HPE Community
Operating System - HP-UX
1752591 Members
3171 Online
108788 Solutions
New Discussion юеВ

sendmail challenge!!!!! validate dns

 
Steven E. Protter
Exalted Contributor

тАО01-14-2003 07:56 AM

тАО01-14-2003 07:56 AM

sendmail challenge!!!!! validate dns

recommend changes to make sendmail daemon validate that the domain sending the mail actually exists.

So that if schmobagel@aol.com sends me mail its accepted because aol.com exists

But if shmuel@schmobagel.com sends me mail its rejected.

This would be a very effective spam filter.

What I need is as follows:

1) A tested scenario. This means you've actually done it. I'll give points for suggestions, but if you want 10 you need to provide a tested, step by step plan run on either HP-UX or Linux.

2) Details

For example, add following directives to senmail.mc rebuild the hash db(I know how but does everyone else?)

If you don't think this is possible, try sending mail to aol from an unregistered domain name, even if the sending email address is perfectly valid. Do it on the command line and see what response you get.
/usr/sbin/sendmail -v -d8.99 -d38.99 stevenprotter"at"juf.org (hpux mod it for linux) choose a real aol.com email address btw.

I will not follow the rules and say this in a shout.

I WANT MY SERVER TO DO THAT!

Regards,

Steve
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
11 REPLIES 11
Steven E. Protter
Exalted Contributor

тАО01-14-2003 08:00 AM

тАО01-14-2003 08:00 AM

Re: sendmail challenge!!!!! validate dns

sendmail.mc

I know the changes have to be partially here, so I'll give you astarting point.

Sorry no attachment, don't have that kind of access.

The names if the innocent IP addresses have been randomized.

FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl The '-t' option will retry delivery if e.g. the user runs over his quota.
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl This changes sendmail to only listen on the loopback device 127.0.0.1
dnl and not on any other network devices. Comment this out if you want
dnl to accept email over the network.
DAEMON_OPTIONS(`Port=smtp,Addr=69.92.183.164, Name=MTA')
DAEMON_OPTIONS(`Port=smtp,Addr=69.92.183.167, Name=MTA')
dnl NOTE: binding both IPv4 and IPv6 daemon to the same port requires
dnl a kernel patch
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')
dnl We strongly recommend to comment this one out if you want to protect
dnl yourself from spam. However, the laptop and users on computers that do
dnl not have 24x7 DNS do need this.
# FEATURE(`accept_unresolvable_domains')dnl
FEATURE(`relay_based_on_MX')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
Cwinvestmenttool.com
Cwisnamerica.comdnl DOMAIN(investmenttool.com) dnl
MASQUERADE_AS(investmenttool.com)dnl
MASQUERADE_DOMAIN(investmenttool.com)dnl
MASQUERADE_DOMAIN(isnamerica.com)dnl
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Jochen Heuer
Respected Contributor

тАО01-14-2003 08:06 AM

тАО01-14-2003 08:06 AM

Re: sendmail challenge!!!!! validate dns

Hi Steve,

some points:

- which version of sendmail are you using / do you plan to use?

- testing the part in the from: header does not protect against spammers at all since spammers are used to forge headers

- what you want is validating if the ip address of the system connecting to your sendmail can be resolved. and from sendmail 8.9.3 upwards this check is done always except you disable it (I think its option 9 in the sendmail gen_cf script: allow unresolvable domains).

Regards,

Joche
Well, yeah ... I suppose there's no point in getting greedy, is there?
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

тАО01-14-2003 08:14 AM

тАО01-14-2003 08:14 AM

Re: sendmail challenge!!!!! validate dns

I want to do this on a HP-UX machine and a Linux machine.

Believe it or not, I never tried it on HP-UX yet.

I'll backup and try it on HP-UX it might give me the directives I need for Linux as well.

Sendmail versions.

Probably the latest.

[1832#] what /usr/sbin/sendmail
/usr/sbin/sendmail:
Copyright (c) 1998 HEWLETT PACKARD COMPANY and its licensors,
including Sendmail, Inc., and the Regents of the
University of California. All rights reserved.
version.c 8.9.3.1 (Berkeley) 8/10/2001 (PHNE_25184)


Since there is no what command on Linux, I can't answer that question so eaily.
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Jochen Heuer
Respected Contributor

тАО01-14-2003 08:17 AM

тАО01-14-2003 08:17 AM

Re: sendmail challenge!!!!! validate dns

Hi Steve,

I am not sure about Linux sendmail but doing a telnet to port 25 provides the version of sendmail / config file and the active patch level on HP-UX.

