topic Re: Reverse Lookup zone benefits ? in Operating System - Linux

Reverse Lookup zone benefits ?

Maaz — Tue, 08 Aug 2006 13:37:43 GMT

what are the benefits of reverse lookup zone ?

I dont know why... but there must be a relation-ship between sendmail and reverse lookup zone, becuase when I dont create the reverse lookup zone, using Outlook Express, send/recieve takes a lot much time, but when I create the reverse lookup zone, send/receive is very fast.

So I wana know why send/receive gets the benefit(in terms of speed) from reverse lookup zone ?
And is there any other benefits of creating reverse lookup zone ?

Regards
Maaz

Re: Reverse Lookup zone benefits ?

Steven E. Protter — Tue, 08 Aug 2006 13:52:21 GMT

Shalom Maaz,

Main benefit is when you send mail to the Internet most mail servers require valid reverse lookup prior to accepting the mail.

SEP

Re: Reverse Lookup zone benefits ?

Ivan Ferreira — Tue, 08 Aug 2006 14:19:31 GMT

Most services do a reverse lookup when a connection is established. This could be for security reasons as reject the connection if the reverse lookup is not found, or for logging reasons, so in the log you can identify the hostname.

Some services gives you an option to disable the reverse lookup, some other don't.

Is good to have a reverse lookup for these reasons, also it could help you to identify your hosts in your network.

Re: Reverse Lookup zone benefits ?

Maaz — Tue, 08 Aug 2006 14:45:05 GMT

Thanks Dear SEP and Ivan Ferriera ;)

smtp server: sendmail 8.x
when I dont create the reverse lookup zone, using Outlook Express, send/recieve takes a lot much time, but when I create the reverse lookup zone, send/receive is very fast.
Any Reason ?
Regards
Maaz

Re: Reverse Lookup zone benefits ?

Ivan Ferreira — Tue, 08 Aug 2006 15:20:20 GMT

That could be for a setting like this:

http://www.sendmail.org/~ca/email/check.html#check_relay

Re: Reverse Lookup zone benefits ?

Stuart Browne — Tue, 08 Aug 2006 17:26:15 GMT

On an Internal network, the benefits are minor, given that it's internal there is (theoreitcally) more control over who's connecting.

That being said, you can get around it by using a properly populated 'hosts' file usually (and a service.switch file).

As Ivan says though, if you're using a pre-compiled package, there's no real way you can get around using it.

All this being said, why aren't you setting up reverse zone files? It's not hard to do, and if it is an internal network, and you don't care what the individual machines reverse lookup returns (sendmail doesn't unless you turn on some pretty harsh options for HELO matching), then simple names are more than enough, i.e.:

1 IN PTR 1.internal.

for all 255 numbers, and you can copy it around *shrug*.

Re: Reverse Lookup zone benefits ?

Al Licause — Wed, 09 Aug 2006 07:31:14 GMT

As was mentioned, many applications such as sendmail and telnetd perform reverse lookups during normal operations. In some cases the lookup is simply for logging purposes....in others it is for security such as nfs and if the lookup is not successful, the connection will be refused.

In your case, there may be an alternate dns server that has reverse zones defined or the applicaiton may simply timeout and either use what it has.

The benefits are that it can greatly increase connection times avoiding long delays. It's up to you to weigh the benefits.

Re: Reverse Lookup zone benefits ?

Steven E. Protter — Wed, 09 Aug 2006 07:38:53 GMT

Shalom again Maaz,

Answer to your question.

My servers will reject your mail out of hand if there is no reverse lookup zone.

Other servers will drop your priority, making it harder to process your message,introducing delays.

If you do some email interactively with telnet, you will see this yourself. You will also see messageing concerning reverse lookup zones. Its absolutely essential to have them.

SEP

Re: Reverse Lookup zone benefits ?

Ivan Ferreira — Wed, 09 Aug 2006 09:34:05 GMT

Also, as when you use outlook express, you also receive messages at the time you send, so, could be your pop/imap server doing the reverse lookups.

Re: Reverse Lookup zone benefits ?

Maaz — Wed, 09 Aug 2006 13:16:15 GMT

Thanks Dear ALL Gurus for such a nice help and support ;)

>My servers will reject your mail out of hand if there is no reverse lookup zone

I also want to implement this ... what should I do in sendmail.mc ?

Regards
Maaz

Re: Reverse Lookup zone benefits ?

Ivan Ferreira — Wed, 09 Aug 2006 13:59:55 GMT

Check this link:

http://networking.ringofsaturn.com/Unix/sendmailtips.php

Re: Reverse Lookup zone benefits ?

