How to synchronise 2 spamd instances


How to synchronise 2 spamd instances

Mik J
Hello,
I read the man page, but it's not so clear to me:
https://man.openbsd.org/spamd#SYNCHRONISATION
a) I chose unicast synchronisation, but I don't know which port I should open on the firewall.
Is it going to use the spamd-cfg service?

b) The synchronisation section mentions a key, and there's an option -K regarding that key, but in the example the -K option is not used. So it's not clear.

c) It's not clear which instance is going to contact which. Is there a master/slave relationship? What if one IP is WHITELIST on one instance and BLACKLIST on the other?
Also, should I use the -Y option on both instances? Are both going to try to start a TCP session?

d) Is the message digest calculated in MD5?

e) Should I specify the -M option on all instances or just on the low-priority MX? Which IP address should I specify: the one on that host or the remote MX?

Thank you

Re: How to synchronise 2 spamd instances

Otto Moerbeek
On Sun, Apr 21, 2019 at 09:53:52AM +0000, Mik J wrote:

> Hello,
> I read the man page, but it's not so clear to me:
> https://man.openbsd.org/spamd#SYNCHRONISATION
> a) I chose unicast synchronisation, but I don't know which port I should open on the firewall.
> Is it going to use the spamd-cfg service?

It will use spamd-sync (udp port 8025)

>
> b) The synchronisation section mentions a key, and there's an option -K regarding that key, but in the example the -K option is not used. So it's not clear.

-K is optional. But if you use it, all instances syncing should use
the same key.

>
> c) It's not clear which instance is going to contact which. Is there a master/slave relationship? What if one IP is WHITELIST on one instance and BLACKLIST on the other?
> Also, should I use the -Y option on both instances? Are both going to try to start a TCP session?

It's symmetrical. All spamd's send updates to each other. No tcp
involved, only udp. Specify A's IP on B and vice-versa.

>  
> d) Is the message digest calculated in MD5?

It uses a sha1 hmac message authentication code, so no md5 digest.

>
> e) Should I specify the -M option on all instances or just on the low-priority MX? Which IP address should I specify: the one on that host or the remote MX?
>
> Thank you

Never used -M myself, but reading spamd.conf it looks like you only
specify an -M IP on the host serving that IP. Note that -M is
optional.

        -Otto
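As an added illustration of Otto's two points (the sync datagrams on udp/8025 carry an HMAC-SHA1, and every instance must use the same key), here is a Python model of framing and verifying one spamd-sync message. This is not code from the thread or from spamd itself: the header layout, the zeroed-HMAC convention and the role of the key file are my assumptions from memory of spamd's sync.h, and the key and payload bytes are constructed.

```python
import hashlib
import hmac
import socket
import struct

# Wire layout modelled after spamd's sync.h as I recall it (an assumption;
# check /usr/src/libexec/spamd/sync.h): version, address family, total
# length, counter, 20-byte HMAC-SHA1, 4 bytes of padding, then TLV payload.
SYNC_PORT = 8025            # spamd-sync, UDP (as stated in the thread)
SYNC_VERSION = 1
HMAC_LEN = 20               # SHA-1 output size
HDR_FMT = "!BBHI20s4x"
HDR_LEN = struct.calcsize(HDR_FMT)   # 32 bytes


def build_sync_msg(key: bytes, counter: int, payload: bytes) -> bytes:
    """Sender side: frame the datagram and authenticate it with the shared key.
    The MAC covers the whole message with the HMAC field zeroed, and is then
    written into the header."""
    length = HDR_LEN + len(payload)
    hdr = struct.pack(HDR_FMT, SYNC_VERSION, socket.AF_INET, length, counter,
                      b"\0" * HMAC_LEN)
    mac = hmac.new(key, hdr + payload, hashlib.sha1).digest()
    return struct.pack(HDR_FMT, SYNC_VERSION, socket.AF_INET, length, counter,
                       mac) + payload


def verify_sync_msg(key: bytes, msg: bytes) -> bool:
    """Receiver side: accept only messages whose HMAC verifies under our key.
    A peer started with a different key therefore produces datagrams that are
    silently discarded, which is why all instances must share the key."""
    if len(msg) < HDR_LEN:
        return False
    version, af, length, counter, mac = struct.unpack(HDR_FMT, msg[:HDR_LEN])
    if version != SYNC_VERSION or length != len(msg):
        return False
    zeroed = struct.pack(HDR_FMT, version, af, length, counter, b"\0" * HMAC_LEN)
    expected = hmac.new(key, zeroed + msg[HDR_LEN:], hashlib.sha1).digest()
    return hmac.compare_digest(mac, expected)   # constant-time comparison


if __name__ == "__main__":
    shared = b"constructed-shared-secret"      # stands in for the shared key file contents
    payload = b"\x00\x01\x00\x08greyTLV"        # constructed opaque bytes, not a real entry
    msg = build_sync_msg(shared, 1, payload)
    print(verify_sync_msg(shared, msg))                  # True: same key on both peers
    print(verify_sync_msg(b"another-key", msg))          # False: key mismatch
    print(verify_sync_msg(shared, msg[:-1] + b"\xff"))   # False: tampered payload
```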


Re: How to synchronise 2 spamd instances

Mik J
Hello Otto,
Thank you for your answer. I'm working on it right now.
Regards

    On Sunday, 21 April 2019 at 12:50:08 UTC+2, Otto Moerbeek <[hidden email]> wrote:
 

Re: How to synchronise 2 spamd instances

Thuban
* Otto Moerbeek <[hidden email]> on [21-04-2019 12:49:07 +0200]:
> On Sun, Apr 21, 2019 at 09:53:52AM +0000, Mik J wrote:
>
> > Hello,
> > I read the man page, but it's not so clear to me:
> > https://man.openbsd.org/spamd#SYNCHRONISATION
> > a) I chose unicast synchronisation, but I don't know which port I should open on the firewall.
> > Is it going to use the spamd-cfg service?
>
> It will use spamd-sync (udp port 8025)

Good to know, I was blocking this traffic. It might be interesting to
add a word about this in the manpage, what do you think?


Re: How to synchronise 2 spamd instances

Rudy Baker
On Mon, Apr 22, 2019, 10:43 AM Thuban, <[hidden email]> wrote:

> * Otto Moerbeek <[hidden email]> on [21-04-2019 12:49:07 +0200]:
> > On Sun, Apr 21, 2019 at 09:53:52AM +0000, Mik J wrote:
> >
> > > Hello,
> > > I read the man page, but it's not so clear to me:
> > > https://man.openbsd.org/spamd#SYNCHRONISATION
> > > a) I chose unicast synchronisation, but I don't know which port I should
> open on the firewall.
> > > Is it going to use the spamd-cfg service?
> >
> > It will use spamd-sync (udp port 8025)
>
> Good to know, I was blocking this traffic. It might be interesting to
> add a word about this in the manpage, what do you think?
>

tcpdump -nettti pflog0

That command tells you if anything is being blocked. I normally start
there. You would have seen port 8025 being blocked right away.


Re: How to synchronise 2 spamd instances

Mik J
Hello,

I'm coming back on this topic. I added the -K option:
# /usr/libexec/spamd -v -s 5 -S 5 -w 1 -G5:24:2400 -l 127.0.0.1 -h myhost.mydomain.org -y vmx0 -Y myhost2.mydomain.org -K /etc/mail/spamd.key -n ABCD
# spamd: need key and certificate for TLS

So it seems it expects some kind of certificate/private key rather than a key.

Does anyone use the -K option successfully?

So far I didn't manage to make the synchro work. UDP packets on port 8025 are not dropped.
However, spamd doesn't seem to send any 8025/udp packets at all.

Regards

    On Tuesday, 23 April 2019 at 02:57:31 UTC+2, Rudy Baker <[hidden email]> wrote:
 

Re: How to synchronise 2 spamd instances

Sean Kamath-5
On May 26, 2019, at 04:41, Mik J <[hidden email]> wrote:

>
> Hello,
>
> I'm coming back on this topic. I added the -K option
> # /usr/libexec/spamd -v -s 5 -S 5 -w 1 -G5:24:2400 -l 127.0.0.1 -h myhost.mydomain.org -y vmx0 -Y myhost2.mydomain.org -K /etc/mail/spamd.key -n ABCD
> # spamd: need key and certificate for TLS
>
> So it seems it expects some kind of certificate/private key rather than a key.
>
> Does anyone use the -K option successfully?

Yes. :-) Looks like you forgot the '-C /etc/ssl/<whatever>.crt' option. Granted, this is on 6.3.

My full args are:

-h <myhost> -v -G 2:4:864 -y vio0 -Y <myotherhost> -K /etc/ssl/private/<myhost>.key -C /etc/ssl/<myhost>.crt

Works fine.

Sean



Re: How to synchronise 2 spamd instances

Mik J
Hello,

I'm back again with spamd synchronisation.

I made further tests, and it seems to me that only new entries in spamd are synchronised.
All existing entries from before the synchronisation are not sent to the other spamd instance.

Is it supposed to work like that?

Thank you

    On Sunday, 26 May 2019 at 22:49:25 UTC+2, Sean Kamath <[hidden email]> wrote:
 
 

Re: How to synchronise 2 spamd instances

Boudewijn Dijkstra-3
On Fri, 31 May 2019 00:34:39 +0200, Mik J <[hidden email]> wrote:

>  Hello,
>
> I'm back again with spamd synchronisation.
>
> I made further tests, and it seems to me that only new entries in spamd
> are synchronised.
> All existing entries from before the synchronisation are not sent to the
> other spamd instance.
>
> Is it supposed to work like that?

Yes. From the spamd(8) manual:
"The databases are synchronised for greylisted and trapped
entries; whitelisted entries and entries made manually using spamdb(8)
are not updated."





--
Made with Opera's e-mail program: http://www.opera.com/mail/