sendmail rdns question
Ian Smith
smithi at nimnet.asn.au
Sat Aug 28 07:28:29 UTC 2010
In freebsd-questions Digest, Vol 325, Issue 5, Message: 4
On Tue, 24 Aug 2010 12:06:33 +0100 Paul Macdonald <paul at ifdnrg.com> wrote:
> Hi,
>
> Sorry for posting on a bsd list but I figure there's more than a few
> sendmail experts here.
>
> I would like to run reverse dns checks on one of my boxes but the
> check_rnds macro looks a bit overkill to me.
>
> I want to reject the mail if there's no reverse dns, but not if there is
> rdns but the PTR loop isn't closed (which is very common).
>
> So accepting these types:
>
> reject=451 4.1.8 Possibly forged hostname for
>
> but rejecting these types
> reject=550 5.7.1 <........>... Fix reverse DNS for
> .......................
>
> In sendmail, FEATURE(`require_rdns')dnl seems to do both.
Well yes, it does just that, which is usually what's desired.
Eg from the other day, reformatted for readability:
Aug 24 19:13:43 xxxxx sm-mta[22564]: ruleset=check_relay,
arg1=[220.229.138.147], arg2=220.229.138.147,
relay=adsl-220-229-138-147.TC.sparqnet.net [220.229.138.147] (may be forged),
reject=451 4.1.8 Possibly forged hostname for 220.229.138.147
% dig +short -x 220.229.138.147
adsl-220-229-138-147.TC.sparqnet.net.
% dig +short adsl-220-229-138-147.TC.sparqnet.net.
%
(RDNS, but the supplied RDNS does not resolve - no 'closed loop' as you
put it - so deferred. It's a good clue to the (genuine) sender to fix
it, but you'll find that 99% of these will be spam anyway)
Aug 24 22:40:59 xxxxx sm-mta[33233]: ruleset=check_relay,
arg1=[217.107.186.83], arg2=217.107.186.83,
relay=[217.107.186.83], reject=550 5.7.1 Fix reverse DNS for 217.107.186.83
% dig +short -x 217.107.186.83
%
(no RDNS - so rejected)
In sendmail.cf you'll see something like this (tabs lost in cut'n'paste)
R$*			$: $&{client_addr} $| $&{client_resolve}
R$=R $*			$@ RELAY		We relay for these
R$* $| OK		$@ OK			Resolves.
R$* $| FAIL		$#error $@ 5.7.1 $: 550 Fix reverse DNS for $1
R$* $| TEMP		$#error $@ 4.1.8 $: 451 Client IP address $1 does not resolve
R$* $| FORGED		$#error $@ 4.1.8 $: 451 Possibly forged hostname for $1
You could make the FORGED ones return '$@ OK' also .. NOT recommended!
You'd be much better off whitelisting particular senders that for some
reason can't fix their broken RDNS, by adding 'someone at somewhere OK' to
your /etc/mail/access file.
cheers, Ian
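The four ${client_resolve} states that the quoted check_relay rules switch on (OK, FAIL, TEMP, FORGED) are easier to reason about when written out as a small forward-confirmed reverse DNS check. The following is an added example, not sendmail code or anything from the thread: it uses an offline stub resolver with constructed lookup tables that reproduce the two log cases above (a PTR that does not resolve back, and no PTR at all) plus a clean host, a resolver timeout, and an access-map allowlist entry of the kind Ian recommends. The access-map key shape (`Connect:<ip>`), the $=R stand-in network, and the treatment of a temporary failure during the forward lookup are simplifying assumptions of this example, since the page does not show sendmail's internal handling of those edge cases.

```python
"""Forward-confirmed reverse DNS (FCrDNS) classifier modelled on the
sendmail check_relay rules quoted in the post above.

Added illustration, not sendmail's own code. The stub resolver, the
sample addresses and the access-map shape are constructed for this
example; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
"""
import ipaddress
from typing import Dict, List, Optional


class TempFail(Exception):
    """Stands in for SERVFAIL or a timeout from the resolver."""


class StubResolver:
    """Offline resolver. A table value of None means 'temporary failure',
    an empty list means NXDOMAIN / no records, and an unknown key is
    treated as a temporary failure (we could not get an answer)."""

    def __init__(self, ptr_table: Dict[str, Optional[List[str]]],
                 a_table: Dict[str, Optional[List[str]]]):
        self.ptr_table = ptr_table
        self.a_table = a_table

    def _lookup(self, table: Dict[str, Optional[List[str]]], key: str) -> List[str]:
        if key not in table or table[key] is None:
            raise TempFail(key)
        return table[key]

    def ptr(self, ip: str) -> List[str]:
        return self._lookup(self.ptr_table, ip)

    def a(self, name: str) -> List[str]:
        return self._lookup(self.a_table, name.rstrip("."))


def client_resolve(ip: str, resolver: StubResolver) -> str:
    """Classify the connecting IP the way ${client_resolve} does:
    OK      PTR exists and one of its names resolves back to the same IP
    FAIL    no PTR record at all (the 550 case in the post)
    FORGED  PTR exists but no name resolves back (the 451 'forged' case)
    TEMP    the resolver could not answer (assumption: a temporary failure
            on the forward lookup is also reported as TEMP)."""
    try:
        names = resolver.ptr(ip)
    except TempFail:
        return "TEMP"
    if not names:
        return "FAIL"
    saw_temp = False
    for name in names:
        try:
            addrs = resolver.a(name)
        except TempFail:
            saw_temp = True
            continue
        if ip in addrs:
            return "OK"  # closed loop: IP -> PTR name -> same IP
    return "TEMP" if saw_temp else "FORGED"


# Constructed stand-in for class $=R (hosts we relay for).
RELAY_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def check_relay(ip: str, resolver: StubResolver, access: Dict[str, str],
                relay_nets=RELAY_NETS) -> str:
    """Return the reply the quoted ruleset would give for this client.
    An explicit 'Connect:<ip> OK' access entry is the per-sender
    allowlist route, checked before any RDNS test (simplified key shape)."""
    if access.get(f"Connect:{ip}") == "OK":
        return "OK (access map)"
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in relay_nets):
        return "RELAY"
    state = client_resolve(ip, resolver)
    if state == "OK":
        return "OK"
    if state == "FAIL":
        return f"550 5.7.1 Fix reverse DNS for {ip}"
    if state == "TEMP":
        return f"451 4.1.8 Client IP address {ip} does not resolve"
    return f"451 4.1.8 Possibly forged hostname for {ip}"


# Constructed lookup tables reproducing the two cases from the post,
# plus a clean host and a resolver timeout.
RESOLVER = StubResolver(
    ptr_table={
        "220.229.138.147": ["adsl-220-229-138-147.TC.sparqnet.net"],
        "217.107.186.83": [],                # no PTR at all
        "192.0.2.10": ["mail.example.net"],  # clean, forward-confirmed
        "192.0.2.20": None,                  # resolver timed out
    },
    a_table={
        "adsl-220-229-138-147.TC.sparqnet.net": [],  # PTR name has no A record
        "mail.example.net": ["192.0.2.10"],
    },
)


def demo() -> Dict[str, str]:
    """Run every sample client through the ruleset; keyed by client IP."""
    access = {"Connect:198.51.100.7": "OK"}  # hypothetical allowlist entry
    clients = ["220.229.138.147", "217.107.186.83", "192.0.2.10",
               "192.0.2.20", "10.1.2.3", "198.51.100.7"]
    results = {ip: check_relay(ip, RESOLVER, access) for ip in clients}
    for ip, verdict in results.items():
        print(f"{ip:16} -> {verdict}")
    return results


if __name__ == "__main__":
    demo()
```

Running it shows the allowlisted 198.51.100.7 passing even though the stub resolver has no answer for it, which is the point of Ian's advice: an access-map entry exempts one known sender, whereas turning the FORGED rule into `$@ OK` would accept every host whose PTR does not resolve back.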