On 2006/04/07 14:55, Jeff Ross wrote:
> >>rdr pass on $if_ext proto tcp from <whitelist> to port smtp \
> >>  -> ($if_ext) port 25
> >
> >Have you tested that your whitelist works by connecting from an IP
> >address that's listed on it?
> 
> No, but until this last week or so I've never had reason to think I had 
> a problem with the whitelist.

You need a fairly-clued-up user that cares enough to find an
out-of-band way to contact you with enough information to debug.
Unfortunately some email services are so shoddily-run that many
users think it's acceptable to sometimes lose emails without a
bounce message so they won't bother to contact the people who
do care.

> I'll have to think about how to do this, but thanks for the suggestion.

This is simple: add the address of your own workstation, or a
remote host where you have a shell account, to the whitelist,
then see what happens when you 'telnet a.mx.openvistas.net 25'.

I'd recommend this as a matter of course when you're setting up
rdr rules unless you're absolutely sure how they work.

> >I usually use "no rdr" when I want to exempt servers from
> >greylisting, istr having some problem when I tried redirecting
> >back to port 25 (but that was a long time ago, so ymmv).

Ok, looks like it should work to rdr back to port 25, at least
with a simple networking setup; however I'm still not too keen 
on rdr'ing packets that don't need it.

You might like to post output from 'pfctl -sn -v' (at any time)
and 'pfctl -ss' (when you spot an ongoing connection attempt with
tcpdump).

> Also, interesting.  I've pretty much used the setup as described in the 
> man page and haven't had a problem in like a year and a half of using 
> spamd.

The man page example doesn't document exempting hosts from
the greylist (whitelists in spamd.conf are a separate thing
and there are good reasons for this as you may want to ensure
some people aren't blacklisted but still subject them to
greylisting, and you may want to disable greylisting for a
netblock but still divert connections from there to spamd
if they become blacklisted).

> Okay, I've had some good ideas and things to check.  In the meantime, I've
> had a chance to run tcpdump on port 25 while an aol e-mail was being
> bounced.
> 
> Here's the relevant part of the capture:

Ok: I've isolated one of the several connections in there;

> 11:42:56.538391 heinlein.openvistas.net.smtp > imo-m16.mx.aol.com.64212: P
> 1:20(19) ack 1 win 17520 (DF)
>    0000: 4500 003b 293a 4000 4006 b2cb d843 bb99  E..;):@.@.2KXC;.
>    0010: 400c 8ace 0019 fad4 05ae 3412 7b73 0899  @..N..zT..4.{s..
>    0020: 5018 4470 1ecf 0000 3232 3020 736d 7470  P.Dp.O..220 smtp
>    0030: 2e70 6173 7374 6872 750d 0a              .passthru..
>
> 11:42:56.666606 imo-m16.mx.aol.com.64212 > heinlein.openvistas.net.smtp: P
> 1:26(25) ack 20 win 32768
>    0000: 4500 0041 a2a9 0000 2d06 8c56 400c 8ace  E..A")..-..V@..N
>    0010: d843 bb99 fad4 0019 7b73 0899 05ae 3425  XC;.zT..{s....4%
>    0020: 5018 8000 4867 0000 4845 4c4f 2069 6d6f  P...Hg..HELO imo
>    0030: 2d6d 3136 2e6d 782e 616f 6c2e 636f 6d0d  -m16.mx.aol.com.
>    0040: 0a                                       .
> 
> 11:42:56.773419 heinlein.openvistas.net.smtp > imo-m16.mx.aol.com.64212: P
> 20:39(19) ack 26 win 17520 (DF)
>    0000: 4500 003b 688c 4000 4006 7379 d843 bb99  E..;h.@.@.syXC;.
>    0010: 400c 8ace 0019 fad4 05ae 3425 7b73 08b2  @..N..zT..4%{s.2
>    0020: 5018 4470 1ea0 0000 3235 3020 736d 7470  P.Dp. ..250 smtp
>    0030: 2e70 6173 7374 6872 750d 0a              .passthru..
> 
> 11:42:56.882933 imo-m16.mx.aol.com.64212 > heinlein.openvistas.net.smtp: P
> 26:58(32) ack 39 win 32768
>    0000: 4500 0048 a2ab 0000 2d06 8c4d 400c 8ace  E..H"+..-..M@..N
>    0010: d843 bb99 fad4 0019 7b73 08b2 05ae 3438  XC;.zT..{s.2..48
>    0020: 5018 8000 a5f7 0000 4d41 494c 2046 726f  P...%w..MAIL Fro
>    0030: 6d3a 3c4d 6164 6469 6573 6461 6440 616f  m:<[EMAIL PROTECTED]
>    0040: 6c2e 636f 6d3e 0d0a                      l.com>..
> 
> 11:42:56.987074 heinlein.openvistas.net.smtp > imo-m16.mx.aol.com.64212: P
> 39:58(19) ack 58 win 17520 (DF)
>    0000: 4500 003b 613b 4000 4006 7aca d843 bb99  E..;a;@.@.zJXC;.
>    0010: 400c 8ace 0019 fad4 05ae 3438 7b73 08d2  @..N..zT..48{s.R
>    0020: 5018 4470 78a1 0000 3535 3020 4163 6365  P.Dpx!..550 Acce
>    0030: 7373 2064 656e 6965 640d 0a              ss denied..
> 
> 11:42:57.102134 imo-m16.mx.aol.com.64212 > heinlein.openvistas.net.smtp: P
> 58:64(6) ack 58 win 32768
>    0000: 4500 002e a2ad 0000 2d06 8c65 400c 8ace  E..."-..-..e@..N
>    0010: d843 bb99 fad4 0019 7b73 08d2 05ae 344b  XC;.zT..{s.R..4K
>    0020: 5018 8000 702e 0000 5155 4954 0d0a       P...p...QUIT..
> 
> 11:42:57.219292 heinlein.openvistas.net.smtp > imo-m16.mx.aol.com.64212: P
> 58:101(43) ack 64 win 17520 (DF)
>    0000: 4500 0053 490a 4000 4006 92e3 d843 bb99  E..SI.@.@..cXC;.
>    0010: 400c 8ace 0019 fad4 05ae 344b 7b73 08d8  @..N..zT..4K{s.X
>    0020: 5018 4470 1918 0000 3232 3120 696d 6f2d  P.Dp....221 imo-
>    0030: 6d31 362e 6d78 2e61 6f6c 2e63 6f6d 2063  m16.mx.aol.com c
>    0040: 6c6f 7369 6e67 2063 6f6e 6e65 6374 696f  losing connectio
>    0050: 6e0d 0a                                  n..
> 
> 11:42:57.219422 heinlein.openvistas.net.smtp > imo-m16.mx.aol.com.64212: F
> 101:101(0) ack 64 win 17520 (DF)
>    0000: 4500 0028 050a 4000 4006 d70e d843 bb99  E..(..@.@.W.XC;.
>    0010: 400c 8ace 0019 fad4 05ae 3476 7b73 08d8  @..N..zT..4v{s.X
>    0020: 5011 4470 534e 0000                      P.DpSN..
> 
> The "220 smtp.passthru." line looks suspicious to me.  Does this mean that
> aol is trying to relay their mail through my server?  That would explain
> the 550 error.

The "220 smtp.passthru" line is generated by your server.
Looks like there's some software you aren't telling us about:
googling suggests maybe ClamSMTP/ProxSMTP?
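As an added example (not code from this thread, nor from spamd or tcpdump), here is a small Python parser that rebuilds the SMTP exchange from the hex column of a tcpdump -X capture like the one quoted above, ignoring the ASCII column that the list archive garbled. The embedded sample is the first two packets of that capture; IP and TCP header lengths are read from the IHL and data-offset fields rather than assumed to be 20 bytes each.

```python
import re

# Constructed sample: the first two packets of the capture quoted above, with the
# ASCII column left as the list archive garbled it. Only the hex is trusted.
SAMPLE = """\
11:42:56.538391 heinlein.openvistas.net.smtp > imo-m16.mx.aol.com.64212: P
1:20(19) ack 1 win 17520 (DF)
   0000: 4500 003b 293a 4000 4006 b2cb d843 bb99  E..;):@[EMAIL PROTECTED];.
   0010: 400c 8ace 0019 fad4 05ae 3412 7b73 0899  @..N..zT..4.{s..
   0020: 5018 4470 1ecf 0000 3232 3020 736d 7470  P.Dp.O..220 smtp
   0030: 2e70 6173 7374 6872 750d 0a              .passthru..

11:42:56.666606 imo-m16.mx.aol.com.64212 > heinlein.openvistas.net.smtp: P
1:26(25) ack 20 win 32768
   0000: 4500 0041 a2a9 0000 2d06 8c56 400c 8ace  E..A")[EMAIL PROTECTED]
   0010: d843 bb99 fad4 0019 7b73 0899 05ae 3425  XC;.zT..{s....4%
   0020: 5018 8000 4867 0000 4845 4c4f 2069 6d6f  P...Hg..HELO imo
   0030: 2d6d 3136 2e6d 782e 616f 6c2e 636f 6d0d  -m16.mx.aol.com.
   0040: 0a                                       .
"""
HEADER = re.compile(r"^\d\d:\d\d:\d\d\.\d+ (\S+) > (\S+): ")
HEXROW = re.compile(r"^\s*[0-9a-f]{4}:\s+(.*)$")

def parse_dump(text: str) -> list[tuple[str, str, bytes]]:
    """Group tcpdump -X rows into (src, dst, raw IP packet) tuples."""
    packets, src, dst, raw = [], "", "", bytearray()
    for line in text.splitlines():
        if m := HEADER.match(line):
            if raw:
                packets.append((src, dst, bytes(raw)))
            src, dst, raw = m.group(1), m.group(2), bytearray()
        elif m := HEXROW.match(line):
            # hex runs up to the first double space; the ASCII column is ignored
            raw += bytes.fromhex(m.group(1).split("  ", 1)[0])
    if raw:
        packets.append((src, dst, bytes(raw)))
    return packets

def tcp_payload(pkt: bytes) -> bytes:
    """Strip IPv4 and TCP headers using their own length fields (no fixed 40)."""
    ihl = (pkt[0] & 0x0F) * 4
    total = int.from_bytes(pkt[2:4], "big")
    if pkt[9] != 6:                      # IP protocol 6 is TCP
        return b""
    doff = (pkt[ihl + 12] >> 4) * 4      # TCP data offset, covers options too
    return pkt[ihl + doff:total]

def smtp_dialogue(text: str) -> list[tuple[str, str]]:
    """(sender, SMTP line) pairs reconstructed from the hex alone."""
    return [(src, line) for src, _, pkt in parse_dump(text)
            for line in tcp_payload(pkt).decode("ascii", "replace").splitlines()]
```

Running `smtp_dialogue(SAMPLE)` yields the server banner and the client HELO, each tagged with the host that sent it, which makes it obvious that "220 smtp.passthru" originates from heinlein rather than from AOL.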
