I'm trying to migrate between upstream providers, and that involves changing the IP addresses. I'm using an OpenBSD 4.3 host with 4 NIC ports as the initial router to accomplish this.
On the mail server, I assigned two public addresses, the old and new ones, and announced both in DNS. Now when SMTP delivery is attempted through the pf scheme, the prompt for EHLO/HELO always gets through, then maybe the actual EHLO does. Sometimes it gets through MAIL, RCPT and DATA, but never gets to the final "." after the message content. If I disable pf, it works! All the other needed NAT, filtering, etc., obviously don't, though.

I thought these rules would cover it, but somehow they don't:

    pass in quick on $ExtIF inet proto tcp to $MailServer
    pass out quick on $ExtIF inet from $MailServer
    pass in quick on $IntIF inet proto tcp to $MailServer
    pass out quick on $IntIF inet from $MailServer

Using pfctl -xl exposes the "loose state match" messages mentioned in the subject. All the messages end either in ",fwd" (in,fwd or out,fwd), never ",rev" -- maybe that's a clue.

    Aug 7 13:33:19 mgmp /bsd: pf: loose state match: TCP client-ip:52912 client-ip:52912 server-ip:25 [lo=3571839991 high=3571839880 win=54 modulator=0] [lo=0 high=54 win=1 modulator=0] 2:0 PA seq=3571839991 (3571839991) ack=0 len=2 ackskew=0 pkts=13:0 dir=out,fwd

I can forward more details to anybody who thinks they might know how to fix this. Of course, this is happening to dozens of customer incoming e-mail messages per hour, some of them not even spam, so I want to fix it before the 4-day limit for mail queues expires. The sooner the better.

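A small triage script for the "loose state match" lines above, added here as an example and not part of the original post: it parses the fields pf prints (the three host:port tokens, the two sequence windows, the src:dst TCP state numbers, the pkts counters and the dir tag) and flags states that only ever saw traffic in one direction, which is what "pkts=13:0", "2:0" and the missing ",rev" entries point at. The sample line is the one quoted in the post; the TCP state numbers are the tcp_fsm.h values pf stores (2 = SYN_SENT, 0 = CLOSED).

```python
import re
from collections import Counter

# One 'loose state match' line as printed by pf_print_state() on OpenBSD 4.x.
# The [^\]]* tolerates an optional ' wscale=N' before the closing bracket.
LINE_RE = re.compile(
    r"loose state match: (?P<proto>\w+) (?P<h1>\S+) (?P<h2>\S+) (?P<h3>\S+) "
    r"\[lo=(?P<slo>\d+) high=(?P<shi>\d+) win=(?P<swin>\d+) modulator=\d+[^\]]*\] "
    r"\[lo=(?P<dlo>\d+) high=(?P<dhi>\d+) win=(?P<dwin>\d+) modulator=\d+[^\]]*\] "
    r"(?P<sstate>\d+):(?P<dstate>\d+) (?P<flags>\S+) seq=(?P<seq>\d+) .*?"
    r"pkts=(?P<spkts>\d+):(?P<dpkts>\d+) dir=(?P<dir>\w+),(?P<path>\w+)"
)
INT_FIELDS = ("slo", "shi", "swin", "dlo", "dhi", "dwin",
              "sstate", "dstate", "seq", "spkts", "dpkts")
TCP_STATE = {0: "CLOSED", 1: "LISTEN", 2: "SYN_SENT", 3: "SYN_RECEIVED",
             4: "ESTABLISHED"}

# Sample input: the line from the post (client-ip/server-ip are the poster's placeholders).
SAMPLE = ("Aug 7 13:33:19 mgmp /bsd: pf: loose state match: TCP client-ip:52912 "
          "client-ip:52912 server-ip:25 [lo=3571839991 high=3571839880 win=54 "
          "modulator=0] [lo=0 high=54 win=1 modulator=0] 2:0 PA seq=3571839991 "
          "(3571839991) ack=0 len=2 ackskew=0 pkts=13:0 dir=out,fwd")

def parse(line):
    """Return a dict of the state fields, or None if the line is not a loose match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in INT_FIELDS:
        entry[key] = int(entry[key])
    return entry

def diagnose(entry):
    """Findings that indicate the return path never reached this state entry."""
    findings = []
    if entry["spkts"] and not entry["dpkts"]:
        findings.append("one-way state: %d packets from the initiator, none back"
                        % entry["spkts"])
    if entry["sstate"] == 2 and entry["dstate"] == 0:
        findings.append("src %s / dst %s: no reply packet ever matched this state"
                        % (TCP_STATE[2], TCP_STATE[0]))
    return findings

def summarize(lines):
    """Count loose matches per (dir, path); all-fwd and no-rev is the asymmetry clue."""
    return Counter((e["dir"], e["path"]) for e in map(parse, lines) if e)
```

Run it over `grep 'loose state match' /var/log/messages` to see whether every entry is one-way and fwd-only, as the post describes.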