Date:      Sun, 17 Jun 2012 09:40:58 -0700
From:      Doug Hardie <bc979@lafn.org>
To:        Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: Problem with spamlogd
Message-ID:  <BE1E61FE-451B-454F-81E3-9E493258F30A@lafn.org>
In-Reply-To: <4FDDDBC5.9070206@infracaninophile.co.uk>
References:  <F9842FD4-2197-4787-9185-C58DB633A938@lafn.org> <4FDDDBC5.9070206@infracaninophile.co.uk>


On 17 June 2012, at 06:29, Matthew Seaman wrote:

> On 17/06/2012 11:45, Doug Hardie wrote:
>> I am using spamd on several systems and started encountering a problem awhile ago with FreeBSD 7.2 servers, but let it go since I am in the process of upgrading the servers.  However, I now am encountering the same issue on FreeBSD 9.0 with spamlogd.  It never reads pflog0.  pflogd reads the entries just fine.  I set up syslog to log all the spamlogd messages and when spamlogd is started it gives:
>>
>> spamlogd: Listening on pflog0 for all interfaces.
>>
>> lsof shows that it is connected to bpf0 as is pflogd.  However, pflogd shows an offset into the file that appears to be the end of the file.  spamlogd shows an offset of 0.  It is periodically reading the file as shown by ktrace but always getting back a 0 size return.  spamd itself is working just fine.  However, the expiration times are not being updated so white entries are timed out way too often.  spamlogd used to update them.  The rc.conf entries are:
>>
>> obspamd_enable="YES"
>> obspamd_flags="-G 2:1:1728"
>> obspamd_setup_flags=""
>> obspamd_grey=YES
>> obspamlogd_enable="YES"
>> obspamlogd_flags="-W 1728"
>>
>>
>> These were established a few years ago and worked up till a short while ago.  I don't recall any changes I made to anything, but…
>>
>> Looking through the spamlogd source it appears to be building a filter for the pcap routines with:
>>
>> "ip and port 25 and action pass and tcp[13]&0x12=0x2"
>>
>> Using that filter on pflog yields no output.  I believe the pass item requires there to be some logging of the pass actions and those are not appearing in the pflog or in the pfctl counts for those rules.  I suspect that is the problem.  The pf.conf is: (mail server is on this machine)
>>
>> ext_if="em0"
>>
>> table <blackhole> persist file "/etc/blackhole"
>> table <spamd> persist
>> table <spamd-white> persist
>> table <spamd-white-local> persist file "/etc/mail/whitelist"
>>
>>
>> no rdr on { lo0, lo1 } from any to any
>>
>> no rdr on { lo0, lo1 } from any to any
>> MAILHOSTS = "{zool.lafn.org 10.0.1.10}"
>>
>> rdr pass log on $ext_if inet proto tcp from <spamd-white-local> to port smtp -> 127.0.0.1 port smtp
>> rdr pass log on $ext_if inet proto tcp from <spamd-white> to port smtp -> 127.0.0.1 port smtp
>> rdr pass log on $ext_if inet proto tcp to $MAILHOSTS port smtp -> 127.0.0.1 port spamd
>>
>>
>> pass in on lo0
>>
>> pass in log on $ext_if inet proto tcp to 127.0.0.1 port smtp
>> pass out log on $ext_if inet proto tcp from 127.0.0.1 to any port smtp
>>
>> block in quick log on $ext_if from <blackhole> to any
>
> You seem to be logging all the SMTP traffic that passes through pf in
> any direction.  Which doesn't make a lot of sense to me -- obspamlogd
> will see the logged SMTP packets, assume that's valid traffic and add
> the hosts to the whitelist.  Even if that's the incoming SYN packet from
> some dubious mailer trying to inject you full of spam.

Right now, I would like spamlogd to be a bit confused ;-)  However, it's not seeing any of the logging.  It never receives any input from pflog0.  From the filter, the pass action indicates it won't look at any of the rdr logging (which is in the log) but is waiting for the pass rules to log something.  The tcp[13]&0x12=0x2 item is the TCP SYN flag so it should be able to separate out what it wants from the log.  However, the pass rules are never being used and hence they never generate any log entries.  pfctl -vvsr shows all zeros for both of those rules.

I understand that the pass rules are applied after the rdr rules but apparently I am getting the matching criteria wrong.  At this point switching them to a separate log stream won't help since it would never get anything logged to it.


>
> You should only log the SYN packets going out of your upstream (egress)
> interface for obspamlogd -- that way it immediately whitelists anyone
> you send email to, so they can reply without delay due to greylisting.
>
> A good way of doing that is to log SMTP traffic to a separate log
> device. eg:
>
> pass log (to pflog1) on $ext_if proto tcp \
>     from any to any port smtp            \
>     flags S/SA keep state
>
> then in /etc/rc.conf, tell obspamlogd to use pflog1:
>
> obspamlogd_enable="YES"
> obspamlogd_flags="-i em0"
> obspamlogd_pflog_if="pflog1"
>
> That way you can keep pflog0 for doing the normal packet logging that is
> usual with pf -- typically, logging anything that gets dropped by the
> firewall -- without getting obspamlogd confused.
>
> 	Cheers,
>
> 	Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                  Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
> JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW