Will H. Backman wrote:
Is this a sane minimum configuration for "spamd -g" on a transparent bridge? Is it unwise to only greylist?
----
1. Create bridge with no IPs.

2. pf=YES and spamd_flags="-g" in /etc/rc.conf.local

3. Simple three-line /etc/pf.conf:

ext_if="xl0"

rdr pass inet proto tcp from !<spamd-white> to any \
    port smtp -> 127.0.0.1 port spamd

pass in on $ext_if route-to lo0 proto tcp from any to 127.0.0.1 port spamd
----

The third line of pf.conf was inspired by the example given here:
http://marc.theaimsgroup.com/?l=openbsd-misc&m=108089194621750&w=2
I'm not sure if my modifications for this situation are correct.

Replying to myself:
Would the above rules also trap outbound connections from my MTA?
I would want my MTA to be able to make outbound connections through the bridge. Should I add something to the rdr line to only redirect connections coming into the bridge?
Maybe "rdr on $ext_if pass inet..."

I think I have the answer now, thanks to those who replied to me.
1. Create bridge, but you need an IP because spamd needs to talk back.
2. Add pf=YES and spamd_flags="-g" to /etc/rc.conf.local
3. Simple /etc/pf.conf:
table <spamd-white> persist
rdr pass on egress inet proto tcp from !<spamd-white> to any port smtp -> 127.0.0.1 port spamd
pass out route-to lo0 proto tcp from any to 127.0.0.1 port spamd

Place this system in-line between Internet and your Mail Server.
Your Mail Server should be connected to the bridge interface that doesn't have an IP. Now when a new SMTP connection comes in, it gets redirected to spamd and greylisted. When spamd eventually puts the outside MTA in spamd-white, the connection just passes through the bridge unmolested. Your Mail Server should always be able to send outbound SMTP without being caught in the rdr rule. As far as I can tell, there is no need to allow forwarding between interfaces, because traffic passes through over the bridge.

Now to see if this setup helps more than it hurts.
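
Added example (not part of the thread above, and not OpenBSD's own code): one way to answer "does it help more than it hurts" is to summarise the spamd greylist database from time to time. The script below reads spamdb(8)-format lines on stdin and reports how many hosts are greylisted, how many have been whitelisted, and how many greylisted hosts never completed a retry (the field layout is the one documented in spamdb(8); the sample entries, IPs and timestamps are constructed for illustration, so on the bridge you would pipe the real `spamdb` output in instead).

```shell
#!/bin/sh
# Summarise a spamdb(8) dump from a spamd -g bridge (added example, not from the thread).
# spamdb(8) line layout (pipe-separated):
#   GREY|ip|helo|from|to|first|pass|expire|block-count|pass-count
#   WHITE|ip|||first|pass|expire|block-count|pass-count
# The last field is how many times the entry has been passed; a GREY entry with
# pass-count 0 is a sender that has never retried after being deferred.

# Constructed sample data (RFC 5737 documentation addresses, fake timestamps).
SAMPLE_SPAMDB='GREY|192.0.2.10|mail.example.org|<a@example.org>|<me@example.net>|1100000000|1100001500|1100014400|1|0
GREY|198.51.100.7|bot|<x@example.com>|<me@example.net>|1100000100|1100001600|1100014500|1|0
GREY|203.0.113.5|mx.example.com|<b@example.com>|<me@example.net>|1100000200|1100001700|1100014600|3|2
WHITE|192.0.2.20|||1099990000|1099990000|1103100000|2|5
WHITE|198.51.100.40|||1099980000|1099980000|1103090000|1|1'

# Reads spamdb lines on stdin and prints one line:
#   GREY=<n> WHITE=<n> GREY_NEVER_PASSED=<n>
summarize_spamdb() {
    awk -F'|' '
        $1 == "GREY"  { grey++; if ($10 == 0) never++ }
        $1 == "WHITE" { white++ }
        END { printf "GREY=%d WHITE=%d GREY_NEVER_PASSED=%d\n", grey, white, never }
    '
}

# Prints the source IPs of greylisted hosts that have never completed a retry,
# i.e. the connections the bridge is currently deferring.
grey_never_passed_ips() {
    awk -F'|' '$1 == "GREY" && $10 == 0 { print $2 }'
}

# With --live, read the real database on the bridge; otherwise use the sample.
if [ "${1:-}" = "--live" ]; then
    spamdb | summarize_spamdb
else
    printf '%s\n' "$SAMPLE_SPAMDB" | summarize_spamdb
fi
```

Run it as `sh spamd-summary.sh --live` on the bridge (spamdb needs read access to /var/db/spamd). A WHITE count that grows while GREY_NEVER_PASSED stays high means legitimate MTAs are retrying and getting through while one-shot senders are being dropped; if a legitimate correspondent's server appears in the never-passed list for long, that is the "hurts" case, and its address can be added to the spamd-white table by hand.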
