topic Re: sendmail challenge!!!!! validate dns in Operating System - HP-UX

sendmail challenge!!!!! validate dns

Steven E. Protter — Tue, 14 Jan 2003 15:56:26 GMT

recommend changes to make sendmail daemon validate that the domain sending the mail actually exists.

So that if schmobagel@aol.com sends me mail its accepted because aol.com exists

But if shmuel@schmobagel.com sends me mail its rejected.

This would be a very effective spam filter.

What I need is as follows:

1) A tested scenario. This means you've actually done it. I'll give points for suggestions, but if you want 10 you need to provide a tested, step by step plan run on either HP-UX or Linux.

2) Details

For example, add following directives to senmail.mc rebuild the hash db(I know how but does everyone else?)

If you don't think this is possible, try sending mail to aol from an unregistered domain name, even if the sending email address is perfectly valid. Do it on the command line and see what response you get.
/usr/sbin/sendmail -v -d8.99 -d38.99 stevenprotter"at"juf.org (hpux mod it for linux) choose a real aol.com email address btw.

I will not follow the rules and say this in a shout.

I WANT MY SERVER TO DO THAT!

Regards,

Steve

Re: sendmail challenge!!!!! validate dns

Steven E. Protter — Tue, 14 Jan 2003 16:00:37 GMT

sendmail.mc

I know the changes have to be partially here, so I'll give you astarting point.

Sorry no attachment, don't have that kind of access.

The names if the innocent IP addresses have been randomized.

FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl The '-t' option will retry delivery if e.g. the user runs over his quota.
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl This changes sendmail to only listen on the loopback device 127.0.0.1
dnl and not on any other network devices. Comment this out if you want
dnl to accept email over the network.
DAEMON_OPTIONS(`Port=smtp,Addr=69.92.183.164, Name=MTA')
DAEMON_OPTIONS(`Port=smtp,Addr=69.92.183.167, Name=MTA')
dnl NOTE: binding both IPv4 and IPv6 daemon to the same port requires
dnl a kernel patch
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')
dnl We strongly recommend to comment this one out if you want to protect
dnl yourself from spam. However, the laptop and users on computers that do
dnl not have 24x7 DNS do need this.
# FEATURE(`accept_unresolvable_domains')dnl
FEATURE(`relay_based_on_MX')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
Cwinvestmenttool.com
Cwisnamerica.comdnl DOMAIN(investmenttool.com) dnl
MASQUERADE_AS(investmenttool.com)dnl
MASQUERADE_DOMAIN(investmenttool.com)dnl
MASQUERADE_DOMAIN(isnamerica.com)dnl

Re: sendmail challenge!!!!! validate dns

Jochen Heuer — Tue, 14 Jan 2003 16:06:55 GMT

Hi Steve,

some points:

- which version of sendmail are you using / do you plan to use?

- testing the part in the from: header does not protect against spammers at all since spammers are used to forge headers

- what you want is validating if the ip address of the system connecting to your sendmail can be resolved. and from sendmail 8.9.3 upwards this check is done always except you disable it (I think its option 9 in the sendmail gen_cf script: allow unresolvable domains).

Regards,

Joche

Re: sendmail challenge!!!!! validate dns

Steven E. Protter — Tue, 14 Jan 2003 16:14:58 GMT

I want to do this on a HP-UX machine and a Linux machine.

Believe it or not, I never tried it on HP-UX yet.

I'll backup and try it on HP-UX it might give me the directives I need for Linux as well.

Sendmail versions.

Probably the latest.

[1832#] what /usr/sbin/sendmail
/usr/sbin/sendmail:
Copyright (c) 1998 HEWLETT PACKARD COMPANY and its licensors,
including Sendmail, Inc., and the Regents of the
University of California. All rights reserved.
version.c 8.9.3.1 (Berkeley) 8/10/2001 (PHNE_25184)

Since there is no what command on Linux, I can't answer that question so eaily.

Re: sendmail challenge!!!!! validate dns

Jochen Heuer — Tue, 14 Jan 2003 16:17:07 GMT

Hi Steve,

I am not sure about Linux sendmail but doing a telnet to port 25 provides the version of sendmail / config file and the active patch level on HP-UX.

Regards,

Jochen

Re: sendmail challenge!!!!! validate dns

Christopher Caldwell — Tue, 14 Jan 2003 16:44:31 GMT

The answer is somewhat dependent on the version of sendmail you run, so I'll give you a couple of examples:

8.11.1
Kresolve host -a -T

Make sure the above ruleset is uncommented. You should get this by default unless you built sendmail.cf with accept_unresolvable_domains.

