kpriv/pkgsrc-wip
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
pkgsrc-wip/mxallowd/patches/patch-aa
Michael Stapelberg 5efb9dac95 Import mxallowd-1.6 as wip/mxallowd. 
mxallowd is a daemon for pf/pflog which implements a slightly improved
nolisting mechanism. Basically your nameserver has to be configured to
return two MX ip addresses of which one does not run a mail server on
port 25 (the one with higher priority). Most spammers try to connect
directly to the first mailserver -- mxallowd blocks that. You have to
connect to the first one and then to the second one, direct connections
do not work. Real mailservers (not spammers) have to try all MX ip
addresses in order (sorted by priority) until they succeed in delivering
the mail.
2008-08-10 15:48:45 +00:00

105 lines
4.8 KiB
Text
Raw Blame History

$NetBSD: patch-aa,v 1.1.1.1 2008/08/10 15:48:46 mstapelberg Exp $
--- mxallowd.1.orig 2008-06-28 04:04:20.000000000 +0200
+++ mxallowd.1
@@ -8,7 +8,7 @@
.fi
..
-.TH mxallowd 1 "JULY 2008" Linux "User Manuals"
+.TH mxallowd 1 "JULY 2008" NetBSD "User Manuals"
.SH NAME
mxallowd \- dynamically whitelist your Mail eXchanger
@@ -31,13 +31,11 @@ mxallowd \- dynamically whitelist your M
.IR fake-mailserver \|
.RB \|\-r
.IR real-mailserver \|
-.RB \|\-n
-.IR queue-num \|
.SH DESCRIPTION
.B mxallowd
-is a daemon which uses libnetfilter_queue (on Linux) or pf and pflog (on BSD) to allow (or deny) connections to a mailserver (or similar application) if the remote host hasn't connected to a fake daemon before.
+is a daemon which uses or pf and pflog to allow (or deny) connections to a mailserver (or similar application) if the remote host hasn't connected to a fake daemon before.
This is an improved version of the so-called nolisting (see http://www.nolisting.org/). The assumption is that spammers are not using RFC 2821-compatible SMTP-clients and are sending fire-and-forget spam (directly to the first or second MX-entry without retrying on error). This direct access is blocked with mxallowd, you'll only get a connection if you retry.
@@ -77,10 +75,6 @@ Specify which IP-address the real mailse
Do not fork into background, stay on console
.TP
-.B \-n, \-\-queue\-num (only available when compiled for netfilter_queue)
-Specify the queue number which will be used for the netfilter_queue-link. This has to be the same which is specified in the iptables-rule and it has to be specified, there is no default.
-
-.TP
.B \-p, \-\-pflog\-interface (only available when compiled for pf)
Specify the pflog(4) interface which you configured in pf(4). The default is pflog0. Also see the pcap-filter-option if you use an interface which does not only get smtp-traffic.
@@ -92,32 +86,20 @@ Specify the filter for pcap. The default
.TP
.B /etc/mxallowd.conf
System-wide configuration file. Use the long options without the beginning two dashes. For example:
-.Vb 6
+.Vb 5
\&
\& stdout
\& fake-mailserver 192.168.1.3
\& fake-mailserver 192.168.1.4
\& real-mailserver 192.168.1.5
-\& queue-num 23
.Ve
-.SH EXAMPLES FOR NETFILTER
-The machine has two IP-addresses. The mailserver only listens on 192.168.1.4, the nameserver returns the mx-records mx1.domain.com (192.168.1.3) with priority 5 and mx2.domain.com (192.168.1.4) with priority 10.
-.PP
-.Vb 3
-\&# modprobe nfnetlink_queue
-\&# iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j NFQUEUE --queue-num 23
-\&# mxallowd -s -F -f 192.168.1.3 -r 192.168.1.4 -n 23
-.Ve
-
-Then open a separate terminal and connect via telnet on your real mailserver. You'll see the connection attempt being dropped. Now connect to the fake mailserver and watch mxallowd's output. Afterwards, connect to the real mailserver to verify your mailserver is still working.
-
-.SH EXAMPLES FOR PF
+.SH EXAMPLES
The machine has two IP-addresses. The mailserver only listens on 192.168.1.4, the nameserver returns the mx-records mx1.domain.com (192.168.1.3) with priority 5 and mx2.domain.com (192.168.1.4) with priority 10.
Create a pf.conf like this:
.PP
-.Vb 11
+.Vb 16
\& table <mx-white> persist
\&
\& real_mailserver="192.168.1.4"
@@ -126,10 +108,14 @@ Create a pf.conf like this:
\& real_mailserver6="2001:dead:beef::1"
\& fake_mailserver6="2001:dead:beef::2"
\&
-\& pass in quick log on fxp0 proto tcp from <mx-white> to $real_mailserver port smtp
-\& pass in quick log on fxp0 inet6 proto tcp from <mx-white> to $real_mailserver6 port smtp
-\& block in log on fxp0 proto tcp to { $fake_mailserver $real_mailserver } port smtp
-\& block in log on fxp0 inet6 proto tcp to { $fake_mailserver6 $real_mailserver6 } port smtp
+\& pass in quick log on fxp0 proto tcp from <mx-white> \\
+\& to $real_mailserver port smtp
+\& pass in quick log on fxp0 inet6 proto tcp from <mx-white> \\
+\& to $real_mailserver6 port smtp
+\& block in log on fxp0 proto tcp \\
+\& to { $fake_mailserver $real_mailserver } port smtp
+\& block in log on fxp0 inet6 proto tcp \\
+\& to { $fake_mailserver6 $real_mailserver6 } port smtp
.Ve
Afterwards, load it and start mxallowd using the following commands:
@@ -141,10 +127,7 @@ Afterwards, load it and start mxallowd u
Then open a separate terminal and connect via telnet on your real mailserver. You'll see the connection attempt being dropped. Now connect to the fake mailserver and watch mxallowd's output. Afterwards, connect to the real mailserver to verify your mailserver is still working.
-The ruleset for pf is actually longer because pf does more than netfilter on linux -- netfilter passes the packets and lets mxallowd decide whether to drop/accept whilst pf blocks/passes before even "passing" to mxallowd.
-
.SH SEE ALSO
-.BR iptables (8),
.BR pf (4),
.BR pflog (4),
.BR tcpdump (8)
Reference in a new issue View git blame Copy permalink