[EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] wrote:
I had a power outage to our building due to the fires in San Diego and it crashed those without UPSes. One of them is the spamd machine. I've brought it back up and ran fsck on all volumes. However, mail will not come into our mailboxes from outside but mail can be delivered to outside recipients. I can telnet into the spamd machine and send mail externally and internally. Postfix seems to be ok. When I stop pf, mail from the outside of our LAN comes pouring in. When I start up pf, inbound mail comes to a stop. In the spamd log, I see all kinds of connections being blacklisted and greylisted but still not one mail is being delivered. I am using spamd-mywhite as my whitelist and put all known GMail IP addresses on it. I then send an email from my GMail account to this machine. It gets greylisted and eventually sits in the greylist for quite a while. I also see port 25 open on both external and internal NICs and port 8025 open on the localhost interface.

I need assistance in troubleshooting this. Running spamd 4.1.2 on FreeBSD 6.2. We average 800 valid mails per day and so far in the last 24 hours, not one mail has come through using the existing spamd configuration.
mailfilter-root@/usr/ports# pfctl -vvnf /etc/pf.conf
ext_if = "rl0"
int_if = "xl0"
internal_net = "192.168.1.1/24"
external_addr = "216.70.250.4"
vpn_net = "10.8.0.0/24"
icmp_types = "echoreq"
NoRouteIPs = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
webserver1 = "192.168.1.4"
set skip on { lo0 }
set skip on { gif0 }
@0 scrub in all fragment reassemble
@1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
@2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
@3 rdr on rl0 inet proto tcp from any to 216.70.250.4 port = http -> 192.168.1.4 port 80
table  persist
table  persist
table  persist file "/usr/local/etc/spamd/spamd-mywhite"
@4 rdr inet proto tcp from  to 216.70.250.4 port = smtp -> 127.0.0.1 port 25
@5 rdr inet proto tcp from  to 216.70.250.4 port = smtp -> 127.0.0.1 port 25
@6 rdr pass inet proto tcp from  to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
@7 rdr pass inet proto tcp from !  to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
@8 pass in log inet proto tcp from any to 216.70.250.4 port = smtp flags S/SA synproxy state
@9 pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags S/SA synproxy state
@10 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
@11 block drop in log all
@12 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
@13 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
@14 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
@15 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
@16 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
@17 block drop out log quick on rl0 inet from any to 127.0.0.0/8
@18 block drop out log quick on rl0 inet from any to 192.168.0.0/16
@19 block drop out log quick on rl0 inet from any to 172.16.0.0/12
@20 block drop out log quick on rl0 inet from any to 10.0.0.0/8
@21 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
@22 block drop in log quick inet from 192.168.1.25 to any
@23 pass in on xl0 inet from 192.168.1.0/24 to any
@24 pass out log on xl0 inet from any to 192.168.1.0/24
@25 pass out log quick on xl0 inet from any to 10.8.0.0/24
@26 pass out on rl0 proto tcp all flags S/SA modulate state
@27 pass out on rl0 proto udp all keep state
@28 pass out on rl0 proto icmp all keep state
@29 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
@30 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
warning: macro 'icmp_types' not used
mailfilter-root@/usr/ports#
What's the quickest way to recover from this? Any other troubleshooting techniques?
~Doug

with rule @11 (log) you can do a
tcpdump -net -i pflog0 and look at the block rule number.

This is what I am seeing:
303784 rule 3/0(match): block in on rl0: 66.218.67.246.30833 > 127.0.0.1.25: S 863049525:863049525(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
1. 266221 rule 3/0(match): block in on rl0: 63.209.114.3.1923 > 127.0.0.1.25: S 3256136674:3256136674(0) win 57344 <mss 1460>
157399 rule 3/0(match): block in on rl0: 207.158.59.100.38643 > 127.0.0.1.25: S 4015967731:4015967731(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]>
1. 139142 rule 3/0(match): block in on rl0: 200.46.204.71.49347 > 127.0.0.1.25: S 4237450357:4237450357(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
199803 rule 3/0(match): block in on rl0: 200.46.204.71.53512 > 127.0.0.1.25: S 2390205679:2390205679(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
039859 rule 3/0(match): block in on rl0: 200.46.204.71.65136 > 127.0.0.1.25: S 1802046267:1802046267(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
101924 rule 3/0(match): block in on rl0: 200.46.204.71.61323 > 127.0.0.1.25: S 1996496288:1996496288(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
295669 rule 3/0(match): block in on rl0: 66.218.67.246.30833 > 127.0.0.1.25: S 863049525:863049525(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
192006 rule 3/0(match): block in on rl0: 38.100.230.154.1856 > 127.0.0.1.25: S 1648209710:1648209710(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]>
639961 rule 3/0(match): block in on rl0: 207.158.59.100.60302 > 127.0.0.1.25: S 490829265:490829265(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]>
391948 rule 3/0(match): block in on rl0: 207.158.59.100.38643 > 127.0.0.1.25: S 4015967731:4015967731(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]>
042299 rule 3/0(match): block in on rl0: 63.209.114.3.1923 > 127.0.0.1.25: S 3256136674:3256136674(0) win 57344 <mss 1460>
025190 rule 3/0(match): block in on rl0: 209.11.60.21.14104 > 127.0.0.1.25: S 598584256:598584256(0) win 16384 <mss 1380>
1. 310404 rule 3/0(match): block in on rl0: 200.46.204.71.49347 > 127.0.0.1.25: S 4237450357:4237450357(0) win 65535 <mss 1460,sackOK,eol>
214949 rule 3/0(match): block in on rl0: 200.46.204.71.53512 > 127.0.0.1.25: S 2390205679:2390205679(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
038980 rule 3/0(match): block in on rl0: 200.46.204.71.65136 > 127.0.0.1.25: S 1802046267:1802046267(0) w

Which of the rules above does rule 3/0(match) refer to?

It's easier to count the rules this way:
Nat/rdr rules:
 # pfctl -sn
filter rules:
 # pfctl -sr  => now look at the 3rd line

> @8 pass in log inet proto tcp from any to 216.70.250.4 port = smtp flags S/SA 
synproxy state
> @9 pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags 
S/SA synproxy state
> @10 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = 
smtp flags S/SA synproxy state
> @11 block drop in log all

There is no quick keyword, so please place @11 before @8, reload the pf rules and post the output of
1) pfctl -sn
2) pfctl -sr
3) now take again a look with tcpdump -i pflog0
This makes things easier to count and refer to.



Also,
mailfilter-root@/usr/ports# tcpdump -n -e -ttt -r /var/log/pflog port 8025
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
mailfilter-root@/usr/ports#
No forwarding to port 8025 is occurring at this point, or so it seems.

also do a sockstat -4 -p 25 and look if your mailserver listens
at 127.0.0.1:25, otherwise rules @4 and @5 have no effect
mailfilter-root@/usr/ports# sockstat -4 -p 25
USER     COMMAND    PID   FD  PROTO  LOCAL ADDRESS  FOREIGN ADDRESS
root     master     841   11  tcp4   *:25           *:*


OK, so we are sure postfix is listening


_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
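As an added worked example for the question raised in the thread (which rule "rule 3/0(match)" refers to), and not code posted by anyone on the list: a small POSIX shell script that parses tcpdump output from pflog0 and summarises the logged packets by rule index and by the destination the filter rules saw, then looks that index up in `pfctl -sr` output. The sample pflog lines and the `pfctl -sr` listing below are constructed here from the rules and log excerpts posted above (one extra "pass" line is invented to show a second rule index); the function names are my own. Two pf facts the script relies on: the index pf logs is the rule's 0-based position in the filter ruleset, i.e. line N+1 of `pfctl -sr`, separate from the `pfctl -sn` numbering and from the `@N` numbers of `pfctl -vvnf`; and pf translates (nat/rdr) before it filters, so the logged destination is the post-rdr address.

```shell
#!/bin/sh
# pflog_rules.sh -- added example, not from the thread: map pflog block lines
# to their 0-based index in `pfctl -sr`, and show the post-rdr destination.

# Constructed sample of `tcpdump -net -i pflog0` output, modelled on the
# lines posted in the thread. The last line (a "pass" by rule 0) is invented
# so that a second rule index shows up in the summary.
SAMPLE_PFLOG='303784 rule 3/0(match): block in on rl0: 66.218.67.246.30833 > 127.0.0.1.25: S 863049525:863049525(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
1. 266221 rule 3/0(match): block in on rl0: 63.209.114.3.1923 > 127.0.0.1.25: S 3256136674:3256136674(0) win 57344 <mss 1460>
157399 rule 3/0(match): block in on rl0: 200.46.204.71.49347 > 127.0.0.1.25: S 4237450357:4237450357(0) win 65535 <mss 1460,sackOK,eol>
042299 rule 0/0(match): pass in on rl0: 192.0.2.10.40001 > 216.70.250.4.25: S 1:1(0) win 65535 <mss 1460>'

# Constructed `pfctl -sr` output: the four filter rules from the thread, in
# the order pf numbers them (0-based). nat/rdr rules are not in this list.
SAMPLE_PFCTL_SR='pass in log inet proto tcp from any to 216.70.250.4 port = smtp flags S/SA synproxy state
pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags S/SA synproxy state
pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
block drop in log all'

# rule_by_index N: print the Nth (0-based) filter rule from `pfctl -sr`
# output read on stdin. Exit status 1 if there is no such rule.
rule_by_index() {
    awk -v n="$1" 'NR == n + 1 { print; found = 1 } END { exit (found ? 0 : 1) }'
}

# pflog_block_summary: read pflog tcpdump text on stdin and print one line
#   <rule-index> <action> <destination> <count>
# per distinct combination. The destination is what the filter rules saw,
# i.e. after any rdr rewrite, because pf translates before it filters.
pflog_block_summary() {
    awk '
    {
        for (i = 1; i <= NF; i++) {
            if ($i == "rule") {
                split($(i + 1), r, "/")    # "3/0(match):" -> index 3
                idx = r[1]
                act = $(i + 2)             # block or pass
                dst = ""
                # destination is the field after ">", minus its trailing ":"
                for (j = i; j <= NF; j++) {
                    if ($j == ">") { dst = $(j + 1); sub(/:$/, "", dst) }
                }
                count[idx " " act " " dst]++
                break
            }
        }
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Demo when run directly: summarise the sample log, then resolve index 3.
printf '%s\n' "$SAMPLE_PFLOG" | pflog_block_summary
printf '%s\n' "$SAMPLE_PFCTL_SR" | rule_by_index 3
```

On the live box the same two functions take real input: `tcpdump -net -r /var/log/pflog | pflog_block_summary` and `pfctl -sr | rule_by_index 3`. Run against the thread's data the summary reports every block under index 3 with destination 127.0.0.1.25, and line 4 of `pfctl -sr` is `block drop in log all`. That is consistent with the rule set posted: @4 and @5 are plain `rdr` rules without `pass`, so a whitelisted sender's SYN is rewritten to 127.0.0.1:25 and then still has to match a filter rule, where `pass in ... to 216.70.250.4 port = smtp` no longer applies because the destination has already been translated. The two `rdr pass` rules (@6, @7) skip filter evaluation entirely and carry no `log`, which also explains why the pflog grep for port 8025 is empty. The usual remedies are to add `pass` to @4/@5 or to add a filter rule that matches the translated destination (for example `pass in on rl0 proto tcp from any to 127.0.0.1 port smtp`); check the edited file with `pfctl -nf /etc/pf.conf` before loading it, and keep the block rule logged so the same tcpdump check confirms the fix.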
