
Re: sendmail question.

 
Steven E. Protter
Exalted Contributor

sendmail question.

How do I verify that my sendmail daemon only accepts messages from valid domain names?

I think I have that right.

How do I make sure it's doing reverse lookups to validate the IP address of senders?

I want to screw things down tight.

Recommend changes to make the sendmail daemon validate that the domain sending the mail actually exists.

So that if schmobagel@aol.com sends me mail, it's accepted because aol.com exists.

But if shmuel@schmobagel.com sends me mail, it's rejected.

This would be a very effective spam filter.

What I need is as follows:

1) A tested scenario. This means you've actually done it. I'll give points for suggestions, but if you want 10 you need to provide a tested, step by step plan run on either HP-UX or Linux.

2) Details

For example: add the following directives to sendmail.mc, rebuild the hash db (I know how, but does everyone else?)

If you don't think this is possible, try sending mail to aol from an unregistered domain name, even if the sending email address is perfectly valid. Do it on the command line and see what response you get.
/usr/sbin/sendmail -v -d8.99 -d38.99 stevenprotter"at"juf.org (hpux mod it for linux) choose a real aol.com email address btw.

I will not follow the rules and say this in a shout.

I WANT MY SERVER TO DO THAT!

Red Hat 7.3

Linux Version number

220 investmenttool.com ESMTP Sendmail 8.11.6/8.11.6; Tue, 14 Jan 2003 10:46:42 -0600


I'm hopefully looking for TESTED sendmail.mc directives.

Steve
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
6 REPLIES
Stuart Browne
Honored Contributor

Re: sendmail question.

I'm assuming you do *NOT* have the "FEATURE(`accept_unresolvable_domains')" un-commented in your /etc/mail/sendmail.mc ?

Short of pumping in SMTP commands to test (which is how we do it, but then again, I like doing things by hand), I'm unsure of the best way to test things.

About the closest thing I can see to testing senders without manually typing in SMTP conversations (two lines to get that far btw), is to use '/usr/lib/sendmail -bt', turn on resolver debugging (type '-d38.20'), then issue '/canon '. It'll show the steps, and show if it fails to resolve a given domain.

Other than that, 'telnet 25', 'helo blah', then 'mail from: '. It'll reject it there if it fails.

Hope this helps a little.
One long-haired git at your service...
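
Added example (not part of the thread and not any poster's code): a small Python check for the setting Stuart asks about, listing the FEATURE() lines in a sendmail.mc that m4 will still expand and that relax sender-domain checking. The sample file is constructed, and `accept_unqualified_senders` is included as a related feature the thread does not mention.

```python
import re

# Features that switch off sendmail's sender-domain checks at MAIL FROM.
RELAXING = {
    "accept_unresolvable_domains": "sender domains that do not resolve in DNS are accepted",
    "accept_unqualified_senders": "sender addresses with no domain part are accepted",
}
# m4 quotes look like `name'; capture the first argument of FEATURE().
FEATURE_RE = re.compile(r"FEATURE\(\s*`?([A-Za-z0-9_]+)'?")
# 'dnl' discards the rest of the line; '#' stops m4 expanding it.
# Simplification: a '#' inside m4 quotes is treated as a comment too.
COMMENT_RE = re.compile(r"\bdnl\b|#")


def active_features(mc_text):
    """Return (line_number, feature) pairs for FEATURE() calls m4 will expand."""
    found = []
    for lineno, line in enumerate(mc_text.splitlines(), start=1):
        live = COMMENT_RE.split(line, maxsplit=1)[0]
        for name in FEATURE_RE.findall(live):
            found.append((lineno, name))
    return found


def audit(mc_text):
    """Return (line_number, feature, effect) for active features that relax checks."""
    return [(n, f, RELAXING[f]) for n, f in active_features(mc_text) if f in RELAXING]


# Constructed sample, not a real site's sendmail.mc.
SAMPLE_MC = """\
dnl Constructed sample for the audit below
OSTYPE(`linux')dnl
FEATURE(`access_db',`hash -o /etc/mail/access.db')dnl
dnl FEATURE(`accept_unqualified_senders')dnl
FEATURE(`accept_unresolvable_domains')dnl
# FEATURE(`accept_unresolvable_domains')
MAILER(smtp)dnl
"""

if __name__ == "__main__":
    for lineno, feature, effect in audit(SAMPLE_MC):
        print(f"line {lineno}: FEATURE({feature}) is active: {effect}")
```

A change to sendmail.mc takes effect only after sendmail.cf is regenerated from it with m4 and the daemon is restarted.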
Trever Furnish
Regular Advisor

Re: sendmail question.

Stuart's right but I'll add a note to his SMTP conversation comments - be sure you're not doing it from somewhere that is approved for other reasons.

I.e. usually the box itself is allowed to relay based on its IP address, so your unresolvable domain won't even get checked. To make your test valid, do it from somewhere you are sure you haven't allowed relay based on source address. I.e. telnet to port 25 from some external box.
Hockey PUX?
Steven E. Protter
Exalted Contributor

Re: sendmail question.

Thank you, keep the ideas coming. I'm still trying things out.

Steve
Steven E Protter
U.SivaKumar_2
Honored Contributor

Re: sendmail question.

Run network sniffer to analyse DNS queries.
tcpdump or ethereal is my choice.

regards,
U.SivaKumar
Innovations are made when conventions are broken
U.SivaKumar_2
Honored Contributor

Re: sendmail question.

Hi,

To trace DNS lookups, run sendmail in this debug mode.

#sendmail -d8.8

regards,
U.SivaKumar
Innovations are made when conventions are broken
U.SivaKumar_2
Honored Contributor

Re: sendmail question.

Hi,

Run this command

#echo '/map host [202.156.33.23]' | sendmail -bt -d8.8

Let 202.156.33.23 be one of the servers in a domain you have authorised. So if reverse lookup is working properly, then the DNS name of the above IP address will be returned by the above command.

regards,
U.SivaKumar




Innovations are made when conventions are broken