Re: How to synchronise 2 spamd instances
On Fri, 31 May 2019 00:34:39 +0200, Mik J wrote:

> Hello,
> I'm back again with spamd synchronisation. I made further tests and it seems to me that only new entries in spamd are synchronised. All existing entries before the synchronisation are not sent to the other spamd instance.
> Is it supposed to work like that ?

Yes. From the spamd(8) manual:

"The databases are synchronised for greylisted and trapped entries; whitelisted entries and entries made manually using spamdb(8) are not updated."

--
Made with Opera's e-mail program: http://www.opera.com/mail/

Re: How to synchronise 2 spamd instances
Hello,
I'm back again with spamd synchronisation. I made further tests and it seems to me that only new entries in spamd are synchronised. All existing entries before the synchronisation are not sent to the other spamd instance.
Is it supposed to work like that ?
Thank you

On Sunday 26 May 2019 at 22:49:25 UTC+2, Sean Kamath wrote:

On May 26, 2019, at 04:41, Mik J wrote:
>
> Hello,
>
> I'm coming back on this topic. I added the -K option
> # /usr/libexec/spamd -v -s 5 -S 5 -w 1 -G5:24:2400 -l 127.0.0.1 -h
> myhost.mydomain.org -y vmx0 -Y myhost2.mydomain.org -K /etc/mail/spamd.key -n
> ABCD
> # spamd: need key and certificate for TLS
>
> So it seems it expects some kind of certificate/private key rather than a key
>
> Does anyone use the -K option successfully ?

Yes. :-). Looks like you forgot the '-C /etc/ssl/.crt' option. Granted, this is on 6.3.

My full args are:

-h -v -G 2:4:864 -y vio0 -Y -K /etc/ssl/private/.key -C /etc/ssl/.crt

Works fine.

Sean

> So far I didn't manage to make the synchro to work. udp packets on port 8025
> are not dropped.
> However spamd doesn't seem to send any 8025/udp packet at all.
>
> Regards
>
> On Tuesday 23 April 2019 at 02:57:31 UTC+2, Rudy Baker wrote:
>
> On Mon, Apr 22, 2019, 10:43 AM Thuban, wrote:
>
>> * Otto Moerbeek on [21-04-2019 12:49:07 +0200]:
>>> On Sun, Apr 21, 2019 at 09:53:52AM +, Mik J wrote:
>>>> Hello,
>>>> I read the man but it's not so clear to me
>>>> https://man.openbsd.org/spamd#SYNCHRONISATION
>>>> a) I chose unicast synchronisation but I don't know which port should I open on the firewall ?
>>>> Is it going to use the spamd-cfg service ?
>>>
>>> It will use spamd-sync (udp port 8025)
>>
>> Good to know, I was blocking this traffic. It might be interesting to
>> add a word about this in the manpage, what do you think?
>>
>
> tcpdump -nettti pflog0
>
> That command tells you if anything is being blocked. I normally start
> there. You would have seen port 8025 being blocked right away

Re: How to synchronise 2 spamd instances
On May 26, 2019, at 04:41, Mik J wrote:
>
> Hello,
>
> I'm coming back on this topic. I added the -K option
> # /usr/libexec/spamd -v -s 5 -S 5 -w 1 -G5:24:2400 -l 127.0.0.1 -h
> myhost.mydomain.org -y vmx0 -Y myhost2.mydomain.org -K /etc/mail/spamd.key -n
> ABCD
> # spamd: need key and certificate for TLS
>
> So it seems it expects some kind of certificate/private key rather than a key
>
> Does anyone use the -K option successfully ?

Yes. :-). Looks like you forgot the '-C /etc/ssl/.crt' option. Granted, this is on 6.3.

My full args are:

-h -v -G 2:4:864 -y vio0 -Y -K /etc/ssl/private/.key -C /etc/ssl/.crt

Works fine.

Sean

> So far I didn't manage to make the synchro to work. udp packets on port 8025
> are not dropped.
> However spamd doesn't seem to send any 8025/udp packet at all.
>
> Regards
>
> On Tuesday 23 April 2019 at 02:57:31 UTC+2, Rudy Baker wrote:
>
> On Mon, Apr 22, 2019, 10:43 AM Thuban, wrote:
>
>> * Otto Moerbeek on [21-04-2019 12:49:07 +0200]:
>>> On Sun, Apr 21, 2019 at 09:53:52AM +, Mik J wrote:
>>>> Hello,
>>>> I read the man but it's not so clear to me
>>>> https://man.openbsd.org/spamd#SYNCHRONISATION
>>>> a) I chose unicast synchronisation but I don't know which port should I open on the firewall ?
>>>> Is it going to use the spamd-cfg service ?
>>>
>>> It will use spamd-sync (udp port 8025)
>>
>> Good to know, I was blocking this traffic. It might be interesting to
>> add a word about this in the manpage, what do you think?
>>
>
> tcpdump -nettti pflog0
>
> That command tells you if anything is being blocked. I normally start
> there. You would have seen port 8025 being blocked right away

Re: How to synchronise 2 spamd instances
Hello,

I'm coming back on this topic. I added the -K option
# /usr/libexec/spamd -v -s 5 -S 5 -w 1 -G5:24:2400 -l 127.0.0.1 -h myhost.mydomain.org -y vmx0 -Y myhost2.mydomain.org -K /etc/mail/spamd.key -n ABCD
# spamd: need key and certificate for TLS

So it seems it expects some kind of certificate/private key rather than a key

Does anyone use the -K option successfully ?

So far I didn't manage to make the synchro to work. udp packets on port 8025 are not dropped.
However spamd doesn't seem to send any 8025/udp packet at all.

Regards

On Tuesday 23 April 2019 at 02:57:31 UTC+2, Rudy Baker wrote:

On Mon, Apr 22, 2019, 10:43 AM Thuban, wrote:

> * Otto Moerbeek on [21-04-2019 12:49:07 +0200]:
> > On Sun, Apr 21, 2019 at 09:53:52AM +, Mik J wrote:
> > >
> > > Hello,
> > > I read the man but it's not so clear to me
> > > https://man.openbsd.org/spamd#SYNCHRONISATION
> > > a) I chose unicast synchronisation but I don't know which port should I open on the firewall ?
> > > Is it going to use the spamd-cfg service ?
> >
> > It will use spamd-sync (udp port 8025)
>
> Good to know, I was blocking this traffic. It might be interesting to
> add a word about this in the manpage, what do you think?
>

tcpdump -nettti pflog0

That command tells you if anything is being blocked. I normally start there. You would have seen port 8025 being blocked right away

Re: How to synchronise 2 spamd instances
On Mon, Apr 22, 2019, 10:43 AM Thuban, wrote:

> * Otto Moerbeek on [21-04-2019 12:49:07 +0200]:
> > On Sun, Apr 21, 2019 at 09:53:52AM +, Mik J wrote:
> > >
> > > Hello,
> > > I read the man but it's not so clear to me
> > > https://man.openbsd.org/spamd#SYNCHRONISATION
> > > a) I chose unicast synchronisation but I don't know which port should I open on the firewall ?
> > > Is it going to use the spamd-cfg service ?
> >
> > It will use spamd-sync (udp port 8025)
>
> Good to know, I was blocking this traffic. It might be interesting to
> add a word about this in the manpage, what do you think?
>

tcpdump -nettti pflog0

That command tells you if anything is being blocked. I normally start there. You would have seen port 8025 being blocked right away

Re: How to synchronise 2 spamd instances
* Otto Moerbeek on [21-04-2019 12:49:07 +0200]:
> On Sun, Apr 21, 2019 at 09:53:52AM +, Mik J wrote:
>
> > Hello,
> > I read the man but it's not so clear to me
> > https://man.openbsd.org/spamd#SYNCHRONISATION
> > a) I chose unicast synchronisation but I don't know which port should I
> > open on the firewall ?
> > Is it going to use the spamd-cfg service ?
>
> It will use spamd-sync (udp port 8025)

Good to know, I was blocking this traffic. It might be interesting to add a word about this in the manpage, what do you think?

Re: How to synchronise 2 spamd instances
Hello Otto,
Thank you for your answer. I'm working on it right now.
Regards

On Sunday 21 April 2019 at 12:50:08 UTC+2, Otto Moerbeek wrote:

On Sun, Apr 21, 2019 at 09:53:52AM +, Mik J wrote:

> Hello,
> I read the man but it's not so clear to me
> https://man.openbsd.org/spamd#SYNCHRONISATION
> a) I chose unicast synchronisation but I don't know which port should I open
> on the firewall ?
> Is it going to use the spamd-cfg service ?

It will use spamd-sync (udp port 8025)

>
> b) The synchronisation section mentions a key and there's an option -K
> regarding that key but in the example the -K option is not used. So it's not
> clear.

-K is optional. But if you use it, all instances syncing should use the same key.

>
> c) It's not clear which instance is going to contact which. Is there a
> master/slave relationship ? What if one IP is WHITELIST on one instance and
> BLACKLIST on the other.
> Also should I use the -Y option on both instances ? Both are going to try to
> start a tcp session ?

It's symmetrical. All spamd's send updates to each other. No tcp involved, only udp. Specify A's IP on B and vice-versa.

>
> d) The message digest is calculated in md5 ?

It uses a sha1 hmac message authentication code, so no md5 digest.

>
> e) Should I specify the -M option on all instances or just on the low priority
> MX, which IP address should I specify the one on that host or the remote MX
>
> Thank you

Never used -M myself, but reading spamd.conf it looks like you only specify an -M IP on the host serving that IP. Note that -M is optional.

-Otto

Re: How to synchronise 2 spamd instances
On Sun, Apr 21, 2019 at 09:53:52AM +, Mik J wrote:

> Hello,
> I read the man but it's not so clear to me
> https://man.openbsd.org/spamd#SYNCHRONISATION
> a) I chose unicast synchronisation but I don't know which port should I open
> on the firewall ?
> Is it going to use the spamd-cfg service ?

It will use spamd-sync (udp port 8025)

>
> b) The synchronisation section mentions a key and there's an option -K
> regarding that key but in the example the -K option is not used. So it's not
> clear.

-K is optional. But if you use it, all instances syncing should use the same key.

>
> c) It's not clear which instance is going to contact which. Is there a
> master/slave relationship ? What if one IP is WHITELIST on one instance and
> BLACKLIST on the other.
> Also should I use the -Y option on both instances ? Both are going to try to
> start a tcp session ?

It's symmetrical. All spamd's send updates to each other. No tcp involved, only udp. Specify A's IP on B and vice-versa.

>
> d) The message digest is calculated in md5 ?

It uses a sha1 hmac message authentication code, so no md5 digest.

>
> e) Should I specify the -M option on all instances or just on the low priority
> MX, which IP address should I specify the one on that host or the remote MX
>
> Thank you

Never used -M myself, but reading spamd.conf it looks like you only specify an -M IP on the host serving that IP. Note that -M is optional.

-Otto

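Added example, not part of the thread and not spamd's code: a sketch of why peers exchanging HMAC-SHA1 authenticated UDP updates must all hold the same key. The datagram layout (counter, tag, payload), the function names and the sample payload are constructed for illustration and are not spamd's wire format.

```python
import hashlib
import hmac
import struct

HDR = struct.Struct("!I")                 # constructed header: 32-bit update counter
TAG_LEN = hashlib.sha1().digest_size      # HMAC-SHA1 tag is 20 bytes


def seal_update(key: bytes, counter: int, payload: bytes) -> bytes:
    """Build counter || HMAC-SHA1(key, counter || payload) || payload."""
    hdr = HDR.pack(counter)
    tag = hmac.new(key, hdr + payload, hashlib.sha1).digest()
    return hdr + tag + payload


def open_update(key: bytes, datagram: bytes, last_counter: int):
    """Return (counter, payload) if the datagram verifies, else None."""
    if len(datagram) < HDR.size + TAG_LEN:
        return None                       # too short to carry header and tag
    hdr = datagram[:HDR.size]
    tag = datagram[HDR.size:HDR.size + TAG_LEN]
    payload = datagram[HDR.size + TAG_LEN:]
    expected = hmac.new(key, hdr + payload, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):
        return None                       # wrong key or modified in transit
    (counter,) = HDR.unpack(hdr)
    if counter <= last_counter:
        return None                       # stale copy of an earlier update
    return counter, payload


if __name__ == "__main__":
    shared = b"constructed-shared-key-for-peers"   # same bytes on every peer
    other = b"a-different-key-on-a-misconfigured-peer"
    update = b"GREY 192.0.2.10"                    # constructed sample payload
    dgram = seal_update(shared, 1, update)

    print(open_update(shared, dgram, 0))           # peer with the same key
    print(open_update(other, dgram, 0))            # peer with a different key
    print(open_update(shared, dgram[:-1] + b"X", 0))  # altered payload
    print(open_update(shared, dgram, 1))           # same datagram seen again
```

A peer holding a different key drops every update silently, which from the outside looks the same as no synchronisation happening at all.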
How to synchronise 2 spamd instances
Hello,
I read the man but it's not so clear to me
https://man.openbsd.org/spamd#SYNCHRONISATION

a) I chose unicast synchronisation but I don't know which port should I open on the firewall ?
Is it going to use the spamd-cfg service ?

b) The synchronisation section mentions a key and there's an option -K regarding that key but in the example the -K option is not used. So it's not clear.

c) It's not clear which instance is going to contact which. Is there a master/slave relationship ? What if one IP is WHITELIST on one instance and BLACKLIST on the other.
Also should I use the -Y option on both instances ? Both are going to try to start a tcp session ?

d) The message digest is calculated in md5 ?

e) Should I specify the -M option on all instances or just on the low priority MX, which IP address should I specify the one on that host or the remote MX

Thank you