sendmail rdns question

Ian Smith smithi at nimnet.asn.au
Sat Aug 28 07:28:29 UTC 2010


In freebsd-questions Digest, Vol 325, Issue 5, Message: 4
On Tue, 24 Aug 2010 12:06:33 +0100 Paul Macdonald <paul at ifdnrg.com> wrote:
 > Hi,
 > 
 > Sorry for posting on a bsd list but I figure there's more than a few 
 > sendmail experts here.
 > 
 > I would like to run reverse dns checks on one of my boxes but the 
 > check_rdns macro looks a bit overkill to me.
 > 
 > I want to reject the mail if there's no reverse dns, but not if there is 
 > rdns but the PTR loop isn't closed (which is very common).
 > 
 > So accepting these types:
 > 
 >          reject=451 4.1.8 Possibly forged hostname for
 > 
 >     but rejecting these types
 >    reject=550 5.7.1 <........>... Fix reverse DNS for 
 > .......................
 > 
 > In sendmail, FEATURE(`require_rdns')dnl  seems to do both.

Well yes, it does just that, which is usually what's desired.

Eg from the other day, reformatted for readability:

Aug 24 19:13:43 xxxxx sm-mta[22564]: ruleset=check_relay, 
  arg1=[220.229.138.147], arg2=220.229.138.147,
  relay=adsl-220-229-138-147.TC.sparqnet.net [220.229.138.147] (may be forged),
  reject=451 4.1.8 Possibly forged hostname for 220.229.138.147

% dig +short -x 220.229.138.147
adsl-220-229-138-147.TC.sparqnet.net.
% dig +short adsl-220-229-138-147.TC.sparqnet.net.
%

(RDNS, but the supplied RDNS does not resolve - no 'closed loop' as you 
put it - so deferred.  It's a good clue to the (genuine) sender to fix 
it, but you'll find that 99% of these will be spam anyway)

Aug 24 22:40:59 xxxxx sm-mta[33233]: ruleset=check_relay, 
  arg1=[217.107.186.83], arg2=217.107.186.83,
  relay=[217.107.186.83], reject=550 5.7.1 Fix reverse DNS for 217.107.186.83

% dig +short -x 217.107.186.83
%

(no RDNS - so rejected)

In sendmail.cf you'll see something like this (tabs lost in cut'n'paste)

R$*			$: $&{client_addr} $| $&{client_resolve}
R$=R $*			$@ RELAY		We relay for these
R$* $| OK		$@ OK			Resolves.
R$* $| FAIL		$#error $@ 5.7.1 $: 550 Fix reverse DNS for $1
R$* $| TEMP		$#error $@ 4.1.8 $: 451 Client IP address $1 does not resolve
R$* $| FORGED		$#error $@ 4.1.8 $: 451 Possibly forged hostname for $1

You could make the FORGED ones return '$@ OK' also .. NOT recommended!

You'd be much better off whitelisting particular senders that for some 
reason can't fix their broken RDNS, by adding 'someone at somewhere OK' to 
your /etc/mail/access file.

cheers, Ian
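As an added example (editor's code, not Ian's or sendmail's), here is the
decision the rules above make, modelled in Python so it can be run offline
and so the four ${client_resolve} values can be seen side by side: a PTR
lookup, a forward lookup of the PTR name, and a comparison against the
connecting address, then the same 550/451 replies the ruleset returns. The
DNS data is a constructed in-memory fixture: the two real addresses and the
empty forward answer are taken from the log lines and dig output quoted in
the post, the 192.0.2.0/24 addresses and their names are invented. The
split between FAIL and TEMP in the live-resolver helpers (h_errno TRY_AGAIN
and EAI_AGAIN treated as temporary) is an assumption about how sendmail's
resolver classifies errors, not something the post states. The log parser
expects each sm-mta line as it appears in maillog, on one line, rather than
wrapped as in the message above.

```python
"""Model of sendmail's ${client_resolve} check (FEATURE(`require_rdns')) with a
pluggable resolver, plus a parser for the check_relay reject lines in maillog.
Editor's example; the DNS fixture below is constructed, not live data."""
import re
import socket


class TempFail(Exception):
    """Temporary DNS failure (SERVFAIL, timeout): sendmail reports TEMP."""


# Constructed fixture: PTR record per IP (None = no reverse record at all).
FIXTURE_PTR = {
    "220.229.138.147": "adsl-220-229-138-147.TC.sparqnet.net",  # from the post
    "217.107.186.83": None,                                      # from the post
    "192.0.2.10": "mail.example.net",   # hypothetical: closed loop
    "192.0.2.20": "mx.example.org",     # hypothetical: name points elsewhere
}
# Constructed fixture: A records per name.
FIXTURE_A = {
    "adsl-220-229-138-147.TC.sparqnet.net": [],   # the post's empty dig answer
    "mail.example.net": ["192.0.2.10"],
    "mx.example.org": ["198.51.100.7"],
}
TEMPFAIL_IPS = {"192.0.2.40"}  # hypothetical: reverse zone SERVFAILs


def fixture_ptr(ip):
    if ip in TEMPFAIL_IPS:
        raise TempFail(ip)
    return FIXTURE_PTR.get(ip)


def fixture_a(name):
    return FIXTURE_A.get(name, [])


def system_ptr(ip):
    """Live PTR lookup; not used by the offline demo. TRY_AGAIN (h_errno 2) is
    assumed to be the only temporary error, everything else means no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror as e:
        if e.args and e.args[0] == 2:
            raise TempFail(ip) from e
        return None


def system_a(name):
    """Live A lookup; not used by the offline demo. EAI_AGAIN is assumed temporary."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as e:
        if e.errno == socket.EAI_AGAIN:
            raise TempFail(name) from e
        return []


def client_resolve(ip, ptr_lookup=fixture_ptr, a_lookup=fixture_a):
    """FAIL: no PTR. TEMP: a lookup failed temporarily. FORGED: PTR exists but
    its forward lookup does not contain the IP (the '(may be forged)' case).
    OK: forward-confirmed reverse DNS, the 'closed loop'."""
    try:
        name = ptr_lookup(ip)
        if not name:
            return "FAIL"
        addrs = a_lookup(name)
    except TempFail:
        return "TEMP"
    return "OK" if ip in addrs else "FORGED"


# Replies from the check_relay rules quoted in the message: (status, text).
REPLIES = {
    "FAIL":   ("550 5.7.1", "Fix reverse DNS for {ip}"),
    "TEMP":   ("451 4.1.8", "Client IP address {ip} does not resolve"),
    "FORGED": ("451 4.1.8", "Possibly forged hostname for {ip}"),
}


def check_relay(ip, relay_for=frozenset(), **lookups):
    """Emulate the ruleset: RELAY for $=R, OK on a closed loop, else a reply."""
    if ip in relay_for:
        return "RELAY"
    outcome = client_resolve(ip, **lookups)
    if outcome == "OK":
        return "OK"
    status, text = REPLIES[outcome]
    return f"{status} {text.format(ip=ip)}"


# sm-mta 'ruleset=check_relay ... reject=NNN D.S.N text' lines from maillog.
LOG_RE = re.compile(
    r"ruleset=check_relay, arg1=\[(?P<ip>[^\]]+)\].*?"
    r"reject=(?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) (?P<text>.*)$"
)
TEXT_TO_OUTCOME = [("Fix reverse DNS", "FAIL"), ("does not resolve", "TEMP"),
                   ("Possibly forged", "FORGED")]


def parse_reject(line):
    """Return (ip, code, outcome) for a check_relay reject line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    outcome = next((o for needle, o in TEXT_TO_OUTCOME if needle in m["text"]), None)
    return m["ip"], m["code"], outcome
```

To run the classification against real DNS instead of the fixture, pass the
live helpers: client_resolve("203.0.113.5", system_ptr, system_a). The
parser is handy for tallying how many 451s versus 550s require_rdns is
producing before deciding whether the FORGED deferrals are worth keeping.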
