Provided by: mxallowd_1.9-2_amd64

NAME

       mxallowd - dynamically whitelist your Mail eXchanger

SYNOPSIS

       mxallowd [-d] [-c configfile] [-t whitelist-time] [-p pflog-interface] [-l pcap-filter]
       [-F] [-s] [-q] [-b] -f fake-mailserver -r real-mailserver -n queue-num

DESCRIPTION

       mxallowd is a daemon which uses libnetfilter_queue (on Linux) or pf and pflog (on BSD) to
       allow connections to a mailserver (or similar application) only if the remote host has
       connected to a fake daemon before, and to deny them otherwise.

       This is an improved version of the so-called nolisting (see http://www.nolisting.org/).
       The assumption is that spammers are not using RFC 2821-compatible SMTP clients and are
       sending fire-and-forget spam (directly to the first or second MX entry without retrying on
       error). mxallowd blocks this direct access: a client only gets a connection if it retries.

       NOTE: It is highly recommended to install nscd (name service cache daemon) or similar
       software in order to speed up DNS lookups. Since version 1.3, DNS lookups are done in a
       thread (so they don't block the main process); however, on very high-traffic sites,
       mxallowd may show significantly better overall performance in combination with nscd.

OPTIONS

       -b, --no-rdns-whitelist
              Disable whitelisting all IP addresses that have the same reverse DNS name as the
              connecting one (the default behaviour is necessary for Google Mail)

       -c, --config
              Specifies an alternative configuration file (instead of /etc/mxallowd.conf)

       -t, --whitelist-time
              Specify the amount of time (in seconds) until an IP address will be removed from
              the whitelist

       -s, --stdout
              Log to stdout, not to syslog

       -q, --quiet
              Don't log anything but errors.

       -f, --fake-mailserver
              Specify which IP address the fake mailserver has (connecting to it will whitelist
              you for the real mailserver)

       -r, --real-mailserver
              Specify which IP-address the real mailserver has

       -F, --foreground
              Do not fork into background, stay on console

       -n, --queue-num (only available when compiled for netfilter_queue)
              Specify the queue number which will be used for the netfilter_queue link. This must
              match the --queue-num given in the iptables rule; there is no default, so it has to
              be specified.

       -p, --pflog-interface (only available when compiled for pf)
              Specify the pflog(4) interface which you configured in pf(4). The default is pflog0.
              Also see the pcap-filter option if you use an interface which does not only carry
              SMTP traffic.

       -l, --pcap-filter (only available when compiled for pf)
              Specify the filter for pcap. The default is "port 25". See tcpdump(8) for more
              information on the filters.

FILES

       /etc/mxallowd.conf
              System-wide configuration file. Use the long options without the two leading
              dashes. For example:

                   stdout
                   fake-mailserver 192.168.1.3
                   fake-mailserver 192.168.1.4
                   real-mailserver 192.168.1.5
                   queue-num 23

EXAMPLES FOR NETFILTER

       The machine has two IP addresses. The mailserver only listens on 192.168.1.4; the
       nameserver returns the MX records mx1.domain.com (192.168.1.3) with priority 5 and
       mx2.domain.com (192.168.1.4) with priority 10.

       # modprobe nfnetlink_queue
       # iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j NFQUEUE --queue-num 23
       # mxallowd -s -F -f 192.168.1.3 -r 192.168.1.4 -n 23

       Then open a separate terminal and connect via telnet to your real mailserver. You'll see
       the connection attempt being dropped. Now connect to the fake mailserver and watch
       mxallowd's output. Afterwards, connect to the real mailserver again to verify that it is
       still reachable.
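       The decision sequence from the walk-through above, modelled as an added Python example (not
       mxallowd's own code, which is C): a NEW connection to the real mailserver is accepted only if
       the source address hit the fake mailserver within the last whitelist-time seconds (-t), with
       the reverse-DNS grouping that -b disables. The client address 203.0.113.10 and the reverse
       names are constructed sample values, and the in-memory rdns dict stands in for the DNS lookup
       thread.

```python
import time

class MxAllowSim:
    """In-memory model of mxallowd's whitelist (added example, not the daemon's own code)."""

    def __init__(self, fake, real, whitelist_time=3600, rdns_whitelist=True, rdns=None):
        self.fake = set(fake)                  # -f addresses (several allowed, as in the config example)
        self.real = set(real)                  # -r address(es)
        self.whitelist_time = whitelist_time   # -t: seconds until an entry is removed again
        self.rdns_whitelist = rdns_whitelist   # False models -b / --no-rdns-whitelist
        self.rdns = rdns or {}                 # ip -> reverse DNS name; stands in for the lookup thread
        self._expiry = {}                      # ip -> unix time at which its whitelist entry expires

    def _whitelist(self, ip, now):
        self._expiry[ip] = now + self.whitelist_time
        name = self.rdns.get(ip)
        if self.rdns_whitelist and name is not None:
            # Default behaviour: every address sharing the connecting host's reverse name
            # is whitelisted too (the behaviour the man page says Google Mail needs).
            for other, other_name in self.rdns.items():
                if other_name == name:
                    self._expiry[other] = now + self.whitelist_time

    def is_whitelisted(self, ip, now):
        expiry = self._expiry.get(ip)
        if expiry is None:
            return False
        if expiry <= now:
            del self._expiry[ip]               # aged out after whitelist-time seconds
            return False
        return True

    def verdict(self, src_ip, dst_ip, now=None):
        """Return 'ACCEPT' or 'DROP' for a NEW TCP connection from src_ip to port 25 on dst_ip."""
        now = time.time() if now is None else now
        if dst_ip in self.fake:
            # Nothing listens on the fake address; the attempt itself earns the whitelist entry.
            self._whitelist(src_ip, now)
            return "DROP"
        if dst_ip in self.real:
            return "ACCEPT" if self.is_whitelisted(src_ip, now) else "DROP"
        return "ACCEPT"                        # assumption: other destinations are left alone


def telnet_walkthrough(client="203.0.113.10"):
    """The three telnet steps from the example above: real, then fake, then real again."""
    sim = MxAllowSim(fake={"192.168.1.3"}, real={"192.168.1.4"}, whitelist_time=60)
    return [sim.verdict(client, dst, now=t)
            for t, dst in ((0, "192.168.1.4"), (1, "192.168.1.3"), (2, "192.168.1.4"))]
```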

EXAMPLES FOR PF

       The machine has two IP addresses. The mailserver only listens on 192.168.1.4; the
       nameserver returns the MX records mx1.domain.com (192.168.1.3) with priority 5 and
       mx2.domain.com (192.168.1.4) with priority 10.

       Create a pf.conf like this:

            table <mx-white> persist

            real_mailserver="192.168.1.4"
            fake_mailserver="192.168.1.3"

            real_mailserver6="2001:dead:beef::1"
            fake_mailserver6="2001:dead:beef::2"

            pass in quick log on fxp0 proto tcp from <mx-white> to $real_mailserver port smtp
            pass in quick log on fxp0 inet6 proto tcp from <mx-white> to $real_mailserver6 port smtp
            block in log on fxp0 proto tcp to { $fake_mailserver $real_mailserver } port smtp
            block in log on fxp0 inet6 proto tcp to { $fake_mailserver6 $real_mailserver6 } port smtp

       Afterwards, load it and start mxallowd using the following commands:

       # pfctl -f /etc/pf.conf
       # mxallowd -s -F -f 192.168.1.3 -r 192.168.1.4

       Then open a separate terminal and connect via telnet to your real mailserver. You'll see
       the connection attempt being dropped. Now connect to the fake mailserver and watch
       mxallowd's output. Afterwards, connect to the real mailserver again to verify that it is
       still reachable.

       The ruleset for pf is longer because pf does more than netfilter on Linux: netfilter hands
       each queued packet to mxallowd, which decides whether to accept or drop it, whereas pf
       itself blocks or passes the connection (according to the <mx-white> table) before mxallowd
       ever sees it; mxallowd only gets the logged packets via pflog.

SEE ALSO

       iptables(8), pf(4), pflog(4), tcpdump(8)

AUTHOR

       Michael Stapelberg <michael+mxallowd at stapelberg dot de>