greyd's People

Contributors

luther7, mikey-austin

greyd's Issues

Make haproxy firewall driver

The new proxy protocol support in greyd enables it to accept connections from haproxy (and amazon elastic load balancer, etc.) and function correctly, however, this is not enough for greyd to run in "modern" cloud environments. An haproxy greyd firewall driver can be made that syncs its whitelist (or blacklists if run in blacklist only mode) to an haproxy stick table/in memory map which can then be used to make the necessary routing decisions (which are now done via iptables PREROUTING rules). This is the final missing piece before greyd can run in a "cloud native" context.

It misses guidance to enable firewall redirections.

Hi,

I started postfix on loopback listening at 25. Same for greyd on 8025. And I created the following rules:

iptables -t nat -A PREROUTING -p tcp --dport 25 -d -j REDIRECT --to-port 8025

It works fine, but I guess I need to create some chain to allow a connection toward port 25 on white list. If I manually add a rule before that one, like:

iptables -t nat -A PREROUTING -p tcp -s --dport 25 -d -j REDIRECT --to-port 25

But I guess it should be automatic. I miss some direction about that. Can you help me?

Create a README file

Listing what it is, current status/readiness, how to set up and use, as well as why it's created (what problems it's solving) and maybe a bit about alternatives that exist (OpenBSD greyd) and the competition (other ports/other software).

Looks nice, but it's hard knowing anything about it without the README :)

Add all database options to CI test suite

The BDB SQL tests were temporarily removed in 7218f1d due to the berkeley db library not cleaning up memory properly and making valgrind unhappy, which reports an error. Fix this somehow (maybe by ignoring this valgrind error message somehow) and enable the other database drivers such as mysql and postgres.

Make alpine package

Make an alpine linux package for greyd in a similar manner to the existing centos 7 packages.

  • Make an alpine linux package building docker image
  • Make sure all of the dependencies are available and greyd builds there
  • Publish the artifacts via https somewhere, preferably on the greyd repo site

The small image sizes are pretty attractive and would be good for running the unit tests in the CI jobs.

Dockerize greyd and push to dockerhub

Make an "official" greyd docker image and push to github. This image can be used for running the CI tests in travis as well as running in kubernetes. This is now feasible due to the new proxy protocol support which allows greyd to accept connections from proxy protocol supporting load balancers (eg haproxy, nginx, etc.).

dnsbl/rbl

During my search for an IPv6 patch I found your project and the SPF part is quite nice. What do you think about implementing RBL/DNSBL?

thanks

ltdl.h fix

Hi! There is a bug in a couple of distros with libltdl:
ltdl.h defines lt__PROGRAM__LTX_preloaded_symbols, but in libltdl.so it is marked as lt_libltdl_LTX_preloaded_symbols.
To fix this, add

#define lt__PROGRAM__LTX_preloaded_symbols lt_libltdl_LTX_preloaded_symbols

to the top of src/mod.c

Can't create greyd.db

Hi,

If I leave the directory empty, it complains about non-existent file:

could not open /var/greyd/greyd.db: unable to open database file

and it doesn't create it at all.
If I manually "touch" such file, it fails as well:

db txn start failed: attempt to write a readonly database
sqlite3_step: SQL logic error or missing database
db scan failed

I'm using sqlite3, but the same applies to Berkeley DB.

unexpected sqlite3_step result: 1

Hi,

For every check on DB, I'm getting back this error, like this, which failed on SPF verification:

Jul 8 10:14:04 server greyd[28591]: (GREY) 181.44.24.44: [email protected] -> [email protected]
Jul 8 10:14:04 server greyd[28592]: SPF failure for 181.44.24.44 [email protected] helo cpe-181-44-24-44.telecentro-reversos.com.ar
Jul 8 10:14:04 server greyd[28592]: unexpected sqlite3_step result: 1

But it happens always. I just added some information for white and black domains using greydb -[TD] -a "@domain.com". Since this message shows up 4 times in the source code, do you have any clue about what could be the problem?

