Age | Commit message | Author |
|
|
|
from steve shockley
ok sthen
|
|
ok jmc@
|
|
divert-to has many advantages over rdr-to for proxies. For example,
it is much easier to use, requires less code, does not depend on
/dev/pf, works in-band without the asynchronous lookup (DIOCNATLOOK
ioctl), saves us from additional port allocations by the rdr/NAT code,
and even avoids potential collisions and race conditions that could
theoretically happen with the lookup.
Heads up: users will have to update their spamd PF rules from rdr-to
to divert-to. spamd now also listens to 127.0.0.1 instead of "any"
(0.0.0.0) by default which should be fine with most setups but has to
be considered for some special configurations.
Based on a diff that is almost two years old but got delayed several times
... beck@: "now is the time to get it in" :)
Tested by many
With help from okan@
OK okan@ beck@ millert@
|
|
|
|
ok schwarze@
|
|
split it; while here, zap trailing whitespace;
|
|
Rationale: when you publish DANE records for certificate pinning, you MUST
offer TLS on the indicated service. Not offering TLS is verboten since
that would re-open the door for a MitM. This is obviously fundamentally
incompatible with having spamd in front of your mailservers - spamd kinda
is a MitM here, but intentional and utterly valid.
DANE is desirable because it allows one to not have to trust the broken
SSL CA model, and, depending on the mode chosen, even show the SSL cert
mafia the middle finger by not needing them at all.
ok reyk jsing bob
|
|
for quite some time. Mop up the last few, by using /dev/random where we
actually want it, or not even mentioning arandom where it is irrelevant.
|
|
Fix example while here.
ok back@
|
|
|
|
ok beck@
|
|
to no longer be relevant;
ok beck
|
|
ok jmc@
|
|
problems because of the recent pf nat changes that caused problems;
i've fleshed out the example in spamd and just added a pointer to it
from spamlogd;
ok beck
|
|
|
|
ok henning@
|
|
|
|
A number of small improvements:
- patch for empty lines and comments in alloweddomains_file
- remove some whitespaces at end of line.
- document comment and empty line handling
- Remove unused parameter 'r' from getopt in spamd.c, it is removed in the 'switch statement'
but not in getopt.
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/spamd/spamd.c.diff?r1=1.94;r2=1.95;f=h
- replace atoi with strtonum
- make debug output more useful, display only what will be synced and not a second
message which prints always "sync trapped %s"
- some cosmetic and whitespace fixes.
|
|
ok beck
|
|
ok beck
|
|
- whitelisted entries are not synced
- entries added manually (using spamdb) are not synced
suggested by Stephan A. Rickauer; ok reyk
|
|
|
|
|
|
- this document talks about "default mode", not "greylisting mode"
- kill trailing whitespace
|
|
longer used in greylisting mode.
ok ckuethe@
|
|
from Saint Aardvark the Carpeted, documentation/5535;
|
|
|
|
|
|
also, this section is blacklist-only, so tweak .Sh
|
|
|
|
whitespace at eol
|
|
1) Implement the NOOP command, which now seems necessary for certain
windows mail wrappers and sender verification schemes. Tested by me
and sidcarter@symonds.net, who noticed the problem on his site.
ok millert@
2) Change the behaviour of the maxblack parameter, instead of hanging
up immediately on new blacklisted connections when the maxblack parameter
is reached, we instead make spamd not stutter at them, so the connection
is instead completed quickly. This seems to handle peaks and spikes
much better than the old way of doing this.
ok deraadt@, with some man page changes by jmc@
|
|
closes user/5408 from sthen
ok reyk
|
|
explicitly mentioning IP aliases, which is typically how you would
implement MX trapping using a single host.
OK beck@, trusted by deraadt@
|
|
|
|
|
|
kill whitespace at eol
|
|
address than the primary one. spamd will trap hosts that contact this
address first without first contacting the primary.
- get it in, deraadt@
|
|
|
|
- move some relevant bits of SYNCHRONISATION into -Yy descriptions
- tweaks for SYNCHRONISATION
ok reyk beck
|
|
|
|
ok jmc@, reyk@
|
|
|
|
create one? and so on...
help from jmc@
|
|
|
|
This adds an HMAC protected synchronization protocol for use by spamd and
spamlogd.
- spamd can receive updates from other hosts for GREY, WHITE, and TRAPPED db
entries, and will update the local /var/db/spamd accordingly.
- spamd can send updates when it makes changes to the GREY or TRAPPED
entries in the db to other hosts running spamd. (Note it does not send
WHITE entries because the other spamd will see the GREY changes and have
complete information to make appropriate decisions)
- spamlogd can send updates for WHITE db entries that it performs on the local
db to other hosts running spamd, which will then apply them on remote hosts.
Note that while this diff provides synchronization for changes made to the
spamd db by the daemons, it does *not* provide for synchronizing changes
to the spamd db made manually with the spamdb command.
Synchronization protocol and most of the work by reyk@,
with a bunch of the spamd, and spamlogd stuff by me.
testing mostly at the U of A, running happily there under big load.
ok reyk@ jmc@