
smtp connections with improper DNS


David Killingsworth

May 10, 2001, 5:32:20 AM
I have been running qmail for about 8 months. It works great.
So far I have not been able to resolve one problem.
When an smtp connection comes in we only want to connect
with servers who have forward and reverse DNS that match.

I managed to install a macro into sendmail (mail server we replaced)
in about 15 minutes that takes the IP of the incoming smtp request,
looks up the name, then looks up the IP for the NAME. The IP
should be the same as the connecting host. If this is not the case
the smtp connection should be dropped.

I use tcpserver to start smtpd.
I use the -p (paranoid) option, (added the option a few days ago)
which by my preliminary understanding was supposed to accomplish this
task of DNS cross-matching.

However I received an email recently whose headers are

Received: from unknown (HELO www.somang.or.kr) (ro...@211.38.3.100)
I noticed that there isn't a hostname.
nslookup 211.38.3.100 will return no hostname.
So back to the drawing board.
http://cr.yp.to/ucspi-tcp/tcpserver.html ( <-- drawing board)

I notice

-p: Paranoid. After looking up the remote host name in DNS, look up the
IP addresses in DNS for that host name, and remove the environment variable
$TCPREMOTEHOST if none of the addresses match the client's IP address.

Upon re-reading this option I notice it did what it says it does. It
removed the $TCPREMOTEHOST, hence the "Received: from unknown".

I still got the email. So now I figure that $TCPREMOTEHOST is passed to
smtpd in the environment variables. So somehow I need to tell smtpd to
close if "condition" is not met.
Oh.. I have read the man pages. I have installed qmail, vpopmail, on
more than a dozen servers for nearly that many clients. I understand
quite a bit.
David Killingsworth.

Gerrit Pape

May 11, 2001, 6:09:52 AM
David Killingsworth <kil...@myweb.net> wrote:
> I have been running qmail for about 8 months. It works great.
> So far I have not been able to resolve one problem.
> When an smtp connection comes in we only want to connect
> with servers who have forward and reverse DNS that match.

> I use tcpserver to start smtpd.


> I use the -p (paranoid) option, (added the option a few days ago)
> which by my preliminary understanding was supposed to accomplish this
> task of DNS cross-matching.

> I notice

> -p: Paranoid. After looking up the remote host name in DNS, look up the
> IP addresses in DNS for that host name, and remove the environment variable
> $TCPREMOTEHOST if none of the addresses match the client's IP address.

> Upon re-reading this option I notice it did what it says it does. It
> removed the $TCPREMOTEHOST, hence the "Received: from unknown".

> I still got the email. So now I figure that $TCPREMOTEHOST is passed to
> smtpd in the environment variables. So somehow I need to tell smtpd to
> close if "condition" is not met.

You can use something like

~# cat /service/qmail-smtpd/run
#!/bin/sh

QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
exec softlimit -m 3000000 \
tcpserver -v -p -x /etc/qmail/tcp.smtp.cdb \
-u $QMAILDUID -g $NOFILESGID 0 smtp \
sh -c 'test -z "$TCPREMOTEHOST" \
|| exec /var/qmail/bin/qmail-smtpd' 2>&1
~#

Gerrit.

--
pa...@innominate.com
innominate AG

tel: +49.30.308806-0 fax: -77 http://www.innominate.com
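The check that tcpserver -p performs, and the drop that the sh -c wrapper above turns it into, as an added illustration that is not code from the thread or from ucspi-tcp. It reimplements the forward-confirmed reverse lookup in Python with the resolver functions injectable; the hostnames, addresses and record tables are constructed sample data, not real DNS records.

```python
import socket
from typing import Callable, Iterable, Optional

# Constructed sample records (documentation address ranges), used in place of real DNS.
SAMPLE_PTR = {
    "192.0.2.10": "mail.example.net",       # PTR and A agree: accepted
    "198.51.100.7": "relay.example.org",    # name has several A records, one matches
    "203.0.113.9": "bogus.example.com",     # PTR names a host that resolves elsewhere
}
SAMPLE_A = {
    "mail.example.net": ["192.0.2.10"],
    "relay.example.org": ["198.51.100.5", "198.51.100.7"],
    "bogus.example.com": ["192.0.2.99"],
}

def sample_reverse(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)              # None models "no PTR record"

def sample_forward(name: str) -> Iterable[str]:
    return SAMPLE_A.get(name, [])

def system_reverse(ip: str) -> Optional[str]:
    """Live PTR lookup via the system resolver (only used when no resolver is injected)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:                        # herror/gaierror: no name for this address
        return None

def system_forward(name: str) -> Iterable[str]:
    """Live A lookup of the PTR name via the system resolver."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def paranoid_remote_host(client_ip: str,
                         reverse: Callable[[str], Optional[str]] = system_reverse,
                         forward: Callable[[str], Iterable[str]] = system_forward) -> Optional[str]:
    """Value tcpserver -p would leave in $TCPREMOTEHOST, or None when it removes it."""
    name = reverse(client_ip)
    if name is None:
        return None                        # no PTR: "Received: from unknown"
    if client_ip not in set(forward(name)):
        return None                        # PTR name does not resolve back to the client
    return name

def should_accept(client_ip: str, reverse=system_reverse, forward=system_forward) -> bool:
    """The wrapper's decision: test -z "$TCPREMOTEHOST" || exec qmail-smtpd."""
    return paranoid_remote_host(client_ip, reverse, forward) is not None
```

Note that tcpserver -p only applies to the name it obtained from the PTR; a client whose PTR is missing entirely (the 211.38.3.100 case above) fails the check the same way as one whose PTR name resolves to a different address.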

David Killingsworth

May 12, 2001, 2:52:02 PM

If I understand what you suggest, it is to test for the existence of
$TCPREMOTEHOST. I believe this may work; however, for server security,
I don't have much reason to talk to ANY hosts on any services if they are
not properly configured on the DNS side of the INTERNET. I would like to
have tcpserver make this decision itself when the connection is found not
to have forward/reverse DNS. tcpserver should drop the connection at this
point. I'm reading through tcpserver to find what changes need to be made.
I do like your suggestion and it will definitely work for the immediate
time. Thanks
David.
