Re: spamd: unauthorized connection

2006-02-17 Thread DAve

Marc Perkel wrote:
> DAve wrote:
>> Marc Perkel wrote:
>>> Matt Kettler wrote:
>>>> Marc Perkel wrote:
>>>>> Theo Van Dinter wrote:
>>>>>> On Thu, Feb 16, 2006 at 05:36:32PM -0800, Marc Perkel wrote:
>>>>>>> Why is spamd deciding what IP addresses are unauthorized when I
>>>>>>> told it to listen on all ports.
>>>>>>
>>>>>> Just because it's listening on a port doesn't mean the client is
>>>>>> allowed to connect.  You want to look at -A which is the listing of
>>>>>> allowed client IPs.
>>>>>
>>>>> Yes - that's it. Thanks.
>>>>>
>>>>> So - why two different settings?
>>>>
>>>> Because they control two totally different things.
>>>>
>>>> -i controls which interfaces of the SERVER that spamd will listen
>>>> for connections on.
>>>>
>>>> -A controls which CLIENTS it will accept connections from.
>>>>
>>>> Say I have 3 webservers, 3 mailservers, and 1 backend spamd server
>>>> in a DMZ subnet. I want the mailservers to connect to the backend
>>>> spamd, but there's no reason to allow the webservers to do so.
>>>>
>>>> In fact, if the webservers are running a lot of scripts that might
>>>> get exploited, it's probably better that I not allow them to connect
>>>> to spamd. If someone found a way of exploiting spamd over the
>>>> network, they could leapfrog from the webserver to the spamd server.
>>>>
>>>> Admittedly -A is a bit redundant with iptables, you could achieve
>>>> the same effect with any firewall on the spamd server. However, this
>>>> way it is defaulting to accepting connections from nobody, just to
>>>> force you to think about what machines you should accept connections
>>>> from.
>>>
>>> If I may suggest - it is a very confusing configuration because I
>>> don't see why you would configure these two things to different
>>> values. However, you should at least document it better so that the
>>> -i and -A sections refer to each other. You can surely see why if
>>> someone did -i then they would not be looking for another switch that
>>> does almost the same thing.
>>>
>>> I recommend changing it so that both switches do the same thing.
>>
>> But they don't do the same thing. For example, I have one spamd
>> server, and three mail toasters. I use both the -i and the -A switch.
>> My spamd server is at 10.0.240.253 and my toasters are lumped in with
>> everything else at 10.0.240.50-200. (all my servers have two faces, a
>> 100mb public interface and a 1gb private interface)
>>
>> I run spamd like so,
>>
>> #!/sbin/sh
>>
>> PATH=/usr/bin:/usr/local/bin
>>
>> # -A takes one comma-separated list (no spaces), or may be repeated
>> exec /usr/local/bin/softlimit -a 12800 \
>> /usr/local/bin/spamd -i 10.0.240.253 \
>> -p 1783 \
>> -A 10.0.240.134,10.0.240.135,10.0.240.136 \
>> -m 25 \
>> --max-conn-per-child=500 \
>> -u vpopmail -x -q -s stderr 2>&1
>>
>> -i tells spamd to listen only on the 10.0.240.253 interface, ignore
>> the 10.0.241.xxx interface, that one is public.
>>
>> -A tells spamd to only accept connections from 10.0.240.134-136, my
>> toasters. Do *NOT* accept connections from my Frontpage server, my
>> webservers, my shared hosting box, my MSSQL box, etc.
>>
>> The two switches do very different things.
>>
>> DAve
>
> Well then the DOCS should be changed so that the docs for -i and -A at
> least refer to each other.

They don't have to refer to each other. One switch tells where spamd
should listen for connections, the other tells spamd what connections to
listen for. You can use one, the other, both, or neither as you require.

DAve


http://spamassassin.apache.org/full/3.1.x/dist/doc/spamd.html

-i [ipaddress], --listen-ip[=ipaddress], --ip-address[=ipaddress]
Tells spamd to listen on the specified IP address (defaults to 
127.0.0.1). If you specify no IP address after the switch, spamd will 
listen on all interfaces. (This is equal to the address 0.0.0.0). You 
can also use a valid hostname which will make spamd listen on the first 
address that name resolves to.


-A host,..., --allowed-ips=host,...
Specify a list of authorized hosts or networks which can connect to 
this spamd instance. Single IP addresses can be given, ranges of IP 
addresses in address/masklength CIDR format, or ranges of IP addresses 
by listing 3 or less octets with a trailing dot. Hostnames are not 
supported, only IP addresses. This option can be specified multiple 
times, or can take a list of addresses separated by commas. Examples:


-A 10.11.12.13 -- only allow connections from 10.11.12.13.

-A 10.11.12.13,10.11.12.14 -- only allow connections from 
10.11.12.13 and 10.11.12.14.


-A 10.200.300.0/24 -- allow connections from any machine in the 
range 10.200.300.*.


-A 10. -- allow connections from any machine in the range 10.*.*.*.

By default, connections are only accepted from localhost [127.0.0.1].



Re: spamd: unauthorized connection

2006-02-17 Thread Marc Perkel



DAve wrote:
> Marc Perkel wrote:
>> Matt Kettler wrote:
>>> Marc Perkel wrote:
>>>> Theo Van Dinter wrote:
>>>>> On Thu, Feb 16, 2006 at 05:36:32PM -0800, Marc Perkel wrote:
>>>>>> Why is spamd deciding what IP addresses are unauthorized when I
>>>>>> told it to listen on all ports.
>>>>>
>>>>> Just because it's listening on a port doesn't mean the client is
>>>>> allowed to connect.  You want to look at -A which is the listing of
>>>>> allowed client IPs.
>>>>
>>>> Yes - that's it. Thanks.
>>>>
>>>> So - why two different settings?
>>>
>>> Because they control two totally different things.
>>>
>>> -i controls which interfaces of the SERVER that spamd will listen
>>> for connections on.
>>>
>>> -A controls which CLIENTS it will accept connections from.
>>>
>>> Say I have 3 webservers, 3 mailservers, and 1 backend spamd server
>>> in a DMZ subnet. I want the mailservers to connect to the backend
>>> spamd, but there's no reason to allow the webservers to do so.
>>>
>>> In fact, if the webservers are running a lot of scripts that might
>>> get exploited, it's probably better that I not allow them to connect
>>> to spamd. If someone found a way of exploiting spamd over the
>>> network, they could leapfrog from the webserver to the spamd server.
>>>
>>> Admittedly -A is a bit redundant with iptables, you could achieve
>>> the same effect with any firewall on the spamd server. However, this
>>> way it is defaulting to accepting connections from nobody, just to
>>> force you to think about what machines you should accept connections
>>> from.
>>
>> If I may suggest - it is a very confusing configuration because I
>> don't see why you would configure these two things to different
>> values. However, you should at least document it better so that the
>> -i and -A sections refer to each other. You can surely see why if
>> someone did -i then they would not be looking for another switch that
>> does almost the same thing.
>>
>> I recommend changing it so that both switches do the same thing.
>
> But they don't do the same thing. For example, I have one spamd
> server, and three mail toasters. I use both the -i and the -A switch.
> My spamd server is at 10.0.240.253 and my toasters are lumped in with
> everything else at 10.0.240.50-200. (all my servers have two faces, a
> 100mb public interface and a 1gb private interface)
>
> I run spamd like so,
>
> #!/sbin/sh
>
> PATH=/usr/bin:/usr/local/bin
>
> # -A takes one comma-separated list (no spaces), or may be repeated
> exec /usr/local/bin/softlimit -a 12800 \
> /usr/local/bin/spamd -i 10.0.240.253 \
> -p 1783 \
> -A 10.0.240.134,10.0.240.135,10.0.240.136 \
> -m 25 \
> --max-conn-per-child=500 \
> -u vpopmail -x -q -s stderr 2>&1
>
> -i tells spamd to listen only on the 10.0.240.253 interface, ignore
> the 10.0.241.xxx interface, that one is public.
>
> -A tells spamd to only accept connections from 10.0.240.134-136, my
> toasters. Do *NOT* accept connections from my Frontpage server, my
> webservers, my shared hosting box, my MSSQL box, etc.
>
> The two switches do very different things.
>
> DAve

Well then the DOCS should be changed so that the docs for -i and -A at
least refer to each other.


Re: spamd: unauthorized connection

2006-02-17 Thread DAve

Marc Perkel wrote:
> Matt Kettler wrote:
>> Marc Perkel wrote:
>>> Theo Van Dinter wrote:
>>>> On Thu, Feb 16, 2006 at 05:36:32PM -0800, Marc Perkel wrote:
>>>>> Why is spamd deciding what IP addresses are unauthorized when I
>>>>> told it to listen on all ports.
>>>>
>>>> Just because it's listening on a port doesn't mean the client is
>>>> allowed to connect.  You want to look at -A which is the listing of
>>>> allowed client IPs.
>>>
>>> Yes - that's it. Thanks.
>>>
>>> So - why two different settings?
>>
>> Because they control two totally different things.
>>
>> -i controls which interfaces of the SERVER that spamd will listen for
>> connections on.
>>
>> -A controls which CLIENTS it will accept connections from.
>>
>> Say I have 3 webservers, 3 mailservers, and 1 backend spamd server in
>> a DMZ subnet. I want the mailservers to connect to the backend spamd,
>> but there's no reason to allow the webservers to do so.
>>
>> In fact, if the webservers are running a lot of scripts that might
>> get exploited, it's probably better that I not allow them to connect
>> to spamd. If someone found a way of exploiting spamd over the network,
>> they could leapfrog from the webserver to the spamd server.
>>
>> Admittedly -A is a bit redundant with iptables, you could achieve the
>> same effect with any firewall on the spamd server. However, this way
>> it is defaulting to accepting connections from nobody, just to force
>> you to think about what machines you should accept connections from.
>
> If I may suggest - it is a very confusing configuration because I don't
> see why you would configure these two things to different values.
> However, you should at least document it better so that the -i and -A
> sections refer to each other. You can surely see why if someone did -i
> then they would not be looking for another switch that does almost the
> same thing.
>
> I recommend changing it so that both switches do the same thing.

But they don't do the same thing. For example, I have one spamd server,
and three mail toasters. I use both the -i and the -A switch. My spamd
server is at 10.0.240.253 and my toasters are lumped in with everything
else at 10.0.240.50-200. (all my servers have two faces, a 100mb public
interface and a 1gb private interface)

I run spamd like so,

#!/sbin/sh

PATH=/usr/bin:/usr/local/bin

# -A takes one comma-separated list (no spaces), or may be repeated
exec /usr/local/bin/softlimit -a 12800 \
/usr/local/bin/spamd -i 10.0.240.253 \
-p 1783 \
-A 10.0.240.134,10.0.240.135,10.0.240.136 \
-m 25 \
--max-conn-per-child=500 \
-u vpopmail -x -q -s stderr 2>&1

-i tells spamd to listen only on the 10.0.240.253 interface, ignore the
10.0.241.xxx interface, that one is public.

-A tells spamd to only accept connections from 10.0.240.134-136, my
toasters. Do *NOT* accept connections from my Frontpage server, my
webservers, my shared hosting box, my MSSQL box, etc.

The two switches do very different things.

DAve




Re: spamd: unauthorized connection

2006-02-17 Thread Marc Perkel






Matt Kettler wrote:
> Marc Perkel wrote:
>> Theo Van Dinter wrote:
>>> On Thu, Feb 16, 2006 at 05:36:32PM -0800, Marc Perkel wrote:
>>>> Why is spamd deciding what IP addresses are unauthorized when I told it
>>>> to listen on all ports.
>>>
>>> Just because it's listening on a port doesn't mean the client is allowed to
>>> connect.  You want to look at -A which is the listing of allowed client IPs.
>>
>> Yes - that's it. Thanks.
>>
>> So - why two different settings?
>
> Because they control two totally different things.
>
> -i controls which interfaces of the SERVER that spamd will listen for connections on.
>
> -A controls which CLIENTS it will accept connections from.
>
> Say I have 3 webservers, 3 mailservers, and 1 backend spamd server in a DMZ
> subnet. I want the mailservers to connect to the backend spamd, but there's no
> reason to allow the webservers to do so.
>
> In fact, if the webservers are running a lot of scripts that might get
> exploited, it's probably better that I not allow them to connect to spamd. If
> someone found a way of exploiting spamd over the network, they could leapfrog
> from the webserver to the spamd server.
>
> Admittedly -A is a bit redundant with iptables, you could achieve the same
> effect with any firewall on the spamd server. However, this way it is defaulting
> to accepting connections from nobody, just to force you to think about what
> machines you should accept connections from.

If I may suggest - it is a very confusing configuration because I don't
see why you would configure these two things to different values.
However, you should at least document it better so that the -i and -A
sections refer to each other. You can surely see why if someone did -i
then they would not be looking for another switch that does almost the
same thing.

I recommend changing it so that both switches do the same thing.





Re: spamd: unauthorized connection

2006-02-16 Thread Matt Kettler
Marc Perkel wrote:
> 
> 
> Theo Van Dinter wrote:
>> On Thu, Feb 16, 2006 at 05:36:32PM -0800, Marc Perkel wrote:
>>   
>>> Why is spamd deciding what IP addresses are unauthorized when I told it 
>>> to listen on all ports.
>>> 
>>
>> Just because it's listening on a port doesn't mean the client is allowed to
>> connect.  You want to look at -A which is the listing of allowed client IPs.
>>   
> 
> Yes - that's it. Thanks.
> 
> So - why two different settings?

Because they control two totally different things.

-i controls which interfaces of the SERVER that spamd will listen for 
connections on.

-A controls which CLIENTS it will accept connections from.

Say I have 3 webservers, 3 mailservers, and 1 backend spamd server in a DMZ
subnet. I want the mailservers to connect to the backend spamd, but there's no
reason to allow the webservers to do so.

In fact, if the webservers are running a lot of scripts that might get
exploited, it's probably better that I not allow them to connect to spamd. If
someone found a way of exploiting spamd over the network, they could leapfrog
from the webserver to the spamd server.

Admittedly -A is a bit redundant with iptables, you could achieve the same
effect with any firewall on the spamd server. However, this way it is defaulting
to accepting connections from nobody, just to force you to think about what
machines you should accept connections from.
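Matt's point here (-i picks the interface the server binds, -A picks which clients get past the accept, and the -A default is localhost only) and the spamd(1) excerpt DAve pasted further up the thread (single IPs, address/masklength CIDR, one to three leading octets with a trailing dot, comma-separated lists) can be modelled in a few lines. This is an added example, not code from the thread or from SpamAssassin; the class name, the "refused"/"unauthorized"/"accepted" labels and the demo addresses are constructed for illustration, and 10.0.241.253 stands in for DAve's public-side address, which the thread gives only as 10.0.241.xxx.

```python
"""Model of spamd's two independent access controls:
-i (which local interface to listen on) and -A (which clients may connect).
Added example; it is not spamd's own code."""
import ipaddress
from typing import Iterable, List, Optional

ALL_INTERFACES = ipaddress.IPv4Address("0.0.0.0")


def parse_allowed_ips(specs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Expand -A values in the three forms spamd(1) documents: a single IP,
    address/masklength CIDR, or 1-3 leading octets with a trailing dot.
    Each spec may itself be a comma-separated list, as spamd allows."""
    nets: List[ipaddress.IPv4Network] = []
    for spec in specs:
        for item in spec.split(","):
            item = item.strip()
            if not item:
                continue
            if item.endswith("."):
                # "10." -> 10.0.0.0/8, "10.11." -> 10.11.0.0/16, "10.11.12." -> /24
                octets = item.rstrip(".").split(".")
                if not 1 <= len(octets) <= 3:
                    raise ValueError(f"bad octet prefix in -A: {item!r}")
                base = ".".join(octets + ["0"] * (4 - len(octets)))
                nets.append(ipaddress.IPv4Network(f"{base}/{8 * len(octets)}"))
            elif "/" in item:
                nets.append(ipaddress.IPv4Network(item, strict=False))
            else:
                nets.append(ipaddress.IPv4Network(f"{item}/32"))
    return nets


class SpamdAccessPolicy:
    """Decides, for a connection arriving on local_ip from client_ip, whether
    spamd would accept it. Defaults mirror the man page: listen on 127.0.0.1
    and accept from 127.0.0.1 only. (Constructed model, not spamd's code.)"""

    def __init__(self, listen_ip: Optional[str] = "127.0.0.1",
                 allowed_ips: Iterable[str] = ()) -> None:
        # "-i" given with no address means all interfaces (0.0.0.0)
        self.listen_ip = ipaddress.IPv4Address(listen_ip or "0.0.0.0")
        # no -A given: localhost only, the "accept from nobody else" default
        self.allowed = parse_allowed_ips(allowed_ips) or parse_allowed_ips(["127.0.0.1"])

    def decide(self, local_ip: str, client_ip: str) -> str:
        local = ipaddress.IPv4Address(local_ip)
        client = ipaddress.IPv4Address(client_ip)
        # -i: nothing is bound on this interface, so the TCP connect never succeeds
        if self.listen_ip != ALL_INTERFACES and local != self.listen_ip:
            return "refused"
        # -A: the socket accepted the connection, but the client is not on the list
        if not any(client in net for net in self.allowed):
            return "unauthorized"
        return "accepted"


def unauthorized_log(client_host: str) -> str:
    """The log line spamd emits for an -A rejection (as seen in the thread);
    worth alerting on, since a host that should never talk to spamd tried to."""
    return f"spamd: unauthorized connection from {client_host}"


if __name__ == "__main__":
    # Marc's first attempt: -i 0.0.0.0 but no -A, so only localhost is authorized
    marc = SpamdAccessPolicy("0.0.0.0")
    print("marc, remote client:", marc.decide("10.0.240.253", "10.0.240.50"))
    # DAve's setup: private-side listener, three toasters allowed.
    # 10.0.241.253 is a constructed stand-in for his public-side address.
    dave = SpamdAccessPolicy("10.0.240.253",
                             ["10.0.240.134,10.0.240.135,10.0.240.136"])
    print("toaster via private side:", dave.decide("10.0.240.253", "10.0.240.135"))
    print("webserver via private side:", dave.decide("10.0.240.253", "10.0.240.50"))
    print("toaster via public side:", dave.decide("10.0.241.253", "10.0.240.135"))
    print(unauthorized_log("2.ctyme.com"))
```

The two outcomes a client can hit are deliberately kept distinct: "refused" is a -i effect (no listener on that interface, the kernel resets the connect), while "unauthorized" is a -A effect (spamd accepted the socket, checked the peer address, logged the line above and closed). Only the second one produces a spamd log entry, which is the one to watch for in a DMZ where web servers should never be reaching the spam scanner.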






Re: spamd: unauthorized connection

2006-02-16 Thread Marc Perkel






Theo Van Dinter wrote:
> On Thu, Feb 16, 2006 at 05:36:32PM -0800, Marc Perkel wrote:
>> Why is spamd deciding what IP addresses are unauthorized when I told it 
>> to listen on all ports.
>
> Just because it's listening on a port doesn't mean the client is allowed to
> connect.  You want to look at -A which is the listing of allowed client IPs.

Yes - that's it. Thanks.

So - why two different settings?





Re: spamd: unauthorized connection

2006-02-16 Thread Matt Kettler
Marc Perkel wrote:
> Trying to set up a spamassassin spamd server and getting errors when
> other servers connect to the spamd server. I tried -i 0.0.0.0 and getting:
> 
> spamd: unauthorized connection from 2.ctyme.com
> 
> Why is spamd deciding what IP addresses are unauthorized when I told it
> to listen on all ports.
> 

Because you didn't specify -A, which is the list of allowed client IPs.




Re: spamd: unauthorized connection

2006-02-16 Thread Rick Macdougall

Marc Perkel wrote:
> Trying to set up a spamassassin spamd server and getting errors when 
> other servers connect to the spamd server. I tried -i 0.0.0.0 and getting:
>
> spamd: unauthorized connection from 2.ctyme.com
>
> Why is spamd deciding what IP addresses are unauthorized when I told it 
> to listen on all ports.

 -A host,..., --allowed-ips=..,..   Limit ip addresses which can connect

Regards,

Rick



Re: spamd: unauthorized connection

2006-02-16 Thread Theo Van Dinter
On Thu, Feb 16, 2006 at 05:36:32PM -0800, Marc Perkel wrote:
> Why is spamd deciding what IP addresses are unauthorized when I told it 
> to listen on all ports.

Just because it's listening on a port doesn't mean the client is allowed to
connect.  You want to look at -A which is the listing of allowed client IPs.

-- 
Randomly Generated Tagline:
"If you're running the latest version of IIS, then you're not vulnerable to
 this [security hole], but you're vulnerable to something new." - Phil Cox




spamd: unauthorized connection

2006-02-16 Thread Marc Perkel
Trying to set up a spamassassin spamd server and getting errors when 
other servers connect to the spamd server. I tried -i 0.0.0.0 and getting:


spamd: unauthorized connection from 2.ctyme.com

Why is spamd deciding what IP addresses are unauthorized when I told it 
to listen on all ports.