Date: Sun, 17 Jun 2012 09:40:58 -0700
From: Doug Hardie <bc979@lafn.org>
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: Problem with spamlogd
Message-ID: <BE1E61FE-451B-454F-81E3-9E493258F30A@lafn.org>
In-Reply-To: <4FDDDBC5.9070206@infracaninophile.co.uk>
References: <F9842FD4-2197-4787-9185-C58DB633A938@lafn.org> <4FDDDBC5.9070206@infracaninophile.co.uk>
On 17 June 2012, at 06:29, Matthew Seaman wrote:

> On 17/06/2012 11:45, Doug Hardie wrote:
>> I am using spamd on several systems and started encountering a problem a while ago with FreeBSD 7.2 servers, but let it go since I am in the process of upgrading the servers. However, I now am encountering the same issue on FreeBSD 9.0 with spamlogd. It never reads pflog0. pflogd reads the entries just fine. I set up syslog to log all the spamlogd messages and when spamlogd is started it gives:
>>
>> spamlogd: Listening on pflog0 for all interfaces.
>>
>> lsof shows that it is connected to bpf0 as is pflogd. However, pflogd shows an offset into the file that appears to be the end of the file. spamlogd shows an offset of 0. It is periodically reading the file as shown by ktrace but always getting back a 0 size return. spamd itself is working just fine. However, the expiration times are not being updated so white entries are timed out way too often. spamlogd used to update them. The rc.conf entries are:
>>
>> obspamd_enable="YES"
>> obspamd_flags="-G 2:1:1728"
>> obspamd_setup_flags=""
>> obspamd_grey=YES
>> obspamlogd_enable="YES"
>> obspamlogd_flags="-W 1728"
>>
>>
>> These were established a few years ago and worked up till a short while ago. I don't recall any changes I made to anything, but…
>>
>> Looking through the spamlogd source it appears to be building a filter for the pcap routines with:
>>
>> "ip and port 25 and action pass and tcp[13]&0x12=0x2"
>>
>> Using that filter on pflog yields no output. I believe the pass item requires there to be some logging of the pass actions and those are not appearing in the pflog or in the pfctl counts for those rules. I suspect that is the problem.
>>
>> The pf.conf is: (mail server is on this machine)
>>
>> ext_if="em0"
>>
>> table <blackhole> persist file "/etc/blackhole"
>> table <spamd> persist
>> table <spamd-white> persist
>> table <spamd-white-local> persist file "/etc/mail/whitelist"
>>
>>
>> no rdr on { lo0, lo1 } from any to any
>>
>> no rdr on { lo0, lo1 } from any to any
>> MAILHOSTS = "{zool.lafn.org 10.0.1.10}"
>>
>> rdr pass log on $ext_if inet proto tcp from <spamd-white-local> to port smtp -> 127.0.0.1 port smtp
>> rdr pass log on $ext_if inet proto tcp from <spamd-white> to port smtp -> 127.0.0.1 port smtp
>> rdr pass log on $ext_if inet proto tcp to $MAILHOSTS port smtp -> 127.0.0.1 port spamd
>>
>>
>> pass in on lo0
>>
>> pass in log on $ext_if inet proto tcp to 127.0.0.1 port smtp
>> pass out log on $ext_if inet proto tcp from 127.0.0.1 to any port smtp
>>
>> block in quick log on $ext_if from <blackhole> to any
>
> You seem to be logging all the SMTP traffic that passes through pf in
> any direction. Which doesn't make a lot of sense to me -- obspamlogd
> will see the logged SMTP packets, assume that's valid traffic and add
> the hosts to the whitelist. Even if that's the incoming SYN packet from
> some dubious mailer trying to inject you full of spam.

Right now, I would like spamlogd to be a bit confused ;-) However, it's not seeing any of the logging. It never receives any input from pflog0. From the filter, the pass action indicates it won't look at any of the rdr logging (which is in the log) but is waiting for the pass rules to log something. The tcp[13]&0x12=0x2 item is the TCP SYN flag so it should be able to separate out what it wants from the log. However, the pass rules are never being used and hence they never generate any log entries. pfctl -vvsr shows all zeros for both of those rules.

I understand that the pass rules are applied after the rdr rules but apparently I am getting the matching criteria wrong. At this point switching them to a separate log stream won't help since it would never get anything logged to it.

> You should only log the SYN packets going out of your upstream (egress)
> interface for obspamlogd -- that way it immediately whitelists anyone
> you send email to, so they can reply without delay due to greylisting.
>
> A good way of doing that is to log SMTP traffic to a separate log
> device. eg:
>
> pass log (to pflog1) on $ext_if proto tcp \
>     from any to any port smtp \
>     flags S/SA keep state
>
> then in /etc/rc.conf, tell obspamlogd to use pflog1:
>
> obspamlogd_enable="YES"
> obspamlogd_flags="-i em0"
> obspamlogd_pflog_if="pflog1"
>
> That way you can keep pflog0 for doing the normal packet logging that is
> usual with pf -- typically, logging anything that gets dropped by the
> firewall -- without getting obspamlogd confused.
>
> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
> JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
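The diagnosis Doug walks through by hand (spamlogd's pcap filter wants `action pass` on port 25, so only a logging pass rule can feed it, and `pfctl -vvsr` showing zero packets for those rules means pflog0 carries nothing it would accept) can be automated. The script below is an added example, not code from this thread, from spamd or from pf: it parses `pfctl -vvsr` text, works out which pflog interface each rule logs to (pflog0 unless the rule says `log (to pflogN)`), and reports the SMTP pass rules that feed a given interface together with those whose packet counter is still zero. The counter line layout is an assumption based on FreeBSD 9-era pfctl, and `SAMPLE_PFCTL_VVSR` is constructed to mirror the pf.conf posted above, with Matthew's suggested pflog1 rule added; it is not real output from that host.

```python
"""Spot pf 'log' rules that never match, i.e. an empty pflog stream for spamlogd.

Added diagnostic, not code from the thread or from spamd/pf. Counter layout is
assumed from FreeBSD 9-era `pfctl -vvsr`; the sample below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the thread's pf.conf (plus the pflog1 rule).
# `pfctl -sr` lists filter rules only; rdr rules would appear under `pfctl -sn`.
SAMPLE_PFCTL_VVSR = """\
@0 pass in on lo0 all flags S/SA keep state
  [ Evaluations: 4402      Packets: 88012     Bytes: 9103300     States: 3     ]
  [ Inserted: uid 0 pid 912 State Creations: 410   ]
@1 pass in log on em0 inet proto tcp from any to 127.0.0.1 port = smtp flags S/SA keep state
  [ Evaluations: 4402      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 912 State Creations: 0     ]
@2 pass out log on em0 inet proto tcp from 127.0.0.1 to any port = smtp flags S/SA keep state
  [ Evaluations: 1207      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 912 State Creations: 0     ]
@3 block drop in log quick on em0 from <blackhole> to any
  [ Evaluations: 4402      Packets: 317       Bytes: 15216       States: 0     ]
  [ Inserted: uid 0 pid 912 State Creations: 0     ]
@4 pass log (to pflog1) on em0 proto tcp from any to any port = smtp flags S/SA keep state
  [ Evaluations: 4402      Packets: 96        Bytes: 6144        States: 2     ]
  [ Inserted: uid 0 pid 912 State Creations: 2     ]
"""

RULE_RE = re.compile(r"^@(\d+)\s+(.*)$")
COUNTER_RE = re.compile(
    r"Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)")
# `log` as a rule keyword, optionally with options such as "(to pflog1)";
# the word boundaries keep "pflog1" itself from matching.
LOG_RE = re.compile(r"\blog\b(?:\s*\(([^)]*)\))?")
# pfctl prints the port as "port = smtp" (or "= 25" with -N); accept both.
SMTP_RE = re.compile(r"\bport\s*=?\s*(?:smtp|25)\b")


@dataclass
class PfRule:
    number: int
    text: str
    evaluations: int = 0
    packets: int = 0
    nbytes: int = 0
    states: int = 0


def parse_pfctl_vvsr(output: str) -> List[PfRule]:
    """Turn `pfctl -vvsr` text into PfRule objects carrying their counters."""
    rules: List[PfRule] = []
    for raw in output.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if m:
            rules.append(PfRule(int(m.group(1)), m.group(2)))
            continue
        m = COUNTER_RE.search(line)
        if m and rules:
            r = rules[-1]
            r.evaluations, r.packets, r.nbytes, r.states = (int(x) for x in m.groups())
    return rules


def logs_to(rule: PfRule) -> Optional[str]:
    """pflog interface the rule logs to: None without `log`, pflog0 by default."""
    m = LOG_RE.search(rule.text)
    if not m:
        return None
    to = re.search(r"\bto\s+(pflog\d+)", m.group(1) or "")
    return to.group(1) if to else "pflog0"


def diagnose(output: str, pflog_if: str = "pflog0") -> dict:
    """SMTP pass rules that feed pflog_if, and the subset that never matched.

    spamlogd's default filter needs `action pass` and port 25, so only logging
    pass rules on SMTP can produce input for it; every `feeding` rule that is
    also `silent` (zero packets) is a rule that logs nothing to that device.
    """
    rules = parse_pfctl_vvsr(output)
    feeding = [r for r in rules
               if r.text.startswith("pass") and logs_to(r) == pflog_if
               and SMTP_RE.search(r.text)]
    silent = [r for r in feeding if r.packets == 0]
    return {"feeding": [r.number for r in feeding],
            "silent": [r.number for r in silent]}


if __name__ == "__main__":
    # On a live host: diagnose(subprocess.check_output(["pfctl", "-vvsr"], text=True))
    for iface in ("pflog0", "pflog1"):
        print(iface, diagnose(SAMPLE_PFCTL_VVSR, iface))
```

Run against the constructed sample, pflog0 is fed only by rules 1 and 2, both with zero packets, which is exactly the state Doug describes; pflog1 is fed by the egress SYN rule and has traffic. On a live box, replace the sample with the real `pfctl -vvsr` output and pass the interface from `obspamlogd_pflog_if`; a non-empty `silent` list means the pass rule's match criteria, not spamlogd, is what needs fixing.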