reject with no reverse dns

I'd like to configure my sendmail to reject messages from senders that have no reverse dns (ptr).  Is there an easy way to do this via editing the sendmail.cf file?
0
Asked by NoelKent
3 Solutions
 
PsiCop commented:
Well, hopefully, you don't edit the sendmail.cf file directly. I'm saying this as a person who rolled his own sendmail.cfs for nearly 10 years - learn the m4 macro system and use sendmail.mc to generate your sendmail.cf files. I switched earlier this year, and I never want to go back.

You need to specify your sendmail version. Different sendmail versions have different capabilities.
0
 
PsiCop commented:
Offhand, I'd say that this is a Bad Idea (tm). You can do it - depending on the sendmail version, you may need to use a MILTER, such as SpamAssassin, to do this. The issue is that there are a lot of legitimate mailhosts out there with lazy admins who've never bothered to put PTR records in DNS for their mailhosts. So, if you use this as a sole basis to accept/reject a particular host, you're going to reject a not-insignificant amount of legitimate hosts (for example, AOL fails to have PTR records for their mail hosts).

If you're still serious about doing this, then your sendmail version is needed. The easiest way to implement is probably using SpamAssassin, so you'd need to be prepared for that and MIMEdefang.
0
 
NoelKent (Author) commented:
Sendmail 8.12.8, I also am running SpamAssassin version 2.64 on RedHat 9
0
 
PsiCop commented:
Hmmm...that's a slightly-dated version. Do you have the security patches on it? Might be a good idea to upgrade to at least v8.12.10.

I'm fairly sure that SpamAssassin can reject based on the sending mailhost not having a PTR record. Personally, I wouldn't do that - give them a few points towards their SPAM score, yeah, but not outright reject.
0
 
cgrey commented:
We tried implementing non-PTR bouncing two years ago and caught so much heat that we abandoned the idea. We handle ~350k messages/day on average (though we hit peaks of 1 million/day once in a while).  I would guess that (even with the nice GENERATE feature in bind) 50% of the ISPs with less than 50,000 users don't have proper reverse DNS.  If you are looking to block email from Brazilian DSL customers (just an example picked at random ;)  investigate implementing either an outsourced solution of pre-processing spam filtering (like Postini) or possibly set up spam trap filtering.  Change your inbound MX records and don't ever use mail.domain.com for your inbound MX hostnames.  Give your customers/users another hostname for their outbound SMTP (e.g. smtp-out.domain.com) and for POP3/IMAP (e.g. pop3.domain.com).  Then recreate mail.domain.com and list it in your DNS. Now mail.domain.com should NEVER EVER get any incoming email. Set up a program to log inbound SMTP connections.  As soon as you receive an email on this box, drop the offending IP into your real MX servers' access.db file with a REJECT 550.  It sounds complicated, but it really isn't.  If you are using some RBLs (you should NEVER rely solely upon one RBL - see PsiCop's comment on SpamAssassin) on your inbound MX then you will find that many spammers fall back to mail.domain.com if they can't send to your listed MX.

Here is a (relatively simple) solution.

Build a linux box (debian is a good choice for this).
Install libmilter, sendmail, spamassassin.
call this box mxf.domain.com
configure iptables to only allow SMTP coming IN from the outside
configure sendmail to forward all mail to your real internal mail server
configure spamassassin and zero all scores except MTA/MX/DNS PTR/RBL related ones.
Tweak your remaining scores to what you feel comfortable with. (set spamcop to 0.1 if you use it at all)
Configure the spamassassin milter to dump anything scoring over your threshold.
Test
Test again
Test once more. =)
update DNS to set mxf.domain.com as your lowest numbered (highest priority) MX.


HINT TO ANY DNS ADMINS OUT THERE

emacs /var/named/rev/db.c.b.a.reverse.zone.file

$GENERATE 0-255 $.c.b.a.in-addr.arpa. PTR dsl-$-c-b-a.in-addr.arpa.

PLEASE PLEASE PLEASE DO THIS for all your DHCP/DIALUP/DSL pools. :) If you are running windows please generate reverse zones for your forwards.
0
 
NoelKent (Author) commented:
I think I'll work on implementing the different domains for POP3/SMTP. Currently I'm using access.db to block all IPs from LACNIC and APNIC; we are a small company that works only within North America and we don't really care about email from those parts of the world, especially considering 95% of it we receive is spam.
0
 
anfi commented:
http://www.cs.niu.edu/~rickert/cf/
[...]
HACK(`require_rdns') -- reject mail from sites without valid reverse DNS. Access entries allow individual override. I don't recommend this. The amount of collateral damage is excessive. (pgp signature)
0
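The thread's consensus is to treat a missing PTR as a spam-score signal rather than a reason to refuse the connection outright (PsiCop's comment, cgrey's milter-threshold setup, and the collateral-damage warning on `require_rdns`). The following added Python example, which is not code from the thread, from sendmail or from SpamAssassin, shows a forward-confirmed reverse-DNS check that returns points instead of a reject. It runs offline against constructed sample DNS data (the hostnames, addresses and point values are assumptions); the `live_*` functions are the drop-in replacements for real lookups.

```python
import re
import socket

# Constructed sample DNS data (RFC 5737 documentation addresses, hypothetical
# names) standing in for a resolver so the example runs offline.
SAMPLE_PTR = {
    "192.0.2.10": "mx1.example.net",             # proper forward-confirmed rDNS
    "192.0.2.20": "dsl-20-2-0-192.example.org",  # $GENERATE-style generic PTR
    "192.0.2.30": "mail.example.com",            # PTR whose A record points elsewhere
    # 192.0.2.40 deliberately has no PTR at all
}
SAMPLE_A = {
    "mx1.example.net": {"192.0.2.10"},
    "dsl-20-2-0-192.example.org": {"192.0.2.20"},
    "mail.example.com": {"203.0.113.5"},
}
# Names that look auto-generated for dynamic pools (dsl-, dhcp-, pool-, ...).
GENERIC_PTR = re.compile(r"^(dsl|dhcp|dyn|dynamic|pool|ppp|cable)[-.0-9]", re.I)

def sample_ptr(ip):
    return SAMPLE_PTR.get(ip)

def sample_a(name):
    return SAMPLE_A.get(name, set())

def live_ptr(ip):
    """Real reverse lookup; None when the address has no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def live_a(name):
    """Real forward lookup of the PTR name, as a set of IPv4 strings."""
    try:
        return {r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def rdns_check(ip, ptr_lookup=sample_ptr, a_lookup=sample_a):
    """Classify the sender's reverse DNS and return (tag, points to add)."""
    ptr = ptr_lookup(ip)
    if ptr is None:
        return "NO_PTR", 1.5              # no reverse DNS: strongest rDNS signal
    if ip not in a_lookup(ptr):
        return "PTR_FWD_MISMATCH", 1.0    # PTR exists but does not confirm forward
    if GENERIC_PTR.match(ptr):
        return "GENERIC_PTR", 0.5         # consumer-pool style name
    return "FCRDNS_OK", 0.0

def decide(ip, other_score=0.0, threshold=5.0, **lookups):
    """Combine the rDNS points with other scores; reject only past the threshold."""
    tag, points = rdns_check(ip, **lookups)
    total = other_score + points
    return tag, total, ("reject" if total >= threshold else "accept")
```

Because a missing PTR alone (1.5 points here) never reaches the threshold, a legitimate host with a lazy DNS admin is accepted unless other signals also fire.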