Re: simple spamd greylisting on transparent bridge
Will H. Backman wrote:
> Will H. Backman wrote:
>> Is this a sane minimum configuration for spamd -g on a transparent bridge? Is it unwise to only greylist?
>>
>> 1. Create bridge with no IPs.
>> 2. pf=YES and spamd_flags=-g in /etc/rc.conf.local
>> 3. Simple three line /etc/pf.conf:
>>
>>     ext_if=xl0
>>     rdr pass inet proto tcp from !<spamd-white> to any \
>>         port smtp -> 127.0.0.1 port spamd
>>     pass in on $ext_if route-to lo0 proto tcp from any to 127.0.0.1 port spamd
>>
>> The third line of pf.conf was inspired by the example given here:
>> http://marc.theaimsgroup.com/?l=openbsd-misc&m=108089194621750&w=2
>> I'm not sure if my modifications for this situation are correct.
>
> Replying to myself:
> Would the above rules also trap outbound connections from my MTA? I would want my MTA to be able to make outbound connections through the bridge. Should I add something to the rdr line to only redirect connections coming into the bridge? Maybe rdr on $ext_if pass inet...

I think I have the answer now, thanks to those who replied to me.

1. Create bridge, but you need an IP because spamd needs to talk back.
2. Add pf=YES and spamd_flags=-g to /etc/rc.conf.local
3. Simple /etc/pf.conf:

    table <spamd-white> persist
    rdr pass on egress inet proto tcp from !<spamd-white> to any port smtp \
        -> 127.0.0.1 port spamd
    pass out route-to lo0 proto tcp from any to 127.0.0.1 port spamd

Place this system in-line between the Internet and your mail server. Your mail server should be connected to the bridge interface that doesn't have an IP. Now when a new SMTP connection comes in, it gets redirected to spamd and greylisted. When spamd eventually puts the outside MTA in spamd-white, the connection just passes through the bridge unmolested. Your mail server should always be able to send outbound SMTP without being caught in the rdr rule. As far as I can tell, there is no need to allow forwarding between interfaces, because traffic passes over the bridge. Now to see if this setup helps more than it hurts.
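A consolidated /etc/pf.conf for the final setup above, written here as an added example and not Will's own file. It assumes xl0 is the bridge member facing the Internet (holding the host's IP and default route, so it is also the "egress" group) and xl1 the member facing the mail server with no IP; it keeps the old-style rdr syntax used in the thread and adds the "log" keyword so spamlogd(8) can refresh whitelist entries from pflog.

```pf
# /etc/pf.conf for a spamd greylisting bridge (constructed example)
# Assumed layout: bridge0 = xl0 + xl1
#   xl0 (ext_if): towards the Internet, carries the host's IP and default route
#   xl1 (int_if): towards the mail server, no IP configured
ext_if = "xl0"
int_if = "xl1"

# spamd(8) adds hosts that complete the greylist retry to this table.
table <spamd-white> persist

# Default: everything crosses the bridge unchanged. pf is last-match, so the
# more specific rules below override this one.
pass all

# Only SMTP arriving on the outside member is diverted to spamd, so the mail
# server's own outbound SMTP (which enters on $int_if) is never caught here.
# "on $ext_if" is equivalent to "on egress" when xl0 holds the default route.
rdr pass on $ext_if inet proto tcp from !<spamd-white> to any port smtp \
    -> 127.0.0.1 port spamd

# A bridge does not route, so the redirected connections are handed to lo0
# explicitly, where spamd listens on port spamd (8025).
pass out route-to lo0 inet proto tcp from any to 127.0.0.1 port spamd

# Whitelisted senders go straight through to the mail server. "log" writes
# these connections to pflog0, where spamlogd(8) picks them up to keep the
# whitelist entries from expiring while the sender stays active.
pass in log on $ext_if inet proto tcp from <spamd-white> to any port smtp
```

Check the file with "pfctl -nf /etc/pf.conf" before loading it, and confirm the table fills over time with "pfctl -t spamd-white -T show".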
simple spamd greylisting on transparent bridge
Is this a sane minimum configuration for spamd -g on a transparent bridge? Is it unwise to only greylist?

1. Create bridge with no IPs.
2. pf=YES and spamd_flags=-g in /etc/rc.conf.local
3. Simple three line /etc/pf.conf:

    ext_if=xl0
    rdr pass inet proto tcp from !<spamd-white> to any \
        port smtp -> 127.0.0.1 port spamd
    pass in on $ext_if route-to lo0 proto tcp from any to 127.0.0.1 port spamd

The third line of pf.conf was inspired by the example given here:
http://marc.theaimsgroup.com/?l=openbsd-misc&m=108089194621750&w=2
I'm not sure if my modifications for this situation are correct.
Re: simple spamd greylisting on transparent bridge
Will H. Backman wrote:
> Is this a sane minimum configuration for spamd -g on a transparent bridge? Is it unwise to only greylist?
>
> 1. Create bridge with no IPs.
> 2. pf=YES and spamd_flags=-g in /etc/rc.conf.local
> 3. Simple three line /etc/pf.conf:
>
>     ext_if=xl0
>     rdr pass inet proto tcp from !<spamd-white> to any \
>         port smtp -> 127.0.0.1 port spamd
>     pass in on $ext_if route-to lo0 proto tcp from any to 127.0.0.1 port spamd
>
> The third line of pf.conf was inspired by the example given here:
> http://marc.theaimsgroup.com/?l=openbsd-misc&m=108089194621750&w=2
> I'm not sure if my modifications for this situation are correct.

Replying to myself:
Would the above rules also trap outbound connections from my MTA? I would want my MTA to be able to make outbound connections through the bridge. Should I add something to the rdr line to only redirect connections coming into the bridge? Maybe rdr on $ext_if pass inet...
Re: simple spamd greylisting on transparent bridge
Will H. Backman wrote:
> Is this a sane minimum configuration for spamd -g on a transparent bridge? Is it unwise to only greylist?

I white-, black- and greylist (in that order). Greylisting requires regular administration due to mail server pools and such. I have not tested, but I strongly suspect that blacklisting blocks server pools that you otherwise would have to consider whitelisting. Of course, you could use greylisting as-is (without administrating/whitelisting), but then you should calculate with the risk of making legitimate mail bounce.

> 1. Create bridge with no IPs.
> 2. pf=YES and spamd_flags=-g in /etc/rc.conf.local
> 3. Simple three line /etc/pf.conf:
>
>     ext_if=xl0
>     rdr pass inet proto tcp from !<spamd-white> to any \
>         port smtp -> 127.0.0.1 port spamd
>     pass in on $ext_if route-to lo0 proto tcp from any to 127.0.0.1 port spamd

I have not set up a transparent bridge (with spamd, anyway), but I suspect you might have to remove the "pass" in "rdr pass" to make the "pass in ..." rule get evaluated at all.

> The third line of pf.conf was inspired by the example given here:
> http://marc.theaimsgroup.com/?l=openbsd-misc&m=108089194621750&w=2
> I'm not sure if my modifications for this situation are correct.

Sounds reasonable.

/alexander