Date: Sun, 20 Jul 2003 17:37:31 -0500
From: "Jack L. Stone" <jackstone@sage-one.net>
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>, "Kevin Kinsey, DaleCo, S.P." <kdk@daleco.biz>
Cc: questions@freebsd.org
Subject: Re: Sendmail reject non-extant hosts? RFC1123
Message-ID: <3.0.5.32.20030720173731.012cff60@sage-one.net>
In-Reply-To: <20030720203802.GA12318@happy-idiot-talk.infracaninophile.co.uk>
References: <00c801c34eed$f262e910$0441d5cc@nitanjared> <00c801c34eed$f262e910$0441d5cc@nitanjared>

At 09:38 PM 7.20.2003 +0100, Matthew Seaman wrote:
>On Sun, Jul 20, 2003 at 01:37:15PM -0500, Kevin Kinsey, DaleCo, S.P. wrote:
>> I'm not happy that Sendmail is
>> allowing connections from non-
>> existent hosts (i.e., spammers...)
>>
>> I run Sendmail more or less straight
>> "out of the box" on -stable. I had
>> been under the impression that the
>> line
>>
>> ALL : PARANOID : RFC931 20 : deny
>>
>> in /etc/hosts.allow would help reject
>> some of this stuff. However, as the
>> amount of spam in my inbox is
>> beginning to attest, this isn't the case.
>>
>> I've been googling and searching the
>> archives with strings similar to the
>> one in the title, and haven't yet grokked
>> what I'm supposed to do to get this
>> to work...
>>
>> So, how do I tell Sendmail that if
>> a host doesn't exist, (i.e. d3kr890d.129ddk.org)
>> I don't want to talk to it...
>
>The way that sendmail(8) uses tcp wrappers is slightly different to
>most daemons. Instead of outright refusing to connect (which would
>lead to the other side trying again every half hour or so for the next
>five days), it permits the remote side to connect and then issues a
>permanent reject code during the SMTP dialogue.
>
>Even without enabling tcp wrappers functionality, sendmail should
>still reject egregiously forged addresses. You have to add
>
> FEATURE(`accept_unresolvable_domains')dnl
>
>to your `hostname`.mc file to allow incoming mail from domains without
>either A or MX records registered in the DNS.
>
> Cheers,
>
> Matthew

Matthew: Are you saying that the above 'FEATURE' should be used in addition
to Dan Nelson's suggestion for the adding of these local_rules...?

http://www.sendmail.org/~ca/email/chk-810.html#810UNRESOLVIP

This is something I had been looking for & just yesterday made up a
procmail recipe to grab the forgeries specifically. I'm getting quite a few
of them here.

Best regards,
Jack L. Stone,
Administrator

SageOne Net
http://www.sage-one.net
jackstone@sage-one.net
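
Added example, not part of the original message and not sendmail's own code: an offline model of the sender-domain check discussed in the quoted reply, showing which MAIL FROM domains get a permanent reject, which are accepted, and how accept_unresolvable_domains switches the check off. The zone table, function name and verdict labels are constructed for illustration, and the temporary-failure branch for DNS errors is an assumption of this model.

```python
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accepted"
    PERMFAIL = "5xx permanent reject: the sending MTA gives up"
    TEMPFAIL = "4xx temporary failure: the sending MTA retries later"


# Constructed zone data standing in for live DNS so the example runs offline.
# A value of None models a lookup that timed out (assumption of this model).
ZONE = {
    "example.org": {"MX": ["mail.example.org"], "A": []},
    "hostonly.example": {"MX": [], "A": ["192.0.2.10"]},
    "norecords.example": {"MX": [], "A": []},
    "flaky.example": None,
}


def sender_domain_verdict(mail_from, zone=ZONE, accept_unresolvable=False):
    """Decide what to answer to MAIL FROM:<mail_from> during the SMTP dialogue."""
    addr = mail_from.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if addr == "":
        # Null reverse-path "<>" is used by bounces and has no domain to check.
        return Verdict.ACCEPT
    _local, sep, domain = addr.rpartition("@")
    if not sep or not domain:
        raise ValueError("unqualified sender is outside this model: %r" % mail_from)
    if accept_unresolvable:
        # Models FEATURE(`accept_unresolvable_domains'): the DNS check is skipped.
        return Verdict.ACCEPT
    domain = domain.rstrip(".").lower()
    if domain not in zone:
        return Verdict.PERMFAIL          # domain does not exist at all
    records = zone[domain]
    if records is None:
        return Verdict.TEMPFAIL          # DNS trouble is not proof of forgery
    if records["MX"] or records["A"]:
        return Verdict.ACCEPT            # either record type is enough
    return Verdict.PERMFAIL              # name exists but has neither A nor MX


if __name__ == "__main__":
    for sender in ("<user@example.org>", "<x@d3kr890d.129ddk.org>",
                   "<y@flaky.example>", "<>"):
        print(sender, "->", sender_domain_verdict(sender).value)
```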