From: Doug Hardie
Date: Sun, 17 Jun 2012 03:45:24 -0700
To: FreeBSD Mailing List
Subject: Problem with spamlogd

I am using spamd on several systems and started encountering a problem awhile ago with FreeBSD 7.2 servers, but let it go since I am in the process of upgrading the servers. However, I now am encountering the same issue on FreeBSD 9.0 with spamlogd. It never reads pflog0. pflogd reads the entries just fine. I set up syslog to log all the spamlogd messages and when spamlogd is started it gives:

spamlogd: Listening on pflog0 for all interfaces.

lsof shows that it is connected to bpf0 as is pflogd. However, pflogd shows an offset into the file that appears to be the end of the file. spamlogd shows an offset of 0. It is periodically reading the file as shown by ktrace but always getting back a 0 size return. spamd itself is working just fine. However, the expiration times are not being updated so white entries are timed out way too often. spamlogd used to update them. The rc.conf entries are:

obspamd_enable="YES"
obspamd_flags="-G 2:1:1728"
obspamd_setup_flags=""
obspamd_grey=YES
obspamlogd_enable="YES"
obspamlogd_flags="-W 1728"

These were established a few years ago and worked up till a short while ago. I don't recall any changes I made to anything, but…

Looking through the spamlogd source it appears to be building a filter for the pcap routines with:

"ip and port 25 and action pass and tcp[13]&0x12=0x2"

Using that filter on pflog yields no output. I believe the pass item requires there to be some logging of the pass actions and those are not appearing in the pflog or in the pfctl counts for those rules. I suspect that is the problem. The pf.conf is: (mail server is on this machine)

ext_if="em0"
table persist file "/etc/blackhole"
table persist
table persist
table persist file "/etc/mail/whitelist"
no rdr on { lo0, lo1 } from any to any
no rdr on { lo0, lo1 } from any to any
MAILHOSTS = "{zool.lafn.org 10.0.1.10}"
rdr pass log on $ext_if inet proto tcp from to port smtp -> 127.0.0.1 port smtp
rdr pass log on $ext_if inet proto tcp from to port smtp -> 127.0.0.1 port smtp
rdr pass log on $ext_if inet proto tcp to $MAILHOSTS port smtp -> 127.0.0.1 port spamd
pass in on lo0
pass in log on $ext_if inet proto tcp to 127.0.0.1 port smtp
pass out log on $ext_if inet proto tcp from 127.0.0.1 to any port smtp
block in quick log on $ext_if from to any
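
Added example (not part of the original message and not spamlogd's own code): a Python sketch of what the pcap filter quoted in the message above selects from a single pflog record, run against constructed records. The 64-byte FreeBSD 9-era pflog header layout, the helper names spamlogd_match and make_record, and the sample addresses and ports are assumptions for illustration.

```python
import struct

PF_PASS, PF_DROP, AF_INET = 0, 1, 2   # pf action codes and IPv4 address family
# Assumed FreeBSD 9-era pflog header start: length, af, action, reason,
# ifname[16], ruleset[16], rulenr, subrulenr (uid/pid/dir/pad follow, 64 bytes total)
PFLOG_FIXED = "!BBBB16s16sII"

def spamlogd_match(rec: bytes) -> bool:
    """Apply 'ip and port 25 and action pass and tcp[13]&0x12=0x2' to one pflog record."""
    length, af, action = struct.unpack_from("!BBB", rec)
    if af != AF_INET or action != PF_PASS:       # "ip" and "action pass"
        return False
    ip = rec[(length + 3) & ~3:]                 # packet starts at word-aligned header length
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return False
    ihl = (ip[0] & 0x0F) * 4
    frag_off = struct.unpack_from("!H", ip, 6)[0] & 0x1FFF
    if ip[9] != 6 or frag_off or len(ip) < ihl + 14:   # tcp[13] needs an unfragmented TCP header
        return False
    tcp = ip[ihl:]
    sport, dport = struct.unpack_from("!HH", tcp)
    if 25 not in (sport, dport):                 # "port 25" matches source OR destination
        return False
    return tcp[13] & 0x12 == 0x02                # SYN set and ACK clear: a connection attempt

def make_record(action: int, dport: int, flags: int, af: int = AF_INET) -> bytes:
    """Constructed sample: pflog header followed by a minimal IPv4/TCP packet."""
    hdr = struct.pack(PFLOG_FIXED, 61, af, action, 0, b"em0", b"", 0, 0xFFFFFFFF)
    hdr = hdr.ljust(64, b"\0")                   # remaining header fields zeroed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 7]), bytes([127, 0, 0, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 0x50, flags, 65535, 0, 0)
    return hdr + ip + tcp

if __name__ == "__main__":
    for name, rec in [("passed SYN to 25", make_record(PF_PASS, 25, 0x02)),
                      ("passed SYN+ACK on 25", make_record(PF_PASS, 25, 0x12)),
                      ("blocked SYN to 25", make_record(PF_DROP, 25, 0x02)),
                      ("passed SYN to 8025", make_record(PF_PASS, 8025, 0x02))]:
        print(f"{name:22s} -> {spamlogd_match(rec)}")
```

Only a logged record whose action byte is pass and whose TCP header is a bare SYN on port 25 satisfies all four terms; a record logged with any other action, port or flag combination is invisible to that filter.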