Date:      Sun, 17 Jun 2012 14:29:41 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Doug Hardie <bc979@lafn.org>
Cc:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: Problem with spamlogd
Message-ID:  <4FDDDBC5.9070206@infracaninophile.co.uk>
In-Reply-To: <F9842FD4-2197-4787-9185-C58DB633A938@lafn.org>
References:  <F9842FD4-2197-4787-9185-C58DB633A938@lafn.org>

On 17/06/2012 11:45, Doug Hardie wrote:
> I am using spamd on several systems and started encountering a problem a while ago with FreeBSD 7.2 servers, but let it go since I am in the process of upgrading the servers.  However, I now am encountering the same issue on FreeBSD 9.0 with spamlogd.  It never reads pflog0.  pflogd reads the entries just fine.  I set up syslog to log all the spamlogd messages and when spamlogd is started it gives:
>
> spamlogd: Listening on pflog0 for all interfaces.
>
> lsof shows that it is connected to bpf0 as is pflogd.  However, pflogd shows an offset into the file that appears to be the end of the file.  spamlogd shows an offset of 0.  It is periodically reading the file as shown by ktrace but always getting back a 0 size return.  spamd itself is working just fine.  However, the expiration times are not being updated so white entries are timed out way too often.  spamlogd used to update them.  The rc.conf entries are:
>
> obspamd_enable="YES"
> obspamd_flags="-G 2:1:1728"
> obspamd_setup_flags=""
> obspamd_grey=YES
> obspamlogd_enable="YES"
> obspamlogd_flags="-W 1728"
>
>
> These were established a few years ago and worked up till a short while ago.  I don't recall any changes I made to anything, but…
>
> Looking through the spamlogd source it appears to be building a filter for the pcap routines with:
>
> "ip and port 25 and action pass and tcp[13]&0x12=0x2"
>
> Using that filter on pflog yields no output.  I believe the pass item requires there to be some logging of the pass actions and those are not appearing in the pflog or in the pfctl counts for those rules.  I suspect that is the problem.  The pf.conf is: (mail server is on this machine)
>
> ext_if="em0"
>
> table <blackhole> persist file "/etc/blackhole"
> table <spamd> persist
> table <spamd-white> persist
> table <spamd-white-local> persist file "/etc/mail/whitelist"
>
>
> no rdr on { lo0, lo1 } from any to any
>
> no rdr on { lo0, lo1 } from any to any
> MAILHOSTS = "{zool.lafn.org 10.0.1.10}"
>
> rdr pass log on $ext_if inet proto tcp from <spamd-white-local> to port smtp -> 127.0.0.1 port smtp
> rdr pass log on $ext_if inet proto tcp from <spamd-white> to port smtp -> 127.0.0.1 port smtp
> rdr pass log on $ext_if inet proto tcp to $MAILHOSTS port smtp -> 127.0.0.1 port spamd
>
>
> pass in on lo0
>
> pass in log on $ext_if inet proto tcp to 127.0.0.1 port smtp
> pass out log on $ext_if inet proto tcp from 127.0.0.1 to any port smtp
>
> block in quick log on $ext_if from <blackhole> to any

You seem to be logging all the SMTP traffic that passes through pf in
any direction.  Which doesn't make a lot of sense to me -- obspamlogd
will see the logged SMTP packets, assume that's valid traffic and add
the hosts to the whitelist.  Even if that's the incoming SYN packet from
some dubious mailer trying to inject you full of spam.

You should only log the SYN packets going out of your upstream (egress)
interface for obspamlogd -- that way it immediately whitelists anyone
you send email to, so they can reply without delay due to greylisting.

A good way of doing that is to log SMTP traffic to a separate log
device. eg:

pass log (to pflog1) on $ext_if proto tcp \
     from any to any port smtp            \
     flags S/SA keep state

then in /etc/rc.conf, tell obspamlogd to use pflog1:

obspamlogd_enable="YES"
obspamlogd_flags="-i em0"
obspamlogd_pflog_if="pflog1"

That way you can keep pflog0 for doing the normal packet logging that is
usual with pf -- typically, logging anything that gets dropped by the
firewall -- without getting obspamlogd confused.

	Cheers,

	Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
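As an added illustration of the point made in this reply (this is not code from either poster, nor from spamlogd or pf), the following Python model applies spamlogd's pcap filter from the thread, "ip and port 25 and action pass and tcp[13]&0x12=0x2", to a constructed set of pflog-style records, and compares the whitelist that results when every SMTP packet is logged in both directions against the whitelist produced when only egress SYNs (pf "flags S/SA") are logged. Assumptions, labelled in the code: the rule that the remote peer of each matching logged packet is whitelisted (source of an inbound packet, destination of an outbound one) is a simplified model of spamlogd's behaviour, and all addresses, ports and records are constructed sample data. The pf_flags_match helper implements the general pf "flags SET/MASK" test, of which "S/SA" is the one instance the reply uses.

```python
"""Model: which hosts would spamlogd whitelist from the packets pf logs?

Constructed example, not spamlogd's or pf's code.  Each PflogRecord stands
for one pflog entry: direction, interface, pf action, addresses/ports and
the raw TCP flags byte (tcp[13]).
"""
from dataclasses import dataclass

# TCP flag bits as laid out in the flags byte, tcp[13]
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_BITS = {"F": FIN, "S": SYN, "R": RST, "P": PSH, "A": ACK, "U": URG}


@dataclass(frozen=True)
class PflogRecord:
    direction: str   # "in" or "out", relative to the firewall
    ifname: str      # interface the packet was seen on
    action: str      # "pass" or "block"
    src: str
    sport: int
    dst: str
    dport: int
    tcp_flags: int   # raw value of tcp[13]


def pf_flags_match(tcp_flags, spec):
    """Evaluate a pf 'flags SET/MASK' spec such as 'S/SA': of the bits named
    in MASK, exactly those named in SET must be on; other bits are ignored."""
    set_part, mask_part = spec.split("/")
    set_bits = sum(FLAG_BITS[c] for c in set_part)
    mask_bits = sum(FLAG_BITS[c] for c in mask_part)
    return (tcp_flags & mask_bits) == set_bits


def spamlogd_filter(rec):
    """spamlogd's pcap filter as quoted in the thread:
    'ip and port 25 and action pass and tcp[13]&0x12=0x2'
    i.e. source or destination port 25, passed by pf, SYN set and ACK clear."""
    return (rec.action == "pass"
            and 25 in (rec.sport, rec.dport)
            and (rec.tcp_flags & 0x12) == 0x02)


def whitelisted_hosts(records):
    """Simplified model (an assumption, not spamlogd's code): the remote peer
    of each record matching the filter is whitelisted: the source of an
    inbound packet, the destination of an outbound one."""
    hosts = set()
    for rec in records:
        if spamlogd_filter(rec):
            hosts.add(rec.src if rec.direction == "in" else rec.dst)
    return hosts


# Two logging policies, i.e. which packets carry 'log' and so reach spamlogd.
def log_all_smtp(rec):
    """The original ruleset: every SMTP packet on em0, both directions."""
    return rec.ifname == "em0" and 25 in (rec.sport, rec.dport)


def log_egress_syn(rec):
    """The suggested rule: only outbound SMTP SYNs (flags S/SA) on em0."""
    return (rec.ifname == "em0" and rec.direction == "out"
            and rec.dport == 25 and pf_flags_match(rec.tcp_flags, "S/SA"))


# Constructed traffic sample: an inbound delivery attempt from an unknown
# mailer, an outbound delivery from the local MTA (10.0.1.10), plus noise.
TRAFFIC = [
    # unknown mailer opens a connection to us: SYN, then a later ACK
    PflogRecord("in", "em0", "pass", "198.51.100.7", 40001, "10.0.1.10", 25, SYN),
    PflogRecord("in", "em0", "pass", "198.51.100.7", 40001, "10.0.1.10", 25, ACK),
    # our MTA sends mail out: SYN out, SYN/ACK back in
    PflogRecord("out", "em0", "pass", "10.0.1.10", 50001, "203.0.113.5", 25, SYN),
    PflogRecord("in", "em0", "pass", "203.0.113.5", 25, "10.0.1.10", 50001, SYN | ACK),
    # blackholed host dropped by the 'block in quick log' rule
    PflogRecord("in", "em0", "block", "192.0.2.9", 40002, "10.0.1.10", 25, SYN),
    # loopback traffic unrelated to SMTP
    PflogRecord("in", "lo0", "pass", "127.0.0.1", 40003, "127.0.0.1", 8025, SYN),
]


def compare_policies(traffic=TRAFFIC):
    """Return the whitelist each logging policy would hand to spamlogd."""
    return {
        "log all smtp": whitelisted_hosts([r for r in traffic if log_all_smtp(r)]),
        "log egress syn": whitelisted_hosts([r for r in traffic if log_egress_syn(r)]),
    }


if __name__ == "__main__":
    for name, hosts in compare_policies().items():
        print(f"{name:15s}: {sorted(hosts)}")
```

With every SMTP packet logged, the inbound SYN from 198.51.100.7 satisfies spamlogd's filter and that sender lands on the whitelist alongside the host the local MTA actually wrote to; with only egress SYNs logged, just 203.0.113.5 is whitelisted. The loop over all 256 flag-byte values in the test also confirms that pf's "S/SA" and the filter's "tcp[13]&0x12=0x2" select exactly the same packets.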