Marc Perkel wrote:
DAve wrote:Well then the DOCS should be changed so that the docs for -i and -A at least refer to each other.Marc Perkel wrote:Matt Kettler wrote:Marc Perkel wrote:Theo Van Dinter wrote:On Thu, Feb 16, 2006 at 05:36:32PM -0800, Marc Perkel wrote:Why is spamd deciding what IP addresses are unauthorized when I told it to listen on all ports.Just because it's listening on a port doesn't mean the client is allowed to connect. You want to look at -A which is the listing of allowed client IPs.Yes - that's it. Thanks. So - why two different settings?Because they control two totally different things.-i controls which interfaces of the SERVER that spamd will listen for connections n.-A controls which CLIENTS it will accept connections from.Say I have 3 webservers, 3 mailservers, and 1 backend spamd server in a DMZ subnet. I want the mailservers to connect to the backend spamd, but there's noreason to allow the webservers to do so.In fact, if the webservers are are running a lot of scripts that might get exploited, it's probably better that I not allow them to connect to spamd. If someone found a way of exploiting spamd over the network, they could leapfrogfrom the webserver to the spamd server.Admittedly -A is a bit redundant with iptables, you could achieve the same effect with any firewall on the spamd server. However, this way it is defaulting to accepting connections from nobody, just to force you to think about whatmachines you should accept connections from.If I may suggest - it is a very confusing configuration because I don't see why you would configure these two things to different vaules. However, you should at least donument it better so that the -i and -A sections refer to each other. You can surely see why if someone did -i then they would not be looking for another switch that does almost the same thing.I recomment changint it so that both switches do the same thing.But they don't do the same thing. For example, I have one spamd server, and three mail toasters. I use both the -i and the -A switch. My spamd server is at 10.0.240.253 and my toasters are lumped in with everything else at 10.0.240.50-200. (all my servers have two faces, a 100mb public interface and a 1gb private interface)I run spamd like so, #!/sbin/sh PATH=/usr/bin:/usr/local/bin exec /usr/local/bin/softlimit -a 128000000 \ /usr/local/bin/spamd -i 10.0.240.253 \ -p 1783 \ -A 10.0.240.134, \ 10.0.240.135, \ 10.0.240.136 \ -m 25 \ --max-conn-per-child=500 \ -u vpopmail -x -q -s stderr 2>&1-i tells spamd to listen only on the 10.0.240.253 interface, ignore the 10.0.241.xxx interface, that one is public.-A tells spamd to only accept connectione from 10.0.240.134-136, my toasters. Do *NOT* accept connections from my Frontpage server, my webservers, my shared hosting box, my MSSQL box, etc.The two switches do very different things. DAve
They don't have to refer to each other. One switch tells where spamd should listen for connections, the other tells spamd what connections to listen for. You can use one, the other, both, or neither as you require.
DAve http://spamassassin.apache.org/full/3.1.x/dist/doc/spamd.html -i [ipaddress], --listen-ip[=ipaddress], --ip-address[=ipaddress]Tells spamd to listen on the specified IP address (defaults to 127.0.0.1). If you specify no IP address after the switch, spamd will listen on all interfaces. (This is equal to the address 0.0.0.0). You can also use a valid hostname which will make spamd listen on the first address that name resolves to.
-A host,..., --allowed-ips=host,...Specify a list of authorized hosts or networks which can connect to this spamd instance. Single IP addresses can be given, ranges of IP addresses in address/masklength CIDR format, or ranges of IP addresses by listing 3 or less octets with a trailing dot. Hostnames are not supported, only IP addresses. This option can be specified multiple times, or can take a list of addresses separated by commas. Examples:
-A 10.11.12.13 -- only allow connections from 10.11.12.13.
-A 10.11.12.13,10.11.12.14 -- only allow connections from
10.11.12.13 and 10.11.12.14.
-A 10.200.300.0/24 -- allow connections from any machine in the range 10.200.300.*.
-A 10. -- allow connections from any machine in the range 10.*.*.*.
By default, connections are only accepted from localhost [127.0.0.1].
