Thank you for your insight. I believe you are exactly correct. I have previously run OpenBSD as my router and spamd in the classic setup, so that is my past experience base. I was hoping to use it in this situation as just a proxy in front of the mail server, but that seems to be getting outside of the typical use case, so I’ll look at other options/configuration.
Again, thank you for your time.

-Alex

Alex Johnson
ax.john...@gmail.com

(P.S. Just changed the e-mail registered on the list, so this is the same Alex)

> On May 27, 2022, at 12:29 AM, Stuart Henderson <stu.li...@spacehopper.org> wrote:
>
> On 2022-05-27, Arete <a...@aretesystems.com> wrote:
>> I’m setting up spamd in front of a Postfix mail server, and am having
>> an issue with rdr-to rules not working the way I expect.
>>
>> My setup: Re-purposed Mac Mini running MacOS 12.4 Monterey, Postfix &
>> Dovecot, smtp port-forwarded to this box from my firewall. OpenBSD 7.1
>> running in a VirtualBox machine on the same Mac Mini, with bridged
>> networking enabled.
>>
>> Postfix on the Mac Mini can receive mail just fine from the internet
>> through the firewall. The mini has the IP address 192.168.20.15.
>> OpenBSD is configured and running with spamd (greylisting enabled) in
>> the VM, with IP address 192.168.20.16 - pf.conf rules as follows:
>
> So if I understand correctly you have
>
> internet -> firewall -> 192.168.20.0/24
>
> and in 192.168.20.0/24 you have
>
> - firewall
> - vm running spamd
> - machine running postfix
>
> incoming packet flow is internet -> firewall -> spamd -> postfix, but
> as the source address is unchanged by rdr-to, return packet flow is
> postfix -> firewall -> internet, bypassing the spamd vm, so there is
> nothing to "untranslate" the rdr-to.
>
> The classic spamd setup is where it's run on a firewall which is set as
> default gateway on the mail server. Alternatively it also works where the
> mail daemon is running directly on the machine running spamd.
>
> To run the mail daemon on another machine in the same subnet _alongside_
> spamd, you need to provide a way to get the return packets back through
> the spamd machine; if the mail server was running OpenBSD you could
> probably do this with "pass in quick from !192.168.20.0/24 to port
> smtp reply-to 192.168.20.16". There might be a way to do this with the
> version of PF in MacOS but I couldn't say how.
>
> To be honest what I would do in your situation is forget about spamd.
> You could use postfix with postscreen and enable "after-greeting" tests,
> which means that an unknown client must attempt a connection, get a
> temporary failure, and reconnect (which it can do straight away)
> before being able to send mail. Or you could use explicit greylisting
> software (e.g. postgrey, policyd) or spam-filtering software that can
> also do greylisting (rspamd can do this and is typically configured
> to skip greylisting on mail with a low spam-score, which significantly
> reduces the negative impact of greylisting).
>
>
> --
> Please keep replies on the mailing list.
>
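The postscreen route Stuart suggests, as an added example that is not from the thread: a Postfix main.cf and master.cf fragment enabling the after-greeting tests, assuming Postfix 2.8 or later on the mail host (192.168.20.15 in the setup above) and the default postscreen cache location.

```conf
# --- main.cf (added example; assumes Postfix >= 2.8 on the mail host) ---

# Before-greeting test: a client that sends before the 220 banner is complete
# is a bot; "enforce" rejects it with 550 after it has spoken.
postscreen_greet_action = enforce

# After-greeting tests. postscreen cannot hand a session it has already
# answered over to smtpd, so even a client that passes these on its first
# visit gets a temporary 4xx and must reconnect; its address is then cached
# as good and later connections go straight to smtpd. This is the
# greylisting-like behaviour described in the reply above.
postscreen_pipelining_enable = yes
postscreen_pipelining_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_action = drop
postscreen_bare_newline_enable = yes
postscreen_bare_newline_action = ignore

# Clients that passed are remembered here, so repeat senders are not delayed.
postscreen_cache_map = btree:$data_directory/postscreen_cache

# Never delay the local network (firewall, internal relays).
postscreen_access_list = permit_mynetworks

# --- master.cf: postscreen takes the public SMTP port and hands good
# --- clients to an smtpd "pass" service; dnsblog and tlsproxy are its helpers.
# smtp      inet  n       -       n       -       1       postscreen
# smtpd     pass  -       -       n       -       -       smtpd
# dnsblog   unix  -       -       n       -       0       dnsblog
# tlsproxy  unix  -       -       n       -       0       tlsproxy
```

Watch the mail log for "PASS NEW" followed by "PASS OLD" from the same client address to confirm the retry-and-cache cycle is working; a legitimate sender that never returns shows up as "PASS NEW" only.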