is it ok to run smtpd on 127.0.0.1 and have pf rdr-to it


Gabriel Guzman-2
Hi list,

The spamd(8) man page has the following example:

    table <spamd-white> persist
    table <nospamd> persist file "/etc/mail/nospamd"
    pass in on egress proto tcp from any to any port smtp \
        rdr-to 127.0.0.1 port spamd
    pass in on egress proto tcp from <nospamd> to any port smtp
    pass in log on egress proto tcp from <spamd-white> to any port smtp
    pass out log on egress proto tcp to any port smtp

Here, spamd is listening on 127.0.0.1, and smtpd is (presumably) listening on any interface. Is there a problem with only allowing smtpd to listen on 127.0.0.1 as well, and changing the pass in rule to:

    pass in on egress proto tcp from <nospamd> to port smtp \
    rdr-to 127.0.0.1 port smtp

This configuration is working, but I want to be sure I'm not doing something stupid w/out realizing it.


pf.conf and smtpd.conf files below.

Thanks,
gabe.


==pf.conf==
#       $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# macros
tcp_services="{ 53, 80, 113, 143, 443, 465 }"
udp_services="{ 53 }"
icmp_types="echoreq"

# options
set block-policy return
set loginterface egress
set skip on lo

#scrub incoming packets
match in all scrub (no-df)

#setup a default deny policy
block all

#activate spoofing protection for all interfaces
block in quick from urpf-failed

#allow l2tp tunnels
pass quick proto { esp, ah } from any to any
pass in quick on egress proto udp from any to any \
        port {500, 4500, 1701} keep state
pass on enc0 from any to any keep state (if-bound)

#allow tcp_services
pass in on egress proto tcp to port $tcp_services keep state

#allow udp_services
pass in on egress proto udp to port $udp_services keep state

# pass in icmp traffic
pass in inet proto icmp all icmp-type $icmp_types

#let this machine pass anything out
pass out quick

# rules for sshd(8)
block quick from <bad_hosts>
pass in on egress proto tcp to port ssh keep state \
        (max-src-conn-rate 5/30, overload <bad_hosts> flush global)

# rules for spamd(8)
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"
pass in on egress proto tcp to port smtp \
    rdr-to 127.0.0.1 port spamd
pass in on egress proto tcp from <nospamd> to port smtp \
    rdr-to 127.0.0.1 port smtp
pass in log on egress proto tcp from <spamd-white> to port smtp \
    rdr-to 127.0.0.1 port smtp
pass out log on egress proto tcp to port smtp

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

==smtpd.conf==
#       $OpenBSD: smtpd.conf,v 1.6 2013/01/26 09:38:25 gilles Exp $

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

listen on lo0 tls
listen on egress smtps auth

table aliases db:/etc/mail/aliases.db

accept for local alias <aliases> deliver to mbox
accept from any for domain dojocho.org deliver to mbox
accept from any for domain lifewaza.com deliver to mbox
accept for any relay
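Added illustration, not part of the original post and not pf's own code: a small Python model of how pf chooses the winning rule among the three `pass in ... port smtp` rules above. Every rule is evaluated and the last match wins (no `quick` is set), so the `<nospamd>` and `<spamd-white>` rules override the catch-all redirect to spamd; the table contents and source addresses are constructed samples, and the spamd port 8025 is an assumption.

```python
# Added example: a toy model of pf's last-match-wins evaluation for the smtp rules
# in the post. Not pf's code; tables and addresses below are constructed samples.
import ipaddress
from dataclasses import dataclass
from typing import Optional

SPAMD_PORT = 8025  # assumed: spamd(8) default listening port

@dataclass(frozen=True)
class Rule:
    src_table: Optional[str]  # None models "from any"
    dst_port: int
    rdr_port: int             # rdr-to 127.0.0.1 port <rdr_port>
    log: bool = False
    quick: bool = False

# Constructed table contents standing in for /etc/mail/nospamd and <spamd-white>.
TABLES = {
    "nospamd": ["192.0.2.0/24"],
    "spamd-white": ["198.51.100.7"],
}

# The three 'pass in on egress ... port smtp' rules, in pf.conf order.
SMTP_RULES = [
    Rule(None, 25, SPAMD_PORT),
    Rule("nospamd", 25, 25),
    Rule("spamd-white", 25, 25, log=True),
]

def in_table(addr: str, table: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in TABLES[table])

def evaluate(rules, src: str, dport: int):
    """Return (action, rdr_port, log) for an inbound TCP packet on egress.
    pf semantics: every rule is checked and the last match wins, unless a
    matching rule carries 'quick', which ends evaluation immediately.
    No match falls through to the 'block all' default."""
    winner = None
    for rule in rules:
        if rule.dst_port != dport:
            continue
        if rule.src_table is not None and not in_table(src, rule.src_table):
            continue
        winner = rule
        if rule.quick:
            break
    if winner is None:
        return ("block", None, False)
    return ("pass", winner.rdr_port, winner.log)
```

Reversing the rule order in `evaluate` shows the caveat: the catch-all spamd redirect would then become the last match and whitelisted hosts would be greylisted too.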