[Greylist-users] Which greylist system for fastest & easiest
installation? [SUMMARY]
Graham Toal
gtoal at gtoal.com
Tue Apr 26 14:16:17 PDT 2005
Thank you everyone for the advice and especially Mark Pecaut for
far more help offline than I had a right to ask for!
I know the procedure below is not ideal, but it does work, so I'm
posting this more as a summary of how I got it running than as
something for other people to follow. As I find improvements
(eg avoiding the use of the redir program) I'll put up a better
version of this info on my wiki.
===========================================================================
12-step plan for linux junkies who need to set up
spamd on OpenBSD for the first time.
(aka the "ULTRA-MINI-HOWTO")
There are several topologies that you can use when configuring
OpenBSD and spamd to sit in front of an existing mailer. The one that
this document assumes is that the BSD system is "off to one side"
rather than being inline in front of the MTA as a bridge or router.
I.e. it has only one ether interface, and is *not* running the
final delivery mailer.
(Running inline as a bridge is probably a better design but it's not
the one I did; however it *is* the one documented in most of the
online documents, so if that's what you'd rather do, you don't
need this...)
Once installed, you'll need to reconfigure the MX for your domain
to point to the BSD box, and hard-code the IP of your real MTA in
the files below:
Connections to the MX host first hit the greylist box. After 2 attempts,
the greylist box marks the connecting IP as a good mailer, and subsequent
connection attempts are proxied to the real mail server.
Unfortunately this design does mean that there are two resend delays instead
of the original one as envisioned by the original greylist design spec.
"Here's what I did to get this working on my system." That's about as
far as I'm willing to stick my neck out by way of grandiose claims :-)
1) Off-the-shelf BSD install (must set up your networking) - download CD image
and install via ftp. www.openbsd.org. Watch out for the timezone.
2) create your personal login with adduser (which will also create
the default adduser profile the first time); log in, and su root.
Or be lazy and don't.
3) Turn this on in /etc/sysctl.conf:
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of packets
4) Remove sendmail from root's crontab? (Probably wasn't needed. It's only a "sendmail -q".)
5) kill the sendmail process that's running, and turn off sendmail in /etc/rc.conf:
#sendmail_flags="-L sm-mta -C/etc/mail/localhost.cf -bd -q30m"
sendmail_flags=NO
6) Reset your clock if need be (using "date" as root) and turn on ntpd before you
start working on greylisting. Start ntpd from /etc/rc.conf:
ntpd_flags="" # for normal use: ""
#ntpd_flags=NO # for normal use: ""
7) Make sure pf is turned on in /etc/rc.conf (it should be on already)
pf=YES # Packet filter / NAT
8) Set spamd flags in /etc/rc.conf:
spamd_flags="-v -G 1:4:864" # short timeouts (in min:hr:hr) for testing only
# wait at least 1 minute but no longer than 4 hrs
# verbose logging during test
# spamd_flags=NO # for normal use: "" and see spamd-setup(8)
spamd_grey=YES # use spamd greylisting if YES
#spamd_grey=NO # use spamd greylisting if YES
9) In /etc/spamd.conf, remove the blacklists (for now) by changing the "all" entry to:
all:
# :spamhaus:china:korea:
10) Add spamlog to /etc/rc.conf (which is not there by default):
#spamlogd_flags="-I -i xl0" # Incoming mail only, plus change ether if need be
# for outgoing mail, use the sniffer port on your switch
# and another ether interface on this box
spamlogd_flags="" # Plain defaults
11) Now, create pf.conf. YOU MUST PUT THE ADDRESS OF YOUR REAL MAILER IN THE LINE BELOW:
in_mx="XXX.XXX.XXX.XXX"
ext_if="xl0"
table <spamd> persist
table <spamd-white> persist
rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
-> 127.0.0.1 port spamd
rdr pass on $ext_if proto tcp from <spamd-white> to port 25 -> 127.0.0.1 port 2500
pass in log on $ext_if proto tcp to $in_mx port smtp keep state
pass out log on $ext_if proto tcp from $in_mx to any port smtp keep state
12) And fetch/compile/start "redir":
Title: redir
Version: 2.2
Entered-date: 15DEC1999
Description: TCP Port redirector (for firewalls etc).
Keywords: tcp port redirector bouncer proxy
Author: sammy at oh.verio.com
Primary-site: sunsite.unc.edu /pub/Linux/system/Network/daemons
39936 redir-2.2.tar.gz
Copying-policy: GPL
set up something to invoke "redir --caddr=targetmailer.mysite.com --lport=2500 --cport=25"
at startup time.
You'll probably need to reboot at this point. Hopefully greylisting will now be running.
More information about the Greylist-users
mailing list