
Re: 7. BCP - Mail Administrators: Checking HELO (was: [Asrg] 0. General - Administrative - for M. Wild)



On Tue, Sep 02, 2003 at 11:13:25PM +0200, Brad Knowles wrote

> >   How about total lack of rDNS ?  I block on that, not on mismatching
> > rDNS.
> 
> 	Can you be sure?  If Dean Anderson were to send you a mail 
> message from his mis-configured machines in av8.com (e.g., 
> concorde.av8.net -> 130.105.11.50 -> relay1.av8.net, or 
> concorde.av8.com -> 130.105.11.3 -> concorde.av8.net -> 130.105.11.50 
> & 130.105.11.3), would you accept or reject that message on the basis 
> of the way he has reverse DNS set up?  What method have you used to 
> ensure that this is the case?
> 
> 	I ask this because the postfix option of reject_unknown_client 
> will reject a connection for either non-existent rDNS or incorrect 
> rDNS.  Many IP addresses will have essentially useless rDNS defined 
> for them by their ISP, even if the person using that IP address is 
> totally unaware of this fact.  Are you sure that your code (or 
> sendmail itself) doesn't do the same?

  It's not "my" code.  I'm a customer of clss.net.  They run a modified
Qmail that parses a config file in the customer's home directory after
the RCPT: stage. (I don't admin the MTA, I admin the filters for my
account).  Any email that the config file decides to reject gets the
big 550 before the DATA: stage.  There are 3 different rules that might
apply here.  Direct quotes from "man dnsblfilter"...


       PARANOID reply
              If the sending IP address has a reverse DNS pointer
              that is not matched by a forward (address)  record,
              reply is printed and the message is rejected.

       REJECTNOHOSTNAME reply
              If the sending IP address has no name in any avail-
              able address-to-name database, reply is printed and
              the message is rejected.

       SUPERPARANOID reply
              If the sending IP address has no  name,  or  has  a
              reverse  DNS  pointer that is not matched by a for-
              ward (address) record, reply  is  printed  and  the
              message is rejected. This is equivalent to PARANOID
              combined with REJECTNOHOSTNAME.

  I use REJECTNOHOSTNAME in my ruleset.  It catches really gross stuff
where there simply is no rDNS period.  For instance...

[waltdnes@m450 waltdnes]$ host 192.168.1.1
Host 1.1.168.192.in-addr.arpa not found: 3(NXDOMAIN)

  Let's look at Dean's setup...

[waltdnes@m450 waltdnes]$ host concorde.av8.net
concorde.av8.net has address 130.105.11.3
concorde.av8.net has address 130.105.11.50

  Looks like a load-balancing act.  How does each of the two addresses
work out?

[waltdnes@m450 waltdnes]$ host 130.105.11.3
3.11.105.130.in-addr.arpa domain name pointer concorde.av8.net.

  That one looks OK.

[waltdnes@m450 waltdnes]$ host 130.105.11.50
50.11.105.130.in-addr.arpa domain name pointer relay1.av8.net.
[waltdnes@m450 waltdnes]$ host relay1.av8.net
relay1.av8.net has address 130.105.11.50

  What's wrong with this one?  130.105.11.50 has a name (different from
the original name) that resolves back to 130.105.11.50.  I don't see
how this is "misconfigured", unless all load-balancing is considered to
be misconfiguration.

-- 
Walter Dnes <waltdnes@waltdnes.org>
Email users are divided into two classes;
1) Those who have effective spam-blocking
2) Those who wish they did
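The three dnsblfilter rules quoted above (REJECTNOHOSTNAME, PARANOID and SUPERPARANOID) are easy to state precisely as code, and doing so makes the thread's disagreement concrete: the question is whether a check compares the connecting IP's PTR name against that name's forward records, or against some other name. The following is an added example, not code from dnsblfilter, clss.net or anyone on this thread. It implements the three policies over a small offline resolver loaded with constructed tables that mirror the `host` lookups shown in the message, plus one invented mismatch case on an RFC 5737 documentation address; the `SystemResolver` class is an assumed convenience for running the same logic against live DNS.

```python
import socket
from typing import Dict, List, Optional, Tuple

# Policy names as quoted from "man dnsblfilter" in the message.
REJECTNOHOSTNAME = "REJECTNOHOSTNAME"
PARANOID = "PARANOID"
SUPERPARANOID = "SUPERPARANOID"


class FakeResolver:
    """Offline resolver over constructed PTR and A tables (no network access)."""

    def __init__(self, ptr: Dict[str, str], a: Dict[str, List[str]]):
        self.ptr = ptr
        self.a = a

    def reverse(self, ip: str) -> Optional[str]:
        # None models NXDOMAIN on the in-addr.arpa lookup
        return self.ptr.get(ip)

    def forward(self, name: str) -> List[str]:
        return self.a.get(name, [])


class SystemResolver:
    """Live resolver through the stdlib socket module (assumed helper, not from the page)."""

    def reverse(self, ip: str) -> Optional[str]:
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            return None

    def forward(self, name: str) -> List[str]:
        try:
            return socket.gethostbyname_ex(name)[2]
        except (socket.herror, socket.gaierror):
            return []


def check_client(ip: str, policy: str, resolver) -> Tuple[bool, str]:
    """Return (accepted, reason) for a connecting IP under one of the three policies.

    REJECTNOHOSTNAME: reject only when no PTR name exists.
    PARANOID:         reject only when a PTR name exists but its forward
                      (A) records do not include the connecting IP.
    SUPERPARANOID:    both of the above.
    """
    name = resolver.reverse(ip)
    if name is None:
        if policy in (REJECTNOHOSTNAME, SUPERPARANOID):
            return False, f"{ip} has no name in any address-to-name database"
        # PARANOID alone only judges a PTR that actually exists
        return True, f"{ip} has no PTR; {policy} does not reject on that"
    if policy == REJECTNOHOSTNAME:
        return True, f"{ip} -> {name} (PTR exists; forward not verified)"
    addrs = resolver.forward(name)
    if ip in addrs:
        return True, f"{ip} -> {name} -> {ip} (forward-confirmed)"
    return False, f"{ip} -> {name} -> {addrs or 'no A record'} does not contain {ip}"


# Constructed tables: the av8.net entries copy the lookups shown in the
# message; 192.0.2.10 / mail.example.com is an invented PTR-without-matching-A
# case on documentation address space.
PTR = {
    "130.105.11.3": "concorde.av8.net",
    "130.105.11.50": "relay1.av8.net",
    "192.0.2.10": "mail.example.com",
}
A = {
    "concorde.av8.net": ["130.105.11.3", "130.105.11.50"],
    "relay1.av8.net": ["130.105.11.50"],
    "mail.example.com": ["192.0.2.99"],
}
RESOLVER = FakeResolver(PTR, A)


def evaluate_all(resolver=RESOLVER) -> Dict[Tuple[str, str], bool]:
    """Run every sample IP through every policy; returns {(ip, policy): accepted}."""
    results = {}
    for ip in ("192.168.1.1", "130.105.11.3", "130.105.11.50", "192.0.2.10"):
        for policy in (REJECTNOHOSTNAME, PARANOID, SUPERPARANOID):
            accepted, reason = check_client(ip, policy, resolver)
            results[(ip, policy)] = accepted
            print(f"{policy:17} {'accept' if accepted else 'reject'}  {reason}")
    return results


if __name__ == "__main__":
    evaluate_all()
```

Run against the constructed tables, 130.105.11.50 passes PARANOID and SUPERPARANOID: its PTR is relay1.av8.net, whose A record points straight back at 130.105.11.50, which is exactly the observation in the message. 192.168.1.1 fails REJECTNOHOSTNAME but not PARANOID, since PARANOID only judges a PTR that exists; the invented 192.0.2.10 fails PARANOID because its PTR name resolves elsewhere. Note that none of the three rules looks at the HELO name or at any other A record of the host; the only comparison is connecting IP, PTR name, forward records of that name, back to the connecting IP.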

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg