Marc Perkel wrote:
> 
> 
> Theo Van Dinter wrote:
>> On Thu, Feb 16, 2006 at 05:36:32PM -0800, Marc Perkel wrote:
>>   
>>> Why is spamd deciding what IP addresses are unauthorized when I told it 
>>> to listen on all ports.
>>>     
>>
>> Just because it's listening on a port doesn't mean the client is allowed to
>> connect.  You want to look at -A which is the listing of allowed client IPs.
>>   
> 
> Yes - that's it. Thanks.
> 
> So - why two different settings?

Because they control two totally different things.

-i controls which interfaces of the SERVER that spamd will listen for 
connections on.

-A controls which CLIENTS it will accept connections from.

Say I have 3 webservers, 3 mailservers, and 1 backend spamd server in a DMZ
subnet. I want the mailservers to connect to the backend spamd, but there's no
reason to allow the webservers to do so.

In fact, if the webservers are running a lot of scripts that might get
exploited, it's probably better that I not allow them to connect to spamd. If
someone found a way of exploiting spamd over the network, they could leapfrog
from the webserver to the spamd server.

Admittedly -A is a bit redundant with iptables, you could achieve the same
effect with any firewall on the spamd server. However, this way it is defaulting
to accepting connections from nobody, just to force you to think about what
machines you should accept connections from.
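The two checks described above, as an added illustration that is not code from the thread or from spamd itself: a small Python model of the order in which a listener check (-i) and a client allow-list check (-A) are applied to an incoming connection. The DMZ addresses are constructed from the RFC 5737 documentation range, the mailserver/webserver roles follow the example in the reply, and the assumption that -A entries may be single IPs or CIDR ranges is mine.

```python
import ipaddress

# Constructed DMZ layout for the example (documentation-range addresses,
# not any real deployment): one spamd host, three mailservers, three webservers.
SPAMD_HOST = "192.0.2.10"
MAILSERVERS = "192.0.2.21,192.0.2.22,192.0.2.23"   # what a -A list would name
WEBSERVERS = ["192.0.2.31", "192.0.2.32", "192.0.2.33"]


def parse_allowed(spec):
    """Parse a comma-separated allow list (single IPs or CIDR ranges; the CIDR
    form is an assumption of this model)."""
    nets = []
    for item in spec.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def listener_bound(listen_ifaces, server_ip):
    """Model of -i: is there a socket on the server address the client reached?
    '0.0.0.0' stands for 'listen on all interfaces'."""
    return "0.0.0.0" in listen_ifaces or server_ip in listen_ifaces


def client_allowed(client_ip, allowed_nets):
    """Model of -A: is the connecting client inside one of the allowed ranges?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in allowed_nets)


def decide(listen_ifaces, allowed_spec, server_ip, client_ip):
    """Apply the checks in order: no listener means the TCP connect never
    completes; a listener that exists still rejects clients outside -A."""
    if not listener_bound(listen_ifaces, server_ip):
        return "refused: no listener on that interface (-i)"
    if not client_allowed(client_ip, parse_allowed(allowed_spec)):
        return "rejected: client not in allowed list (-A)"
    return "accepted"


def demo():
    """Listen on all interfaces, allow only the mailservers: mailservers get
    in, webservers are turned away even though the port is open to them."""
    listen_all = ["0.0.0.0"]
    return {
        client: decide(listen_all, MAILSERVERS, SPAMD_HOST, client)
        for client in ["192.0.2.21"] + WEBSERVERS
    }


if __name__ == "__main__":
    for client, outcome in demo().items():
        print(f"{client:>12} -> {outcome}")
    # Same allow list, but spamd bound only to loopback: a mailserver's
    # connection to the DMZ address never reaches a socket at all.
    print(decide(["127.0.0.1"], MAILSERVERS, SPAMD_HOST, "192.0.2.21"))
```

Running it shows the point of the reply: with -i set to everything, the webservers can reach the port but the -A check still rejects them, and with -i narrowed to loopback the -A list never even comes into play because nothing is listening on the address the client uses.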