After sleeping on it 6 hours, this is what I can report from
the logs.

root@skitL:log:0# cat spamd|fgrep 192.43.244.163|fgrep "May 28"
May 28 00:07:55 skitL spamd[21325]: 192.43.244.163: connected (1/0)
May 28 00:08:06 skitL spamd[21325]: (GREY) 192.43.244.163: <owner-misc+M122933=david=elven.com...@openbsd.org> -> <da...@elven.com.au>
May 28 00:08:07 skitL spamd[21325]: 192.43.244.163: disconnected after 12 seconds.
May 28 00:49:51 skitL spamd[20306]: 192.43.244.163: connected (1/0)
May 28 00:50:03 skitL spamd[20306]: (GREY) 192.43.244.163: <owner-misc+M122934=david=elven.com...@openbsd.org> -> <da...@elven.com.au>
May 28 00:50:03 skitL spamd[20306]: 192.43.244.163: disconnected after 12 seconds.
root@skitL:log:0# spamdb
WHITE|202.58.38.80|||1338136570|1338140183|1341250605|2|0
TRAPPED|106.79.132.74|1338226638
TRAPPED|180.215.141.229|1338226988
GREY|186.206.211.111|baced36f.virtua.com.br|<packer8...@reb.com>|<d...@elven.com.au>|1338143338|1338157738|1338157738|1|0
GREY|95.180.252.146|59.167.212.41|<and...@bb-dsh.org>|<d...@elven.com.au>|1338152111|1338166511|1338166511|1|0
TRAPPED|64.20.227.133|1338241213
TRAPPED|217.149.28.204|1338241498
TRAPPED|174.123.14.196|1338232031
TRAPPED|83.169.61.34|1338235874
TRAPPED|95.180.252.146|1338238511
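
To read a dump like the one above without squinting at pipe-separated timestamps, here is a small parser for the spamdb list format, written as an added example (not the poster's code or part of OpenBSD). It assumes the field layouts visible in the lines above (WHITE|ip|||first|pass|expire|bcount|pcount, GREY|ip|helo|from|to|first|pass|expire|bcount|pcount, TRAPPED|ip|expire) and spamd's rule that a GREY sender is whitelisted only when it retries after the pass time and before the entry expires; the sample input is a constructed subset of the dump.

```python
"""Parse spamdb(8) list output and classify greylist entries (added example)."""
from datetime import datetime, timezone

# Constructed sample: a subset of the spamdb dump from the post.
SAMPLE = """WHITE|202.58.38.80|||1338136570|1338140183|1341250605|2|0
TRAPPED|106.79.132.74|1338226638
GREY|186.206.211.111|baced36f.virtua.com.br|<packer8...@reb.com>|<d...@elven.com.au>|1338143338|1338157738|1338157738|1|0
GREY|95.180.252.146|59.167.212.41|<and...@bb-dsh.org>|<d...@elven.com.au>|1338152111|1338166511|1338166511|1|0
TRAPPED|95.180.252.146|1338238511
"""


def parse_spamdb(text):
    """Return one dict per line; field positions follow the layouts seen above."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("|")
        kind = f[0]
        if kind == "TRAPPED" and len(f) == 3:
            e = {"type": kind, "ip": f[1], "expire": int(f[2])}
        elif kind == "WHITE" and len(f) == 9:
            e = {"type": kind, "ip": f[1], "first": int(f[4]), "pass": int(f[5]),
                 "expire": int(f[6]), "bcount": int(f[7]), "pcount": int(f[8])}
        elif kind == "GREY" and len(f) == 10:
            e = {"type": kind, "ip": f[1], "helo": f[2], "from": f[3], "to": f[4],
                 "first": int(f[5]), "pass": int(f[6]), "expire": int(f[7]),
                 "bcount": int(f[8]), "pcount": int(f[9])}
        else:
            raise ValueError(f"unrecognised spamdb line: {line!r}")
        entries.append(e)
    return entries


def retry_outcome(entry, when):
    """Outcome of a retry at unix time `when`: a GREY entry stays grey before
    its pass time, is whitelisted between pass and expire, and is gone after
    expire (the sender starts the greylist cycle again)."""
    if entry["type"] != "GREY":
        return entry["type"].lower()
    if when < entry["pass"]:
        return "too-early"
    if when <= entry["expire"]:
        return "whitelist"
    return "expired"


def summarize(text):
    """Count entries per type, e.g. {'WHITE': 1, 'TRAPPED': 2, 'GREY': 2}."""
    counts = {}
    for e in parse_spamdb(text):
        counts[e["type"]] = counts.get(e["type"], 0) + 1
    return counts


def fmt(ts):
    """Render a spamdb unix timestamp as UTC, for eyeballing pass/expire windows."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%b %d %H:%M:%S")
```

Note that in this dump every GREY entry has pass equal to expire, so the window in which a retry is whitelisted is a single second; the classifier makes that visible.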

Bummer, I have forgotten to pflog the spamd connections to lo0.

root@skitL:log:0# tcpdump -n -e -r /var/log/pflog port spamd
tcpdump: WARNING: snaplen raised from 116 to 160
root@skitL:log:0# tcpdump -n -e -r /var/log/pflog port smtp
tcpdump: WARNING: snaplen raised from 116 to 160
01:00:38.572058 rule 16/(match) pass out on xl0: 172.25.101.7.33057 > 
66.49.254.25.25: S 3802061083:3802061083(0) win 16384 <mss 
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 2973717195[|tcp]> (DF)
01:30:37.983151 rule 17/(match) pass out on xl0: 172.25.101.7.23127 > 
66.49.254.25.25: S 3663599646:3663599646(0) win 16384 <mss 
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 862970203[|tcp]> (DF)
04:36:24.378104 rule 16/(match) pass in on xl0: 202.58.38.80.25350 > 
172.25.101.7.25: S 1021603063:1021603063(0) win 16384 <mss 
1420,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop>
04:36:31.105838 rule 17/(match) pass out on xl0: 172.25.101.7.3605 > 
173.194.79.27.25: S 2304184706:2304184706(0) win 16384 <mss 
1460,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 451645464[|tcp]> (DF)

So I have just loaded a new pf.conf with logging turned on for spamd;
this is what I have running now.

#-----------------------------------------------------------------------
# defaults
#-----------------------------------------------------------------------
set loginterface egress
set skip on lo
match in all scrub (no-df max-mss 1440)
antispoof quick for egress
pass
pass proto tcp modulate state
pass proto udp keep state
block in log on egress
#-----------------------------------------------------------------------
# ssh
#-----------------------------------------------------------------------
table <ssh-black> persist file "/etc/pf/ssh-black"
table <ssh-white> persist file "/etc/pf/ssh-white"
pass in on egress inet proto tcp from <ssh-white> to egress \
    port ssh modulate state
pass in on egress inet proto tcp from !<ssh-black> to egress \
    port ssh modulate state \
    (max-src-conn-rate 1/30, overload <ssh-black> flush)
#-----------------------------------------------------------------------
# squid
#-----------------------------------------------------------------------
table <squid-white> persist file "/etc/pf/squid-white"
pass in on egress inet proto tcp from <squid-white> to egress \
    port 3128 modulate state
#-----------------------------------------------------------------------
# authpf
#-----------------------------------------------------------------------
table <authpf_users> persist
pass in on egress from <authpf_users>
pass in on egress proto tcp from <authpf_users> modulate state
pass in on egress proto udp from <authpf_users> keep state
#-----------------------------------------------------------------------
# spamd - greylist mode
#-----------------------------------------------------------------------
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"
pass in log on egress proto tcp from any to egress \
    port smtp rdr-to 127.0.0.1 port spamd synproxy state
pass in on egress proto tcp from <nospamd> to egress \
    port smtp synproxy state
pass in log on egress proto tcp from <spamd-white> to egress \
    port smtp synproxy state
pass out log on egress proto tcp to any port smtp modulate state
#-----------------------------------------------------------------------