Maaz — Wed, 09 Aug 2006 15:10:07 GMT

Thanks Dear Ivan for help ;)
from the tutorial(http://networking.ringofsaturn.com/Unix/sendmailtips.php)I copy paste the lines into my sendmail.cf, and then restart the service, error occured.
Plz check the attachment for the error

Re: Reverse Lookup zone benefits ?

Maaz — Wed, 09 Aug 2006 15:13:39 GMT

plz find the attached sendmail.cf file also.

Re: Reverse Lookup zone benefits ?

Ivan Ferreira — Wed, 09 Aug 2006 15:59:59 GMT

So, you get an error. I can see from the attached file that you used space instead of tabs. Sendmail is very sensitive with that, you must add tabs instead of space in this ruleset declaration

Add this to the end of your sendmail.mc file:

LOCAL_RULESETS
SLocal_check_relay
R$* $: $&{client_resolve}
RTEMP $#error $@ 4.7.1 $: "450 Access denied. Cannot resolve PTR record for " $&{client_addr}
RFORGED $#error $@ 4.7.1 $: "450 Access denied. IP name possibly forged " $&{client_name}
RFAIL $#error $@ 4.7.1 $: "450 Access denied. IP name lookup failed " $&{client_name}

Ensure that TAB is used to separate the right side with the left side.

Create your cf with:

m4 sendmail.mc sendmail.cf

Restar sendmail, you should not get errors.

Try again.

Re: Reverse Lookup zone benefits ?

Maaz — Fri, 11 Aug 2006 02:17:17 GMT

client IP: 10.0.0.1

Thanks Dear Ivan for such a nice/kind help
Ok I put the code into sendmail.cf file and then restart the sendmail, no error ;)

But when I telnet the server from client, following is the result
#telnet mail.test.com 25
220 localhost.localdomain ESMTP Sendmail 8.13.1/8.13.1; Fri, 11 Aug 2006 11:37:3
8 +0500
helo test.com
250 localhost.localdomain Hello pc1.test.com [10.0.0.1] (may be forged), pleas
ed to meet you
MAIL FROM:
450 4.7.1 Access denied. IP name possibly forged [10.0.0.1]

On sendmail server:
#tail -f /var/log/maillog
Aug 11 11:41:29 system2 sendmail[2787]: ruleset=check_relay, arg1=[10.0.0.1], arg2=10.0.0.1, relay=pc1.test.com [10.0.0.1] (may be forged), reject=450 4.7.1 Access denied. IP name possibly forged [10.0.0.1]

Bind and sendmail is configured on the same system(10.0.0.2)
on sendmail server:
#cat /etc/resolv.conf
nameserver 10.0.0.2

#cat /etc/named.conf
zone "0.0.10.in-addr.arpa" IN {
type master;
file "re";
};

zone "test.com" IN {
type master;
file "test.com.frwd";
};

file for reverse lookup zone is attached(/var/named/chroot/var/named/re)

Re: Reverse Lookup zone benefits ?

Maaz — Fri, 11 Aug 2006 02:19:38 GMT

reverse lookup zone file is attached.

Re: Reverse Lookup zone benefits ?

Ivan Ferreira — Fri, 11 Aug 2006 08:59:43 GMT

What is the output of:

dig -x 10.0.0.1

Also, you can leave only the line that check for PTR and remove the others that check for forged addresses.

Re: Reverse Lookup zone benefits ?

Maaz — Sat, 12 Aug 2006 12:44:25 GMT

Millions of Thanks Dear Mr Ivan Ferriera, for such a nice help and support ;)

dig -x 10.0.0.1 output is attached.

As per your instructions, I simply remove the "forged" line from sendmail.cf, and now its working ;).

from sendmail.cf:

SLocal_check_relay
R$* $: $&{client_resolve}
RTEMP $#error $@ 4.7.1 $: "450 Access denied. Cannot resolve PTR record for " $&{client_addr}
RFAIL $#error $@ 4.7.1 $: "450 Access denied. IP name lookup failed " $&{client_name}

May I know, why this line [ RFORGED $#error $@ 4.7.1 $: "450 Access denied. IP name possibly forged " $&{client_name}
] is not working properly ? even though IP to name resolution is working fine.

Refards
Maaz

Re: Reverse Lookup zone benefits ?

Maaz — Sat, 12 Aug 2006 12:44:36 GMT

Re: Reverse Lookup zone benefits ?

Ivan Ferreira — Sun, 13 Aug 2006 06:29:48 GMT

Glad to help Maaz.

The theory indicates that sendmail will try to do 2 lookups, a reverse lookup and a forward lookup. If the forward lookup does not match the information obtained in the reverse lookup, then considers the IP "forged".

Ensure that the A record and the PTR record resolves to the same hostname. If that is correct, then additional debugging is needed.