require_rdns.m4 - SendMail
require_rdns.m4
Hello,
I am a sendmail newbie. I have a VPS at WestHost http://www.westhost.com
Sendmail 8.12.11 is installed (I assume it is patched ... I'm not
certain how to tell)
This is a rented server. I don't have root access, but I am the trusted
user for file ownership.
I recently installed the hack require_rdns.m4. I can see that a bunch
of spam is being rejected for "reject=451 4.1.8 Possible forged
hostname". The hack does appear to reject if the reverse DNS returns
a PTR record but then the PTR does not resolve. This is good.
I also notice that I just received spam from this IP address:
121.15.90.49
That IP address does not have a proper reverse DNS. But for some
reason the hack did not reject. Here is an excerpt from the log file. I
have changed an email address. The email from the unresolvable client
ip was forwarded to the final recipient via virtualusertable. The
email should have been rejected.
*******
Apr 16 07:01:29 zzzzz.com sendmail[9142]: l3GD1LZH009142:
from=<rmangstere@arkaeologi.dk>, size=18770, class=0, nrcpts=1,
msgid=<2f7d01c77fe1$f9067e70$70563df8@rmangstere>, proto=SMTP,
relay=[121.15.90.49]
Apr 16 07:01:29 zzzzz.com sendmail[9142]: l3GD1LZH009142:
to=zzzzz@yyyyy.com, delay=00:00:03, xdelay=00:00:00, mailer=esmtp,
pri=48957, relay=mx.fusemail.net. [208.70.128.213], dsn=2.0.0,
stat=Sent (OK id=1HdQpl-0006Vb-Fr)
*****
My mc and cf files are available at these links.
http://sawcrest.com/sendmail/sendmail.mc.txt
http://sawcrest.com/sendmail/sendmail.cf.txt
Any ideas why the hack didn't reject client ip 121.15.90.49?
Thanks,
Ed
-
Re: require_rdns.m4
Ed Davis wrote:
> I also notice that I just received spam from this IP address:
> 121.15.90.49
>
> That IP address does not have a proper reverse DNS. But for some
> reason the hack did not reject. Here is an excerpt from the log file. I
> have changed an email address. The email from the unresolvable client
> ip was forwarded to the final recipient via virtualusertable. The
> email should have been rejected.
>
> Any ideas why the hack didn't reject client ip 121.15.90.49?
It may be cleared for access in /etc/mail/access
--
//Aho
-
Re: require_rdns.m4
On Apr 16, 11:18 am, "J.O. Aho" <u...@example.net> wrote:
>
> It may be cleared for access in /etc/mail/access
Here is my access file. As you can see, the file is very short.
Could it be something with the To: or Connect: lines? Pretend that
zzzzz.com is my domain.
#################
localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
To:zzzzz.com RELAY
Connect:zzzzz.com RELAY
#################
Thanks,
-Ed
-
Re: require_rdns.m4
Ed Davis wrote:
> On Apr 16, 11:18 am, "J.O. Aho" <u...@example.net> wrote:
>> It may be cleared for access in /etc/mail/access
>
> Here is my access file. As you can see, the file is very short.
> Could it be something with the To: or Connect: lines? Pretend that
> zzzzz.com is my domain.
>
> #################
> localhost.localdomain RELAY
> localhost RELAY
> 127.0.0.1 RELAY
>
> To:zzzzz.com RELAY
> Connect:zzzzz.com RELAY
> #################
Yes, it could be those To: and Connect: lines that cause it to be accepted.
The lines don't make any sense; I suggest you remove those.
--
//Aho
-
Re: require_rdns.m4
On Apr 16, 12:57 pm, "J.O. Aho" <u...@example.net> wrote:
>
> Yes, it could be those To: and Connect: lines that cause it to be accepted.
> The lines don't make any sense; I suggest you remove those.
>
I removed those lines. Here is my new access file:
#################
localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
#################
I ran this command after changing the file.
$ makemap hash access < access
The timestamp on access.db leads me to believe the changes worked.
It appears the two questionable lines were not doing anything. My
users are still getting email. In addition, the reverse DNS still is
not doing anything.
Just a few moments ago I got a spam:
From: nutsberry7834 at yahoo dot de
client ip: 221.203.91.75
That client does not have proper reverse DNS and should have been
rejected.
I will make two changes to the .mc file and watch if it does anything.
/etc/mail/sendmail/mc
- feature(delay_checks)dnl
+ feature(`delay_checks',`friend')dnl
- hack(`require_rdns')dnl
+ hack(`require_rdns',`REJECT')dnl
In a few minutes I will post my new .mc and .cf at these links:
http://sawcrest.com/sendmail/sendmail.mc.txt
http://sawcrest.com/sendmail/sendmail.cf.txt
Thanks,
Ed
-
Re: require_rdns.m4
>
> I will make two changes to the .mc file and watch if it does anything.
>
No difference.
I just got a spam from 151.75.208.186 which does not resolve.
If the reverse DNS does not return a PTR the email is not rejected,
but if reverse DNS does return a PTR and the PTR does not resolve back
to the original IP the email does get rejected. (reject=451)
Part of this hack is working, but not all of it. This is strange.
-Ed
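An added example, not from the thread or from require_rdns.m4: a Python sketch of the three reverse-DNS outcomes Ed describes (no PTR, PTR that does not resolve back, confirmed), plus a scan of the maillog format from the opening post that flags delivered messages whose client relay was logged as a bare [ip], which is how sendmail records a client with no PTR name. The DNS tables are constructed stand-ins, not live lookups, and the log lines are the thread's own, re-joined.

```python
import re

# Constructed stand-in for DNS so the example runs offline (assumption, not live lookups).
PTR = {"208.70.128.213": "mx.fusemail.net",   # ip -> PTR name; forward agrees
       "10.0.0.5": "mail.example.org"}        # constructed: forward points elsewhere
A = {"mx.fusemail.net": {"208.70.128.213"},   # name -> A records
     "mail.example.org": {"10.0.0.9"}}

def classify_rdns(ip, ptr=PTR, a=A):
    """Return 'no-ptr', 'ptr-no-match' or 'confirmed' for a connecting client IP."""
    name = ptr.get(ip)
    if name is None:
        return "no-ptr"          # the case the thread says require_rdns let through
    if ip not in a.get(name, set()):
        return "ptr-no-match"    # the case it rejected with 451 4.1.8
    return "confirmed"

# sendmail logs relay=host [ip] when the PTR resolved and relay=[ip] when it did not.
RELAY_RE = re.compile(r"relay=(?:(?P<host>[^\s\[]+) )?\[(?P<ip>[\d.]+)\]")
QID_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)")

def relay_from_log(line):
    """Return (hostname or None, ip) for the relay= field of one log line."""
    m = RELAY_RE.search(line)
    return (m.group("host"), m.group("ip")) if m else None

def accepted_without_rdns(log_lines):
    """Queue IDs delivered (stat=Sent) although the client had no rDNS name."""
    no_name, delivered = {}, set()
    for line in log_lines:
        m = QID_RE.search(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        if rest.startswith("from="):
            r = relay_from_log(rest)
            if r and r[0] is None:
                no_name[qid] = r[1]
        elif rest.startswith("to=") and "stat=Sent" in rest:
            delivered.add(qid)
    return {q: ip for q, ip in no_name.items() if q in delivered}

# The two log lines from the thread, re-joined onto single lines (fields abbreviated).
SAMPLE_LOG = [
    "Apr 16 07:01:29 zzzzz.com sendmail[9142]: l3GD1LZH009142: from=<rmangstere@arkaeologi.dk>,"
    " size=18770, class=0, nrcpts=1, proto=SMTP, relay=[121.15.90.49]",
    "Apr 16 07:01:29 zzzzz.com sendmail[9142]: l3GD1LZH009142: to=zzzzz@yyyyy.com, mailer=esmtp,"
    " relay=mx.fusemail.net. [208.70.128.213], dsn=2.0.0, stat=Sent (OK id=1HdQpl-0006Vb-Fr)",
]
```

Running accepted_without_rdns over a real maillog is a quick way to confirm whether the hack is rejecting the no-PTR case at all, independent of which .mc options are set.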
-
Re: require_rdns.m4
Ed Davis wrote:
>> I will make two changes to the .mc file and watch if it does anything.
>>
>
> No difference.
>
> I just got a spam from 151.75.208.186 which does not resolve.
>
> If the reverse DNS does not return a PTR the email is not rejected,
> but if reverse DNS does return a PTR and the PTR does not resolve back
> to the original IP the email does get rejected. (reject=451)
>
> Part of this hack is working, but not all of it. This is strange.
I took a look at the require_rdns.m4 that I have (which, by the way, works). I
noticed that there is a line that has to be enabled if using 8.12 and others
for 8.10 and 8.11; it could be that yours has been set up for 8.11, which would
make it not work properly.
For 8.11/0: `'R$+<?><$*>$* $:$1 $>LookUpAddress <$1> <?> <$2> <+ rdns>
For 8.12: R$+<?><$*>$* $:$1 $>A <$1> <?> <+ rdns> <$2>
This is the only thing I can think of at this early hour.
--
//Aho
-
Re: require_rdns.m4
On Apr 16, 10:17 pm, "J.O. Aho" <u...@example.net> wrote:
> I took a look at the require_rdns.m4 that I have (which, by the way, works). I
> noticed that there is a line that has to be enabled if using 8.12 and others
> for 8.10 and 8.11; it could be that yours has been set up for 8.11, which would
> make it not work properly.
>
> For 8.11/0: `'R$+<?><$*>$* $:$1 $>LookUpAddress <$1> <?> <$2> <+ rdns>
>
> For 8.12: R$+<?><$*>$* $:$1 $>A <$1> <?> <+ rdns> <$2>
>
> This is the only thing I can think of at this early hour.
>
I am using require_rdns.m4 from the following link *as is*
http://www.cs.niu.edu/~rickert/cf/hack/require_rdns.m4
I am not familiar with reading sendmail rules. But is it possible I
see a typo in the line for 8.12?
For 8.10/8.11
`'R$+<?><$*>$* $:$1 $>LookUpAddress <$1> <?> <$2> <+ rdns>
For 8.12
R$+<?><$*>$* $:$1 $>A <$1> <?> <+ rdns> <$2>
Comparing these two lines I see the characters `' are missing from the
start of the line for the sendmail 8.12 version. I have no clue what
those first two characters are doing in the 8.10/8.11 line.
I am going to try an experiment. I will change my 8.12 line to the
following
`'R$+<?><$*>$* $:$1 $>A <$1> <?> <+ rdns> <$2>
I will update my cf and mc files at the previously posted links.
-Ed
-
Re: require_rdns.m4
Ed Davis wrote:
> On Apr 16, 10:17 pm, "J.O. Aho" <u...@example.net> wrote:
>> I took a look at the require_rdns.m4 that I have (which, by the way, works). I
>> noticed that there is a line that has to be enabled if using 8.12 and others
>> for 8.10 and 8.11; it could be that yours has been set up for 8.11, which would
>> make it not work properly.
>>
>> For 8.11/0: `'R$+<?><$*>$* $:$1 $>LookUpAddress <$1> <?> <$2> <+ rdns>
>>
>> For 8.12: R$+<?><$*>$* $:$1 $>A <$1> <?> <+ rdns> <$2>
>>
>> This is the only thing I can think of at this early hour.
>>
>
> I am using require_rdns.m4 from the following link *as is*
> http://www.cs.niu.edu/~rickert/cf/hack/require_rdns.m4
>
> I am not familiar with reading sendmail rules. But is it possible I
> see a typo in the line for 8.12?
>
> For 8.10/8.11
> `'R$+<?><$*>$* $:$1 $>LookUpAddress <$1> <?> <$2> <+ rdns>
>
> For 8.12
> R$+<?><$*>$* $:$1 $>A <$1> <?> <+ rdns> <$2>
No, it's not a typo, they are different.
--
//Aho