comp.mail.sendmail: Configuring and using the BSD sendmail agent.

#1
What configuration option is used in sendmail to perform a reverse lookup on the client MTA during the SMTP dialogue?

Is there a section in the sendmail doc that deals with sendmail client / SMTP restrictions?

Finally, from those out there with more experience, does enabling this feature lead to lots of false positives that block good MTAs that didn't properly configure their DNS?

thanks
|
#2
|
On Tue, 11 Dec 2007, googlee07@yahoo.com wrote:

> What configuration option is used in sendmail to perform a reverse
> lookup on the client MTA during the SMTP dialogue?

FEATURE(`require_rdns')dnl

> Is there a section in the sendmail doc that deals with sendmail
> client / smtp restrictions?

Yes, many people don't read it because it's large; it's large for a reason, it's detailed.

FEATURE(`delay_checks')     <-- enable regardless
FEATURE(`badmx')            <-- read the doc carefully about this one
FEATURE(`block_bad_helo')   <-- read docs carefully about this one too

> Finally, from those out there with more experience, does enabling this
> feature lead to lots of false positives that block good MTAs that
> didn't properely configure their DNS?

Not that I've noticed, and that's on networks running millions of messages a day. I did find I had to whitelist some of the government IP ranges because they employ first year weenors who have NFI on how to configure DNS. I have used this for many many many years, I think from around the time the original 'hack' was written, and it's served us very well with few complaints.

YMMV depending on where you are in the world; what works well here in Australia might not in your part of the world. Like if you're in Asia, there is a serious lack of DNS ability in some Asian countries, so you would be best *not* using it, or risk massive amounts of complaints.

--
Cheers
Res

mysql> update auth set Framed-IP-Address='127.0.0.127' where user='troll';
~# radzap troll
|
#3
|
rez, thanks for your informative reply.. more below

> > Is there a section in the sendmail doc that deals with sendmail
> > client / smtp restrictions?
>
> Yes, many people dont read it because its large, its large for a reason,
> its detailed

what's the section / page called, or should i just search for these Feature params to get me in the right place? what's sendmail lingo to reach these?

> FEATURE(`delay_checks') <-- enable regardless
> FEATURE(`badmx') <-- read the doc carefully about this one
> FEATURE(`block_bad_helo') <-- read docs carefully about this one too

it looks like you've pointed me in the direction of some good basic security checks i should consider..

would you mind sharing a / your good base security checks for a standard mailhost (no internal relaying), assuming there are more than what you mentioned? i imagine the order within the mc file is important too?

thanks
|
#4
|
On Tue, 11 Dec 2007, googlee07@yahoo.com wrote:

> rez,
>
> thanks for your informative reply.. more below
>
>>> Is there a section in the sendmail doc that deals with sendmail
>>> client / smtp restrictions?
>>
>> Yes, many people dont read it because its large, its large for a reason,
>> its detailed
>
> what's the section / page called or should i just search for these
> Feature params to get me in the right place?
> what's sendmail lingo to reach these?

Search for each; they are, from memory, around the same part of the docs.

>> FEATURE(`delay_checks') <-- enable regardless
>> FEATURE(`badmx') <-- read the doc carefully about this one
>> FEATURE(`block_bad_helo') <-- read docs carefully about this one too
>
> it looks like you've pointed me in the direction of some good basic
> security checks i should consider..
>
> would you mind sharing a / your good base security checks for a
> standard mailhost (no internal relaying) assuming there are more than
> what you mentioned? i imagine the order within the mc file is
> important too?

http://support.ausics.net/sendmail/newsendmail.mc would be a good starting point; it's what we recommend to our colo's.

I also would recommend the smf-spf and milter-regex milters to further curb some more rubbish. http://support.ausics.net/sendmail/milter-regex.conf is an older version of the rules file I use (my more current one has a few extras in it).

--
Cheers
Res

mysql> update auth set Framed-IP-Address='127.0.0.127' where user='troll';
~# radzap troll
|
#5
|
Res <res@ausics.net> writes:
> On Tue, 11 Dec 2007, googlee07@yahoo.com wrote:
>
>> What configuration option is used in sendmail to perform a reverse
>> lookup on the client MTA during the SMTP dialogue?
>
> FEATURE(`require_rdns')dnl
>
> [...]
> YMMV depending on where you are in the world, what works well here in
> Australia might not in your part of the world, like if your in Asia,
> there is a serious lack of DNS ability in some Asian countries, so you
> would be best *not* using it, or risk massive amounts of complaints.

It is possible, using FEATURE(`anfi/require_rdns'), FEATURE(`anfi/rsdnsbl'), and "IP to country" DNS services (such as zz.countries.nerd.dk), to exclude some countries from rdns checks or do rdns checks only for some countries, e.g. USA, China, Republic of Korea.
[ sample upon request posted here ]

URL(s):
http://open-sendmail.sourceforge.net/

--
[pl>en: Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
Open-Sendmail: http://open-sendmail.sourceforge.net/
|
#6
|
> http://support.ausics.net/sendmail/newsendmail.mc would be a god
> starting point, its what we recommend to our colo's
> I also would recommend smf-spf and milter-regex milters to further curb
> some more rubbish http://support.ausics.net/sendmail/milter-regex.conf
> is an older version of the rules file I use (my more current one has a few
> extras in it)

thanks. i'll have to go through it line by line. wondering how much of that config is already in my existing config on a fresh sendmail install versus how much needs to be added / modified.. mostly concerned with the security stuff.
|
#7
|
On Dec 12, 12:25 pm, Andrzej Adam Filip <a...@onet.eu> wrote:
> Res <r...@ausics.net> writes:
> > On Tue, 11 Dec 2007, google...@yahoo.com wrote:
>
> >> What configuration option is used in sendmail to perform a reverse
> >> lookup on the client MTA during the SMTP dialogue?
>
> > FEATURE(`require_rdns')dnl
>
> > [...]
> > YMMV depending on where you are in the world, what works well here in
> > Australia might not in your part of the world, like if your in Asia,
> > there is a serious lack of DNS ability in some Asian countries, so you
> > would be best *not* using it, or risk massive amounts of complaints.
>
> It is possible using FEATURE(`anfi/require_rdns'),

why do you use 'anfi' when res doesn't have it in his feature line?

> FEATURE(`anfi/rsdnsbl'), and "IP to country" DNS services
> (such as zz.countries.nerd.dk) to exclude some countries from
> rdns checks or do rdns checks only for some countries
> e.g. USA, China, Republic of Korea
> [ sample upon request posted here ]

love a sample.

i hadn't thought to blacklist country ips, but it does make sense and is a very good idea assuming one knows who their mail clients will be..
|
#8
|
An additional but related question...

what feature / lookup table, if any, allows for restriction based on a local IP address coming in on a public interface at the SMTP client level? does it even exist?

i ask because wouldn't it be possible for a rogue MTA server to change its IP address, either manually or by crafting a packet that spoofs localhost (127.0.0.1) or another private IP address that just so happens to be available as a trusted client on the target remote server?

i guess what i'm asking is: if my MTA trusts 127.0.0.1 and 192.168.0.1, 2, 3.., couldn't a spammer just connect to my MTA as 127.0.0.1.. or 192.168.0.1, etc. and try to pass off a message to my MTA? It kind of doesn't make sense, because the remote bogus client MTA wouldn't be able to execute the subsequent HELO, MAIL FROM or RCPT TO, but it's possible that the localhost could think the request was its own and then carry out the remaining helo, mail from, rcpt to steps..

just figured i'd check to make sure on this one.. if what i say is true.. how does one prevent it?

thanks
|
#9
|
googlee07@yahoo.com writes:
> On Dec 12, 12:25 pm, Andrzej Adam Filip <a...@onet.eu> wrote:
>> Res <r...@ausics.net> writes:
>> > On Tue, 11 Dec 2007, google...@yahoo.com wrote:
>>
>> >> What configuration option is used in sendmail to perform a reverse
>> >> lookup on the client MTA during the SMTP dialogue?
>>
>> > FEATURE(`require_rdns')dnl
>>
>> > [...]
>> > YMMV depending on where you are in the world, what works well here in
>> > Australia might not in your part of the world, like if your in Asia,
>> > there is a serious lack of DNS ability in some Asian countries, so you
>> > would be best *not* using it, or risk massive amounts of complaints.
>>
>> It is possible using FEATURE(`anfi/require_rdns'),
>
> why do you use 'anfi' when res doesn't have it in his feature line?

Because I have decided to use such a "naming convention" for FEATUREs that are supported by me as part of open-sendmail at sourceforge.net
http://open-sendmail.sourceforge.net/
[licencing allows sendmail.org to include it in the sendmail distribution]

anfi/require_rdns is a slightly modified version of require_rdns.

>> FEATURE(`anfi/rsdnsbl'), and "IP to country" DNS services
>> (such as zz.countries.nerd.dk) to exclude some countries from
>> rdns checks or do rdns checks only for some countries
>> e.g. USA, China, Republic of Korea
>> [ sample upon request posted here ]
>
> love a sample.
>
> i hadn't thought to blacklist country ips but it does make sense and a
> very good idea assuming one knows who their mail clients will be..

Blocking "by country of origin" (based on IP address, without RDNS queries) is possible with FEATURE(`enhdnsbl') [provided by sendmail.org] and (e.g.) zz.countries.nerd.dk.

FEATURE(`anfi/rsdnsbl') allows more subtle use :] It allows you to deploy *EXTRA* tests for "suspicious neighborhoods", tests you are willing to spare for good neighborhoods. [It says under which condition to skip *later* enhdnsbl and anfi/require_rdns tests.]

Example: Below please find an example configuration for a company in Poland exporting to Germany. Its DNSBL checks are grouped into three "zones":
+ Poland and Germany are in the "good" zone ["good" zone tests]
+ Addresses outside Poland and Germany and not listed by l2.apews.org are in the "typical" zone ["good" and "typical" zone tests]
+ Addresses outside Poland and Germany and listed by l2.apews.org are in the "bad" zone ["good", "typical" and "bad" zone tests]

l2.apews.org lists "the worse half" (~42%) of the Internet. IP addresses listed by it will get "extra caution" without being blocked *ONLY* for being listed by l2.apews.org.

#v+
FEATURE(`anfi/countries')dnl list of country codes
dnl ------------------------------------------------------
dnl
dnl Part for DNSBL test for all (good & typical & bad)
dnl
dnl ------------------------------------------------------
FEATURE(`anfi/rsdnsbl',`zz.countries.nerd.dk',`whitelist',`', C2_PL,C2_DE)dnl
dnl IP addresses in Poland and Germany are excluded from
dnl tests below (up to 6 countries may be listed)
dnl -------------------------------------------------------
dnl
dnl Part for DNSBL test for typical & bad
dnl
FEATURE(`anfi/rsdnsbl',`forgedignore')dnl
dnl require PTR record, ignore lack of closed PTR-A loop
dnl reject dynamic IP addresses
FEATURE(`enhdnsbl', `pbl.spamhaus.org', `"553 Dynamic IP Address - See http://www.spamhaus.org/query/bl?ip="$&{client_addr}', `', `127.0.0.10.',`127.0.0.11.')dnl
dnl -------------------------------------------------------
FEATURE(`anfi/rsdnsbl',`l2.apews.org',`blacklist',`')dnl
dnl tests below are conducted only for IP addresses
dnl listed by l2.apews.org (the worse half of the Internet)
dnl -------------------------------------------------------
dnl
dnl Part for DNSBL test for bad
dnl
FEATURE(`anfi/rsdnsbl',`forgedperm')
dnl forgedperm changes replies on FORGED from 4?? to 5??
#v-

URL(s):
* Homesite of anfi/* features
  http://open-sendmail.sourceforge.net/
* Download of anfi/rsdnsbl, anfi/countries and anfi/rsdnsbl
  http://sourceforge.net/project/showf...kage_id=228383

P.S. Another variant may use l2.apews.org for blocking only if the connecting IP is located in "high spam" countries (e.g. China, Republic of Korea).

--
[pl>en: Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
Open-Sendmail: http://open-sendmail.sourceforge.net/
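To make the mechanics behind the thread concrete, here is an added Python model (not code from any post, not part of open-sendmail or sendmail) of two things discussed above: the reverse-DNS check that require_rdns performs (post #2: PTR present, and does the name's A record point back to the client IP), and the three-zone DNSBL policy of the configuration in post #9 (country whitelist, forgedignore, PBL rejection, l2.apews.org gating, forgedperm). Real DNS is replaced by constructed in-memory records so it runs offline; the zone names are the ones the posts mention, every answer is made up. Assumptions: the zz.countries.nerd.dk answer encoding (127.0.x.y with x*256+y = ISO 3166-1 numeric code), the 451/550 reply codes (the post only says forgedperm turns 4?? into 5??), and my reading of the `forgedignore` comment as "PTR required, open loop tolerated".

```python
"""Offline model of the zoned reverse-DNS / DNSBL policy sketched in the thread.

Added example, not code from the posts or from open-sendmail.  Real DNS is
replaced by constructed in-memory records so it runs offline; the zone names
are the ones the thread mentions, the answers are made up.
"""
import ipaddress

# Constructed PTR and A records (documentation ranges, not real hosts).
PTR = {
    "203.0.113.10": "mx.example.net",    # PTR -> A -> same IP: closed loop, OK
    "198.51.100.7": "host.example.org",  # PTR exists but A points elsewhere: FORGED
    "192.0.2.99": "dyn99.example.com",   # loop closes, but listed by the PBL
    "192.0.2.150": "relay.example.com",  # FORGED *and* listed by l2.apews.org
    # 203.0.113.20 and 192.0.2.55 deliberately have no PTR at all
}
A = {
    "mx.example.net": {"203.0.113.10"},
    "host.example.org": {"198.51.100.1"},
    "dyn99.example.com": {"192.0.2.99"},
    "relay.example.com": {"192.0.2.151"},
}
# Constructed DNSBL answers, keyed by the reversed-octet query name.
# Country answers follow the zz.countries.nerd.dk convention as I understand
# it (assumption): 127.0.x.y with x*256+y = ISO 3166-1 numeric code.
DNSBL = {
    "10.113.0.203.zz.countries.nerd.dk": "127.0.2.104",  # 616 = PL
    "20.113.0.203.zz.countries.nerd.dk": "127.0.1.20",   # 276 = DE
    "7.100.51.198.zz.countries.nerd.dk": "127.0.3.72",   # 840 = US
    "99.2.0.192.pbl.spamhaus.org": "127.0.0.11",         # dynamic/PBL listing
    "150.2.0.192.l2.apews.org": "127.0.0.2",             # "worse half" listing
}
ISO_NUMERIC = {616: "PL", 276: "DE", 840: "US", 156: "CN", 410: "KR"}
GOOD_COUNTRIES = {"PL", "DE"}   # the C2_PL, C2_DE arguments in the post
# Reply codes are assumptions; the post only says forgedperm turns 4?? into 5??.
TEMPFAIL, REJECT, ACCEPT = "451", "550", "250"


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_lookup(ip: str, zone: str, resolver=DNSBL):
    """Answer for ip in zone, or None when unlisted (NXDOMAIN in real DNS)."""
    return resolver.get(dnsbl_name(ip, zone))


def country_of(ip: str):
    """Decode the country zone answer to an ISO alpha-2 code, or None."""
    answer = dnsbl_lookup(ip, "zz.countries.nerd.dk")
    if answer is None:
        return None
    _, _, hi, lo = (int(o) for o in answer.split("."))
    return ISO_NUMERIC.get(hi * 256 + lo)


def rdns_status(ip: str) -> str:
    """What require_rdns checks: PTR present, and does its A point back?"""
    name = PTR.get(ip)
    if name is None:
        return "NO_PTR"
    return "OK" if ip in A.get(name, set()) else "FORGED"


def evaluate(ip: str):
    """Return (zone, smtp_code, reason) for a connecting client IP,
    following the order of the FEATURE() lines in the post."""
    # 1. anfi/countries + rsdnsbl whitelist: PL and DE skip everything below.
    country = country_of(ip)
    if country in GOOD_COUNTRIES:
        return "good", ACCEPT, f"{country} is in the whitelisted countries"
    # 2. forgedignore (my reading): a PTR is required, an open loop is tolerated.
    status = rdns_status(ip)
    if status == "NO_PTR":
        return "typical", TEMPFAIL, "client has no PTR record"
    # 3. enhdnsbl pbl.spamhaus.org: dynamic address space gets the 553 from the post.
    if dnsbl_lookup(ip, "pbl.spamhaus.org") in ("127.0.0.10", "127.0.0.11"):
        return "typical", "553", "dynamic IP address listed in pbl.spamhaus.org"
    # 4. rsdnsbl l2.apews.org blacklist: only listed IPs reach the "bad" tests.
    if dnsbl_lookup(ip, "l2.apews.org") is None:
        return "typical", ACCEPT, f"rDNS {status} tolerated by forgedignore"
    # 5. forgedperm: in the bad zone a FORGED reverse name is a permanent reject.
    if status == "FORGED":
        return "bad", REJECT, "listed by l2.apews.org and PTR does not loop back"
    return "bad", ACCEPT, "listed by l2.apews.org but reverse DNS is consistent"


if __name__ == "__main__":
    for client in ("203.0.113.10", "203.0.113.20", "198.51.100.7",
                   "192.0.2.99", "192.0.2.150", "192.0.2.55"):
        zone, code, why = evaluate(client)
        print(f"{client:14} {zone:8} {code}  {why}")
```

The ordering is the point: 203.0.113.20 has no PTR at all yet is accepted, because the country whitelist short-circuits every later test, while 192.0.2.150 with the same open PTR-A loop as 198.51.100.7 is rejected only because its l2.apews.org listing moves it into the zone where forgedperm applies. Swapping a real resolver in for the dictionaries (one DNS query per `dnsbl_lookup`, a PTR and an A query per `rdns_status`) is all that separates this from what the MTA does at connect time.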
|