History log of /openbsd-current/libexec/spamd/spamd.8
Revision Date Author Comments
# 1.135 24-Jul-2019 mestre

Ever since I introduced pledge(2) on spamd(8) the chroot'ed process, if running
in default, cannot get anywhere near the filesystem since its only promises are
"stdio inet". Furthermore, in blacklist mode this same codepath is not
chroot'ed but once again it gets the same pledge(2).

Therefore we can remove the BUGS section from spamd(8)'s manpage.

OK millert@ deraadt@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.134 02-Apr-2017 jmc

note that some hosts never generate tuples and are ignored;
ok beck


Revision tags: OPENBSD_6_1_BASE
# 1.133 16-Mar-2017 jmc

define the role of spamd-setup a little better;


# 1.132 16-Mar-2017 jmc

use one way to show filter rules, not two. the bits and pieces of the
spamd setup are complex enough without freestyling the pf rules;

while here, Bk/Ek no longer required


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.131 12-Aug-2015 jmc

start replacing some \*([GL]t;


# 1.130 12-Aug-2015 jmc

divert-to a table needs an address family;
from steve shockley

ok sthen


Revision tags: OPENBSD_5_8_BASE
# 1.129 27-Jul-2015 sobrado

use file system path (.Pa) semantic markup macros where appropriate.

ok jmc@


# 1.128 18-May-2015 reyk

Change spamd to use divert-to instead of rdr-to.

divert-to has many advantages over rdr-to for proxies. For example,
it is much easier to use, requires less code, does not depend on
/dev/pf, works in-band without the asynchronous lookup (DIOCNATLOOK
ioctl), saves us from additional port allocations by the rdr/NAT code,
and even avoids potential collisions and race conditions that could
theoretically happen with the lookup.

Heads up: users will have to update their spamd PF rules from rdr-to
to divert-to. spamd now also listens to 127.0.0.1 instead of "any"
(0.0.0.0) by default which should be fine with most setups but has to
be considered for some special configurations.

Based on a diff that is almost two years old but got delayed several times
... beck@: "now is the time to get it in" :)

Tested by many
With help from okan@
OK okan@ beck@ millert@


# 1.127 14-Apr-2015 deraadt

wrap a long line


Revision tags: OPENBSD_5_7_BASE
# 1.126 15-Feb-2015 bentley

Don't use Aq macros when <> is intended; they are not the same thing.

ok schwarze@


# 1.125 07-Feb-2015 jmc

put -G and its args back onto one line in SYNOPSIS, to avoid having mandoc
split it; while here, zap trailing whitespace;


# 1.124 07-Feb-2015 henning

add STARTTLS support, using the shiny libtls.
Rationale: when you publish DANE records for certificate pinning, you MUST
offer TLS on the indicated service. Not offering TLS is verboten since
that would re-open the door for a MitM. This is obviously fundamentally
incompatible with having spamd in front of your mailservers - spamd kinda
is a MitM here, but intentional and utterly valid.
DANE is desirable because it allows one to not have to trust the broken
SSL CA model, and, depending on the mode chosen, even show the SSL cert
mafia the middle finger by not needing them at all.
ok reyk jsing bob


# 1.123 22-Nov-2014 deraadt

/dev/random has created the same effect as /dev/arandom (and /dev/urandom)
for quite some time. Mop up the last few, by using /dev/random where we
actually want it, or not even mentioning arandom where it is irrelevant.


# 1.122 11-Oct-2014 landry

Fix manpage: -y only takes interface names, and doesn't take ip addresses.
Fix example while here.
ok back@


# 1.121 16-Sep-2014 jmc

less sendmail;


# 1.120 01-Sep-2014 guenther

Simplify the syslog.conf example: .info means that *and higher*

ok beck@


Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.119 27-Sep-2012 jmc

remove some history details which have been around for long enough
to no longer be relevant;

ok beck


Revision tags: OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE
# 1.118 19-Mar-2011 okan

fix rdr-to example (requires direction); from James Turner

ok jmc@


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE
# 1.117 17-Sep-2009 jmc

merge/update the spamlogd rules into spamd - there were some subtle
problems because of the recent pf nat changes that caused problems;
i've fleshed out the example in spamd and just added a pointer to it
from spamlogd;

ok beck


# 1.116 07-Sep-2009 jmc

the example pf rules should be "pass in", not just "pass"; ok henning


# 1.115 01-Sep-2009 todd

match samples here with pf.conf(5) sample ruleset following recent pf changes
ok henning@


Revision tags: OPENBSD_4_6_BASE
# 1.114 20-Apr-2009 jmc

tweak previous;


# 1.113 20-Apr-2009 beck

PR 6090 - from Olli Hauer <ohauer@gmx.de>

A number of small improvements:

- patch for empty lines and comments in alloweddomains_file
- remove some whitespaces at end of line.
- document comment and empty line handling
- Remove unused parameter 'r' from getopt in spamd.c; it is removed in the 'switch statement'
but not in getopt.
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/spamd/spamd.c.diff?r1=1.94;r2=1.95;f=h
- replace atoi with strtonum
- make debug output more useful, display only what will be synced and not a second
message which prints always "sync trapped %s"

- some cosmetic and whitespace fixes.


Revision tags: OPENBSD_4_5_BASE
# 1.112 17-Feb-2009 jmc

clarification for the MX stuff; requested by Stephan A. Rickauer
ok beck


# 1.111 20-Sep-2008 jmc

document spamd log entry format; requested by Stephan A. Rickauer
ok beck


# 1.110 11-Aug-2008 jmc

some documentation updates for spamd synchronisation:
- whitelisted entries are not synced
- entries added manually (using spamdb) are not synced

suggested by Stephan A. Rickauer; ok reyk


Revision tags: OPENBSD_4_4_BASE
# 1.109 28-Mar-2008 grunk

typo, ok beck@


Revision tags: OPENBSD_4_3_BASE
# 1.108 08-Jan-2008 jmc

simplify the suggested pf ruleset; ok beck


Revision tags: OPENBSD_4_2_BASE
# 1.107 11-Aug-2007 jmc

tweak previous:
- this document talks about "default mode", not "greylisting mode"
- kill trailing whitespace


# 1.106 11-Aug-2007 jsg

Add note to the effect that the spamd pf table is no
longer used in greylisting mode.
ok ckuethe@


# 1.105 07-Jul-2007 jmc

document maximum values for -S and -s;
from Saint Aardvark the Carpeted, documentation/5535;


# 1.104 25-Jun-2007 tom

s/is is/it is/. From Jim Razmus, jim (at) bonetruck (dot) org; thanks.


# 1.103 31-May-2007 jmc

convert to new .Dd format;


# 1.102 26-May-2007 jmc

remove a redundant paragraph; ok beck
also, this section is blacklist-only, so tweak .Sh


# 1.101 19-May-2007 jmc

spamd-setup needs -b for blacklist-only mode; from Nick Templeton


# 1.100 26-Mar-2007 jmc

kill trailing whitespace...shame on me if i sent bob a diff w/
whitespace at eol


# 1.99 26-Mar-2007 beck

A couple of spamd improvements

1) Implement the NOOP command, which now seems necessary for certain
windows mail wrappers and sender verification schemes. Tested by me
and sidcarter@symonds.net, who noticed the problem on his site.
ok millert@

2) Change the behaviour of the maxblack parameter: instead of hanging
up immediately on new blacklisted connections when the maxblack parameter
is reached, we instead make spamd not stutter at them, so the connection
is instead completed quickly. This seems to handle peaks and spikes
much better than the old way of doing this.
ok deraadt@, with some man page changes by jmc@


# 1.98 15-Mar-2007 jmc

fix -y example;

closes user/5408 from sthen
ok reyk


Revision tags: OPENBSD_4_1_BASE
# 1.97 07-Mar-2007 millert

Add some emphasis for easier reading and clarify MX trapping by
explicitly mentioning IP aliases, which is typically how you would
implement MX trapping using a single host.
OK beck@, trusted by deraadt@


# 1.96 07-Mar-2007 jmc

clean up the greytrap stuff;


# 1.95 07-Mar-2007 jmc

some spelling fixes;


# 1.94 07-Mar-2007 jmc

new sentence, new line
kill whitespace at eol


# 1.93 06-Mar-2007 beck

Add -M option to specify a local address that is a lower priority MX
address than the primary one. spamd will trap hosts that contact this
address first without first contacting the primary.
- get it in, deraadt@


# 1.92 06-Mar-2007 jmc

tweak -c; sort FILES;


# 1.91 06-Mar-2007 jmc

- move LOGGING into the main body
- move some relevant bits of SYNCHRONISATION into -Yy descriptions
- tweaks for SYNCHRONISATION

ok reyk beck


# 1.90 06-Mar-2007 beck

document allowing -c to increase to within 200 of kern.maxfiles


# 1.89 05-Mar-2007 beck

remove -r option that didn't work anyway.
ok jmc@, reyk@


# 1.88 05-Mar-2007 reyk

better dd options for the spamd.key generation example.


# 1.87 05-Mar-2007 reyk

document spamd.key better. what format does the file take? how do i
create one? and so on...

help from jmc@


# 1.86 04-Mar-2007 joel

correct location of spamd.key


# 1.85 04-Mar-2007 beck

Database synchronization for spamd/spamlogd

This adds an HMAC protected synchronization protocol for use by spamd and
spamlogd.

- spamd can receive updates from other hosts for GREY, WHITE, and TRAPPED db
entries, and will update the local /var/db/spamd accordingly.

- spamd can send updates when it makes changes to the GREY or TRAPPED
entries in the db to other hosts running spamd. (Note it does not send
WHITE entries because the other spamd will see the GREY changes and have
complete information to make appropriate decisions)

- spamlogd can send updates for WHITE db entries that it performs on the local
db to other hosts running spamd, which will then apply them on remote hosts.

note that while this diff provides synchronization for changes made to the
spamd db by the daemons, it does *not* provide for synchronizing changes
to the spamd db made manually with the spamdb command.

Synchronization protocol and most of the work by reyk@,
with a bunch of the spamd, and spamlogd stuff by me.

testing mostly at the U of A, running happily there under big load.

ok reyk@ jmc@


# 1.84 02-Mar-2007 jmc

improve the sections on pf rules; ok beck


# 1.83 01-Mar-2007 jmc

first pass at simplifying the language in this page; more to come


# 1.82 28-Feb-2007 david

double word: be be


# 1.81 27-Feb-2007 jmc

prevent .Em abuse:
.Dq for services
.Aq for tables


# 1.80 27-Feb-2007 jmc

forgot to remove this comment;


# 1.79 27-Feb-2007 jmc

- don't mark up colons
- no need for <> for tables
- use escapes for <> where needed


# 1.78 27-Feb-2007 jmc

no -g flag for spamd-setup;


# 1.77 27-Feb-2007 jmc

explain the concepts of black/white/greylisting, briefly;
diff from Okan Demirmen, tweaked by myself and beck

ok beck


# 1.76 27-Feb-2007 beck

the tempfail message happens after the DATA command, and
has for a little while now - it got changed so people don't get
hooped by certain stupid sender verification schemes.


# 1.75 27-Feb-2007 jmc

initial shot at making greylisting seem normal...


# 1.74 27-Feb-2007 jmc

sort options and usage();


# 1.73 27-Feb-2007 beck

Flag day for spamd -
1) config files move to /etc/mail
2) -g option goes away in spamd-setup and spamd - greylisting is now the default
3) option change to spamd, -b addr becomes -l addr.
4) -b option in spamd-setup and spamd to turn on old blacklisting mode.

Man page shortly to be flensed to make this easier to explain
ok deraadt@ millert@


# 1.72 25-Feb-2007 jmc

- HELO/EHLO is part of the tuple
- remove misleading sentence

ok millert


# 1.71 25-Feb-2007 millert

Attempt to clarify new greylisting rules.


# 1.70 24-Feb-2007 millert

When greylisting we don't actually need to use the <spamd> pf table.
We just do no-rdr for things in <spamd-white> and rdr the rest to spamdb.
OK beck@


# 1.69 24-Feb-2007 jmc

tweaks;


# 1.68 23-Feb-2007 beck

to_suffixes -> alloweddomains, that got missed, noticed
by okan@demirmen.com


# 1.67 23-Feb-2007 beck

greytrapping improvements
1) remove requirement for <> around spamtrap addresses
2) add support for /etc/spamd/alloweddomains to specify
suffixes for which any destinations that don't match
get trapped

various knf's by theo, feedback from jmc, millert, deraadt


# 1.66 14-Nov-2006 jmc

improve previous;


# 1.65 14-Nov-2006 jmc

clarify "maxcon" somewhat, particularly its upper limit;
from jared rr spiegel (pr #5292), tweaked somewhat;


# 1.64 19-Oct-2006 jmc

no need to escape "'";


# 1.63 17-Oct-2006 beck

Make this easier for people who aren't aware of what shell they are running.
ok deraadt@


# 1.62 29-Sep-2006 jmc

typo; from sthen


Revision tags: OPENBSD_4_0_BASE
# 1.61 15-Aug-2006 kjell

-r only applies to blacklists. ok beck@


# 1.60 15-May-2006 jcs

add an -h option to override the hostname that is reported in the
SMTP banner

ok beck@


Revision tags: OPENBSD_3_9_BASE
# 1.59 01-Dec-2005 tom

Spell "blacklisted" consistently.

ok jmc@


# 1.58 24-Nov-2005 jmc

missing full stop;


Revision tags: OPENBSD_3_8_BASE
# 1.57 06-Aug-2005 jmc

replace port number 8025 w/ symbolic `spamd';
ok krw@ deraadt@

diff from ray lai;


# 1.56 17-May-2005 jmc

update FILES;


# 1.55 17-May-2005 jmc

- describe start up better
- note that greylisting does stutter slightly
- make clear role of spamdb and spamd.conf
- few minor tweaks

ok beck@


# 1.54 14-Apr-2005 beck

Make spamd stutter at greylisted connections for a short period before talking
full speed. By default do this for 10 seconds. Many spammers disconnect by
then. Adds -S option to select the amount of time greylisted connections
will be stuttered at.

feedback from jmc@, deraadt@, ok deraadt@


Revision tags: OPENBSD_3_7_BASE
# 1.53 11-Mar-2005 beck

"Greytrapping" for spamd - allow for spamd greylisting to maintain
a list of spamtrap destination addresses in the spamd database. When
a spamtrap address gets an attempted greylist delivery, blacklist the
offending host for a day. Does not affect hosts already whitelisted.

ok deraadt@, jmc@, dhartmei@ to get it in so it can be whacked on


# 1.52 19-Jan-2005 deraadt

clarification; ok beck


# 1.51 05-Oct-2004 beck

Change the default passtime to 25 minutes,
MTAs with a quadratic retry schedule have a retry after 26 minutes, and
then again after an hour, so this probably makes a lot more sense than the
old 30 minute default.

ok henning@


# 1.50 05-Oct-2004 beck

change default to 451 for greylisting, thanks to a number of
people on misc, and some observations by Evan Harris on the greylisting
mailing list that a number of clustered mailers like aol behave better
(and retry from the same IP) when they see a 451, but do not when
they see a 450 (traditionally used for mailbox lock failure)

450 was the original for spamd, as the default for the tarpit is to
encourage quick retries to punish blacklisted smtp servers more. This
got carried over to the greylisting implementation, and isn't really
optimal for that case.

ok millert@, henning@, todd@


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE
# 1.49 16-Mar-2004 jmc

sort options and escape a minus sign;


# 1.48 15-Mar-2004 beck

Add -B option, with maxblack limit to limit the number of blacklist
connections to something less than maxcon when greylisting. This ensures
you don't completely run out of connections tarpitting spammers, and not
allow real mail through.
ok dhartmei@ millert@


# 1.47 12-Mar-2004 jmc

sort options;


# 1.46 12-Mar-2004 beck

Fix typo, spotted by Eduardo Alvarenga <eduardo@eduardo.lan.cei>
ok xsa@ henning@


# 1.45 10-Mar-2004 beck

add -b option to specify local bind address, sent by
yongari@kt-is.co.kr
ok deraadt@


# 1.44 01-Mar-2004 xsa

typo; we do have spamlogd(8) not spamlog(8);
ok beck@


# 1.43 26-Feb-2004 beck

Add -g option for greylisting support for spamd. The greylisting technique
originates from a paper by Evan Harris which can be found at
http://projects.puremagic.com/greylisting/. This implementation makes
spamd allow for non-blacklisted addresses to be treated as "greylisted",
where they are tracked in a db file, and whitelisted by addition to a
pf table when the same envelope from and to are retried from the same
source IP address. Testing by many, ok deraadt@


# 1.42 21-Jan-2004 deraadt

the example should use 'rdr pass' so that you do not have to open 8025 to
the outside world -- in fact 'rdr pass' was designed for this, but once
again someone forgot to update the bloody man page; mcbride ok


# 1.41 23-Oct-2003 jmc

- add -v to SYNOPSIS
- new sentence, new line
- .Dv for variables
- fix .Xr


# 1.40 22-Oct-2003 beck

make logging less verbose by default - default logs connect, disconnect
and blacklist matches. Add -v (verbose) flag to allow other detailed
logging (subject, body, smtp dialogue, etc.) when it's needed.
ok dhartmei@ -> ok deraadt@


# 1.39 25-Sep-2003 jmc

- add .Bk/.Ek to SYNOPSIS
- use -offset rather than indenting the actual display
- kill unnecessary .Pp


# 1.38 24-Sep-2003 deraadt

crank max connections to 800 (really, there are people doing this)


Revision tags: OPENBSD_3_4_BASE
# 1.37 03-Sep-2003 tedu

permit the window/receive buffer to be adjustable. default back to system
default. in response to pr3435. ok beck deraadt dhartmei


# 1.36 23-Aug-2003 dhartmei

add -s to specify stuttering delay, set receive buffer size to 1 byte
(causing a small TCP window size, tying up sender's resources), additional
states: keep connection until ten body lines have been received, improved
logging through syslog (envelope from/to, From:/To:/Subject: in header,
first lines of body) at various levels. ok deraadt@


# 1.35 02-Jun-2003 jmc

- remove .Pp's before .Sh
- correct .Xr
- .Ox instead of OpenBSD
- whitespace between punctuation


# 1.34 12-Apr-2003 deraadt

attempt not to wrap a line, bad nroff


Revision tags: OPENBSD_3_3_BASE
# 1.33 20-Mar-2003 david

cmdline options and descriptions in alphabetical order in usage() and manpage
add arguments to the flags that take them in the DESCRIPTION
add "inet" to the rdr rule example to match etc/pf.conf example

ok dhartmei@ henning@


# 1.32 18-Mar-2003 david

duplicate words: on on, in in
ok miod@ jmc@


# 1.31 15-Mar-2003 pvalchev

spamd is running on port 8025, not 25; from Adrian Knoth


# 1.30 13-Mar-2003 henning

correct table usage in rdr example, spotted by todd


# 1.29 11-Mar-2003 david

EOL whitespace
ok jmc@


# 1.28 11-Mar-2003 david

new sentence, new line
ok beck@


# 1.27 09-Mar-2003 pvalchev

also mention max connections default; ok deraadt


# 1.26 09-Mar-2003 pvalchev

mention error code 450 is default; ok deraadt


# 1.25 09-Mar-2003 beck

Fix a few typos, Make spamd and spamd-setup use /etc/services to find
their ports. Adds "spamd" and "spamd-cfg" services to /etc/services.
Mostly from Daniel Lucq <daniel@lucq.org>.


# 1.24 08-Mar-2003 beck

remove some more ambiguous bs


# 1.23 08-Mar-2003 jmc

spamd typos;

ok beck@


# 1.22 06-Mar-2003 henning

can be can be, but also may not be, or cannot be, and in any case can be
once is better than can be can be
guess who found that? yeah, David Krause, again. great!


# 1.21 06-Mar-2003 david

date should be written formally: .Dd Month day, year
ok henning@ jmc@


# 1.20 06-Mar-2003 david

new sentence, new line
(fixes some sentences with only 1 space between)
ok henning@


# 1.19 06-Mar-2003 henning

pasto, from thierry, who does not want to be a pf-like committer ;-)


# 1.18 04-Mar-2003 henning

typos; Daniel Lucq


# 1.17 04-Mar-2003 deraadt

spam not SPAM; nick@electric-pickle.net


# 1.16 03-Mar-2003 cedric

"an table" -> "a table", add persist keyword.
ok deraadt@


# 1.15 02-Mar-2003 deraadt

more tweaking


# 1.14 02-Mar-2003 deraadt

more


# 1.13 02-Mar-2003 deraadt

knf


# 1.12 02-Mar-2003 beck

Spamd changes to add blacklist awareness to spamd, new spamd-setup.pl
which configures individual blacklist sources and deals with whitelists.
Perl still needs some stylistic changes as suggested by bmc which will go
in shortly.
ok deraadt@


# 1.11 26-Feb-2003 david

start new sentence on a new line
ok mpech@


# 1.10 13-Feb-2003 jmc

typos;

setextattr(8): example markus@
spamd(8): someone else found some of these on bugs/misc, but for the life
of me i can't find out who
pf.conf(5): from openbsd@davidkrause.com
raidctl(8): from ian@darwinsys.com


# 1.9 10-Feb-2003 dhartmei

Add "inet proto tcp" to the last rdr example, it produces a syntax error
otherwise. Found by David Norman.


# 1.8 20-Jan-2003 deraadt

typos; alan@alanday.com


# 1.7 01-Jan-2003 deraadt

the the; bsd@openbsd.rutgers.edu


# 1.6 31-Dec-2002 avsm

fxi som tpyos


# 1.5 31-Dec-2002 dhartmei

Mention pf rdr rules and anchors.


# 1.4 25-Dec-2002 deraadt

remove nasty verbiage


# 1.3 23-Dec-2002 deraadt

minor minor tweaks; mjc@bitz.ca


# 1.2 21-Dec-2002 deraadt

fixes; openbsd@davidkrause.com


# 1.1 21-Dec-2002 deraadt

spamd: work in progress


a list of spamtrap destination addresses in the spamd database. When
a spamtrap address gets an attempted greylist delivery, blacklist the
offending host for a day. Does not affect hosts already whitelisted.

ok deraadt@, jmc@, dhartmei@ to get it in so it can be whacked on


# 1.52 19-Jan-2005 deraadt

clarification; ok beck


# 1.51 05-Oct-2004 beck

Change the default passtime to 25 minutes,
MTAs with a quadratic retry schedule have a retry after 26 minutes, and
then again after an hour, so this probably makes a lot more sense than the
old 30 minute default.

ok henning@


# 1.50 05-Oct-2004 beck

change default to 451 for greylisting, thanks to a number of
people on misc, and some observations by Evan harris on the greylisting
mailing list that a number of clustered mailers like aol behave better
(and retry from the same IP) when they see a 451, but do not when
they see a 450 (traditionally used for mailbox lock failure)

450 was the original for spamd, as the default for the tarpit is to
encourage quick retries to punish blacklisted smtp servers more. This
got carried over to the greylisting implementation, and isn't really
optimal for that case.

ok millert@, henning@, todd@


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE
# 1.49 16-Mar-2004 jmc

sort options and escape a minus sign;


# 1.48 15-Mar-2004 beck

Add -B option, with maxblack limit to limit the number of blacklist
connections to something less than maxcon when greylisting. This ensures
you don't completely run out of connections tarpitting spammers, and end up
not allowing real mail through.
ok dhartmei@ millert@


# 1.47 12-Mar-2004 jmc

sort options;


# 1.46 12-Mar-2004 beck

Fix typo, spotted by Eduardo Alvarenga <eduardo@eduardo.lan.cei>
ok xsa@ henning@


# 1.45 10-Mar-2004 beck

add -b option to specify local bind address, sent by
yongari@kt-is.co.kr
ok deraadt@


# 1.44 01-Mar-2004 xsa

typo; we do have spamlogd(8) not spamlog(8);
ok beck@


# 1.43 26-Feb-2004 beck

Add -g option for greylisting support for spamd. The greylisting technique
originates from a paper by Evan Harris which can be found at
http://projects.puremagic.com/greylisting/. This implementation makes
spamd allow for non-blacklisted addresses to be treated as "greylisted",
where they are tracked in a db file, and whitelisted by addition to a
pf table when the same envelope from and to are retried from the same
source IP address. Testing by many, ok deraadt@
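
The entries above (1.43 on greylisting, 1.72 on HELO/EHLO being part of the tuple, 1.51 on the 25 minute passtime, 1.50 on 451 versus 450, and 1.53 on greytrapping) describe the decision spamd makes per connection without showing it in one place. The following is an added illustration written for this log, not OpenBSD's spamd code: a small in-memory model of that state machine. The class name, the exact-match tuple comparison and the 24 hour greytrap expiry are assumptions for the example; the real daemon also expires grey and white entries, stutters, and tracks these in a db file and a pf table, none of which is modelled here.

```python
"""Model of spamd greylisting decisions (added example, not OpenBSD code)."""
from dataclasses import dataclass, field

PASSTIME = 25 * 60          # 1.51: default passtime is 25 minutes
TRAP_BLACKLIST = 24 * 3600  # 1.53: a greytrapped host is blacklisted for a day
                            # (exact duration here is an assumption)


@dataclass
class GreylistDB:
    """Tracks grey tuples, the whitelist (stand-in for the pf table),
    the trap blacklist and the spamtrap addresses. Times are seconds."""
    passtime: int = PASSTIME
    grey: dict = field(default_factory=dict)     # (ip, helo, from, to) -> first seen
    white: dict = field(default_factory=dict)    # ip -> time whitelisted
    black: dict = field(default_factory=dict)    # ip -> blacklist expiry
    spamtraps: set = field(default_factory=set)  # destination addresses that trap

    def classify(self, ip, helo, mail_from, rcpt_to, now):
        """Return (verdict, smtp_code); verdict is "white", "grey" or "black".
        A whitelisted host is not proxied at all, so its code is None."""
        # Drop an expired trap blacklisting before looking at the host.
        if ip in self.black and self.black[ip] <= now:
            del self.black[ip]

        # 1.53: greytrapping does not affect hosts already whitelisted.
        if ip in self.white:
            return "white", None

        # 1.50: blacklisted hosts get 450 in the tarpit to encourage
        # quick retries, which punishes them more.
        if ip in self.black:
            return "black", 450

        # 1.53: an attempted delivery to a spamtrap address blacklists
        # the host for a day.
        if rcpt_to in self.spamtraps:
            self.black[ip] = now + TRAP_BLACKLIST
            return "black", 450

        # 1.72 / 1.43: the tuple is source IP, HELO/EHLO, envelope from
        # and envelope to. Exact string comparison is an assumption here.
        key = (ip, helo, mail_from, rcpt_to)
        first = self.grey.get(key)
        if first is None:
            self.grey[key] = now
            return "grey", 451          # 1.50: 451 keeps clustered MTAs retrying from the same IP
        if now - first < self.passtime:
            return "grey", 451          # retried too early, stays greylisted

        # Same tuple retried after passtime: whitelist the source IP and
        # forget its grey entries (the real daemon adds it to the pf table).
        self.white[ip] = now
        self.grey = {k: v for k, v in self.grey.items() if k[0] != ip}
        return "white", None


def scenario():
    """Constructed walkthrough: one legitimate MTA and one trap hit."""
    db = GreylistDB()
    db.spamtraps.add("trap@example.org")
    good = ("192.0.2.1", "mx.example.net", "a@example.net", "b@example.org")
    bad = ("198.51.100.7", "x", "s@spam.example", "trap@example.org")
    return [
        db.classify(*good, now=0),        # first attempt: greylisted
        db.classify(*good, now=600),      # 10 min later: still grey
        db.classify(*good, now=1600),     # after passtime: whitelisted
        db.classify(*bad, now=0),         # spamtrap hit: blacklisted
        db.classify("198.51.100.7", "x", "s@spam.example", "b@example.org", now=100),
    ]


if __name__ == "__main__":
    for verdict, code in scenario():
        print(verdict, code)
```

Run the file to see the sequence grey/451, grey/451, white/None, black/450, black/450; the last result shows that once a host is trapped, ordinary destinations are refused too until the blacklisting expires.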


# 1.42 21-Jan-2004 deraadt

the example should use 'rdr pass' so that you do not have to open 8025 to
the outside world -- in fact 'rdr pass' was designed for this, but once
again someone forgot to update the bloody man page; mcbride ok


# 1.41 23-Oct-2003 jmc

- add -v to SYNOPSIS
- new sentence, new line
- .Dv for variables
- fix .Xr


# 1.40 22-Oct-2003 beck

make logging less verbose by default - default logs connect, disconnect
and blacklist matches. Add -v (verbose) flag to allow other detailed
logging (subject, body, smtp dialogue, etc.) when it's needed.
ok dhartmei@ -> ok deraadt@


# 1.39 25-Sep-2003 jmc

- add .Bk/.Ek to SYNOPSIS
- use -offset rather than indenting the actual display
- kill unnecessary .Pp


# 1.38 24-Sep-2003 deraadt

crank max connections to 800 (really, there are people doing this)


Revision tags: OPENBSD_3_4_BASE
# 1.37 03-Sep-2003 tedu

permit the window/receive buffer to be adjustable. default back to system
default. in response to pr3435. ok beck deraadt dhartmei


# 1.36 23-Aug-2003 dhartmei

add -s to specify stuttering delay, set receive buffer size to 1 byte
(causing a small TCP window size, tying up sender's resources), additional
states: keep connection until ten body lines have been received, improved
logging through syslog (envelope from/to, From:/To:/Subject: in header,
first lines of body) at various levels. ok deraadt@


# 1.35 02-Jun-2003 jmc

- remove .Pp's before .Sh
- correct .Xr
- .Ox instead of OpenBSD
- whitespace between punctuation


# 1.34 12-Apr-2003 deraadt

attempt not to wrap a line, bad nroff


Revision tags: OPENBSD_3_3_BASE
# 1.33 20-Mar-2003 david

cmdline options and descriptions in alphabetical order in usage() and manpage
add arguments to the flags that take them in the DESCRIPTION
add "inet" to the rdr rule example to match etc/pf.conf example

ok dhartmei@ henning@


# 1.32 18-Mar-2003 david

duplicate words: on on, in in
ok miod@ jmc@


# 1.31 15-Mar-2003 pvalchev

spamd is running on port 8025, not 25; from Adrian Knoth


# 1.30 13-Mar-2003 henning

correct table usage in rdr example, spotted by todd


# 1.29 11-Mar-2003 david

EOL whitespace
ok jmc@


# 1.28 11-Mar-2003 david

new sentence, new line
ok beck@


# 1.27 09-Mar-2003 pvalchev

also mention max connections default; ok deraadt


# 1.26 09-Mar-2003 pvalchev

mention error code 450 is default; ok deraadt


# 1.25 09-Mar-2003 beck

Fix a few typos, Make spamd and spamd-setup use /etc/services to find
their ports. Adds "spamd" and "spamd-cfg" services to /etc/services.
Mostly from Daniel Lucq <daniel@lucq.org>.


# 1.24 08-Mar-2003 beck

remove some more ambiguous bs


# 1.23 08-Mar-2003 jmc

spamd typos;

ok beck@


# 1.22 06-Mar-2003 henning

can be can be, but also may not be, or cannot be, and in any case can be
once is better than can be can be
guess who found that? yeah, David Krause, again. great!


# 1.21 06-Mar-2003 david

date should be written formally: .Dd Month day, year
ok henning@ jmc@


# 1.20 06-Mar-2003 david

new sentence, new line
(fixes some sentences with only 1 space between)
ok henning@


# 1.19 06-Mar-2003 henning

pasto, from thierry, who does not want to be a pf-like committer ;-)


# 1.18 04-Mar-2003 henning

typos; Daniel Lucq


# 1.17 04-Mar-2003 deraadt

spam not SPAM; nick@electric-pickle.net


# 1.16 03-Mar-2003 cedric

"an table" -> "a table", add persist keyword.
ok deraadt@


# 1.15 02-Mar-2003 deraadt

more tweaking


# 1.14 02-Mar-2003 deraadt

more


# 1.13 02-Mar-2003 deraadt

knf


# 1.12 02-Mar-2003 beck

Spamd changes to add blacklist awareness to spamd, new spamd-setup.pl
which configures individual blacklists sources and deals with whitelists.
Perl still needs some stylistic changes as suggested by bmc which will go
in shortly.
ok deraadt@


# 1.11 26-Feb-2003 david

start new sentence on a new line
ok mpech@


# 1.10 13-Feb-2003 jmc

typos;

setextattr(8): example markus@
spamd(8): someone else found some of these on bugs/misc, but for the life
of me i can't find out who
pf.conf(5): from openbsd@davidkrause.com
raidctl(8): from ian@darwinsys.com


# 1.9 10-Feb-2003 dhartmei

Add "inet proto tcp" to the last rdr example, it produces a syntax error
otherwise. Found by David Norman.


# 1.8 20-Jan-2003 deraadt

typos; alan@alanday.com


# 1.7 01-Jan-2003 deraadt

the the; bsd@openbsd.rutgers.edu


# 1.6 31-Dec-2002 avsm

fxi som tpyos


# 1.5 31-Dec-2002 dhartmei

Mention pf rdr rules and anchors.


# 1.4 25-Dec-2002 deraadt

remove nasty verbiage


# 1.3 23-Dec-2002 deraadt

minor minor tweaks; mjc@bitz.ca


# 1.2 21-Dec-2002 deraadt

fixes; openbsd@davidkrause.com


# 1.1 21-Dec-2002 deraadt

spamd: work in progress