Spamdb Issues (not greylisting)
Hi All, We've recently upgraded our OpenBSD 4.0 servers running spamd (with NOOP patch and sender verification patch) to OpenBSD 4.1. I've got these in our pf.conf due to the large number of connections we get. set limit table-entries 500 set limit states 80 Spamd runs with these options: " -v -G5:4:864 -c 4000 -B 500" Since we've upgrade to OpenBSD 4.1, we have observed that after every couple of weeks, spamd stops whitelisting i.e. it just greylists incoming servers and spamdb doesn't show any "GREY" entries either. Restarting spamd fixes the problem. Any suggestions to fix this problem permanently would be appreciated. Cheers Sid
PF/Hoststated and Internal hosts
Hi All, I am using Hoststated with carp/pfsync. All of the machines behind (internal to) the OpenBSD boxes use public IPs. The OpenBSD boxes are running spamd. So, all external hosts go through spamd and and appropriately get greylisted. There is no SMTP server on the OpenBSD boxes themselves. The problem lies with the internal hosts i.e. hosts sitting behind the OpenBSD boxes. They also need to connect to the same MX host i.e. OpenBSD box. But when I try to connect from the internal hosts to SMTP on OpenBSD's carp interface, I get a connection refused. Obviously, my SMTP connection is trying the local SMTP on the OpenBSD box and failing. I believe I should be doing some sort of NAT so that connections from internal hosts get through properly to the load balanced hosts (hoststated). All internal hosts are already in the override/whitelist. Current (relevant) pf.conf config: rdr-anchor "hoststated/smtp" on $ext_if proto tcp from to port smtp rdr pass on $ext_if proto tcp from to port smtp \ -> 127.0.0.1 port spamd rdr pass on $ext_if proto tcp from ! to port smtp \ -> 127.0.0.1 port spamd rdr-anchor "hoststated/smtp" on $ext_if proto tcp from to port smtp -- snip -- pass in on $mail_if inet from $internal_net to any keep state -- snip -- I am assuming I need to use something similar mentioned on this page -> http://www.openbsd.org/faq/pf/rdr.html Any help related to this would be appreciated. Cheers Sid
Re: NOOP and Spamd
"Darren Spruell" <[EMAIL PROTECTED]> writes:
> On 3/18/07, Sid Carter <[EMAIL PROTECTED]> wrote:
>> greylisting. On further investigation, we found out that the MS Mail
>> servers send a NOOP before they start sending other SMTP commands and
>> spamd returns a 451 even for a NOOP causing the SMTP connection to
>> terminate and the connecting mail server doesn't even get greylisted,
>> since it hasn't even sent a "MAIL FROM" and "RCPT TO".
>>
> Might be useful if you would include details, and lots of them, on a
> subject like this. "MS Mail Servers" is generic and meaningless; is it
> Exchange? Is it the SMTP Server? Something else? What software
> version(s)? OSes and versions?
I would just connect back to the IP which was showing this sympton and
those gave me the greeting as "Microsoft Mail Server". I could be wrong
though.
> More than anything, packet captures illustrating the behavior would be
> useful too.
Packet capture enclosed, taken on March 16th, before we applied the NOOP
patch.
Sid
11:05:23.401112 IP mail.client.57542 > spamd.server.smtp: . ack 3849587282 win
5840
[EMAIL PROTECTED]
R.A.
b...
11:05:24.086139 IP spamd.server.smtp > mail.client.57542: P 1:2(1) ack 0 win
17376
[EMAIL PROTECTED]@.3..*..1...t
RB.C..%.
b...
11:05:24.127337 IP mail.client.57542 > spamd.server.smtp: . ack 2 win 5840
[EMAIL PROTECTED]
S...
...5b...
11:05:25.075553 IP spamd.server.smtp > mail.client.57542: P 2:3(1) ack 0 win
17376
[EMAIL PROTECTED]@.*..1...t
SB.C
b..5b
11:05:25.119287 IP mail.client.57542 > spamd.server.smtp: . ack 3 win 5840
[EMAIL PROTECTED]
T...
b...
11:05:26.012268 IP spamd.server.smtp > mail.client.57542: P 3:4(1) ack 0 win
17376
[EMAIL PROTECTED]@.3,..*..1...t
TB.C..s.
b...a
11:05:26.052768 IP mail.client.57542 > spamd.server.smtp: . ack 4 win 5840
[EMAIL PROTECTED]
U./.
b...
11:05:27.137071 IP spamd.server.smtp > mail.client.57542: P 4:5(1) ack 0 win
17376
[EMAIL PROTECTED]@.5...*..1...t
UB.C.x..
b...s
11:05:27.180269 IP mail.client.57542 > spamd.server.smtp: . ack 5 win 5840
[EMAIL PROTECTED]
V...
...fb...
