Date: Sun, 21 May 2006 21:36:14 GMT
From: Olli Hauer <ohauer@gmx.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/97579: [patch] ports mail/spamd to reflect the public hostname in helo dialog
Message-ID: <200605212136.k4LLaEAJ093939@www.freebsd.org>
Resent-Message-ID: <200605212140.k4LLe6kw078084@freefall.freebsd.org>
>Number: 97579
>Category: ports
>Synopsis: [patch] ports mail/spamd to reflect the public hostname in helo dialog
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Sun May 21 21:40:06 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Olli Hauer
>Release: FreeBSD 6.1-RELEASE i386
>Organization:
>Environment:
>Description:
spamd gets the hostname via gethostname(3)
spamd reports the inside hostname in the initial dialog

sample public hostname: mx.example.org
sample real hostname: mx.dmz.example.local

the patches are replacements for
spamd/files/patch-spamd
spamd/files/patch-spamdm
>How-To-Repeat:
$ echo "helo test" | nc localhost 8025
220 mx.dmz.example.local ESMTP Fake-Banner
^^^^^^^^^^^^^^^^^^^^^^^^
With the patch and the following directive:
pfspamd_flags="-4 -g -b 127.0.0.1 -G 6:4:846 -H mx.example.org -n Fake-Banner"
                                             ^^^^^^^^^^^^^^^^^
$ echo "helo test" | nc localhost 8025
220 mx.example.org ESMTP Fake-Banner
^^^^^^^^^^^^^^^^^^
>Fix:
--- spamd/spamd.c.orig Tue Apr 12 19:21:48 2005 +++ spamd/spamd.c Sun May 21 18:14:51 2006 @@ -123,6 +123,10 @@ pid_t jail_pid = -1; u_short cfg_port; +#ifdef IPFW +int tabno=1; +#endif + extern struct sdlist *blacklists; int conffd = -1; @@ -150,9 +154,13 @@ fprintf(stderr, "usage: spamd [-45dgv] [-B maxblack] [-b address] [-c maxcon]\n"); fprintf(stderr, - " [-G mins:hours:hours] [-n name] [-p port]\n"); + " [-G mins:hours:hours] [-H hostname] [-n name] [-p port]\n"); fprintf(stderr, " [-r reply] [-s secs] [-w window]\n"); +#ifdef IPFW + fprintf(stderr, + " [-t table_no]\n"); +#endif exit(1); } 
@@ -958,7 +966,11 @@ if (gethostname(hostname, sizeof hostname) == -1) err(1, "gethostname"); - while ((ch = getopt(argc, argv, "45b:c:B:p:dgG:r:s:n:vw:")) != -1) { +#ifdef IPFW + while ((ch = getopt(argc, argv, "45b:c:B:p:dgG:r:s:H:n:vw:t:")) != -1) { +#else + while ((ch = getopt(argc, argv, "45b:c:B:p:dgG:r:s:H:n:vw:")) != -1) { +#endif switch (ch) { case '4': nreply = "450"; @@ -1009,12 +1021,22 @@ usage(); stutter = i; break; + case 'H': + /* get hostname from optarg */ + if (strlcpy(hostname, optarg, sizeof(hostname) ) >= sizeof(hostname)) + err(1, "strlcpy hostname"); + break; case 'n': spamd = optarg; break; case 'v': verbose = 1; break; +#ifdef IPFW + case 't': + tabno = atoi(optarg); + break; +#endif case 'w': window = atoi(optarg); if (window <= 0) --- spamd/spamd.8.orig Tue Apr 12 19:21:48 2005 +++ spamd/spamd.8 Sun May 21 18:27:45 2006 @@ -36,6 +36,7 @@ .Op Fl b Ar address .Op Fl c Ar maxcon .Op Fl G Ar passtime:greyexp:whiteexp +.Op Fl H Ar hostname .Op Fl n Ar name .Op Fl p Ar port .Op Fl r Ar reply @@ -49,6 +50,8 @@ daemon which rejects false mail. If the .Xr pf 4 +or +.Xr ipfw 4 packet filter is configured to redirect port 25 (SMTP) to this daemon, it will attempt to waste the time and resources of the spam sender. .Pp @@ -95,6 +98,10 @@ Greylisting mode; see .Sx GREYLISTING below. +.It Fl H Ar hostname +The SMTP hostname that is reported upon initial connection. +If unused the hostname is found with +.Xr gethostname 3 . .It Fl n Ar name The SMTP version banner that is reported upon initial connection. .It Fl p Ar port @@ -151,11 +158,15 @@ which processes a list of spammers' addresses, and applies appropriate .Xr pfctl 8 .Em rdr +or +.Xr ipfw 8 +.Em fwd rules. .Xr spamd-setup 8 is run from .Xr cron 8 . .Sh REDIRECTING SMTP CONNECTIONS +.Ss "When using PF" With .Xr pf 4 , connections to port 25 (SMTP) can be redirected to another host or port, 
@@ -189,6 +200,8 @@ can also be used to load addresses into the .Em <spamd> table. + + .Xr spamd-setup 8 also has the added benefit of being able to remove addresses from blacklists, and will connect to @@ -203,6 +216,52 @@ This is important as it allows legitimate mail senders to pressure spam sources into behaving properly so that they may be removed from the relevant blacklists. + +.Ss "If compiled with IPFW" +With +.Xr ipfw 4 , +the syntax for redirection of TCP sessions is quite different +from that of +.Xr pf 4 . +The +.Em fwd +rule used for this purpose are described in +.Xr ipfw 8 . +The rules should be added to the ruleset called by /etc/rc.firewall +to be present at boot time. +.Bd -literal -offset 4n +fwd 127.0.0.1,8025 tcp from table(2) to me 25 in +allow tcp from table(1) to me 25 in +fwd 127.0.0.1,8025 tcp from any to me 25 in +.Ed +.Pp +Any addresses in the blacklist table +.Em 2 +and not in the whitelist table +.Em 1 +are then redirected to +.Nm +running on port 8025. +Addresses can be loaded into the blacklist +.Em table , +like: +.Bd -literal -offset 4n +# ipfw table 1 add a.b.c.d/x +.Ed +.Pp +.Xr spamd-setup 8 +can also be used to load addresses into the blacklist table +.Em 2 . +.Pp +The +.Op Fl t Ar table_no +option to +.Em spamd +and +.Em spamd-setup +can be used to change the default table +numbers. + .Sh CONFIGURATION CONNECTIONS .Nm listens for configuration connections on the port identified by the >Release-Note: >Audit-Trail: >Unformatted:
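Review bot: In the spamd.c hunk at @@ -958,7 +966,11 @@, gethostname() still runs unconditionally before the option loop and exits through err(1, "gethostname") on failure, so the daemon cannot start on a host where that call fails even when -H supplies the name. Consider running the gethostname() fallback after getopt() and only when -H was not given. The while line is also duplicated across #ifdef IPFW / #else with the opening brace in both branches; building the option string once (for example a macro that appends "t:" under IPFW) keeps a single loop header.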
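Review bot: In the spamd.c hunk at @@ -1009,12 +1021,22 @@, case 'H' reports truncation with err(1, "strlcpy hostname"), but strlcpy() does not set errno, so the strerror text that err() appends is unrelated to the failure; errx(1, "-H: hostname too long") would say what actually went wrong. In the same hunk, case 't' assigns tabno = atoi(optarg) with no check at all, while the neighbouring case 'w' tests window <= 0; a non-numeric or negative -t value should be rejected the same way.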
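Review bot: The spamd.8 hunk at @@ -189,6 +200,8 @@ adds two blank lines before .Xr spamd-setup 8. Blank lines in mdoc source are flagged by the formatter and change the rendered spacing; drop them, or use .Pp if a paragraph break is intended.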
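Review bot: In the new "If compiled with IPFW" subsection (spamd.8 hunk at @@ -203,6 +216,52 @@), the prose and the examples disagree about the tables. The text calls table 2 the blacklist and table 1 the whitelist, yet the example introduced as loading the blacklist table is "# ipfw table 1 add a.b.c.d/x". The sentence "in the blacklist table 2 and not in the whitelist table 1 are then redirected" also does not match the rule order shown, where "fwd ... from table(2)" is evaluated before "allow ... from table(1)" and the final "fwd ... from any" redirects every sender that is not whitelisted. Please also state which of the two tables -t table_no changes, and correct "The fwd rule used for this purpose are described" to "is described".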