Spamd configuration for OpenBSD 3.9 - BSD



Thread: Spamd configuration for OpenBSD 3.9

  1. Spamd configuration for OpenBSD 3.9

    Howdy all. I had some difficulty getting spamd up and running
    correctly, so I thought I would post my pf.conf as an example.

    The permanent link is:

    http://home.xnet.com/~ansible/openbsd_spamd_conf.html

    And here's a copy of the /etc/pf.conf anyway:
    # PF configuration for example.com
    # Standard small-office NAT, with e-mail and webserver
    # behind the firewall.
    # Also added spamd running in greylisting mode.

    #####################
    # Macros
    #####################

    # internal and external network interfaces
    int_if = "xl0"
    ext_if = "rl0"

    # internal servers
    mail_host = "mail-int.example.com"
    external_web = "www-int.example.com"

    icmp_types = "{ echoreq, unreach }"

    # We should never see these coming from the Internet.
    martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
    10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
    0.0.0.0/8, 240.0.0.0/4 }"

    # options
    set block-policy return
    set loginterface $ext_if

    # scrub
    scrub in all

    #######################
    # NAT / Redirection
    #######################

    # NAT the internal network to the Internet.
    nat on $ext_if from $int_if:network to any -> ($ext_if)

    # FTP
    nat-anchor "ftp-proxy/*"
    rdr-anchor "ftp-proxy/*"
    rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 \
    port 8021

    # our WWW appears on the Internet
    rdr pass on $ext_if proto tcp from any to \
    $ext_if port http -> $external_web port http

    ############
    # Spamd
    ############

    # <spamd> and <spamd-white> are the table names that spamd-setup(8)
    # and spamlogd(8) use by default.
    # blacklisted hosts (filled by spamd-setup); spamd tarpits these
    table <spamd> persist
    # hosts that have passed greylisting (added by spamd/spamlogd);
    # preloaded from a file so the list survives a reboot
    table <spamd-white> persist file "/var/mail/whitelist.txt"

    # send all suspects to the spamd daemon
    # must have the pass option here!
    rdr pass on $ext_if inet proto tcp from <spamd> to \
    $ext_if port smtp -> 127.0.0.1 port 8025
    rdr pass on $ext_if inet proto tcp from !<spamd-white> to \
    $ext_if port smtp -> 127.0.0.1 port 8025

    # send whitelisted hosts to the actual mail server
    # I'm fairly sure we _don't_ want the pass option for this rdr.
    # ($mail_host is the macro defined in the Macros section above.)
    rdr on $ext_if proto tcp from <spamd-white> to \
    $ext_if port smtp -> $mail_host port smtp

    #################
    # Filter Rules
    #################

    block all

    pass quick on lo0 all

    antispoof for $ext_if
    antispoof for $int_if

    # Martians
    block drop in quick on $ext_if from $martians to any
    block drop out quick on $ext_if from any to $martians

    # Allow ping and path MTU discovery
    pass in inet proto icmp all icmp-type $icmp_types keep state

    # FTP - FIXME
    #anchor "ftp-proxy/*"
    #pass out proto tcp from $proxy to any port ftp keep state

    # for spamlogd to update the whitelists
    # Check to see if it is working by running spamdb before and
    # after sending out e-mails, and receiving e-mails.
    pass in log quick on $ext_if inet proto tcp from <spamd-white> \
    to port smtp flags S/SA keep state
    pass out log quick on $ext_if inet proto tcp \
    to any port smtp flags S/SA keep state

    # Allow anything on the internal interface
    pass in on $int_if from $int_if:network to any keep state
    pass out on $int_if from any to $int_if:network keep state

    # Allow anything from the internal network out onto the Internet
    pass out on $ext_if proto tcp all modulate state flags S/SA
    pass out on $ext_if proto { udp, icmp } all keep state
    James Graves
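As an added example (not from the original post, and not part of OpenBSD's spamd), here is a Python script that does the before/after check the comments in the pf.conf suggest: it parses two spamdb(8) dumps taken around some mail traffic plus the output of `pfctl -t spamd-white -T show`, reports which hosts went from GREY to WHITE, and flags WHITE hosts that never made it into the pf table. That last list is what you see when spamlogd is not watching the SMTP traffic (for instance because the `pass ... log` smtp rules do not match), so the whitelisted host keeps getting redirected to spamd. The spamdb and pfctl output embedded below is constructed sample data; the record layout follows spamdb(8).

```python
"""Compare spamdb(8) snapshots with the pf <spamd-white> table.

Usage: python check_spamd_white.py before.txt after.txt pf.txt
  where  spamdb > before.txt ; (send/receive some mail) ; spamdb > after.txt
         pfctl -t spamd-white -T show > pf.txt
With no arguments the constructed sample data below is used.
"""
import ipaddress
import sys

# Constructed sample data standing in for real tool output.
SPAMDB_BEFORE = """\
GREY|203.0.113.5|mx.example.net|<alice@example.net>|<bob@example.com>|1147000000|1147001800|1147014400|1|0
WHITE|198.51.100.7|||1146900000|1146903600|1150000000|2|5
TRAPPED|192.0.2.9|1147100000
"""

SPAMDB_AFTER = """\
WHITE|203.0.113.5|||1147000000|1147002000|1150100000|1|1
WHITE|198.51.100.7|||1146900000|1146903600|1150000000|2|6
GREY|203.0.113.40|relay.example.org|<x@example.org>|<bob@example.com>|1147003000|1147004800|1147017400|1|0
TRAPPED|192.0.2.9|1147100000
"""

# `pfctl -t spamd-white -T show` prints one indented address per line.
PF_WHITE = """\
   198.51.100.7
"""

VALID_STATES = ("GREY", "WHITE", "TRAPPED")


def parse_spamdb(text):
    """Return {ip: state} from spamdb output.

    spamdb(8) prints one '|'-separated record per line:
      GREY|ip|helo|from|to|first|pass|expire|block|pass
      WHITE|ip|||first|pass|expire|block|pass
      TRAPPED|ip|expire
    Only the state and the IP matter here.  A host can have several
    GREY tuples (one per envelope); if any record says WHITE, that wins.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split("|")
        if len(fields) < 2 or fields[0] not in VALID_STATES:
            raise ValueError("unrecognised spamdb line: %r" % line)
        state, ip = fields[0], fields[1]
        ipaddress.ip_address(ip)  # raises ValueError on garbage
        if entries.get(ip) != "WHITE":
            entries[ip] = state
    return entries


def parse_pf_table(text):
    """Return the set of addresses listed by `pfctl -t <table> -T show`."""
    hosts = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=False)
        # single hosts are stored without the /32 so they match spamdb's IPs
        if net.prefixlen == net.max_prefixlen:
            hosts.add(str(net.network_address))
        else:
            hosts.add(str(net))
    return hosts


def newly_whitelisted(before, after):
    """IPs that are WHITE in `after` but were not WHITE in `before`."""
    return sorted((ip for ip, st in after.items()
                   if st == "WHITE" and before.get(ip) != "WHITE"),
                  key=ipaddress.ip_address)


def missing_from_pf(spamdb, pf_hosts):
    """WHITE hosts in spamdb that the pf table does not contain."""
    return sorted((ip for ip, st in spamdb.items()
                   if st == "WHITE" and ip not in pf_hosts),
                  key=ipaddress.ip_address)


def report(before_text, after_text, pf_text):
    before = parse_spamdb(before_text)
    after = parse_spamdb(after_text)
    return {
        "newly_whitelisted": newly_whitelisted(before, after),
        "missing_from_pf": missing_from_pf(after, parse_pf_table(pf_text)),
    }


if __name__ == "__main__":
    if len(sys.argv) == 4:
        texts = [open(p).read() for p in sys.argv[1:4]]
    else:
        texts = [SPAMDB_BEFORE, SPAMDB_AFTER, PF_WHITE]
    r = report(*texts)
    print("passed greylisting since last snapshot:", r["newly_whitelisted"])
    if r["missing_from_pf"]:
        print("WHITE in spamdb but not in <spamd-white>:", r["missing_from_pf"])
        print("check that spamlogd is running and the 'pass ... log' smtp rules match")
```

With the sample data, 203.0.113.5 passed greylisting between the two snapshots but is absent from the pf table, which is exactly the symptom of a spamlogd that never saw the retry; on a healthy box the second list should be empty a moment after a host turns WHITE.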

  2. Re: Spamd configuration for OpenBSD 3.9

    We've made updates to our spamd setup. Thanks to some hints from a
    mailing list, we now have whitelists implemented correctly.

    http://home.xnet.com/~ansible/openbsd_spamd_conf.html

    James Graves
