[Greylist-users] spamd question

Graham Toal gtoal at gtoal.com
Wed Oct 12 11:37:13 PDT 2005


Having spent the last week on the pf list tracking down a
nasty problem with transparent bridging, I now have a pf.conf
file for spamd which seems to work OK on a transparent
bridge.  However, it does rely on me knowing the IP of the
target mail server and coding it into the pf rules.

Is there a better way to do this that is independent of
the IP addresses used, so that the transparent bridge
greylist server can be put in front of *any* mail server
and just work, without reconfiguration?

Thanks

Graham
------------------
#########
ext_if="xl0"
int_if="fxp1"
in_mx="129.113.28.220"
# in_mx changes depending on where deployed.

table <spamd> persist file "/etc/spammers.txt"
table <spamd-white> persist
table <whitelist> persist file "/etc/whitelist.txt"

scrub in

# bypass test, for explicitly whitelisted IPs:

#    would be nice to just let this pass to the same IP as requested
#    so that we don't need to hard code the address of the mail server

rdr on $ext_if proto tcp from <whitelist> to port smtp -> $in_mx


# spamd redirection test for new connections or blacklisted ones

#   blacklisted?  tarpit them.  Note DO NOT use "pass"

rdr on $ext_if inet proto tcp from <spamd> to any \
				port smtp -> 127.0.0.1 port spamd

#   not whitelisted, add them to the database but don't tarpit...

rdr on $ext_if inet proto tcp from !<spamd-white> to any \
				port smtp -> 127.0.0.1 port spamd


# Allowed connections SHOULD go through by default from here on
# but unfortunately it is not working so we need this extra rule
# which explicitly redirects them to the server they were calling anyway  :-(

rdr on $ext_if proto tcp from <spamd-white> to port smtp -> $in_mx


# This line is CRITICAL.  "route-to lo0" is REQUIRED in order
# that the redirected packets stay on this machine, otherwise
# they are routed out of $int_if (it took 4 days of hell to work that out)

pass in on $ext_if route-to lo0 proto tcp from any to 127.0.0.1 port spamd


# I didn't think flags or keep state worked in bridge mode, but this
# is what I was told to do and it seems to work.

pass out quick on $ext_if inet proto tcp from $ext_if to any port smtp \
	flags S/SA keep state
pass out quick on $int_if inet proto tcp from $int_if to any port smtp \
	flags S/SA keep state

# Everything else is to allow all traffic.  NOT a firewall.  These could
# be wrong.

pass out keep state
pass quick on { lo $int_if }
#antispoof quick for { lo $int_if }

# is this redundant?
pass in log on $ext_if proto tcp to ($ext_if) port smtp keep state
pass out log on $ext_if proto tcp from ($ext_if) to port smtp keep state

