I have an OpenBSD 7.1 mail server running OpenSMTPD with spamd.

I notice mysterious IP addresses in /var/log/maillog, such as:

```
smtp connected address=162.142.125.222 host=scanner-25.ch1.censys-scanner.com
```

These IPs keep getting whitelisted in the spamdb, which I don't want to happen. Should they not talk to spamd first, rather than go straight to SMTPD?

My /etc/pf.conf reads:

```
emailserver = "192.168.7.5"
email = "{ smtp, imaps }"

set skip on lo

block all
block return    # block stateless traffic
pass            # establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild

#pass in on egress proto tcp to any port smtp
#pass in on egress proto tcp to any port submission

table <badhosts> persist file "/etc/badhosts"
table <sshguard> persist
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"

block in quick from <sshguard>
block in quick from <badhosts>
pass in log on egress proto tcp to any port smtp \
    divert-to 127.0.0.1 port spamd
pass in log on egress proto tcp from <nospamd> to any port smtp
pass in log on egress proto tcp from <spamd-white> to any port smtp
pass out log on egress proto tcp to any port smtp
pass log (to pflog1) proto tcp to $emailserver port $email
pass log (to pflog1) proto tcp from $emailserver to port smtp
```

I don't see why these IPs are getting whitelisted. They don't appear on the /etc/mail/nospamd whitelist.

Would it have something to do with the bottom two statements?

```
pass log (to pflog1) proto tcp to $emailserver port $email
pass log (to pflog1) proto tcp from $emailserver to port smtp
```

I was trying to add IPs of outgoing email to the whitelist, and added those two statements and created the pflog1 interface, after reading The Book of PF.
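As an added example (not part of the original question), a small sh/awk audit that lists the spamdb WHITE entries whose address is not in the static /etc/mail/nospamd file, so that entries reached through greylist promotion or spamlogd can be told apart from hosts the pf `<nospamd>` table lets straight through. The spamdb record layout used here and both sample inputs are constructed assumptions, not data from the poster's server.

```shell
#!/bin/sh
# Added example: report spamdb WHITE addresses absent from the nospamd file.
# Assumes spamdb(8) WHITE records look like: WHITE|ip|||first|pass|expire|count

# Constructed sample of `spamdb` output (offline stand-in for the real command).
SAMPLE_SPAMDB='WHITE|162.142.125.222|||1650000000|1650001500|1653000000|2
WHITE|203.0.113.10|||1650000000|1650001500|1653000000|1
GREY|198.51.100.7|mail.example.net|<a@example.net>|<b@example.com>|1650000000|1650001500|1650020000|1|0
TRAPPED|192.0.2.99|1653000000'

# Constructed sample of /etc/mail/nospamd (one address per line, # comments).
SAMPLE_NOSPAMD='# trusted relays
203.0.113.10
'

# unexpected_white NOSPAMD_CONTENTS < spamdb-output
# Prints every WHITE address from stdin that is not listed in $1.
# Exact-address match only: CIDR entries in nospamd are not expanded here.
unexpected_white() {
    nospamd="$1"
    awk -F'|' -v list="$nospamd" '
        BEGIN {
            n = split(list, lines, "\n")
            for (i = 1; i <= n; i++) {
                sub(/#.*/, "", lines[i]); gsub(/[ \t]/, "", lines[i])
                if (lines[i] != "") known[lines[i]] = 1
            }
        }
        $1 == "WHITE" && !($2 in known) { print $2 }
    '
}

# Run against the constructed samples; prints 162.142.125.222 only.
printf '%s\n' "$SAMPLE_SPAMDB" | unexpected_white "$SAMPLE_NOSPAMD"
```

On the real host the same function runs as `spamdb | unexpected_white "$(cat /etc/mail/nospamd)"`; anything it prints got onto the whitelist by a path other than the nospamd file.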