[Greylist-users] spamd question
Graham Toal
gtoal at gtoal.com
Wed Oct 12 11:37:13 PDT 2005
Having spent the last week on the pf list tracking down a
nasty problem with transparent bridging, I now have a pf.conf
file for spamd which seems to work OK on a transparent
bridge. However, it does rely on me knowing the IP of the
target mail server and coding it into the pf rules.
Is there a better way to do this that is independent of
the IP addresses used, so that the transparent bridge
greylist server can be put in front of *any* mail server
and just work, without reconfiguration?
Thanks
Graham
------------------
#########
ext_if="xl0"
int_if="fxp1"
in_mx="129.113.28.220"
# in_mx changes depending on where deployed.
table <spamd> persist file "/etc/spammers.txt"
table <spamd-white> persist
table <whitelist> persist file "/etc/whitelist.txt"
scrub in
# bypass test, for explicitly whitelisted IPs:
# would be nice to just let this pass to the same IP as requested
# so that we don't need to hard code the address of the mail server
rdr on $ext_if proto tcp from <whitelist> to port smtp -> $in_mx
# spamd redirection test for new connections or blacklisted ones
# blacklisted? tarpit them. Note DO NOT use "pass"
rdr on $ext_if inet proto tcp from <spamd> to any \
port smtp -> 127.0.0.1 port spamd
# not whitelisted, add them to the database but don't tarpit...
rdr on $ext_if inet proto tcp from !<spamd-white> to any \
port smtp -> 127.0.0.1 port spamd
# Allowed connections SHOULD go through by default from here on
# but unfortunately it is not working so we need this extra rule
# which explicitly redirects them to the server they were calling anyway :-(
rdr on $ext_if proto tcp from <spamd-white> to port smtp -> $in_mx
# This line is CRITICAL. "route-to lo0" is REQUIRED in order
# that the redirected packets stay on this machine, otherwise
# they are routed out of $int_if (it took 4 days of hell to work that out)
pass in on $ext_if route-to lo0 proto tcp from any to 127.0.0.1 port spamd
# I didn't think flags or keep state worked in bridge mode, but this
# is what I was told to do and it seems to work.
pass out quick on $ext_if inet proto tcp from $ext_if to any port smtp \
flags S/SA keep state
pass out quick on $int_if inet proto tcp from $int_if to any port smtp \
flags S/SA keep state
# Everything else is to allow all traffic. NOT a firewall. These could
# be wrong.
pass out keep state
pass quick on { lo $int_if }
#antispoof quick for { lo $int_if }
# is this redundant?
pass in log on $ext_if proto tcp to ($ext_if) port smtp keep state
pass out log on $ext_if proto tcp from ($ext_if) to port smtp keep state
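One check worth running before loading a ruleset like the one above: because pf translation (rdr) rules are first-match, an address that appears in both /etc/whitelist.txt and /etc/spammers.txt is redirected by the <whitelist> rule and never reaches the <spamd> tarpit rule, and a malformed line makes pfctl reject the whole table file. The script below is an added example, not part of the original post or of spamd; it assumes the two table files use the plain pfctl table-file format (one address or CIDR block per line, '#' comments, optional leading '!' for a negated entry) and uses constructed sample contents rather than real table files.

```python
"""Sanity-check the pf table files behind the spamd rdr rules.

Added example (not from the original post). Assumes pfctl table-file
format: one address or CIDR per line, '#' starts a comment, a leading
'!' negates an entry. The sample table contents below are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_table(text: str) -> Tuple[List[Network], List[Network], List[Tuple[int, str]]]:
    """Parse one table file.

    Returns (entries, negated_entries, unparsed_lines). Lines that are
    not literal addresses are reported rather than resolved, so the
    operator can decide whether they are intended hostnames or typos.
    """
    entries: List[Network] = []
    negated: List[Network] = []
    unparsed: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        is_negated = line.startswith("!")
        if is_negated:
            line = line[1:].strip()
        try:
            # strict=False accepts host bits set in a CIDR (e.g. 10.1.2.3/24)
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            unparsed.append((lineno, raw))
            continue
        (negated if is_negated else entries).append(net)
    return entries, negated, unparsed


def overlapping(whitelist: List[Network], blacklist: List[Network]) -> List[Tuple[Network, Network]]:
    """Return (whitelist_entry, blacklist_entry) pairs that share addresses.

    Under first-match rdr evaluation the whitelist rule wins for these,
    so the blacklist entry is dead weight unless that is intended.
    """
    hits = []
    for w in whitelist:
        for b in blacklist:
            if w.version == b.version and w.overlaps(b):
                hits.append((w, b))
    return hits


def check_tables(whitelist_text: str, spammers_text: str) -> Dict[str, object]:
    """Run both checks and return a summary dict."""
    wl, wl_neg, wl_bad = parse_table(whitelist_text)
    bl, bl_neg, bl_bad = parse_table(spammers_text)
    return {
        "whitelist_entries": len(wl),
        "spammers_entries": len(bl),
        "negated_entries": len(wl_neg) + len(bl_neg),
        "unparsed": {"whitelist": wl_bad, "spammers": bl_bad},
        "shadowed": [(str(w), str(b)) for w, b in overlapping(wl, bl)],
    }


# Constructed sample table files (RFC 5737 documentation ranges).
WHITELIST_TXT = """# constructed example of /etc/whitelist.txt
192.0.2.10
198.51.100.0/24     # partner MX range
"""

SPAMMERS_TXT = """# constructed example of /etc/spammers.txt
198.51.100.77       # shadowed by the whitelist /24 above
203.0.113.0/24
!203.0.113.9        # negated: excluded from the block above
not-an-address      # pfctl would try to resolve this as a hostname
"""

if __name__ == "__main__":
    report = check_tables(WHITELIST_TXT, SPAMMERS_TXT)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it with the real files in place of the constructed strings (read them with `open(...).read()`) before `pfctl -f`; anything in `shadowed` is an address the <spamd> rule will never see, and anything in `unparsed` is a line pfctl will either resolve as a hostname or reject.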