On Tue, 22 Aug 2006 13:19:32 +0200 "tonix (Antonio Nati)" <[EMAIL PROTECTED]> wrote:
> > > > > I've noticed some spam sending hosts, which use e.g.
> > > > > localhost/127.0.0.1 as their sender MX. When my mailserver tries
> > > > > to verify the sending account via bounce check (connecting to
> > > > > 127.0.0.1), the rcpt to: check is ok, because chkuser accepts
> > > > > "unknown" rcpt to's from localhost. Is there a setting to get rid
> > > > > of that?
> > > >
> > > > Better would be a patch to qmail-smtpd that only accepted
> > > > localhost and 127.0.0.1 as the HELO name on connections from
> > > > 127.0.0.1. I don't know enough about chkuser to answer your
> > > > original question.
> > >
> > > This would be one possibility but in this case the mail is already
> > > in the local queue - what we try to prevent. I think an extended
> > > chkuser patch is the better way. While chkuser already checks for
> > > an existing MX-record it could easily test the received A-Record
> > > against 127.0.0.0/8, RFC1918 or in case of a fqdn is it resolvable
> > > at all.
> >
> > If you send me more details on how the check should be done, I could
> > try to put it in the 2.0.10 version of chkuser.

My comment above was not quite correct. I suggest to realize it this way:

1) Test for a valid MX-RR (RFC 1035, para. 3.3.9). A MX-Record must
   contain a host name, not an IP address. This could be a compile time
   option (MX_STRICT_FQDN_CHECK ;-). Log rejects with meaningful
   messages (e.g. "Sender MX (domain.tld MX=1.2.3.4) violates RFC1035,
   3.3.9").

2) Do an A-RR lookup with the acquired fqdn and test the resolved IP
   against any of the following scopes[0] (reject on match).

   "Private Use" IP addresses:
     10.0.0.0    - 10.255.255.255
     172.16.0.0  - 172.31.255.255
     192.168.0.0 - 192.168.255.255

   "Autoconfiguration" IP addresses:
     169.254.0.0 - 169.254.255.255

   "Loopback" IP addresses:
     127.0.0.0   - 127.255.255.255

   Log rejects with meaningful messages (e.g. "Sender MX (fastmail.com
   -> MX=we-dont-accept-mail.fastmail.com -> A=127.0.0.1) never
   reachable").

This could be compile time option(s) too or (what I prefer) a file
loaded at runtime (e.g. $QMAIL_ROOT/control/chkuser_bad_mx_ip). The
latter solution lets you add or remove ranges without recompiling (e.g.
for smtpds in private LANs).

Example for 'chkuser_bad_mx_ip' (I prefer the CIDR notation)

,-----
| # do we need comments? would be really nice ;-)
| # RFC1918
| 10.0.0.0/8
| 172.16.0.0/12
| 192.168.0.0/16
|
| # windows auto config range
| 169.254.0.0/16
|
| # loopback
| 127.0.0.0/8
|
| # this is my day off ;-)
| 0.0.0.0/0
`-----

Problem: How do we handle multiple MX records? I think we only take care
of the best prioritized record because this is the one nearly always
used.

regards
Lars

[0] http://www.iana.org/faqs/abuse-faq.htm#SpecialUseAddresses
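The two checks proposed above (MX must name a host, and the host's A record must not fall into a listed range), together with the runtime-loaded 'chkuser_bad_mx_ip' file and the "best prioritized MX only" rule, as an added worked example. This is not chkuser code and not from the thread's authors; it is written in Python rather than qmail's C so it can run offline. The DNS data in FAKE_MX and FAKE_A is constructed to mirror the mail's own examples, and the function names (load_bad_mx_ranges, check_sender_mx) and the mx_lookup/a_lookup hooks are my own naming; a real implementation would plug a DNS resolver into those hooks.

```python
import ipaddress

# Constructed sample of the proposed control file. Comment lines and
# blank lines are allowed, answering the "do we need comments?" question.
SAMPLE_BAD_MX_IP = """\
# RFC1918
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

# windows auto config range
169.254.0.0/16

# loopback
127.0.0.0/8
"""


def load_bad_mx_ranges(text):
    """Parse the chkuser_bad_mx_ip file format: one CIDR per line,
    '#' starts a comment. A malformed line is an error rather than a
    silent skip, so a typo cannot quietly disable a range."""
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            ranges.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad CIDR {line!r}") from exc
    return ranges


def looks_like_ip(name):
    """True if the MX exchange field is an IP literal instead of a host name."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


# Constructed fake DNS (hypothetical data, not real lookups):
# domain -> [(preference, exchange)], host -> [A records]
FAKE_MX = {
    "good.example": [(20, "mx2.good.example"), (10, "mx1.good.example")],
    "spammer.example": [(10, "127.0.0.1")],
    "fastmail.com": [(10, "we-dont-accept-mail.fastmail.com")],
    "nomx.example": [],
}
FAKE_A = {
    "mx1.good.example": ["203.0.113.25"],
    "mx2.good.example": ["203.0.113.26"],
    "we-dont-accept-mail.fastmail.com": ["127.0.0.1"],
}


def check_sender_mx(domain, bad_ranges, mx_lookup=FAKE_MX.get,
                    a_lookup=FAKE_A.get, strict_fqdn=True):
    """Return None if the sender domain's MX is acceptable, otherwise the
    rejection message to log. Only the best (lowest preference) MX is
    examined, as proposed in the thread."""
    records = mx_lookup(domain) or []
    if not records:
        return f"Sender domain {domain} has no MX record"
    _pref, exchange = min(records, key=lambda r: r[0])

    # Check 1: RFC 1035 3.3.9 requires a host name in the EXCHANGE field.
    if looks_like_ip(exchange):
        if strict_fqdn:
            return f"Sender MX ({domain} MX={exchange}) violates RFC1035, 3.3.9"
        addrs = [exchange]          # lenient mode: treat the literal as the A record
    else:
        addrs = a_lookup(exchange) or []
        if not addrs:
            return f"Sender MX ({domain} -> MX={exchange}) does not resolve"

    # Check 2: every resolved address must lie outside the bad ranges.
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in bad_ranges):
            return (f"Sender MX ({domain} -> MX={exchange} -> A={addr}) "
                    f"never reachable")
    return None


if __name__ == "__main__":
    ranges = load_bad_mx_ranges(SAMPLE_BAD_MX_IP)
    for dom in ("good.example", "spammer.example", "fastmail.com", "nomx.example"):
        print(dom, "->", check_sender_mx(dom, ranges) or "accepted")
```

Rejecting on any listed address (rather than only the first) is a deliberate choice for the multi-A case; the multi-MX question from the mail is handled exactly as proposed, by looking only at the lowest-preference record. Adding 0.0.0.0/0 to the file, as in the "day off" line, makes every resolvable MX fail check 2, which is a useful way to confirm the file is actually being loaded before deploying a real list.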