spamd nonfunctioning due to power outage in SD
dssampson at yahoo.com
Wed Oct 24 14:01:35 PDT 2007
> dssampson at yahoo.com wrote:
> > I had a power outage to our building due to the fires in San Diego
> > and it crashed those without UPSes. One of them is the spamd machine.
> > I've brought it back up and ran fsck on all volumes. However, mail
> > will not come into our mailboxes from outside but mail can be
> > delivered to outside recipients. I can telnet into the spamd machine
> > and send mail externally and internally. Postfix seems to be ok. When
> > I stop pf, mail from the outside of our LAN comes pouring in. When I
> > start up pf, inbound mail comes to a stop. In the spamd log, I see
> > all kinds of connections being blacklisted and greylisted but still
> > not one mail is being delivered. I am using spamd-mywhite as my
> > whitelist and put all known GMail IP addresses on it. I then send an
> > email from my GMail account to this machine. It gets greylisted and
> > eventually sits in the greylist for quite a while. I also see port 25
> > open on both external and internal NICs and port 8025 open on the
> > localhost interface.
> >
> > I need assistance in troubleshooting this. Running spamd 4.1.2 on
> > FreeBSD 6.2. We average 800 valid mail per day and so far in the last
> > 24 hours, not one mail has come through using the existing spamd
> > configuration.
> >
> > mailfilter-root@/usr/ports# pfctl -vvnf /etc/pf.conf
> > ext_if = "rl0"
> > int_if = "xl0"
> > internal_net = "192.168.1.1/24"
> > external_addr = "216.70.250.4"
> > vpn_net = "10.8.0.0/24"
> > icmp_types = "echoreq"
> > NoRouteIPs = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
> > webserver1 = "192.168.1.4"
> > set skip on { lo0 }
> > set skip on { gif0 }
> > @0 scrub in all fragment reassemble
> > @1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
> > @2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
> > @3 rdr on rl0 inet proto tcp from any to 216.70.250.4 port = http -> 192.168.1.4 port 80
> > table persist
> > table persist
> > table persist file "/usr/local/etc/spamd/spamd-mywhite"
> > @4 rdr inet proto tcp from to 216.70.250.4 port = smtp -> 127.0.0.1 port 25
> > @5 rdr inet proto tcp from to 216.70.250.4 port = smtp -> 127.0.0.1 port 25
> > @6 rdr pass inet proto tcp from to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
> > @7 rdr pass inet proto tcp from ! to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
> > @8 pass in log inet proto tcp from any to 216.70.250.4 port = smtp flags S/SA synproxy state
> > @9 pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags S/SA synproxy state
> > @10 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
> > @11 block drop in log all
> > @12 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
> > @13 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
> > @14 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
> > @15 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
> > @16 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
> > @17 block drop out log quick on rl0 inet from any to 127.0.0.0/8
> > @18 block drop out log quick on rl0 inet from any to 192.168.0.0/16
> > @19 block drop out log quick on rl0 inet from any to 172.16.0.0/12
> > @20 block drop out log quick on rl0 inet from any to 10.0.0.0/8
> > @21 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
> > @22 block drop in log quick inet from 192.168.1.25 to any
> > @23 pass in on xl0 inet from 192.168.1.0/24 to any
> > @24 pass out log on xl0 inet from any to 192.168.1.0/24
> > @25 pass out log quick on xl0 inet from any to 10.8.0.0/24
> > @26 pass out on rl0 proto tcp all flags S/SA modulate state
> > @27 pass out on rl0 proto udp all keep state
> > @28 pass out on rl0 proto icmp all keep state
> > @29 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
> > @30 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
> > warning: macro 'icmp_types' not used
> > mailfilter-root@/usr/ports#
> >
> > What's the quickest way to recover from this? Any other
> > troubleshooting techniques?
> >
> > ~Doug
> >
>
> with rule @11 (log) you can do a
> tcpdump -net -i pflog0 and look at the block rule number.
This is what I am seeing:
303784 rule 3/0(match): block in on rl0: 66.218.67.246.30833 > 127.0.0.1.25: S 863049525:863049525(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
1.266221 rule 3/0(match): block in on rl0: 63.209.114.3.1923 > 127.0.0.1.25: S 3256136674:3256136674(0) win 57344 <mss 1460>
157399 rule 3/0(match): block in on rl0: 207.158.59.100.38643 > 127.0.0.1.25: S 4015967731:4015967731(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]>
1.139142 rule 3/0(match): block in on rl0: 200.46.204.71.49347 > 127.0.0.1.25: S 4237450357:4237450357(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
199803 rule 3/0(match): block in on rl0: 200.46.204.71.53512 > 127.0.0.1.25: S 2390205679:2390205679(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
039859 rule 3/0(match): block in on rl0: 200.46.204.71.65136 > 127.0.0.1.25: S 1802046267:1802046267(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
101924 rule 3/0(match): block in on rl0: 200.46.204.71.61323 > 127.0.0.1.25: S 1996496288:1996496288(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
295669 rule 3/0(match): block in on rl0: 66.218.67.246.30833 > 127.0.0.1.25: S 863049525:863049525(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
192006 rule 3/0(match): block in on rl0: 38.100.230.154.1856 > 127.0.0.1.25: S 1648209710:1648209710(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]>
639961 rule 3/0(match): block in on rl0: 207.158.59.100.60302 > 127.0.0.1.25: S 490829265:490829265(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]>
391948 rule 3/0(match): block in on rl0: 207.158.59.100.38643 > 127.0.0.1.25: S 4015967731:4015967731(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]>
042299 rule 3/0(match): block in on rl0: 63.209.114.3.1923 > 127.0.0.1.25: S 3256136674:3256136674(0) win 57344 <mss 1460>
025190 rule 3/0(match): block in on rl0: 209.11.60.21.14104 > 127.0.0.1.25: S 598584256:598584256(0) win 16384 <mss 1380>
1.310404 rule 3/0(match): block in on rl0: 200.46.204.71.49347 > 127.0.0.1.25: S 4237450357:4237450357(0) win 65535 <mss 1460,sackOK,eol>
214949 rule 3/0(match): block in on rl0: 200.46.204.71.53512 > 127.0.0.1.25: S 2390205679:2390205679(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
038980 rule 3/0(match): block in on rl0: 200.46.204.71.65136 > 127.0.0.1.25: S 1802046267:1802046267(0) w
Which of the rules above does rule 3/0(match) refer to?
Also,
mailfilter-root@/usr/ports# tcpdump -n -e -ttt -r /var/log/pflog port 8025
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
mailfilter-root@/usr/ports#
No forwarding to port 8025 is occurring at this point, or so it seems.
>
> also do a sockstat -4 -p 25 and look if your mailserver listens
> at 127.0.0.1:25 otherwise rule @4 and @5 have no effect
mailfilter-root@/usr/ports# sockstat -4 -p 25
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root master 841 11 tcp4 *:25 *:*
I should mention that this is a relay for our internal Exchange server. I'm going to test if Postfix is relaying correctly. From all indications it does seem to relay correctly but I need to make sure it does!
~Doug
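The "which rule is 3/0?" question can be answered mechanically. The script below is an added example, not code from the thread or from pf: it parses the pfctl -vvnf listing quoted above together with the pflog lines, renumbers the filter rules the way the kernel and pflog number them (pass/block rules only, from 0, independent of the single running @N counter that pfctl -vvnf prints over scrub, nat, rdr and filter rules), and joins each blocked SYN to the rdr rules that rewrote its destination. It assumes standard pf behaviour, namely that inbound rdr is applied before filtering, so a filter rule only ever sees the translated destination (here 127.0.0.1:25 rather than 216.70.250.4:25). The ruleset and pflog lines are constructed from the post; `<table>` is a placeholder for the table names the archive stripped and has no effect on the numbering.

```python
# Added example, not from the thread: map a pflog "rule N/0" number back to a
# rule in "pfctl -vvnf" output.  Assumption (standard pf behaviour): pflog and
# "pfctl -vvsr" number only the *filter* rules (pass/block), from 0, while
# "pfctl -vvnf" prints one running @N counter over scrub, nat, rdr and filter
# rules.  Inbound rdr runs before filtering, so pflog shows the translated
# destination.
import re

# Constructed from the post's pfctl -vvnf listing.  "<table>" stands in for the
# table names the archive stripped; they do not affect the numbering.
PFCTL_VVNF = """\
@0 scrub in all fragment reassemble
@1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
@2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
@3 rdr on rl0 inet proto tcp from any to 216.70.250.4 port = http -> 192.168.1.4 port 80
@4 rdr inet proto tcp from <table> to 216.70.250.4 port = smtp -> 127.0.0.1 port 25
@5 rdr inet proto tcp from <table> to 216.70.250.4 port = smtp -> 127.0.0.1 port 25
@6 rdr pass inet proto tcp from <table> to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
@7 rdr pass inet proto tcp from ! <table> to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
@8 pass in log inet proto tcp from any to 216.70.250.4 port = smtp flags S/SA synproxy state
@9 pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags S/SA synproxy state
@10 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
@11 block drop in log all
@12 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
"""

# Constructed: two of the "tcpdump -net -i pflog0" lines from the post.
PFLOG_LINES = [
    "303784 rule 3/0(match): block in on rl0: 66.218.67.246.30833 > 127.0.0.1.25: "
    "S 863049525:863049525(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>",
    "1.266221 rule 3/0(match): block in on rl0: 63.209.114.3.1923 > 127.0.0.1.25: "
    "S 3256136674:3256136674(0) win 57344 <mss 1460>",
]

RULE_RE = re.compile(r"^@(\d+)\s+(\S+)\s+(.*)$")
RDR_TARGET_RE = re.compile(r"-> (\S+) port (\d+)$")
PFLOG_RE = re.compile(
    r"rule (?P<nr>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): (?P<action>pass|block) "
    r"(?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def filter_rules(pfctl_output):
    """Filter rules keyed by their kernel/pflog number (0-based, pass/block only)."""
    rules = {}
    for line in pfctl_output.splitlines():
        m = RULE_RE.match(line)
        if m and m.group(2) in ("pass", "block"):
            rules[len(rules)] = line
    return rules


def rdr_rules_to(pfctl_output, dst, dport):
    """rdr rules whose translated target is dst:dport ("rdr pass" included)."""
    hits = []
    for line in pfctl_output.splitlines():
        m = RULE_RE.match(line)
        t = RDR_TARGET_RE.search(line)
        if m and m.group(2) == "rdr" and t and t.group(1) == dst and int(t.group(2)) == dport:
            hits.append(line)
    return hits


def parse_pflog(line):
    """Pull rule number, verdict, interface and the TCP 4-tuple out of one pflog line."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for k in ("nr", "sub", "sport", "dport"):
        ev[k] = int(ev[k])
    return ev


def explain(pflog_line, pfctl_output):
    """Join a pflog event to the filter rule that produced it and to the rdr
    rules that rewrote the destination the filter rule saw."""
    ev = parse_pflog(pflog_line)
    if ev is None:
        raise ValueError("not a pflog line: %r" % pflog_line)
    ev["rule_text"] = filter_rules(pfctl_output).get(ev["nr"], "<no such filter rule>")
    ev["rdr_hits"] = rdr_rules_to(pfctl_output, ev["dst"], ev["dport"])
    # A destination of 127.0.0.1 arriving on an external interface can only be
    # the result of rdr: the filter rule evaluated the post-translation address.
    ev["translated"] = bool(ev["rdr_hits"])
    return ev


if __name__ == "__main__":
    for line in PFLOG_LINES:
        ev = explain(line, PFCTL_VVNF)
        print("pflog rule %d -> %s" % (ev["nr"], ev["rule_text"]))
        print("  %s:%d -> %s:%d (%s)" % (ev["src"], ev["sport"], ev["dst"], ev["dport"],
                                        "translated by rdr" if ev["translated"] else "untranslated"))
        for r in ev["rdr_hits"]:
            print("    via", r)
```

On the box itself, `pfctl -vvsr` prints the loaded filter rules with the same numbering pflog uses, so the lookup can be checked against the running ruleset instead of a parse of pf.conf. With the post's ruleset the script resolves pflog rule 3 to `@11 block drop in log all` and lists `@4` and `@5` as the rdr rules that sent these hosts to 127.0.0.1:25. Those two are plain `rdr`, not `rdr pass` like `@6`/`@7`, and `@8` matches on 216.70.250.4, which the filter never sees after translation, so the redirected SYN falls through to the catch-all block.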
More information about the freebsd-pf mailing list