Solved

reject with no reverse dns

Posted on 2004-09-14
10
1,564 Views
Last Modified: 2013-12-17
I'd like to configure my sendmail to reject messages from senders that have no reverse dns (ptr).  Is there an easy way to do this via editing the sendmail.cf file?
0
Question by:NoelKent
10 Comments
 
LVL 34

Expert Comment

by:PsiCop
ID: 12058728
Well, hopefully, you don't edit the sendmail.cf file directly. I'm saying this as a person who rolled his own sendmail.cfs for nearly 10 years - learn the m4 macro system and use sendmail.mc to generate your sendmail.cf files. I switched earlier this year, and I never want to go back.

You need to specify your sendmail version. Different sendmail versions have different capabilities.
0
 
LVL 34

Accepted Solution

by:
PsiCop earned 43 total points
ID: 12058831
Offhand, I'd say that this is a Bad Idea (tm). You can do it - depending on the sendmail version, you may need to use a MILTER, such as SpamAssassin, to do this. The issue is that there are a lot of legitimate mailhosts out there with lazy admins who've never bothered to put PTR records in DNS for their mailhosts. So, if you use this as the sole basis to accept/reject a particular host, you're going to reject a not-insignificant number of legitimate hosts (for example, AOL fails to have PTR records for their mail hosts).

If you're still serious about doing this, then your sendmail version is needed. The easiest way to implement is probably using SpamAssassin, so you'd need to be prepared for that and MIMEdefang.
0
 

Author Comment

by:NoelKent
ID: 12059588
Sendmail 8.12.8, I also am running SpamAssassin version 2.64 on RedHat 9
0

 
LVL 34

Expert Comment

by:PsiCop
ID: 12061243
Hmmm...that's a slightly-dated version. Do you have the security patches on it? Might be a good idea to upgrade to at least v8.12.10.

I'm fairly sure that SpamAssassin can reject based on the sending mailhost not having a PTR record. Personally, I wouldn't do that - give them a few points towards their SPAM score, yeah, but not outright reject.
0
 
LVL 5

Assisted Solution

by:cgrey
cgrey earned 41 total points
ID: 12066611
We tried implementing non-PTR bouncing two years ago and caught so much heat that we abandoned the idea. We handle ~350k messages/day on average (though we hit peaks of 1 million/day once in a while). I would guess that (even with the nice GENERATE feature in BIND) 50% of the ISPs with fewer than 50,000 users don't have proper reverse DNS. If you are looking to block email from Brazilian DSL customers (just an example picked at random ;) ), investigate implementing either an outsourced spam pre-filtering solution (like Postini) or possibly set up spam-trap filtering. Change your inbound MX records and don't ever use mail.domain.com for your inbound MX hostnames. Give your customers/users another hostname for their outbound SMTP (e.g. smtp-out.domain.com) and for POP3/IMAP (e.g. pop3.domain.com). Then recreate mail.domain.com and list it in your DNS. Now mail.domain.com should NEVER EVER get any incoming email. Set up a program to log inbound SMTP connections. As soon as you receive an email on this box, drop the offending IP into your real MX servers' access.db file with a REJECT 550. It sounds complicated, but it really isn't. If you are using some RBLs (you should NEVER rely solely upon one RBL - see PsiCop's comment on SpamAssassin) on your inbound MX, then you will find that many spammers fall back to mail.domain.com if they can't send to your listed MX.

Here is a (relatively simple) solution.

Build a Linux box (Debian is a good choice for this).
Install libmilter, sendmail, spamassassin.
Call this box mxf.domain.com.
Configure iptables to only allow SMTP coming IN from the outside.
Configure sendmail to forward all mail to your real internal mail server.
Configure spamassassin and zero all scores except the MTA/MX/DNS PTR/RBL related ones.
Tweak your remaining scores to what you feel comfortable with (set spamcop to 0.1 if you use it at all).
Configure the spamassassin milter to dump anything scoring over your threshold.
Test.
Test again.
Test once more. =)
Update DNS to set mxf.domain.com as your lowest numbered (highest priority) MX.


HINT TO ANY DNS ADMINS OUT THERE

emacs /var/named/rev/db.c.b.a.reverse.zone.file

; One PTR per address in the a.b.c.0/24 pool; $ is replaced by 0..255.
; The PTR target has to be a forward hostname that carries a matching A record,
; so it lives under your own domain (domain.com here), not under in-addr.arpa.
$GENERATE 0-255 $.c.b.a.in-addr.arpa. PTR dsl-$-c-b-a.domain.com.

PLEASE PLEASE PLEASE DO THIS for all your DHCP/DIALUP/DSL pools. :) If you are running windows please generate reverse zones for your forwards.
0
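The spam-trap step above ("log inbound SMTP connections on mail.domain.com, then drop the offending IP into your real MX servers' access.db with a REJECT 550") as an added example; this is not code from the thread. It assumes the trap host logs ordinary sendmail "relay=" lines via syslog, the log lines and the never-block networks are constructed, and the access.db text it emits uses the Connect: tag with an ERROR:"550 ..." value.

```python
"""Turn spam-trap sendmail log lines into access.db REJECT entries (added example)."""
import ipaddress
import re

# Constructed sendmail log lines as the trap host (mail.domain.com) would write them.
TRAP_LOG = """\
Sep 14 10:01:02 mail sendmail[1234]: i8EE12xy001234: from=<bulk@example.org>, size=812, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[203.0.113.45]
Sep 14 10:01:07 mail sendmail[1236]: i8EE17xy001236: from=<x@example.net>, size=904, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=host.example.net [198.51.100.7]
Sep 14 10:02:00 mail sendmail[1240]: i8EE20xy001240: from=<root@relay>, size=100, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=relay.internal [192.168.1.10]
Sep 14 10:03:00 mail sendmail[1244]: i8EE30xy001244: from=<y@example.org>, size=500, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[203.0.113.45]
"""

# sendmail writes "relay=name [ip]" when the PTR resolves and "relay=[ip]" when it does not.
RELAY_RE = re.compile(r"relay=(?:\S+ )?\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Assumed internal ranges: your own relays must never end up in the block list,
# even if something inside accidentally delivers to the trap.
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("192.168.0.0/16")]


def trap_hits(log_text):
    """Return the distinct public client IPs that delivered to the trap, sorted."""
    hits = set()
    for line in log_text.splitlines():
        m = RELAY_RE.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        if any(ip in net for net in NEVER_BLOCK):
            continue
        hits.add(str(ip))
    return sorted(hits, key=ipaddress.ip_address)


def access_entries(ips):
    """Render access source lines; feed them to `makemap hash access < access` on the real MX."""
    return ['Connect:%s\tERROR:"550 Mail refused: host delivered to spam trap"' % ip
            for ip in ips]


if __name__ == "__main__":
    print("\n".join(access_entries(trap_hits(TRAP_LOG))))
```

Run it from cron on the trap host and append the output to the access source on your inbound MX before rebuilding the map; the duplicate 203.0.113.45 hit collapses to one entry.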
 

Author Comment

by:NoelKent
ID: 12067522
I think I'll work on implementing the different domains for POP3/SMTP. Currently I'm using access.db to block all IPs from LACNIC and APNIC; we are a small company that works only within North America and we don't really care about email from those parts of the world, especially considering 95% of what we receive from there is spam.
0
 
LVL 6

Assisted Solution

by:anfi
anfi earned 41 total points
ID: 12174288
http://www.cs.niu.edu/~rickert/cf/
[...]
HACK(`require_rdns') -- reject mail from sites without valid reverse DNS. Access entries allow individual override. I don't recommend this. The amount of collateral damage is excessive. (pgp signature)
0
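PsiCop's advice to score a missing PTR rather than reject on it, and the access-entry override that anfi's quoted require_rdns description mentions, as one added example; this is not code from the thread or from Rickert's hack. DNS answers are injected so it runs offline; the PTR/A table, the access entries and the point weights are constructed assumptions.

```python
"""Forward-confirmed reverse DNS check that adds points instead of rejecting (added example)."""

# Constructed DNS data: PTR records and the forward A records that should confirm them.
PTR = {
    "198.51.100.7": "mx1.example.net",    # PTR with a matching A record: full FCrDNS
    "203.0.113.45": "ghost.example.org",  # PTR whose forward A record does not exist
}                                         # 203.0.113.200 has no PTR at all
A = {"mx1.example.net": ["198.51.100.7"]}

# Constructed access entries in sendmail's Connect: form; a value of OK exempts
# the client from the rDNS check, mirroring the per-host override of the hack.
ACCESS = {"Connect:192.0.2": "OK"}


def access_lookup(ip, access=ACCESS):
    """Mimic sendmail's access.db matching for Connect: keys: the full address
    first, then successively shorter dotted prefixes (1.2.3.4, 1.2.3, 1.2, 1)."""
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        hit = access.get("Connect:" + ".".join(octets[:n]))
        if hit is not None:
            return hit
    return None


def rdns_points(ip, ptr=PTR.get, a=lambda name: A.get(name, [])):
    """Return (points, reason). Weights are assumptions to tune like any
    SpamAssassin score; 0.0 means the check passed or was overridden."""
    if access_lookup(ip) == "OK":
        return 0.0, "ACCESS_OVERRIDE"
    name = ptr(ip)
    if name is None:
        return 2.0, "NO_PTR"
    if ip not in a(name):
        return 1.5, "PTR_FORWARD_MISMATCH"
    return 0.0, "FCRDNS_OK"


def verdict(ip, other_points=0.0, threshold=5.0):
    """Only the combined score decides, so a missing PTR on its own never rejects."""
    points, reason = rdns_points(ip)
    total = other_points + points
    return ("reject" if total >= threshold else "accept", total, reason)
```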