On 2022-05-27, Arete <a...@aretesystems.com> wrote:
> I’m setting up spamd in front of a Postfix mail server, and am having
> an issue with rdr-to rules not working the way I expect.
>
> My setup: Re-purposed Mac Mini running MacOS 12.4 Monterey, Postfix &
> Dovecot, smtp port-forwarded to this box from my firewall. OpenBSD 7.1
> running in a VirtualBox machine on the same Mac Mini, with bridged
> networking enabled.
>
> Postfix on the Mac Mini can receive mail just fine from the internet
> through the firewall. The mini has the IP address 192.168.20.15.
> OpenBSD is configured and running with spamd (greylisting enabled) in
> the VM, with IP address 192.168.20.16 - pf.conf rules as follows:

So if I understand correctly you have

internet -> firewall -> 192.168.20.0/24

and in 192.168.20.0/24 you have

- firewall
- vm running spamd 
- machine running postfix

incoming packet flow is internet -> firewall -> spamd -> postfix, but
as the source address is unchanged by rdr-to, return packet flow is
postfix -> firewall -> internet, bypassing the spamd vm, so there is
nothing to "untranslate" the rdr-to.

The classic spamd setup is where it's run on a firewall which is set as
default gateway on the mail server. Alternatively it also works where the
mail daemon is running directly on the machine running spamd.

To run the mail daemon on another machine in the same subnet _alongside_
spamd, you need to provide a way to get the return packets back through
the spamd machine; if the mail server was running OpenBSD you could
probably do this with "pass in quick from !192.168.20.0/24 to port
smtp reply-to 192.168.20.16". There might be a way to do this with the
version of PF in MacOS but I couldn't say how.

To be honest what I would do in your situation is forget about spamd.
You could use postfix with postscreen and enable "after-greeting" tests,
which means that an unknown client must attempt a connection, get a
temporary failure, and reconnect (which it can do straight away)
before being able to send mail. Or you could use explicit greylisting
software (e.g. postgrey, policyd) or spam-filtering software that can
also do greylisting (rspamd can do this and is typically configured
to skip greylisting on mail with a low spam-score, which significantly
reduces the negative impact of greylisting).


-- 
Please keep replies on the mailing list.
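What the layout described in the reply looks like in pf.conf terms, as an added example (it is neither the poster's configuration, which was cut from the quote, nor anything posted in the reply). The addresses are the ones from the thread; the interface name vio0, the table names and the nospamd file path are assumptions.

```pf
# pf.conf on the spamd VM (192.168.20.16). Added example; interface and
# table names are assumptions, addresses come from the thread.
ext_if   = "vio0"
mailhost = "192.168.20.15"

table <spamd-white> persist                         # maintained by spamd
table <nospamd>     persist file "/etc/mail/nospamd" # assumed path

set skip on lo

# Hosts that must never be greylisted, and clients spamd has already
# whitelisted, are redirected straight to Postfix on the other machine.
pass in quick on $ext_if proto tcp from <nospamd> to $ext_if port smtp \
    rdr-to $mailhost port smtp
pass in log quick on $ext_if proto tcp from <spamd-white> to $ext_if port smtp \
    rdr-to $mailhost port smtp

# Everyone else talks to the local spamd (greylisting).
pass in on $ext_if proto tcp from any to $ext_if port smtp \
    rdr-to 127.0.0.1 port spamd

# The redirected connections leave this VM again towards Postfix, so the
# VM must forward packets (net.inet.ip.forwarding=1) for rdr-to to
# another host to work at all.
pass out on $ext_if proto tcp to $mailhost port smtp

# On the Postfix host, and only if it ran OpenBSD, the rule the reply
# suggests: send replies to non-local clients back via the spamd VM so
# pf there sees the return packets and can undo the rdr-to.
# pass in quick proto tcp from !192.168.20.0/24 to port smtp reply-to 192.168.20.16
```

The two rdr-to rules towards $mailhost are the ones that break in the poster's setup: the SYN reaches Postfix with its original internet source address, and Postfix's SYN/ACK follows the default route to the firewall, never passing the VM's state table. The commented reply-to rule is the reply's proposed fix and only applies to a mail server running pf with reply-to support; connections handled by spamd itself (the 127.0.0.1 rule) terminate on the VM and have no return-path problem.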

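For the postscreen alternative in the last paragraph, the Postfix settings that turn on the "after-greeting" (deep protocol) tests look like this. Added example following POSTSCREEN_README, not anything posted in the thread; the access-list file path is an assumption.

```conf
# main.cf -- added example. With the deep protocol tests enabled,
# postscreen cannot hand a first-time client over to smtpd: the client
# is given a temporary (4xx) failure, the pass result is cached, and its
# reconnect goes straight through to smtpd.
postscreen_pipelining_enable = yes
postscreen_pipelining_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_action = enforce
postscreen_bare_newline_enable = yes
postscreen_bare_newline_action = enforce

# Local networks and an explicit allow-list skip the tests entirely
# (file path is an assumption).
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr

# How long a client that passed stays remembered (Postfix defaults).
postscreen_pipelining_ttl = 30d
postscreen_non_smtp_command_ttl = 30d
postscreen_bare_newline_ttl = 30d

# master.cf -- postscreen takes over the smtp listener and smtpd becomes
# a "pass" service that postscreen feeds accepted connections to.
# smtp      inet  n       -       n       -       1       postscreen
# smtpd     pass  -       -       n       -       -       smtpd
# dnsblog   unix  -       -       n       -       0       dnsblog
# tlsproxy  unix  -       -       n       -       0       tlsproxy
```

The one-time temporary failure is what gives the greylisting-like effect the reply describes: the client can reconnect immediately, and from then on it is served by smtpd until the cache entry expires. Because everything happens on the Postfix host itself, there is no rdr-to and no return-path problem to solve.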