gmane.os.openbsd.misc

Re: spamd greylisting: false positives

Nicolai — 2012-05-25T16:49:59

spamd acts up for me occasionally.  In such cases I just

 /etc/rc.d/spamd stop
 rm /var/db/spamd
 /etc/rc.d/spamd start


He might have assumed that because you described your problem more with
narration than with logs or copy/paste, and when you did copy and paste,
it was incomplete.  For example:


Is that from rc.conf.local?  The command line?  If it was the command
line, were you calling spamd directly, or using rc.d?  Is that the
entire argument list passed?  Only what you thought was relevant to the
issue?  We don't know.

And when you say spamd was deleting email... that's just not possible
because spamd returns a 4xy/5xy after DATA.

There's no reason to narrate when logs tell a better story.

Nicolai

Re: spamd greylisting: false positives

Matthew Weigel — 2012-05-25T16:49:49

In the greylist, or in the whitelist (both are stored in
/var/db/spamdb)?  I'm wondering now whether your /var/db/spamdb
got wiped out when you upgraded.  If that happened, then all
pre-existing whitelist entries would be gone, and emails would
have to go through greylisting again.

Also, if your standard procedure when making changes was as below
(wiping out spamdb), you would be pretty much guaranteed to drop
a lot of mail on the floor given exponential back off.


Presumably you have at least some whitelist entries there, and some
mail in transit that you would like to eventually receive.  Flushing
the database now would mean that anything currently greylisted is
very unlikely to be whitelisted, and anything whitelisted will be
greylisted next time it tries to deliver mail.


With default settings, you need to be patient for 4 hours.  Past 4
hours, the chances are close to nil that you'll get that mail.  Until
4 hours have passed, though, it's completely possible you'll still
receive the mail.


You will.


It's pretty straightforward to script pulling SPF records from Google
and whitelisting them.  Facebook is another company that sends a lot
of mail through many servers, but documents those servers in SPF
records you can poll (say, on a weekly basis).  There are very few
other mail server clusters that have that behavior, so once you
identify those two, and script it, the problem is basically solved.

For example, you could move your current nospamd file to
/etc/mail/nospamd.constant, and then do the following in
/etc/weekly.local:

next_part "Whitelisting Google mail servers"
/usr/sbin/dig _spf.google.com TXT + short | tr "\ " "\n" | grep ip4: \
  | cut -d: -f2 | sort -n > /etc/mail/nospamd.dynamic
cat /etc/mail/nospamd.constant /etc/mail/nospamd.dynamic > 
/etc/mail/nospamd
/sbin/pfctl -t gmail-white -T replace -f /etc/mail/nospamd 2>&1 \
  | grep -v 'no changes'

That's very close to something someone else shared on misc< at > many
moons ago, I don't remember who.

Re: HW upgrade options, opinions please?

David Diggles — 2012-05-25T16:04:41

Oh it just means the standalone geode redirects all inbound connections
from the internet, to the Pentium 4.

The other pair of carp geodes protect the office subnet, and the Pentium 4
does not have ip forwarding, but acts as a squid cache etc.

Any suggestions for improvement?  Is there a standard for this?

On Fri, May 25, 2012 at 05:14:31PM +0200, ropers wrote:

Re: spamd greylisting: false positives

David Diggles — 2012-05-25T15:50:40

I wasn't receiving email, from lists.openbsd.org and also from my
work email address, until I added the respective smtp servers to
the whitelist table in pf.

I could see them in the greylist when I typed spamdb.

Yes. I did misunderstand the spamd log entry about deletion.

Though I would not bother playing with settings if the expected
emails were being received.

I will go ahead and flush the spamdb database, and the pf tables
and start over with default everything, no whitelist pf entries.

This time I will sit on my hands and wait.  Maybe I was not
being patient enough.

When you say I misconfigured my setup, what do you mean?
What else is there to spamd other than adding it to rc.conf.local
and a few pf rules?

As for gmail;
I have not had this issue sending email from gmail to spamd.

Seriously though, if I have to keep manually adding smtp servers
to a whitelist, I will run in blacklist only mode.

