At 17:45 29/09/00 +0200, Vincent de Lau wrote:
> > yes, it sucks, but that's SMTP: it chose to marry DNS a long time ago, and
> > they've not divorced yet :)
>
>Thanks to CIDR, reverse DNS got a very different face. I do not have control
>over my reverse DNS zone, because I'm not the only one that is in that
>network. (netmask /26)
Actually, you don't need the reverse to match anything, so just ask the ISP
to declare your IP address in his reverse database. This is ok except for very
rare situations, and this is part of the service he must provide.
Now, it's still better to ask him to delegate the given addresses to you.
If you have few addresses, this is easily done manually. If you have many
addresses, a script can be used to generate the entries (this is possible
cos' you don't need the guy to specify real hostnames; he must just say that
the addresses can be resolved by querying your server).
You can take Alan's idea and script it (and give the script to the ISP). A
similar idea is as follows: assume you have the addresses 1.2.3.a to 1.2.3.b
where a and b are some integer values. Then the script should generate lines
of the form:
x.3.2.1.in-addr.arpa. IN CNAME x.a-b.3.2.1.in-addr.arpa.
for x=a to x=b (x++ of course), and then one or more lines (depending on the
number of servers you have):
a-b.3.2.1.in-addr.arpa. 86400 IN NS your.dns.server
where you should replace the 86400 with a value that suits you, and
your.dns.server is one of your DNS servers. So you can just copy the line and
use each of your servers (for ex, your primary and your secondary).
>I think reverse DNS checking is not a good way to "authenticate" this kind
>of traffic.
Only few sites check for matching direct/reverse lookups, so that's not
really a problem.
For MTAs, the name given with the HELO or EHLO command may be checked, but
this should be configurable (in the worst case, configure the hostname to be
a public one). In particular, you can customize the $j and/or $w in sendmail.
The DNS check is motivated by the fact that there are too many spammers over
there. So making sure the reverse works limits the "risk", and gives a hint
to where the connection is coming from. Thus, in case of a problem, one can
black-list the whole organization or ISP if it appears he allows arbitrary
relay!
regards,
mouss
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
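As an added example (mine, not mouss's script or Alan's): a small Python generator for the CNAME/NS delegation described in the mail, using constructed sample values (the /24 "1.2.3", a /26 range 64..127, name servers ns1/ns2.example.net, hostnames under example.net). It emits the ISP-side lines, the matching zone the customer serves, and checks that every CNAME target has a PTR on the customer side.

```python
# Added example, not from the original mail. All names and addresses are
# constructed samples; replace them with your own when generating real zones.
from typing import Dict, List


def isp_side_records(net: str, a: int, b: int, servers: List[str],
                     ttl: int = 86400) -> List[str]:
    """Lines the ISP adds to its 3.2.1.in-addr.arpa zone for hosts a..b of net.

    One CNAME per address points into the a-b sub-zone, followed by one NS
    record per customer name server for that sub-zone. No real hostnames
    are needed here, which is why the ISP can run this unattended.
    """
    if not (0 <= a <= b <= 255):
        raise ValueError("host range must satisfy 0 <= a <= b <= 255")
    o1, o2, o3 = net.split(".")
    parent = f"{o3}.{o2}.{o1}.in-addr.arpa."
    sub = f"{a}-{b}.{parent}"
    lines = [f"{x}.{parent} IN CNAME {x}.{sub}" for x in range(a, b + 1)]
    lines += [f"{sub} {ttl} IN NS {ns.rstrip('.')}." for ns in servers]
    return lines


def customer_zone(net: str, a: int, b: int, servers: List[str],
                  hostnames: Dict[int, str], ttl: int = 86400) -> List[str]:
    """Zone the customer publishes for a-b.3.2.1.in-addr.arpa.

    hostnames maps a host number to its PTR target; unmapped hosts get a
    constructed placeholder so every CNAME on the ISP side resolves.
    """
    o1, o2, o3 = net.split(".")
    sub = f"{a}-{b}.{o3}.{o2}.{o1}.in-addr.arpa."
    primary = servers[0].rstrip(".") + "."
    lines = [f"{sub} {ttl} IN SOA {primary} hostmaster.{primary} "
             f"1 3600 900 604800 {ttl}"]
    lines += [f"{sub} {ttl} IN NS {ns.rstrip('.')}." for ns in servers]
    for x in range(a, b + 1):
        target = hostnames.get(x, f"host-{x}.example.net").rstrip(".") + "."
        lines.append(f"{x}.{sub} {ttl} IN PTR {target}")
    return lines


def delegation_consistent(isp_lines: List[str], cust_lines: List[str]) -> bool:
    """True if every ISP-side CNAME target owns a PTR in the customer zone."""
    targets = {l.split()[-1] for l in isp_lines if " IN CNAME " in l}
    owners = {l.split()[0] for l in cust_lines if " IN PTR " in l}
    return targets <= owners


if __name__ == "__main__":
    ns = ["ns1.example.net", "ns2.example.net"]
    isp = isp_side_records("1.2.3", 64, 127, ns)
    cust = customer_zone("1.2.3", 64, 127, ns, {64: "mail.example.net"})
    print("\n".join(isp + cust), "\nconsistent:", delegation_consistent(isp, cust))
```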