[Greylist-users] some comments on spamd

Graham Toal gtoal at gtoal.com
Wed Apr 27 12:57:36 PDT 2005


I've just found a major snag with spamd on openbsd
*the way I have it set up* which is not mentioned in
any of the documentation:

I am *not* using transparent bridging mode yet (though
now it looks like I'll have to do that in a hurry)
with the result that when connections turn up on
the real MTA, they look like they have come from
the greylisting box's IP (which is on campus and
considered local) rather than from the real sender's
IP.

This blows away 3rd-party relay checking, because
spamd itself doesn't check.  (And if it did, could
be easily faked out)

Hopefully anyone trying to abuse our server as a
third-party relay will hit the same reject as a
spambot would, but that's just a band-aid - it does
have to be handled properly or we're making the
spam situation worse rather than better.

Two obvious choices are either use transparent
bridge mode, *or* move the greylisting box outside
of the set of IP addresses which is trusted as
local.  (Actually that's near impossible for me
and what I'll have to do is get the MTA admin to
configure that as an exception in the destination
mailer itself)

Again, this is probably all intuitively obvious
to existing spamd users, but for first-timers like
me it comes as a surprise. Old hands with openbsd+spamd
are probably saying "well why didn't you implement
transparent bridging in the first place?" (answer:
I don't have easy access to place this in front of
a live server for testing, plus I can test on a
small subdomain by MXing only that domain to my
openbsd box, rather than forcing all domains hosted
by the mailer to be greylisted)

Anyway, this post is mainly google-fodder in case
anyone else can be usefully forewarned by it.
Hope it isn't too off-topic for the rest of you.

G
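
The relay-check failure described in the post above, as an added example that is not part of the original message: a simplified model of an MTA's "trusted network" relay rule, showing what the MTA decides when it sees the greylisting proxy's address instead of the real sender's, and how the two fixes the post names change the outcome. All addresses, domains and function names are constructed for illustration and are not taken from spamd or any particular MTA.

```python
import ipaddress

# Constructed values (RFC 5737 documentation ranges, example.* domains).
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # "campus" range the MTA treats as local
GREYLIST_BOX = ipaddress.ip_address("192.0.2.25")       # non-transparent greylisting box, on campus
LOCAL_DOMAINS = {"example.edu"}                          # domains the MTA delivers for


def peer_seen_by_mta(real_sender, via_proxy, transparent):
    """Source IP the MTA sees for a connection that started at real_sender."""
    if via_proxy and not transparent:
        return GREYLIST_BOX           # proxy re-originates the TCP connection
    return ipaddress.ip_address(real_sender)


def relay_decision(peer, rcpt_domain, untrusted_hosts=()):
    """Common rule: local recipients are accepted; other recipients only for trusted peers."""
    if rcpt_domain in LOCAL_DOMAINS:
        return "accept"
    trusted = any(peer in net for net in TRUSTED_NETS) and peer not in untrusted_hosts
    return "relay" if trusted else "reject"


def scenarios():
    outside = "203.0.113.7"           # external host addressing mail to a third-party domain
    via_proxy = peer_seen_by_mta(outside, True, False)
    return {
        # No greylisting box in the path: the MTA sees the real IP.
        "direct": relay_decision(peer_seen_by_mta(outside, False, False), "example.net"),
        # The snag: the proxy's campus IP is trusted, so the relay check passes.
        "proxy_trusted": relay_decision(via_proxy, "example.net"),
        # Fix 1: the MTA lists the greylisting box as an exception to "local".
        "proxy_excepted": relay_decision(via_proxy, "example.net", {GREYLIST_BOX}),
        # Fix 2: transparent bridging keeps the real sender IP visible.
        "transparent": relay_decision(peer_seen_by_mta(outside, True, True), "example.net"),
        # Legitimate inbound mail through the proxy is still accepted with fix 1.
        "inbound_via_proxy": relay_decision(via_proxy, "example.edu", {GREYLIST_BOX}),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:18} {verdict}")
```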

