> Sent: Tuesday, April 29, 2025 at 1:35 AM
> From: "Zé Loff" <zel...@zeloff.org>
> To: "ed bennett" <quogu...@yahoo.com>
> Cc: "misc@openbsd.org" <misc@openbsd.org>
> Subject: Re: I need help with pf and smtpd.conf to deal with an ongoing attack on port 25 that is sending out emails.
>
> On Mon, Apr 28, 2025 at 12:32:56PM +0000, ed bennett wrote:
> > I only want to receive incoming emails and only send emails from the server
> > itself, either with scripts or while logged on with ssh.
> > I've completely blocked port 25 and the submission ports.
> > With 25 open, I can't even log in and I have to use IPMI.
> > First, what can I do with just pf? I haven't found any useful examples, and
> > it's not clear to me exactly how to only allow local connections to send out
> > emails but still receive outside emails.
> >
> > After that, what should I do with smtpd.conf? I find the built-in "from local"
> > defaults to be more confusing than helpful. I had a lot of useful backups lost
> > from theft and the failure of the last hard drive with copies. I'm also just
> > getting clear-headed enough after two surgeries to do more than keep everything
> > blocked and monitor continuously with tcpdump. Port 25 is still getting hit.
> > The ISP offers Edgelayer ACL but I have not found any documentation on how to
> > use it.
> >
> > Any help deeply appreciated.
> >
> 
> If you want to receive external emails, you need to have port 25 open.
> However, this leaves the chance that other machines in the network
> submit their messages to the server's port 25.  So, to do this at the
> network level, with PF, you can block connections from every other host
> on your LAN, and only allow connections from your gateway (assuming
> you're using NAT) or from anything but your LAN (if this is an
> internet-facing machine, which I wouldn't advise).  This leaves the
> corner case in which the gateway machine can send messages to your MTA.
> 
> Apart from that, you might be able to do something different with your
> MTA: you can configure it to listen on the egress interface, allowing
> only for local delivery, *and* to listen on lo0, allowing those messages
> to be forwarded.  This shouldn't be too hard to do with OpenSMTPD.
> 

I've managed to get pf tweaked so it blocks and passes a good bit better.
I still need to tweak smtpd.conf a bit better.
But I did realize that I send mail out to very few domains, so I have
made a whitelist for outgoing messages. If it's not on that list, it's
not going out. Not a perfect solution, but poor julia@imobust and yahoo
should be much less bothered.
Thank you.
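The split Zé Loff describes (pf admitting port 25 only from outside the LAN or from the gateway; OpenSMTPD delivering locally for the Internet-facing listener and relaying only mail that originates on the host itself), combined with the outbound destination whitelist from the reply above, written out as an added example that is not part of this thread. The LAN and gateway addresses, the local domain example.com, the destination domains in <outbound_domains> and the rate-limit numbers are assumptions.

```conf
# --- /etc/pf.conf (fragment; assumed LAN 192.168.1.0/24, gateway 192.168.1.1) ---
lan_net = "192.168.1.0/24"
gateway = "192.168.1.1"
table <smtp_abusers> persist

# Sources that tripped the rate limit below stay blocked until the table is flushed.
block in quick on egress proto tcp from <smtp_abusers> to (egress) port smtp

# The NAT gateway may always reach the MTA; every other LAN host may not.
pass in quick on egress proto tcp from $gateway to (egress) port smtp
block in quick log on egress proto tcp from $lan_net to (egress) port smtp

# Anything else (i.e. the Internet) may deliver on port 25, but one source gets
# at most 10 open connections and 15 new connections per minute before it is
# added to <smtp_abusers> and its existing states are killed.
pass in on egress proto tcp from any to (egress) port smtp \
    keep state (max-src-conn 10, max-src-conn-rate 15/60, \
                overload <smtp_abusers> flush global)

# --- /etc/mail/smtpd.conf (assumed local domain example.com) ------------------
table aliases file:/etc/mail/aliases
# The only destinations this host is ever allowed to send to (assumed values).
table outbound_domains { "example.net", "example.org" }

listen on socket      # sendmail(8), mail(1) and scripts on this host
listen on lo0         # programs speaking SMTP to 127.0.0.1
listen on egress      # Internet-facing port 25

action "local_mail" mbox alias <aliases>
action "outbound" relay

# Rules are tried in order and a session matching none is refused at RCPT TO,
# so the absence of any "from any ... action outbound" rule is what prevents
# relaying for outside hosts, whichever listener they connected to.
match from any for domain "example.com" action "local_mail"
match for local action "local_mail"
match from local for domain <outbound_domains> action "outbound"
```

Check with `pfctl -nf /etc/pf.conf` and `smtpd -n` before loading; the whitelist means mail from the host to a domain not in <outbound_domains> is rejected at enqueue time rather than silently dropped.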
