# pf + postfix + dspam puzzle



## cbrace (Apr 26, 2013)

Hi all,

I could use an extra pair of eyes to solve something in my mailserver configuration.

I've set up mail/postfix and mail/dspam in a way which is probably familiar to you. Postfix passes incoming emails to dspam, which scans them, and returns them to postfix on port 10026, whereupon they are delivered.

For outgoing mails on the server, such as from a webmail client or a CMS, I use "localhost 10026", thereby bypassing dspam. No need to scan outgoing mails, right?

One final piece: I'd also like to use port 10026 to send mail from my permanent IP number, but for some reason I can't configure postfix to accept incoming mail from a remote IP. I've added my IP number to the mynetworks parameter in master.cf:

But no luck. Full entry:

```
localhost:10026 inet  n -       n       -       -        smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8,###.###.###.153/32
```

I've opened port 10026 in /etc/pf.conf

```
pass in on vtnet0 inet proto tcp from any to any port = 10026
```

Nmap indicates it is open:

```
PORT      STATE SERVICE
10026/tcp open  unknown
```

But if I try telnetting to 10026, I don't get the postfix prompt:

```
$ telnet ####.### 10026
Trying ##.##.##.##...
Connected to #####.###.
Escape character is '^]'.
```

This is what I expect:

```
Escape character is '^]'.
220 myhostname ESMTP Postfix
```

I expect the problem is here:

```
-o mynetworks=127.0.0.0/8,##.###.###.153/32
```

Any ideas?


----------



## johnblue (Apr 26, 2013)

cbrace said:

> I've opened port 10026 in /etc/pf.conf
> 
> ```
> pass in on vtnet0 inet proto tcp from any to any port = 10026
> ```


Hi @cbrace,

Since you are explicitly creating a "pass in" statement for port 10026, depending on how you have your "block" statement constructed you may need to also provide a "pass out".


```
pass in on vtnet0 inet proto tcp from any to any port = 10026
pass out on vtnet0 inet proto tcp from any to any port = 10026
```


----------



## cbrace (Apr 26, 2013)

Thanks for the reply. Shouldn't this cover it?

```
pass out quick on $ext_if inet keep state
```


----------



## kpa (Apr 26, 2013)

It's not covered by either, and there's no need to have a matching out rule because of stateful tracking. The pass in rule creates a state that then allows the return traffic to leave on the same interface the connection came in on.


----------



## johnblue (Apr 26, 2013)

kpa said:

> It's not covered by either and there's no need to have a matching out rule because of stateful tracking. The pass in rule creates a state that then allows the return traffic to leave the same interface the connection came in.


How do you reconcile this?

http://www.openbsd.org/faq/pf/filter.html#pass


----------



## kpa (Apr 26, 2013)

Because that is how stateful tracking works. Every pass rule creates a state that automatically allows the return traffic when matched unless explicitly disabled with no state.

http://www.openbsd.org/faq/pf/filter.html#state


----------



## kpa (Apr 26, 2013)

Back to the original problem: if I read this right, smtpd(8) is listening only on localhost port 10026. Is this intended? You would need a port forward from the external address to localhost if you want to keep it that way and reach the port from the outside.


```
rdr on $ext_if from any to $ext_if port 10026 -> localhost
```


----------



## cbrace (Apr 26, 2013)

Thank you very much. This works the way I wanted:


> rdr pass on $ext_if proto tcp from any to $ext_if port 10026 -> localhost


I will have to study this a little longer to figure out why it works and my line above didn't.


----------



## cbrace (Apr 26, 2013)

Ah, it is this line in master.cf, no?


> localhost:10026 inet  n -       n       -       -        smtpd


This is what is binding smtpd to localhost I think.


----------



## kpa (Apr 26, 2013)

Yeah, sorry, proto tcp makes more sense; there's no UDP traffic involved.

The master.cf is what tells mail/postfix what services to start and the listening addresses/ports.


----------
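As an added example (not code from the thread or from Postfix), a small Python script that parses master.cf the way kpa describes it, reads the bind address out of the `[host:]port` service name, and lists every smtpd re-injection service (one that clears `content_filter`) listening on a non-loopback address, since such a port relies on `mynetworks` alone to keep it from relaying. The sample master.cf is constructed, with 192.0.2.153 standing in for the masked address; it goes beyond the thread by checking all entries in the file, not just port 10026.

```python
"""Parse Postfix master.cf and flag smtpd re-injection services that are
reachable on a non-loopback address (hypothetical helper, not Postfix code)."""
import ipaddress

# Constructed sample: the thread's entry plus a second, exposed re-injection port.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
localhost:10026 inet  n -       n       -       -        smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_client_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8,192.0.2.153/32
10027     inet  n -       n       -       -        smtpd
  -o content_filter=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
"""

def parse_master_cf(text):
    """Return a list of services: name, type, command and the -o overrides."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":                  # indented line continues the previous entry
            args = raw.split()
            for i, tok in enumerate(args):
                if tok == "-o" and i + 1 < len(args):
                    key, _, val = args[i + 1].partition("=")
                    services[-1]["overrides"][key] = val
            continue
        fields = raw.split()                 # service type private unpriv chroot wakeup maxproc command
        services.append({"name": fields[0], "type": fields[1],
                         "command": fields[7], "overrides": {}})
    return services

def bind_host(service):
    """inet services are named [host:]port; without a host Postfix binds all interfaces."""
    host, sep, _port = service["name"].rpartition(":")
    return host.strip("[]") if sep else "0.0.0.0"

def is_loopback_only(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def exposed_reinjection_ports(services):
    """smtpd services that skip the content filter and do not listen on loopback only."""
    return [s["name"] for s in services
            if s["type"] == "inet" and s["command"] == "smtpd"
            and "content_filter" in s["overrides"]
            and not is_loopback_only(bind_host(s))]
```

Running `exposed_reinjection_ports(parse_master_cf(open("/usr/local/etc/postfix/master.cf").read()))` on a real file lists the ports to double-check against `mynetworks` and the pf rules.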

