
Re: 7. BCP - Mail Administrators: Checking HELO (was: [Asrg] 0. General - Administrative - for M. Wild)

2003-09-02 20:19:49
On Tue, Sep 02, 2003 at 11:13:25PM +0200, Brad Knowles wrote

  How about total lack of rDNS ?  I block on that, not on mismatching
rDNS.

      Can you be sure?  If Dean Anderson were to send you a mail 
message from his mis-configured machines in av8.com (e.g., 
concorde.av8.net -> 130.105.11.50 -> relay1.av8.net, or 
concorde.av8.com -> 130.105.11.3 -> concorde.av8.net -> 130.105.11.50 
& 130.105.11.3), would you accept or reject that message on the basis 
of the way he has reverse DNS set up?  What method have you used to 
ensure that this is the case?

      I ask this because the postfix option of reject_unknown_client 
will reject a connection for either non-existent rDNS or incorrect 
rDNS.  Many IP addresses will have essentially useless rDNS defined 
for them by their ISP, even if the person using that IP address is 
totally unaware of this fact.  Are you sure that your code (or 
sendmail itself) doesn't do the same?

  It's not "my" code.  I'm a customer of clss.net.  They run a modified
Qmail that parses a config file in the customer's home directory after
the RCPT: stage. (I don't admin the MTA, I admin the filters for my
account).  Any email that the config file decides to reject gets the
big 550 before the DATA: stage.  There are 3 different rules that might
apply here.  Direct quotes from "man dnsblfilter"...


       PARANOID reply
              If the sending IP address has a reverse DNS pointer
              that is not matched by a forward (address)  record,
              reply is printed and the message is rejected.

       REJECTNOHOSTNAME reply
              If the sending IP address has no name in any avail-
              able address-to-name database, reply is printed and
              the message is rejected.

       SUPERPARANOID reply
              If the sending IP address has no  name,  or  has  a
              reverse  DNS  pointer that is not matched by a for-
              ward (address) record, reply  is  printed  and  the
              message is rejected. This is equivalent to PARANOID
              combined with REJECTNOHOSTNAME.

  I use REJECTNOHOSTNAME in my ruleset.  It catches really gross stuff
where there simply is no rDNS period.  For instance...

[waltdnes(_at_)m450 waltdnes]$ host 192.168.1.1
Host 1.1.168.192.in-addr.arpa not found: 3(NXDOMAIN)

  Let's look at Dean's setup...

[waltdnes(_at_)m450 waltdnes]$ host concorde.av8.net
concorde.av8.net has address 130.105.11.3
concorde.av8.net has address 130.105.11.50

  Looks like a load-balancing act.  How do each of the two addresses
work out ?

[waltdnes(_at_)m450 waltdnes]$ host 130.105.11.3
3.11.105.130.in-addr.arpa domain name pointer concorde.av8.net.

  That one looks OK.

[waltdnes(_at_)m450 waltdnes]$ host 130.105.11.50
50.11.105.130.in-addr.arpa domain name pointer relay1.av8.net.
[waltdnes(_at_)m450 waltdnes]$ host relay1.av8.net
relay1.av8.net has address 130.105.11.50

  What's wrong with this one ?  130.105.11.50 has a name (different from
the original name) that resolves back to 130.105.11.50.  I don't see
how this is "misconfigured", unless all load-balancing is considered to
be misconfiguration.

-- 
Walter Dnes <waltdnes(_at_)waltdnes(_dot_)org>
Email users are divided into two classes;
1) Those who have effective spam-blocking
2) Those who wish they did

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
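The three dnsblfilter rules quoted above, and the forward-confirmed reverse DNS (FCrDNS) logic that distinguishes them, implemented as an added example for this thread (it is not dnsblfilter's code, nor clss.net's). The DNS answers are a constructed in-memory table that reproduces the av8.net records shown in the post (130.105.11.3 and 130.105.11.50 with their PTR and A records), the 192.168.1.1 address with no PTR at all, and one invented address, 198.51.100.7, whose PTR name forward-resolves somewhere else. The function names, the `Rule` enum, the 550 reply text and the stricter `helo_matches_ptr` check are this example's own assumptions, added to show why a "HELO must equal PTR" rule would reject the load-balanced av8.net host that FCrDNS accepts.

```python
"""FCrDNS policy checks modelled on the PARANOID / REJECTNOHOSTNAME /
SUPERPARANOID rules quoted from "man dnsblfilter" in the thread.

All DNS data below is constructed and looked up in memory; a real MTA
filter would query PTR and A records over the network instead."""
from enum import Enum

# Constructed reverse zone: address -> PTR name.
PTR_RECORDS = {
    "130.105.11.3": "concorde.av8.net",
    "130.105.11.50": "relay1.av8.net",
    # 192.168.1.1 deliberately absent: the reverse lookup is NXDOMAIN.
    "198.51.100.7": "mail.example.test",  # invented: PTR points to a name whose A record is elsewhere
}

# Constructed forward zone: name -> A records (concorde.av8.net is load-balanced).
A_RECORDS = {
    "concorde.av8.net": ["130.105.11.3", "130.105.11.50"],
    "relay1.av8.net": ["130.105.11.50"],
    "mail.example.test": ["198.51.100.8"],
}


def ptr_lookup(ip):
    return PTR_RECORDS.get(ip)


def a_lookup(name):
    return A_RECORDS.get(name, [])


class Rule(Enum):
    PARANOID = "PARANOID"
    REJECTNOHOSTNAME = "REJECTNOHOSTNAME"
    SUPERPARANOID = "SUPERPARANOID"


def has_hostname(ip):
    """REJECTNOHOSTNAME test: does any address-to-name record exist?"""
    return ptr_lookup(ip) is not None


def forward_confirmed(ip):
    """PARANOID test: the PTR name, if there is one, must have an A record
    that includes the sending address.  A missing PTR passes here because
    PARANOID, as documented, only fires on a pointer that is not matched."""
    name = ptr_lookup(ip)
    if name is None:
        return True
    return ip in a_lookup(name)


def evaluate(rule, ip):
    """Return None to accept the client, or the 550 reply text to reject it."""
    if rule is Rule.REJECTNOHOSTNAME:
        rejects = not has_hostname(ip)
    elif rule is Rule.PARANOID:
        rejects = not forward_confirmed(ip)
    elif rule is Rule.SUPERPARANOID:
        rejects = not has_hostname(ip) or not forward_confirmed(ip)
    else:
        raise ValueError(f"unknown rule {rule!r}")
    return f"550 {rule.value}: reverse DNS policy failure for {ip}" if rejects else None


def helo_matches_ptr(ip, helo):
    """Hypothetical stricter rule, NOT one of dnsblfilter's: require the HELO
    name to equal the PTR name.  It rejects 130.105.11.50 announcing itself
    as concorde.av8.net even though that host passes FCrDNS."""
    return ptr_lookup(ip) == helo.lower().rstrip(".")


if __name__ == "__main__":
    for ip in sorted(PTR_RECORDS.keys() | {"192.168.1.1"}):
        for rule in Rule:
            print(f"{rule.value:17} {ip:15} -> {evaluate(rule, ip) or 'accept'}")
    fcrdns_ok = evaluate(Rule.SUPERPARANOID, "130.105.11.50") is None
    print("HELO concorde.av8.net from 130.105.11.50: FCrDNS",
          "accept" if fcrdns_ok else "reject",
          "/ strict HELO==PTR", helo_matches_ptr("130.105.11.50", "concorde.av8.net"))
```

Running it shows the point of the post: both av8.net addresses are accepted by all three rules, because each PTR name forward-resolves back to its own address, and only the strict HELO-equals-PTR check, which none of the quoted rules performs, would call the load-balanced host misconfigured. The invented 198.51.100.7 entry is the case PARANOID exists for: a PTR that points at a name whose A record does not include the sending address.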
