On Tue, Sep 02, 2003 at 11:13:25PM +0200, Brad Knowles wrote
> > How about total lack of rDNS? I block on that, not on mismatching
> > rDNS.
>
> Can you be sure? If Dean Anderson were to send you a mail
> message from his mis-configured machines in av8.com (e.g.,
> concorde.av8.net -> 130.105.11.50 -> relay1.av8.net, or
> concorde.av8.com -> 130.105.11.3 -> concorde.av8.net -> 130.105.11.50
> & 130.105.11.3), would you accept or reject that message on the basis
> of the way he has reverse DNS set up? What method have you used to
> ensure that this is the case?
>
> I ask this because the postfix option of reject_unknown_client
> will reject a connection for either non-existent rDNS or incorrect
> rDNS. Many IP addresses will have essentially useless rDNS defined
> for them by their ISP, even if the person using that IP address is
> totally unaware of this fact. Are you sure that your code (or
> sendmail itself) doesn't do the same?
It's not "my" code. I'm a customer of clss.net. They run a modified
Qmail that parses a config file in the customer's home directory after
the RCPT: stage. (I don't admin the MTA, I admin the filters for my
account.) Any email that the config file decides to reject gets the
big 550 before the DATA: stage. There are 3 different rules that might
apply here. Direct quotes from "man dnsblfilter"...
    PARANOID reply
        If the sending IP address has a reverse DNS pointer
        that is not matched by a forward (address) record,
        reply is printed and the message is rejected.

    REJECTNOHOSTNAME reply
        If the sending IP address has no name in any available
        address-to-name database, reply is printed and
        the message is rejected.

    SUPERPARANOID reply
        If the sending IP address has no name, or has a
        reverse DNS pointer that is not matched by a forward
        (address) record, reply is printed and the
        message is rejected. This is equivalent to PARANOID
        combined with REJECTNOHOSTNAME.
I use REJECTNOHOSTNAME in my ruleset. It catches really gross stuff
where there simply is no rDNS, period. For instance...
[waltdnes(_at_)m450 waltdnes]$ host 192.168.1.1
Host 1.1.168.192.in-addr.arpa not found: 3(NXDOMAIN)
Let's look at Dean's setup...
[waltdnes(_at_)m450 waltdnes]$ host concorde.av8.net
concorde.av8.net has address 130.105.11.3
concorde.av8.net has address 130.105.11.50
Looks like a load-balancing act. How does each of the two addresses
work out?
[waltdnes(_at_)m450 waltdnes]$ host 130.105.11.3
3.11.105.130.in-addr.arpa domain name pointer concorde.av8.net.
That one looks OK.
[waltdnes(_at_)m450 waltdnes]$ host 130.105.11.50
50.11.105.130.in-addr.arpa domain name pointer relay1.av8.net.
[waltdnes(_at_)m450 waltdnes]$ host relay1.av8.net
relay1.av8.net has address 130.105.11.50
What's wrong with this one? 130.105.11.50 has a name (different from
the original name) that resolves back to 130.105.11.50. I don't see
how this is "misconfigured", unless all load-balancing is considered to
be misconfiguration.
--
Walter Dnes <waltdnes(_at_)waltdnes(_dot_)org>
Email users are divided into two classes;
1) Those who have effective spam-blocking
2) Those who wish they did
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
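The distinction the message turns on is between "the IP has no PTR at all" and "the PTR name does not forward-resolve back to the IP" (forward-confirmed reverse DNS). The three dnsblfilter rules quoted above are three combinations of those two tests. The script below, an added example and not code from clss.net's MTA, from dnsblfilter or from Walter's filters, implements the two tests and the three rules over an in-memory DNS table so it runs offline. The av8.net entries and the 192.168.1.1 NXDOMAIN mirror the `host` output in the message; the 198.51.100.7 / mail.example.org / 203.0.113.9 entries are constructed (RFC 5737 documentation addresses) purely to exercise the "PTR exists but is not forward-confirmed" branch, which none of the addresses in the message actually hits. The `Rule` names, `check()` and the 550 reply wording are this example's own, not dnsblfilter's.

```python
"""Forward-confirmed reverse DNS checks modelled on the three dnsblfilter
rules quoted in the message (PARANOID, REJECTNOHOSTNAME, SUPERPARANOID).

Added example; not the MTA's or dnsblfilter's own code.  The lookup
functions are injectable so the same rule logic can sit on top of a real
resolver; the defaults consult a constructed table so the script is
deterministic and needs no network.
"""
from enum import Enum
import socket

# Constructed address-to-name data.  None models NXDOMAIN.
PTR_TABLE = {
    "130.105.11.3": "concorde.av8.net",   # from `host 130.105.11.3` in the message
    "130.105.11.50": "relay1.av8.net",    # from `host 130.105.11.50` in the message
    "192.168.1.1": None,                  # NXDOMAIN, as in the message
    "198.51.100.7": "mail.example.org",   # constructed: PTR whose A record points elsewhere
}

# Constructed name-to-address data.
A_TABLE = {
    "concorde.av8.net": {"130.105.11.3", "130.105.11.50"},  # from the message
    "relay1.av8.net": {"130.105.11.50"},                     # from the message
    "mail.example.org": {"203.0.113.9"},                     # constructed: lacks 198.51.100.7
}


def table_reverse(ip):
    """PTR lookup against the constructed table; None means no name."""
    return PTR_TABLE.get(ip)


def table_forward(name):
    """A lookup against the constructed table; empty set means no address."""
    return A_TABLE.get(name, set())


def live_reverse(ip):
    """PTR lookup against the real resolver (not used by the offline run)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None


def live_forward(name):
    """A/AAAA lookup against the real resolver (not used by the offline run)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


class Rule(Enum):
    PARANOID = "PARANOID"                   # reject PTR that is not forward-confirmed
    REJECTNOHOSTNAME = "REJECTNOHOSTNAME"   # reject missing PTR
    SUPERPARANOID = "SUPERPARANOID"         # both of the above


def classify(ip, reverse=table_reverse, forward=table_forward):
    """Return (has_name, forward_confirmed) for the sending IP.

    forward_confirmed is True only when the PTR name's address records
    include the IP we started from.  A name that maps to a *different*
    address, or to nothing, is a PTR that is not matched by a forward
    record in dnsblfilter's terms.
    """
    name = reverse(ip)
    if name is None:
        return False, False
    return True, ip in forward(name)


def check(ip, rule, reverse=table_reverse, forward=table_forward):
    """Apply one rule.  Return None to accept, or a 550 reply to reject
    before DATA, as the message describes the MTA doing."""
    has_name, confirmed = classify(ip, reverse, forward)
    if rule in (Rule.REJECTNOHOSTNAME, Rule.SUPERPARANOID) and not has_name:
        return f"550 {ip} has no reverse DNS name"
    # PARANOID only fires when a pointer exists; a missing pointer is
    # REJECTNOHOSTNAME's business, which is why the two are separate knobs.
    if rule in (Rule.PARANOID, Rule.SUPERPARANOID) and has_name and not confirmed:
        return f"550 reverse DNS for {ip} is not forward-confirmed"
    return None


def matrix(ips=("130.105.11.3", "130.105.11.50", "192.168.1.1", "198.51.100.7")):
    """Verdict of every rule for every sample IP: {ip: {rule name: reply or None}}."""
    return {ip: {rule.value: check(ip, rule) for rule in Rule} for ip in ips}


if __name__ == "__main__":
    for ip, verdicts in matrix().items():
        for rule, reply in verdicts.items():
            print(f"{ip:15} {rule:17} {'accept' if reply is None else reply}")
```

The run bears out the message's reading of the av8.net setup: 130.105.11.50 has a PTR of relay1.av8.net, relay1.av8.net has an address record of 130.105.11.50, so the pointer is matched by a forward record and all three rules accept it; the fact that 130.105.11.50 is also one of concorde.av8.net's addresses never enters the check. 192.168.1.1 is rejected only by the two rules that include REJECTNOHOSTNAME, and the constructed 198.51.100.7 is rejected only by the two that include PARANOID. To run the same logic against real DNS, pass `reverse=live_reverse, forward=live_forward` to `check()`; note that `socket.gethostbyaddr()` on its own returns a name without confirming it, which is the gap `classify()` closes.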