From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: "Kevin Kinsey, DaleCo, S.P."
Cc: questions@freebsd.org
Date: Sun, 20 Jul 2003 21:38:02 +0100
Message-ID: <20030720203802.GA12318@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <00c801c34eed$f262e910$0441d5cc@nitanjared>
Subject: Re: Sendmail reject non-extant hosts? RFC1123

On Sun, Jul 20, 2003 at 01:37:15PM -0500, Kevin Kinsey, DaleCo, S.P. wrote:
> I'm not happy that Sendmail is allowing connections from non-existent
> hosts (i.e., spammers...)
>
> I run Sendmail more or less straight "out of the box" on -stable. I had
> been under the impression that the line
>
> ALL : PARANOID : RFC931 20 : deny
>
> in /etc/hosts.allow would help reject some of this stuff. However, as
> the amount of spam in my inbox is beginning to attest, this isn't the
> case.
>
> I've been googling and searching the archives with strings similar to
> the one in the title, and haven't yet grokked what I'm supposed to do
> to get this to work...
>
> So, how do I tell Sendmail that if a host doesn't exist,
> (i.e. d3kr890d.129ddk.org) I don't want to talk to it...

The way that sendmail(8) uses tcp wrappers is slightly different to most
daemons. Instead of outright refusing to connect (which would lead to the
other side trying again every half hour or so for the next five days), it
permits the remote side to connect and then issues a permanent reject code
during the SMTP dialogue.

Even without enabling tcp wrappers functionality, sendmail should still
reject egregiously forged addresses. You have to add

    FEATURE(`accept_unresolvable_domains')dnl

to your `hostname`.mc file to allow incoming mail from domains without
either A or MX records registered in the DNS.

I find that the DNSBL feature is rather effective at rejecting spam e-mail.
Generally my mailserver gets about 20--30 spam e-mails a day. Of those, all
but 2 or 3 are rejected by the DNSBL, and the rest are taken out by
spamassassin, with perhaps 2 false negatives a week and no false positives.
I find that the combination of these three blacklists is most effective:

    FEATURE(dnsbl, `bl.spamcop.net', `"550 Mail from " $&{client_addr} " rejected using spamcop.net DNSBL. See http://spamcop.net/w3m?action=checkblock&ip=" $&{client_addr}', `')dnl
    FEATURE(dnsbl, `relays.osirusoft.com', `"550 Mail from " $&{client_addr} " rejected using relays.osirusoft.com DNSBL. See http://relays.osirusoft.com/"', `')dnl
    FEATURE(`dnsbl', `blackholes.easynet.nl', `"550 5.7.1 ACCESS DENIED to "$&{client_name}" by easynet.nl DNSBL (http://blackholes.easynet.nl/errors.html)"', `')dnl

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
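The two checks Matthew's reply relies on, modelled in Python as an added illustration (this is not sendmail's code, nor anything from the thread): the client-address lookup that FEATURE(dnsbl, ...) performs against a blacklist zone, and the MAIL FROM domain test (A or MX record required) that FEATURE(`accept_unresolvable_domains') switches off. The resolver, the DNS data and the `.test` zone names are all constructed here so the script runs offline; the `${client_addr}` placeholder stands in for sendmail's `$&{client_addr}` macro. It also shows why the reject is a 550 inside the dialogue rather than a refused TCP connection: the decision can only be made once the peer's address (and, for the second check, its envelope sender) is known.

```python
"""Model of sendmail's DNSBL client check and sender-domain resolvability
check (added illustration, not sendmail's own code)."""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical resolver interface: resolve(name, rrtype) -> list of answers.
Resolver = Callable[[str, str], List[str]]


def dnsbl_query_name(client_addr: str, zone: str) -> str:
    """Build the name the dnsbl feature looks up: the IPv4 octets reversed
    and prefixed to the blacklist zone, e.g. 8.2.0.192.bl.spamcop.net."""
    ip = ipaddress.IPv4Address(client_addr)  # raises ValueError on bad input
    return ".".join(reversed(ip.exploded.split("."))) + "." + zone


def dnsbl_check(client_addr: str, zones: Dict[str, str],
                resolve: Resolver) -> Optional[Tuple[int, str]]:
    """Return (550, message) for the first zone that lists client_addr,
    else None.  A listed address answers with an A record (conventionally
    127.0.0.x); the 550 is a permanent reply issued during the SMTP
    dialogue, after the TCP connection has already been accepted."""
    for zone, template in zones.items():
        if resolve(dnsbl_query_name(client_addr, zone), "A"):
            return 550, template.replace("${client_addr}", client_addr)
    return None


def sender_domain_resolvable(domain: str, resolve: Resolver) -> bool:
    """Default MAIL FROM check: the sender domain needs an MX or an A record."""
    return bool(resolve(domain, "MX") or resolve(domain, "A"))


def should_accept_sender(domain: str, resolve: Resolver,
                         accept_unresolvable_domains: bool = False) -> bool:
    """With the feature enabled the resolvability test is skipped entirely."""
    if accept_unresolvable_domains:
        return True
    return sender_domain_resolvable(domain, resolve)


# Constructed sample DNS data (no real lookups; 192.0.2.0/24 is TEST-NET-1).
SAMPLE_DNS = {
    ("8.2.0.192.bl.example.test", "A"): ["127.0.0.2"],      # listed client
    ("example.test", "MX"): ["10 mail.example.test."],      # resolvable sender
}


def sample_resolver(name: str, rrtype: str) -> List[str]:
    return SAMPLE_DNS.get((name, rrtype), [])


# Reject-message templates in the spirit of the .mc FEATURE(dnsbl) lines.
ZONES = {
    "bl.example.test": "550 Mail from ${client_addr} rejected using bl.example.test DNSBL",
    "relays.example.test": "550 Mail from ${client_addr} rejected using relays.example.test DNSBL",
}

if __name__ == "__main__":
    print(dnsbl_check("192.0.2.8", ZONES, sample_resolver))   # listed -> 550
    print(dnsbl_check("192.0.2.1", ZONES, sample_resolver))   # not listed -> None
    print(should_accept_sender("example.test", sample_resolver))
    print(should_accept_sender("d3kr890d.129ddk.org", sample_resolver))
    print(should_accept_sender("d3kr890d.129ddk.org", sample_resolver,
                               accept_unresolvable_domains=True))
```

Run it as a script to see one listed and one unlisted client, and a sender domain that passes or fails depending on whether accept_unresolvable_domains is set. Note that with several zones the first listing wins, matching the order of the FEATURE lines in the .mc file.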