Solved

Sendmail: how to reject SMTP connections that are not DNS reverse mapped?

Posted on 2006-06-15
561 Views
Last Modified: 2012-05-11
I am looking for details of how to update sendmail.cf and sendmail.mc so that Sendmail will refuse to accept inbound mail from any SMTP host that does not have a resolvable reverse DNS entry. I found some code that may do it, but it does not seem to work; maybe it's in the wrong location. Any help would be most appreciated.
Question by:ibell
4 Comments

Expert Comment

by:jcs5003
ID: 16932333
Add "HACK(`require_rdns')" (without the double quotes) to your sendmail.mc file, then m4 it. This will make sendmail check for rDNS records and reject the senders if it doesn't match their A record and MX record.
Accepted Solution

by: jcs5003 (earned 125 total points)
ID: 16932359
You will also need to add the file require_rdns.m4 to /usr/share/sendmail-cf/hack/.

Create the file and copy this into it:

divert(-1)

dnl ##      NOTE:      This M4 file is suitable for sendmail
dnl ##      8.12.x .  To use it with 8.10.x or 8.11.x, a one line
dnl ##      change is required.  Comments indicate which lines
dnl ##      to change (to comment or uncomment)
dnl ##
dnl ##      The LHS, RHS and comment of every "R" rule below are
dnl ##      separated by TAB characters, as sendmail requires; if
dnl ##      the tabs are lost when copying (for instance pasted as
dnl ##      spaces), sendmail will refuse the generated .cf file.

dnl ################################################################
dnl ##
dnl ##            This is a HACK to reject mail from connecting clients
dnl ##            without proper rDNS (reverse DNS), functional
dnl ##            gethostbyaddr() resolution.
dnl ##
dnl ##            Use as:
dnl ##
dnl ##                  HACK(require_rdns)
dnl ##
dnl ##            An optional second argument is available, and must be
dnl ##            either `OK' or `REJECT'.  With the second argument,
dnl ##            the decision to reject depends on the recipient, and
dnl ##            is based on access table entries for that recipient.
dnl ##            The second argument gives the default assumed for
dnl ##            recipients without access table entries.  Currently,
dnl ##            only the first letter of the second argument is
dnl ##            checked.
dnl ##
dnl ##            Note that the second argument makes no sense unless
dnl ##            FEATURE(`delay_checks') is also in effect.  It is
dnl ##            best for the `delay_checks' line to come first.  This
dnl ##            is not strictly required, but will avoid a warning
dnl ##            message.
dnl ##
dnl ##            The basic policy is to reject messages with a 5xx
dnl ##            error if the IP address fails to resolve.  However,
dnl ##            if this is a temporary failure, a 4xx temporary
dnl ##            failure is returned.  If the lookup succeeds, but
dnl ##            returns an apparently forged value, this is treated
dnl ##            as a temporary failure with a 4xx error code.
dnl ##
dnl ##            EXCEPTIONS:
dnl ##
dnl ##            Exceptions based on access entries are discussed
dnl ##            below.  Any IP address matched using $=R (the
dnl ##            "relay-domains" file) is excepted from the rules.
dnl ##            Since we have explicitly allowed relaying for this
dnl ##            host, based on IP address, we ignore the rDNS
dnl ##            failure.
dnl ##
dnl ##            The philosophical assumption here is that most users
dnl ##            do not control their rDNS.  They should be able to
dnl ##            send mail through their ISP, whether or not they have
dnl ##            valid rDNS.  The class $=R, roughly speaking,
dnl ##            contains those IP addresses and address ranges for
dnl ##            which we are the ISP, or are acting as if the ISP.
dnl ##
dnl ##            If `delay_checks' is in effect (recommended), then
dnl ##            any sender who has authenticated is also excepted
dnl ##            from the restrictions.  This happens because the
dnl ##            rules produced by this HACK() will not be applied to
dnl ##            authenticated senders (assuming `delay_checks').
dnl ##
dnl ##                  ACCESS MAP ENTRIES:
dnl ##
dnl ##            Per-user entries:
dnl ##
dnl ##            The per-user entries are of the form
dnl ##                  rdns:user      OK
dnl ##            where the RHS should be `OK' or `REJECT'.  If `OK' is
dnl ##            used, mail addressed to this user is not blocked on
dnl ##            rDNS problems.  If the value is `REJECT', it is
dnl ##            checked.  The second argument to the HACK() enables
dnl ##            this feature, and provides the default for users with
dnl ##            no entry.
dnl ##
dnl ##            Note that the user in "rdns:user" is the user part in
dnl ##            the mailer triple after address parsing.  For a
dnl ##            virtual address, this will be the user after
dnl ##            virtusertable processing.  If the mail is addressed
dnl ##            to "user+detail" the "+detail" is stripped before
dnl ##            this checking.
dnl ##
dnl ##            If the recipient is on another host, then the key
dnl ##            actually looked up is "rdns:@host." with the "host"
dnl ##            being the destination to which we will send it.  In
dnl ##            some cases, this might come from a mailertable
dnl ##            entry.  It is not possible to individuate the
dnl ##            decision for remote recipients.  Note that the "."
dnl ##            might be needed after the hostname.  It is best to
dnl ##            use the output of
dnl ##                  echo "/parse address" | sendmail -bt
dnl ##            to decide what goes in the access map.
dnl ##
dnl ##            IP address entries:
dnl ##
dnl ##            Entries such as
dnl ##                  rdns:1.2.3      OK
dnl ##                  1.2.3.4            OK
dnl ##                  1.2            RELAY
dnl ##            will whitelist IP address 1.2.3.4, so that the rDNS
dnl ##            blocking does not apply to that IP address.
dnl ##
dnl ##            Entries such as
dnl ##                  rdns:1.2.3      REJECT
dnl ##                  1.2.3.4            REJECT
dnl ##            will have the effect of forcing a temporary failure
dnl ##            for that address to be treated as a permanent
dnl ##            failure.
dnl ##
dnl ################################################################

divert(0)dnl
VERSIONID(`$Id: require_rdns.m4,v 1.7 2003/06/13 03:59:16 rickert Exp $')
divert(-1)

define(`_REQUIRE_RDNS_',
ifelse(defn(`_ARG_'), `', `',
      lower(substr(_ARG_,0,1)), `o', `OK',
      lower(substr(_ARG_,0,1)), `r', `REJECT',
      `errprint(`*** Bad argument _ARG_ for require_rdns')'))

ifelse(_REQUIRE_RDNS_,`',`',
ifdef(`_DELAY_CHECKS_',`',
``errprint(`*** Warning: Optional argument to require_rdns needs delay_checks
')''
))

PUSHDIVERT(9)dnl
SLocal_check_relay
ifelse(_REQUIRE_RDNS_,`',dnl
R$* $| $*		$:$2 <?> <$&{client_resolve}>
,dnl
R$* $| $*		$:$2 <?> <$&{client_resolve}> $&{rcpt_addr}
)dnl
R$*<?><OK>$*		$@OK			Resolves.
R$=R $* <?><$*>$*	$@RELAY			We relay for these
ifelse(_REQUIRE_RDNS_,`',`',dnl
R$*<?><$*>$+@$+		$:$1<?><$2>@$&{rcpt_host}	use @host for remote
R$*<?><$*>$+ + $*	$:$1<?><$2>$3		remove +detail
R$*<?><$*>$+		`$:$1<?><$2>$(access rdns:$3 $:' _REQUIRE_RDNS_ `$)'	Check rcpt
)dnl
ifelse(_REQUIRE_RDNS_, `REJECT',dnl
`R$*<?><$*>$={Accept}	$@ $3			Bypass for this recipient
', _REQUIRE_RDNS_, `OK',dnl
`R$*<?><$*>REJECT	$:$1<?><$2>		mark rejections
R$*<?><$*>$+		$@OK			bypass for others
',`')dnl
dnl	### The next line is sendmail version dependent
dnl	### Use this (with LookUpAddress) for sendmail-8.10 and 8.11
dnl`'R$+<?><$*>$*		$:$1 $>LookUpAddress <$1> <?> <$2> <+ rdns>
dnl	### but use the following, instead, for 8.12
R$+<?><$*>$*		$:$1 $>A <$1> <?> <+ rdns> <$2>
dnl	### end of version dependent text
R$*<$={Accept}><$+>	$@ $2			OK or RELAY - whitelisted
R$*<REJECT><$*>		$: $1<?><FAIL>		REJECT - treat tempfail as fail
R$*<?><FAIL>		$#error $@ 5.7.1 $: 550 Fix reverse DNS for $1, or use your ISP server
R$*<?><TEMP>		$#error $@ 4.1.8 $: 451 Client IP address $1 does not resolve
R$*<?><FORGED>		$#error $@ 4.1.8 $: 451 Possibly forged hostname for $1
POPDIVERT
undefine(`_REQUIRE_RDNS_')dnl

I tried this on my system and it works fine.
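The rules in the accepted answer branch on the four values sendmail stores in ${client_resolve} (OK, FAIL, TEMP, FORGED) and then on the $=R class and the rdns: access-map entries. The following script is an added example, not part of the answer above and not sendmail's code: it models how a client address ends up in one of those four states (PTR lookup, then forward lookup of the PTR name, confirmed only if the client IP is among the A records) and how the HACK's Local_check_relay rules turn the state into an SMTP reply. It assumes two simplifications: only tagged "rdns:" access keys are modelled (the untagged "1.2.3.4 OK" fallback is left out), and a PTR name with no A record at all is treated as FORGED. The resolver is injected as a pair of functions; the DNS data and TEST-NET addresses are constructed so the script runs offline.

```python
"""Model of the value sendmail puts in ${client_resolve} for a connecting client
and of the decision HACK(`require_rdns') then makes in Local_check_relay.
Added, constructed example: not sendmail's code and not the m4 file above.
Assumed simplifications: only "rdns:" tagged access keys; no-A-record => FORGED."""

import socket  # only needed if you swap in the live resolver (see usage note)
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


class TempFail(Exception):
    """A resolver raises this for a temporary DNS error (SERVFAIL, timeout)."""


# A resolver is a pair (ptr_lookup, forward_lookup):
#   ptr_lookup(ip)       -> PTR hostname, or None when there is no PTR record
#   forward_lookup(name) -> list of A-record addresses ([] when there are none)
Resolver = Tuple[Callable[[str], Optional[str]], Callable[[str], List[str]]]


def classify_client(ip: str, resolver: Resolver) -> Tuple[str, str]:
    """Return (${client_name}, ${client_resolve}) for a client address.
    OK: PTR exists and the name's A records include the IP; FORGED: PTR exists
    but does not map back; FAIL: no PTR; TEMP: temporary DNS failure.
    ${client_name} falls back to "[ip]" unless the name is forward-confirmed."""
    ptr_lookup, forward_lookup = resolver
    try:
        name = ptr_lookup(ip)
        if name is None:
            return f"[{ip}]", "FAIL"
        if ip in forward_lookup(name):
            return name, "OK"
    except TempFail:
        return f"[{ip}]", "TEMP"
    return f"[{ip}]", "FORGED"


def ip_prefix_key(ip: str, keys) -> Optional[str]:
    """Longest match of an IPv4 address against keys on octet boundaries, the
    way $=R members and access-map IP keys match ("1.2.3" covers 1.2.3.0/24)."""
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        candidate = ".".join(octets[:n])
        if candidate in keys:
            return candidate
    return None


@dataclass
class RequireRdns:
    """HACK(`require_rdns') without its optional second argument."""
    relay_class: List[str] = field(default_factory=list)  # $=R (relay-domains)
    access: Dict[str, str] = field(default_factory=dict)  # "rdns:1.2.3" -> OK/REJECT

    def check_relay(self, ip: str, resolver: Resolver) -> Tuple[str, Optional[str]]:
        """Return ("accept", None), ("reject", reply) or ("tempfail", reply)."""
        _, state = classify_client(ip, resolver)
        if state == "OK":                        # R$*<?><OK>$*   $@OK
            return "accept", None
        if ip_prefix_key(ip, self.relay_class):  # R$=R ...       $@RELAY
            return "accept", None
        # $>A <ip> <?> <+ rdns> <state>: access lookup, the state is the default
        key = ip_prefix_key(ip, [k[5:] for k in self.access if k.startswith("rdns:")])
        verdict = self.access["rdns:" + key] if key else state
        if verdict in ("OK", "RELAY"):           # $={Accept}: whitelisted
            return "accept", None
        if verdict == "REJECT":                  # REJECT turns a tempfail into a hard fail
            verdict = "FAIL"
        if verdict == "FAIL":
            return "reject", f"550 5.7.1 Fix reverse DNS for {ip}, or use your ISP server"
        if verdict == "TEMP":
            return "tempfail", f"451 4.1.8 Client IP address {ip} does not resolve"
        return "tempfail", f"451 4.1.8 Possibly forged hostname for {ip}"


def constructed_resolver() -> Resolver:
    """Offline stand-in for DNS built from constructed TEST-NET data."""
    ptr = {"192.0.2.10": "mail.example.net",   # forward-confirmed
           "192.0.2.20": "ghost.example.org",  # name points somewhere else
           "192.0.2.40": "mx.example.com"}     # forward lookup times out
    fwd = {"mail.example.net": ["192.0.2.10"], "ghost.example.org": ["198.51.100.5"]}

    def ptr_lookup(ip):
        if ip == "198.51.100.77":              # PTR lookup itself times out
            raise TempFail
        return ptr.get(ip)

    def forward_lookup(name):
        if name == "mx.example.com":
            raise TempFail
        return fwd.get(name, [])
    return ptr_lookup, forward_lookup


POLICY = RequireRdns(relay_class=["10.0.0"],
                     access={"rdns:203.0.113": "OK", "rdns:198.51.100": "REJECT"})

if __name__ == "__main__":
    for client in ["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40",
                   "10.0.0.7", "203.0.113.9", "198.51.100.77"]:
        print(client, *POLICY.check_relay(client, constructed_resolver()))
```

To run the same model against live DNS, pass a pair built from socket.gethostbyaddr(ip)[0] and socket.gethostbyname_ex(name)[2], raising TempFail when the former fails with TRY_AGAIN or the latter with EAI_AGAIN and returning None / [] on the permanent errors. To confirm what the real ruleset does once the .cf is built, sendmail's address-test mode exercises the rules directly: `sendmail -bt`, set the macro with `.D{client_resolve}FAIL`, then enter `Local_check_relay [192.0.2.30] $| 192.0.2.30` and check that the $#error with the 550 reply comes back.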