Regards,

Jochen
Well, yeah ... I suppose there's no point in getting greedy, is there?
0 Kudos
Reply
Christopher Caldwell
Honored Contributor

тАО01-14-2003 08:44 AM

тАО01-14-2003 08:44 AM

Re: sendmail challenge!!!!! validate dns

The answer is somewhat dependent on the version of sendmail you run, so I'll give you a couple of examples:

8.11.1
Kresolve host -a -T

Make sure the above ruleset is uncommented. You should get this by default unless you built sendmail.cf with accept_unresolvable_domains.

8.9.3 Uncomment these rulesets under check_mail

# lookup IP address (reverse mapping available?)
# R$*<@[$+]>$* $: $1 < @ $[ [ $2 ] $] > $3
# no DNS entry? this is dangerous!
# R$*<@$*$~P>$* $#error $@ 4.1.8 $: 418 unresolvable host name $2$3, check your
configuration.


(At this point, you should have enabled all of the anti-spam rulesets in sendmail.cf for 8.9.3).
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

тАО01-14-2003 08:45 AM

тАО01-14-2003 08:45 AM

Re: sendmail challenge!!!!! validate dns

Its obvious I probably need a Linux post to work this out.

A couple of interesing things.

# FEATURE(`accept_unresolvable_domains')dnl

I should not accept mail from unresolvable domains. Trust me, my Linux server is getting mail from unresolvable domains.

Is this due to forged headers?

I'll do that.

on UX though.

/usr/newconfig/etc/mail/cf/cf/gen_cf

The configuration file is: sendmail.cf.gen

Press Return key to continue....

I hit return

Select the options below with space as the separator


1: generate sendmail.cf with Relay ON [ Includes 9 10 13 options ]
2: generate sendmail.cf with Relay OFF [ Default sendmail.cf file ]
3: generate sendmail.cf with Relay_entire_domain
4: generate sendmail.cf with Relay_based_on_MX
5: generate sendmail.cf with Relay_hosts_only
6: generate sendmail.cf with Access_db
7: generate sendmail.cf with Relay_local_from
8: generate sendmail.cf with Blacklist_recipients
9: generate sendmail.cf with Accept_unresolvable_domains
10: generate sendmail.cf with Accept_unqualified_senders
11: generate sendmail.cf with Realtime Blackhole List
12: generate sendmail.cf with Loose_relay_check
13: generate sendmail.cf with Promiscuous_relay

h: Help [ Number ] [all]
x: Exit from selection



choose option 9'


9
Including accept_unresolvable_domains
cat: Cannot open generic-hpux10.changed: No such file or directory


Building .. sendmail.cf.gen file


/usr/ccs/bin/m4:-:1 can't open file


Kind of wondering whats going on here.

Steve
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

тАО01-14-2003 08:48 AM

тАО01-14-2003 08:48 AM

Re: sendmail challenge!!!!! validate dns

Linux Version number

220 investmenttool.com ESMTP Sendmail 8.11.6/8.11.6; Tue, 14 Jan 2003 10:46:42 -
0600

As is the usual case, more bleeding edge.

Steve
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

тАО01-14-2003 09:01 AM

тАО01-14-2003 09:01 AM

Re: sendmail challenge!!!!! validate dns

It would seem painfully obvious that my Linux and HP-UX mail environments should already be able to do what I want them to do.

The Linux one is not.

I will have to go home, and run some tests on the mail I've sucked off the server into outlook, because I don't have any examples yet.

Steve
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Christopher Caldwell
Honored Contributor

тАО01-14-2003 10:59 AM

тАО01-14-2003 10:59 AM

Re: sendmail challenge!!!!! validate dns

Few things to help -

-give or take, the Linux and HP-UX sendmail.cf files should be _very_ similar. The difference is mainly in delivery agents. The rulesets you're concerned with should be the same.

-you _don't_ want to enable this feature:
# FEATURE(`accept_unresolvable_domains')dnl

-the configs are easier to see and understand on 8.11.1

-IIRC, 8.11.1 has two checks/points of control ... 1 to see if the IP of the relay is resolvable, 1 to see if the domain portion of the sender's e-mail is resolvable
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.