On Fri, May 25, 2012 at 11:07:12AM -0400, Kurt Mosiejczuk wrote:

Re: HW upgrade options, opinions please?

ropers — 2012-05-25T15:14:31

The way you use that ======= in your graphic, even with the
explanatory comment, is hella confusing. I think I got what you mean:
That's where it goes, but it goes there via the carp geodes, not via
any direct connection. But even if I did now understand that correctly
(which I'm not entirely sure about), it's still a hella confusing way
to document that.

On 24 May 2012 08:51, David Diggles <david< at >elven.com.au> wrote:
http://www.supermicro.com.tw/products/system/1U/5015/SYS-5015A-EHF-D525.cfm

Re: spamd greylisting: false positives

Kurt Mosiejczuk — 2012-05-25T15:07:12

Stop playing with those settings, you are freaking out about log entries 
that don't mean what you think they mean.

spamd seems to have a queue for updates to the database.  This is based 
off of a 2 minute look at the code in question, but it seems to use the 
to do all changes from a scan run at once, so it can do all the 
necessary changes in one burst.

What you are seeing are messages about it deleting stuff from its own 
database, not email.  spamd doesn't accept email.  The email never gets 
to your smtp daemon until it's gotten through spamd's delays.

Are you actually not receiving email?  Or assuming there is a problem 
based upon your panicked look at the logs?

If emails aren't getting through, they may either need to be explicitly 
whitelisted (providers like gmail do things that mean they may never get 
through graylisting), or you have misconfigured your setup.

--Kurt

Re: German Government claims to be able to break PGP and SSH

Peter Laufenberg — 2012-05-25T14:11:30

"Autoeimer", with unlimited strcat() known to overflow students' brains.

Yes the "Bundestrojaner". I pictured a fat politician's soggy condom on the back of his doggy-style mistress: "one for the country!" Mild stuff considering German pr0n culture.

Re: IBM x3850/x3950 OpenBSD dmesg

Jonathan Gray — 2012-05-25T14:08:28

If they are anything like the x3550 M4 you'll want to test with a -current
snapshot.  As per usual dmesgs sent to dmesg< at >openbsd.org are appreciated.

Re: spamd greylisting: false positives

David Diggles — 2012-05-25T13:28:55

The spamd pf.conf rules I have are:

table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"
pass in on egress proto tcp from any to any port smtp \
    rdr-to 127.0.0.1 port spamd
pass in on egress proto tcp from <nospamd> to any port smtp
pass in log on egress proto tcp from <spamd-white> to any port smtp
pass out log on egress proto tcp to any port smtp

Henning, the clock seems fine.  Ntpd is not complaining about losing time.
I will return all the spamd options to default.

spamd-setup is running from cron, 13 mins after every hour.

On 15th of May, I upgraded to 5.1 with a clean install.  Maybe the problem
is not spamd, but my configuration of sendmail.

On Fri, May 25, 2012 at 12:20:45PM +0200, obsd wrote:

Re: Recent BIND ports

Simon Perreault — 2012-05-25T13:10:15

Le 12-05-25 06:24, Kostas Zorbadelos a icrit :

purely out of curiosity: why?

Re: German Government claims to be able to break PGP and SSH

Joe Gain — 2012-05-25T12:25:16

car + eimer? ay carambas?!!

On Thu, May 24, 2012 at 10:13 PM, Stuart VanZee <StuartV< at >datalinesys.com> wrote:

Re: spamd greylisting: false positives

obsd — 2012-05-25T10:05:14

-----Ursprungligt meddelande-----
Fren: owner-misc< at >openbsd.org [mailto:owner-misc< at >openbsd.org] Fvr David
Diggles
Skickat: den 25 maj 2012 11:14
Till: misc< at >openbsd.org
Dmne: Re: spamd greylisting: false positives

I am now trying it with -G120:6:864

Although I can't think how to reproduce the problem in a controlled way,
other than wait and see what emails I don't get :/

On Fri, May 25, 2012 at 02:07:33AM -0500, Matthew Weigel wrote:

Hello

Not a behavior I can recognize.
I would recommend to start over the configuration from the beginning, after
checking the obvious system settings.
Standard settings should be fine as a starter. Later on, adjust to your
likings.
You can find some good instructions (explainations) here :
http://www.pantz.org/software/spamd/configspamd.html
https://calomel.org/spamd_config.html

Regards Hasse

IBM x3850/x3950 OpenBSD dmesg

Jiri B — 2012-05-25T11:27:48

Hi,

we will be deactivating some old servers. I will try to boot OpenBSD
and provide dmesg.

   |----Product Name................................................IBM x3850-[88634SG]-
   |----Product Name................................................IBM 3850 M2 / x3950 M2 -[71414RG]-

Anybody interested in output and details? I cannot give access :(

jirib

Ljetovanje na Bolu - Brač

Apartmani Karla — 2012-05-25T09:44:47

Dragi oboavatelji Bola i Braha,

PROVEDITE 7 DANA NA BOLU U APARTMANU
ZA SAMO 1.321 kn

Od 1.5. do 23.6.

