
Re: Reverse Lookup zone benefits ?

 
Maaz
Valued Contributor

Reverse Lookup zone benefits ?

What are the benefits of a reverse lookup zone?

I don't know why... but there must be a relationship between sendmail and the reverse lookup zone, because when I don't create the reverse lookup zone, using Outlook Express, send/receive takes a lot of time, but when I create the reverse lookup zone, send/receive is very fast.

So I want to know why send/receive gets the benefit (in terms of speed) from the reverse lookup zone?
And are there any other benefits of creating a reverse lookup zone?

Regards
Maaz
21 REPLIES
Steven E. Protter
Exalted Contributor
Solution

Re: Reverse Lookup zone benefits ?

Shalom Maaz,

The main benefit is that when you send mail to the Internet, most mail servers require a valid reverse lookup prior to accepting the mail.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Ivan Ferreira
Honored Contributor

Re: Reverse Lookup zone benefits ?

Most services do a reverse lookup when a connection is established. This could be for security reasons, such as rejecting the connection if the reverse lookup is not found, or for logging reasons, so that in the log you can identify the hostname.

Some services give you an option to disable the reverse lookup; others don't.

It is good to have a reverse lookup for these reasons; it can also help you identify the hosts in your network.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Maaz
Valued Contributor

Re: Reverse Lookup zone benefits ?

Thanks Dear SEP and Ivan Ferreira ;)

SMTP server: sendmail 8.x
When I don't create the reverse lookup zone, using Outlook Express, send/receive takes a lot of time, but when I create the reverse lookup zone, send/receive is very fast.
Any reason?
Regards
Maaz
Ivan Ferreira
Honored Contributor

Re: Reverse Lookup zone benefits ?

That could be for a setting like this:

http://www.sendmail.org/~ca/email/check.html#check_relay
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Stuart Browne
Honored Contributor

Re: Reverse Lookup zone benefits ?

On an internal network, the benefits are minor, given that it's internal and there is (theoretically) more control over who's connecting.

That being said, you can usually get around it by using a properly populated 'hosts' file (and a service.switch file).

As Ivan says though, if you're using a pre-compiled package, there's no real way you can get around using it.

All this being said, why aren't you setting up reverse zone files? It's not hard to do, and if it is an internal network, and you don't care what the individual machines' reverse lookup returns (sendmail doesn't unless you turn on some pretty harsh options for HELO matching), then simple names are more than enough, i.e.:

1 IN PTR 1.internal.

for all 255 numbers, and you can copy it around *shrug*.
One long-haired git at your service...
Al Licause
Trusted Contributor

Re: Reverse Lookup zone benefits ?

As was mentioned, many applications such as sendmail and telnetd perform reverse lookups during normal operations. In some cases the lookup is simply for logging purposes; in others, such as NFS, it is for security, and if the lookup is not successful, the connection will be refused.

In your case, there may be an alternate DNS server that has reverse zones defined, or the application may simply time out and use what it has.

The benefits are that it can greatly increase connection times avoiding long delays. It's up to you to weigh the benefits.
Steven E. Protter
Exalted Contributor

Re: Reverse Lookup zone benefits ?

Shalom again Maaz,

Answer to your question.

My servers will reject your mail out of hand if there is no reverse lookup zone.

Other servers will drop your priority, making it harder to process your message, introducing delays.

If you do some email interactively with telnet, you will see this yourself. You will also see messaging concerning reverse lookup zones. It's absolutely essential to have them.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Ivan Ferreira
Honored Contributor

Re: Reverse Lookup zone benefits ?

Also, when you use Outlook Express, you also receive messages at the time you send, so it could be your POP/IMAP server doing the reverse lookups.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Maaz
Valued Contributor

Re: Reverse Lookup zone benefits ?

Thanks Dear ALL Gurus for such a nice help and support ;)

>My servers will reject your mail out of hand if there is no reverse lookup zone

I also want to implement this ... what should I do in sendmail.mc ?

Regards
Maaz
Ivan Ferreira
Honored Contributor

Re: Reverse Lookup zone benefits ?

Check this link:

http://networking.ringofsaturn.com/Unix/sendmailtips.php
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Maaz
Valued Contributor

Re: Reverse Lookup zone benefits ?

Thanks Dear Ivan for the help ;)
From the tutorial (http://networking.ringofsaturn.com/Unix/sendmailtips.php) I copy-pasted the lines into my sendmail.cf and then restarted the service; an error occurred.
Please check the attachment for the error.
Maaz
Valued Contributor

Re: Reverse Lookup zone benefits ?

Please find the attached sendmail.cf file also.
Ivan Ferreira
Honored Contributor

Re: Reverse Lookup zone benefits ?

So, you get an error. I can see from the attached file that you used spaces instead of tabs. Sendmail is very sensitive to that; you must use tabs instead of spaces in this ruleset declaration.

Add this to the end of your sendmail.mc file:

LOCAL_RULESETS
SLocal_check_relay
R$*		$: $&{client_resolve}
RTEMP		$#error $@ 4.7.1 $: "450 Access denied. Cannot resolve PTR record for " $&{client_addr}
RFORGED		$#error $@ 4.7.1 $: "450 Access denied. IP name possibly forged " $&{client_name}
RFAIL		$#error $@ 4.7.1 $: "450 Access denied. IP name lookup failed " $&{client_name}

Ensure that a TAB is used to separate the right side from the left side.

Create your cf with:

m4 sendmail.mc > sendmail.cf

Restart sendmail; you should not get errors.

Try again.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Maaz
Valued Contributor

Re: Reverse Lookup zone benefits ?

client IP: 10.0.0.1

Thanks Dear Ivan for such nice/kind help.
OK, I put the code into the sendmail.cf file and then restarted sendmail; no error ;)

But when I telnet to the server from the client, the following is the result:
#telnet mail.test.com 25
220 localhost.localdomain ESMTP Sendmail 8.13.1/8.13.1; Fri, 11 Aug 2006 11:37:38 +0500
helo test.com
250 localhost.localdomain Hello pc1.test.com [10.0.0.1] (may be forged), pleased to meet you
MAIL FROM:
450 4.7.1 Access denied. IP name possibly forged [10.0.0.1]

On sendmail server:
#tail -f /var/log/maillog
Aug 11 11:41:29 system2 sendmail[2787]: ruleset=check_relay, arg1=[10.0.0.1], arg2=10.0.0.1, relay=pc1.test.com [10.0.0.1] (may be forged), reject=450 4.7.1 Access denied. IP name possibly forged [10.0.0.1]

BIND and sendmail are configured on the same system (10.0.0.2).
On the sendmail server:
#cat /etc/resolv.conf
nameserver 10.0.0.2

#cat /etc/named.conf
zone "0.0.10.in-addr.arpa" IN {
type master;
file "re";
};

zone "test.com" IN {
type master;
file "test.com.frwd";
};

The file for the reverse lookup zone is attached (/var/named/chroot/var/named/re).
Maaz
Valued Contributor

Re: Reverse Lookup zone benefits ?

reverse lookup zone file is attached.
Ivan Ferreira
Honored Contributor

Re: Reverse Lookup zone benefits ?

What is the output of:

dig -x 10.0.0.1

Also, you can leave only the line that checks for PTR and remove the others that check for forged addresses.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Maaz
Valued Contributor

Re: Reverse Lookup zone benefits ?

Millions of thanks, Dear Mr Ivan Ferreira, for such nice help and support ;)

The dig -x 10.0.0.1 output is attached.

As per your instructions, I simply removed the "forged" line from sendmail.cf, and now it's working ;).

From sendmail.cf:

SLocal_check_relay
R$*		$: $&{client_resolve}
RTEMP		$#error $@ 4.7.1 $: "450 Access denied. Cannot resolve PTR record for " $&{client_addr}
RFAIL		$#error $@ 4.7.1 $: "450 Access denied. IP name lookup failed " $&{client_name}

May I know why this line [ RFORGED $#error $@ 4.7.1 $: "450 Access denied. IP name possibly forged " $&{client_name} ] is not working properly, even though IP to name resolution is working fine?

Regards
Maaz
Ivan Ferreira
Honored Contributor

Re: Reverse Lookup zone benefits ?

Glad to help Maaz.

The theory indicates that sendmail will try to do 2 lookups, a reverse lookup and a forward lookup. If the forward lookup does not match the information obtained in the reverse lookup, then it considers the IP "forged".

Ensure that the A record and the PTR record resolve to the same hostname. If that is correct, then additional debugging is needed.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
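
Added example (not part of the original thread and not sendmail's own code): a small offline model of the two-lookup check described in the post above, using the outcome names from the ruleset (OK, TEMP, FAIL, FORGED). The resolver class, the zone data and the PTR entry for 10.0.0.2 are constructed for illustration; the "before" data has a PTR record for 10.0.0.1 but no matching A record.

```python
# Added illustration: a model of the PTR-then-A check, not sendmail's own code.
from enum import Enum

class Resolve(Enum):          # outcome names follow the ruleset's tokens
    OK = "OK"
    TEMP = "TEMP"
    FAIL = "FAIL"
    FORGED = "FORGED"

class TempFailure(Exception):
    """Resolver could not answer right now (timeout, SERVFAIL)."""

class StaticResolver:
    """Offline stand-in for DNS, built from constructed zone data."""
    def __init__(self, ptr, a, unreachable=()):
        self.ptr, self.a, self.unreachable = ptr, a, set(unreachable)

    def reverse(self, ip):
        if ip in self.unreachable:
            raise TempFailure(ip)
        return self.ptr.get(ip)                  # None: no PTR record

    def forward(self, name):
        return self.a.get(name.rstrip(".").lower(), [])

def client_resolve(ip, resolver):
    """Return (outcome, name) for a connecting client address."""
    try:
        name = resolver.reverse(ip)
    except TempFailure:
        return Resolve.TEMP, None
    if name is None:
        return Resolve.FAIL, None
    if ip not in resolver.forward(name):         # name does not map back
        return Resolve.FORGED, name
    return Resolve.OK, name

# Constructed zone data modelled on the thread (10.0.0.1 client, 10.0.0.2 server).
PTR = {"10.0.0.1": "pc1.test.com.", "10.0.0.2": "mail.test.com."}
A_BEFORE = {"mail.test.com": ["10.0.0.2"]}                  # no A record for pc1
A_AFTER = {**A_BEFORE, "pc1.test.com": ["10.0.0.1"]}        # A record added

def audit(ptr, a):
    """Check every address in the reverse zone; return {ip: outcome name}."""
    r = StaticResolver(ptr, a)
    return {ip: client_resolve(ip, r)[0].value for ip in sorted(ptr)}

if __name__ == "__main__":
    print("before:", audit(PTR, A_BEFORE))
    print("after: ", audit(PTR, A_AFTER))
```

Running the same audit over every PTR entry in a reverse zone before enabling the FORGED rule shows which internal hosts would be refused.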
Kodjo Agbenu
Honored Contributor

Re: Reverse Lookup zone benefits ?

Hi Maaz,

I can say that you are a very generous man, thus awarding 10 points several times in the same thread.

Hence, I hoped that by complimenting you about your generosity, I could expect some points in return.

Forget my stupid joke :-)

Good luck.
Kodjo
Learn and explain...
Maaz
Valued Contributor

Re: Reverse Lookup zone benefits ?

Dear Ivan Ferreira, as per your instruction, I simply also added a record for the client machine in the forward lookup zone, and now it's working ;).

Dear Kodjo Agbenu, well, I think anyone who helps/replies takes time out of his/her busy schedule, so I think I must appreciate it ;). Believe me, I have saved my job several times... these forums and you GUYS are GENEROUS ;).

Thanks and Regards
Maaz