Re: Sendmail reject non-extant hosts? RFC1123

2003-07-21 Thread Ruben de Groot
On Sun, Jul 20, 2003 at 05:37:31PM -0500, Jack L. Stone typed:
 At 09:38 PM 7.20.2003 +0100, Matthew Seaman wrote:
 On Sun, Jul 20, 2003 at 01:37:15PM -0500, Kevin Kinsey, DaleCo, S.P. wrote:
  I'm not happy that Sendmail is
  allowing connections from non-
  existent hosts (i.e., spammers...)
  
  I run Sendmail more or less straight
  out of the box on -stable.  I had
  been under the impression that the
  line
  
  ALL : PARANOID : RFC931 20 : deny
  
  in /etc/hosts.allow would help reject
  some of this stuff.  However, as the
  amount of spam in my inbox is
  beginning to attest, this isn't the case.
  
  I've been googling and searching the 
  archives with strings similar to the
  one in the title, and haven't yet grokked
  what I'm supposed to do to get this
  to work...
  
  So, how do I tell Sendmail that if
  a host doesn't exist, (i.e. d3kr890d.129ddk.org)
  I don't want to talk to it...
 
 The way that sendmail(8) uses tcp wrappers is slightly different to
 most daemons.  Instead of outright refusing to connect (which would
 lead to the other side trying again every half hour or so for the next
 five days), it permits the remote side to connect and then issues a
 permanent reject code during the SMTP dialogue.
 
 Even without enabling tcp wrappers functionality, sendmail should
 still reject egregiously forged addresses.  You have to add
 
 FEATURE(`accept_unresolvable_domains')dnl
 
 to your `hostname`.mc file to allow incoming mail from domains without
 either A or MX records registered in the DNS.
 
  Cheers,
 
  Matthew
 
 Matthew: Are you saying that the above 'FEATURE' should be used in addition
 to Dan Nelson's suggestion for the adding of these local_rules...?
 http://www.sendmail.org/~ca/email/chk-810.html#810UNRESOLVIP

He is saying that the stock sendmail should already have the behaviour
you want. Only when you want to disable this behaviour (which you don't)
you can add this FEATURE.
Your link to sendmail.org is about an older version (8.10) of sendmail.
What sendmail version are you using?

 This is something I had been looking for  just yesterday made up a
 procmail recipe to grab the forgeries specifically. I'm getting quite a few
 of them here.
 
 Best regards,
 Jack L. Stone,
 Administrator
 
 SageOne Net
 http://www.sage-one.net
 [EMAIL PROTECTED]
 ___
 [EMAIL PROTECTED] mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Sendmail reject non-extant hosts? RFC1123

2003-07-21 Thread Matthew Seaman
On Mon, Jul 21, 2003 at 08:42:48AM +0200, Ruben de Groot wrote:
 On Sun, Jul 20, 2003 at 05:37:31PM -0500, Jack L. Stone typed:
  At 09:38 PM 7.20.2003 +0100, Matthew Seaman wrote:
  On Sun, Jul 20, 2003 at 01:37:15PM -0500, Kevin Kinsey, DaleCo, S.P. wrote:
   I'm not happy that Sendmail is
   allowing connections from non-
   existent hosts (i.e., spammers...)
   
   I run Sendmail more or less straight
   out of the box on -stable.  I had
   been under the impression that the
   line
   
   ALL : PARANOID : RFC931 20 : deny
   
   in /etc/hosts.allow would help reject
   some of this stuff.  However, as the
   amount of spam in my inbox is
   beginning to attest, this isn't the case.
   
   I've been googling and searching the 
   archives with strings similar to the
   one in the title, and haven't yet grokked
   what I'm supposed to do to get this
   to work...
   
   So, how do I tell Sendmail that if
   a host doesn't exist, (i.e. d3kr890d.129ddk.org)
   I don't want to talk to it...
  
  The way that sendmail(8) uses tcp wrappers is slightly different to
  most daemons.  Instead of outright refusing to connect (which would
  lead to the other side trying again every half hour or so for the next
  five days), it permits the remote side to connect and then issues a
  permanent reject code during the SMTP dialogue.
  
  Even without enabling tcp wrappers functionality, sendmail should
  still reject egregiously forged addresses.  You have to add
  
  FEATURE(`accept_unresolvable_domains')dnl
  
  to your `hostname`.mc file to allow incoming mail from domains without
  either A or MX records registered in the DNS.
  
 Cheers,
  
 Matthew
  
  Matthew: Are you saying that the above 'FEATURE' should be used in addition
  to Dan Nelson's suggestion for the adding of these local_rules...?
  http://www.sendmail.org/~ca/email/chk-810.html#810UNRESOLVIP
 
 He is saying that the stock sendmail should already have the behaviour
 you want. Only when you want to disable this behaviour (which you don't)
 you can add this FEATURE.
 Your link to sendmail.org is about an older version (8.10) of sendmail.
 What sendmail version are you using?
 
  This is something I had been looking for  just yesterday made up a
  procmail recipe to grab the forgeries specifically. I'm getting quite a few
  of them here.

Dan's local ruleset goes further than the default that sendmail(8)
supplies -- by default, sendmail just checks that it can look up the
name part of the 'From' e-mail address as supplied in the SMTP dialog.

These local ruleset additions take the IP number of the connecting
host and check that it can resolve that IP number into a hostname.
It rejects any e-mail if the other side can't be resolved.  That's
something that should be familiar to any users of FreeBSD mailing
lists, although the freebsd.org mailer doesn't use sendmail(8).

Basically, you don't want to use
FEATURE(`accept_unresolvable_domains').  I'm sorry if that was
confusing, but I was trying to make the point that the default
behaviour was pretty much what the OP wanted, and that you had to take
extraordinary steps to turn it off.  The local ruleset additions will
work anyhow.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK




Sendmail reject non-extant hosts? RFC1123

2003-07-20 Thread Kevin Kinsey, DaleCo, S.P.
I'm not happy that Sendmail is
allowing connections from non-
existent hosts (i.e., spammers...)

I run Sendmail more or less straight
out of the box on -stable.  I had
been under the impression that the
line

ALL : PARANOID : RFC931 20 : deny

in /etc/hosts.allow would help reject
some of this stuff.  However, as the
amount of spam in my inbox is
beginning to attest, this isn't the case.

I've been googling and searching the 
archives with strings similar to the
one in the title, and haven't yet grokked
what I'm supposed to do to get this
to work...

So, how do I tell Sendmail that if
a host doesn't exist, (i.e. d3kr890d.129ddk.org)
I don't want to talk to it...

Kevin Kinsey



Re: Sendmail reject non-extant hosts? RFC1123

2003-07-20 Thread Dan Nelson
In the last episode (Jul 20), Kevin Kinsey, DaleCo, S.P. said:
 I'm not happy that Sendmail is allowing connections from non-
 existent hosts (i.e., spammers...)
 
 So, how do I tell Sendmail that if a host doesn't exist, (i.e.
 d3kr890d.129ddk.org) I don't want to talk to it...

This works for me:
http://www.sendmail.org/~ca/email/chk-810.html#810UNRESOLVIP

LOCAL_RULESETS
SLocal_check_rcpt
# check client name: did it resolve?
# (the left- and right-hand side of each R line are separated by tabs)
R$*		$: < $&{client_resolve} >
R<TEMP>		$#error $@ 4.7.1 $: "450 Cannot resolve PTR record for " $&{client_addr}
R<FORGED>	$#error $@ 5.7.1 $: "550 IP name possibly forged " $&{client_name}
R<FAIL>		$#error $@ 5.7.1 $: "550 IP name lookup failed " $&{client_name}

-- 
Dan Nelson
[EMAIL PROTECTED]
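
Added example, not part of the original post and not sendmail's own code: a Python model of the four ${client_resolve} outcomes (OK, TEMP, FORGED, FAIL) that the Local_check_rcpt rules above test, with the reply each rule produces. The function names and DNS data are constructed, and treating a forward-lookup timeout as TEMP is this example's assumption.

```python
# Constructed DNS data (documentation address ranges and example names).
PTR = {"192.0.2.10": "mail.example.org", "192.0.2.20": "mx.example.net"}
A = {"mail.example.org": {"192.0.2.10"}, "mx.example.net": {"198.51.100.7"}}
PTR_TIMEOUT = {"192.0.2.30"}

def ptr_lookup(ip):
    # TimeoutError models a resolver timeout; KeyError (a LookupError) models NXDOMAIN.
    if ip in PTR_TIMEOUT:
        raise TimeoutError(ip)
    return PTR[ip]

def addr_lookup(name):
    return A[name]

def client_resolve(ip, ptr=ptr_lookup, fwd=addr_lookup):
    """Return (status, client_name), modelled on sendmail's macros."""
    try:
        name = ptr(ip)
    except TimeoutError:
        return "TEMP", f"[{ip}]"
    except LookupError:
        return "FAIL", f"[{ip}]"      # no PTR record at all
    try:
        addrs = fwd(name)
    except TimeoutError:
        return "TEMP", name           # this example's choice for a forward timeout
    except LookupError:
        return "FORGED", name         # PTR names a host with no address record
    # Forward-confirm: the claimed name must map back to the connecting IP.
    return ("OK" if ip in addrs else "FORGED"), name

# Replies taken from the ruleset above, keyed by status.
REPLIES = {
    "TEMP": "450 4.7.1 Cannot resolve PTR record for {addr}",
    "FORGED": "550 5.7.1 IP name possibly forged {name}",
    "FAIL": "550 5.7.1 IP name lookup failed {name}",
}

def check_rcpt(ip):
    """Return None when the rules fall through, else the SMTP reply."""
    status, name = client_resolve(ip)
    if status == "OK":
        return None
    return REPLIES[status].format(addr=ip, name=name)
```

Only the TEMP case gets a 4xx reply, so a legitimate sender whose reverse DNS is briefly unreachable retries later instead of bouncing.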


Re: Sendmail reject non-extant hosts? RFC1123

2003-07-20 Thread Matthew Seaman
On Sun, Jul 20, 2003 at 01:37:15PM -0500, Kevin Kinsey, DaleCo, S.P. wrote:
 I'm not happy that Sendmail is
 allowing connections from non-
 existent hosts (i.e., spammers...)
 
 I run Sendmail more or less straight
 out of the box on -stable.  I had
 been under the impression that the
 line
 
 ALL : PARANOID : RFC931 20 : deny
 
 in /etc/hosts.allow would help reject
 some of this stuff.  However, as the
 amount of spam in my inbox is
 beginning to attest, this isn't the case.
 
 I've been googling and searching the 
 archives with strings similar to the
 one in the title, and haven't yet grokked
 what I'm supposed to do to get this
 to work...
 
 So, how do I tell Sendmail that if
 a host doesn't exist, (i.e. d3kr890d.129ddk.org)
 I don't want to talk to it...

The way that sendmail(8) uses tcp wrappers is slightly different to
most daemons.  Instead of outright refusing to connect (which would
lead to the other side trying again every half hour or so for the next
five days), it permits the remote side to connect and then issues a
permanent reject code during the SMTP dialogue.

Even without enabling tcp wrappers functionality, sendmail should
still reject egregiously forged addresses.  You have to add

FEATURE(`accept_unresolvable_domains')dnl

to your `hostname`.mc file to allow incoming mail from domains without
either A or MX records registered in the DNS.

I find that the DNSBL feature is rather effective at rejecting spam
e-mail.  Generally my mailserver gets about 20--30 spam e-mails a
day. Of those, all but 2 or 3 are rejected by the DNSBL, and the rest
are taken out by spamassassin, with perhaps 2 false negatives a week
and no false positives.

I find that the combination of these three blacklists is most effective:

FEATURE(dnsbl, `bl.spamcop.net', `"550 Mail from " $&{client_addr} " rejected using spamcop.net DNSBL. See http://spamcop.net/w3m?action=checkblock&ip="$&{client_addr}', `')dnl
FEATURE(dnsbl, `relays.osirusoft.com', `"550 Mail from " $&{client_addr} " rejected using relays.osirusoft.com DNSBL. See http://relays.osirusoft.com/"', `')dnl
FEATURE(`dnsbl', `blackholes.easynet.nl', `"550 5.7.1 ACCESS DENIED to "$&{client_name}" by easynet.nl DNSBL (http://blackholes.easynet.nl/errors.html)"', `')dnl

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK
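
Added example, not part of the original post: how a DNSBL lookup of the kind FEATURE(dnsbl) performs is formed (reversed octets plus the zone, answer in 127.0.0.0/8 means listed). It goes beyond the post by adding the RFC 5782 self-test (127.0.0.2 must be listed, 127.0.0.1 must not), which FEATURE(dnsbl) does not do, so a zone that answers for every name is skipped. The zone names are the ones in the post; the function names, the DNS answers and the answer-everything behaviour given to one zone are constructed.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
ZONES = ["bl.spamcop.net", "relays.osirusoft.com", "blackholes.easynet.nl"]

# Constructed answers: one zone replies to every name, one lists 192.0.2.99.
RECORDS = {
    "2.0.0.127.bl.spamcop.net": ["127.0.0.2"],
    "2.0.0.127.blackholes.easynet.nl": ["127.0.0.2"],
    "99.2.0.192.blackholes.easynet.nl": ["127.0.0.2"],
}
ANSWERS_EVERYTHING = "relays.osirusoft.com"

def sample_lookup(name):
    """Stand-in resolver: list of A records, empty list for NXDOMAIN."""
    if name.endswith("." + ANSWERS_EVERYTHING):
        return ["127.0.0.2"]
    return RECORDS.get(name, [])

def query_name(ip, zone):
    """192.0.2.99 in bl.spamcop.net becomes 99.2.0.192.bl.spamcop.net."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def listed(ip, zone, lookup):
    answers = lookup(query_name(ip, zone))
    return any(ipaddress.IPv4Address(a) in LOOPBACK for a in answers)

def zone_healthy(zone, lookup):
    """RFC 5782 self-test: the test entry exists and 127.0.0.1 is not listed."""
    return listed("127.0.0.2", zone, lookup) and not listed("127.0.0.1", zone, lookup)

def first_rejection(ip, zones, lookup):
    """Return the first healthy zone that lists ip, or None to accept."""
    for zone in zones:
        if not zone_healthy(zone, lookup):
            continue  # dead or wildcarded list: ignore it rather than reject all mail
        if listed(ip, zone, lookup):
            return zone
    return None
```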




Re: Sendmail reject non-extant hosts? RFC1123

2003-07-20 Thread Jack L. Stone
At 09:38 PM 7.20.2003 +0100, Matthew Seaman wrote:
On Sun, Jul 20, 2003 at 01:37:15PM -0500, Kevin Kinsey, DaleCo, S.P. wrote:
 I'm not happy that Sendmail is
 allowing connections from non-
 existent hosts (i.e., spammers...)
 
 I run Sendmail more or less straight
 out of the box on -stable.  I had
 been under the impression that the
 line
 
 ALL : PARANOID : RFC931 20 : deny
 
 in /etc/hosts.allow would help reject
 some of this stuff.  However, as the
 amount of spam in my inbox is
 beginning to attest, this isn't the case.
 
 I've been googling and searching the 
 archives with strings similar to the
 one in the title, and haven't yet grokked
 what I'm supposed to do to get this
 to work...
 
 So, how do I tell Sendmail that if
 a host doesn't exist, (i.e. d3kr890d.129ddk.org)
 I don't want to talk to it...

The way that sendmail(8) uses tcp wrappers is slightly different to
most daemons.  Instead of outright refusing to connect (which would
lead to the other side trying again every half hour or so for the next
five days), it permits the remote side to connect and then issues a
permanent reject code during the SMTP dialogue.

Even without enabling tcp wrappers functionality, sendmail should
still reject egregiously forged addresses.  You have to add

FEATURE(`accept_unresolvable_domains')dnl

to your `hostname`.mc file to allow incoming mail from domains without
either A or MX records registered in the DNS.

   Cheers,

   Matthew

Matthew: Are you saying that the above 'FEATURE' should be used in addition
to Dan Nelson's suggestion for the adding of these local_rules...?
http://www.sendmail.org/~ca/email/chk-810.html#810UNRESOLVIP

This is something I had been looking for  just yesterday made up a
procmail recipe to grab the forgeries specifically. I'm getting quite a few
of them here.

Best regards,
Jack L. Stone,
Administrator

SageOne Net
http://www.sage-one.net
[EMAIL PROTECTED]