Error on debian

/usr/local/bin/greyd: symbol lookup error: /usr/local/lib/greyd/greyd_netfilter.so: undefined symbol: nfct_nlmsg_build

cat /etc/debian_version
7.8

installed packages:

[1047] > dpkg --get-selections | grep -v deinstall | grep netfilter
libnetfilter-conntrack-dev install
libnetfilter-conntrack3:amd64 install
libnetfilter-log-dev install
libnetfilter-log1 install

[1048] > dpkg --get-selections | grep -v deinstall | grep libip
libipset-dev install
libipset2:amd64 install
libiptcdata0 install
libiptcdata0-dev install

[1049] > dpkg --get-selections | grep -v deinstall | grep libcap
libcap-dev:amd64 install
libcap-ng0 install
libcap2:amd64 install
libcap2-bin install
[root@debian /var/src/greyd-0.6.1]

nm -D /usr/lib/x86_64-linux-gnu/libnetfilter_conntrack.so.3 | grep nfct_
0000000000006400 T nfct_attr_grp_is_set
00000000000064c0 T nfct_attr_grp_unset
0000000000006130 T nfct_attr_is_set
0000000000006190 T nfct_attr_is_set_array
0000000000006240 T nfct_attr_unset
0000000000006530 T nfct_build_conntrack
00000000000065b0 T nfct_build_query
0000000000005c40 T nfct_callback_register
0000000000005d90 T nfct_callback_register2
0000000000005d20 T nfct_callback_unregister
0000000000005e60 T nfct_callback_unregister2
00000000000067c0 T nfct_catch
0000000000005a90 T nfct_clone
0000000000005470 T nfct_close
00000000000068d0 T nfct_cmp
0000000000006870 T nfct_compare
0000000000006930 T nfct_copy
0000000000006c10 T nfct_copy_attr
0000000000005a00 T nfct_destroy
0000000000005520 T nfct_fd
0000000000006ce0 T nfct_filter_add_attr
0000000000006d80 T nfct_filter_add_attr_u32
0000000000006df0 T nfct_filter_attach
0000000000006ca0 T nfct_filter_create
0000000000006cb0 T nfct_filter_destroy
0000000000006e20 T nfct_filter_detach
0000000000006e50 T nfct_filter_dump_create
0000000000006e60 T nfct_filter_dump_destroy
0000000000006e90 T nfct_filter_dump_set_attr
0000000000006f30 T nfct_filter_dump_set_attr_u8
0000000000006da0 T nfct_filter_set_logic
0000000000005fe0 T nfct_get_attr
0000000000006310 T nfct_get_attr_grp
00000000000060b0 T nfct_get_attr_u16
00000000000060e0 T nfct_get_attr_u32
0000000000006100 T nfct_get_attr_u64
0000000000006080 T nfct_get_attr_u8
0000000000005bf0 T nfct_getobjopt
0000000000005a80 T nfct_maxsize
00000000000059d0 T nfct_new
0000000000005530 T nfct_nfnlh
0000000000005400 T nfct_open
0000000000005310 T nfct_open_nfnl
00000000000065c0 T nfct_parse_conntrack
00000000000066a0 T nfct_query
0000000000006730 T nfct_send
0000000000005ed0 T nfct_set_attr
00000000000062a0 T nfct_set_attr_grp
0000000000005f80 T nfct_set_attr_u16
0000000000005fa0 T nfct_set_attr_u32
0000000000005fc0 T nfct_set_attr_u64
0000000000005f60 T nfct_set_attr_u8
0000000000005ba0 T nfct_setobjopt
0000000000005a50 T nfct_sizeof
00000000000067f0 T nfct_snprintf

Add more test coverage

The following modules need test coverage:

  • the sync module
  • the netfilter firewall driver
