>> What could be wrong? What have I been missing?
>
>       probably a pf rules thing, (not logging port 25 connections, etc.)

This is the content of my pf.conf:
# -----------------------------------------------------
# TABLES AND VARIABLES:
ext_if="rl0"
table <spamd> persist
table <spamd-white> persist


# -----------------------------------------------------
# FILTER SETTINGS:
set block-policy drop
set skip on lo0
set loginterface $ext_if
set limit table-entries 250000


# -----------------------------------------------------
# PACKET NORMALIZATION:
scrub in  on $ext_if inet all fragment reassemble
scrub out on $ext_if inet all random-id


# -----------------------------------------------------
# NAT/RDR RULES:
# spamd:
rdr inet proto tcp from <spamd> to any \
        port 25 -> 127.0.0.1 port 8025
rdr inet proto tcp from !<spamd-white> to any \
        port 25 -> 127.0.0.1 port 8025


# -----------------------------------------------------
# FILTER RULES:
# default policy:
block log all

# ssh access:
pass  in  on $ext_if inet proto tcp from any to $ext_if port 22 \
        flags S/SA keep state

# icmp echo and traceroute:
pass  in  on $ext_if inet proto icmp from any to $ext_if \
        icmp-type 8 keep state
pass  in  on $ext_if inet proto udp from any to $ext_if \
        port 33435:33524 keep state

# allow outgoing traffic:
pass  out on $ext_if inet proto tcp all flags S/SA keep state
pass  out on $ext_if inet proto { udp, icmp } all keep state

# services:
# mail:
pass  in  log on $ext_if inet proto tcp from any to \
        $ext_if port 25 flags S/SA keep state
pass  out log on $ext_if inet proto tcp from $ext_if to \
        any port 25 flags S/SA keep state
pass  in  log on $ext_if inet proto tcp from any to \
        127.0.0.1 port 8025 flags S/SA keep state
pass  in  on $ext_if inet proto tcp from any to \
        $ext_if port { 465, 587, 110, 143, 993, 995 } flags S/SA keep state

# antispoof:
block in  log on $ext_if inet from $ext_if to any
--


>       turn on debug level syslogging in /etc/syslog.conf 
>
>i.e.
>
>*.debug                                                 /var/log/debug
>
>       and you should see spamlogd yapping in there for every
>inbound and outbound connection, as well as spamd talking about
>everything that hits it and everything that it whitelists. 
I see messages from spamlogd:
--
Dec  6 20:10:57 sargon spamlogd[26673]: inbound 193.95.195.234 
Dec  6 20:11:03 sargon spamlogd[26673]: inbound 85.74.161.17 
Dec  6 20:11:09 sargon spamlogd[26673]: inbound 201.225.200.146 
Dec  6 20:11:13 sargon spamlogd[26673]: inbound 65.31.67.90 
Dec  6 20:11:15 sargon spamlogd[26673]: inbound 189.13.203.218 
Dec  6 20:11:23 sargon spamlogd[26673]: inbound 196.206.22.130 
--
(no outbound connections as clients can't connect to the SMTP at
the moment)

Or these from spamd:
--
Dec  6 20:12:00 sargon spamd[8277]: 89.37.50.15: connected (8/5)
Dec  6 20:12:07 sargon spamd[8277]: 195.2.96.10: connected (9/5)
Dec  6 20:12:08 sargon spamd[8277]: (GREY) 193.109.211.175:
<[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Dec  6 20:12:08 sargon spamd[8277]: 193.109.211.175: disconnected after
11 seconds.
Dec  6 20:12:08 sargon spamd[8277]: 193.109.211.175: connected (9/5)
Dec  6 20:12:12 sargon spamd[8277]: (GREY) 89.37.50.15:
<[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Dec  6 20:12:12 sargon spamd[8277]: 89.37.50.15: disconnected after 12
seconds.
--

But that's it. I can see only inbound connections on pflog0 interface as
clients are not able to connect to SMTP at this point:
--
20:18:37.430201 196.218.62.68.2125 > 127.0.0.1.8025: [|tcp] (DF)
20:18:48.992685 201.8.12.152.61364 > 127.0.0.1.8025: [|tcp] (DF)
20:18:49.933507 81.176.68.176.58866 > 127.0.0.1.8025: [|tcp] (DF)
20:18:49.960999 81.153.206.207.1946 > 127.0.0.1.8025: [|tcp] (DF)
20:18:59.710835 62.221.60.166.3082 > 127.0.0.1.8025: [|tcp] (DF)
20:19:01.826604 89.138.60.65.3639 > 127.0.0.1.8025: [|tcp] (DF)
--

And there is a tcpdump process listening for SMTP connections:
--
_tcpdump 13159  0.0  0.2   664  1208 ??  S      7:51PM    0:00.02
tcpdump -l -n -e -i pflog0 -q -t port 25 and action pass and
tcp[13]&0x12=0x2
root       107  0.0  0.2   668   836 ??  I      7:51PM    0:00.01
tcpdump: [priv] (tcpdump)
--

This is how it looks when I'm sending email from another mailserver
that I maintain:
--
Dec  6 20:13:58 vedjma postfix/smtp[27269]: 66C90A15B: host
mail.drosiba.lv[193.109.211.134] said: 451 Temporary failure,
please try again later. (in reply to RCPT TO command)
--

Which is OK, but then again this host never gets whitelisted for real:
--
(on receiving server)
Dec  6 20:13:47 sargon spamd[8277]: 159.148.95.112: connected (13/5)
Dec  6 20:13:58 sargon spamd[8277]: (GREY) 159.148.95.112:
<[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Dec  6 20:13:58 sargon spamd[8277]: 159.148.95.112: disconnected after
11 seconds.
Dec  6 20:15:37 sargon spamd[8277]: 159.148.95.112: connected (12/5)
Dec  6 20:15:48 sargon spamd[8277]: (GREY) 159.148.95.112:
<[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Dec  6 20:15:48 sargon spamd[8277]: 159.148.95.112: disconnected after
11 seconds.
--

Which I even see whitelisted later:
--
(on receiving server)
Dec  6 20:40:41 sargon spamd[8277]: (GREY) 159.148.95.112:
<[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Dec  6 20:40:44 sargon spamd[29056]: whitelisting 159.148.95.112 in
/var/db/spamd
--

But mail deliveries still don't work after it has been 'whitelisted':
--
(on sending server)
Dec  6 20:46:34 vedjma postfix/smtp[21433]: B191DA15F: host
mail.drosiba.lv[193.109.211.134] said: 451 Temporary failure, please try
again later. (in reply to RCPT TO command)
--

As we can see, it was whitelisted in spamdb, but spamd-white table is
still empty:
--
(on receiving server)
# date
Wed Dec  6 20:47:36 EET 2006
# pfctl -t spamd-white -T show | wc -l
       0 
# spamdb | grep 159.148.95.112
WHITE|159.148.95.112|||1165428838|1165430441|1168540844|8|0
--

As soon as I comment out this rdr rule from pf.conf:
--
rdr inet proto tcp from !<spamd-white> to any \
       port 25 -> 127.0.0.1 port 8025
--

I can see clearly that pflog0 sees both inbound and outbound
connections just fine:
--
# tcpdump -i pflog0 -n port 25
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG
20:53:00.566432 201.215.36.31.64563 > 193.109.211.134.25: [|tcp] (DF)
20:53:01.489151 200.125.116.206.1603 > 193.109.211.134.25: [|tcp] (DF)
20:53:11.831770 80.171.105.25.10689 > 193.109.211.134.25: [|tcp] (DF)
20:53:12.338258 201.215.36.31.60295 > 193.109.211.134.25: [|tcp] (DF)

20:53:16.239631 193.109.211.134.12567 > 212.93.97.207.25: [|tcp] (DF)
(^^^^^^^^^^^ this one is outbound ^^^^^^^^^^^^)

20:53:16.885480 194.150.251.43.1638 > 193.109.211.134.25: [|tcp] (DF)
20:53:22.954886 159.148.85.60.57078 > 193.109.211.134.25: [|tcp] (DF)
20:53:29.155192 201.8.108.114.61398 > 193.109.211.134.25: [|tcp] (DF)
20:53:34.395495 80.6.145.205.61549 > 193.109.211.134.25: [|tcp] (DF)
20:53:36.831207 62.35.42.76.3991 > 193.109.211.134.25: [|tcp] (DF)
--

Any ideas?

p.
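The mismatch shown in the post (spamdb reports a WHITE record for 159.148.95.112 while `pfctl -t spamd-white -T show` prints nothing) is the kind of thing worth checking automatically on a greylisting host. The script below is an added example, not code from the post or from the OpenBSD spamd tools: it parses the output formats of `spamdb` and `pfctl -T show`, skips WHITE records that have already expired, and lists whitelisted hosts that are absent from the pf table. The WHITE field layout (type, address, two empty sender/recipient fields, first seen, last passed, expiry, blocked count, passed count) follows spamdb(8); the sample records, the table contents and the `NOW` timestamp are constructed for the example (the first record is the one from the post, the timestamp approximates the post's `date` output).

```python
"""Cross-check spamd's whitelist database against the pf <spamd-white> table.

Added example, not part of the original post. Run it against the real
output of `spamdb` and `pfctl -t spamd-white -T show` to spot hosts that
spamd has whitelisted but that pf will still redirect to port 8025.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Set


@dataclass
class WhiteEntry:
    ip: str
    first: int      # first time the host was seen (UNIX epoch)
    passed: int     # last time the host was allowed to pass (epoch)
    expire: int     # when the WHITE record expires (epoch)
    blocked: int    # how many times spamd blocked the host
    delivered: int  # how many times the host was passed through


def parse_spamdb(text: str) -> Dict[str, WhiteEntry]:
    """Parse `spamdb` output, keeping only WHITE records (GREY/TRAPPED carry
    sender and recipient and are not what ends up in <spamd-white>)."""
    entries: Dict[str, WhiteEntry] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split("|")
        if fields[0] != "WHITE" or len(fields) < 9:
            continue
        ip = str(ip_address(fields[1]))  # raises ValueError on a malformed record
        entries[ip] = WhiteEntry(
            ip=ip,
            first=int(fields[4]),
            passed=int(fields[5]),
            expire=int(fields[6]),
            blocked=int(fields[7]),
            delivered=int(fields[8]),
        )
    return entries


def parse_pf_table(text: str) -> Set[str]:
    """`pfctl -t <table> -T show` prints one address per line, indented.
    A trailing /prefix is tolerated so host entries compare as bare addresses."""
    addrs: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if line:
            addrs.add(str(ip_address(line.split("/")[0])))
    return addrs


def find_missing(spamdb_text: str, pf_text: str, now: int) -> List[str]:
    """Return whitelisted, unexpired hosts that are not in the pf table."""
    db = parse_spamdb(spamdb_text)
    table = parse_pf_table(pf_text)
    missing = []
    for ip, entry in sorted(db.items()):
        if entry.expire <= now:
            continue  # expired in spamdb; its absence from pf is expected
        if ip not in table:
            missing.append(ip)
    return missing


# Constructed sample data: the first WHITE record is the one from the post,
# the others are made up (RFC 5737 documentation addresses).
SAMPLE_SPAMDB = """\
WHITE|159.148.95.112|||1165428838|1165430441|1168540844|8|0
WHITE|192.0.2.10|||1165400000|1165401000|1165402000|2|1
WHITE|198.51.100.7|||1165400000|1165401000|1168000000|1|3
GREY|203.0.113.9|<sender@example.net>|<rcpt@example.org>|1165430000|0|1165444400|1|0
"""
SAMPLE_PF_TABLE = """\
   198.51.100.7
"""
NOW = 1165430856  # constructed: about Wed Dec 6 20:47 EET 2006, as in the post


if __name__ == "__main__":
    for ip in find_missing(SAMPLE_SPAMDB, SAMPLE_PF_TABLE, NOW):
        e = parse_spamdb(SAMPLE_SPAMDB)[ip]
        print(f"{ip}: WHITE in spamdb (blocked {e.blocked}, passed {e.delivered}) "
              f"but not in <spamd-white>")
```

On a live host the two inputs come from `spamdb` and `pfctl -t spamd-white -T show`; a non-empty result means the rdr rule will keep sending that sender to spamd no matter what the database says, which is exactly the symptom the post describes.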
