Spamd config on OpenBSD 4.0 PF firewall
After using FreeBSD with first IPFW, then PF as firewall I've decided to try OpenBSD. The reason for not going to Open sooner was the unfamiliarity with both Open and PF, so after setting up PF on Free to get a feel for it I could also move to Open. Two reasons to do this are the most up-to-date version of PF, with spamd integrated, and because I couldn't get GRE proxying working on Free.
After hearing about greylisting with spamd I looked up articles on it and found what seemed to be the right ones at Onlamp and Elwood.net. However, the rules used there prevented my mailserver from sending mail. It did receive just fine, but SMTP timeout errors appeared in the maillogs. Testing it with a telnet session from the firewall to a mailserver confirmed I got the connection, but after sending the EHLO or HELO command nothing happened.
The reason for this was the following two rules:
pass in log inet proto tcp from any to $external_addr port smtp flags S/SA synproxy state
pass out log inet proto tcp from $external_addr to any port smtp flags S/SA synproxy state
I replaced those with the simple:
pass out log on $if_wan proto tcp from ($if_wan) to any port smtp keep state
...and some time later the mail stuck in the queue arrived at my mailbox at Yahoo! and at work.
In short, not all configs found on the internet are suitable for every setup.
The rules used for spamd:
# deny first, then allow
rdr pass on $if_wan proto tcp from <spamd> to ($if_wan) port smtp -> 127.0.0.1 port spamd
rdr pass on $if_wan proto tcp from { <spamd-white>, <spamd-allowed> } to ($if_wan) port smtp -> $mail
rdr pass on $if_wan proto tcp from !<spamd-allowed> to ($if_wan) port smtp -> 127.0.0.1 port spamd
# and the legitimate mail is allowed to the mailserver
pass out on $if_lan proto tcp from any to $mail port smtp keep state
# log outgoing smtp connections for spamd whitelisting
pass out log on $if_wan proto tcp from ($if_wan) to any port smtp keep state
The spamd-allowed table is the manual whitelist file I created from the output of spamdb | grep WHITE. This way I have a preconfigured whitelist in case the spamd whitelist table runs empty or if I set up spamd a second time somewhere.
Download spamd-allowed (short list, will be updated once in a while)
Update:
After using spamd for some months now I've seen the grey list come down from about 20 to nothing. This would mean that spamd has not only been effective in blocking spambots but also in reducing the usage of my email address.
Extra
To replace a table in pf:
pfctl -t spamd-allowed -T replace -f /usr/local/etc/spamd-allowed
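As an added example (not part of the original post), here is a small shell script that does the two steps above in one go: extract the WHITE entries from a spamdb dump into the spamd-allowed file, then load that file into the pf table with pfctl. It assumes the usual spamdb line layout (fields separated by '|', with the record type first and the address second); the sample dump at the bottom is constructed, not real data.

```shell
#!/bin/sh
# Build the spamd-allowed whitelist from spamdb output and load it into pf.
# Assumed spamdb record layout (one record per line, '|'-separated):
#   WHITE|ip|||first|pass|expire|block|pass
#   GREY|ip|helo|from|to|first|pass|expire|block|pass
#   TRAPPED|ip|expire
# Only the WHITE records are wanted; GREY and TRAPPED entries are skipped.

# Print the addresses of all WHITE records read from stdin, de-duplicated
# and sorted (a host can appear more than once across spamdb runs).
extract_whitelist() {
    awk -F'|' '$1 == "WHITE" { print $2 }' | sort -u
}

# Write the whitelist file.
# $1 = destination file; $2 = optional saved spamdb dump to read instead of
# running spamdb itself (useful for rebuilding on another machine).
build_whitelist() {
    dest=$1
    dump=${2:-}
    if [ -n "$dump" ]; then
        extract_whitelist < "$dump" > "$dest"
    else
        spamdb | extract_whitelist > "$dest"
    fi
}

# Replace the contents of the spamd-allowed pf table with the file.
load_table() {
    pfctl -t spamd-allowed -T replace -f "$1"
}

# Constructed sample of spamdb output (documentation addresses, not real hosts).
SAMPLE_SPAMDB='WHITE|192.0.2.10|||1175000000|1175000100|1178000000|0|3
GREY|198.51.100.7|mail.example.net|<a@example.net>|<b@example.org>|1175000200|1175014600|1175014600|1|0
WHITE|203.0.113.5|||1175001000|1175001200|1178001200|0|1
TRAPPED|198.51.100.99|1175100000
WHITE|192.0.2.10|||1175002000|1175002100|1178002100|0|4'

# Number of distinct whitelisted addresses in the sample (expected: 2).
count_sample_whitelisted() {
    printf '%s\n' "$SAMPLE_SPAMDB" | extract_whitelist | wc -l | tr -d ' '
}
```

On the firewall itself, `build_whitelist /usr/local/etc/spamd-allowed && load_table /usr/local/etc/spamd-allowed` refreshes the table from the live spamdb.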