Hello-

I’m setting up spamd in front of a Postfix mail server, and am having
an issue with rdr-to rules not working the way I expect.

My setup: Re-purposed Mac Mini running MacOS 12.4 Monterey, Postfix &
Dovecot, smtp port-forwarded to this box from my firewall. OpenBSD 7.1
running in a VirtualBox machine on the same Mac Mini, with bridged
networking enabled.

Postfix on the Mac Mini can receive mail just fine from the internet
through the firewall. The mini has the IP address 192.168.20.15.
OpenBSD is configured and running with spamd (greylisting enabled) in
the VM, with IP address 192.168.20.16 - pf.conf rules as follows:

__________________________ 
#macros
lan="192.168.10.0/24" 
kootenai = "192.168.20.15"
set skip on lo

#default deny
block log all

#allow ssh from lan
pass in proto tcp from $lan to port ssh

#allow outbound connections for package, updates, time etc
pass out proto { tcp udp } to port { 22 53 80 123 443 }

# allow pings outbound 
pass out inet proto icmp icmp-type { echoreq }

# rules for spamd(8) 
table <spamd> persist 
table <spamd-white> persist
table <localwhite> persist file "/etc/mail/whitelist.txt" 
table <nospamd> persist file "/etc/mail/nospamd"

#mail traffic goes to spamd by default 
pass in log on egress inet proto tcp from any to any port smtp \
     divert-to 127.0.0.1 port smtp

#send traffic to the mail server from our white lists & who've 
#passed greylisting 
pass in log on egress proto tcp from <localwhite> to any port smtp \
   rdr-to $kootenai port smtp
pass in log on egress proto tcp from <nospamd> to any port smtp \
   rdr-to $kootenai port smtp 
pass in log on egress proto tcp from <spamd-white> to any port smtp \
   rdr-to $kootenai port smtp

#allow smtp out 
pass out log on egress proto tcp to any port smtp

________________________________________

When I switch my firewall to forward SMTP to the OpenBSD VM
(192.168.20.16:25), I get the following behavior:

Connections from the internet to port 25 get through to the OpenBSD
machine, connecting to port 25. If the connecting IP is not in any
whitelists, it gets forwarded to spamd (divert-to) as expected, and
the IP address added to the spamd table and greylisted. If the
connecting IP is in a whitelist (localwhite, nospamd, spamd-white),
the relevant rdr-to rule gets matched, but a connection is never made
to the Postfix server on the host machine (192.168.20.15:25).

- I can telnet from the OpenBSD VM to port 25 on the host machine and
connect just fine.
- If I telnet from another machine on the local network to port 25 on
the OpenBSD VM, and the machine is not in a whitelist, I talk to
spamd as expected.
- If I telnet from another machine on the local network to port 25 on
the OpenBSD VM, and the machine is in a whitelist, I get a connection 
timeout. By monitoring the pflog0 interface, I can see the connection
coming in and matching the pass in rdr-to rule, and then going out
matching the pass out rule (last two rules in the above pf.conf). 
I can also see the incoming and outgoing connections while monitoring
the em0 interface.

I’m sure there’s something I’m missing, but I
haven’t been able to figure out what. Any insight is most appreciated.

Thanks!
-Alex


P.S. dmesg for the OpenBSD VM:

littlechief$ dmesg
OpenBSD 7.1 (GENERIC) #151: Mon Apr 11 18:57:52 MDT 2022
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
real mem  = 1073168384 (1023MB)
avail mem = 1036857344 (988MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 06/23/99, BIOS32 rev. 0 @ 0xfda00, SMBIOS rev. 2.5 @ 0xe1000 (10 entries)
bios0: vendor innotek GmbH version "VirtualBox" date 12/01/2006
bios0: innotek GmbH VirtualBox
acpi0 at bios0: ACPI 4.0
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP APIC SSDT
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5-4260U CPU @ 1.40GHz ("GenuineIntel" 686-class) 2.03 GHz, 06-45-01
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,RDRAND,NXE,RDTSCP,LONG,LAHF,ABM,ITSC,FSGSBASE,AVX2,INVPCID,MD_CLEAR,L1DF,MELTDOWN
mtrr: CPU supports MTRRs but not enabled by BIOS
cpu0: apic clock running at 999MHz
cpu0: mwait min=64, max=64
ioapic0 at mainbus0: apid 1 pa 0xfec00000, version 20, 24 pins, remapped
acpiprt0 at acpi0: bus 0 (PCI0)
"PNP0A03" at acpi0 not configured
acpiac0 at acpi0: AC unit online
acpicpu0 at acpi0: C1(@1 halt!)
acpivideo0 at acpi0: GFX0
bios0: ROM list: 0xc0000/0x8000 0xe2000/0xd400
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: <VBOX HARDDISK>
wd0: 128-sector PIO, LBA, 16384MB, 33554432 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
vga1 at pci0 dev 2 function 0 "VMware SVGA II" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
em0 at pci0 dev 3 function 0 "Intel 82540EM" rev 0x02: apic 1 int 19, address 08:00:27:a4:36:7c
"InnoTek Guest Service" rev 0x00 at pci0 dev 4 function 0 not configured
auich0 at pci0 dev 5 function 0 "Intel 82801AA AC97" rev 0x01: apic 1 int 21, ICH
ac97: codec id 0x83847600 (SigmaTel STAC9700)
audio0 at auich0
ohci0 at pci0 dev 6 function 0 "Apple Intrepid USB" rev 0x00: apic 1 int 22, version 1.0
piixpm0 at pci0 dev 7 function 0 "Intel 82371AB Power" rev 0x08: apic 1 int 23
iic0 at piixpm0
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb0 at ohci0: USB revision 1.0
uhub0 at usb0 configuration 1 interface 0 "Apple OHCI root hub" rev 1.00/1.00 addr 1
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
root on wd0a (c47cf0fe33a19d09.a) swap on wd0b dump on wd0b
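A caveat worth having next to this ruleset, as an added example and not part of Alex's post: when a pf rdr-to rule hands a connection to a host that does not route its replies back through the pf machine, the redirected SYN leaves with the client's original source address, the target answers the client directly through its own default gateway, and the state on the redirecting host never sees the SYN-ACK. The symptoms described above (rdr-to rule matched, pass out rule matched, nothing ever comes back, client times out) are exactly the pattern the OpenBSD PF FAQ calls reflection in its "Redirection and Reflection" section, and the documented way to keep the reply path on the pf host is to also rewrite the source with nat-to. The fragment below puts the rule form from the post beside the nat-to form; the addresses 192.168.20.15 and 192.168.20.16 are taken from the description, and that the VM's em0 is the egress interface is an assumption. Whether this is the cause on the poster's network is for them to confirm with pfctl -vss, which shows such a state with packet counts in one direction only.

```pf
# Added example, not from the original post. Shows a rdr-to rule whose target
# (the Postfix host) does not route replies back through this pf host, first
# in the form used in the post and then with nat-to added so the mail server
# answers this host rather than the original client.
# Assumed: this VM is 192.168.20.16 on em0 (group egress); Postfix host is
# 192.168.20.15, as in the post.
kootenai = "192.168.20.15"
table <spamd-white> persist

# Form from the post: the redirected SYN keeps the client's source address, so
# the mail server replies straight to the client via its own default gateway.
# The state created here stays half-open (pfctl -vss shows packets counted in
# one direction only) and the client's connection times out.
# pass in log on egress proto tcp from <spamd-white> to any port smtp \
#     rdr-to $kootenai port smtp

# Reflection-safe form: also rewrite the source to this host's egress address,
# so the mail server's SYN-ACK returns through the pf state on this host.
# Trade-off: Postfix now sees 192.168.20.16 as the connecting client instead
# of the real peer address, so its logs and any per-client restrictions on the
# Postfix side lose that information; the spamd-side whitelisting still sees
# the real address because it is evaluated before translation.
pass in log on egress proto tcp from <spamd-white> to any port smtp \
    rdr-to $kootenai port smtp nat-to (egress)

# Outbound rule from the post still matches the translated packet.
pass out log on egress proto tcp to any port smtp
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; afterwards a whitelisted client's connection should show as ESTABLISHED:ESTABLISHED in `pfctl -ss` instead of sitting in SYN_SENT.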