Solved

Sendmail: how to reject SMTP connections that are not DNS reverse mapped?

Posted on 2006-06-15
583 Views
Last Modified: 2012-05-11
I am looking for details of how to update the sendmail.cf and sendmail.mc so that Sendmail will refuse to accept inbound mail from any smtp host that does not have a resolvable reverse DNS entry.  I found some code that may do it, but it does not seem to work -- maybe it's in the wrong location.  Any help would be most appreciated.
Question by:ibell
4 Comments
 
LVL 2

Expert Comment

by:jcs5003
ID: 16932333
Add "HACK(`require_rdns')" without quotes to your sendmail.mc file, then m4 it. This will make sendmail check for rDNS records and reject the senders if it doesn't match their A record and MX record.
 
LVL 2

Accepted Solution

by:jcs5003 (earned 500 total points)
ID: 16932359
You will also need to add the file require_rdns.m4 to /usr/share/sendmail-cf/hack/

Create the file and copy this into it:

divert(-1)

dnl ##      NOTE:      This M4 file is suitable for sendmail
dnl ##      8.12.x .  To use it with 8.10.x or 8.11.x, a one line
dnl ##      change is required.  Comments indicate which lines
dnl ##      to change (to comment or uncomment)

dnl ################################################################
dnl ##
dnl ##            This is a HACK to reject mail from connecting clients
dnl ##            without proper rDNS (reverse DNS), functional
dnl ##            gethostbyaddr() resolution.
dnl ##
dnl ##            Use as:
dnl ##
dnl ##                  HACK(require_rdns)
dnl ##
dnl ##            An optional second argument is available, and must be
dnl ##            either `OK' or `REJECT'.  With the second argument,
dnl ##            the decision to reject depends on the recipient, and
dnl ##            is based on access table entries for that recipient.
dnl ##            The second argument gives the default assumed for
dnl ##            recipients without access table entries.  Currently,
dnl ##            only the first letter of the second argument is
dnl ##            checked.
dnl ##
dnl ##            Note that the second argument makes no sense unless
dnl ##            FEATURE(`delay_checks') is also in effect.  It is
dnl ##            best for the `delay_check' line to come first.  This
dnl ##            is not strictly required, but will avoid a warning
dnl ##            message.
dnl ##
dnl ##            The basic policy is to reject messages with a 5xx
dnl ##            error if the IP address fails to resolve.  However,
dnl ##            if this is a temporary failure, a 4xx temporary
dnl ##            failure is returned.  If the lookup succeeds, but
dnl ##            returns an apparently forged value, this is treated
dnl ##            as a temporary failure with a 4xx error code.
dnl ##
dnl ##            EXCEPTIONS:
dnl ##
dnl ##            Exceptions based on access entries are discussed
dnl ##            below.  Any IP address matched using $=R (the
dnl ##            "relay-domains" file) is excepted from the rules.
dnl ##            Since we have explicitly allowed relaying for this
dnl ##            host, based on IP address, we ignore the rDNS
dnl ##            failure.
dnl ##
dnl ##            The philosophical assumption here is that most users
dnl ##            do not control their rDNS.  They should be able to
dnl ##            send mail through their ISP, whether or not they have
dnl ##            valid rDNS.  The class $=R, roughly speaking,
dnl ##            contains those IP addresses and address ranges for
dnl ##            which we are the ISP, or are acting as if the ISP.
dnl ##
dnl ##            If `delay_checks' is in effect (recommended), then
dnl ##            any sender who has authenticated is also excepted
dnl ##            from the restrictions.  This happens because the
dnl ##            rules produced by this HACK() will not be applied to
dnl ##            authenticated senders (assuming `delay_checks').
dnl ##
dnl ##                  ACCESS MAP ENTRIES:
dnl ##
dnl ##            Per-user entries:
dnl ##
dnl ##            The per-user entries are of the form
dnl ##                  rdns:user      OK
dnl ##            where the RHS should be `OK' or `REJECT'.  If `OK' is
dnl ##            used, mail addressed to this user is not blocked on
dnl ##            rDNS problems.  If the value is `REJECT', it is
dnl ##            checked.  The second argument to the HACK() enables
dnl ##            this feature, and provides the default for users with
dnl ##            no entry.
dnl ##
dnl ##            Note that the user in "rdns:user" is the user part in
dnl ##            the mailer triple after address parsing.  For a
dnl ##            virtual address, this will be the user after
dnl ##            virtusertable processing.  If the mail is addressed
dnl ##            to "user+detail" the "+detail" is stripped before
dnl ##            this checking.
dnl ##
dnl ##            If the recipient is on another host, then the key
dnl ##            actually looked up is "rdns:@host." with the "host"
dnl ##            being the destination to which we will send it.  In
dnl ##            some cases, this might come from a mailertable
dnl ##            entry.  It is not possible to individuate the
dnl ##            decision for remote recipients.  Note that the "."
dnl ##            might be needed after the hostname.  It is best to
dnl ##            use the output of
dnl ##                  echo "/parse address" | sendmail -bt
dnl ##            to decide what goes in the access map.
dnl ##
dnl ##            IP address entries:
dnl ##
dnl ##            Entries such as
dnl ##                  rdns:1.2.3      OK
dnl ##                  1.2.3.4            OK
dnl ##                  1.2            RELAY
dnl ##            will whitelist IP address 1.2.3.4, so that the rDNS
dnl ##            blocking does not apply to that IP address
dnl ##
dnl ##            Entries such as
dnl ##                  rdns:1.2.3      REJECT
dnl ##                  1.2.3.4            REJECT
dnl ##            will have the effect of forcing a temporary failure
dnl ##            for that address to be treated as a permanent
dnl ##            failure.
dnl ##
dnl ################################################################

divert(0)dnl
VERSIONID(`$Id: require_rdns.m4,v 1.7 2003/06/13 03:59:16 rickert Exp $')
divert(-1)

define(`_REQUIRE_RDNS_',
ifelse(defn(`_ARG_'), `', `',
      lower(substr(_ARG_,0,1)), `o', `OK',
      lower(substr(_ARG_,0,1)), `r', `REJECT',
      `errprint(`*** Bad argument _ARG_ for require_rdns')'))

ifelse(_REQUIRE_RDNS_,`',`',
ifdef(`_DELAY_CHECKS_',`',
``errprint(`*** Warning: Optional argument to require_rdns needs delay_checks
')''
))

PUSHDIVERT(9)dnl
dnl	### The rule fields below are tab separated: sendmail.cf requires
dnl	### a tab (not spaces) between the LHS, the RHS and the comment.
SLocal_check_relay
ifelse(_REQUIRE_RDNS_,`',dnl
R$* $| $*	$:$2 <?> <$&{client_resolve}>
,dnl
R$* $| $*	$:$2 <?> <$&{client_resolve}> $&{rcpt_addr}
)dnl
R$*<?><OK>$*	$@OK	Resolves.
R$=R $* <?><$*>$*	$@RELAY	We relay for these
ifelse(_REQUIRE_RDNS_,`',`',dnl
R$*<?><$*>$+@$+	$:$1<?><$2>@$&{rcpt_host}	use @host for remote
R$*<?><$*>$+ + $*	$:$1<?><$2>$3	remove +detail
R$*<?><$*>$+	`$:$1<?><$2>$(access rdns:$3 $:' _REQUIRE_RDNS_ `$)'	Check rcpt
)dnl
ifelse(_REQUIRE_RDNS_, `REJECT',dnl
`R$*<?><$*>$={Accept}	$@ $3	Bypass for this recipient
', _REQUIRE_RDNS_, `OK',dnl
`R$*<?><$*>REJECT	$:$1<?><$2>	mark rejections
R$*<?><$*>$+	$@OK	bypass for others
',`')dnl
dnl	### The next line is sendmail version dependent
dnl	### Use this (with LookUpAddress) for sendmail-8.10 and 8.11
dnl`'R$+<?><$*>$*	$:$1 $>LookUpAddress <$1> <?> <$2> <+ rdns>
dnl	### but use the following, instead, for 8.12
R$+<?><$*>$*	$:$1 $>A <$1> <?> <+ rdns> <$2>
dnl	### end of version dependent text
R$*<$={Accept}><$+>	$@ $2	OK or RELAY - whitelisted
R$*<REJECT><$*>	$: $1<?><FAIL>	REJECT - treat tempfail as fail
R$*<?><FAIL>	$#error $@ 5.7.1 $: 550 Fix reverse DNS for $1, or use your ISP server
R$*<?><TEMP>	$#error $@ 4.1.8 $: 451 Client IP address $1 does not resolve
R$*<?><FORGED>	$#error $@ 4.1.8 $: 451 Possibly forged hostname for $1
POPDIVERT
undefine(`_REQUIRE_RDNS_')dnl

I tried this on my system and it works fine.
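To make the decision order of the Local_check_relay rules above concrete, here is an added Python model of them (example code, not part of the answer and not sendmail code). It takes the value sendmail would have in ${client_resolve} (OK, FAIL, TEMP or FORGED), the relay-domains class, the access map as a dict and the optional second HACK() argument, and returns the SMTP rejection the rules would produce, or None when the connection is let through; the prefix walk in access_lookup_ip is an assumption standing in for sendmail's ruleset A.

```python
# Added model of the require_rdns check_relay decision table (not sendmail code).

ACCEPT = {"OK", "RELAY"}          # sendmail's $={Accept} class

def in_relay_class(ip, relay_class):
    """$=R $* : the IP, or any dotted prefix of it, is listed in relay-domains."""
    return any(ip == r or ip.startswith(r + ".") for r in relay_class)

def access_lookup_ip(access, ip):
    """Stand-in for ruleset A: longest dotted prefix, tagged rdns: first, then untagged."""
    parts = ip.split(".")
    for n in range(len(parts), 0, -1):
        key = ".".join(parts[:n])
        for k in ("rdns:" + key, key):
            if k in access:
                return access[k]
    return None                   # no entry: workspace keeps <?>

def require_rdns(client_ip, client_resolve, relay_class=(), access=None,
                 default=None, rcpt_user=None, rcpt_host=None):
    """Return (code, text) for a rejection, or None when a rule says $@OK / $@RELAY."""
    access = access or {}
    if client_resolve == "OK":                 # R$*<?><OK>$*     Resolves.
        return None
    if in_relay_class(client_ip, relay_class): # R$=R $* <?>...   We relay for these
        return None
    if default:                                # second HACK() argument in effect
        default = "OK" if default[0].lower() == "o" else "REJECT"
        if rcpt_host:                          # remote recipient: rdns:@host
            key = "rdns:@" + rcpt_host
        else:                                  # local user, +detail stripped
            key = "rdns:" + rcpt_user.split("+", 1)[0]
        verdict = access.get(key, default)
        if default == "REJECT" and verdict in ACCEPT:
            return None                        # Bypass for this recipient
        if default == "OK" and verdict != "REJECT":
            return None                        # bypass for others
    found = access_lookup_ip(access, client_ip)
    if found in ACCEPT:                        # OK or RELAY - whitelisted
        return None
    if found == "REJECT":                      # treat tempfail as fail
        client_resolve = "FAIL"
    if client_resolve == "FAIL":
        return (550, f"5.7.1 Fix reverse DNS for {client_ip}, or use your ISP server")
    if client_resolve == "TEMP":
        return (451, f"4.1.8 Client IP address {client_ip} does not resolve")
    if client_resolve == "FORGED":
        return (451, f"4.1.8 Possibly forged hostname for {client_ip}")
    return None                                # no rule matched: connection accepted
```

Running the model with a constructed access map (for example `{"rdns:postmaster": "OK"}` and `default="REJECT"`) shows why the second argument only makes sense with delay_checks: the verdict depends on the recipient, which is not known at connect time.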