Od 26.8. do 31.10.

Broj aranmana je ogranihen.






Ukoliko vas je vie od dvoje u apartmanu, sljedefe dvije osobe plafaju cijenu
za jednu.



Otkrijte Bol - uivajte na najljepoj plai na Mediteranu  plai Zlatni rat.

Zanimljivi izleti
Kupanje u kristalno histom moru

etnje kroz zanimljive pejzae
Masae i tretmani u wellness centrima
Domafa hrana
I mnogo vie...
Vie informacija i rezervacije na naim web stranicama.
www.apartmani-karla.net



Slobodno nam se obratite sa svim pitanjima.


Ukoliko vie ne elite primati nae ponude odgovorite na ovaj mail porukom
ODJAVA.

Re: spamd greylisting: false positives

obsd — 2012-05-25T10:20:45

-----Ursprungligt meddelande-----
Fren: owner-misc< at >openbsd.org [mailto:owner-misc< at >openbsd.org] Fvr David
Diggles
Skickat: den 25 maj 2012 11:14
Till: misc< at >openbsd.org
Dmne: Re: spamd greylisting: false positives

I am now trying it with -G120:6:864

Although I can't think how to reproduce the problem in a controlled way,
other than wait and see what emails I don't get :/

On Fri, May 25, 2012 at 02:07:33AM -0500, Matthew Weigel wrote:

Ahh...
Just struck me....  Please check the syntax of your pf rules
This is what's working for me :

table <spamd-white> persist

pass in log on egress proto tcp from <spamd-white> rdr-to 127.0.0.1 port
smtp
pass in log on egress proto tcp from !<spamd-white> rdr-to 127.0.0.1 port
spamd

/Hasse

Re: Recent BIND ports

Kostas Zorbadelos — 2012-05-25T10:24:57


filter-aaaa-on-v4 (9.7+) (needed now), stupid NXDOMAIN Redirection
(hopefully we won't need that) (9.9).

Also we haven't deployed DNSSEC yet, 9.7+ has many features for this
although unbound might be a good solution.
 
Kostas

Re: spamd greylisting: false positives

Kevin Chadwick — 2012-05-25T09:53:25

On Fri, 25 May 2012 17:22:04 +1000
David Diggles wrote:


I find it hard to believe lists.openbsd.org isn't RFC compliant. I
guess you have another problem.

If you send me an address privately. I'll send a mail from Yahoo. I
know Yahoo mails get through tighter than default settings.

Re: spamd greylisting: false positives

Henning Brauer — 2012-05-25T09:34:52

* David Diggles <david< at >elven.com.au> [2012-05-25 09:18]:

the defaults are fine, afaict almost everybody is running with them.
that is not your problem, something in your setup is very wrong. first
sanity check would be the clock, tho I have a hard time seeing how it
could jump repeatedly.

Re: Recent BIND ports

Henning Brauer — 2012-05-25T09:36:19

* Kostas Zorbadelos <kzorba< at >otenet.gr> [2012-05-25 10:06]:

purely out of curiosity: why?

Re: Strange MASTER/BACKUP behavior with carp

Henning Brauer — 2012-05-25T09:29:21

* Johan Ryberg <johan< at >securit.se> [2012-05-24 20:38]:

no.

the absolute advskew values don't really matter much, the difference
does. since that is a time in the end 1 could be a little too close.

Re: spamd greylisting: false positives

David Diggles — 2012-05-25T09:13:43

I am now trying it with -G120:6:864

Although I can't think how to reproduce the problem in a controlled way,
other than wait and see what emails I don't get :/

On Fri, May 25, 2012 at 02:07:33AM -0500, Matthew Weigel wrote: