NAME

       mxallowd - dynamically whitelist your Mail eXchanger

SYNOPSIS

       mxallowd  [-d]  [-c  configfile] [-t whitelist-time] [-p pflog-interface] [-l pcap-filter] [-F] [-s] [-q]
       [-p] -f fake-mailserver -r real-mailserver -n queue-num

DESCRIPTION

       mxallowd is a daemon which uses libnetfilter_queue (on Linux) or pf and pflog (on BSD) to allow (or deny)
       connections to a mailserver (or similar application) if the remote host hasn't connected to a fake daemon
       before.

       This is an improved version of the so-called nolisting (see http://www.nolisting.org/). The assumption is
       that spammers are not using  RFC  2821-compatible  SMTP-clients  and  are  sending  fire-and-forget  spam
       (directly  to the first or second MX-entry without retrying on error). This direct access is blocked with
       mxallowd, you'll only get a connection if you retry.

       NOTE: It is highly recommended to install nscd (nameserver caching daemon) or a similar software in order
       to speed-up DNS lookups. Since version 1.3, DNS lookups are done in a thread (so  they  don't  block  the
       main  process),  however,  on  very-high-traffic-sites,  mxallowd  may  show significantly better overall
       performance in combination with nscd.

OPTIONS

       -b, --no-rdns-whitelist
              Disable whitelisting all IP-addresses that have the same RDNS as the connecting one (necessary for
              google mail)

       -c, --config
              Specifies an alternative configuration file (instead of /etc/mxallowd.conf)

       -t, --whitelist-time
              Specify the amount of time (in seconds) until an IP-address will be removed from the whitelist

       -s, --stdout
              Log to stdout, not to syslog

       -q, --quiet
              Don't log anything but errors.

       -f, --fake-mailserver
              Specify which IP-address the fake mailserver has (connecting to it will whitelist you for the real
              mailserver)

       -r, --real-mailserver
              Specify which IP-address the real mailserver has

       -F, --foreground
              Do not fork into background, stay on console

       -n, --queue-num (only available when compiled for netfilter_queue)
              Specify the queue number which will be used for the netfilter_queue-link. This has to be the  same
              which is specified in the iptables-rule and it has to be specified, there is no default.

       -p, --pflog-interface (only available when compiled for pf)
              Specify  the pflog(4) interface which you configured in pf(4). The default is pflog0. Also see the
              pcap-filter-option if you use an interface which does not only get smtp-traffic.

       -l, --pcap-filter (only available when compiled for pf)
              Specify the filter for pcap. The default is "port 25". See tcpdump(8) for more information on  the
              filters.

FILES

       /etc/mxallowd.conf
              System-wide  configuration  file.  Use  the  long  options  without  the beginning two dashes. For
              example:

                   stdout
                   fake-mailserver 192.168.1.3
                   fake-mailserver 192.168.1.4
                   real-mailserver 192.168.1.5
                   queue-num 23

EXAMPLES FOR NETFILTER

       The machine has two IP-addresses. The mailserver only listens on 192.168.1.4, the nameserver returns  the
       mx-records  mx1.domain.com  (192.168.1.3)  with priority 5 and mx2.domain.com (192.168.1.4) with priority
       10.

       # modprobe nfnetlink_queue
       # iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j NFQUEUE --queue-num 23
       # mxallowd -s -F -f 192.168.1.3 -r 192.168.1.4 -n 23

       Then open a separate terminal and connect via telnet on your real mailserver. You'll see  the  connection
       attempt  being  dropped.  Now  connect  to  the  fake mailserver and watch mxallowd's output. Afterwards,
       connect to the real mailserver to verify your mailserver is still working.

EXAMPLES FOR PF

       The machine has two IP-addresses. The mailserver only listens on 192.168.1.4, the nameserver returns  the
       mx-records  mx1.domain.com  (192.168.1.3)  with priority 5 and mx2.domain.com (192.168.1.4) with priority
       10.

       Create a pf.conf like this:

            table <mx-white> persist

            real_mailserver="192.168.1.4"
            fake_mailserver="192.168.1.3"

            real_mailserver6="2001:dead:beef::1"
            fake_mailserver6="2001:dead:beef::2"

            pass in quick log on fxp0 proto tcp from <mx-white> to $real_mailserver port smtp
            pass in quick log on fxp0 inet6 proto tcp from <mx-white> to $real_mailserver6 port smtp
            block in log on fxp0 proto tcp to { $fake_mailserver $real_mailserver } port smtp
            block in log on fxp0 inet6 proto tcp to { $fake_mailserver6 $real_mailserver6 } port smtp

       Afterwards, load it and start mxallowd using the following commands:

       # pfctl -f /etc/pf.conf
       # mxallowd -s -F -f 192.168.1.3 -r 192.168.1.4

       Then open a separate terminal and connect via telnet on your real mailserver. You'll see  the  connection
       attempt  being  dropped.  Now  connect  to  the  fake mailserver and watch mxallowd's output. Afterwards,
       connect to the real mailserver to verify your mailserver is still working.

       The ruleset for pf is actually longer because pf does more than netfilter on linux  --  netfilter  passes
       the packets and lets mxallowd decide whether to drop/accept whilst pf blocks/passes before even "passing"
       to mxallowd.

SEE ALSO

       iptables(8), pf(4), pflog(4), tcpdump(8)

AUTHOR

       Michael Stapelberg <michael+mxallowd at stapelberg dot de>

Linux                                              MARCH 2012                                        mxallowd(1)