Re: FCrDNS check implemented

2018-12-20 Thread Gilles Chehade
On Thu, Dec 20, 2018 at 11:31:27AM +0100, Aham Brahmasmi wrote:
> Monsieur Gilles,
> 
[...]

> > This will result in smtpd replacing the welcome banner with the message,
> > then dropping the client connection if they don't have a reverse DNS and
> > a matching forward DNS. You can apply the check at further phases if you
> > need to log more details, this is up to you.
> 
> Thank you for the check-fcrdns filter. Would it be possible for you to
> please share your thoughts on the filter, specifically the checks that
> the filter performs.
> 
> Given a client IP 29.3.20.19 trying to send email, which of these
> checks will the filter perform?
>
> i) Resolve 29.3.20.19 to the set of hostnames. If no hostname is
> returned, reject connection.
>

Yes, however it is not recommended to use multiple PTR records for an IP
address, and the behavior is unspecified by the RFC as far as I know. If
you specify multiple PTR records, things will not work as you want. This
is not an OpenSMTPD thing but a DNS thing.

Anyways, to answer your question:

OpenSMTPD will resolve 29.3.20.19 into _one_ hostname.
If none could be found, it will reject.
If one could be found, it will go to next check.


> ii) Suppose 29.3.20.19 resolves to { brexit.eu, reunite.uk }. Next
> resolve the set of hostnames to a set of IP addresses. If no IP address
> is returned for any of the hostnames, reject connection.

Yes, except that it will do that for the one hostname it resolved.


> iii) Suppose some hostnames do resolve to a set of IP addresses. If
> 29.3.20.19 is not present in the set of IP addresses, reject connection.  
> 

Yes.


> In case I have understood this incorrectly, I apologize. I have based
> this flow on my understanding of the "reject_unknown_client_hostname"
> feature of Postfix [1].
> 

Yes, they are alike.

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
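
The three checks confirmed in the reply above, as an added example (not OpenSMTPD's code and not code from the thread): a Python version that takes the resolver functions as parameters so the logic can be run offline. The `*.example` names, the documentation-range addresses and the `sample_*` helpers are constructed for illustration.

```python
import ipaddress
import socket

def system_ptr(ip):
    """Reverse lookup with the system resolver: one hostname or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name):
    """Forward lookup (A and AAAA) with the system resolver."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def fcrdns(client_ip, ptr=system_ptr, forward=system_forward):
    """Return (accepted, detail) for the three checks from the thread."""
    ip = ipaddress.ip_address(client_ip)
    name = (ptr(client_ip) or "").rstrip(".")  # i) IP -> one hostname
    if not name:
        return False, "no PTR record"
    addrs = forward(name)                      # ii) hostname -> addresses
    if not addrs:
        return False, "PTR name has no address"
    # iii) compare parsed addresses so IPv6 spelling differences do not matter
    if ip not in {ipaddress.ip_address(a.split("%")[0]) for a in addrs}:
        return False, "forward lookup does not contain client IP"
    return True, name

# Constructed records (not real DNS data), one case per outcome.
SAMPLE_PTR = {
    "29.3.20.19": "brexit.eu.",
    "192.0.2.20": "ghost.example.",
    "192.0.2.30": "spoof.example.",
    "2001:db8::1": "v6.example.",
}
SAMPLE_A = {
    "brexit.eu": {"29.3.20.19"},
    "spoof.example": {"198.51.100.7"},
    "v6.example": {"2001:0db8:0000:0000:0000:0000:0000:0001"},
}

def sample_ptr(ip):
    return SAMPLE_PTR.get(ip)

def sample_forward(name):
    return SAMPLE_A.get(name, set())
```

Calling `fcrdns(ip)` without the last two arguments uses the system resolver instead of the constructed records.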



Re: FCrDNS check implemented

2018-12-20 Thread Aham Brahmasmi
Monsieur Gilles,

> helo misc@,
> 
> I wrote an article a few days ago:
> 
> https://poolp.org/posts/2018-12-06/opensmtpd-proc-filters-fc-rdns/
> 
> 
> Since then, I implemented the check-fcrdns builtin filter allowing us to
> filter incoming sessions that do not have a valid FCrDNS.
> 
> How does it work ?
> 
> 1- configure your listener to be filtered
> 2- add a filter hook on whatever phase you want to trigger the check on
> 
>[...]
>listen on all filter
>
>filter smtp-in connect check-fcrdns disconnect "550 GO AWAY, PUNK"
>[...]
> 
> This will result in smtpd replacing the welcome banner with the message,
> then dropping the client connection if they don't have a reverse DNS and
> a matching forward DNS. You can apply the check at further phases if you
> need to log more details, this is up to you.

Thank you for the check-fcrdns filter. Would it be possible for you to
please share your thoughts on the filter, specifically the checks that
the filter performs.

Given a client IP 29.3.20.19 trying to send email, which of these
checks will the filter perform?

i) Resolve 29.3.20.19 to the set of hostnames. If no hostname is
returned, reject connection.

ii) Suppose 29.3.20.19 resolves to { brexit.eu, reunite.uk }. Next
resolve the set of hostnames to a set of IP addresses. If no IP address
is returned for any of the hostnames, reject connection.

iii) Suppose some hostnames do resolve to a set of IP addresses. If
29.3.20.19 is not present in the set of IP addresses, reject connection.

In case I have understood this incorrectly, I apologize. I have based
this flow on my understanding of the "reject_unknown_client_hostname"
feature of Postfix [1].

Merci Beaucoup / Danke Schön / Arigatou Gozaimasu / Dhanyavaad.

Regards,
ab
[1] - http://www.postfix.org/postconf.5.html