maillog:
Aug 3 04:34:33 linux sendmail[4816]: m732YUu3004816: from=<fbq...@bus.net>, size=4920, class=0, nrcpts=1, msgid=<001601c8f54c$209dc7f0$00d9bd1c@m1>, proto=ESMTP, daemon=MTA, relay=localhost [222.252.139.254] (may be forged)
if your sendmail is at least 8.14, an easy way around is:
FEATURE(`badmx', `^(127\.|10\.|172\.(1(6|7|8|9)|2.|3(0|1))\.|192\.168\.|169\.254\.|192\.0\.2\.|224\.|240\.|0\.)')
if you use MIMEDefang, there is also a md_get_bogus_mx_hosts
function that you may use for that.
If you are not running 8.14 yet, take a look at the thread with a
subject of "BadMX ruleset for 8.13.*..." that I started a while back. I
got a similar set of rules working in an older 8.13.x that do the same
thing as the (8.14) badmx feature.
Grant. . . .
> > is there a way to reject mails coming from IP addresses (like
> > 222.253.63.148) that resolve to "localhost" having an IP address <>
> > 127.0.0.1
> if your sendmail is at least 8.14, an easy way around is:
> FEATURE(`badmx',
Sorry, no points for that answer... (see the fine documentation
describing that feature)
To the OP: look for this:
${client_ptr}
The result of the PTR lookup for the client IP
address.
and write a small custom ruleset (e.g., Local_check_relay)
ooops yes!
Thanks Claus, you're right, just I wasn't wrong about
what `badmx' did, but... er, it is "only" that I was wrong
about what exactly the OP wanted to achieve! I thought he
wanted to check the ptr of the sender domain, now I've
read his real question, ooops my bad!
that's it.
in sendmail.cf i need a custom ruleset in section $Local_check_relay.
if (${client_ptr}="localhost")
then
if (${client_addr} != "127.0.0.1")
then $#error $@ 5.7.1 $: "550 Rejected: " $&{client_name} " with " $&{client_ptr} " forbidden"
but i'm struggling heavily with the strange syntax.
anyone any hints ;-)
THX
Untested, but use it as start :-)
LOCAL_RULESETS
C{LocalIP}127.0.0.1
C{LocalName}localhost
SLocal_check_relay
R$* $: $&{client_addr} $| $&{client_ptr}
R$={LocalName} $| $={LocalIP} $#error $@ 5.7.1 $: "550 Rejected: " $&{client_name} " with " $&{client_ptr} " forbidden"
R$* $@ OKSOFAR
Didi
ps: You can add additional IP addresses and names to the classes LocalIP
and LocalName if you wish (space separated)
pps: The spaces between LHS and RHS are tabs
Sorry I had a line mixed up, it should be something like:
LOCAL_RULESETS
C{LocalIP}127.0.0.1
C{LocalName}localhost
SLocal_check_relay
R$* $: $&{client_addr} $| $&{client_ptr}
R$={LocalName} $| $={LocalIP} $@ OKSOFAR
R$={LocalName} $| $* $#error $@ 5.7.1 $: "550 Rejected: "
> if (${client_addr} != "127.0.0.1")
To future-proof yourself, you might also want to allow ::1
Regards,
David.
Which needs to be specified as "IPv6:::1"
That should result in ${client_resolve} = FORGED, since the IP address
resolves to "localhost" which resolves only to 127.0.0.1 (or ::1) and does
NOT match the original IP address one started with.
for some cases (mails from Egypt dialup) i have to allow forged hosts.
i just want to treat the "localhost"s specially.
Then place your check for this after a check of the access database, and
whitelist the exceptions in that db.
following your advice, i added the following to my sendmail.cf
SNIP===============================
######################################################################
### check_relay -- check hostname/address on SMTP startup
######################################################################
# C{LocalIP}127.0.0.1
# C{LocalName}localhost
## p5B0D73DD.dip.t-dialin.net resolves to 91.13.115.221
## 91.13.115.220 is a WRONG IP to test
C{LocalIP}91.13.115.220
C{LocalName}p5B0D73DD.dip.t-dialin.net
SLocal_check_relay
R$* $: $&{client_addr} $| $&{client_ptr}
R$={LocalName} $| $={LocalIP} $@OKSOFAR
R$={LocalName} $| $* $#error $@ 5.7.1 $: "550 Rejected: " $&{client_name} " with " $&{client_addr} " forbidden"
R$* $@OKSOFAR
SNIP===============================
but i was not rejected :-(
what's going wrong?
maillog:
SNIP===============================
Aug 10 03:53:27 linux sendmail[10707]: n7A1pSvd010707: from=<oli...@dccc.net>, size=75, class=0, nrcpts=1, msgid=<200908100152.n7A1pSvd010707@linux.dccc.net>, proto=SMTP, daemon=MTA, relay=p5B0D73DD.dip.t-dialin.net [91.13.115.221]
SNIP===============================
Sorry, in my hurry I swapped client_ptr and client_addr:
R$* $: $&{client_addr} $| $&{client_ptr}
should be:
R$* $: $&{client_ptr} $| $&{client_addr}
Now at least in test mode it works:
# /usr/lib/sendmail -C ./sendmail.cf -bt
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
.D{client_ptr}p5B0D73DD.dip.t-dialin.net
.D{client_addr}91.13.115.221
Local_check_relay root@localhost
Local_check_rela input: root @ localhost
Local_check_rela returns: $# error $@ 5 . 7 . 1 $: "550 Rejected: " p5B0D73DD . dip . t-dialin . net " with " 91 . 13 . 115 . 221 " forbidden"
Didi
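An added example, not part of the thread: a Python check that applies the corrected rule's logic (PTR name in {LocalName}, address not in {LocalIP}) to maillog "from=" lines, so you can see what the ruleset would have rejected before enabling it. The sample lines, the host name mx1 and the function names are constructed for illustration; ::1 is allowed as suggested for IPv6 above.

```python
import ipaddress
import re

# Mirrors the thread's classes {LocalName} and {LocalIP}, plus ::1 (assumption).
LOCAL_NAMES = {"localhost"}
LOCAL_IPS = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}

# "relay=<PTR name> [<address>]"; the name is missing when there is no PTR.
RELAY_RE = re.compile(r"relay=(?:(?P<ptr>[^\s\[\],]+)\s+)?\[(?P<addr>[^\]]+)\]")

def parse_relay(line):
    """Return (ptr_or_None, ip) from an inbound "from=" log line, else None."""
    if "from=" not in line:
        return None
    m = RELAY_RE.search(line)
    if not m:
        return None
    addr = m.group("addr")
    if addr.startswith("IPv6:"):      # sendmail's IPv6 literal tag, e.g. IPv6:::1
        addr = addr[len("IPv6:"):]
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    ptr = m.group("ptr")
    return (ptr.rstrip(".").lower() if ptr else None, ip)

def would_reject(line):
    """True when the PTR is a local name but the address is not local."""
    parsed = parse_relay(line)
    return bool(parsed) and parsed[0] in LOCAL_NAMES and parsed[1] not in LOCAL_IPS

def audit(lines):
    """Client addresses the ruleset would have rejected."""
    return [str(parse_relay(l)[1]) for l in lines if would_reject(l)]

# Constructed sample lines (documentation addresses, made-up queue ids).
PREFIX = "Aug  3 04:34:33 mx1 sendmail[4816]: "
SAMPLE_LOG = [
    PREFIX + "q01: from=<a@example.net>, size=4920, nrcpts=1, proto=ESMTP, daemon=MTA, relay=localhost [203.0.113.25] (may be forged)",
    PREFIX + "q02: from=<root@example.net>, size=75, nrcpts=1, proto=SMTP, daemon=MTA, relay=localhost [127.0.0.1]",
    PREFIX + "q03: from=<root@example.net>, size=75, nrcpts=1, proto=SMTP, daemon=MTA, relay=localhost [IPv6:::1]",
    PREFIX + "q04: from=<b@example.org>, size=900, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.org [198.51.100.7]",
    PREFIX + "q05: from=<c@example.com>, size=300, nrcpts=1, proto=SMTP, daemon=MTA, relay=[192.0.2.44]",
]

if __name__ == "__main__":
    for ip in audit(SAMPLE_LOG):
        print("would reject", ip)
```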