Re: Spamd as a proxy

2022-04-15 Thread Stuart Henderson
On 2022-04-15, alejan...@rogue-research.com wrote:
> Hi Mr Hansteen,
>
> Thanks for the reply, I started my journey with OpenBSD this week and I 
> decided to buy your book to help me understand its PF system, it's been 
> very helpful. I've been reading man pages from pf,spamd,opensmtpd and 
> sysctl, perhaps I just need more reading and time to fully understand 
> what is wrong with my setup.
>
> Since I am using 2 hosts (1 antispamer, 1 smtp server) on the same LAN, 
> I thought `rdr-to` would not work as stated on: 
>, under the section 
> "Redirection and Reflection" which is why I used `divert-to`. But 
> neither work, thus, I am left with no ideas as to how to forward the 
> emails from the antispam machine to the email server.
>
> What's different from all the docs and examples I've found is that I'm 
> trying to use two hosts, and everything I've seen seems to assume spamd 
> and the smtp server are on the same host. If `rdr-to` is not the way to 
> go, how must I overcome this challenge?

spamd expects to either be on the same host as the real SMTP service,
or on a router/firewall in front of that host. the only way to do proxy
like this on a host in a subnet alongside the smtp server (with another
firewall "in front") is to rdr *and* nat. but for obvious reasons you
really want the SMTP service to see the original source IP so nat isn't
much help...
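
Added example, not part of the thread: a simplified Python model of the three layouts discussed above, tracing one SYN and its SYN-ACK to show why a sibling host doing only `rdr-to` times out and why adding NAT hides the client address. The addresses, names and the routing model are constructed assumptions for illustration.

```python
# Constructed addresses for illustration; none come from the thread.
CLIENT = "192.0.2.10"     # remote SMTP client
PF_BOX = "198.51.100.2"   # host running spamd and pf
MAILSRV = "198.51.100.3"  # real SMTP server


def trace(reply_routes_via_pf, nat):
    """Follow one SYN / SYN-ACK pair through a pf box that does rdr-to.

    reply_routes_via_pf: True when the mail server's route back to the
    client crosses the pf box (the pf box is the router/firewall in front).
    nat: True when the pf box also rewrites the source address (nat-to).
    Returns (handshake_ok, source_address_the_mail_server_sees).
    """
    syn = {"src": CLIENT, "dst": PF_BOX}
    # rdr-to rewrites the destination; nat-to, if used, rewrites the source.
    fwd = {"src": PF_BOX if nat else CLIENT, "dst": MAILSRV}
    state = (syn, fwd)  # pf keeps both views so it can translate replies
    # The mail server answers the source address it saw.
    reply = {"src": MAILSRV, "dst": fwd["src"]}
    # pf can only reverse the translation if the reply actually reaches it.
    if reply["dst"] == PF_BOX or reply_routes_via_pf:
        original, _ = state
        reply = {"src": original["dst"], "dst": original["src"]}
    # The client accepts a SYN-ACK only from the address it dialled.
    ok = reply == {"src": syn["dst"], "dst": syn["src"]}
    return ok, fwd["src"]


def compare_layouts():
    """Evaluate the three placements of the spamd/pf host."""
    return {
        "sibling host, rdr-to only": trace(False, nat=False),
        "sibling host, rdr-to + nat-to": trace(False, nat=True),
        "pf box is the gateway, rdr-to only": trace(True, nat=False),
    }


if __name__ == "__main__":
    for layout, (ok, seen) in compare_layouts().items():
        status = "ok" if ok else "timeout"
        print(f"{layout}: handshake={status}, server sees {seen}")
```
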




Re: Spamd as a proxy

2022-04-15 Thread alejandro

Hi Mr Hansteen,

Thanks for the reply, I started my journey with OpenBSD this week and I 
decided to buy your book to help me understand its PF system, it's been 
very helpful. I've been reading man pages from pf,spamd,opensmtpd and 
sysctl, perhaps I just need more reading and time to fully understand 
what is wrong with my setup.


Since I am using 2 hosts (1 antispamer, 1 smtp server) on the same LAN, 
I thought `rdr-to` would not work as stated on: 
, under the section 
"Redirection and Reflection" which is why I used `divert-to`. But 
neither work, thus, I am left with no ideas as to how to forward the 
emails from the antispam machine to the email server.


What's different from all the docs and examples I've found is that I'm 
trying to use two hosts, and everything I've seen seems to assume spamd 
and the smtp server are on the same host. If `rdr-to` is not the way to 
go, how must I overcome this challenge?




On 2022-04-15 14:11, Peter Nicolai Mathias Hansteen wrote:

On 15 Apr 2022 at 19:56, alejan...@rogue-research.com wrote:

Greetings everyone,
First time posting here and so bear with me please :)
I have a mail server I don't want to touch; I want to set up another 
machine in front of it running spamd.
I have tried using `rdr-to` instead of `divert-to` but neither seem to 
work

This is what my pf rules look like in "/etc/pf.conf"
```
table  persist
table  persist file "/etc/mail/nospamd"

# Incoming connections that are whitelisted/nospamd go directly to the smtp server
pass in quick log (all, to pflog0) on egress proto tcp from {  } \
    to any port smtp divert-to mailserver.domain.com port smtp
```


No. Please read the man page. You do not need divert-to here. If you
do need it, your network design is wrong.

Try looking up http://home.nuug.no/~peter/pftutorial/#52
 (or better yet for me, buy
the book :))

All the best,
Peter

—
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.




Spamd as a proxy

2022-04-15 Thread alejandro

Greetings everyone,
First time posting here and so bear with me please :)
I have a mail server I don't want to touch; I want to set up another 
machine in front of it running spamd.
I have tried using `rdr-to` instead of `divert-to` but neither seem to 
work

This is what my pf rules look like in "/etc/pf.conf"
```
table  persist
table  persist file "/etc/mail/nospamd"

# Incoming connections that are whitelisted/nospamd go directly to the smtp server
pass in quick log (all, to pflog0) on egress proto tcp from {  } \
    to any port smtp divert-to mailserver.domain.com port smtp

# Divert unknown tcp connections with destination port 25 to spamd
pass in quick log (all, to pflog0) on egress proto tcp from any to any \
    port smtp divert-to 127.0.0.1 port spamd
```
I have enabled packet forwarding with `doas sysctl net.inet.ip.forwarding: 0 -> 1`


I am using `nc` to test my connection with the real smtp server through 
the antispam server but I am getting connection timeout every time.
When I check the logs, I can see the client sends a first SYN packet to 
the antispam and from there the packets get forwarded to the smtp 
server, but I don’t see any replies from the smtp server. There are no 
rules on the smtp server blocking the connections from my client and 
this is all done locally.

Can anyone help me? Any ideas as to why my setup is not working?