spamd nonfunctioning due to power outage in SD

Olli Hauer ohauer at gmx.de
Wed Oct 24 11:15:20 PDT 2007


dssampson at yahoo.com wrote:
> I had a power outage to our building due to the fires in San Diego and it crashed those without UPSes. One of them is the spamd machine. I've brought it back up and ran fsck on all volumes. However, mail will not come into our mailboxes from outside but mail can be delivered to outside recipients. I can telnet into the spamd machine and send mail externally and internally. Postfix seems to be ok. When I stop pf, mail from the outside of our LAN comes pouring in. When I start up pf, inbound mail comes to a stop. In the spamd log, I see all kinds of connections being blacklisted and greylisted but still not one mail is being delivered. I am using spamd-mywhite as my whitelist and put all known GMail IP addresses on it. I then send an email from my GMail account to this machine. It gets greylisted and eventually sits in the greylist for quite a while. I also see port 25 open on both external and internal NICs and port 8025 open on the localhost interface.
> 
> I need assistance in troubleshooting this. Running spamd 4.1.2 on FreeBSD 6.2. We average 800 valid mails per day and so far in the last 24 hours, not one mail has come through using the existing spamd configuration.
> 
> mailfilter-root@/usr/ports# pfctl -vvnf /etc/pf.conf
> ext_if = "rl0"
> int_if = "xl0"
> internal_net = "192.168.1.1/24"
> external_addr = "216.70.250.4"
> vpn_net = "10.8.0.0/24"
> icmp_types = "echoreq"
> NoRouteIPs = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
> webserver1 = "192.168.1.4"
> set skip on { lo0 }
> set skip on { gif0 }
> @0 scrub in all fragment reassemble
> @1 nat on rl0 inet from 192.168.1.0/24 to any -> (rl0) round-robin
> @2 nat on rl0 inet from 10.8.0.0/24 to any -> (rl0) round-robin
> @3 rdr on rl0 inet proto tcp from any to 216.70.250.4 port = http -> 192.168.1.4 port 80
> table <spamd> persist
> table <spamd-white> persist
> table <spamd-mywhite> persist file "/usr/local/etc/spamd/spamd-mywhite"
> @4 rdr inet proto tcp from <spamd-mywhite:0> to 216.70.250.4 port = smtp -> 127.0.0.1 port 25
> @5 rdr inet proto tcp from <spamd-white:0> to 216.70.250.4 port = smtp -> 127.0.0.1 port 25
> @6 rdr pass inet proto tcp from <spamd:0> to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
> @7 rdr pass inet proto tcp from ! <spamd-white:0> to 216.70.250.4 port = smtp -> 127.0.0.1 port 8025
> @8 pass in log inet proto tcp from any to 216.70.250.4 port = smtp flags S/SA synproxy state
> @9 pass out log inet proto tcp from 216.70.250.4 to any port = smtp flags S/SA synproxy state
> @10 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
> @11 block drop in log all
> @12 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
> @13 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
> @14 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
> @15 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
> @16 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
> @17 block drop out log quick on rl0 inet from any to 127.0.0.0/8
> @18 block drop out log quick on rl0 inet from any to 192.168.0.0/16
> @19 block drop out log quick on rl0 inet from any to 172.16.0.0/12
> @20 block drop out log quick on rl0 inet from any to 10.0.0.0/8
> @21 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
> @22 block drop in log quick inet from 192.168.1.25 to any
> @23 pass in on xl0 inet from 192.168.1.0/24 to any
> @24 pass out log on xl0 inet from any to 192.168.1.0/24
> @25 pass out log quick on xl0 inet from any to 10.8.0.0/24
> @26 pass out on rl0 proto tcp all flags S/SA modulate state
> @27 pass out on rl0 proto udp all keep state
> @28 pass out on rl0 proto icmp all keep state
> @29 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
> @30 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
> warning: macro 'icmp_types' not used
> mailfilter-root@/usr/ports# 
> 
> What's the quickest way to recover from this? Any other troubleshooting techniques?
> 
> ~Doug
> 

With rule @11 (log) you can do a
tcpdump -net -i pflog0 and look at the block rule number.

Also do a sockstat -4 -p 25 and check whether your mail server listens on 127.0.0.1:25; otherwise rules @4 and @5 have no effect.

olli
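
Added example, not part of the original thread: one way to read the `tcpdump -net -i pflog0` output suggested above is to tally blocked packets per rule number, interface and destination. The function names and the sample capture are constructed for illustration; the sample assumes the destination is logged as the filter sees it after `rdr`.

```shell
#!/bin/sh
# Summarise blocked packets from `tcpdump -net -i pflog0` output read on stdin.
# Prints one line per (rule, interface, destination), most frequent first:
#   <count> rule=<n> if=<interface> dst=<ip.port>
pflog_block_summary() {
    awk '
    # pflog lines look like: rule 11/0(match): block in on rl0: SRC > DST: ...
    $1 == "rule" && $3 == "block" {
        # "11/0(match):" and the newer "11..16777216/0(match):" both give r[1] = 11
        split($2, r, "[./]")
        ifname = $6
        sub(/:$/, "", ifname)
        dst = "?"
        for (i = 7; i < NF; i++) if ($i == ">") { dst = $(i + 1); break }
        sub(/:$/, "", dst)
        n[r[1] " " ifname " " dst]++
    }
    END {
        for (k in n) {
            split(k, f, " ")
            printf "%d rule=%s if=%s dst=%s\n", n[k], f[1], f[2], f[3]
        }
    }' | sort -k1,1nr -k2,2
}

# Constructed sample capture (not taken from the poster's machine).
# Source addresses are documentation ranges; rule numbers are illustrative.
sample_pflog() {
    cat <<'EOF'
rule 11/0(match): block in on rl0: 192.0.2.10.40112 > 127.0.0.1.25: S 1111:1111(0) win 65535 <mss 1460>
rule 11/0(match): block in on rl0: 192.0.2.10.40113 > 127.0.0.1.25: S 2222:2222(0) win 65535 <mss 1460>
rule 11/0(match): block in on rl0: 198.51.100.7.51500 > 127.0.0.1.25: S 3333:3333(0) win 65535 <mss 1460>
rule 14/0(match): block in on rl0: 192.168.5.9.1025 > 192.168.1.4.80: S 4444:4444(0) win 8192
rule 8/0(match): pass in on rl0: 203.0.113.5.33000 > 216.70.250.4.25: S 5555:5555(0) win 65535
EOF
}

# Stand-alone run on the sample. On a live system, bound the capture, e.g.:
#   tcpdump -net -c 200 -i pflog0 | pflog_block_summary
sample_pflog | pflog_block_summary
```

The rule number in each pflog line refers to the loaded filter ruleset, so compare it against the numbering shown by `pfctl -vvsr`.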
