On Mon, Dec 10, 2007 at 04:24:03PM +0100, Renaud Allard wrote:
| Peter N. M. Hansteen wrote:
| > Renaud Allard <renaud@llorien.org> writes:
| > 
| >> I just noticed that spamd is trying to send ack packets from 127.0.0.1 to the IP
| >> of the sender when it hits the greytrap IP. I don't feel this is wanted
| >> behavior. Has anymone any idea of why it is doing so? 
| > 
| > ACK packets are part of any two-way TCP/IP communication.  Spamd's
| > mission with respect to blacklisted hosts is to waste spammers' time
| > by replying slowly.  If you primarily want to blackhole rather than
| > greylist and tarpit, spamd is not the tool you are looking for.
| > 
| 
| I know that ack packets are one part of the two-way TCP/IP communication.
| However sending ack packets with an originating IP of 127.0.0.1 to any non local
| (! 127.0.0.0/8) IP shouldn't happen, as they will never get back to (or at least
| be accepted by) the sender. So in my mind it is not normal behaviour or it is
| some kind of bug.

Have you actually seen these packets live on the wire ?

I doubt it. In general (the recommended setup), pf redirects incoming
requests to 127.0.0.1:8025, the port where spamd is listening *on
localhost*. Replies such as ACK's etc. *MUST* originate from
127.0.0.1:8025 in this case. PF will take care of rewriting the packet
to the address the client originally used to contact your mailserver
(spamdserver).

Unless you can demonstrate packets *on the wire* with 127.0.0.1 src
addresses, I think spamd and pf are doing their job just fine.

Cheers,

Paul 'WEiRD' de Weerd

-- 
quoted text
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                 http://www.weirdnet.nl/