11:05:28.072700 IP spamd.server.smtp > mail.client.57542: P 5:6(1) ack 0 win
17376
[EMAIL PROTECTED]@.*..1...t
VB.C
b..fi
11:05:28.112502 IP mail.client.57542 > spamd.server.smtp: . ack 6 win 5840
[EMAIL PROTECTED]
W.[.
b...
11:05:29.037260 IP spamd.server.smtp > mail.client.57542: P 6:7(1) ack 0 win
17376
[EMAIL PROTECTED]@. ...*..1...t
WB.C.~?.
b...l
11:05:29.078219 IP mail.client.57542 > spamd.server.smtp: . ack 7 win 5840
[EMAIL PROTECTED]
X...
...$b...
11:05:30.037350 IP spamd.server.smtp > mail.client.57542: P 7:8(1) ack 0 win
17376
[EMAIL PROTECTED]@.;...*..1...t
XB.C
b..$i
11:05:30.077915 IP mail.client.57542 > spamd.server.smtp: . ack 8 win 5840
[EMAIL PROTECTED]
Y...
b...
11:05:31.027281 IP spamd.server.smtp > mail.client.57542: P 8:86(78) ack 0 win
17376
[EMAIL PROTECTED]@..m..*..1...t
YB.C
b...sk.boing.org.nz ESMTP spamd I
11:05:31.069865 IP mail.client.57542 > spamd.server.smtp: . ack 86 win 5840
[EMAIL PROTECTED]
b...
11:05:31.069867 IP mail.client.57542 > spamd.server.smtp: P 0:30(30) ack 86 win
5840
[EMAIL PROTECTED]
b...NOOP
11:05:31.070423 IP spamd.server.smtp > mail.client.57542: P 86:134(48) ack 30
win 17376
[EMAIL PROTECTED]@..2..*..1...t
.B.C
b...451 Temporary failure, please
11:05:31.070541 IP spamd.server.smtp > mail.client.57542: F 134:134(0) ack 30
win 17376
[EMAIL PROTECTED]@.:3..*..1...t
.B.C..}.
b...
11:05:31.111720 IP mail.client.57542 > spamd.server.smtp: P 30:36(6) ack 134
win 5840
E..:[EMAIL PROTECTED]
.m..
b...QUIT
11:05:31.111764 IP spamd.server.smtp > mail.client.57542: R
3849587415:3849587415(0) win 0
E..([EMAIL PROTECTED]@.*..1...t
.
P...
11:05:31.111843 IP mail.client.57542 > spamd.server.smtp: F 36:36(0) ack 135
win 5840
[EMAIL PROTECTED]
b...
11:05:31.111866 IP spamd.server.smtp > mail.client.57542: R
3849587416:3849587416(0) win 0
E..([EMAIL PROTECTED]@.M...*..1...t
.
P...
11:05:35.784386 IP mail.client.57557 > spamd.server.smtp: S
1132947596:1132947596(0) win 5840
E..<[EMAIL PROTECTED]:..1*.C.h.{K.
11:05:35.784471 IP spamd.server.smtp > mail.client.57557: S
Re: NOOP and Spamd
"Shawn K. Quinn" <[EMAIL PROTECTED]> writes: > On Mon, 2007-03-19 at 14:04 +0800, Lars Hansson wrote: >> He probably mean MS Mail, an ancient Microsoft mail system >> that no sane person should be running in 2007. > > Regardless, if NOOP is in the SMTP standard, and spamd does not handle > it correctly, that is a bug that needs to be fixed. A typical response from spamd: # telnet shear.ucar.edu smtp Trying 192.43.244.163... Connected to shear.ucar.edu. Escape character is '^]'. 220 shear.ucar.edu ESMTP spamd IP-based SPAM blocker; Mon Mar 19 02:42:20 2007 helo openbsd.org 250 Hello, spam sender. Pleased to be wasting your time. noop 451 Temporary failure, please try again later. Connection closed by foreign host. # And this one from the SMTP RFC 821: NOOP (NOOP) This command does not affect any parameters or previously entered commands. It specifies no action other than that the receiver send an OK reply. This command has no effect on any of the reverse-path buffer, the forward-path buffer, or the mail data buffer. Sid
NOOP and Spamd
Hi, I am currently running OpenBSD 4.0 as a greylisting server. We have found that many Microsoft Mail Servers/Mail Marshal cannot get past the greylisting. On further investigation, we found out that the MS Mail servers send a NOOP before they start sending other SMTP commands and spamd returns a 451 even for a NOOP causing the SMTP connection to terminate and the connecting mail server doesn't even get greylisted, since it hasn't even sent a "MAIL FROM" and "RCPT TO". I've seen no mention of this in the archives, so was wondering if this is intended and if there is a permanent fix for this. We've temporarily patched spamd.c, so that spamd does nothing on a NOOP command as required by the SMTP RFC and we've seen that the MS Mail servers get properly greylisted and subsequently whitelisted. Sid
