Re: spamd on VirtualBox vm - rdr-to rules not working as expected

2022-05-31 Thread Alex Johnson
Peter-

> My solution was this: Set up an OpenBSD box doing spamd plus any content
> filtering during receipt to a world-facing SMTP server on the same box. Make
> that box the publicly visible MX for the relevant domains, but set up the
> smtpd, postfix or exim (whatever you fancy) configuration to forward to the
> mail server the domain's users will be using.
> 
> I vaguely remember possibly writing about the setup in some detail in a blog
> post, but I forget which one. If I haven't, it's possible I should write that
> up.

I have a recollection of reading something along those lines in your blog some
years ago as well, and I suspect that latent memory is what gave me the idea.
Perhaps when I have some time I’ll do some more searching for that one.

-Alex

P.S. I should also say thanks for your writings. As someone who doesn’t do this
kind of thing as a regular profession, I’ve found your articles both
entertaining and highly informative over the years.

 
Alex Johnson
ax.john...@gmail.com




Re: spamd on VirtualBox vm - rdr-to rules not working as expected

2022-05-27 Thread Alex Johnson
Thank you for your insight. I believe you are exactly correct. I have
previously run OpenBSD as my router and spamd in the classic setup, so
that is my past experience base. I was hoping to use it in this situation
as just a proxy in front of the mail server, but that seems to be getting 
outside of the typical use case, so I’ll look at other
options/configuration.

Again, thank you for your time.
-Alex

Alex Johnson
ax.john...@gmail.com

(P.S. Just changed the e-mail registered on the list, so this is
the same Alex)


> On May 27, 2022, at 12:29 AM, Stuart Henderson wrote:
> 
> On 2022-05-27, Arete  wrote:
>> I’m setting up spamd in front of a Postfix mail server, and am having
>> an issue with rdr-to rules not working the way I expect.
>> 
>> My setup: Re-purposed Mac Mini running MacOS 12.4 Monterey, Postfix &
>> Dovecot, smtp port-forwarded to this box from my firewall. OpenBSD 7.1
>> running in a VirtualBox machine on the same Mac Mini, with bridged
>> networking enabled.
>> 
>> Postfix on the Mac Mini can receive mail just fine from the internet
>> through the firewall. The mini has the IP address 192.168.20.15.
>> OpenBSD is configured and running with spamd (greylisting enabled) in
>> the VM, with IP address 192.168.20.16 - pf.conf rules as follows:
> 
> So if I understand correctly you have
> 
> internet -> firewall -> 192.168.20.0/24
> 
> and in 192.168.20.0/24 you have
> 
> - firewall
> - vm running spamd 
> - machine running postfix
> 
> incoming packet flow is internet -> firewall -> spamd -> postfix, but
> as the source address is unchanged by rdr-to, return packet flow is
> postfix -> firewall -> internet, bypassing the spamd vm, so there is
> nothing to "untranslate" the rdr-to.
> 
> The classic spamd setup is where it's run on a firewall which is set as
> default gateway on the mail server. Alternatively it also works where the
> mail daemon is running directly on the machine running spamd.
> 
> To run the mail daemon on another machine in the same subnet _alongside_
> spamd, you need to provide a way to get the return packets back through
> the spamd machine; if the mail server was running OpenBSD you could
> probably do this with "pass in quick from !192.168.20.0/24 to port
> smtp reply-to 192.168.20.16". There might be a way to do this with the
> version of PF in MacOS but I couldn't say how.
> 
> To be honest what I would do in your situation is forget about spamd.
> You could use postfix with postscreen and enable "after-greeting" tests,
> which means that an unknown client must attempt a connection, get a
> temporary failure, and reconnect (which it can do straight away)
> before being able to send mail. Or you could use explicit greylisting
> software (e.g. postgrey, policyd) or spam-filtering software that can
> also do greylisting (rspamd can do this and is typically configured
> to skip greylisting on mail with a low spam-score, which significantly
> reduces the negative impact of greylisting).
> 
> 
> -- 
> Please keep replies on the mailing list.
> 



Re: spamd on VirtualBox vm - rdr-to rules not working as expected

2022-05-27 Thread nacelle

On Thu, 26 May 2022, Arete wrote:

My setup: Re-purposed Mac Mini running MacOS 12.4 Monterey, Postfix &
Dovecot, smtp port-forwarded to this box from my firewall. OpenBSD 7.1
running in a VirtualBox machine on the same Mac Mini, with bridged
networking enabled.


insert obvious comment about OpenBSD's ability to run Postfix and Dovecot.


a connection is never made to the Postfix server on the host machine 
(192.168.20.15:25).


Sounds like a routing triangle.  The host machine should have its default 
gateway as 192.168.20.16 and not the internet firewall.  (for other 
protocols, you could NAT inbound requests to the .16 address, but this is 
smtp... you want the source IPs for spamd purposes, etc.)



I’m sure there’s something I’m missing, but I
haven’t been able to figure out what. Any insight is most appreciated.


tcpdump or wireshark are a good way to see requests and responses (or
lack thereof)


P.S. dmesg for the OpenBSD VM:


I suggest adjusting your virtual hardware for higher performance/lower 
overhead:



wd0 at pciide0 channel 0 drive 0: 


OpenBSD supports virtio-scsi, much faster than emulated IDE


em0 at pci0 dev 3 function 0 "Intel 82540EM" rev 0x02: apic 1 int 19, address 
08:00:27:a4:36:7c


OpenBSD supports virtio-net, which has lower overhead than a virtualized 
EM device.  You also get much higher throughput with the host



auich0 at pci0 dev 5 function 0 "Intel 82801AA AC97" rev 0x01: apic 1 int 21, 
ICH


I suggest removing the emulated sound card


Re: spamd on VirtualBox vm - rdr-to rules not working as expected

2022-05-27 Thread Stuart Henderson
On 2022-05-27, Arete  wrote:
> I’m setting up spamd in front of a Postfix mail server, and am having
> an issue with rdr-to rules not working the way I expect.
>
> My setup: Re-purposed Mac Mini running MacOS 12.4 Monterey, Postfix &
> Dovecot, smtp port-forwarded to this box from my firewall. OpenBSD 7.1
> running in a VirtualBox machine on the same Mac Mini, with bridged
> networking enabled.
>
> Postfix on the Mac Mini can receive mail just fine from the internet
> through the firewall. The mini has the IP address 192.168.20.15.
> OpenBSD is configured and running with spamd (greylisting enabled) in
> the VM, with IP address 192.168.20.16 - pf.conf rules as follows:

So if I understand correctly you have

internet -> firewall -> 192.168.20.0/24

and in 192.168.20.0/24 you have

- firewall
- vm running spamd 
- machine running postfix

incoming packet flow is internet -> firewall -> spamd -> postfix, but
as the source address is unchanged by rdr-to, return packet flow is
postfix -> firewall -> internet, bypassing the spamd vm, so there is
nothing to "untranslate" the rdr-to.

The classic spamd setup is where it's run on a firewall which is set as
default gateway on the mail server. Alternatively it also works where the
mail daemon is running directly on the machine running spamd.

To run the mail daemon on another machine in the same subnet _alongside_
spamd, you need to provide a way to get the return packets back through
the spamd machine; if the mail server was running OpenBSD you could
probably do this with "pass in quick from !192.168.20.0/24 to port
smtp reply-to 192.168.20.16". There might be a way to do this with the
version of PF in MacOS but I couldn't say how.

To be honest what I would do in your situation is forget about spamd.
You could use postfix with postscreen and enable "after-greeting" tests,
which means that an unknown client must attempt a connection, get a
temporary failure, and reconnect (which it can do straight away)
before being able to send mail. Or you could use explicit greylisting
software (e.g. postgrey, policyd) or spam-filtering software that can
also do greylisting (rspamd can do this and is typically configured
to skip greylisting on mail with a low spam-score, which significantly
reduces the negative impact of greylisting).


-- 
Please keep replies on the mailing list.
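The routing triangle described above by Stuart and by nacelle (replies from the mail server go to its default gateway, the firewall, and never pass the spamd VM that holds the rdr-to state) can be confirmed from the mail server itself. What follows is an added example, not code from the thread: a POSIX sh script that reads `route -n get <client>` output (OpenBSD and macOS both print a `gateway:` field) and reports whether the next hop for replies is the spamd host. The 192.168.20.x addresses are the thread's; the client address 203.0.113.5 and the two sample route outputs are constructed. One caveat: the script only inspects the kernel route, so if the mail server is OpenBSD and the return path is forced with the `reply-to` rule Stuart quotes rather than by changing the default route, the check will still report a triangle; in that case inspect the pf rule, not the route.

```shell
#!/bin/sh
# Added example, not from the thread: detect the spamd routing triangle from
# the mail server. Reads `route -n get <client>` output and checks whether the
# next hop for replies is the spamd host (192.168.20.16 in the thread).
# The client address 203.0.113.5 and the sample outputs are constructed.

# gateway_from_route_get: read `route -n get` output on stdin and print the
# next-hop address from its "gateway:" line. Returns 1 if there is none.
gateway_from_route_get() {
    while IFS= read -r line; do
        case "$line" in
            *gateway:*)
                gw=${line##*gateway:}
                gw=${gw#"${gw%%[![:space:]]*}"}   # trim leading blanks
                gw=${gw%"${gw##*[![:space:]]}"}   # trim trailing blanks
                printf '%s\n' "$gw"
                return 0 ;;
        esac
    done
    return 1
}

# return_path_ok CLIENT SPAMD_HOST: route output on stdin. Returns 0 when
# replies to CLIENT leave via SPAMD_HOST (so the rdr-to state there can be
# untranslated), 1 when they bypass it (the triangle), 2 if no gateway found.
return_path_ok() {
    client=$1 spamd_host=$2
    gw=$(gateway_from_route_get) || gw=
    if [ -z "$gw" ]; then
        echo "$client: no gateway line in route output" >&2
        return 2
    fi
    if [ "$gw" = "$spamd_host" ]; then
        echo "$client: replies leave via $spamd_host; path is symmetric"
        return 0
    fi
    echo "$client: replies leave via $gw and bypass $spamd_host (routing triangle)."
    echo "Fix: make $spamd_host the default gateway of this host, or on OpenBSD"
    echo "force the return path with a pf 'reply-to $spamd_host' rule on port smtp."
    return 1
}

# Constructed samples in the shape of `route -n get 203.0.113.5` on the mail
# server: first with the firewall as default gateway (the thread's setup),
# then after pointing the default route at the spamd VM.
ROUTE_VIA_FIREWALL='   route to: 203.0.113.5
destination: default
       mask: default
    gateway: 192.168.20.1
  interface: em0
 if address: 192.168.20.15
      flags: <UP,GATEWAY,DONE,STATIC>'

ROUTE_VIA_SPAMD='   route to: 203.0.113.5
destination: default
       mask: default
    gateway: 192.168.20.16
  interface: em0
 if address: 192.168.20.15
      flags: <UP,GATEWAY,DONE,STATIC>'

# Live use on the mail server (not run here):
#   route -n get 203.0.113.5 | return_path_ok 203.0.113.5 192.168.20.16
```

Run it on the mail server with a real internet client address; a result of 1 means the rdr-to on the spamd VM can never be untranslated, whatever the VM's pf.conf says.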



spamd on VirtualBox vm - rdr-to rules not working as expected

2022-05-26 Thread Arete
Hello-

I’m setting up spamd in front of a Postfix mail server, and am having
an issue with rdr-to rules not working the way I expect.

My setup: Re-purposed Mac Mini running MacOS 12.4 Monterey, Postfix &
Dovecot, smtp port-forwarded to this box from my firewall. OpenBSD 7.1
running in a VirtualBox machine on the same Mac Mini, with bridged
networking enabled.

Postfix on the Mac Mini can receive mail just fine from the internet
through the firewall. The mini has the IP address 192.168.20.15.
OpenBSD is configured and running with spamd (greylisting enabled) in
the VM, with IP address 192.168.20.16 - pf.conf rules as follows:

#macros
lan="192.168.10.0/24"
kootenai = "192.168.20.15"
set skip on lo

#default deny
block log all

#allow ssh from lan
pass in proto tcp from $lan to port ssh

#allow outbound connections for package, updates, time etc
pass out proto { tcp udp } to port { 22 53 80 123 443 }

# allow pings outbound
pass out inet proto icmp icmp-type { echoreq }

# rules for spamd(8)
# (the table names in angle brackets were lost in the archive copy and are
# restored here from the description below: spamd, spamd-white, localwhite,
# nospamd)
table <spamd> persist
table <spamd-white> persist
table <localwhite> persist file "/etc/mail/whitelist.txt"
table <nospamd> persist file "/etc/mail/nospamd"

#mail traffic goes to spamd by default
pass in log on egress inet proto tcp from any to any port smtp \
    divert-to 127.0.0.1 port smtp

#send traffic to the mail server from our white lists & who've
#passed greylisting
pass in log on egress proto tcp from <localwhite> to any port smtp \
    rdr-to $kootenai port smtp
pass in log on egress proto tcp from <nospamd> to any port smtp \
    rdr-to $kootenai port smtp
pass in log on egress proto tcp from <spamd-white> to any port smtp \
    rdr-to $kootenai port smtp

#allow smtp out
pass out log on egress proto tcp to any port smtp



When I switch my firewall to forward SMTP to the OpenBSD VM
(192.168.20.16:25), I get the following behavior:

Connections from the internet to port 25 get through to the OpenBSD
machine, connecting to port 25. If the connecting IP is not in any
whitelists, it gets forwarded to spamd (divert-to) as expected, and
the IP address added to the spamd table and greylisted. If the
connecting IP is in a whitelist (localwhite, nospamd, spamd-white),
the relevant rdr-to rule gets matched, but a connection is never made
to the Postfix server on the host machine (192.168.20.15:25).

- I can telnet from the OpenBSD VM to port 25 on the host machine and
connect just fine.
- If I telnet from another machine on the local network to port 25 on
the OpenBSD VM, and the machine is not in a whitelist, I talk to
spamd as expected.
- If I telnet from another machine on the local network to port 25 on
the OpenBSD VM, and the machine is in a whitelist, I get a connection 
timeout. By monitoring the pflog0 interface, I can see the connection
coming in and matching the pass in rdr-to rule, and then going out
matching the pass out rule (last two rules in the above pf.conf). 
I can also see the incoming and outgoing connections while monitoring
the em0 interface.

I’m sure there’s something I’m missing, but I
haven’t been able to figure out what. Any insight is most appreciated.

Thanks!
-Alex


P.S. dmesg for the OpenBSD VM:

littlechief$ dmesg
OpenBSD 7.1 (GENERIC) #151: Mon Apr 11 18:57:52 MDT 2022
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
real mem  = 1073168384 (1023MB)
avail mem = 1036857344 (988MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 06/23/99, BIOS32 rev. 0 @ 0xfda00, SMBIOS rev. 2.5 @ 
0xe1000 (10 entries)
bios0: vendor innotek GmbH version "VirtualBox" date 12/01/2006
bios0: innotek GmbH VirtualBox
acpi0 at bios0: ACPI 4.0
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP APIC SSDT
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5-4260U CPU @ 1.40GHz ("GenuineIntel" 686-class) 2.03 
GHz, 06-45-01
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,RDRAND,NXE,RDTSCP,LONG,LAHF,ABM,ITSC,FSGSBASE,AVX2,INVPCID,MD_CLEAR,L1DF,MELTDOWN
mtrr: CPU supports MTRRs but not enabled by BIOS
cpu0: apic clock running at 999MHz
cpu0: mwait min=64, max=64
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins, remapped
acpiprt0 at acpi0: bus 0 (PCI0)
"PNP0A03" at acpi0 not configured
acpiac0 at acpi0: AC unit online
acpicpu0 at acpi0: C1(@1 halt!)
acpivideo0 at acpi0: GFX0
bios0: ROM list: 0xc/0x8000 0xe2000/0xd400
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371AB IDE" rev 0x0

Re: Spamd as a proxy

2022-04-15 Thread Stuart Henderson
On 2022-04-15, alejan...@rogue-research.com wrote:
> Hi Mr Hansteen,
>
> Thanks for the reply, I started my journey with OpenBSD this week and I 
> decided to buy your book to help me understand its PF system, it's been 
> very helpful. I've been reading man pages from pf,spamd,opensmtpd and 
> sysctl, perhaps I just need more reading and time to fully understand 
> what is wrong with my setup.
>
> Since I am using 2 hosts (1 antispamer, 1 smtp server) on the same LAN, 
> I thought `rdr-to` would not work as stated on: 
><https://www.openbsd.org/faq/pf/rdr.html>, under the section 
> "Redirection and Reflection" which is why I used `divert-to`. But 
> neither work, thus, I am left with no ideas as of how to forward the 
> emails from the antispam machine to the email server.
>
> What's different from all the docs and examples I've found is that I'm 
> trying to use two hosts, and everything I've seen seems to assume spamd 
> and the smtp server are on the same host. If `rdr-to` is not the way to 
> go, how must I overcome this challenge?

spamd expects to either be on the same host as the real SMTP service,
or on a router/firewall in front of that host. the only way to do proxy
like this on a host in a subnet alongside the smtp server (with another
firewall "in front") is to rdr *and* nat. but for obvious reasons you
really want the SMTP service to see the original source IP so nat isn't
much help...




Re: Spamd as a proxy

2022-04-15 Thread alejandro

Hi Mr Hansteen,

Thanks for the reply, I started my journey with OpenBSD this week and I 
decided to buy your book to help me understand its PF system, it's been 
very helpful. I've been reading man pages from pf,spamd,opensmtpd and 
sysctl, perhaps I just need more reading and time to fully understand 
what is wrong with my setup.


Since I am using 2 hosts (1 antispamer, 1 smtp server) on the same LAN, 
I thought `rdr-to` would not work as stated on: 
<https://www.openbsd.org/faq/pf/rdr.html>, under the section 
"Redirection and Reflection" which is why I used `divert-to`. But 
neither work, thus, I am left with no ideas as of how to forward the 
emails from the antispam machine to the email server.


What's different from all the docs and examples I've found is that I'm 
trying to use two hosts, and everything I've seen seems to assume spamd 
and the smtp server are on the same host. If `rdr-to` is not the way to 
go, how must I overcome this challenge?




On 2022-04-15 14:11, Peter Nicolai Mathias Hansteen wrote:

15. apr. 2022 kl. 19:56 skrev alejan...@rogue-research.com:

Greetings everyone,
First time posting here and so bear with me please :)
I have a mail server I don't want to touch; I want to set up another 
machine in front of it running spamd.
I have tried using `rdr-to` instead of `divert-to` but neither seem to 
work

This is what my pf rules look like in "/etc/pf.conf"
```
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"

# Incoming connections that are whitelisted/nospamd go directly to the
# smtp server
pass in quick log (all, to pflog0) on egress proto tcp from { <spamd-white> <nospamd> } \
    to any port smtp divert-to mailserver.domain.com port smtp
```


No. Please read the man page. You do not need divert-to here. If you
do need it, your network design is wrong.

Try looking up http://home.nuug.no/~peter/pftutorial/#52
<http://home.nuug.no/~peter/pftutorial/#52> (or better yet for me, buy
the book :))

All the best,
Peter

—
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.




Spamd as a proxy

2022-04-15 Thread alejandro

Greetings everyone,
First time posting here and so bear with me please :)
I have a mail server I don't want to touch; I want to set up another 
machine in front of it running spamd.
I have tried using `rdr-to` instead of `divert-to` but neither seem to 
work

This is what my pf rules look like in "/etc/pf.conf"
```
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"

# Incoming connections that are whitelisted/nospamd go directly to the
# smtp server
pass in quick log (all, to pflog0) on egress proto tcp from { <spamd-white> <nospamd> } \
    to any port smtp divert-to mailserver.domain.com port smtp

# Divert unknown tcp connections with destination port 25 to spamd
pass in quick log (all, to pflog0) on egress proto tcp from any to any \
    port smtp divert-to 127.0.0.1 port spamd
```
I have enabled packet forwarding with `doas sysctl net.inet.ip.forwarding=1`
(`net.inet.ip.forwarding: 0 -> 1`).


I am using `nc` to test my connection with the real smtp server through 
the antispam server but I am getting connection timeout every time.
When I check the logs, I can see the client sends a first SYN packets to 
the antispam and from there the packets get forwarded to the smtp 
server, but I don’t see any replies from the smtp server. There are no 
rules on the smtp server blocking the connections from my client and 
this is all done locally.

Can anyone help me? Any ideas as of why my set up is not working?



Re: use pfctl to reread /etc/mail/spamd-white table

2021-10-29 Thread Chris Bennett
On Fri, Oct 29, 2021 at 09:49:43AM +0200, Peter N. M. Hansteen wrote:
> 
> How do you maintain the contents of the /etc/mail/spamd-white file?
> 
> As in, do you have a cron job or similar that dumps the contents of the
> table there?
> 

This little tidbit of necessary information is not really mentioned
anywhere.
(Forgive the noise if that has changed)

My assumption years ago was that pf would update the files itself.
Obviously, I didn't realize that for a while. Neither did my files.

--
Chris Bennett



Re: use pfctl to reread /etc/mail/spamd-white table

2021-10-29 Thread Harald Dunkel

On 2021-10-28 12:06:24, Zé Loff wrote:


 From the man page:

 For the add, delete, replace, and test commands, the list of
 addresses can be specified either directly on the command
 line and/or in an unformatted text file, using the -f flag.

So:

 pfctl -t spamd-white -T add -f /etc/mail/spamd-white
  
should do it.




I am deeply sorry; I was too blind to see. Thank you very much
for the pointer.

Regards
Harri



Re: use pfctl to reread /etc/mail/spamd-white table

2021-10-28 Thread Mischa

On 2021-10-28 12:58, Otto Moerbeek wrote:

On Thu, Oct 28, 2021 at 11:55:33AM +0200, Harald Dunkel wrote:


Hi folks,

my pf.conf contains

table  persist file "/etc/mail/spamd-white"

I understand that I can add and delete hosts from the table manually
later, but on very large tables this is pretty painful. There is a 
high

risk that the table has just been flushed and is not up-to-date yet,
while the next EMail comes in.

Would it be possible to add some magic to pfctl -T to reread the whole
table from file and hand it off to pf in an atomic operation?


Regards
Harri



AFAIK

    pfctl -t spamd-white -T replace -g /etc/mail/spamd-white


s/-g/-f/ :)

Mischa



does already do an update of the table in an atomic way.

-Otto




Re: use pfctl to reread /etc/mail/spamd-white table

2021-10-28 Thread Theo de Raadt
>> I don't know how atomic that is: is the table either empty
>> or does it contain all the addresses in the file? I would
>> guess the addresses are added as they are read, just like
>> when you add them manually.
>> 
>
>That is a wrong guess. pf tries to do things atomically when it makes
>sense is the general rule.

Yep, great effort was put into making the /dev/pf ioctl interface support
a number of atomic request/changes.



Re: use pfctl to reread /etc/mail/spamd-white table

2021-10-28 Thread Otto Moerbeek
On Thu, Oct 28, 2021 at 12:15:45PM +0200, Jan Stary wrote:

> On Oct 28 11:55:33, harald.dun...@aixigo.com wrote:
> > Hi folks,
> > 
> > my pf.conf contains
> > 
> > table  persist file "/etc/mail/spamd-white"
> > 
> > I understand that I can add and delete hosts from the table manually
> > later, but on very large tables this is pretty painful.
> > There is a high risk that the table has just been flushed
> 
> Why would the table be flushed?
> 
> > and is not up-to-date yet,
> > while the next EMail comes in.
> 
> What do you mean by up to date
> and what does it have to do with the "pain"
> of adding addresses? An address is added when it is added.
> 
> > table from file and hand it off to pf in an atomic operation?
> 
> man pfctl says:
> 
>   For the add, delete, replace, and test commands, the list of
>   addresses can be specified either directly on the command line
>   and/or in an unformatted text file, using the -f flag.
> 
> I don't know how atomic that is: is the table either empty
> or does it contain all the addresses in the file? I would
> guess the addresses are added as they are read, just like
> when you add them manually.
> 

That is a wrong guess. pf tries to do things atomically when it makes
sense is the general rule.

-Otto



Re: use pfctl to reread /etc/mail/spamd-white table

2021-10-28 Thread Otto Moerbeek
On Thu, Oct 28, 2021 at 11:55:33AM +0200, Harald Dunkel wrote:

> Hi folks,
> 
> my pf.conf contains
> 
>   table  persist file "/etc/mail/spamd-white"
> 
> I understand that I can add and delete hosts from the table manually
> later, but on very large tables this is pretty painful. There is a high
> risk that the table has just been flushed and is not up-to-date yet,
> while the next EMail comes in.
> 
> Would it be possible to add some magic to pfctl -T to reread the whole
> table from file and hand it off to pf in an atomic operation?
> 
> 
> Regards
> Harri
> 

AFAIK

pfctl -t spamd-white -T replace -g /etc/mail/spamd-white

does already do an update of the table in an atomic way.

-Otto
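The `pfctl -t spamd-white -T replace -f /etc/mail/spamd-white` reload that Otto and Zé Loff point to (with Mischa's `-f` for `-g` correction) hands pf the whole table in one request, which pf applies atomically, as Otto and Theo confirm further up the thread. It will, however, install whatever is in the file. The script below is an added example, not from the thread: a POSIX sh wrapper that first checks that every non-comment line is an IPv4 address or CIDR prefix and refuses the reload otherwise. spamd and spamlogd are IPv4-only (see the IPv6 threads on this page), so an IPv6 entry in the whitelist is a sign that something else is writing to the file. The file path and table name are the thread's; the sample entries used to exercise the validator are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: validate /etc/mail/spamd-white before
# handing it to "pfctl -T replace -f", so the atomic swap never installs a
# malformed table. spamd/spamlogd are IPv4-only, so only dotted-quad
# addresses with an optional /prefix are accepted. File path and table name
# follow the thread; any sample entries are constructed.

# is_ipv4_entry ADDR[/PREFIX]: return 0 if well-formed, 1 otherwise.
is_ipv4_entry() {
    entry=$1
    case "$entry" in
        */*) addr=${entry%%/*}; prefix=${entry#*/} ;;
        *)   addr=$entry;       prefix= ;;
    esac
    # Dotted quad only: digits and dots, no empty labels.
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet; do
        { [ ${#octet} -le 3 ] && [ "$octet" -le 255 ]; } || return 1
    done
    # Prefix length, when present, must be 0..32.
    case "$entry" in
        */*)
            case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
            { [ ${#prefix} -le 2 ] && [ "$prefix" -le 32 ]; } || return 1 ;;
    esac
    return 0
}

# validate_whitelist FILE: print "LINE: ENTRY" for each malformed entry and
# return 1; return 0 if the file is clean. Blank lines and "#" comments are
# skipped, as pfctl does when reading a table file.
validate_whitelist() {
    wl_file=$1; bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        entry=${line%%#*}
        entry=${entry#"${entry%%[![:space:]]*}"}   # trim leading blanks
        entry=${entry%"${entry##*[![:space:]]}"}   # trim trailing blanks
        [ -n "$entry" ] || continue
        if ! is_ipv4_entry "$entry"; then
            printf '%s: %s\n' "$n" "$entry"
            bad=1
        fi
    done < "$wl_file"
    return $bad
}

# reload_spamd_white FILE [TABLE]: validate, then replace the table contents
# in a single pfctl call (pf applies the replacement atomically) and report
# how many entries the kernel now holds.
reload_spamd_white() {
    wl_file=$1; table=${2:-spamd-white}
    if ! validate_whitelist "$wl_file"; then
        echo "refusing to load $wl_file into <$table>: malformed entries listed above" >&2
        return 1
    fi
    pfctl -t "$table" -T replace -f "$wl_file" &&
        pfctl -t "$table" -T show | wc -l
}

# Usage on the spamd host (needs pf; not run as part of this example):
#   sh reload-spamd-white.sh --apply /etc/mail/spamd-white
if [ "${1:-}" = "--apply" ]; then
    reload_spamd_white "${2:-/etc/mail/spamd-white}"
fi
```

Because `-T replace` is a whole-table swap, a file that has been truncated or half-written (the failure mode Harald worries about) would otherwise empty the whitelist in one step; running the validator first, and writing the file via a temporary name and `mv`, keeps the kernel table either old or complete.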



Re: use pfctl to reread /etc/mail/spamd-white table

2021-10-28 Thread Jan Stary
On Oct 28 11:55:33, harald.dun...@aixigo.com wrote:
> Hi folks,
> 
> my pf.conf contains
> 
>   table  persist file "/etc/mail/spamd-white"
> 
> I understand that I can add and delete hosts from the table manually
> later, but on very large tables this is pretty painful.
> There is a high risk that the table has just been flushed

Why would the table be flushed?

> and is not up-to-date yet,
> while the next EMail comes in.

What do you mean by up to date
and what does it have to do with the "pain"
of adding addresses? An address is added when it is added.

> table from file and hand it off to pf in an atomic operation?

man pfctl says:

For the add, delete, replace, and test commands, the list of
addresses can be specified either directly on the command line
and/or in an unformatted text file, using the -f flag.

I don't know how atomic that is: is the table either empty
or does it contain all the addresses in the file? I would
guess the addresses are added as they are read, just like
when you add them manually.



Re: use pfctl to reread /etc/mail/spamd-white table

2021-10-28 Thread Zé Loff


On Thu, Oct 28, 2021 at 11:55:33AM +0200, Harald Dunkel wrote:
> Hi folks,
> 
> my pf.conf contains
> 
>   table  persist file "/etc/mail/spamd-white"
> 
> I understand that I can add and delete hosts from the table manually
> later, but on very large tables this is pretty painful. There is a high
> risk that the table has just been flushed and is not up-to-date yet,
> while the next EMail comes in.
> 
> Would it be possible to add some magic to pfctl -T to reread the whole
> table from file and hand it off to pf in an atomic operation?

From the man page:

For the add, delete, replace, and test commands, the list of
addresses can be specified either directly on the command
line and/or in an unformatted text file, using the -f flag.

So:

pfctl -t spamd-white -T add -f /etc/mail/spamd-white
 
should do it.

> 
> Regards
> Harri
> 

-- 
 



use pfctl to reread /etc/mail/spamd-white table

2021-10-28 Thread Harald Dunkel

Hi folks,

my pf.conf contains

table  persist file "/etc/mail/spamd-white"

I understand that I can add and delete hosts from the table manually
later, but on very large tables this is pretty painful. There is a high
risk that the table has just been flushed and is not up-to-date yet,
while the next EMail comes in.

Would it be possible to add some magic to pfctl -T to reread the whole
table from file and hand it off to pf in an atomic operation?


Regards
Harri



Re: spamd IPv6 listener 6.9amd64

2021-05-19 Thread Craig Skinner
Hi Martin,

On Wed, 12 May 2021 13:24:29 + Martin wrote:
> I can't find in spamd(8) how to enable IPv6 listener ...

I thought there was an unofficial patch put up somewhere several years
ago, but I can't find it now. This is the nearest my searching got:

https://undeadly.org/cgi?action=article=20131022072601

https://twitter.com/phessler/status/626312742367068160?lang=en

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223203



Not IpV6, but there is this well tested patch:
https://github.com/bdijkstra82/OpenBSD-spamlogd


Cheers,
Craig.



Re: spamd IPv6 listener 6.9amd64

2021-05-12 Thread Martin
Hi Peter,

Great book of PF. I've read it early in 2015, very useful.

Since last updates all the incoming connections to my mail servers are IPv6, 
unfortunately. Just before the updates it was IPv4, so spamd has been used for 
all the incoming connections outside whitelists of known peers. Works like a 
charm.

Now I'm looking forward to exchange spamd to rspamd (it has DKIM signing 
functionality) to replace spamd and dkimproxy which working in current 
configuration.

Hope it can provide required functionality for IPv6 networks.

Martin

‐‐‐ Original Message ‐‐‐
On Wednesday, May 12, 2021 4:47 PM, Peter Nicolai Mathias Hansteen wrote:

> > 12.  mai 2021 kl. 15:24 skrev Martin martin...@protonmail.com:
> >
> > Hi list,
> > I can't find in spamd(8) how to enable IPv6 listener in addition to IPv4 
> > one.
> > Is it possible to set spamd(8) to listen on both IPv4 and IPv6?
>
> Unfortunately spamd is IPv4 only.
>
> Back in the day (2014ish?, about the time I was finishing up the 3rd ed of 
> The Book of PF) there was talk of and possibly even an ambition of making it 
> IPv6 capable. I remember discussing some of this with phessler at the time 
> and left the descriptions in the book somewhat vague on the matter, hoping to 
> get back to the issue soon. However I never saw code ready for testing.
>
> I was under the impression that one of the hurdles to overcome was to define 
> a sane version of greylisting to implement for IPv6 with its much larger set 
> of addresses. But there could easily have been other issues that affected the 
> effort.
>
> So until other news on the matter turns up, it is better to rdr-to port spamd 
> only for inet, not inet6.
>
> All the best,
> Peter
>
> —
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.




Re: spamd IPv6 listener 6.9amd64

2021-05-12 Thread Peter Nicolai Mathias Hansteen


> 12. mai 2021 kl. 15:24 skrev Martin :
> 
> Hi list,
> 
> I can't find in spamd(8) how to enable IPv6 listener in addition to IPv4 one.
> 
> Is it possible to set spamd(8) to listen on both IPv4 and IPv6?

Unfortunately spamd is IPv4 only.

Back in the day (2014ish?, about the time I was finishing up the 3rd ed of The 
Book of PF) there was talk of and possibly even an ambition of making it IPv6 
capable. I remember discussing some of this with phessler at the time and left 
the descriptions in the book somewhat vague on the matter, hoping to get back 
to the issue soon. However I never saw code ready for testing.

I was under the impression that one of the hurdles to overcome was to define a 
sane version of greylisting to implement for IPv6 with its much larger set of 
addresses. But there could easily have been other issues that affected the 
effort.

So until other news on the matter turns up, it is better to rdr-to port spamd 
only for inet, not inet6.

All the best,
Peter


—
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.








Re: spamd IPv6 listener 6.9amd64

2021-05-12 Thread Aisha Tammy

afaik spamd(8) does not support ipv6 (yet).
I also do not know if there is any ongoing effort for ipv6 to be added.

On 5/12/21 9:24 AM, Martin wrote:

Hi list,

I can't find in spamd(8) how to enable IPv6 listener in addition to IPv4 one.

Is it possible to set spamd(8) to listen on both IPv4 and IPv6?

Martin





spamd IPv6 listener 6.9amd64

2021-05-12 Thread Martin
Hi list,

I can't find in spamd(8) how to enable IPv6 listener in addition to IPv4 one.

Is it possible to set spamd(8) to listen on both IPv4 and IPv6?

Martin



Re: spamd IPv6 listener 6.9amd64

2021-05-12 Thread Patrick Wildt
Am Wed, May 12, 2021 at 09:46:28AM -0400 schrieb Aisha Tammy:
> afaik spamd(8) does not support ipv6 (yet).
> I also do not know if there is any ongoing effort for ipv6 to be added.
> 
> On 5/12/21 9:24 AM, Martin wrote:
> > Hi list,
> > 
> > I can't find in spamd(8) how to enable IPv6 listener in addition to IPv4 
> > one.
> > 
> > Is it possible to set spamd(8) to listen on both IPv4 and IPv6?
> > 
> > Martin
> > 

I'm using rspamd, that's a pretty good application.



Re: spamd vs IPv6

2021-02-22 Thread Edgar Pettijohn
On Mon, Feb 22, 2021 at 06:28:29PM +, Nick Guenther wrote:
> February 22, 2021 1:22 PM, "Edgar Pettijohn"  wrote:
> 
> > Have you tried starting spamd with '-l ::1' to alter its address to bind
> > to?
> 
> I hadn't! But it's no help:
> 
> comms# /usr/libexec/spamd -l ::1 -d -v -G 15:4:864 -C 
> /etc/letsencrypt/live/comms.kousu.ca/fullchain.pem -K 
> /etc/letsencrypt/live/comms.kousu.ca/privkey.paranoid.pem 
> spamd: getaddrinfo: no address associated with name
>

Looks like its hardcoded to only support inet4.



Re: spamd vs IPv6

2021-02-22 Thread Nick Guenther
February 22, 2021 1:22 PM, "Edgar Pettijohn"  wrote:

> Have you tried starting spamd with '-l ::1' to alter its address to bind
> to?

I hadn't! But it's no help:

comms# /usr/libexec/spamd -l ::1 -d -v -G 15:4:864 -C 
/etc/letsencrypt/live/comms.kousu.ca/fullchain.pem -K 
/etc/letsencrypt/live/comms.kousu.ca/privkey.paranoid.pem 
spamd: getaddrinfo: no address associated with name



Re: spamd vs IPv6

2021-02-22 Thread Edgar Pettijohn
Have you tried starting spamd with '-l ::1' to alter its address to bind
to?
Edgar 


On Feb 22, 2021 10:11 AM, Nick Guenther  wrote:

  July 1, 2020 7:34 AM, "Harald Dunkel" 
  wrote:

  > Hi folks,
  >
  > spamd(8) still mentions 127.0.0.1, but no indication of IPv6
  support.
  > Looking on Google for "openbsd spamd ipv6" gives me some entries of
  > 2015 and 2016, but no up-to-date information. Please excuse if I am
  > too blind to see.
  >
  > I am a big fan of spamd, but I wonder is spamd in a dead-end wrt IP
  > address families? Would you recommend "IPv4 only" for EMail?

  I was just wondering about this too! I can't see a clear answer
  anywhere online either.




  I went looking because I realized that

  # /etc/pf.conf
  pass in log proto tcp to any port smtp divert-to 127.0.0.1 port spamd

  was becoming

  # pfctl -s rules
  pass in log inet proto tcp from any to any port = 25 flags S/SA
  divert-to 127.0.0.1 port 8025

  I wondered where that `inet` was coming from. Eventually I realized
  that maybe pf was implying it from the divert-to, since, according to
  pf.conf(5):

  > divert-to [...] The packets will not be modified [...]

  so if a packet comes in as IPv4 (inet) it has to stay IPv4.

  I tried

  # /etc/pf.conf
  pass in log proto tcp to any port smtp divert-to 127.0.0.1 port spamd
  pass in log proto tcp to any port smtp divert-to ::1 port spamd

  and this became

  # pfctl -s rules 
  pass in log inet proto tcp from any to any port = 25 flags S/SA
  divert-to 127.0.0.1 port 8025
  pass in log inet6 proto tcp from any to any port = 25 flags S/SA
  divert-to ::1 port 8025


  However if I actually tried to connect via IPv6 (`nc -6
  mail.myserver.com 25`) I just get an immediately closed connection,
  presumably because ::1:8025 isn't open.


  Come to think of it, because spamd uses IP addresses to do its job,
  for this to happen the database format needs to be augmented to store
  the longer addresses, so it's not necessarily a simple change, and
  that's probably why it hasn't happened yet.

  I just double-checked by digging around in the code (which I am not
  finally experienced enough for, phew) and found:
  
https://github.com/openbsd/src/blob/cf8f31167b4af5c8ea769ff3d8a5974a24fec6bb/libexec/spamd/spamd.c#L1427

  smtplisten = socket(AF_INET, SOCK_STREAM, 0);

  So yeah, it looks like it's still inet-only, no inet6 here.

  -Nick


Re: spamd vs IPv6

2021-02-22 Thread Nick Guenther
July 1, 2020 7:34 AM, "Harald Dunkel"  wrote:

> Hi folks,
> 
> spamd(8) still mentions 127.0.0.1, but no indication of IPv6 support.
> Looking on Google for "openbsd spamd ipv6" gives me some entries of
> 2015 and 2016, but no up-to-date information. Please excuse if I am
> too blind to see.
> 
> I am a big fan of spamd, but I wonder is spamd in a dead-end wrt IP
> address families? Would you recommend "IPv4 only" for EMail?

I was just wondering about this too! I can't see a clear answer anywhere online 
either.




I went looking because I realized that

# /etc/pf.conf
pass in log proto tcp to any port smtp divert-to 127.0.0.1 port spamd

was becoming

# pfctl -s rules
pass in log inet proto tcp from any to any port = 25 flags S/SA divert-to 
127.0.0.1 port 8025

I wondered where that `inet` was coming from. Eventually I realized that maybe 
pf was implying it from the divert-to, since, according to pf.conf(5):

> divert-to [...] The packets will not be modified [...]

so if a packet comes in as IPv4 (inet) it has to stay IPv4.

I tried

# /etc/pf.conf
pass in log proto tcp to any port smtp divert-to 127.0.0.1 port spamd
pass in log proto tcp to any port smtp divert-to ::1 port spamd

and this became

# pfctl -s rules  
pass in log inet proto tcp from any to any port = 25 flags S/SA divert-to 
127.0.0.1 port 8025
pass in log inet6 proto tcp from any to any port = 25 flags S/SA divert-to ::1 
port 8025


However if I actually tried to connect via IPv6 (`nc -6 mail.myserver.com 25`) 
I just get an immediately closed connection, presumably because ::1:8025 isn't 
open.


Come to think of it, because spamd uses IP addresses to do its job, for this to 
happen the database format needs to be augmented to store the longer addresses, 
so it's not necessarily a simple change, and that's probably why it hasn't 
happened yet.

I just double-checked by digging around in the code (which I am not finally 
experienced enough for, phew) and found: 
https://github.com/openbsd/src/blob/cf8f31167b4af5c8ea769ff3d8a5974a24fec6bb/libexec/spamd/spamd.c#L1427

smtplisten = socket(AF_INET, SOCK_STREAM, 0);

So yeah, it looks like it's still inet-only, no inet6 here.

-Nick

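The hardcoded AF_INET socket Nick found explains the whole symptom: a pf divert-to rule can only hand an inet6 packet to a listener that is itself bound in that family, and a wildcard rule gets narrowed to inet because 127.0.0.1 is an IPv4 target. As an added illustration (my own code, not spamd's), the following Python opens an IPv4-only listener the way spamd does, probes it over both families, and then shows the portable alternative of one socket per family from getaddrinfo(3). The loopback addresses and the ephemeral ports are assumptions for running it locally; with a real port such as 8025 both sockets would share it. OpenBSD has no dual-stack (IPv4-mapped) sockets, so the per-family approach is the one that would apply to spamd.

```python
import socket


def inet_only_listener(port=0, addr="127.0.0.1"):
    """The listener a hardcoded socket(AF_INET, SOCK_STREAM, 0) gives you.

    It can never accept an IPv6 connection, so a pf divert-to ::1 rule
    pointing at it yields the immediately closed connection seen above.
    port=0 asks the kernel for a free port (assumption for local testing).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((addr, port))
    s.listen(5)
    return s


def family_agnostic_listeners(port=0, host=None):
    """One listening socket per address family reported by getaddrinfo(3).

    host=None with AI_PASSIVE yields the wildcard address of every configured
    family (0.0.0.0 and ::). A socket per family is the portable approach and,
    since OpenBSD has no dual-stack sockets, the only one that works there.
    Families the host does not have are skipped rather than fatal.
    """
    listeners = []
    for family, socktype, proto, _canon, sockaddr in socket.getaddrinfo(
            host, port, socket.AF_UNSPEC, socket.SOCK_STREAM, 0, socket.AI_PASSIVE):
        try:
            s = socket.socket(family, socktype, proto)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            if family == socket.AF_INET6 and hasattr(socket, "IPV6_V6ONLY"):
                # keep each socket to exactly one family, as OpenBSD does anyway
                s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
            s.bind(sockaddr)
            s.listen(5)
            listeners.append(s)
        except OSError:
            continue
    return listeners


def probe(family, addr, port, timeout=2.0):
    """True if a TCP connect over `family` succeeds: the `nc -6 host 25` check."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as c:
            c.settimeout(timeout)
            c.connect((addr, port))
            return True
    except OSError:
        return False


def demonstrate():
    """Compare both listener styles on loopback; returns the findings."""
    v4 = inet_only_listener()
    port = v4.getsockname()[1]
    result = {
        "inet_only_reachable_v4": probe(socket.AF_INET, "127.0.0.1", port),
        "inet_only_reachable_v6": probe(socket.AF_INET6, "::1", port),
    }
    v4.close()

    listeners = family_agnostic_listeners()
    result["agnostic_families"] = sorted(s.family.name for s in listeners)
    result["agnostic_reachable_v4"] = any(
        s.family == socket.AF_INET
        and probe(socket.AF_INET, "127.0.0.1", s.getsockname()[1])
        for s in listeners)
    for s in listeners:
        s.close()
    return result


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

On a host with IPv6 configured, agnostic_families lists both AF_INET and AF_INET6; the inet-only listener is reachable over IPv4 only either way.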


spamd vs IPv6

2020-07-01 Thread Harald Dunkel

Hi folks,

spamd(8) still mentions 127.0.0.1, but no indication of IPv6 support.
Looking on Google for "openbsd spamd ipv6" gives me some entries of
2015 and 2016, but no up-to-date information. Please excuse if I am
too blind to see.

I am a big fan of spamd, but I wonder is spamd in a dead-end wrt IP
address families? Would you recommend "IPv4 only" for EMail?


Regards
Harri



Re: BGP spamd AS working addresses to have realtime list updates

2020-04-19 Thread Martin
Hello, Peter.

How can I help you to maintain the EU server in good shape? I think a spam-related 
AS is a really good tool for all the people in the community who use the spamd engine.

Martin

‐‐‐ Original Message ‐‐‐
On Sunday, April 19, 2020 4:40 PM, Peter Hessler  wrote:

> Hi Martin
>
> The eu.bgp-spamd.net server is no longer available. I have not had any
> time for maintenance of these systems for several years, so do not
> expect many future updates.
>
> -peter
>
> On 2020 Apr 19 (Sun) at 14:39:08 + (+), Martin wrote:
> :I'm going to have spamdb updates from AS using BGP as configured.
> :But both AS rs.bgp-spamd.net and eu.bgp-spamd.net point to the same IP address 
> according to ping:
> :
> :ping eu.bgp-spamd.net
> :217.31.80.170
> :ping rs.bgp-spamd.net
> :217.31.80.170
> :
> :Which system can be used for redundancy? Any other spamd-AS online?
> :
> :$ cat /etc/bgpd.conf
> :AS 65xxx
> :fib-update no
> :
> :group "spam" {
> : remote-as 65066
> : multihop 64
> : export none
> : neighbor 64.142.121.62 {
> : descr "rs.bgp-spamd.net"
> : }
> : neighbor 217.31.80.170 {
> : descr "eu.bgp-spamd.net"
> : }
> :}
> :...
> :
> :Martin
>
> ---
>
> Did you know ...
>
> That no-one ever reads these things?




Re: BGP spamd AS working addresses to have realtime list updates

2020-04-19 Thread Peter Hessler
Hi Martin

The eu.bgp-spamd.net server is no longer available.  I have not had any
time for maintenance of these systems for several years, so do not
expect many future updates.

-peter


On 2020 Apr 19 (Sun) at 14:39:08 + (+), Martin wrote:
:I'm going to have spamdb updates from AS using BGP as configured.
:But both AS rs.bgp-spamd.net and eu.bgp-spamd.net point to the same IP address 
according to ping:
:
:ping eu.bgp-spamd.net
:217.31.80.170
:ping rs.bgp-spamd.net
:217.31.80.170
:
:Which system can be used for redundancy? Any other spamd-AS online?
:
:$ cat /etc/bgpd.conf
:AS 65xxx
:fib-update no
:
:group "spam" {
:   remote-as 65066
:   multihop 64
:   export none
:  neighbor 64.142.121.62 {
:  descr "rs.bgp-spamd.net"
:  }
:  neighbor 217.31.80.170 {
:  descr "eu.bgp-spamd.net"
:  }
:}
:...
:
:Martin

-- 
Did you know ...

That no-one ever reads these things?



BGP spamd AS working addresses to have realtime list updates

2020-04-19 Thread Martin
I'm going to have spamdb updates from AS using BGP as configured.
But both AS rs.bgp-spamd.net and eu.bgp-spamd.net point to the same IP address 
according to ping:

ping eu.bgp-spamd.net
217.31.80.170
ping rs.bgp-spamd.net
217.31.80.170

Which system can be used for redundancy? Any other spamd-AS online?

$ cat /etc/bgpd.conf
AS 65xxx
fib-update no

group "spam" {
   remote-as 65066
   multihop 64
   export none
  neighbor 64.142.121.62 {
  descr "rs.bgp-spamd.net"
  }
  neighbor 217.31.80.170 {
  descr "eu.bgp-spamd.net"
  }
}
...

Martin


Re: Contributing to spamd

2020-04-03 Thread prx
Indeed !
Good luck, and thank you ! 

On 3 April 2020 18:49:56 GMT+02:00, Aisha Tammy  wrote:
>Oh that is really good to hear :)
>Thanks a lot phessler!
>
>Here is to hoping it can be included in the next release.
>
>Thanks a lot again,
>Aisha
>
>On 4/3/20 12:28 PM, Denis Fondras wrote:
>> On Fri, Apr 03, 2020 at 08:54:22AM -0400, Aisha Tammy wrote:
>>> Hi devs and all,
>>>   I have been using spamd for quite a while and have been loving it.
>>> I've seen that spamd currently only supports ipv4 and have been
>>> wondering if it was possible to extend it to ipv6. I know that
>workforce
>>> is always limited so I wanted to know if there is anyway to
>contribute
>>> help towards this :)
>>> I admit I'm not the most knowledgeable about ipv6 so I was wondering
>if
>>> there is any small place to start to contribute to spamd and build
>up
>>> from there.
>>> Hoping for some positive response.
>>>
>>> Thanks a lot for your work and hope you are safe,
>>> Aisha
>>>
>> 
>> phessler@ did almost all the work. There are still one issue so it
>did not get
>> in.
>> 



Re: Contributing to spamd

2020-04-03 Thread Aisha Tammy
Oh that is really good to hear :)
Thanks a lot phessler!

Here is to hoping it can be included in the next release.

Thanks a lot again,
Aisha

On 4/3/20 12:28 PM, Denis Fondras wrote:
> On Fri, Apr 03, 2020 at 08:54:22AM -0400, Aisha Tammy wrote:
>> Hi devs and all,
>>   I have been using spamd for quite a while and have been loving it.
>> I've seen that spamd currently only supports ipv4 and have been
>> wondering if it was possible to extend it to ipv6. I know that workforce
>> is always limited so I wanted to know if there is anyway to contribute
>> help towards this :)
>> I admit I'm not the most knowledgeable about ipv6 so I was wondering if
>> there is any small place to start to contribute to spamd and build up
>> from there.
>> Hoping for some positive response.
>>
>> Thanks a lot for your work and hope you are safe,
>> Aisha
>>
> 
> phessler@ did almost all the work. There are still one issue so it did not get
> in.
> 



Re: Contributing to spamd

2020-04-03 Thread Denis Fondras
On Fri, Apr 03, 2020 at 08:54:22AM -0400, Aisha Tammy wrote:
> Hi devs and all,
>   I have been using spamd for quite a while and have been loving it.
> I've seen that spamd currently only supports ipv4 and have been
> wondering if it was possible to extend it to ipv6. I know that workforce
> is always limited so I wanted to know if there is anyway to contribute
> help towards this :)
> I admit I'm not the most knowledgeable about ipv6 so I was wondering if
> there is any small place to start to contribute to spamd and build up
> from there.
> Hoping for some positive response.
> 
> Thanks a lot for your work and hope you are safe,
> Aisha
> 

phessler@ did almost all the work. There are still one issue so it did not get
in.



Re: Contributing to spamd

2020-04-03 Thread Aisha Tammy
Thanks a lot Ingo.
I'm currently looking through spamd.c and trying to learn.
I'm way too far behind to send any patches yet, lol.
I'll slowly work to it.

Much appreciated,
Aisha

On 4/3/20 9:40 AM, Ingo Schwarze wrote:
> Hi Aisha,
> 
> Aisha Tammy wrote on Fri, Apr 03, 2020 at 08:54:22AM -0400:
> 
>>   I have been using spamd for quite a while and have been loving it.
>> I've seen that spamd currently only supports ipv4 and have been
>> wondering if it was possible to extend it to ipv6. I know that workforce
>> is always limited so I wanted to know if there is anyway to contribute
>> help towards this :)
> 
> The way to contribute to OpenBSD is by sending patches - ideally
> small, incremental patches that work and are well tested, but when
> you get stuck, you can also send something like: "I hope to do
> FOOBAR, and here is what i have so far; the FOO part already seems
> to work in my preliminary testing, but i have doubts whether my
> approach to the BAR part is ideal.  Feedback is welcome."
> 
>> I admit I'm not the most knowledgeable about ipv6 so I was wondering if
>> there is any small place to start to contribute to spamd and build up
>> from there.
>> Hoping for some positive response.
> 
> Being able to learn on your own is among the key qualifications
> required to contribute to OpenBSD.  Learning by doing is recommended:
> First find an issue you would like to fix.  Good judgement of your
> own abilities is essential here: don't pick a task so much over
> your head that you have no chance of ever getting it done.  Picking
> something *slightly* more difficult than what you have experience
> with may be OK if you are willing to learn and can tolerate the
> frustration that unavoidably comes with the first try likely not
> being good enough for commit yet.  Then again, getting used to the
> the processes of sending patches, receiving feeback, and improving
> and re-sending the patches such that they get ready for commit may
> also require some effort, so it is not a bad idea to start with
> tasks you are absolutely sure you can easily manage, until you get
> used to the processes, then progress to more difficult stuff in order
> to learn and grow.
> 
> When asking questions, be as specific as possible, ideally showing
> specific patches or specific sequences of commands and asking
> specific questions about them.
> 
> Avoid questions similar to "what should i do" or "where should i
> start" or "is there a todo list".  That depends on what you are
> interested in and what your abilities are, and you need to know
> that yourself, no one else who doesn't know you personally can help
> you with that.
> 
> Sorry that i can't give you specifics about spamd(8), but your
> question wasn't very specific anyway.  In general, seamless IPv6
> support is welcome in OpenBSD, but i'm not sure about the requirements
> of spamd(8) in particular since i never used it nor worked on it.
> 
> Yours,
>   Ingo
> 



Re: Contributing to spamd

2020-04-03 Thread Ingo Schwarze
Hi Aisha,

Aisha Tammy wrote on Fri, Apr 03, 2020 at 08:54:22AM -0400:

>   I have been using spamd for quite a while and have been loving it.
> I've seen that spamd currently only supports ipv4 and have been
> wondering if it was possible to extend it to ipv6. I know that workforce
> is always limited so I wanted to know if there is anyway to contribute
> help towards this :)

The way to contribute to OpenBSD is by sending patches - ideally
small, incremental patches that work and are well tested, but when
you get stuck, you can also send something like: "I hope to do
FOOBAR, and here is what i have so far; the FOO part already seems
to work in my preliminary testing, but i have doubts whether my
approach to the BAR part is ideal.  Feedback is welcome."

> I admit I'm not the most knowledgeable about ipv6 so I was wondering if
> there is any small place to start to contribute to spamd and build up
> from there.
> Hoping for some positive response.

Being able to learn on your own is among the key qualifications
required to contribute to OpenBSD.  Learning by doing is recommended:
First find an issue you would like to fix.  Good judgement of your
own abilities is essential here: don't pick a task so much over
your head that you have no chance of ever getting it done.  Picking
something *slightly* more difficult than what you have experience
with may be OK if you are willing to learn and can tolerate the
frustration that unavoidably comes with the first try likely not
being good enough for commit yet.  Then again, getting used to the
the processes of sending patches, receiving feeback, and improving
and re-sending the patches such that they get ready for commit may
also require some effort, so it is not a bad idea to start with
tasks you are absolutely sure you can easily manage, until you get
used to the processes, then progress to more difficult stuff in order
to learn and grow.

When asking questions, be as specific as possible, ideally showing
specific patches or specific sequences of commands and asking
specific questions about them.

Avoid questions similar to "what should i do" or "where should i
start" or "is there a todo list".  That depends on what you are
interested in and what your abilities are, and you need to know
that yourself, no one else who doesn't know you personally can help
you with that.

Sorry that i can't give you specifics about spamd(8), but your
question wasn't very specific anyway.  In general, seamless IPv6
support is welcome in OpenBSD, but i'm not sure about the requirements
of spamd(8) in particular since i never used it nor worked on it.

Yours,
  Ingo



Contributing to spamd

2020-04-03 Thread Aisha Tammy
Hi devs and all,
  I have been using spamd for quite a while and have been loving it.
I've seen that spamd currently only supports ipv4 and have been
wondering if it was possible to extend it to ipv6. I know that workforce
is always limited so I wanted to know if there is anyway to contribute
help towards this :)
I admit I'm not the most knowledgeable about ipv6 so I was wondering if
there is any small place to start to contribute to spamd and build up
from there.
Hoping for some positive response.

Thanks a lot for your work and hope you are safe,
Aisha



rDNS checks in spamd

2019-12-03 Thread Dimitrios Moustos
Hello,

I notice quite a few hosts without rDNS/FCrDNS getting whitelisted by
spamd.

I reject hosts with no rDNS using the following in my crontab:

(spamdb|for i in `awk -F'|' '/GREY/{print $2}'`; do if ! host $i >/dev/null; 
then spamdb -dG $i; fi; done)

It works, but it does not feel like it is the best way to do it.

OpenSMTPD rejects the hosts without FCrDNS using a filter anyways, but
it feels better to know that smtpd is not talking directly to these
likely suspicious hosts.

Does it make sense to add a rDNS check option to spamd?
(if not a full FCrDNS check)
If so then I could work on it.

Thanks, Dimitrios

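The cron one-liner above only asks whether a PTR record exists. Forward-confirmed rDNS (FCrDNS) additionally requires that one of the PTR names resolves back to the same address, which is what stops a host from claiming an arbitrary reverse name. As an added example (mine, not part of the post or of spamd), the following Python parses spamdb(8) output, applies either check to the GREY entries, and returns the addresses that would be handed to spamdb -dG. The spamdb lines, the resolver tables and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed test data; the live_* functions use the system resolver when run for real.

```python
import socket
import subprocess
import sys

# Constructed spamdb(8)-style output (not real traffic). Fields are separated by
# '|'; for GREY entries the second field is the client address, which is what
# the awk -F'|' '{print $2}' in the cron job picks out.
SAMPLE_SPAMDB = """\
GREY|192.0.2.10|mail.example.org|<alice@example.org>|<me@example.net>|1575300000|1575314400|1575646800|0|0
GREY|192.0.2.20|dsl-pool-host|<bob@example.com>|<me@example.net>|1575300100|1575314500|1575646900|0|0
GREY|192.0.2.30|relay.example.com|<carol@example.com>|<me@example.net>|1575300200|1575314600|1575647000|0|0
WHITE|192.0.2.40|||1575200000|1575214400|1578300000|0|3
"""

# Constructed resolver answers: 192.0.2.20 has no PTR at all, and
# 192.0.2.30 has a PTR whose name resolves to a different address.
TABLE_PTR = {"192.0.2.10": ["mail.example.org"],
             "192.0.2.30": ["relay.example.com"]}
TABLE_A = {"mail.example.org": ["192.0.2.10"],
           "relay.example.com": ["198.51.100.5"]}


def table_reverse(ip):
    return TABLE_PTR.get(ip, [])


def table_forward(name):
    return TABLE_A.get(name, [])


def live_reverse(ip):
    """PTR lookup through the system resolver; [] when there is none."""
    try:
        name, aliases, _addrs = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []


def live_forward(name):
    """All addresses the name resolves to; [] on NXDOMAIN or error."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def parse_spamdb(text):
    """Yield (type, ip) for every non-empty spamdb line."""
    for line in text.splitlines():
        if line.strip():
            fields = line.split("|")
            yield fields[0], fields[1]


def has_rdns(ip, reverse):
    """The check the cron job does: does any PTR record exist?"""
    return bool(reverse(ip))


def has_fcrdns(ip, reverse, forward):
    """Forward-confirmed rDNS: some PTR name must resolve back to `ip`."""
    return any(ip in forward(name) for name in reverse(ip))


def grey_hosts_to_drop(text, reverse, forward, require_fcrdns=True):
    """GREY client addresses that fail the chosen check, in spamdb order."""
    drop = []
    for kind, ip in parse_spamdb(text):
        if kind != "GREY":
            continue          # leave WHITE/TRAPPED entries alone
        ok = has_fcrdns(ip, reverse, forward) if require_fcrdns else has_rdns(ip, reverse)
        if not ok:
            drop.append(ip)
    return drop


if __name__ == "__main__":
    # Real run: read the live greylist and list offenders; with --apply,
    # remove them with spamdb -dG as the cron job does.
    text = subprocess.run(["spamdb"], capture_output=True, text=True, check=True).stdout
    for ip in grey_hosts_to_drop(text, live_reverse, live_forward):
        print(ip)
        if "--apply" in sys.argv[1:]:
            subprocess.run(["spamdb", "-dG", ip], check=True)
```

On the constructed data the FCrDNS check drops 192.0.2.20 and 192.0.2.30, while the plain rDNS check of the cron job drops only 192.0.2.20. Run the live version without --apply first and read the list: sites with broken but legitimate reverse DNS exist, and once an address is removed from the greylist its next attempt starts the greylisting delay over.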


Re: How to synchronise 2 spamd instances

2019-06-05 Thread Boudewijn Dijkstra

On Fri, 31 May 2019 00:34:39 +0200, Mik J  wrote:

 Hello,

I'm back again with spamd synchronisation.

I made further tests and it seems to me that only new entries in spamd  
are synchronised.
All existing entries before the synchronisation and not sent to the  
other spamd instance.


Is it supposed to work like that ?


Yes. From the spamd(8) manual:
"The databases are synchronised for greylisted and trapped
entries; whitelisted entries and entries made manually using spamdb(8)
are not updated."





--
Sent with Opera's e-mail program: http://www.opera.com/mail/



Re: How to synchronise 2 spamd instances

2019-05-30 Thread Mik J
 Hello,

I'm back again with spamd synchronisation.

I made further tests and it seems to me that only new entries in spamd are 
synchronised.
All existing entries before the synchronisation and not sent to the other spamd 
instance.

Is it supposed to work like that ?

Thank you

On Sunday, 26 May 2019 at 22:49:25 UTC+2, Sean Kamath  wrote:
 
 On May 26, 2019, at 04:41, Mik J  wrote:
> 
> Hello,
> 
> I'm coming back on this topic. I added the -K option
> # /usr/libexec/spamd -v -s 5 -S 5 -w 1 -G5:24:2400 -l 127.0.0.1 -h 
> myhost.mydomain.org -y vmx0 -Y myhost2.mydomain.org -K /etc/mail/spamd.key -n 
> ABCD
> # spamd: need key and certificate for TLS
> 
> So it seems it expects some kind of certificate/private key rather than a key
> 
> Does anyone uses the -K option successfully ?

Yes. :-). Looks like you forgot the '-C /etc/ssl/.crt' option.
Granted, this is on 6.3.

My full args are:

-h  -v -G 2:4:864 -y vio0 -Y  -K 
/etc/ssl/private/.key -C /etc/ssl/.crt

Works fine.

Sean

> So far I didn't manage to make the synchro to work. udp packets on port 8025 
> are not dropped.
> However spamd doesn't seem to send any 8025/udp packet at all.
> 
> Regards
> 
> On Tuesday, 23 April 2019 at 02:57:31 UTC+2, Rudy Baker  wrote:
> 
> On Mon, Apr 22, 2019, 10:43 AM Thuban,  wrote:
> 
>>> * Otto Moerbeek  on [21-04-2019 12:49:07 +0200]:
>>> On Sun, Apr 21, 2019 at 09:53:52AM +, Mik J wrote:
>>> 
>>>> Hello,
>>>> I read the man but it's not so clear to me
>>>> https://man.openbsd.org/spamd#SYNCHRONISATION
>>>> a) I chose unicast synchronisation but I don't know which port should
>> I open on the firewall ?
>>>> Is it going to use the spamd-cfg service ?
>>> 
>>> It will use spamd-sync (udp port 8025)
>> 
>> Good to know, I was blocking this traffic. It might be interesting to
>> add a word about this in the manpage, what do you think?
>> 
> 
> tcpdump -nettti pflog0
> 
> That command tells you if anything is being blocked. I normally start
> there. You would have seen port 8025 being blocked right away
> 
>> 
>> 
> 

  


Re: How to synchronise 2 spamd instances

2019-05-26 Thread Sean Kamath
On May 26, 2019, at 04:41, Mik J  wrote:
> 
> Hello,
> 
> I'm coming back on this topic. I added the -K option
> # /usr/libexec/spamd -v -s 5 -S 5 -w 1 -G5:24:2400 -l 127.0.0.1 -h 
> myhost.mydomain.org -y vmx0 -Y myhost2.mydomain.org -K /etc/mail/spamd.key -n 
> ABCD
> # spamd: need key and certificate for TLS
> 
> So it seems it expects some kind of certificate/private key rather than a key
> 
> Does anyone uses the -K option successfully ?

Yes. :-). Looks like you forgot the '-C /etc/ssl/.crt' option.
Granted, this is on 6.3.

My full args are:

-h  -v -G 2:4:864 -y vio0 -Y  -K 
/etc/ssl/private/.key -C /etc/ssl/.crt

Works fine.

Sean

> So far I didn't manage to make the synchro to work. udp packets on port 8025 
> are not dropped.
> However spamd doesn't seem to send any 8025/udp packet at all.
> 
> Regards
> 
> On Tuesday, 23 April 2019 at 02:57:31 UTC+2, Rudy Baker  wrote:
> 
> On Mon, Apr 22, 2019, 10:43 AM Thuban,  wrote:
> 
>>> * Otto Moerbeek  on [21-04-2019 12:49:07 +0200]:
>>> On Sun, Apr 21, 2019 at 09:53:52AM +, Mik J wrote:
>>> 
>>>> Hello,
>>>> I read the man but it's not so clear to me
>>>> https://man.openbsd.org/spamd#SYNCHRONISATION
>>>> a) I chose unicast synchronisation but I don't know which port should
>> I open on the firewall ?
>>>> Is it going to use the spamd-cfg service ?
>>> 
>>> It will use spamd-sync (udp port 8025)
>> 
>> Good to know, I was blocking this traffic. It might be interesting to
>> add a word about this in the manpage, what do you think?
>> 
> 
> tcpdump -nettti pflog0
> 
> That command tells you if anything is being blocked. I normally start
> there. You would have seen port 8025 being blocked right away
> 
>> 
>> 
> 



Re: How to synchronise 2 spamd instances

2019-05-26 Thread Mik J
 Hello,

I'm coming back on this topic. I added the -K option
# /usr/libexec/spamd -v -s 5 -S 5 -w 1 -G5:24:2400 -l 127.0.0.1 -h 
myhost.mydomain.org -y vmx0 -Y myhost2.mydomain.org -K /etc/mail/spamd.key -n 
ABCD
# spamd: need key and certificate for TLS

So it seems it expects some kind of certificate/private key rather than a key

Does anyone uses the -K option successfully ?

So far I didn't manage to make the synchro to work. udp packets on port 8025 
are not dropped.
However spamd doesn't seem to send any 8025/udp packet at all.

Regards

On Tuesday, 23 April 2019 at 02:57:31 UTC+2, Rudy Baker  wrote:
 
 On Mon, Apr 22, 2019, 10:43 AM Thuban,  wrote:

> * Otto Moerbeek  on [21-04-2019 12:49:07 +0200]:
> > On Sun, Apr 21, 2019 at 09:53:52AM +, Mik J wrote:
> >
> > > Hello,
> > > I read the man but it's not so clear to me
> > > https://man.openbsd.org/spamd#SYNCHRONISATION
> > > a) I chose unicast synchronisation but I don't know which port should
> I open on the firewall ?
> > > Is it going to use the spamd-cfg service ?
> >
> > It will use spamd-sync (udp port 8025)
>
> Good to know, I was blocking this traffic. It might be interesting to
> add a word about this in the manpage, what do you think?
>

tcpdump -nettti pflog0

That command tells you if anything is being blocked. I normally start
there. You would have seen port 8025 being blocked right away

>
>
  


Re: How to synchronise 2 spamd instances

2019-04-22 Thread Rudy Baker
On Mon, Apr 22, 2019, 10:43 AM Thuban,  wrote:

> * Otto Moerbeek  on [21-04-2019 12:49:07 +0200]:
> > On Sun, Apr 21, 2019 at 09:53:52AM +, Mik J wrote:
> >
> > > Hello,
> > > I read the man but it's not so clear to me
> > > https://man.openbsd.org/spamd#SYNCHRONISATION
> > > a) I chose unicast synchronisation but I don't know which port should
> I open on the firewall ?
> > > Is it going to use the spamd-cfg service ?
> >
> > It will use spamd-sync (udp port 8025)
>
> Good to know, I was blocking this traffic. It might be interesting to
> add a word about this in the manpage, what do you think?
>

tcpdump -nettti pflog0

That command tells you if anything is being blocked. I normally start
there. You would have seen port 8025 being blocked right away

>
>


Re: How to synchronise 2 spamd instances

2019-04-22 Thread Thuban
* Otto Moerbeek  on [21-04-2019 12:49:07 +0200]:
> On Sun, Apr 21, 2019 at 09:53:52AM +, Mik J wrote:
> 
> > Hello,
> > I read the man but it's not so clear to me
> > https://man.openbsd.org/spamd#SYNCHRONISATION
> > a) I chose unicast synchronisation but I don't know which port should I 
> > open on the firewall ?
> > Is it going to use the spamd-cfg service ?
> 
> It will use spamd-sync (udp port 8025)

Good to know, I was blocking this traffic. It might be interesting to
add a word about this in the manpage, what do you think?



Re: How to synchronise 2 spamd instances

2019-04-22 Thread Mik J
 Hello Otto,
Thank you for your answer. I'm working on it right now.
Regards

On Sunday, 21 April 2019 at 12:50:08 UTC+2, Otto Moerbeek  wrote:
 
 On Sun, Apr 21, 2019 at 09:53:52AM +, Mik J wrote:

> Hello,
> I read the man but it's not so clear to me
> https://man.openbsd.org/spamd#SYNCHRONISATION
> a) I chose unicast synchronisation but I don't know which port should I open 
> on the firewall ?
> Is it going to use the spamd-cfg service ?

It will use spamd-sync (udp port 8025)

> 
> b) The synchronisation section mention a key and there's an option -K 
> regarding that key but in the example the -K option is not used. So it's not 
> clear.

-K is optional. But if you use it, all instances syncing should use
the same key.

> 
> c) It's not clear which instance is going to contact which. Is there a 
> master/slave relationship ? What if one IP is WHITELIST on one instance and 
> BLACKLIST on the other.
> Also should I use the -Y option on both instances ? Both are going to try to 
> start a tcp session ?

It's symmetrical. All spamd's send updates to each other. No tcp
involved, only udp. Specify A's IP on B and vice-versa.

>  
> d) The message digest is calculated in md5 ?

It uses a sha1 hmac message authentication code, so no md5 digest.

> 
> e) Should I specify the -M option on all instances or just on the low priority 
> MX, and which IP address should I specify, the one on that host or the remote MX?
> 
> Thank you

Never used -M myself, but reading spamd.conf it looks like you only
specify an -M IP on the host serving that IP. Note that -M is
optional.

    -Otto

  


Re: How to synchronise 2 spamd instances

2019-04-21 Thread Otto Moerbeek
On Sun, Apr 21, 2019 at 09:53:52AM +, Mik J wrote:

> Hello,
> I read the man but it's not so clear to me
> https://man.openbsd.org/spamd#SYNCHRONISATION
> a) I chose unicast synchronisation but I don't know which port should I open 
> on the firewall ?
> Is it going to use the spamd-cfg service ?

It will use spamd-sync (udp port 8025)

> 
> b) The synchronisation section mention a key and there's an option -K 
> regarding that key but in the example the -K option is not used. So it's not 
> clear.

-K is optional. But if you use it, all instances syncing should use
the same key.

> 
> c) It's not clear which instance is going to contact which. Is there a 
> master/slave relationship ? What if one IP is WHITELIST on one instance and 
> BLACKLIST on the other.
> Also should I use the -Y option on both instances ? Both are going to try to 
> start a tcp session ?

It's symmetrical. All spamd's send updates to each other. No tcp
involved, only udp. Specify A's IP on B and vice-versa.

>  
> d) The message digest is calculated in md5 ?

It uses a sha1 hmac message authentication code, so no md5 digest.

> 
> e) Should I specify the -M option on all instances or just on the low priority 
> MX, and which IP address should I specify, the one on that host or the remote MX?
> 
> Thank you

Never used -M myself, but reading spamd.conf it looks like you only
specify an -M IP on the host serving that IP. Note that -M is
optional.

-Otto

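Otto's two points, that sync is symmetric UDP with no master, and that the datagrams carry an HMAC-SHA1 under a shared key rather than an MD5 digest, are easiest to see with a small model. The following Python is an added illustration and is not spamd's wire format (that lives in libexec/spamd/sync.c); it uses its own layout of a 4-byte counter, the payload and a 20-byte tag, and the key, the peer names and the greylist payload are made up. What it shows is what the shared key buys you: a peer holding a different key, a tampered datagram and a replayed datagram are all discarded, which is why every instance in the sync group has to be given the same key.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = hashlib.sha1().digest_size   # 20 bytes for HMAC-SHA1
COUNTER_LEN = 4


class SyncPeer:
    """Model of one sync participant (illustration only, not spamd's sync.c).

    Outgoing datagram: 4-byte big-endian counter | payload | HMAC-SHA1 over both.
    The same key signs and verifies, which is exactly why every host in the
    sync group must hold the same key.
    """

    def __init__(self, key):
        if len(key) < 16:
            raise ValueError("sync key must be at least 16 random bytes")
        self.key = key
        self.counter = 0
        self.last_seen = {}          # peer name -> highest counter accepted

    def sign(self, payload):
        self.counter += 1
        body = struct.pack("!I", self.counter) + payload
        return body + hmac.new(self.key, body, hashlib.sha1).digest()

    def verify(self, peer, datagram):
        """Return the payload if the datagram is authentic and fresh, else None."""
        if len(datagram) < COUNTER_LEN + TAG_LEN:
            return None
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None
        counter = struct.unpack("!I", body[:COUNTER_LEN])[0]
        if counter <= self.last_seen.get(peer, 0):
            return None                               # replay or stale datagram
        self.last_seen[peer] = counter
        return body[COUNTER_LEN:]


def sync_demo():
    """Two peers sharing a key, a third with its own key; returns who accepted what."""
    shared = os.urandom(32)
    a, b = SyncPeer(shared), SyncPeer(shared)
    rogue = SyncPeer(os.urandom(32))

    # Constructed greylist update; spamd would carry the real tuple here.
    update = b"GREY|192.0.2.7|mail.example.org|<x@example.org>|<me@example.net>"
    datagram = a.sign(update)

    tampered = bytearray(datagram)
    tampered[COUNTER_LEN + 5] ^= 0x01   # flip one bit inside the address

    return {
        "same_key": b.verify("A", datagram) == update,
        "wrong_key": rogue.verify("A", datagram) is not None,
        "tampered": b.verify("A", bytes(tampered)) is not None,
        "replayed": b.verify("A", datagram) is not None,
    }


if __name__ == "__main__":
    print(sync_demo())
    # Shipping a datagram for real is one UDP send to the peer's spamd-sync port:
    #   sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    #   sock.sendto(peer.sign(update), (peer_ip, 8025))
    # so the firewall rule on each side is: pass in proto udp from <peer> to self port 8025.
```

The firewall point from the thread follows directly: since both sides send to each other's port 8025/udp, the rule has to exist on both hosts, and tcpdump on pflog0 is the quickest way to confirm nothing is being dropped. Without a key anyone who can reach that port can inject greylist state, so the same-key requirement is a security property, not only an interoperability one.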


How to synchronise 2 spamd instances

2019-04-21 Thread Mik J
Hello,
I read the man but it's not so clear to me
https://man.openbsd.org/spamd#SYNCHRONISATION
a) I chose unicast synchronisation but I don't know which port should I open on 
the firewall ?
Is it going to use the spamd-cfg service ?

b) The synchronisation section mention a key and there's an option -K regarding 
that key but in the example the -K option is not used. So it's not clear.

c) It's not clear which instance is going to contact which. Is there a 
master/slave relationship ? What if one IP is WHITELIST on one instance and 
BLACKLIST on the other.
Also should I use the -Y option on both instances ? Both are going to try to 
start a tcp session ?
 
d) The message digest is calculated in md5 ?

e) Should I specify the -M option on all instances or just on the low priority 
MX, and which IP address should I specify, the one on that host or the remote MX?

Thank you


Re: spamd and low priority MX

2019-03-02 Thread Craig Skinner
Hi Thuban,

On Sat, 2 Mar 2019 09:20:42 +0100 Thuban wrote:
> On the server with the highest priority (lower MX), I must set "-M
> nn.nn.nn.nn" where nn.nn.nn.nn is the IP of a lower priority MX?

Where nn.nn.nn.nn is the public IP of a fake backup MX server,
which *DOES* have an SMTP daemon running,
which 450/451 soft defers _ALL_ mail.


> If there is more than 1 backup MX (lower priority), does the -M
> flag can be called more than once?

Just once, e.g:

$ dig Britvault.Co.UK MX +short
12 smtp.Britvault.Co.UK.  <--- real primary MX
144 mx-backup.smtp.Britvault.Co.UK.   <--- real backup MX
666 highlisting.smtp.Britvault.Co.UK. <--- fake backup MX


The fake's public IP address needs to be another IP address,
on a real MX machine (an alias or another network port).



This sort of fake DNS MX record is called highlisting.
(Works well with greylisting.)

Having a fake primary DNS MX record is called nolisting.
(Practically has to be on the real primary MX server.
Doesn't work great with greylisting.)




Greylisting is in between no & high listing. But it doesn't need more
DNS records, more public IP addresses, a deferring daemon, nor TCP
rejection on port 25. Yet it does introduce delays.

There is also unlisting...


All these tricks reduce spam, and all have operational problems.



Nolisting + highlisting is a viable alternative to greylisting:

Primary MX only:57%  (DNSBL:98%)
MX backup only: 20%  (DNSBL:90%)


Nolisting + multiple fake highlisters killed 98% of spam for this bloke:
http://blog.whitesites.com/Stop-Spam-with-fake-MX-records__633764658986714568_blog.htm




Some articles to read:-

http://wiki.apache.org/spamassassin/OtherTricks
http://wiki.junkemailfilter.com/index.php/Project_tarbaby
http://nolisting.org/
https://en.wikipedia.org/wiki/Nolisting
http://www.junkemailfilter.com/spam/how_it_works.html




Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7

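What Craig's fake backup MX does at the protocol level, as an added example that is not from the post and not spamd's own code: a minimal SMTP responder that greets, accepts HELO/EHLO and MAIL FROM so the client commits to an envelope, answers every RCPT TO with a 450 temporary failure and therefore never reaches DATA. The host name, the listening port and the client transcript are made up. A legitimate MTA treats the 450 as "re-queue and try the other MX records"; a lot of spam software does not retry at all, which is the whole trick.

```python
import socketserver

HOSTNAME = b"highlisting.smtp.example.invalid"   # made-up name for the fake backup MX
BANNER = b"220 " + HOSTNAME + b" ESMTP\r\n"


def reply_for(line, state):
    """Reply to one client command; returns (reply, close_connection).

    Policy of a 'defer everything' MX: accept the greeting and the envelope
    sender, then answer every RCPT TO with a 4xx temporary failure. No
    recipient is ever accepted, so DATA is refused too.
    """
    verb = line.strip().split(b" ", 1)[0].upper()
    if verb in (b"HELO", b"EHLO"):
        state["helo"] = True
        return b"250 " + HOSTNAME + b"\r\n", False
    if verb == b"MAIL":
        if not state.get("helo"):
            return b"503 5.5.1 send HELO/EHLO first\r\n", False
        state["mail"] = True
        return b"250 2.1.0 Ok\r\n", False
    if verb == b"RCPT":
        if not state.get("mail"):
            return b"503 5.5.1 need MAIL FROM first\r\n", False
        return b"450 4.7.1 greylisted, try again later\r\n", False
    if verb == b"DATA":
        return b"503 5.5.1 no valid recipients\r\n", False
    if verb == b"RSET":
        state.clear()
        return b"250 2.0.0 Ok\r\n", False
    if verb == b"NOOP":
        return b"250 2.0.0 Ok\r\n", False
    if verb == b"QUIT":
        return b"221 2.0.0 Bye\r\n", True
    return b"502 5.5.2 command not implemented\r\n", False


def run_session(client_lines):
    """Drive reply_for over a whole client transcript; returns the reply codes."""
    state, codes = {}, [int(BANNER[:3])]
    for line in client_lines:
        reply, close = reply_for(line, state)
        codes.append(int(reply[:3]))
        if close:
            break
    return codes


# Constructed client side of a typical delivery attempt.
SAMPLE_SESSION = [
    b"EHLO sender.example.com\r\n",
    b"MAIL FROM:<someone@example.com>\r\n",
    b"RCPT TO:<me@example.net>\r\n",
    b"DATA\r\n",
    b"QUIT\r\n",
]


class DeferHandler(socketserver.StreamRequestHandler):
    def handle(self):
        self.wfile.write(BANNER)
        state = {}
        while True:
            line = self.rfile.readline()
            if not line:
                break
            reply, close = reply_for(line, state)
            self.wfile.write(reply)
            if close:
                break


class DeferServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True


if __name__ == "__main__":
    print(run_session(SAMPLE_SESSION))          # [220, 250, 250, 450, 503, 221]
    # For real use bind the fake MX's own address on port 25 (needs root);
    # 127.0.0.1:2525 is an assumption for local testing.
    with DeferServer(("127.0.0.1", 2525), DeferHandler) as srv:
        srv.serve_forever()
```

The address this listens on is the one you give spamd's -M flag on the real MX, and as Craig says it must be a separate public IP from the real server: if the deferring daemon answered on the real MX's address, legitimate senders would be deferred there too.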


spamd and low priority MX

2019-03-02 Thread Thuban
Hello,
I ran into the spamd "-M" flag in the manpage, and I'm not sure to understand
it correctly.

On the server with the highest priority (lower MX), I must set "-M nn.nn.nn.nn"
where nn.nn.nn.nn is the IP of a lower priority MX ?
If there is more than one backup MX (lower priority), does the -M flag can be
called more than once ?

Am I wrong ?

Regards.

thuban



Re: spamd blacklist-mode logging

2019-02-23 Thread Geir Svalland
Ok. Thanks a lot, will try that

On 2019-02-23 00:50, Admin Thorshammare wrote:
> Hello all.
>
> When running spamd in blacklist-mode, does it log its actions anywhere?
> I can't find any info on it, and I'm not even sure it's working.
>
> /Hasse
>



Re: spamd blacklist-mode logging

2019-02-22 Thread Edgar Pettijohn


On Feb 22, 2019 5:51 PM, Geir Svalland  wrote:
>
> Hello all.
>
> When running spamd in blacklist-mode, does it log its actions anywhere?
> I can't find any info on it, and I'm not even sure it's working.
>
> /Hasse
>

Pretty sure it logs to /var/log/daemon

Maybe start it with the -d flag to see if it's starting.



spamd blacklist-mode logging

2019-02-22 Thread Geir Svalland
Hello all.

When running spamd in blacklist-mode, does it log its actions anywhere?
I can't find any info on it, and I'm not even sure it's working.

/Hasse



Re: spamd and google smtp ips

2018-11-05 Thread Misc User

On 11/4/2018 3:06 PM, Mik J wrote:

> Thank you Peter for this opinion.
>
> Misc User, these gmail, live, yahoo spams you're talking about are really
> coming from IP addresses that belong to them? Because on my side it seems
> it's not the case.
>
> In my greylist right now I have rosaronald70s...@gmail.com but if I check the
> IP that originated the spam it's from China Unicom Henan province network. I
> check a second one and it's also from that ISP.
>
> On the other hand if spam is coming from gmail, live, outlook we can blame them
> for not filtering out these spams and high volume sent mails.
> With google you cannot send mails to more than 500 people within 24h
>
> On Sunday 4 November 2018 at 23:49:47 UTC+1, Misc User wrote:
>
>> On 11/4/2018 2:25 PM, Mik J wrote:
>>> Hello Peter,
>>>
>>> Thank you for this article.
>>> Do you know why they, and particularly Microsoft, use very random IPs to send
>>> mail? In that way, they make greylisting not as reliable as it should be. We
>>> could all use greylisting if google or microsoft would use the same 4 or 5
>>> IPs to retry sending the mails.
>>> Google and Microsoft don't help to fight against spam.
>>
>> In my experience Google and Microsoft are the source of most of my spam.
>> About 80% of it comes from a hijacked gmail, live.com, or outlook.com
>> accounts.  The rest from yahoo and gmx.com addresses with a sprinkling
>> of one-off spam domains making up the last percentage points.


Yep, coming from legitimate servers.  All the mail I look after goes 
through a filter that does both a reverse-lookup of the IP address as 
well as a lookup of the owner for the AS number that that IP belongs to 
and will flag up any differences (I have a table that it uses to list 
what domains are owned by what corporate entities assembled from whois 
lookups against the domain and recording the entity).  This also goes 
into a set of filters to flag email from domains registered within the 
last 30 days.


I work for an MSSP that does virtual SOC work for a lot of high profile 
clients where a successful piece of spam has a high chance of a massive 
return.  I've noticed that a lot of spam will cycle through a bunch of 
different accounts with the accounts never being used twice for the same 
destination (I presume to avoid wasting time hitting personal spam 
filters) and will only send a few messages to the same destination 
domain (probably to avoid company-wide filters).  The sending account 
seems to also only be used to send 100 messages per day before the next 
account is used (at least this is what I've seen when looking at data 
across all clients), probably to avoid the mail providers' sending limit.




Re: spamd and google smtp ips

2018-11-05 Thread William Ahern
On Sun, Nov 04, 2018 at 02:49:44PM -0800, Misc User wrote:
> On 11/4/2018 2:25 PM, Mik J wrote:
> >   Hello Peter,
> > 
> > Thank you for this article.
> > Do you know why they, and particularly Microsoft, use very random IPs to send
> > mail? In that way, they make greylisting not as reliable as it should be. We
> > could all use greylisting if google or microsoft would use the same 4 or 5
> > IPs to retry sending the mails.
> > Google and Microsoft don't help to fight against spam.
> > 
> 
> In my experience Google and Microsoft are the source of most of my spam.
> About 80% of it comes from a hijacked gmail, live.com, or outlook.com
> accounts.  The rest from yahoo and gmx.com addresses with a sprinkling
> of one-off spam domains making up the last percentage points.

I recently learned of the Email Blocklist project,

  https://msbl.org/ebl.html

It's a DNSBL for drop boxes at GMail, etc. You query the RBL using the
hash of the canonicalized sender address (e.g. Reply-To). I haven't tried it
yet; am curious about false positive rate.
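Added example, not part of William's post or of the EBL project: what a hashed-address DNSBL lookup like the one he describes looks like on the querying side. The canonicalisation (drop display name and angle brackets, trim, lowercase, SHA-1, hex digest as the leftmost label under ebl.msbl.org) is my assumption from the project's description; check msbl.org/ebl.html for the exact rules before relying on it. The resolver is a constructed stub, and the check only treats a 127.0.0.x answer as a listing so a wildcard or parked answer cannot cause a block.

```python
import hashlib

# Assumption: the EBL is queried under this zone, with the hex SHA-1 of the
# canonicalised address as the leftmost label; confirm at msbl.org/ebl.html.
EBL_ZONE = "ebl.msbl.org"


def canonical_sender(addr):
    """Canonicalise a sender address before hashing: keep only the part inside
    the last <...> if present (display names are irrelevant), trim, lowercase.
    (Assumption: the list's own rules may differ; check its documentation.)"""
    addr = addr.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rfind("<") + 1:-1]
    return addr.strip().lower()


def ebl_query_name(addr, zone=EBL_ZONE):
    """DNS name to look up; hashing means the plaintext address never leaves the host."""
    digest = hashlib.sha1(canonical_sender(addr).encode("utf-8")).hexdigest()
    return f"{digest}.{zone}"


def ebl_check(addr, resolve, zone=EBL_ZONE):
    """resolve(name) -> list of A-record strings ([] on NXDOMAIN).
    Only a 127.0.0.x answer counts as a listing; any other answer (a wildcard
    redirect, a parked name) is ignored so it cannot produce false blocks."""
    answers = resolve(ebl_query_name(addr, zone))
    return any(a.startswith("127.0.0.") for a in answers)


# Constructed resolver stub: one hashed name is "listed", one answers with a
# non-loopback address that must be ignored, everything else is NXDOMAIN.
_STUB_ANSWERS = {
    ebl_query_name("Drop.Box@example.test"): ["127.0.0.2"],
    ebl_query_name("parked@example.test"): ["203.0.113.1"],
}


def stub_resolve(name):
    return _STUB_ANSWERS.get(name, [])


if __name__ == "__main__":
    for who in ("drop.box@example.test", "parked@example.test", "nobody@example.test"):
        print(who, "listed" if ebl_check(who, stub_resolve) else "not listed")
```

A real deployment would hand ebl_query_name() to the system resolver and, as William notes, measure the false-positive rate before letting the answer do more than add a score.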



Re: spamd and google smtp ips

2018-11-04 Thread Mik J
Thank you Peter for this opinion.

Misc User, these gmail, live, yahoo spams you're talking about are really
coming from IP addresses that belong to them? Because on my side it seems
it's not the case.

In my greylist right now I have rosaronald70s...@gmail.com but if I check the
IP that originated the spam it's from China Unicom Henan province network. I
check a second one and it's also from that ISP.

On the other hand if spam is coming from gmail, live, outlook we can blame them
for not filtering out these spams and high volume sent mails.
With google you cannot send mails to more than 500 people within 24h

On Sunday 4 November 2018 at 23:49:47 UTC+1, Misc User wrote:

> On 11/4/2018 2:25 PM, Mik J wrote:
>> Hello Peter,
>>
>> Thank you for this article.
>> Do you know why they, and particularly Microsoft, use very random IPs to send
>> mail? In that way, they make greylisting not as reliable as it should be. We
>> could all use greylisting if google or microsoft would use the same 4 or 5
>> IPs to retry sending the mails.
>> Google and Microsoft don't help to fight against spam.
>
> In my experience Google and Microsoft are the source of most of my spam.
> About 80% of it comes from a hijacked gmail, live.com, or outlook.com
> accounts.  The rest from yahoo and gmx.com addresses with a sprinkling
> of one-off spam domains making up the last percentage points.


Re: spamd and google smtp ips

2018-11-04 Thread Misc User

On 11/4/2018 2:25 PM, Mik J wrote:

> Hello Peter,
>
> Thank you for this article.
> Do you know why they, and particularly Microsoft, use very random IPs to send
> mail? In that way, they make greylisting not as reliable as it should be. We
> could all use greylisting if google or microsoft would use the same 4 or 5
> IPs to retry sending the mails.
> Google and Microsoft don't help to fight against spam.

In my experience Google and Microsoft are the source of most of my spam.
About 80% of it comes from a hijacked gmail, live.com, or outlook.com
accounts.  The rest from yahoo and gmx.com addresses with a sprinkling
of one-off spam domains making up the last percentage points.



Re: spamd and google smtp ips

2018-11-04 Thread Peter N. M. Hansteen
On 11/4/18 11:25 PM, Mik J wrote:

> Do you know why they, and particularly Microsoft, use very random IPs to send
> mail? In that way, they make greylisting not as reliable as it should be. We
> could all use greylisting if google or microsoft would use the same 4 or 5
> IPs to retry sending the mails.
> Google and Microsoft don't help to fight against spam.

The larger providers such as the ones you mention seem to have concluded
that they need to send their mail from a large number of different IP
addresses.

As long as they actually use only addresses they have published as valid
senders via their SPF info, we can let them bypass greylisting as
described in the article (or referenced material) and determining
whether any given message was spam becomes the task of other software
such as your favorite content filtering.

I would personally have preferred a clarification of the retry
requirement to specify 'retry from the same IP address', which would
have made greylisting *a lot* easier, but unfortunately that did not
happen (cf
https://bsdly.blogspot.com/2008/10/ietf-failed-to-account-for-greylisting.html).

Cheers,
Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: spamd and google smtp ips

2018-11-04 Thread Mik J
Hello Peter,

Thank you for this article.
Do you know why they, and particularly Microsoft, use very random IPs to send
mail? In that way, they make greylisting not as reliable as it should be. We
could all use greylisting if google or microsoft would use the same 4 or 5
IPs to retry sending the mails.
Google and Microsoft don't help to fight against spam.

On Sunday 4 November 2018 at 21:56:35 UTC+1, Peter N. M. Hansteen wrote:

> A final followup on this issue - I wrote a (relatively) short piece on
> greylisting vs domains with multiple outbound SMTP servers, which
> includes the little script I use to create a nospamd from a list of
> domains, of course by feeding to 'smtpctl spf walk'.
>
> You can find the article at
> https://bsdly.blogspot.com/2018/11/goodness-enumerated-by-robots-or.html
> - TL;DR: don't download *my* nospamd, use smtpctl to generate your own :)
>
> All the best,
> Peter
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

  


Re: spamd and google smtp ips

2018-11-04 Thread Peter N. M. Hansteen
A final followup on this issue - I wrote a (relatively) short piece on
greylisting vs domains with multiple outbound SMTP servers, which
includes the little script I use to create a nospamd from a list of
domains, of course by feeding to 'smtpctl spf walk'.

You can find the article at
https://bsdly.blogspot.com/2018/11/goodness-enumerated-by-robots-or.html
- TL;DR: don't download *my* nospamd, use smtpctl to generate your own :)

All the best,
Peter
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: spamd and google smtp ips

2018-11-03 Thread Peter N. M. Hansteen
On 10/30/18 8:46 PM, Chris Narkiewicz wrote:
> On 30/10/2018 at 19:31, Peter N. M. Hansteen wrote:
>> yes, a well-known problem, and it's what nospamd (hinted at in the spamd
>> man pages) is for.
>>
>> To some extent it helps to whitelist IP addresses and networks that
>> domains list in their SPF info.
> 
> Yeah, I hoped there are some reputable sources of validated mail
> sources based on SPF and DKIM.
> 
> I'll give a try to your compiled list, but the fact you maintain
> it manually is a bit discouraging.

I've replaced the manually maintained list with a generated one -
basically what you'll find at that URL now is the result of running
'smtpctl spf walk' over a list of interesting domains. I run this now at
quasi-random intervals at bsdly.net.

I took a look at the old list over last few days and did find some odd
sediments such as addresses that no longer had a reverse lookup. I've
preserved the old sedimentary collection at
https://www.bsdly.net/~peter/nospamd.preserved_20181103.txt for
reference. The file at https://www.bsdly.net/~peter/nospamd is now the
generated version, without those artifacts.

The script that generates the new version provides information about the
domains in a more consistent fashion. The script is as you can imagine
truly trivial (you should be able to recreate it from just reading the
output), but I might put it somewhere accessible if there's interest (or
if I can make a writeup that I can make interesting enough to accompany it).

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: spamd and google smtp ips

2018-11-01 Thread Chris Narkiewicz

On 30/10/2018 at 23:39, Stuart Henderson wrote:

> I haven't run spamd myself for years, I got fed up with delayed and
> lost mails.

Thanks. That was probably the tipping comment for me - I decided to search
for alternative spam protection.

It's the lost e-mails being the thing I cannot afford, and in the absence
of a *reliable* whitelist, I decided not to go this route.


Best regards,
Chris



Re: spamd and google smtp ips

2018-10-31 Thread Mario Theodoridis



On 31.10.2018 17:09, Kevin Chadwick wrote:

> On 10/30/18 8:05 PM, Mario Theodoridis wrote:
>> I ran into this problem as well.
>> I ended up writing a script that parses the SPF entries out of the greylist and
>> if reasonable, whitelists those ranges and removes the grey
>> list entries. It runs every 15 minutes.
>
> smtpctl now has an spf walk function that may shorten your script?

Thanks Kevin.
That'd be one less wheel to invent.

--
Kind regards/Best regards

Mario Theodoridis



Re: spamd and google smtp ips

2018-10-31 Thread Kevin Chadwick
On 10/30/18 8:05 PM, Mario Theodoridis wrote:
> I ran into this problem as well.
> I ended up writing a script that parses the SPF entries out of the greylist 
> and
> if reasonable, whitelists those ranges and removes the grey
> list entries. It runs every 15 minutes.

smtpctl now has an spf walk function that may shorten your script?



Re: spamd and google smtp ips

2018-10-31 Thread Mario Theodoridis



On 30.10.2018 20:46, Chris Narkiewicz wrote:

> On 30/10/2018 at 19:31, Peter N. M. Hansteen wrote:
>> yes, a well-known problem, and it's what nospamd (hinted at in the spamd
>> man pages) is for.
>>
>> To some extent it helps to whitelist IP addresses and networks that
>> domains list in their SPF info.
>
> Yeah, I hoped there are some reputable sources of validated mail
> sources based on SPF and DKIM.
>
> I'll give a try to your compiled list, but the fact you maintain
> it manually is a bit discouraging.

I ran into this problem as well.
I ended up writing a script that parses the SPF entries out of the 
greylist and if reasonable, whitelists those ranges and removes the grey 
list entries. It runs every 15 minutes.


This works with the following rules
pass in quick on $extIf proto tcp from  to $pubIp port smtp \
    rdr-to $mailsrv
pass in quick on $extIf proto tcp from ! to $pubIp port smtp \
    rdr-to 127.0.0.1 port $spamdPort

The trapping function when it goes to the wrong recipient works for me 
and probably does not scale.
The spamdb -Gd calls to remove the greylist entries are something I 
patched into spamd, but it seems that functionality has somehow made it 
into the regular binary.


The script is fairly debugged and has run for me over a year with good 
results, but seriously lacks tests of any kind.

Your mileage may vary.

--
Kind regards/Best regards

Mario Theodoridis

#!/usr/bin/env python2.7
import subprocess, traceback, os, re, sys, time
import dns.resolver, dns.name, dns.exception
import socket,struct

# State shared by getIplist(); the part of the script that set it up was
# cut off in the list archive, so it is initialised here.
recursions = 0
hosts = {}

def doLog(msg, caller=2):
    debugLog = '/var/log/scanSpam.log'
    stk = traceback.extract_stack()
    orig = ''
    for i in range(0, len(stk)-caller):
        if stk[i][3] == None:
            orig += '__main__:'
        else:
            orig += stk[i][3] + ':'
    x = stk[-caller][1]
    out = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime()) + ' ' + msg \
        + ' STACK[' + orig + str(x) + ']\n'
    wh = open(debugLog, 'a')
    wh.write(out)
    wh.close()


def run(command, caller=3):
    """ run(command) -> (returncode, stdout, stderr)

    Runs the given command in the shell and returns the output and return code """
    proc = subprocess.Popen(command, stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE, shell=True)
    (out, err) = proc.communicate()
    doLog("COM:[" + command + "]   RC:[" + str(proc.returncode) + "]  OUT:[" \
          + out.strip() + "]  ERR:[" + err.strip() + "]", caller)
    return (proc.returncode, out, err)

def makeMask(n):
    "return a mask of n bits as a long integer"
    # NOTE: the archive copy lost the text between here and the
    # "if len(pcs) > 1" below (it was swallowed as an HTML tag); the mask
    # expression and the start of getIpNetMask follow from the names the
    # rest of the script uses (pcs, ip, net_n_bits).
    return (2L << n - 1) - 1

def getIpNetMask(net_n_bits):
    "split 'a.b.c.d/nn' into (address, prefix length); no or bad prefix means /32"
    pcs = net_n_bits.split('/')
    ip = pcs[0]
    if len(pcs) > 1:
        try:
            mask = int(pcs[1])
        except ValueError:
            mask = 32
    else:
        mask = 32
    return (ip, mask)

def addressInNet(ip, net_n_bits):
    ipaddr = struct.unpack('>L', socket.inet_aton(ip))[0]
    net, bits = getIpNetMask(net_n_bits)
    netaddr = struct.unpack('>L', socket.inet_aton(net))[0]
    netmask = (1 << 32) - (1 << 32 - bits)
    return ipaddr & netmask == netaddr & netmask

def getIplist(dName, ipl, isRecursive=False):
    global recursions, hosts
    domain = dName.to_text()
    if hosts.has_key(domain):
        doLog("Ignoring duplicate domain {0:s}".format(domain))
        return

    hosts[domain] = True
    recursions += 1
    if recursions > 50:
        doLog("Over {0:d} recursions, quitting".format(recursions))
        return
    try:
        answers = dns.resolver.query(dName, 'TXT')
    except dns.exception.DNSException:
        # no TXT record: fall back to the parent domain once deep enough
        if len(dName.labels) > 3:
            p = dName.parent()
            getIplist(p, ipl)
        return
    for data in answers:
        for txt in data.strings:
            doLog("recursion {0:d} queried [{1:s}]".format(recursions, txt))
            f = txt.split(' ')
            if re.match('v=spf1', f[0].strip()):
                parseSpf(f[1:], ipl, dName)

def getARecord(dName, ipl, subnet=''):
    try:
        answers = dns.resolver.query(dName, 'A')
    except dns.exception.DNSException:
        return
    for data in answers:
        ipl.append(data.address+subnet)

def getMxRecord(dName, ipl, subnet=''):
    try:
        answers = dns.resolver.query(dName, 'MX')
    except dns.exception.DNSException:
        return
    for data in answers:
        mx = data.exchange.to_text()
        # an MX that is already a dotted quad needs no A lookup
        if re.match('^[\d\.]{7,15}$', mx):
            ipl.append(mx+subnet)
            continue
        getARecord(mx, ipl, subnet)

def parseSpf(fields, ipl, dName):
    for fld in fields:
        doLog('parsing [{0:s}]'.format(fld))
        kv = fld.split(':')
        key = kv[0].strip()
        m = re.search('^(a|mx)(/|:|$)', key)
        if m:
            type = m.group(1)
            if type == 'a':
                getter = getARecord
            else:
                getter = getMxRecord
            # the remainder of parseSpf and of the script is missing from
            # the list archive

Re: spamd and google smtp ips

2018-10-31 Thread Thuban
* Stuart Henderson on [30-10-2018 23:39:23 +]:
> On 2018-10-30, Chris Narkiewicz  wrote:
> > Hi,
> >
> > I'm configuring spamd and I noticed that when I send an e-mail from 
> > GMail, each time the e-mail is submitted by a different IP address.
> >
> > Here is spamdb output after sending a test email to myself:
> >
> > GREY|209.85.219.182|mail-yb1-f182.google.com|...
> > GREY|209.85.219.177|mail-yb1-f177.google.com|...
> > GREY|209.85.219.176|mail-yb1-f176.google.com|...
> > GREY|209.85.219.172|mail-yb1-f172.google.com|...
> > GREY|209.85.219.180|mail-yb1-f180.google.com|...
> > GREY|209.85.219.175|mail-yb1-f175.google.com|...
> > GREY|209.85.219.173|mail-yb1-f173.google.com|...
> > GREY|209.85.219.179|mail-yb1-f179.google.com|...
> > GREY|209.85.208.46|mail-ed1-f46.google.com|...
> > GREY|209.85.161.52|mail-yw1-f52.google.com|...
> > ... snip ...
> >
> > Of course they are not whitelisted, as each submission
> > attempt is done by a different node and I guess google has A LOT of
> > them. I see 2 issues with that:
> >
> > 1) e-mail delivery takes a lot of time (as google uses exponential 
> > backoff and stops frequent retries after a few failures)
> >
> > 2) whitelisted IPs are more likely being expired, as my server is
> > not getting a lot of gmail traffic
> >
> > I suppose different big e-mail providers will
> > have similar issues.
> >
> > I'm also running a BGP server to download a whitelist,
> > but it does not contain google servers.
> >
> > Are there any solutions to get around this problem? Ideally I'd like
> > to just whitelist reputable mail providers as I see little chance
> > that any spammer will outsmart Google/Yahoo/Microsoft/etc.


To solve this problem, I use two methods:

## whitelist from bsdly.net (thanks again Peter :)

In /etc/pf.conf:

table <nospamd> persist file "/etc/mail/nospamd"
pass in on egress proto tcp from <nospamd> to any port smtp

In /etc/weekly.local:

echo "update nospamd file"
ftp -o /etc/mail/nospamd http://www.bsdly.net/~peter/nospamd


## whitelist from spf walk:

In /etc/mail/spamd.conf:

all:\
	:nixspam:bgp-spamd:bsdlyblack:whitelist:

...

whitelist:\
	:white:\
	:method=file:\
	:file=/etc/mail/whitelist.txt

In /etc/weekly.local:

/usr/local/bin/domain-white-spamd

In /usr/local/bin/domain-white-spamd, adjust with the domains you need:

#!/bin/sh
# Rebuild the spamd whitelist file from the SPF records of the domains
# below. Each domain is expanded by "smtpctl spf walk"; the list is written
# to a temporary file first and only moved into place once it is complete.

TMP=$(mktemp)

WHITELIST=/etc/mail/whitelist.txt

DOMAINS='outlook.com
gmail.com
google.com
hotmail.com
yahoo.com
yahoo.fr
live.fr
mail-out.ovh.net
mxb.ovh.net
gandi.net
laposte.net
github.com
protonmail.com
'

for d in $DOMAINS; do
	echo "$d" | smtpctl spf walk >> "$TMP"
done
mv "$TMP" "$WHITELIST"
exit 0




-- 
thuban
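Mario's script above and thuban's domain-white-spamd both do the same job: turn a domain's SPF record into a list of networks, Mario's via dnspython and thuban's via `smtpctl spf walk`. The following is an added example, not code from either poster or from OpenSMTPD, that shows what such a walk has to get right: following include: and redirect=, expanding a and mx, refusing include loops, stopping at the RFC 7208 limit of ten DNS-querying terms, and collapsing the result into one line per pf table entry. DNS is replaced by a constructed in-memory zone (example.test, _spf.mailer.test, other.test and every address in it are made up, and so is the CHAIN_ZONE used to exercise the lookup limit); lookup() is a stand-in that takes (name, type), and a real resolver with the same signature can be dropped in.

```python
import ipaddress
import re

# Constructed stand-in for DNS answers, keyed by (name, record type).
# Every name and address here is made up; nothing is a real zone.
SAMPLE_ZONE = {
    ("example.test", "TXT"): ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.test a mx -all"],
    ("_spf.mailer.test", "TXT"): ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/48 "
                                  "include:_spf.mailer.test redirect=other.test"],
    ("other.test", "TXT"): ["v=spf1 ip4:203.0.113.0/28 ~all"],
    ("example.test", "A"): ["192.0.2.25"],
    ("example.test", "MX"): ["mail.example.test"],
    ("mail.example.test", "A"): ["192.0.2.26"],
}

# Constructed zone with a 20-deep include chain, to exercise the lookup limit.
CHAIN_ZONE = {(f"d{i}.test", "TXT"): [f"v=spf1 ip4:10.{i}.0.0/16 include:d{i + 1}.test -all"]
              for i in range(20)}

MAX_LOOKUPS = 10   # RFC 7208: at most 10 DNS-querying terms (include, a, mx, redirect)
A_OR_MX = re.compile(r"(a|mx)(?::([^/]+))?(?:/(\d{1,3}))?$", re.IGNORECASE)


def lookup(name, rtype, zone=SAMPLE_ZONE):
    """Resolver stand-in; a real DNS client with the same (name, type) signature drops in."""
    return zone.get((name.lower().rstrip("."), rtype), [])


def spf_walk(domain, resolve=lookup, _seen=None, _state=None):
    """Enumerate the networks a domain's SPF record authorises to send mail.

    This is an enumerator, not a policy evaluator: qualifiers (+ - ~ ?) are
    ignored, and ptr/exists, which cannot be turned into a list, are skipped.
    """
    seen = _seen if _seen is not None else set()        # domains already expanded
    state = _state if _state is not None else {"lookups": 0}
    domain = domain.lower().rstrip(".")
    if domain in seen:                                   # include/redirect loop
        return set()
    seen.add(domain)
    record = next((t for t in resolve(domain, "TXT") if t.lower().startswith("v=spf1")), None)
    if record is None:
        return set()

    nets, redirect = set(), None
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")
        low = term.lower()
        if low.startswith("redirect="):
            redirect = term.split("=", 1)[1]             # applied after the mechanisms
            continue
        if low == "all" or low.startswith(("exp=", "ptr", "exists:")):
            continue
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            nets.add(ipaddress.ip_network(arg, strict=False).with_prefixlen)
            continue
        m = A_OR_MX.match(term)
        if mech != "include" and not m:
            continue                                     # unknown term: skip, don't guess
        if state["lookups"] >= MAX_LOOKUPS:
            break                                        # over budget; a checker would permerror
        state["lookups"] += 1
        if mech == "include":
            nets |= spf_walk(arg, resolve, seen, state)
            continue
        kind, host, plen = m.group(1).lower(), m.group(2) or domain, m.group(3) or "32"
        hosts = resolve(host, "MX") if kind == "mx" else [host]
        for h in hosts:                                  # IPv4 only; AAAA would go the same way
            for addr in resolve(h, "A"):
                nets.add(ipaddress.ip_network(f"{addr}/{plen}", strict=False).with_prefixlen)

    if redirect and state["lookups"] < MAX_LOOKUPS:
        state["lookups"] += 1
        nets |= spf_walk(redirect, resolve, seen, state)
    return nets


def to_table_lines(nets):
    """Collapse overlapping networks per address family into pf table lines."""
    lines = []
    for version in (4, 6):
        fam = [n for n in map(ipaddress.ip_network, nets) if n.version == version]
        lines.extend(str(n) for n in ipaddress.collapse_addresses(fam))
    return lines


if __name__ == "__main__":
    for line in to_table_lines(spf_walk("example.test")):
        print(line)
```

The self-include in _spf.mailer.test and the 20-deep CHAIN_ZONE are there because a walker that lacks the seen-set and the lookup budget will either loop or let one badly written record drag in an unbounded number of networks; the collapse step matters because large providers publish overlapping prefixes, and pf does not need the duplicates.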



Re: spamd and google smtp ips

2018-10-31 Thread Craig Skinner
On Tue, 30 Oct 2018 18:54:43 + Chris Narkiewicz wrote:
> Are there any solutions to get around this problem? Ideally I'd like
> to just whitelist reputable mail providers ...

Yes Chris, see: http://web.Britvault.Co.UK/products/ungrey-robins/

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: spamd and google smtp ips

2018-10-30 Thread Stuart Henderson
On 2018-10-30, Chris Narkiewicz  wrote:
> Hi,
>
> I'm configuring spamd and I noticed that when I send an e-mail from 
> GMail, each time the e-mail is submitted by a different IP address.
>
> Here is spamdb output after sending a test email to myself:
>
> GREY|209.85.219.182|mail-yb1-f182.google.com|...
> GREY|209.85.219.177|mail-yb1-f177.google.com|...
> GREY|209.85.219.176|mail-yb1-f176.google.com|...
> GREY|209.85.219.172|mail-yb1-f172.google.com|...
> GREY|209.85.219.180|mail-yb1-f180.google.com|...
> GREY|209.85.219.175|mail-yb1-f175.google.com|...
> GREY|209.85.219.173|mail-yb1-f173.google.com|...
> GREY|209.85.219.179|mail-yb1-f179.google.com|...
> GREY|209.85.208.46|mail-ed1-f46.google.com|...
> GREY|209.85.161.52|mail-yw1-f52.google.com|...
> ... snip ...
>
> Of course they are not whitelisted, as each submission
> attempt is done by a different node and I guess google has A LOT of
> them. I see 2 issues with that:
>
> 1) e-mail delivery takes a lot of time (as google uses exponential 
> backoff and stops frequent retries after a few failures)
>
> 2) whitelisted IPs are more likely being expired, as my server is
> not getting a lot of gmail traffic
>
> I suppose different big e-mail providers will
> have similar issues.
>
> I'm also running a BGP server to download a whitelist,
> but it does not contain google servers.
>
> Are there any solutions to get around this problem? Ideally I'd like
> to just whitelist reputable mail providers as I see little chance
> that any spammer will outsmart Google/Yahoo/Microsoft/etc.

Opinions definitely vary, but my 2p:

I haven't run spamd myself for years, I got fed up with delayed and
lost mails. My opinion is that unless you have a really busy mail system
behind spamd you're unlikely to get a good set of hosts kept in the
whitelist without a bunch of work. It's not just office365 and gmail
(which are a pain but can be mostly dealt with by iterating through
SPF records and figuring out the addresses of the outgoing mail
servers), it's also "transactional" email. Password resets, email
address verification, information about orders, tickets, etc. In
the past I've particularly noticed this as a problem on mail sent
directly from webservers which are often quite poorly set up,
sometimes they haven't retried at all, sometimes they've been
on a VERY slow retry schedule.

Funnily enough the majority of spam that makes it to my inbox is
received forwarded from a box that *is* running spamd. Maybe spamd
would stop some junk but I get the impression it's likely to be
junk that would be fairly easily blockable by other methods anyway
and the pain isn't worth it for me.




Re: spamd and google smtp ips

2018-10-30 Thread Scott Seekamp
On 30.10.2018 13:59, Peter N. M. Hansteen wrote:

> On 10/30/18 8:46 PM, Chris Narkiewicz wrote:
>> On 30/10/2018 at 19:31, Peter N. M. Hansteen wrote:
>>> yes, a well-known problem, and it's what nospamd (hinted at in the spamd
>>> man pages) is for.
>>>
>>> To some extent it helps to whitelist IP addresses and networks that
>>> domains list in their SPF info.
>>
>> Yeah, I hoped there are some reputable sources of validated mail
>> sources based on SPF and DKIM.
>>
>> I'll give a try to your compiled list, but the fact you maintain
>> it manually is a bit discouraging.
>
> Fortunately MX records and by extension SPF info per domain changes
> infrequently enough that a semi-manually maintained list will be mostly
> right, most of the time.
>
> But you're right in principle -- I *should* really take the time out to
> recreate the list of domains that went into it and just re-generate with
> smtpctl spf walk something like once per day or once per week.
>
> All the best,
> Peter

I regenerate once an hour at least and still get burned by some major
domains changing SPF IPs constantly. It's pretty frustrating, but once
you get an update process in place it settles down and doesn't require
much handholding.

Thanks 

Scott


Re: spamd and google smtp ips

2018-10-30 Thread Gilles Chehade
On Tue, Oct 30, 2018 at 08:59:07PM +0100, Peter N. M. Hansteen wrote:
> On 10/30/18 8:46 PM, Chris Narkiewicz wrote:
> > On 30/10/2018 at 19:31, Peter N. M. Hansteen wrote:
> >> yes, a well-known problem, and it's what nospamd (hinted at in the spamd
> >> man pages) is for.
> >>
> >> To some extent it helps to whitelist IP addresses and networks that
> >> domains list in their SPF info.
> > 
> > Yeah, I hoped there are some reputable sources of validated mail
> > sources based on SPF and DKIM.
> > 
> > I'll give a try to your compiled list, but the fact you maintain
> > it manually is a bit discouraging.
> 
> Fortunately MX records and by extension SPF info per domain changes
> infrequently enough that a semi-manually maintained list will be mostly
> right, most of the time.
> 
> But you're right in principle -- I *should* really take the time out to
> recreate the list of domains that went into it and just re-generate with
> smtpctl spf walk something like once per day or once per week.
> 

Like this?

https://github.com/Mailbrix/lists

:-)

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg



Re: spamd and google smtp ips

2018-10-30 Thread Peter N. M. Hansteen
On 10/30/18 8:46 PM, Chris Narkiewicz wrote:
> On 30/10/2018 at 19:31, Peter N. M. Hansteen wrote:
>> yes, a well-known problem, and it's what nospamd (hinted at in the spamd
>> man pages) is for.
>>
>> To some extent it helps to whitelist IP addresses and networks that
>> domains list in their SPF info.
> 
> Yeah, I hoped there are some reputable sources of validated mail
> sources based on SPF and DKIM.
> 
> I'll give a try to your compiled list, but the fact you maintain
> it manually is a bit discouraging.

Fortunately MX records and by extension SPF info per domain changes
infrequently enough that a semi-manually maintained list will be mostly
right, most of the time.

But you're right in principle -- I *should* really take the time out to
recreate the list of domains that went into it and just re-generate with
smtpctl spf walk something like once per day or once per week.

All the best,
Peter
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: spamd and google smtp ips

2018-10-30 Thread Chris Narkiewicz

On 30/10/2018 at 19:31, Peter N. M. Hansteen wrote:

> yes, a well-known problem, and it's what nospamd (hinted at in the spamd
> man pages) is for.
>
> To some extent it helps to whitelist IP addresses and networks that
> domains list in their SPF info.

Yeah, I hoped there are some reputable sources of validated mail
sources based on SPF and DKIM.

I'll give a try to your compiled list, but the fact you maintain
it manually is a bit discouraging.

Best regards,
Chris



Re: spamd and google smtp ips

2018-10-30 Thread Peter N. M. Hansteen
On 10/30/18 7:54 PM, Chris Narkiewicz wrote:
> Hi,
> 
> I'm configuring spamd and I noticed that when I send an e-mail from
> GMail, each time the e-mail is submitted by a different IP address.

yes, a well-known problem, and it's what nospamd (hinted at in the spamd
man pages) is for.

To some extent it helps to whitelist IP addresses and networks that
domains list in their SPF info.

feeding interesting domains into smtpctl spf walk is good for keeping an
up to date list to be fed into your nospamd table.

If you trust me to keep the list up to date, you're of course welcome to
fetch my hand maintained one at https://home.nuug.no/~peter/nospamd
(later parts generated by echo $domain | smtpctl spf walk, older parts
by host -ttxt $domain).

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



spamd and google smtp ips

2018-10-30 Thread Chris Narkiewicz

Hi,

I'm configuring spamd and I noticed that when I send an e-mail from 
GMail, each time the e-mail is submitted by a different IP address.


Here is spamdb output after sending a test email to myself:

GREY|209.85.219.182|mail-yb1-f182.google.com|...
GREY|209.85.219.177|mail-yb1-f177.google.com|...
GREY|209.85.219.176|mail-yb1-f176.google.com|...
GREY|209.85.219.172|mail-yb1-f172.google.com|...
GREY|209.85.219.180|mail-yb1-f180.google.com|...
GREY|209.85.219.175|mail-yb1-f175.google.com|...
GREY|209.85.219.173|mail-yb1-f173.google.com|...
GREY|209.85.219.179|mail-yb1-f179.google.com|...
GREY|209.85.208.46|mail-ed1-f46.google.com|...
GREY|209.85.161.52|mail-yw1-f52.google.com|...
... snip ...

Of course they are not whitelisted, as each submission
attempt is done by a different node and I guess google has A LOT of
them. I see 2 issues with that:

1) e-mail delivery takes a lot of time (as google uses exponential 
backoff and stops frequent retries after a few failures)

2) whitelisted IPs are more likely being expired, as my server is
not getting a lot of gmail traffic

I suppose different big e-mail providers will
have similar issues.

I'm also running a BGP server to download a whitelist,
but it does not contain google servers.

Are there any solutions to get around this problem? Ideally I'd like
to just whitelist reputable mail providers as I see little chance
that any spammer will outsmart Google/Yahoo/Microsoft/etc.



Re: spamd does not update /var/db/spamd

2018-10-30 Thread Chris Narkiewicz

On 30/10/2018 at 16:58, Chris Narkiewicz wrote:

> On 30/10/2018 at 15:56, Ricardo Mestre wrote:
>> Hi Chris,
>>
>> You are running spamdb /var/db/spamdb, that's not the way to use it.

I'm sorry, you were right. I misread both your e-mail and man page.
Thank you all for help.

Best regards,
Chris



Re: spamd does not update /var/db/spamd

2018-10-30 Thread Chris Narkiewicz

On 30/10/2018 at 15:53, Solene Rapenne wrote:

> do you run spamd-setup(8)?

Yes, I see that it downloads nixspam and loads 20k IPs into spamd.

Best regards,
Chris



Re: spamd does not update /var/db/spamd

2018-10-30 Thread Chris Narkiewicz

On 30/10/2018 at 15:56, Ricardo Mestre wrote:

> Hi Chris,
>
> You are running spamdb /var/db/spamdb, that's not the way to use it.


According to man spamdb(8) this is how to list all entries, which I
wanted to do.

I see no entries, so I assume the database is empty.

Best regards,
Chris



Re: spamd does not update /var/db/spamd

2018-10-30 Thread Peter N. M. Hansteen
On 10/30/18 4:44 PM, Chris Narkiewicz wrote:
> Database file has correct perms:
> 
> # ls -l /var/db/spamd
> -rw-r--r--  1 _spamd  _spamd  65536 Oct 30 05:30 /var/db/spamd
> 
> # spamdb /var/db/spamd
> 

I think what you are seeing is that spamdb doesn't expect the database
filename as a command line argument.

Try running spamdb with no arguments, that should produce a dump of
database content to standard output, something along the lines of

[Tue Oct 30 17:52:27] peter@skapet:~$ doas spamdb | head
SPAMTRAP|"._-c2b82d2"@bsdly.com
SPAMTRAP|"<-to...@bsdly.net>"
SPAMTRAP|0...@dataped.no
SPAMTRAP|1dd5...@bsdly.net
SPAMTRAP|257aa8...@bsdly.net
SPAMTRAP|31a38c...@bsdly.net
SPAMTRAP|5cfbc...@bsdly.net
SPAMTRAP|62ea02...@bsdly.net
SPAMTRAP|817ac...@bsdly.net
SPAMTRAP|aat...@bsdly.net

and you can of course look for GREY entries only, such as

[Tue Oct 30 17:54:19] peter@skapet:~/$ doas spamdb | grep GREY | head
GREY|198.210.40.39|4c8w39.spinnbitez.biz|||1540899509|1540900120|1540928309|2|0
GREY|78.142.63.211|fresh.vivawebhost.com|||1540905382|1540934182|1540934182|2|0
GREY|193.92.125.157|newsletter9.email-business.net|||1540891280|1540920080|1540920080|2|0
GREY|43.243.166.69|mail3069.app1.reasonables2.com|||1540893857|1540894233|1540922657|4|0
GREY|105.159.253.224|[105.159.253.225]|||1540902518|1540931318|1540931318|1|0
GREY|66.211.185.136|mxphxpool1033.ebay.com|||1540898855|1540907901|1540927655|2|0
GREY|77.241.66.209|mapmyinvestments.com|||1540890070|1540918870|1540918870|1|0
GREY|216.105.168.252|mail.dechaise.info|||1540905637|1540905959|1540934437|2|0
GREY|194.135.153.127|[194.135.153.127]|||1540901213|1540930013|1540930013|2|0
GREY|201.148.104.36|raven10436.ninjahosting.cl|<>||1540916570|1540945370|1540945370|2|0

See if that doesn't turn up the entries you were looking for.

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: spamd does not update /var/db/spamd

2018-10-30 Thread Ricardo Mestre
Hi Chris,

You are running spamdb /var/db/spamdb, that's not the way to use it. The
proper way is to use spamdb key, where key is one of the IP entries you are
getting through spamd. Running just spamdb will show you all entries. 

/mestre

On 15:44 Tue 30 Oct , Chris Narkiewicz wrote:
> Hi,
> 
> I'm trying to use spamd to block spam using graylisting, but the spamd
> database is not updated.
> 
> I run /usr/libexec/spamd -v -d to see what's happening and I definitely see
> hosts connecting to it:
> 
> (GREY) 209.85.219.176: mytestem...@gmail.com> -> 
> Got Grey HELO mail-yb1-f176.google.com, IP 209.85.219.176 from
>  to 
> added  209.85.219.176
> mail-yb1-f176.google.com
> 
> 
> 209.85.219.176 connected for 11 seconds.
> 
> I also tried to submit an email using Python SMTP library and I confirmed
> 451 Temporary failure response.
> 
> But when I browse /var/db/spamd, there is nothing there.
> 
> My spamd is running and is referring to a correct file:
> 
> # ps aux | grep spamd
> _spamd   93211  0.0  0.1  9672  1492 ??  Isp5:29AM0:00.00 spamd: (pf
>  update) (spamd)
> _spamd   59023  0.0  0.5 10012  4836 ??  Ip 5:29AM0:00.02 spamd:
> [priv] (greylist) (spamd)
> _spamd   13468  0.0  0.1  9640  1172 ??  Ip 5:29AM0:00.00 spamd:
> (/var/db/spamd update) (spamd)
> 
> Database file has correct perms:
> 
> # ls -l /var/db/spamd
> -rw-r--r--  1 _spamd  _spamd  65536 Oct 30 05:30 /var/db/spamd
> 
> # spamdb /var/db/spamd
> 
> 
> My spamd config is default.
> OpenBSD 6.3.
> 
> What is wrong with it?
> 
> Best regards,
> Chris
> 



Re: spamd does not update /var/db/spamd

2018-10-30 Thread Solene Rapenne
Chris Narkiewicz  wrote:
> Hi,
> 
> I'm trying to use spamd to block spam using graylisting, but the spamd 
> database is not updated.
> 
> I run /usr/libexec/spamd -v -d to see what's happening and I definitely 
> see hosts connecting to it:
> 
> (GREY) 209.85.219.176: mytestem...@gmail.com> -> 
> Got Grey HELO mail-yb1-f176.google.com, IP 209.85.219.176 from 
>  to 
> added  209.85.219.176
> mail-yb1-f176.google.com
> 
> 
> 209.85.219.176 connected for 11 seconds.
> 
> I also tried to submit an email using Python SMTP library and I 
> confirmed 451 Temporary failure response.
> 
> But when I browse /var/db/spamd, there is nothing there.
> 
> My spamd is running and is referring to a correct file:
> 
> # ps aux | grep spamd
> _spamd   93211  0.0  0.1  9672  1492 ??  Isp5:29AM0:00.00 spamd: 
> (pf  update) (spamd)
> _spamd   59023  0.0  0.5 10012  4836 ??  Ip 5:29AM0:00.02 spamd: 
> [priv] (greylist) (spamd)
> _spamd   13468  0.0  0.1  9640  1172 ??  Ip 5:29AM0:00.00 spamd: 
> (/var/db/spamd update) (spamd)
> 
> Database file has correct perms:
> 
> # ls -l /var/db/spamd
> -rw-r--r--  1 _spamd  _spamd  65536 Oct 30 05:30 /var/db/spamd
> 
> # spamdb /var/db/spamd
> 
> 
> My spamd config is default.
> OpenBSD 6.3.
> 
> What is wrong with it?
> 
> Best regards,
> Chris

do you run spamd-setup(8)?



spamd does not update /var/db/spamd

2018-10-30 Thread Chris Narkiewicz

Hi,

I'm trying to use spamd to block spam using graylisting, but the spamd 
database is not updated.


I run /usr/libexec/spamd -v -d to see what's happening and I definitely 
see hosts connecting to it:


(GREY) 209.85.219.176: mytestem...@gmail.com> -> 
Got Grey HELO mail-yb1-f176.google.com, IP 209.85.219.176 from 
 to 

added  209.85.219.176
mail-yb1-f176.google.com


209.85.219.176 connected for 11 seconds.

I also tried to submit an email using Python SMTP library and I 
confirmed 451 Temporary failure response.


But when I browse /var/db/spamd, there is nothing there.

My spamd is running and is referring to a correct file:

# ps aux | grep spamd
_spamd   93211  0.0  0.1  9672  1492 ??  Isp5:29AM0:00.00 spamd: 
(pf  update) (spamd)
_spamd   59023  0.0  0.5 10012  4836 ??  Ip 5:29AM0:00.02 spamd: 
[priv] (greylist) (spamd)
_spamd   13468  0.0  0.1  9640  1172 ??  Ip 5:29AM0:00.00 spamd: 
(/var/db/spamd update) (spamd)


Database file has correct perms:

# ls -l /var/db/spamd
-rw-r--r--  1 _spamd  _spamd  65536 Oct 30 05:30 /var/db/spamd

# spamdb /var/db/spamd


My spamd config is default.
OpenBSD 6.3.

What is wrong with it?

Best regards,
Chris



Re: SPAMD - GREY Listing Question

2018-10-01 Thread Peter N. M. Hansteen
On 10/01/18 23:36, Antonino Sidoti wrote:

> I notice that Spamd when seeing a first time sender is not being labelled 
> with “GREY” even though the log says it is.
>  
> /var/log/maillog shows a sender being flagged as ‘GREY’;
> 
> Oct  1 17:43:24 obsd-svr3 spamd[84545]: (GREY) 67.219.xxx.250: 
>  -> 
> Oct  1 17:43:24 obsd-svr3 spamd[16185]: Trapping 67.219.xxx.250 for tuple 
> 67.219.xxx.250 test.network-tools.com  
> 
> Oct  1 17:43:24 obsd-svr3 spamd[84545]: 67.219.149.250: disconnected after 13 
> seconds.

This is a sender getting greytrapped. The most likely explanation is
that b...@example.com is either an explicit spamtrap or fails to match
the allowed suffixes in /etc/mail/spamd.alloweddomains

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



SPAMD - GREY Listing Question

2018-10-01 Thread Antonino Sidoti
Hi,

I notice that Spamd when seeing a first time sender is not being labelled with 
“GREY” even though the log says it is.
 
/var/log/maillog shows a sender being flagged as ‘GREY’;

Oct  1 17:43:24 obsd-svr3 spamd[84545]: (GREY) 67.219.xxx.250: 
 -> 
Oct  1 17:43:24 obsd-svr3 spamd[16185]: Trapping 67.219.xxx.250 for tuple 
67.219.xxx.250 test.network-tools.com  

Oct  1 17:43:24 obsd-svr3 spamd[84545]: 67.219.149.250: disconnected after 13 
seconds.

obsd-svr3$ spamdb | grep GREY

No result

obsd-svr3$ spamdb | grep 67.219.xxx.250
TRAPPED|67.219.xxx.250|1541490191

As noted above the sender is “TRAPPED” for which I understand it is 
blacklisted. I am running ‘spamd’ in default mode and only added -v flag in 
'/etc/rc.conf.local’;

spamd_flags=-v

The ‘spamd’ process is like so;

obsd-svr3$ ps -aux | grep spam
_spamd   54244  0.0  0.1   580  1496 ??  Ssp   Sat03PM0:15.98 
/usr/libexec/spamlogd -l pflog1
_spamd   10589  0.0  0.1  9712  1552 ??  Ssp5:40PM0:00.11 spamd: (pf 
 update) (spamd)
_spamd   84545  0.0  0.2  9924  5012 ??  Sp 5:40PM0:00.19 spamd: [priv] 
(greylist) (spamd)
_spamd   16185  0.0  0.1  9692  1524 ??  Ip 5:40PM0:00.00 spamd: 
(/var/db/spamd update) (spamd)

Can anyone confirm if this is normal or I have an issue with ‘spamd’?

Thanks



Re: stuck on spamd (SOLVED)

2018-06-14 Thread Hasse Hansson
On Thu, Jun 14, 2018 at 11:42:12AM +0100, Craig Skinner wrote:
> Hej hej Hasse,
> 
> On Wed, 13 Jun 2018 22:05:29 +0200 Hasse Hansson wrote:
> > I've adjusted my settings according to your advice, but now it looks
> > like it just directly whitelists every connection without greylisting.
> > 
> > .
> > 
> > ...
> > 
> > This is what my files look like now. spamd.conf is the original one.
> 
> Your spamd.conf file was missing a line terminator. Double quotes are
> opened, but not closed. Could this confuse spamd? Fix & restart spamd.
> 
> Next, check your syslogs for spamd, spamlogd & spamd-setup activity.
> 
> If that doesn't provide the answer, try removing all quick words from
> pf.conf. Block everything, then progressively pass traffic down the
> file. Reload your new rules & check spam* syslog entries.
> 
> Cheers,
> -- 
> Craig Skinner | http://linkd.in/yGqkv7
>
Hello and thank you for answering.
Yes, the problem was with my pf.conf :-)
After adjusting the rules, and using the original spamd.conf,
it's now working as I expected.
TY for all the help.
/Hasse 



Re: stuck on spamd

2018-06-14 Thread Craig Skinner
Hej hej Hasse,

On Wed, 13 Jun 2018 22:05:29 +0200 Hasse Hansson wrote:
> I've adjusted my settings according to your advice, but now it looks
> like it just directly whitelists every connection without greylisting.
> 
> .
> 
> ...
> 
> This is what my files look like now. spamd.conf is the original one.

Your spamd.conf file was missing a line terminator. Double quotes are
opened, but not closed. Could this confuse spamd? Fix & restart spamd.

Next, check your syslogs for spamd, spamlogd & spamd-setup activity.

If that doesn't provide the answer, try removing all quick words from
pf.conf. Block everything, then progressively pass traffic down the
file. Reload your new rules & check spam* syslog entries.

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: stuck on spamd (SOLVED)

2018-06-14 Thread Hasse Hansson
Thank you for your answer.
I made some adjustments to my pf.conf according to your advice,
and now it's working as I expected.

smtp$ cat spamd

Jun 14 11:30:39 smtp spamd[12751]: 185.234.216.204: disconnected after 12 
seconds.
Jun 14 11:30:46 smtp spamd[12751]: 91.121.119.198: connected (1/0)
Jun 14 11:30:49 smtp spamd[12751]: 91.121.119.198: disconnected after 3 seconds.
Jun 14 11:33:06 smtp spamd[12751]: 185.234.216.189: connected (1/0)
Jun 14 11:33:18 smtp spamd[12751]: 185.234.216.189: disconnected after 12 
seconds.
Jun 14 11:35:36 smtp spamd[12751]: 8.8.178.116: connected (1/0)
Jun 14 11:35:48 smtp spamd[12751]: (GREY) 8.8.178.116: 
 -> 
Jun 14 11:35:48 smtp spamd[12751]: 8.8.178.116: disconnected after 12 seconds.
Jun 14 11:41:38 smtp spamd[12751]: 8.8.178.116: connected (1/0)
Jun 14 11:41:49 smtp spamd[12751]: (GREY) 8.8.178.116: 
 -> 
Jun 14 11:41:50 smtp spamd[12751]: 8.8.178.116: disconnected after 12 seconds.
Jun 14 11:42:16 smtp spamd[12751]: 185.234.216.189: connected (1/0)
Jun 14 11:42:27 smtp spamd[12751]: 185.234.216.189: disconnected after 11 
seconds.
--

$sudo spamdb | sort
GREY|91.136.10.242|mail37c50.megamailservers.eu|||1528971077|1528985477|1528985477|1|0
GREY|91.136.10.246|mail56c50.megamailservers.eu|<||1528971015|1528985415|1528985415|1|0
GREY|91.136.10.248|mail56c50.megamailservers.eu|||1528970741|1528971075|1528985141|2|0
WHITE|209.85.213.47|||1528970463|1528970663|1532081115|2|0
WHITE|8.8.178.116|||1528968948|1528969309|1532080298|2|1
WHITE|91.136.10.240|||1528970713|1528971017|1532081475|2|0
WHITE|91.136.10.248|||1528970741|1528971075|1532081535|2|0

--

localnet = $int_if:network
tcp_services = "{ domain, ntp, imap, imaps, pop3, pop3s }"
#mail_services = "{ smtp, smtps, submission }"
mail_services = "{ smtps, submission }"
udp_services = "{ domain, ntp }"
icmp_types = "echoreq"

table  { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24\
   203.0.113.0/24 }

table  persist
table  persist file "/etc/abusers"
table  persist
table  persist file "/etc/mail/nospamd"

set block-policy drop
set loginterface egress
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)

antispoof quick for { egress $ext_if int_if }

block in quick on egress from  to any
block return out quick on egress from any to 

block in quick log on egress from  to any label "abusers"

block all
#pass out quick inet

pass in on egress inet proto tcp from any to any port smtp \
divert-to 127.0.0.1 port spamd
pass in on egress proto tcp from  to any port smtp
pass in log on egress proto tcp from  to any port smtp
pass out log on egress proto tcp to any port smtp

#pass in on { $ext_if } inet

pass log quick proto tcp from any to (egress) port ssh flags S/SA keep state \
(max-src-conn 15, max-src-conn-rate 5/3, overload  flush global)

pass log quick proto tcp from any to (egress) port $tcp_services flags S/SA keep state \
(max-src-conn 50, max-src-conn-rate 15/5, overload  flush global)

pass log quick proto tcp from any to (egress) port $mail_services flags S/SA keep state \
(max-src-conn 50, max-src-conn-rate 25/5, overload  flush global)

pass in on egress inet proto tcp from any to (egress) port { 80 443 }

pass inet proto tcp from { self, $localnet }

pass log inet proto tcp to port $tcp_services keep state
pass log inet proto tcp to port $mail_services keep state

pass quick inet proto udp to port $udp_services keep state
pass out on $ext_if inet proto udp to port 33433 >< 33626
pass inet proto icmp all icmp-type $icmp_types
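The spamdb dump format, as shown in Peter Hansteen's reply earlier on this page and in the listing above, is easy to post-process once the field layout is known. The following Python is an added example, not code from the thread or from OpenBSD: it parses a dump using the record layouts documented in spamdb(8) (SPAMTRAP|addr, TRAPPED|ip|expire, WHITE|ip|||first|pass|expire|block|pass, GREY|ip|helo|from|to|first|pass|expire|block|pass, times in UNIX seconds) and reports the three things this thread turned on: records already past their expiry, GREY tuples that have been retried after the pass interval, and WHITE hosts that never waited in the greylist, the pattern seen above when every connection was whitelisted directly. The sample dump (TEST-NET addresses, example.* mailboxes, timestamps) is constructed, and the two heuristics are inferences from the record fields and the dumps in this thread, not spamd's own logic.

```python
"""Parse a spamdb(8) dump and summarize greylist state.

Added example for this thread, not OpenBSD code. Record layouts follow
spamdb(8); the "ready" and "never greylisted" heuristics are inferred from
those fields and from the dumps posted in the thread.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Constructed sample dump modelling a box run with "-G 2:4:864"
# (2 min pass time, 4 h grey expiry, 864 h white expiry).
SAMPLE_DUMP = """\
GREY|192.0.2.10|mx1.example.net|<alice@example.net>|<bob@example.org>|1528971077|1528985477|1528985477|1|0
GREY|192.0.2.11|mx2.example.net|<carol@example.net>|<bob@example.org>|1528970741|1528971075|1528985141|2|0
WHITE|192.0.2.11|||1528970741|1528971075|1532081475|2|0
WHITE|198.51.100.7|||1528919648|1528919648|1532030048|1|0
TRAPPED|203.0.113.9|1528900000
SPAMTRAP|nobody-here@example.org
GREY|203.0.113.20|[203.0.113.20]|<x@example.com>|<bob@example.org>|1528950000|1528964400|1528964400|1|0
"""
NOW = 1528972000  # constructed "current time" for the summary


@dataclass
class Entry:
    kind: str          # GREY, WHITE, TRAPPED or SPAMTRAP
    key: str           # IP address, or the trap address for SPAMTRAP
    helo: str = ""
    mail_from: str = ""
    rcpt_to: str = ""
    first: int = 0     # first connection seen
    passed: int = 0    # time the tuple was (or will be) allowed to pass
    expire: int = 0    # time the record expires
    bcount: int = 0    # connections blocked
    pcount: int = 0    # connections passed


def parse_line(line: str) -> Entry:
    """Turn one spamdb output line into an Entry; raise on an unknown shape."""
    f = line.rstrip("\n").split("|")
    kind = f[0]
    if kind == "SPAMTRAP" and len(f) == 2:
        return Entry(kind, f[1])
    if kind == "TRAPPED" and len(f) == 3:
        return Entry(kind, f[1], expire=int(f[2]))
    if kind == "WHITE" and len(f) == 9:
        return Entry(kind, f[1], first=int(f[4]), passed=int(f[5]),
                     expire=int(f[6]), bcount=int(f[7]), pcount=int(f[8]))
    if kind == "GREY" and len(f) == 10:
        return Entry(kind, f[1], helo=f[2], mail_from=f[3], rcpt_to=f[4],
                     first=int(f[5]), passed=int(f[6]), expire=int(f[7]),
                     bcount=int(f[8]), pcount=int(f[9]))
    raise ValueError(f"unrecognised spamdb record: {line!r}")


def parse_dump(text: str) -> list[Entry]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def summarize(entries: list[Entry], now: int) -> dict:
    """Counts per record type plus three lists worth a look:

    - expired: records past their expiry (spamd drops them on its next
      sweep; if they pile up, spamd is probably not running);
    - grey_ready: GREY tuples whose pass time is earlier than their expiry,
      i.e. the sender retried after the pass interval, so the host is (or is
      about to be) whitelisted;
    - whitelisted_without_greylist: WHITE hosts whose first and pass times
      coincide, so they never waited in the greylist (typically added by
      spamlogd or "spamdb -a" rather than by a successful retry).
    """
    out = {
        "counts": dict(sorted(Counter(e.kind for e in entries).items())),
        "expired": [], "grey_ready": [], "whitelisted_without_greylist": [],
    }
    for e in entries:
        if e.kind in ("GREY", "WHITE", "TRAPPED") and e.expire <= now:
            out["expired"].append(e.key)
        elif e.kind == "GREY" and e.passed < e.expire:
            out["grey_ready"].append(e.key)
        elif e.kind == "WHITE" and e.first == e.passed:
            out["whitelisted_without_greylist"].append(e.key)
    return out


if __name__ == "__main__":
    import sys
    import time
    # With a pipe on stdin ("doas spamdb | python3 this.py") use the live
    # dump and the real clock; otherwise run over the constructed sample.
    text = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    now = NOW if text is SAMPLE_DUMP else int(time.time())
    for k, v in summarize(parse_dump(text), now).items():
        print(f"{k}: {v}")
```

On a live box, pipe `doas spamdb` into the script; a long `whitelisted_without_greylist` list combined with an empty `grey_ready` list is the signature of the "everything gets whitelisted directly" state described in this thread.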



Re: stuck on spamd

2018-06-14 Thread Tony Boston
On Wednesday, 13.06.2018, 22:05 +0200, Hasse Hansson wrote:
> Hello and thank you for your answer.
> I've adjusted my settings according to your advice, but now it looks
> like it just directly whitelists every connection without greylisting.
> 
> smtp$ sudo spamdb | sort
> WHITE|104.47.1.210|||1528919648|1528919648|1532030048|1|0
> WHITE|104.47.6.201|||1528919611|1528919611|1532030011|1|0
> WHITE|185.234.216.189|||1528917936|1528917936|1532029991|1|3
> WHITE|185.234.216.204|||1528919598|1528919598|1532029998|1|0
> WHITE|209.85.213.46|||1528918933|1528918933|1532029333|1|0
> WHITE|209.85.213.53|||1528918873|1528918873|1532029273|1|0
> WHITE|40.92.67.106|||1528918696|1528918696|1532029096|1|0
> WHITE|40.92.68.98|||1528918725|1528918725|1532029125|1|0
> WHITE|59.70.207.21|||1528918455|1528918455|1532028855|1|0
> WHITE|91.121.119.198|||1528919326|1528919326|1532029726|1|0
> WHITE|91.136.10.81|||1528919583|1528919583|1532029983|1|0
> 
> This is what my files look like now. spamd.conf is the original one.
>  
> smtp$ sudo cat /etc/rc.conf.local
> httpd_flags=
> pkg_scripts=postfix dovecot saslauthd dbus_daemon avahi_daemon
> messagebus mysqld php70_fpm
> smtpd_flags=NO
> unbound_flags=
> spamd_flags="-v -G 2:4:864"
> spamd_grey=YES
> spamlogd_flags="-I"
> -
> smtp$ sudo cat /etc/pf.conf
> ext_if = "em0"
> int_if = "fxp0"
> localnet = $int_if:network
> tcp_services = "{ domain, ntp, imap, imaps, pop3, pop3s }"
> mail_services = "{ smtp, smtps, submission }"
> udp_services = "{ domain, ntp }"
> icmp_types = "echoreq"
> 
> table  { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
>    172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
>    192.168.0.0/16 198.18.0.0/15 198.51.100.0/24\
>    203.0.113.0/24 }
> 
> table  persist
> table  persist file "/etc/abusers"
> table  persist
> table  persist file "/etc/mail/nospamd"
> 
> set block-policy drop
> set loginterface egress
> set skip on lo0
> 
> match in all scrub (no-df random-id max-mss 1440)
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
> 
> antispoof quick for { egress $ext_if int_if }
> 
> block in quick on egress from  to any
> block return out quick on egress from any to 
> 
> block in quick log on egress from  to any label "abusers"
> 
> block all
> pass out quick inet
> 
> pass in on egress inet proto tcp from any to any port smtp \
> divert-to 127.0.0.1 port spamd
> pass in on egress proto tcp from  to any port smtp
> pass in log on egress proto tcp from  to any port smtp
> pass out log on egress proto tcp to any port smtp
> 
> pass in on { $ext_if } inet
> 
> pass log quick proto tcp from any to (egress) port ssh flags S/SA keep state \
> (max-src-conn 15, max-src-conn-rate 5/3, overload  flush global)
> 
> pass log quick proto tcp from any to (egress) port $tcp_services flags S/SA keep state \
> (max-src-conn 50, max-src-conn-rate 15/5, overload  flush global)
> 
> pass log quick proto tcp from any to (egress) port $mail_services flags S/SA keep state \
> (max-src-conn 50, max-src-conn-rate 25/5, overload  flush global)
> 
> pass in on egress inet proto tcp from any to (egress) port { 80 443 }
> 
> pass inet proto tcp from { self, $localnet }
> 
> pass quick inet proto tcp to port $tcp_services keep state
> pass quick inet proto tcp to port $mail_services keep state
> 
> pass quick inet proto udp to port $udp_services keep state
> pass out on $ext_if inet proto udp to port 33433 >< 33626
> pass inet proto icmp all icmp-type $icmp_types
> 
As far as my knowledge goes, since you say 'pass out quick inet' early
on in the ruleset, the other 'pass out rules' don't get a chance to be
triggered. Also, quick only makes sense if you put them at first, not
somewhere at the end of your ruleset.

--
Tony
 
GPG-FP: 913BBD25 8DA503C7 BAE0C0B6 8995E906 4FBAD580
Threema: DN8PJX4Z
XMPP: tb@bsd.services



Re: stuck on spamd

2018-06-13 Thread Hasse Hansson
Hello and thank you for your answer.
I've adjusted my settings according to your advice, but now it looks like
it just directly whitelists every connection without greylisting.

smtp$ sudo spamdb | sort
WHITE|104.47.1.210|||1528919648|1528919648|1532030048|1|0
WHITE|104.47.6.201|||1528919611|1528919611|1532030011|1|0
WHITE|185.234.216.189|||1528917936|1528917936|1532029991|1|3
WHITE|185.234.216.204|||1528919598|1528919598|1532029998|1|0
WHITE|209.85.213.46|||1528918933|1528918933|1532029333|1|0
WHITE|209.85.213.53|||1528918873|1528918873|1532029273|1|0
WHITE|40.92.67.106|||1528918696|1528918696|1532029096|1|0
WHITE|40.92.68.98|||1528918725|1528918725|1532029125|1|0
WHITE|59.70.207.21|||1528918455|1528918455|1532028855|1|0
WHITE|91.121.119.198|||1528919326|1528919326|1532029726|1|0
WHITE|91.136.10.81|||1528919583|1528919583|1532029983|1|0

This is what my files look like now. spamd.conf is the original one.
 
smtp$ sudo cat /etc/rc.conf.local
httpd_flags=
pkg_scripts=postfix dovecot saslauthd dbus_daemon avahi_daemon messagebus 
mysqld php70_fpm
smtpd_flags=NO
unbound_flags=
spamd_flags="-v -G 2:4:864"
spamd_grey=YES
spamlogd_flags="-I"
-
smtp$ sudo cat /etc/pf.conf
ext_if = "em0"
int_if = "fxp0"
localnet = $int_if:network
tcp_services = "{ domain, ntp, imap, imaps, pop3, pop3s }"
mail_services = "{ smtp, smtps, submission }"
udp_services = "{ domain, ntp }"
icmp_types = "echoreq"

table  { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24\
   203.0.113.0/24 }

table  persist
table  persist file "/etc/abusers"
table  persist
table  persist file "/etc/mail/nospamd"

set block-policy drop
set loginterface egress
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)

antispoof quick for { egress $ext_if int_if }

block in quick on egress from  to any
block return out quick on egress from any to 

block in quick log on egress from  to any label "abusers"

block all
pass out quick inet

pass in on egress inet proto tcp from any to any port smtp \
divert-to 127.0.0.1 port spamd
pass in on egress proto tcp from  to any port smtp
pass in log on egress proto tcp from  to any port smtp
pass out log on egress proto tcp to any port smtp

pass in on { $ext_if } inet

pass log quick proto tcp from any to (egress) port ssh flags S/SA keep state \
(max-src-conn 15, max-src-conn-rate 5/3, overload  flush global)

pass log quick proto tcp from any to (egress) port $tcp_services flags S/SA keep state \
(max-src-conn 50, max-src-conn-rate 15/5, overload  flush global)

pass log quick proto tcp from any to (egress) port $mail_services flags S/SA keep state \
(max-src-conn 50, max-src-conn-rate 25/5, overload  flush global)

pass in on egress inet proto tcp from any to (egress) port { 80 443 }

pass inet proto tcp from { self, $localnet }

pass quick inet proto tcp to port $tcp_services keep state
pass quick inet proto tcp to port $mail_services keep state

pass quick inet proto udp to port $udp_services keep state
pass out on $ext_if inet proto udp to port 33433 >< 33626
pass inet proto icmp all icmp-type $icmp_types



Re: stuck on spamd

2018-06-13 Thread Craig Skinner
Hi Hasse,

I see a few problems:

On Mon, 11 Jun 2018 20:36:12 +0200 Hasse Hansson wrote:
> smtp# cat /etc/rc.conf.local
> ...
> spamlogd_flags="-I -i lo0"

I'd remove the localhost interface then restart spamlogd.


> smtp# cat /etc/pf.conf
> ext_if = "em0"
> ...
> 
> 
> pass in log on egress proto tcp from  to any port smtp

This line follows spamd's man page, i.e. you log incoming traffic on
the egress interface (em0) for spamlogd - correct. But you have
configured spamlogd to listen on lo0 in /etc/rc.conf.local - no match.


> 
> ...
> block all


The block rules need to be above the pass rules, otherwise their
matched traffic is blocked. Move all the block rules up above the pass
rules and reload.


> smtp# cat /etc/mail/spamd.conf
> 
> ...
> :msg="SPAM.  All spmmers get reported !


This line is not closed. It needs ":\

Then restart spamd to invoke spamd-setup.

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7
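Both defects Craig identifies here, a spamd.conf entry cut short by a missing `":\` and block rules placed after the pass rules they are meant to restrict, can be caught mechanically before reloading. The following Python lint is an added example, not from the thread and not the parser used by spamd-setup(8) or pfctl(8): it joins backslash-continued lines the way a termcap-style file is read and flags an entry with an unbalanced double quote, a record with no name (the tell-tale of the previous entry ending one line early), an `all` list that references an undefined entry, and a non-quick `block` rule that comes after `pass` rules, which under pf's last-match-wins evaluation overrides them. Both sample configurations are constructed; the table names `<spamd>` and `<spamd-white>` are the ones from spamd(8).

```python
"""Structural lint for spamd.conf entries and pf rule ordering.

Added example for this thread, not OpenBSD code and not a reimplementation
of the real parsers. It only looks for the two defects discussed above:
a spamd.conf entry that is cut short, and a non-quick "block" rule placed
after "pass" rules (pf keeps the last matching rule unless "quick" stops
evaluation, so such a block wins over the passes above it).
"""
from __future__ import annotations

# Constructed spamd.conf: the "ymer" entry has the defect from the thread,
# its message line is not closed with '":\' so the entry ends a line early.
SAMPLE_SPAMD_CONF = r"""all:\
    :nixspam:ymer:

# Nixspam recent sources list.
nixspam:\
    :black:\
    :msg="Your address %A is in the nixspam list\n\
    See http://www.heise.de/ix/nixspam/dnsbl_en/ for details":\
    :method=http:\
    :file=www.openbsd.org/spamd/nixspam.gz

ymer:\
    :black:\
    :msg="SPAM.  All spammers get reported !
    :method=file:\
    :file=/etc/mail/spammers.txt
"""
FIXED_SPAMD_CONF = SAMPLE_SPAMD_CONF.replace('reported !\n', 'reported !":\\\n')

# Constructed pf.conf fragment with the ordering problem from the thread:
# "block all" after the smtp pass rules silently wins over them.
SAMPLE_PF = """\
table <spamd-white> persist
block in quick on egress from <spamd> to any
pass in on egress inet proto tcp from any to any port smtp \\
    divert-to 127.0.0.1 port spamd
pass in on egress proto tcp from <spamd-white> to any port smtp
block all
"""
FIXED_PF = "block all\n" + SAMPLE_PF.replace("block all\n", "")


def logical_lines(text: str, comment: str = "#") -> list[tuple[int, str]]:
    """Join backslash-continued physical lines; return (start line, text).

    Blank and comment lines between records are skipped. Inside a record,
    a line without a trailing backslash ends it, which is exactly how a
    forgotten '\\' truncates a spamd.conf entry.
    """
    out, cur, start = [], None, 0
    for n, raw in enumerate(text.splitlines(), 1):
        s = raw.strip()
        if cur is None:
            if not s or s.startswith(comment):
                continue
            cur, start = "", n
        if s.endswith("\\"):
            cur += s[:-1]
            continue
        out.append((start, cur + s))
        cur = None
    if cur is not None:          # file ended inside a continuation
        out.append((start, cur))
    return out


def lint_spamd_conf(text: str) -> list[str]:
    """Report cut-short entries, unbalanced quotes and dangling 'all' refs."""
    issues, names, refs = [], set(), []
    for start, body in logical_lines(text):
        name, _, caps = body.partition(":")
        if not name:
            issues.append(f"line {start}: record has no name; the previous "
                          "entry probably lost its trailing backslash")
            continue
        names.add(name)
        if body.count('"') % 2:
            issues.append(f"line {start}: entry '{name}' has an unbalanced "
                          "double quote")
        if name == "all":
            refs = [c for c in caps.split(":") if c]
    issues += [f"'all' references undefined entry '{r}'"
               for r in refs if r not in names]
    return issues


def lint_pf_order(text: str) -> list[str]:
    """Flag non-quick block rules that come after the first pass rule."""
    issues, first_pass = [], None
    for start, rule in logical_lines(text):
        words = rule.split()
        if words[0] == "pass" and first_pass is None:
            first_pass = start
        elif words[0] == "block" and "quick" not in words and first_pass is not None:
            issues.append(f"line {start}: '{rule}' is evaluated after the pass "
                          f"rules starting at line {first_pass}; pf keeps the "
                          "last match, so it blocks what they passed")
    return issues


if __name__ == "__main__":
    for label, found in (("spamd.conf", lint_spamd_conf(SAMPLE_SPAMD_CONF)),
                         ("pf.conf", lint_pf_order(SAMPLE_PF))):
        print(label, found or "ok")
```

`pfctl -nf /etc/pf.conf` still catches syntax errors; this check only looks at rule ordering, which pfctl accepts silently.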



stuck on spamd

2018-06-11 Thread Hasse Hansson
Hello list

I have a problem with spamd. It just doesn't seem to greylist or block,
or do anything else either. I can receive and send mail as usual.

First I had spamlogd_flags="" in my rc.conf.local, but then it immediately
whitelisted every connection on port 25, even the spammer I try to tarpit,
so after some "googling" I changed it to spamlogd_flags="-I -i lo0"
but now it doesn't seem to do anything useful at all, just pass traffic.
"spamdb | sort" shows nothing. It's empty, and so is "smtp# pfctl -t 
spamd-white -T show"

The spammer I try to tarpit is showing up in the maillog with IP address 
158.69.204.241
which I also added to the file /etc/mail/spammers.txt
 
Below is some info on my setup and some logfiles.


smtp# uname -a
OpenBSD smtp.bara1.se 6.3 GENERIC.MP#0 amd64
-

smtp# cat /etc/rc.conf.local
pkg_scripts=postfix dovecot saslauthd dbus_daemon avahi_daemon messagebus
smtpd_flags=NO
spamd_black=NO
spamd_flags="-v -G 2:4:864"
spamlogd_flags="-I -i lo0"
unbound_flags=
---

smtp# cat /etc/pf.conf
ext_if = "em0"
int_if = "fxp0"
localnet = $int_if:network
tcp_services = "{ domain, ntp, imap, imaps, pop3, pop3s }"
mail_services = "{ smtp, smtps, submission }"
udp_services = "{ domain, ntp }"
icmp_types = "echoreq"

table  { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24\
   203.0.113.0/24 }

table  persist
table  persist file "/etc/abusers"
table  persist
table  persist file "/etc/mail/nospamd"

set block-policy drop
set loginterface egress
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)

antispoof quick for { egress $ext_if int_if }

#pass in on egress inet proto tcp from any to any port smtp divert-to 127.0.0.1 port spamd
pass in on egress inet proto tcp from any to any port $mail_services divert-to 127.0.0.1 port spamd
pass in on egress proto tcp from  to any port smtp
pass in log on egress proto tcp from  to any port smtp
pass out log on egress proto tcp to any port smtp

block in quick on egress from  to any
block return out quick on egress from any to 

block in quick log on egress from  to any label "abusers"

block all
pass out quick inet

pass in on { $ext_if } inet

pass log quick proto tcp from any to (egress) port ssh flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload  flush global)
pass log quick proto tcp from any to (egress) port $tcp_services flags S/SA keep state (max-src-conn 50, max-src-conn-rate 15/5, overload  flush global)
pass log quick proto tcp from any to (egress) port $mail_services flags S/SA keep state (max-src-conn 50, max-src-conn-rate 25/5, overload  flush global)

# pass in on egress inet proto tcp from any to (egress) port { 80 443 } rdr-to 192.168.1.2

pass inet proto tcp from { self, $localnet }

pass quick inet proto tcp to port $tcp_services keep state
pass quick inet proto tcp to port $mail_services keep state

pass quick inet proto udp to port $udp_services keep state
pass out on $ext_if inet proto udp to port 33433 >< 33626
pass inet proto icmp all icmp-type $icmp_types


smtp# cat /etc/mail/spamd.conf
all:\
:nixspam:

# Nixspam recent sources list.
# Mirrored from http://www.heise.de/ix/nixspam
nixspam:\
:black:\
:msg="Your address %A is in the nixspam list\n\
See http://www.heise.de/ix/nixspam/dnsbl_en/ for details":\
:method=http:\
:file=www.openbsd.org/spamd/nixspam.gz

ymer:\
:black:\
:msg="SPAM.  All spmmers get reported !
:method=file:\
:file=/etc/mail/spammers.txt
-

smtp# ps -aux | grep "_spamd"
_spamd   69313  0.0  0.0  9708  1552 ??  Ssp4:13PM0:00.07 spamd: (pf 
 update) (spamd)
_spamd   98521  0.0  0.1  9892  4880 ??  Sp 4:13PM0:00.03 spamd: [priv] 
(greylist) (spamd)
_spamd   73091  0.0  0.0  9652  1096 ??  Ip 4:13PM0:00.00 spamd: 
(/var/db/spamd update) (spamd)
_spamd   45365  0.0  0.0   592  1180 ??  Ssp4:13PM0:00.07 
/usr/libexec/spamlogd -I -i lo0
-----

smtp# cat /var/log/spamd
Jun 11 12:10:33 smtp spamd[5122]: listening for incoming connections.
Jun 11 13:08:43 smtp spamd[83538]: listening for incoming connections.
Jun 11 13:17:57 smtp spamd[19498]: listening for incoming connections.
Jun 11 14:12:33 smtp spamd[56085]: listening for incoming connections.
Jun 11 15:01:20 smtp spamd[98811]: listening for incoming connections.
Jun 11 15:12:08 smtp spamd[93875]: listening for incom

Re: spamd and IPv6

2018-02-18 Thread Aham Brahmasmi
> Sent: Wednesday, February 14, 2018 at 11:30 AM
> From: "Denis Fondras" <de...@openbsd.org>
> To: misc@openbsd.org
> Subject: Re: spamd and IPv6
>
> > can anyone tell me what the state of spamd and IPv6 is? I would
> > have expected it to work but I can't set for example ::1 or [::1] as a
> > listening address (neither alone nor together with 127.0.0.1).
> > 
> 
> Unsupported yet. phessler@ has a diff for it.
> 
> 
Hi Denis,

Thank you for the information.

Hi phessler@,

I am interested in the spamd and IPv6 functionality, primarily because
an IPv4 address costs a lot and I wish to run an IPv6-only mail server.

If possible, I would request you to please merge the IPv6 functionality
in the base spamd.

I understand that most folks will consider this to be stupid for someone
like me who is still learning his way around an OS. However, OpenBSD has
been relatively straightforward and hence my IPv6-only (mis?)adventure.

Thanks.

Regards,
ab
-|-|-|-|-|-|-|--



Re: spamd and IPv6

2018-02-14 Thread Niels Kobschaetzki

On 18/02/14 11:30, Denis Fondras wrote:

> > can anyone tell me what the state of spamd and IPv6 is? I would
> > have expected it to work but I can't set for example ::1 or [::1] as a
> > listening address (neither alone nor together with 127.0.0.1).
> 
> Unsupported yet. phessler@ has a diff for it.


Thanks



Re: spamd and IPv6

2018-02-14 Thread Denis Fondras
> can anyone tell me what the state of spamd and IPv6 is? I would
> have expected it to work but I can't set for example ::1 or [::1] as a
> listening address (neither alone nor together with 127.0.0.1).
> 

Unsupported yet. phessler@ has a diff for it.



spamd and IPv6

2018-02-13 Thread Niels Kobschaetzki

Hi,

can anyone tell me what the state of spamd and IPv6 is? I would
have expected it to work but I can't set for example ::1 or [::1] as a
listening address (neither alone nor together with 127.0.0.1).

Niels



Re: spamd randomly and silently dying on OpenBSD 6.1

2017-10-22 Thread Markus Rosjat

Hi again,

I looked further and noticed that syslogd was not the cause; somehow 
spamd died while talking to a server. Could something in the body screw 
up spamd?


here are my logs on that:

 - the spamd log file part

Oct 21 20:24:54 heimdal spamd[46664]: 60.167.119.193: disconnected after 
420 seconds.
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: From: "Valgosocks" 
<osze...@sobainon.co.ua>
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: To: 
<sb.gorb...@awo-sonnenstein.de>
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: Subject: 
=?utf-8?B?ZmFjaG3DpG5uaXNjaGUga29ycmVrdHVyIGRlcyBoYWxsdXggdmFsZ3VzIGFtIGZ1c3M=?=
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: Body: This is a 
multi-part message in MIME format.
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: Body: 
--=_NextPart_000_0006_01D349CD.8A885470
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: Body: Content-Type: 
multipart/alternative;
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: Body: 
boundary="=_NextPart_000_0007_01D349CD.8A885470"
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: Body: 
--=_NextPart_000_0007_01D349CD.8A885470
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: Body: Content-Type: 
text/plain;
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: Body: 
charset="windows-1251"

2017-10-22T06:00:01.101Z heimdal newsyslog[25423]: logfile turned over

 - and the daemon log part

Oct 21 20:24:54 heimdal spamd[46664]: 60.167.119.193: disconnected after 
420 seconds.
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: From: "Valgosocks" 
<osze...@sobainon.co.ua>
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: To: 
<sb.gorb...@awo-sonnenstein.de>
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: Subject: 
=?utf-8?B?ZmFjaG3DpG5uaXNjaGUga29ycmVrdHVyIGRlcyBoYWxsdXggdmFsZ3VzIGFtIGZ1c3M=?=



Am 22.10.2017 um 12:59 schrieb Markus Rosjat:

Hi there,

spamd just died silently again tonight. whats the best way to approach 
the debugging of this kind of behaviour. As I looked at my logs it seems 
that Syslogd causes this because so here is my syslog.conf entry:


!!spamd
daemon.err;daemon.warn;daemon.info;daemon.debug /var/log/spamd

but in my opinion this shouldnt cause trouble at all.

If I can produce more verbose output in anyway give me a hint I'll do :)

Regards

Markus

Am 06.10.2017 um 10:49 schrieb rosjat:

Hi there,


it seems spamd daemon is siliently and randomly dying on a OpenBSd 6.1 
machine. The logs show nothing  that would give some hint and If my 
script for bgp-spamd wouldn tell me it cant connect to spamd I would 
even notice it till the next daily job that tells me that spamlogd 
should run but isnt.


Is there some way to get a more verbose autput when the process is 
daemonized? the -v switch only seems to aplay to the foreground mode.


here is my spamd setting

spamd_class=daemon
spamd_flags=-v -G10:12:864 -B 50 -c 100 -s 10
spamd_rtable=0
spamd_timeout=30
spamd_user=root

and spamlogd

spamlogd_class=daemon
spamlogd_flags=-l pflog3
spamlogd_rtable=0
spamlogd_timeout=30
spamlogd_user=root

If someone had the same issue and could resolve it, it would be nice to 
hear. In the end I can always make a cron job that checks if spamd is 
running and if not just restarts it, but this isn't really a solution ...



regards





--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before 
you print it, think about your responsibility and commitment to the 
ENVIRONMENT


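The log excerpt above is the kind of material one has to sift when spamd stops without a trace. The following Python script is an added example, not code from the list thread or from OpenBSD: it parses spamd -v syslog lines in the format shown (the sample lines are constructed, reusing the From/To/Subject entries from the excerpt plus an assumed "connected" line), groups events per client address, decodes the RFC 2047 Subject, and reports the last timestamp each spamd PID logged, which is the point in the daemon log to look at for the moment a process went quiet.

```python
"""Summarise spamd(8) -v syslog lines per client and per daemon PID.

Added example; not from the mailing list thread or OpenBSD. The sample
log below is constructed in the same format as the excerpt above.
"""
import re
from email.header import decode_header, make_header

# "Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) spamd\[(?P<pid>\d+)\]: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}): (?P<msg>.*)$"
)
DISCONNECT_RE = re.compile(r"^disconnected after (\d+) seconds\.$")

# Constructed sample: the "connected (3/2)" line is assumed, the rest
# mirrors the excerpt in the message above. The sshd line is noise.
SAMPLE_LOG = """\
Oct 21 20:17:54 heimdal spamd[46664]: 60.167.119.193: connected (3/2)
Oct 21 20:24:54 heimdal spamd[46664]: 60.167.119.193: disconnected after 420 seconds.
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: From: "Valgosocks" <osze...@sobainon.co.ua>
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: To: <sb.gorb...@awo-sonnenstein.de>
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: Subject: =?utf-8?B?ZmFjaG3DpG5uaXNjaGUga29ycmVrdHVyIGRlcyBoYWxsdXggdmFsZ3VzIGFtIGZ1c3M=?=
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: Body: Content-Type: text/plain;
Oct 21 20:24:56 heimdal spamd[46664]: 217.12.203.2: Body: charset="windows-1251"
Oct 21 20:25:01 heimdal sshd[1234]: not a spamd line
"""


def parse_line(line):
    """Return a dict (ts, host, pid, ip, msg) for a spamd client line, else None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec


def decode_subject(value):
    """Decode an RFC 2047 encoded-word Subject exactly as spamd logged it."""
    return str(make_header(decode_header(value)))


def summarize(log_text):
    """Per client IP: event count, last timestamp, decoded subject and the
    tarpit duration reported on disconnect (None if never disconnected)."""
    clients = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        c = clients.setdefault(rec["ip"], {"events": 0, "last_seen": None,
                                           "subject": None, "disconnect_secs": None})
        c["events"] += 1
        c["last_seen"] = rec["ts"]
        if rec["msg"].startswith("Subject: "):
            c["subject"] = decode_subject(rec["msg"][len("Subject: "):])
        dm = DISCONNECT_RE.match(rec["msg"])
        if dm:
            c["disconnect_secs"] = int(dm.group(1))
    return clients


def last_activity_per_pid(log_text):
    """Last timestamp each spamd process wrote a client line. When a PID
    stops appearing, that timestamp is the moment to examine in the log."""
    last = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            last[rec["pid"]] = rec["ts"]
    return last


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
    print(last_activity_per_pid(SAMPLE_LOG))
```

Run it against /var/log/spamd instead of the sample to get the last timestamp of the PID that stopped logging; compare that with /var/log/messages and /var/log/daemon around the same minute.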


Re: spamd randomly and silently dying on OpenBSD 6.1

2017-10-22 Thread Markus Rosjat

Hi there,

spamd just died silently again tonight. What's the best way to approach 
the debugging of this kind of behaviour? As I looked at my logs it seems 
that syslogd causes this, so here is my syslog.conf entry:


!!spamd
daemon.err;daemon.warn;daemon.info;daemon.debug /var/log/spamd

but in my opinion this shouldn't cause trouble at all.

If I can produce more verbose output in any way, give me a hint and I'll do it :)

Regards

Markus

On 06.10.2017 at 10:49, rosjat wrote:

Hi there,


It seems the spamd daemon is silently and randomly dying on an OpenBSD 6.1 
machine. The logs show nothing that would give some hint, and if my 
script for bgp-spamd wouldn't tell me it can't connect to spamd I wouldn't 
even notice it till the next daily job that tells me that spamlogd 
should run but isn't.


Is there some way to get a more verbose output when the process is 
daemonized? The -v switch only seems to apply to the foreground mode.


Here is my spamd setting:

spamd_class=daemon
spamd_flags=-v -G10:12:864 -B 50 -c 100 -s 10
spamd_rtable=0
spamd_timeout=30
spamd_user=root

and spamlogd:

spamlogd_class=daemon
spamlogd_flags=-l pflog3
spamlogd_rtable=0
spamlogd_timeout=30
spamlogd_user=root

If someone had the same issue and could resolve it, it would be nice to 
hear. In the end I can always make a cron job that checks if spamd is 
running and if not just restarts it, but this isn't really a solution ...



regards



--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227





spamd pf rule question

2017-10-12 Thread Markus Rosjat

Hi there,

it's a quite simple question :)
I have a rule like this:

pass in log(to $log_spamd_if) on $ext_if proto tcp to port smtp rdr-to 127.0.0.1 port spamd


and was wondering if it's better to use

pass in log(to $log_spamd_if) on $ext_if proto tcp to port smtp divert-to 127.0.0.1 port spamd


The mail server isn't the same machine.

regards

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227





Re: spamd randomly and silently dying on OpenBSD 6.1

2017-10-06 Thread Boudewijn Dijkstra

On Fri, 06 Oct 2017 10:49:39 +0200, rosjat <ros...@ghweb.de> wrote:

[...]
Is there some way to get a more verbose output when the process is  
daemonized? The -v switch only seems to apply to the foreground mode.


Depends on your syslog.conf; I have:
!!spamd
daemon.err;daemon.warn;daemon.info;daemon.debug /var/log/spamd
!*

Have you checked whether interaction with spamd-setup is causing any  
problems?




--
Made with Opera's e-mail program: http://www.opera.com/mail/



spamd randomly and silently dying on OpenBSD 6.1

2017-10-06 Thread rosjat

Hi there,


It seems the spamd daemon is silently and randomly dying on an OpenBSD 6.1 
machine. The logs show nothing that would give some hint, and if my 
script for bgp-spamd wouldn't tell me it can't connect to spamd I wouldn't 
even notice it till the next daily job that tells me that spamlogd 
should run but isn't.


Is there some way to get a more verbose output when the process is 
daemonized? The -v switch only seems to apply to the foreground mode.


Here is my spamd setting:

spamd_class=daemon
spamd_flags=-v -G10:12:864 -B 50 -c 100 -s 10
spamd_rtable=0
spamd_timeout=30
spamd_user=root

and spamlogd:

spamlogd_class=daemon
spamlogd_flags=-l pflog3
spamlogd_rtable=0
spamlogd_timeout=30
spamlogd_user=root

If someone had the same issue and could resolve it, it would be nice to 
hear. In the end I can always make a cron job that checks if spamd is 
running and if not just restarts it, but this isn't really a solution ...



regards

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227




Re: running spamd on firewall or on the mailsystem

2017-09-25 Thread Boudewijn Dijkstra
On Tue, 19 Sep 2017 09:35:04 +0200, Peter N. M. Hansteen  
<pe...@bsdly.net> wrote:

On 09/19/17 09:10, rosjat wrote:


I like to get some opinions on where to use the spamd daemon. Is it
better to do the heavy stuff on the firewall or let it all pass to the
mailsystem and do the filtering there?


OpenBSD's spamd is not in any way a 'heavy' service.


Indeed.  On my site, with 12k messages tarpitted last week, spamd (with  
-v) took about the same CPU time as ntpd.  Spamlogd even less.  Together  
about 7.5M resident memory.



It's entirely
possible to run it on the actual mail server, but I tend to recommend
stopping unwanted traffic early and set up on the directly
internet-facing host (aka the firewall).


Note that the spamd(8) manual page assumes it's the same machine, so using  
different machines is a less trivial pf.conf setup.  IIRC it requires  
route-to instead of divert-to for your whitelist(s), or a divert-to with  
a relayd/nc relay.




--
Made with Opera's e-mail program: http://www.opera.com/mail/


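As an added illustration of the two threads above (Markus' rdr-to versus divert-to question, and Boudewijn's remark that spamd on a different machine than the mail server needs a less trivial pf.conf), here is a pf.conf fragment for the case where spamd runs on the internet-facing gateway and the real mail server is an inside host reached through NAT. It is not from the list thread or from OpenBSD's documentation; the interface name, the internal mail server address and the nospamd file path are assumptions, and the NAT redirect for whitelisted hosts is one of the two variants Boudewijn mentions (route-to fits when the mail server has its own routed address and no redirect is needed).

```pf
# Assumed layout: spamd runs on this gateway, the mail server is inside.
ext_if     = "em0"                 # assumed external interface
mailserver = "192.0.2.25"          # placeholder internal mail server address

# Hosts that have passed greylisting, maintained by spamd/spamlogd.
table <spamd-white> persist
# Hosts that must never be greylisted (backup MX, large providers).
table <nospamd> persist file "/etc/mail/nospamd"   # assumed path

# Whitelisted senders bypass spamd and go straight to the inside mail
# server. Because that is another machine, the packets need a redirect
# (NAT) here; a plain pass would deliver them to the gateway itself.
pass in log on $ext_if proto tcp from <nospamd> to port smtp rdr-to $mailserver
pass in log on $ext_if proto tcp from <spamd-white> to port smtp rdr-to $mailserver

# Everyone else is greylisted/tarpitted by spamd on this host. divert-to
# hands the connection to the local spamd socket; rdr-to 127.0.0.1 would
# reach the same local listener, which is why both appear in the thread.
pass in log on $ext_if proto tcp to port smtp divert-to 127.0.0.1 port spamd

# Log outbound SMTP so spamlogd can whitelist hosts we send mail to.
pass out log on $ext_if proto tcp to port smtp
```

Rule order matters: pf uses the last matching rule, so the whitelist redirects must come before the catch-all divert-to only if the catch-all is made `quick`; as written, with the catch-all last, the whitelist rules would be overridden, so in a real ruleset add `quick` to the two whitelist rules or place the divert-to rule first. The inside interface still needs its own pass rule for the redirected traffic if the default policy is block, and the spamd(8) and spamlogd(8) manual pages describe the `-l` and pflog settings the logging lines depend on.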

Re: running spamd on firewall or on the mailsystem

2017-09-19 Thread Peter N. M. Hansteen
On 09/19/17 09:10, rosjat wrote:

> I like to get some opinions on where to use the spamd daemon. Is it
> better to do the heavy stuff on the firewall or let it all pass to the
> mailsystem and do the filtering there?

OpenBSD's spamd is not in any way a 'heavy' service. It's entirely
possible to run it on the actual mail server, but I tend to recommend
stopping unwanted traffic early and set up on the directly
internet-facing host (aka the firewall).

Whichever way you do it, after enabling spamd you will see the load on
the content filtering machines drop considerably. There will be a lot
less of the heavy computation tasks involved in content filtering that
need to be performed.

- Peter
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


