Didier Wiroth wrote:

scenario:
pf fw running as inet gateway & NATs smtp to postfix on different host. this works just fine but of course receives spam occasionally! spamd appears to be a drop-on-top of your existing (working) MTA config - i.e. no changes are required to my pf fw & postfix setup at all. am i right?

changes - all on postfix box only:

- enabled pf & set a pf.conf (below)
- use default spamd.conf

this seems to work but -

i don't see a greylist table anywhere in pfctl -s all. is one needed?
ok sorted this out, these are found using spamdb... :-)


pf in-memory table spamd-white doesn't persist between reboots. is this expected?
Are you running spamlogd? This is the daemon that should read and load the IPs (from spamd) into the pf table.

yes i'm running spamlogd. however the issue is that i didn't understand the pf table - it loads a file from disk, but doesn't use the same table for updates. so i added a second table for the permanent whitelist in pf.conf
Please note, to use your whitelist entry in spamd.conf you should have something like:
all:\
   :spews1:whitelist:china:whitelist:korea:whitelist:
now yes - this makes sense.
You should really consider to use the latest "current" /etc/mail/spamd.conf from the cvs repository, as there are far better hosts in it.

ok done. thanks for your comments Didier!

so now i have (maybe) 1 last problem - i want to pass through the connections on disk before the spamd rules take place. but my modified pf.conf won't parse, due to an error. i understand *why* but not how to set this up correctly. basically this rule needs to be moved somewhere else:

#pass in log on $ext_if proto tcp from <spamd-clear> to port smtp

a+
scorch

# pfctl -gnf /etc/pf.conf
/etc/pf.conf:xxxxx: Rules must be in order: options, normalization, queueing, translation, filtering
...

file:/etc/pf.conf
ext_if="fxp0"
int_if="lo0"

table <spamd> persist
table <spamd-white> persist
table <spamd-clear> persist file "/etc/whitelist.txt"

set skip on lo
scrub in

# spam filters - spamd-clear go straight through, the rest grey/tar as needed
#pass in log on $ext_if proto tcp from <spamd-clear> to port smtp
rdr pass on $ext_if proto tcp from <spamd> to port smtp \
       -> 127.0.0.1 port spamd
rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
       -> 127.0.0.1 port spamd

pass in on $ext_if proto tcp to ($ext_if) port ssh
#pass in log on $ext_if proto tcp to ($ext_if) port smtp
pass out log on $ext_if proto tcp from ($ext_if) to port smtp
