From owner-freebsd-questions@FreeBSD.ORG Sat Aug 28 07:28:29 2010
Date: Sat, 28 Aug 2010 17:28:25 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Paul Macdonald
Cc: freebsd-questions@freebsd.org
Subject: Re: sendmail rdns question
In-Reply-To: <20100824120028.7D5EE1065702@hub.freebsd.org>
Message-ID: <20100825020741.E44189@sola.nimnet.asn.au>
References: <20100824120028.7D5EE1065702@hub.freebsd.org>

In freebsd-questions Digest, Vol 325, Issue 5, Message: 4
On Tue, 24 Aug 2010 12:06:33 +0100 Paul Macdonald wrote:

 > Hi,
 >
 > Sorry for posting on a bsd list but I figure there's more than a few
 > sendmail experts here.
 >
 > I would like to run reverse dns checks on one of my boxes but the
 > check_rnds macro looks a bit overkill to me.
 >
 > I want to reject the mail if there's no reverse dns, but not if there is
 > rdns but the PTR loop isn't closed (which is very common).
 >
 > So accepting these types:
 >
 > reject=451 4.1.8 Possibly forged hostname for
 >
 > but rejecting these types
 > reject=550 5.7.1 <........>... Fix reverse DNS for
 > .......................
 >
 > In sendmail, FEATURE(`require_rdns')dnl seems to do both.

Well yes, it does just that, which is usually what's desired. Eg from the
other day, reformatted for readability:

  Aug 24 19:13:43 xxxxx sm-mta[22564]: ruleset=check_relay,
    arg1=[220.229.138.147], arg2=220.229.138.147,
    relay=adsl-220-229-138-147.TC.sparqnet.net [220.229.138.147] (may be forged),
    reject=451 4.1.8 Possibly forged hostname for 220.229.138.147

  % dig +short -x 220.229.138.147
  adsl-220-229-138-147.TC.sparqnet.net.
  % dig +short adsl-220-229-138-147.TC.sparqnet.net.
  %

(RDNS, but the supplied RDNS does not resolve - no 'closed loop' as you
put it - so deferred. It's a good clue to the (genuine) sender to fix it,
but you'll find that 99% of these will be spam anyway)

  Aug 24 22:40:59 xxxxx sm-mta[33233]: ruleset=check_relay,
    arg1=[217.107.186.83], arg2=217.107.186.83, relay=[217.107.186.83],
    reject=550 5.7.1 Fix reverse DNS for 217.107.186.83

  % dig +short -x 217.107.186.83
  %

(no RDNS - so rejected)

In sendmail.cf you'll see something like this (tabs restored; they were
lost in cut'n'paste):

  R$*			$: $&{client_addr} $| $&{client_resolve}
  R$=R $*			$@ RELAY		We relay for these
  R$* $| OK		$@ OK			Resolves.
  R$* $| FAIL		$#error $@ 5.7.1 $: 550 Fix reverse DNS for $1
  R$* $| TEMP		$#error $@ 4.1.8 $: 451 Client IP address $1 does not resolve
  R$* $| FORGED		$#error $@ 4.1.8 $: 451 Possibly forged hostname for $1

You could make the FORGED ones return '$@ OK' also .. NOT recommended!

You'd be much better off whitelisting particular senders that for some
reason can't fix their broken RDNS, by adding 'someone@somewhere OK' to
your /etc/mail/access file.

cheers, Ian
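The four ${client_resolve} outcomes Ian's sendmail.cf fragment dispatches on (OK, FAIL, TEMP, FORGED) and the two log formats he quotes are modelled below, as an added example that is not part of the original message or of sendmail itself. It uses an in-memory resolver table and constructed log lines (TEST-NET addresses, 192.0.2.0/24) so it runs offline; the rule text and reply codes are taken from the quoted .cf rules. The RELAY rule is modelled as an ipaddress check against a caller-supplied list, which is an assumption about how $=R is populated.

```python
"""Offline model of sendmail's check_relay reverse-DNS verdicts, plus a parser
for the "ruleset=check_relay ... reject=..." sm-mta log lines.

Added example; RESOLVER and SAMPLE_LOG are constructed, not real captures.
"""
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed DNS data. Keyed by IP for PTR answers and by hostname for
# forward (A) answers. None = NXDOMAIN / no record, "TEMP" = SERVFAIL/timeout.
RESOLVER: Dict[str, object] = {
    "192.0.2.10": "mail.example.net.",             # PTR ...
    "mail.example.net.": ["192.0.2.10"],           # ... A points back: OK
    "192.0.2.20": "adsl-192-0-2-20.example.org.",  # PTR present ...
    "adsl-192-0-2-20.example.org.": [],            # ... but no A record: FORGED
    "192.0.2.30": None,                            # no PTR at all: FAIL
    "192.0.2.40": "TEMP",                          # PTR lookup timed out: TEMP
    "192.0.2.50": "mx.example.com.",               # PTR present ...
    "mx.example.com.": ["198.51.100.5"],           # ... A points elsewhere: FORGED
}


def client_resolve(ip: str, resolver: Dict[str, object]) -> str:
    """Return the value sendmail puts in ${client_resolve}: OK, FAIL, TEMP or FORGED."""
    ptr = resolver.get(ip)
    if ptr == "TEMP":
        return "TEMP"
    if ptr is None:
        return "FAIL"                       # no PTR record
    fwd = resolver.get(ptr)                 # forward lookup of the PTR name
    if fwd == "TEMP":
        return "TEMP"
    if fwd and ip in fwd:
        return "OK"                         # PTR -> name -> same IP: closed loop
    return "FORGED"                         # name does not point back at the client


def check_relay(ip: str, resolver: Dict[str, object],
                relay_nets: Sequence[str] = ()) -> Tuple[str, Optional[str]]:
    """Mirror of the quoted check_relay rules. Returns (action, SMTP reply)."""
    addr = ip_address(ip)
    if any(addr in ip_network(net) for net in relay_nets):   # R$=R $*  $@ RELAY
        return ("RELAY", None)
    state = client_resolve(ip, resolver)
    if state == "OK":
        return ("OK", None)                                     # $@ OK
    if state == "FAIL":
        return ("error", f"550 5.7.1 Fix reverse DNS for {ip}")
    if state == "TEMP":
        return ("error", f"451 4.1.8 Client IP address {ip} does not resolve")
    return ("error", f"451 4.1.8 Possibly forged hostname for {ip}")


# Constructed sm-mta lines in the same shape as the ones quoted in the reply.
SAMPLE_LOG: List[str] = [
    "Aug 24 19:13:43 mx sm-mta[22564]: ruleset=check_relay, arg1=[192.0.2.20], "
    "arg2=192.0.2.20, relay=adsl-192-0-2-20.example.org [192.0.2.20] (may be forged), "
    "reject=451 4.1.8 Possibly forged hostname for 192.0.2.20",
    "Aug 24 22:40:59 mx sm-mta[33233]: ruleset=check_relay, arg1=[192.0.2.30], "
    "arg2=192.0.2.30, relay=[192.0.2.30], reject=550 5.7.1 Fix reverse DNS for 192.0.2.30",
    "Aug 24 23:01:02 mx sm-mta[33240]: o7ON12xx033240: from=<a@example.net>, size=1234, "
    "class=0, nrcpts=1, relay=mail.example.net [192.0.2.10]",
]

LOG_RE = re.compile(
    r"ruleset=(?P<ruleset>\w+), arg1=(?P<arg1>[^,]+), arg2=(?P<arg2>[^,]+), "
    r"relay=(?P<relay>.+?), reject=(?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) (?P<text>.*)$"
)


def parse_reject(line: str) -> Optional[dict]:
    """Extract ruleset, client address, reply code and DSN from a rejection line."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines: Sequence[str]) -> Dict[str, int]:
    """Split check_relay rejections into no-RDNS (550) and forged/temp (451)."""
    counts = {"no_rdns": 0, "forged_or_temp": 0, "other": 0}
    for line in lines:
        rec = parse_reject(line)
        if rec is None or rec["ruleset"] != "check_relay":
            counts["other"] += 1
        elif rec["code"] == "550":
            counts["no_rdns"] += 1
        elif rec["code"] == "451":
            counts["forged_or_temp"] += 1
        else:
            counts["other"] += 1
    return counts


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40", "192.0.2.50"):
        print(ip, client_resolve(ip, RESOLVER), check_relay(ip, RESOLVER))
    print(summarize(SAMPLE_LOG))
```

Running it shows why the two classes Paul wants to treat differently already are: only the no-PTR case yields a permanent 550, while a PTR that does not resolve back (the open loop) and a DNS timeout both yield a 451 that the sending MTA will retry.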