Marc Perkel wrote:
Matt Kettler wrote:
Marc Perkel wrote:
Theo Van Dinter wrote:
On Thu, Feb 16, 2006 at 05:36:32PM -0800, Marc Perkel wrote:
Why is spamd deciding what IP addresses are unauthorized when I told it to listen on all ports?
Just because it's listening on a port doesn't mean the client is allowed to connect. You want to look at -A, which is the listing of allowed client IPs.
Yes - that's it. Thanks.
So - why two different settings?
Because they control two totally different things.
-i controls which interfaces of the SERVER that spamd will listen for connections on.
-A controls which CLIENTS it will accept connections from.
Say I have 3 webservers, 3 mailservers, and 1 backend spamd server in a DMZ subnet. I want the mailservers to connect to the backend spamd, but there's no reason to allow the webservers to do so.

In fact, if the webservers are running a lot of scripts that might get exploited, it's probably better that I not allow them to connect to spamd. If someone found a way of exploiting spamd over the network, they could leapfrog from the webserver to the spamd server.

Admittedly -A is a bit redundant with iptables; you could achieve the same effect with any firewall on the spamd server. However, this way it is defaulting to accepting connections from nobody, just to force you to think about what machines you should accept connections from.
If I may suggest - it is a very confusing configuration because I don't see why you would configure these two things to different values. However, you should at least document it better so that the -i and -A sections refer to each other. You can surely see why, if someone used -i, they would not be looking for another switch that does almost the same thing.
I recommend changing it so that both switches do the same thing.
But they don't do the same thing. For example, I have one spamd server,
and three mail toasters. I use both the -i and the -A switch. My spamd
server is at 10.0.240.253 and my toasters are lumped in with everything
else at 10.0.240.50-200. (all my servers have two faces, a 100mb public
interface and a 1gb private interface)
I run spamd like so (the comments describe each option):
#!/sbin/sh
PATH=/usr/bin:/usr/local/bin
# softlimit (daemontools) caps spamd's memory at 128000000 bytes.
#   -i  listen only on the private 10.0.240.253 interface
#   -p  listen on port 1783
#   -A  accept connections only from these clients; spamd takes the list
#       comma-separated (or -A repeated), not as separate bare arguments
#   -m  at most 25 child processes
#   -u  run as vpopmail; -x no per-user config files; -q per-user prefs
#       from SQL; -s stderr log to stderr
exec /usr/local/bin/softlimit -a 128000000 \
    /usr/local/bin/spamd -i 10.0.240.253 \
    -p 1783 \
    -A 10.0.240.134,10.0.240.135,10.0.240.136 \
    -m 25 \
    --max-conn-per-child=500 \
    -u vpopmail -x -q -s stderr 2>&1
-i tells spamd to listen only on the 10.0.240.253 interface and ignore the 10.0.241.xxx interface, which is the public one.
-A tells spamd to only accept connections from 10.0.240.134-136, my toasters. Do *NOT* accept connections from my Frontpage server, my webservers, my shared hosting box, my MSSQL box, etc.
The two switches do very different things.
DAve
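To make the two decisions concrete, here is an added Python sketch (not spamd's own code and not from anyone in this thread) that binds to one interface the way -i does, then applies a separate -A style allow-list to the address of whoever connects. The IP lists are constructed for illustration, and the greeting string is a stand-in, not the real spamd protocol.

```python
import ipaddress
import socket
import threading


def parse_allowed(spec):
    """Parse an -A style list (bare IPs or CIDR networks, comma-separated).
    A bare IP becomes a single-host network."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in spec.split(",") if item.strip()]


def client_allowed(peer_ip, allowed):
    """The -A decision: is the connecting client's address in the allow-list?"""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in allowed)


def run_demo(allowed_spec):
    """Listen on loopback only (the -i decision), connect from loopback, and
    return whether the -A check accepted that client. Constructed demo."""
    allowed = parse_allowed(allowed_spec)
    outcome = {}
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # -i: this interface only, any free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def server():
        conn, (peer, _) = srv.accept()   # bound interface did not vet the peer
        with conn:
            ok = client_allowed(peer, allowed)   # -A: separate check on the client
            outcome["accepted"] = ok
            if ok:
                conn.sendall(b"SPAMD/1.0 OK\r\n")   # stand-in greeting
            # a rejected client is simply closed (spamd logs it as unauthorized)

    t = threading.Thread(target=server)
    t.start()
    with socket.create_connection(("127.0.0.1", port)) as cli:
        cli.recv(64)             # either the greeting or EOF on rejection
    t.join()
    srv.close()
    return outcome["accepted"]


if __name__ == "__main__":
    print("client not in -A list:", run_demo("10.0.240.134,10.0.240.135,10.0.240.136"))
    print("client in -A list:", run_demo("127.0.0.1"))
```

The first call is rejected even though the server is listening and the client reached it, which is exactly the "unauthorized" situation the thread started with; the second call passes because the client address is in the allow-list.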