#
fd9fa3ac |
| 24-Jul-2019 |
mestre <mestre@openbsd.org> |
Ever since I introduced pledge(2) on spamd(8) the chroot'ed process, if running in default, cannot get anywhere near the filesystem since its only promises are "stdio inet". Furthermore, in blacklist mode this same codepath is not chroot'ed but once again it gets the same pledge(2).
Therefore we can remove the BUGS section from spamd(8)'s manpage.
OK millert@ deraadt@
|
#
c57e657f |
| 02-Apr-2017 |
jmc <jmc@openbsd.org> |
note that some hosts never generate tuples and are ignored; ok beck
|
#
18b3c5b8 |
| 16-Mar-2017 |
jmc <jmc@openbsd.org> |
define the role of spamd-setup a little better;
|
#
53028453 |
| 16-Mar-2017 |
jmc <jmc@openbsd.org> |
use one way to show filter rules, not two. the bits and pieces of the spamd setup are complex enough without freestyling the pf rules;
while here, Bk/Ek no longer required
|
#
f7745699 |
| 12-Aug-2015 |
jmc <jmc@openbsd.org> |
start replacing some \*([GL]t;
|
#
46ddce19 |
| 12-Aug-2015 |
jmc <jmc@openbsd.org> |
divert-to a table needs an address family; from steve shockley
ok sthen
|
#
b9170857 |
| 27-Jul-2015 |
sobrado <sobrado@openbsd.org> |
use file system path (.Pa) semantic markup macros where appropriate.
ok jmc@
|
#
0f849a0c |
| 18-May-2015 |
reyk <reyk@openbsd.org> |
Change spamd to use divert-to instead of rdr-to.
divert-to has many advantages over rdr-to for proxies. For example, it is much easier to use, requires less code, does not depend on /dev/pf, works in-band without the asynchronous lookup (DIOCNATLOOK ioctl), saves us from additional port allocations by the rdr/NAT code, and even avoids potential collisions and race conditions that could theoretically happen with the lookup.
Heads up: users will have to update their spamd PF rules from rdr-to to divert-to. spamd now also listens to 127.0.0.1 instead of "any" (0.0.0.0) by default which should be fine with most setups but has to be considered for some special configurations.
Based on a diff that is almost two years old but got delayed several times ... beck@: "now is the time to get it in" :)
Tested by many
With help from okan@
OK okan@ beck@ millert@
|
#
f90b2e2a |
| 14-Apr-2015 |
deraadt <deraadt@openbsd.org> |
wrap a long line
|
#
18891bf9 |
| 15-Feb-2015 |
bentley <bentley@openbsd.org> |
Don't use Aq macros when <> is intended; they are not the same thing.
ok schwarze@
|
#
d0e29df8 |
| 07-Feb-2015 |
jmc <jmc@openbsd.org> |
put -G and its args back onto one line in SYNOPSIS, to avoid having mandoc split it; while here, zap trailing whitespace;
|
#
a2913c44 |
| 07-Feb-2015 |
henning <henning@openbsd.org> |
add STARTTLS support, using the shiny libtls. Rationale: when you publish DANE records for certificate pinning, you MUST offer TLS on the indicated service. Not offering TLS is verboten since that would re-open the door for a MitM. This is obviously fundamentally incompatible with having spamd in front of your mailservers - spamd kinda is a MitM here, but intentional and utterly valid. DANE is desirable because it allows one to not have to trust the broken SSL CA model, and, depending on the mode chosen, even show the SSL cert mafia the middle finger by not needing them at all. ok reyk jsing bob
|
#
117be8b5 |
| 22-Nov-2014 |
deraadt <deraadt@openbsd.org> |
/dev/random has created the same effect as /dev/arandom (and /dev/urandom) for quite some time. Mop up the last few, by using /dev/random where we actually want it, or not even mentioning arandom where it is irrelevant.
|
#
4b3c04f3 |
| 11-Oct-2014 |
landry <landry@openbsd.org> |
Fix manpage: -y only takes interface names, and doesn't take ip addresses. Fix example while here. ok back@
|
#
172f56c7 |
| 16-Sep-2014 |
jmc <jmc@openbsd.org> |
less sendmail;
|
#
a4663229 |
| 01-Sep-2014 |
guenther <guenther@openbsd.org> |
Simplify the syslog.conf example: .info means that *and higher*
ok beck@
|
#
4e12ae12 |
| 27-Sep-2012 |
jmc <jmc@openbsd.org> |
remove some history details which have been around for long enough to no longer be relevant;
ok beck
|
#
a47d0aab |
| 19-Mar-2011 |
okan <okan@openbsd.org> |
fix rdr-to example (requires direction); from James Turner
ok jmc@
|
#
0d1557d6 |
| 17-Sep-2009 |
jmc <jmc@openbsd.org> |
merge/update the spamlogd rules into spamd - there were some subtle problems because of the recent pf nat changes that caused problems; i've fleshed out the example in spamd and just added a pointer to it from spamlogd;
ok beck
|
#
800cd0b3 |
| 07-Sep-2009 |
jmc <jmc@openbsd.org> |
the example pf rules should be "pass in", not just "pass"; ok henning
|
#
e8af6f09 |
| 01-Sep-2009 |
todd <todd@openbsd.org> |
match samples here with pf.conf(5) sample ruleset following recent pf changes ok henning@
|
#
e6ce014f |
| 20-Apr-2009 |
jmc <jmc@openbsd.org> |
tweak previous;
|
#
00ddf0ca |
| 20-Apr-2009 |
beck <beck@openbsd.org> |
PR 6090 - from Olli Hauer <ohauer@gmx.de>
A number of small improvements:
- patch for empty lines and comments in alloweddomains_file
- remove some whitespaces at end of line.
- document comment and empty line handling
- Remove unused parameter 'r' from getopt in spamd.c, it is removed in the 'switch statement' but not in getopt. http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/spamd/spamd.c.diff?r1=1.94;r2=1.95;f=h
- replace atoi with strtonum
- make debug output more useful, display only what will be synced and not a second message which prints always "sync trapped %s"
- some cosmetic and whitespace fixes.
|
#
7597ee3e |
| 17-Feb-2009 |
jmc <jmc@openbsd.org> |
clarification for the MX stuff; requested by Stephan A. Rickauer ok beck
|
#
2ca80fe9 |
| 20-Sep-2008 |
jmc <jmc@openbsd.org> |
document spamd log entry format; requested by Stephan A. Rickauer ok beck
|