8.9.3 Uncomment these rulesets under check_mail

# lookup IP address (reverse mapping available?)
# R$*<@[$+]>$* $: $1 < @ $[ [ $2 ] $] > $3
# no DNS entry? this is dangerous!
# R$*<@$*$~P>$* $#error $@ 4.1.8 $: 418 unresolvable host name $2$3, check your
configuration.

(At this point, you should have enabled all of the anti-spam rulesets in sendmail.cf for 8.9.3).

Re: sendmail challenge!!!!! validate dns

Steven E. Protter — Tue, 14 Jan 2003 16:45:20 GMT

Its obvious I probably need a Linux post to work this out.

A couple of interesing things.

# FEATURE(`accept_unresolvable_domains')dnl

I should not accept mail from unresolvable domains. Trust me, my Linux server is getting mail from unresolvable domains.

Is this due to forged headers?

I'll do that.

on UX though.

/usr/newconfig/etc/mail/cf/cf/gen_cf

The configuration file is: sendmail.cf.gen

Press Return key to continue....

I hit return

Select the options below with space as the separator

1: generate sendmail.cf with Relay ON [ Includes 9 10 13 options ]
2: generate sendmail.cf with Relay OFF [ Default sendmail.cf file ]
3: generate sendmail.cf with Relay_entire_domain
4: generate sendmail.cf with Relay_based_on_MX
5: generate sendmail.cf with Relay_hosts_only
6: generate sendmail.cf with Access_db
7: generate sendmail.cf with Relay_local_from
8: generate sendmail.cf with Blacklist_recipients
9: generate sendmail.cf with Accept_unresolvable_domains
10: generate sendmail.cf with Accept_unqualified_senders
11: generate sendmail.cf with Realtime Blackhole List
12: generate sendmail.cf with Loose_relay_check
13: generate sendmail.cf with Promiscuous_relay

h: Help [ Number ] [all]
x: Exit from selection

choose option 9'

9
Including accept_unresolvable_domains
cat: Cannot open generic-hpux10.changed: No such file or directory

Building .. sendmail.cf.gen file

/usr/ccs/bin/m4:-:1 can't open file

Kind of wondering whats going on here.

Steve

Re: sendmail challenge!!!!! validate dns

Steven E. Protter — Tue, 14 Jan 2003 16:48:30 GMT

Linux Version number

220 investmenttool.com ESMTP Sendmail 8.11.6/8.11.6; Tue, 14 Jan 2003 10:46:42 -
0600

As is the usual case, more bleeding edge.

Steve

Re: sendmail challenge!!!!! validate dns

Steven E. Protter — Tue, 14 Jan 2003 17:01:43 GMT

It would seem painfully obvious that my Linux and HP-UX mail environments should already be able to do what I want them to do.

The Linux one is not.

I will have to go home, and run some tests on the mail I've sucked off the server into outlook, because I don't have any examples yet.

Steve

Re: sendmail challenge!!!!! validate dns

Christopher Caldwell — Tue, 14 Jan 2003 18:59:53 GMT

Few things to help -

-give or take, the Linux and HP-UX sendmail.cf files should be _very_ similar. The difference is mainly in delivery agents. The rulesets you're concerned with should be the same.

-you _don't_ want to enable this feature:
# FEATURE(`accept_unresolvable_domains')dnl

-the configs are easier to see and understand on 8.11.1

-IIRC, 8.11.1 has two checks/points of control ... 1 to see if the IP of the relay is resolvable, 1 to see if the domain portion of the sender's e-mail is resolvable

Re: sendmail challenge!!!!! validate dns

Shannon Petry — Tue, 14 Jan 2003 20:48:10 GMT

The problem is not with name resolution, but spoofing. I can forge mail from anyone, and spammers mail packages can do it better than I.

I used to use the RBL, and it works like a champ. There is another product called PerlMX (I think it has a new name now). This product is an anti-spam package which I think does reverse lookups (because this is the failure), as well as spam filtering from good/valid domains. A friend of mine just went off of the RBL sendmail options and onto perlMX. His company bought 3 licenses and support for 3 years they were so happy with it.

On the down side, it's a pay-for product. On the up-side his company has reduced spam by 80%.

Regards,
Shannon

Re: sendmail challenge!!!!! validate dns

Jordan Bean — Wed, 15 Jan 2003 18:06:14 GMT

config problem:

# FEATURE(`accept_unresolvable_domains')dnl

In m4 template files, # does not comment out macros. Use dnl like so:

dnl FEATURE(`accept_unresolvable_domains')dnl

Or delete the line completely and rebuild the cf file.