int_if:network
tcp_services = "{ domain, ntp, imap, imaps, pop3, pop3s }"
mail_services = "{ smtp, smtps, submission }"
udp_services = "{ domain, ntp }"
icmp_types = "echoreq"

table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16     \
                   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
                   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24        \
                   203.0.113.0/24 }

table <bruteforce> persist
table <abusers> persist file "/etc/abusers"
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"

set block-policy drop
set loginterface egress
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)

antispoof quick for { egress $ext_if int_if }

#pass in on egress inet proto tcp from any to any port smtp divert-to 127.0.0.1 port spamd
pass in on egress inet proto tcp from any to any port $mail_services divert-to 127.0.0.1 port spamd
pass in on egress proto tcp from <nospamd> to any port smtp
pass in log on egress proto tcp from <spamd-white> to any port smtp
pass out log on egress proto tcp to any port smtp

block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>

block in quick log on egress from <abusers> to any label "abusers"

block all
pass out quick inet

pass in on { $ext_if } inet

pass log quick proto tcp from any to (egress) port ssh flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
pass log quick proto tcp from any to (egress) port $tcp_services flags S/SA keep state (max-src-conn 50, max-src-conn-rate 15/5, overload <bruteforce> flush global)
pass log quick proto tcp from any to (egress) port $mail_services flags S/SA keep state (max-src-conn 50, max-src-conn-rate 25/5, overload <bruteforce> flush global)

# pass in on egress inet proto tcp from any to (egress) port { 80 443 } rdr-to 192.168.1.2

pass inet proto tcp from { self, $localnet }

pass quick inet proto tcp to port $tcp_services keep state
pass quick inet proto tcp to port $mail_services keep state

pass quick inet proto udp to port $udp_services keep state
pass out on $ext_if inet proto udp to port 33433 >< 33626
pass inet proto icmp all icmp-type $icmp_types
--------------------------------------------

smtp# cat /etc/mail/spamd.conf
all:\
        :nixspam:

# Nixspam recent sources list.
# Mirrored from http://www.heise.de/ix/nixspam
nixspam:\
        :black:\
        :msg="Your address %A is in the nixspam list\n\
        See http://www.heise.de/ix/nixspam/dnsbl_en/ for details":\
        :method=http:\
        :file=www.openbsd.org/spamd/nixspam.gz

ymer:\
        :black:\
        :msg="SPAM.  All spmmers get reported !
        :method=file:\
        :file=/etc/mail/spammers.txt
-------------------------------------

smtp# ps -aux | grep "_spamd"
_spamd   69313  0.0  0.0  9708  1552 ??  Ssp    4:13PM    0:00.07 spamd: (pf <spamd-white> update) (spamd)
_spamd   98521  0.0  0.1  9892  4880 ??  Sp     4:13PM    0:00.03 spamd: [priv] (greylist) (spamd)
_spamd   73091  0.0  0.0  9652  1096 ??  Ip     4:13PM    0:00.00 spamd: (/var/db/spamd update) (spamd)
_spamd   45365  0.0  0.0   592  1180 ??  Ssp    4:13PM    0:00.07 /usr/libexec/spamlogd -I -i lo0
-------------------------------------

smtp# cat /var/log/spamd
Jun 11 12:10:33 smtp spamd[5122]: listening for incoming connections.
Jun 11 13:08:43 smtp spamd[83538]: listening for incoming connections.
Jun 11 13:17:57 smtp spamd[19498]: listening for incoming connections.
Jun 11 14:12:33 smtp spamd[56085]: listening for incoming connections.
Jun 11 15:01:20 smtp spamd[98811]: listening for incoming connections.
Jun 11 15:12:08 smtp spamd[93875]: listening for incoming connections.
Jun 11 16:07:36 smtp spamd[24550]: listening for incoming connections.
Jun 11 16:13:30 smtp spamd[98521]: listening for incoming connections.
Jun 11 19:39:54 smtp spamd[99504]: listening for incoming connections.
Jun 11 19:58:41 smtp spamd[60588]: listening for incoming connections.
--------------------------------------

smtp$ sudo tail -f /var/log/maillog
Jun 11 19:49:54 smtp postfix/anvil[24693]: statistics: max cache size 1 at Jun 11 19:43:21
Jun 11 19:56:34 smtp postfix/smtpd[16856]: connect from 241.ip-158-69-204.net[158.69.204.241]
Jun 11 19:56:35 smtp postfix/smtpd[16856]: NOQUEUE: reject: RCPT from 241.ip-158-69-204.net[158.69.204.241]: 454 4.7.1 <ad...@thorshammare.org>: Relay access denied; from=<bounce-admin=thorshammare....@thepretymus.de> to=<ad...@thorshammare.org> proto=ESMTP helo=<newsletters.hitupcake.eu>
Jun 11 19:56:55 smtp postfix/smtpd[16856]: disconnect from 241.ip-158-69-204.net[158.69.204.241] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6
Jun 11 19:57:47 smtp dovecot: master: Warning: Killed with signal 15 (by pid=0 uid=0 code=kill)
Jun 11 19:57:48 smtp postfix/postfix-script[48101]: stopping the Postfix mail system
Jun 11 19:57:48 smtp postfix/master[33424]: terminating on signal 15
Jun 11 19:58:42 smtp postfix/postfix-script[219]: starting the Postfix mail system
Jun 11 19:58:42 smtp postfix/master[62660]: daemon started -- version 3.3.0, configuration /etc/postfix
Jun 11 19:58:42 smtp dovecot: master: Dovecot v2.2.34 (874deae) starting up for imap, pop3, lmtp
Jun 11 20:06:56 smtp postfix/smtpd[97276]: connect from 241.ip-158-69-204.net[158.69.204.241]
Jun 11 20:06:56 smtp postfix/smtpd[97276]: NOQUEUE: reject: RCPT from 241.ip-158-69-204.net[158.69.204.241]: 454 4.7.1 <ad...@thorshammare.org>: Relay access denied; from=<bounce-admin=thorshammare....@thepretymus.de> to=<ad...@thorshammare.org> proto=ESMTP helo=<newsletters.hitupcake.eu>
Jun 11 20:07:01 smtp postfix/smtpd[44122]: connect from ns3116588.ip-91-121-119.eu[91.121.119.198]
Jun 11 20:07:17 smtp postfix/smtpd[97276]: disconnect from 241.ip-158-69-204.net[158.69.204.241] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6
Jun 11 20:07:21 smtp postfix/smtpd[44122]: disconnect from ns3116588.ip-91-121-119.eu[91.121.119.198] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jun 11 20:10:41 smtp postfix/anvil[34336]: statistics: max connection rate 1/60s for (smtp:158.69.204.241) at Jun 11 20:06:56
Jun 11 20:10:41 smtp postfix/anvil[34336]: statistics: max connection count 1 for (smtp:158.69.204.241) at Jun 11 20:06:56
Jun 11 20:10:41 smtp postfix/anvil[34336]: statistics: max cache size 2 at Jun 11 20:07:01
Jun 11 20:17:16 smtp postfix/smtpd[24149]: connect from 241.ip-158-69-204.net[158.69.204.241]
Jun 11 20:17:17 smtp postfix/smtpd[24149]: NOQUEUE: reject: RCPT from 241.ip-158-69-204.net[158.69.204.241]: 454 4.7.1 <ad...@thorshammare.org>: Relay access denied; from=<bounce-admin=thorshammare....@thepretymus.de> to=<ad...@thorshammare.org> proto=ESMTP helo=<newsletters.hitupcake.eu>
Jun 11 20:17:37 smtp postfix/smtpd[24149]: disconnect from 241.ip-158-69-204.net[158.69.204.241] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6
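
Read with pf's evaluation rule (every rule is evaluated, the last matching rule wins, and a rule carrying "quick" ends evaluation when it matches), the posted pf.conf explains the empty spamdb on its own: the maillog shows 158.69.204.241 reaching postfix/smtpd directly, which is exactly what happens when a connection to port 25 is never diverted. The fragment below is an added example, not part of the original post and not OpenBSD's own spamd(8) example; it keeps only the posted rules that decide the fate of an inbound connection to port 25, annotates the two problems, and shows a corrected set. The macro `mta_services` is introduced here; the interface group `egress`, the tables and the rate-limit values are taken from the post.

```pf
# Added example (not from the original post). Inbound SMTP handling from the
# posted pf.conf, reduced to the rules that match a connection to port 25.
#
# pf semantics: all rules are evaluated, the LAST matching rule wins, except
# that a rule with "quick" stops evaluation as soon as it matches.

# --- As posted (problem) ---
mail_services = "{ smtp, smtps, submission }"

# (1) Diverts smtps and submission as well as smtp. spamd is a fake SMTP
#     server for untrusted sources and does neither TLS nor AUTH, so sending
#     465/587 to it greylists or breaks your own users' submission sessions.
#     The commented-out line in the post ("port smtp") had the right scope.
pass in on egress inet proto tcp from any to any port $mail_services divert-to 127.0.0.1 port spamd
pass in on egress proto tcp from <nospamd> to any port smtp
pass in log on egress proto tcp from <spamd-white> to any port smtp
pass out log on egress proto tcp to any port smtp

# (2) This later rule also matches every inbound connection to port 25 and is
#     "quick", so it is the last matching rule. It has no divert-to, so the
#     connection goes straight to the MTA; spamd never sees it, spamdb stays
#     empty and <spamd-white> is never populated. (The posted
#     "pass in on { $ext_if } inet" has the same effect for any inbound
#     connection it is the last non-quick match for.)
pass log quick proto tcp from any to (egress) port $mail_services flags S/SA keep state (max-src-conn 50, max-src-conn-rate 25/5, overload <bruteforce> flush global)

# --- Corrected ---
# Keep the rate limiting for the ports the MTA serves directly, and take smtp
# out of that set so the spamd rules below are the last match for port 25.
mta_services = "{ smtps, submission }"

# Place this group AFTER any other non-quick "pass in" rule that also matches
# port 25 (such as the posted "pass in on { $ext_if } inet"); otherwise that
# later catch-all, having no divert-to, becomes the last match instead.
#
# The whitelist rules deliberately stay after the divert rule: a source in
# <nospamd> or <spamd-white> matches the divert rule and is then overridden by
# the later, more specific pass rule, which is the pattern from spamd(8).
pass in on egress inet proto tcp from any to any port smtp divert-to 127.0.0.1 port spamd
pass in on egress proto tcp from <nospamd> to any port smtp
pass in log on egress proto tcp from <spamd-white> to any port smtp
# "log" matters here and on the whitelist rule above: spamlogd(8) reads logged
# SMTP connections from a pflog(4) interface (pflog0 by default) to refresh
# whitelist entries, so it should be pointed at pflog, not at lo0.
pass out log on egress proto tcp to any port smtp

pass log quick proto tcp from any to (egress) port $mta_services flags S/SA keep state (max-src-conn 50, max-src-conn-rate 25/5, overload <bruteforce> flush global)
```

After reloading, a fresh connection from an unknown source should show up in `spamdb` as a GREY entry and, after the -G passtime, move to WHITE and into `pfctl -t spamd-white -T show`. The blacklist half of the post is a separate matter: spamd-setup(8) processes only the sources named in the `all` entry of spamd.conf, and the posted `all` lists only `nixspam`, so the `ymer` entry with /etc/mail/spammers.txt is never read; its `msg=` line is also missing the closing quote and the `:\` continuation that the `nixspam` entry has.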
