
Saint Aardvark's Journal: Aha! 3
I had a brief look at the script tonight, hoping to find a way to maybe hack in MySQL support, but decided to check with Saint Google first. Sure enough, there's gps, the Greylist Policy Service for Postfix. Uses C++ for speed and MySQL/PostgreSQL for the backend, which is nice. I should be able to hack up a migration script for the old entries (just as soon as I hack up a migration script for all the old journal entries...), and all should be good.
One thing I'm noticing with greylisting, though, is just how many attempts are being made from multiple IP addresses within a short time; one attempt, today, had attempts from four different IP addresses within five minutes, all from the same made-up email address. The original Perl script has the advantage that I can change it easily -- I know Perl, and I'd be pretty much starting from scratch with C++ -- and maybe add the ability to track this sort of thing. It'd be nice to be able to tarpit attempts to do this, say on the third attempt.
Tarpitting...another problem with Linux. The TARPIT module for netfilter has yet to be updated to work with the 2.6 kernel, and I really don't want to switch back to 2.4 just for this. LaBrea is nice, and I'm running a lashed-together natd configuration on my FreeBSD firewall box in conjunction with LaBrea running on my desktop on a second interface. It works, but it doesn't work in the case of a Linux webserver running on its own, outside the main firewall. I'm even less a kernel hacker than I am a C++ programmer, and figuring out the compiling problems and changed skbuff route structures (say) is beyond me. It's things like this that make me want to move to OpenBSD. Yeah, rebuilding a server and learning a new firewall language is a pain in the ass, but at least it's one I can handle.
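The pattern noted above (one made-up sender retrying from several IP addresses within minutes) can be tracked inside the greylisting policy service itself. The following is an added example in Python, not the Perl script or gps mentioned in the entry: it parses a Postfix policy delegation request (the real `name=value` lines terminated by a blank line), applies the standard greylist triplet delay, and counts distinct client IPs per sender in a sliding window, returning a flag once the third distinct IP shows up. The 300-second delay, the 300-second window, the threshold of three, and all addresses are assumed values constructed for the example; `defer_if_permit` and `dunno` are real Postfix access responses.

```python
"""Greylisting policy check with multi-IP retry tracking (added example)."""
import time

GREYLIST_DELAY = 300      # seconds a new triplet must wait before acceptance (assumed)
MULTI_IP_WINDOW = 300     # window for counting distinct client IPs per sender (assumed)
TARPIT_THRESHOLD = 3      # third distinct IP for one sender trips the flag (assumed)


def parse_policy_request(raw):
    """Parse a Postfix policy request: 'name=value' lines, ended by a blank line."""
    attrs = {}
    for line in raw.splitlines():
        if not line.strip():
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


class GreylistPolicy:
    def __init__(self):
        self.triplets = {}    # (client, sender, recipient) -> first-seen timestamp
        self.sender_ips = {}  # sender -> {client_ip: last-seen timestamp}

    def _distinct_ips(self, sender, client, now):
        """Record this client for the sender and return how many distinct
        clients were seen for it inside MULTI_IP_WINDOW."""
        seen = self.sender_ips.setdefault(sender, {})
        seen[client] = now
        for ip in [ip for ip, ts in seen.items() if now - ts > MULTI_IP_WINDOW]:
            del seen[ip]  # forget clients that fell outside the window
        return len(seen)

    def decide(self, attrs, now=None):
        """Return (action, tarpit_candidate).

        action is a Postfix access response: 'dunno' leaves the decision to
        later restrictions, 'defer_if_permit ...' is a temporary failure.
        tarpit_candidate is True when the sender has hit TARPIT_THRESHOLD
        distinct client IPs in the window; what to do with it (e.g. feeding a
        firewall rule) is left to the operator.
        """
        now = time.time() if now is None else now
        client = attrs.get("client_address", "")
        sender = attrs.get("sender", "").lower()
        recipient = attrs.get("recipient", "").lower()
        key = (client, sender, recipient)

        tarpit = self._distinct_ips(sender, client, now) >= TARPIT_THRESHOLD

        first = self.triplets.get(key)
        if first is None:
            self.triplets[key] = now  # new triplet: start the clock
            return ("defer_if_permit Greylisted, try again later", tarpit)
        if now - first < GREYLIST_DELAY:
            return ("defer_if_permit Greylisted, try again later", tarpit)
        return ("dunno", tarpit)


def make_request(client_ip, sender="spam@example.invalid", rcpt="me@example.invalid"):
    """Build a constructed policy request in the Postfix wire format."""
    return ("request=smtpd_access_policy\n"
            "client_address=%s\nsender=%s\nrecipient=%s\n\n" % (client_ip, sender, rcpt))


if __name__ == "__main__":
    # Constructed replay of the pattern from the entry: one sender, several IPs.
    policy = GreylistPolicy()
    for t, ip in [(0, "192.0.2.1"), (60, "192.0.2.2"), (120, "192.0.2.3"), (400, "192.0.2.1")]:
        action, flag = policy.decide(parse_policy_request(make_request(ip)), now=t)
        print("t=%3d %-10s action=%-45s tarpit=%s" % (t, ip, action, flag))
```

One caveat before acting on the flag: large mail providers legitimately retry from different outbound hosts, so a plain distinct-IP count will also light up for them; keying on the /24 or maintaining a whitelist of known senders keeps the flag useful for the made-up-address case without penalising real retries.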
Pain in the ass? Nein! (Score:2)
OpenBSD's installer looks daunting at first (it's like Linux was in 1993), but just do it whilst reading the install guide, and by the time you do your second machine you can have the installs done in around 10 minutes for a complete install.
The documentation in OpenBSD is also excellent - with iptables I found myself having
Re:Pain in the ass? Nein! (Score:1)
however, openbsd ships with spamd(8) [openbsd.org], which now supports greylisting, and is able to speak directly to pf. pretty slick, check it out!
at work, we have a few linux boxes, one of which is involved with the mars rovers. the first battle was getting cisco's vpn to get through it. then, it was ftp. in the end, it was too much of a PITA. put an openbsd bridging firewall on a soekris in front and have forgotten about it heh
Re:Pain in the ass? Nein! (Score:1)