Solved

Sendmail: how to reject SMTP connections that are not DNS reverse mapped?

Posted on 2006-06-15
4
572 Views
Last Modified: 2012-05-11
I am looking for details of how to update the sendmail.cf and sendmail.mc so that Sendmail will refuse to accept inbound mail from any smtp host that does not have a resolvable reverse DNS entry.  I found some code that may do it, but it does not seem to work -- maybe it's in the wrong location.  Any help would be most appreciated.
0
Question by:ibell
4 Comments
 
LVL 2

Expert Comment

by:jcs5003
ID: 16932333
add "HACK(`require_rdns')" without quotes to your sendmail.mc file, then m4 it.... this will make sendmail check for rDNS records and reject the senders if it doesn't match their A record and MX record.
0
 
LVL 2

Accepted Solution

by: jcs5003 (earned 125 total points)
ID: 16932359
you will also need to add the file require_rdns.m4 to /usr/share/sendmail-cf/hack/

create the file and copy this into it

divert(-1)

dnl ##      NOTE:      This M4 file is suitable for sendmail
dnl ##      8.12.x .  To use it with 8.10.x or 8.11.x, a one line
dnl ##      change is required.  Comments indicate which lines
dnl ##      to change (to comment or uncomment)
dnl ##
dnl ##      In the R lines below, the LHS, RHS and trailing comment
dnl ##      are separated by TAB characters.  sendmail refuses a
dnl ##      rule whose fields are separated by spaces ("tab expected"),
dnl ##      so keep the tabs if you copy this file by hand.

dnl ################################################################
dnl ##
dnl ##            This is a HACK to reject mail from connecting clients
dnl ##            without proper rDNS (reverse DNS), functional
dnl ##            gethostbyaddr() resolution.
dnl ##
dnl ##            Use as:
dnl ##
dnl ##                  HACK(require_rdns)
dnl ##
dnl ##            An optional second argument is available, and must be
dnl ##            either `OK' or `REJECT'.  With the second argument,
dnl ##            the decision to reject depends on the recipient, and
dnl ##            is based on access table entries for that recipient.
dnl ##            The second argument gives the default assumed for
dnl ##            recipients without access table entries.  Currently,
dnl ##            only the first letter of the second argument is
dnl ##            checked.
dnl ##
dnl ##            Note that the second argument makes no sense unless
dnl ##            FEATURE(`delay_checks') is also in effect.  It is
dnl ##            best for the `delay_checks' line to come first.  This
dnl ##            is not strictly required, but will avoid a warning
dnl ##            message.
dnl ##
dnl ##            The basic policy is to reject messages with a 5xx
dnl ##            error if the IP address fails to resolve.  However,
dnl ##            if this is a temporary failure, a 4xx temporary
dnl ##            failure is returned.  If the lookup succeeds, but
dnl ##            returns an apparently forged value, this is treated
dnl ##            as a temporary failure with a 4xx error code.
dnl ##
dnl ##            EXCEPTIONS:
dnl ##
dnl ##            Exceptions based on access entries are discussed
dnl ##            below.  Any IP address matched using $=R (the
dnl ##            "relay-domains" file) is excepted from the rules.
dnl ##            Since we have explicitly allowed relaying for this
dnl ##            host, based on IP address, we ignore the rDNS
dnl ##            failure.
dnl ##
dnl ##            The philosophical assumption here is that most users
dnl ##            do not control their rDNS.  They should be able to
dnl ##            send mail through their ISP, whether or not they have
dnl ##            valid rDNS.  The class $=R, roughly speaking,
dnl ##            contains those IP addresses and address ranges for
dnl ##            which we are the ISP, or are acting as if the ISP.
dnl ##
dnl ##            If `delay_checks' is in effect (recommended), then
dnl ##            any sender who has authenticated is also excepted
dnl ##            from the restrictions.  This happens because the
dnl ##            rules produced by this HACK() will not be applied to
dnl ##            authenticated senders (assuming `delay_checks').
dnl ##
dnl ##                  ACCESS MAP ENTRIES:
dnl ##
dnl ##            Per-user entries:
dnl ##
dnl ##            The per-user entries are of the form
dnl ##                  rdns:user      OK
dnl ##            where the RHS should be `OK' or `REJECT'.  If `OK' is
dnl ##            used, mail addressed to this user is not blocked on
dnl ##            rDNS problems.  If the value is `REJECT', it is
dnl ##            checked.  The second argument to the HACK() enables
dnl ##            this feature, and provides the default for users with
dnl ##            no entry.
dnl ##
dnl ##            Note that the user in "rdns:user" is the user part in
dnl ##            the mailer triple after address parsing.  For a
dnl ##            virtual address, this will be the user after
dnl ##            virtusertable processing.  If the mail is addressed
dnl ##            to "user+detail" the "+detail" is stripped before
dnl ##            this checking.
dnl ##
dnl ##            If the recipient is on another host, then the key
dnl ##            actually looked up is "rdns:@host." with the "host"
dnl ##            being the destination to which we will send it.  In
dnl ##            some cases, this might come from a mailertable
dnl ##            entry.  It is not possible to individuate the
dnl ##            decision for remote recipients.  Note that the "."
dnl ##            might be needed after the hostname.  It is best to
dnl ##            use the output of
dnl ##                  echo "/parse address" | sendmail -bt
dnl ##            to decide what goes in the access map.
dnl ##
dnl ##            IP address entries:
dnl ##
dnl ##            Entries such as
dnl ##                  rdns:1.2.3      OK
dnl ##                  1.2.3.4         OK
dnl ##                  1.2             RELAY
dnl ##            will whitelist IP address 1.2.3.4, so that the rDNS
dnl ##            blocking does not apply to that IP address.
dnl ##
dnl ##            Entries such as
dnl ##                  rdns:1.2.3      REJECT
dnl ##                  1.2.3.4         REJECT
dnl ##            will have the effect of forcing a temporary failure
dnl ##            for that address to be treated as a permanent
dnl ##            failure.
dnl ##
dnl ################################################################

divert(0)dnl
VERSIONID(`$Id: require_rdns.m4,v 1.7 2003/06/13 03:59:16 rickert Exp $')
divert(-1)

define(`_REQUIRE_RDNS_',
ifelse(defn(`_ARG_'), `', `',
      lower(substr(_ARG_,0,1)), `o', `OK',
      lower(substr(_ARG_,0,1)), `r', `REJECT',
      `errprint(`*** Bad argument _ARG_ for require_rdns')'))

ifelse(_REQUIRE_RDNS_,`',`',
ifdef(`_DELAY_CHECKS_',`',
``errprint(`*** Warning: Optional argument to require_rdns needs delay_checks
')''
))

PUSHDIVERT(9)dnl
SLocal_check_relay
ifelse(_REQUIRE_RDNS_,`',dnl
R$* $| $*	$:$2 <?> <$&{client_resolve}>
,dnl
R$* $| $*	$:$2 <?> <$&{client_resolve}> $&{rcpt_addr}
)dnl
R$*<?><OK>$*	$@OK	Resolves.
R$=R $* <?><$*>$*	$@RELAY	We relay for these
ifelse(_REQUIRE_RDNS_,`',`',dnl
R$*<?><$*>$+@$+	$:$1<?><$2>@$&{rcpt_host}	use @host for remote
R$*<?><$*>$+ + $*	$:$1<?><$2>$3	remove +detail
R$*<?><$*>$+	`$:$1<?><$2>$(access rdns:$3 $:' _REQUIRE_RDNS_ `$)'	Check rcpt
)dnl
ifelse(_REQUIRE_RDNS_, `REJECT',dnl
`R$*<?><$*>$={Accept}	$@ $3	Bypass for this recipient
', _REQUIRE_RDNS_, `OK',dnl
`R$*<?><$*>REJECT	$:$1<?><$2>	mark rejections
R$*<?><$*>$+	$@OK	bypass for others
',`')dnl
dnl	### The next line is sendmail version dependent
dnl	### Use this (with LookUpAddress) for sendmail-8.10 and 8.11
dnl`'R$+<?><$*>$*	$:$1 $>LookUpAddress <$1> <?> <$2> <+ rdns>
dnl	### but use the following, instead, for 8.12
R$+<?><$*>$*	$:$1 $>A <$1> <?> <+ rdns> <$2>
dnl	### end of version dependent text
R$*<$={Accept}><$+>	$@ $2	OK or RELAY - whitelisted
R$*<REJECT><$*>	$: $1<?><FAIL>	REJECT - treat tempfail as fail
R$*<?><FAIL>	$#error $@ 5.7.1 $: 550 Fix reverse DNS for $1, or use your ISP server
R$*<?><TEMP>	$#error $@ 4.1.8 $: 451 Client IP address $1 does not resolve
R$*<?><FORGED>	$#error $@ 4.1.8 $: 451 Possibly forged hostname for $1
POPDIVERT
undefine(`_REQUIRE_RDNS_')dnl

I tried this on my system and it works fine
0
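To see what the rules in this HACK decide for a given client before rebuilding sendmail.cf, here is an added Python model of the Local_check_relay logic above (example code, not from the thread or from require_rdns.m4). It assumes sendmail's ${client_resolve} values OK, FAIL, TEMP and FORGED, reproduces ruleset A's tagged-then-untagged, shortening-prefix access lookup, and simplifies the $=R test to exact-IP membership:

```python
# Added model of the decision the require_rdns HACK makes in Local_check_relay.
# Not the thread's code nor require_rdns.m4; it lets an admin try out access-map
# and relay-domains entries.  $=R is simplified here to exact-IP membership.
ACCEPT = {"OK", "RELAY"}  # sendmail's class {Accept}


def lookup_address(ip, access, tag="rdns"):
    """Mimic ruleset A (LookUpAddress) for an IPv4 client: for each prefix,
    try the tagged key ("rdns:1.2.3.4"), then the untagged key ("1.2.3.4"),
    then drop the last octet and retry.  '?' means no entry matched."""
    parts = ip.split(".")
    while parts:
        key = ".".join(parts)
        for k in (tag + ":" + key, key):
            if k in access:
                return access[k]
        parts.pop()
    return "?"


def check_relay(client_addr, client_resolve, relay_class, access):
    """Return (smtp_code, reply_text) where the rules would reject, or None
    where they return OK/RELAY and let the client proceed."""
    if client_resolve == "OK":            # R$*<?><OK>$*        $@OK   Resolves.
        return None
    if client_addr in relay_class:        # R$=R $* <?><$*>$*   $@RELAY (simplified)
        return None
    verdict = lookup_address(client_addr, access)
    if verdict in ACCEPT:                 # OK or RELAY - whitelisted
        return None
    if verdict == "REJECT":               # REJECT - treat tempfail as fail
        client_resolve = "FAIL"
    if client_resolve == "FAIL":
        return 550, "5.7.1 Fix reverse DNS for %s, or use your ISP server" % client_addr
    if client_resolve == "TEMP":
        return 451, "4.1.8 Client IP address %s does not resolve" % client_addr
    if client_resolve == "FORGED":
        return 451, "4.1.8 Possibly forged hostname for %s" % client_addr
    return None                           # no rule matched: falls through, accepted


if __name__ == "__main__":
    # Constructed sample entries, in the shape the HACK's comments describe.
    access = {"rdns:192.0.2": "OK", "198.51.100": "REJECT"}
    relay = {"203.0.113.7"}
    for ip, res in [("192.0.2.10", "FAIL"), ("198.51.100.5", "TEMP"),
                    ("203.0.113.7", "FAIL"), ("203.0.113.9", "FORGED")]:
        print(ip, res, "->", check_relay(ip, res, relay, access))
```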
