Editorial pass through greylisting section.

At some point, expanding on how to use spamdb would be useful.

Sponsored by: iXsystems
Dru Lavigne 2014-02-19 17:51:00 +00:00
parent 6378ce16c2
commit 48b29310cd
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=43992

@ -1336,117 +1336,60 @@ rdr pass on $ext_if inet proto tcp from !<spamd-white> to \
hosts will soon start getting trapped within a few seconds to
several minutes.</para>
<sect4 xml:id="pftut-spamd-greylist">
<title>Adding Greylisting to the Setup</title>
<para><application>spamd</application> also supports
<firstterm>greylisting</firstterm>, which works by
rejecting messages from unknown hosts temporarily with
<replaceable>45n</replaceable> codes, letting messages
from hosts which try again within a reasonable time
through. Traffic from well behaved hosts, that is,
<para><application>PF</application> also supports
<firstterm>greylisting</firstterm>, which temporarily
rejects messages from unknown hosts with
<replaceable>45n</replaceable> codes. Messages
from greylisted hosts which try again within a reasonable time
are let through. Traffic from
senders which are set up to behave within the limits set
up in the relevant RFCs
<footnote><para>The relevant RFCs are mainly RFC1123
and RFC2821.</para></footnote>, will be let
by RFC 1123
and RFC 2821 are immediately let
through.</para>
<para>Greylisting as a technique was presented in a 2003
paper by Evan Harris
<footnote><para>The original
Harris paper and a number of other useful articles
and resources can be found at the <link
<para>More information about greylisting as a technique
can be found at the <link
xlink:href="http://www.greylisting.org/">greylisting.org</link>
web site.</para></footnote>, and a number of
implementations followed over the next few months.
OpenBSD's <application>spamd</application> acquired its
ability to greylist in OpenBSD 3.5, which was released
in May 2004.</para>
<para>The most amazing thing about greylisting, apart
web site. The most amazing thing about greylisting, apart
from its simplicity, is that it still works. Spammers
and malware writers have been very slow to adapt.</para>
and malware writers have been very slow to adapt in order
to bypass this technique.</para>
<para>The basic procedure for adding greylisting to your
setup follows below.</para>
<para>The basic procedure for configuring greylisting is as
follows:</para>
<procedure>
<title>Configuring Greylisting</title>
<step>
<para>If not done already, make sure the
file descriptor file system (see &man.fdescfs.5;) is
mounted at <filename>/dev/fd/</filename>. Do this
by adding the following line to
<filename>/etc/fstab</filename>:</para>
<programlisting>fdescfs /dev/fd fdescfs rw 0 0</programlisting>
<para>and make sure the &man.fdescfs.5; code is in the
kernel, either compiled in or by loading the module
with &man.kldload.8;.</para>
<para>Make sure that &man.fdescfs.5; is
mounted as described in Step 1 of the previous Procedure.</para>
</step>
<step>
<para>To run <application>spamd</application> in
greylisting mode, <filename>/etc/rc.conf</filename>
must be changed slightly by adding</para>
greylisting mode, add this line to <filename>/etc/rc.conf</filename>:</para>
<programlisting>spamd_grey="YES" # use spamd greylisting if YES</programlisting>
<para>Several greylisting related parameters can be
fine-tuned with <command>spamd</command>'s command
line parameters and the corresponding
<filename>/etc/rc.conf</filename> settings. Check
the <application>spamd</application> man page to see
what the parameters mean.</para>
<para>Refer to the <application>spamd</application> man page
for descriptions of additional related parameters.</para>
</step>
<step>
<para>To complete the greylisting setup, restart
<application>spamd</application> using the
<filename>/usr/local/etc/rc.d/obspamd</filename>
script.</para>
<para>To complete the greylisting setup:</para>
<programlisting>&prompt.root; <command>service restart obspamd</command>
&prompt.root; <command>service start spamlogd</command></programlisting>
</step>
</procedure>
<para>Behind the scenes, rarely mentioned and barely
documented are two of <application>spamd</application>'s
helpers, the <application>spamdb</application> database
<para>Behind the scenes, the <application>spamdb</application> database
tool and the <application>spamlogd</application>
whitelist updater, which both perform essential
functions for the greylisting feature. Of the two
<application>spamlogd</application> works quietly in the
background, while <application>spamdb</application> has
been developed to offer some interesting
features.</para>
<note>
<title>Restart <application>spamd</application> to
Enable Greylisting</title>
<para>After following all steps in the tutorial
exactly up to this point,
<application>spamlogd</application> has been started
automatically already. However, if the initial
<application>spamd</application> configuration did not
include greylisting,
<application>spamlogd</application> may not have been
started, and there may be strange symptoms, such as
greylists and whitelists not getting updated
properly.</para>
<para>Under normal circumstances, it should not be
necessary to start <application>spamlogd</application>
by hand. Restarting <application>spamd</application>
after enabling greylisting ensures
<application>spamlogd</application> is loaded and
available too.</para>
</note>
<para><application>spamdb</application> is the
whitelist updater perform essential
functions for the greylisting feature. <application>spamdb</application> is the
administrator's main interface to managing the black,
grey and white lists via the contents of the
grey, and white lists via the contents of the
<filename>/var/db/spamdb</filename> database.</para>
</sect4>
</sect3>
<sect3 xml:id="pftut-hygiene">
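Review bot: The two commands added in the last step of the procedure pass their arguments to service(8) in the wrong order. `service restart obspamd` and `service start spamlogd` should read `service obspamd restart` and `service spamlogd start`, because service takes the rc script name first and the command second; as written, a reader following the step will not get spamd restarted in greylisting mode. Separately, the rewritten opening paragraph now says "<application>PF</application> also supports greylisting", while the paragraph it replaces and the rest of the section (the spamd_grey setting, spamdb, spamlogd) attribute greylisting to spamd; suggest keeping <application>spamd</application> as the subject there. The new first step, "mounted as described in Step 1 of the previous Procedure", would also hold up better as a link to that step's id than as a positional reference that breaks if steps are reordered.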