Detect missing reverse dns

I want to work on a greylist solution that uses memcache for the backend. I'm either going to use a single memcache server using the method posted in this mailing list a couple months back, or I'm going to use embedded perl so that it will spread it out over all memcache servers. I have decided that for now I'm only going to greylist those connections where the ip doesn't reverse resolve. From my limited understanding, the hosts line below should only pass when there is an actual PTR record for the IP address. But I get the log_message for every host that connects, with or without reverse dns. What's wrong with what I have below?

  warn  !senders = :
        !authenticated = *
        !hosts = +relay_from_hosts
        !hosts = ${lookup dnsdb{ptr=$sender_host_address}{$value}fail}
        log_message = No reverse DNS for $sender_host_address, would greylist check

--
Regards... Todd

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Detect missing reverse dns

On Fri, Jul 17, 2009 at 09:30:51PM -0700, Todd Lyons wrote:
> servers. I have decided that for now I'm only going to greylist those
> connections where the ip doesn't reverse resolve. From my limited
> understanding, the hosts line below should only pass when there is an
> actual PTR record for the IP address. But I get the log_message for
> every host that connects, with or without reverse dns. What's wrong
> with what I have below?
>
> warn !senders = :
>      !authenticated = *
>      !hosts = +relay_from_hosts
>      !hosts = ${lookup dnsdb{ptr=$sender_host_address}{$value}fail}
>      log_message = No reverse DNS for $sender_host_address, would greylist check

Try this instead:

  warn  !senders = :
        !authenticated = *
        !hosts = +relay_from_hosts
        !condition = ${lookup dnsdb{defer_never,ptr=$sender_host_address}{yes}}
        log_message = No reverse DNS for $sender_host_address, would gre\
                      ylist check

The "defer_never" is important. Without it, you might end up sending a temporary error (4xx) code back to the sender if any part of the DNS lookups hang for some reason. Unless that's what you want to have happen. There's more detail about the defer_xx items in section 9.12 in spec.txt.

We also don't want to use "fail" in the failure of the lookup unless you want to cause a 4xx code back to the sender if they don't have a PTR record. That would be bad.

--
Dean Brooks
dean@...
Re: Detect missing reverse dns

On Sat, Jul 18, 2009 at 7:39 AM, Dean Brooks<dean@...> wrote:
>> !hosts = ${lookup dnsdb{ptr=$sender_host_address}{$value}fail}
> Try this instead:
> !condition = ${lookup dnsdb{defer_never,ptr=$sender_host_address}{yes}}

Ugh, when I have tunnel vision it is annoying. It's a condition, not a host. Duh.

> The "defer_never" is important. Without it, you might end up sending
> a temporary error (4xx) code back to the sender if any part of the DNS
> lookups hang for some reason. Unless that's what you want to have happen.
> There's more detail about the defer_xx items in section 9.12 in spec.txt.

My gut reaction was that a 4xx is what I want, but I will err on the side of caution first.

> We also don't want to use "fail" in the failure of the lookup unless
> you want to cause a 4xx code back to the sender if they don't have a
> PTR record. That would be bad.

Makes sense, that verbiage about fail didn't quite make a distinction to me about when to use it the first few times I read it, I'll read it again and see if I can understand the context to use it. Thank you.

--
Regards... Todd
Re: Detect missing reverse dns

2009/7/18 Todd Lyons <tlyons@...>:
> Makes sense, that verbiage about fail didn't quite make a distinction
> to me about when to use it the first few times I read it, I'll read it
> again and see if I can understand the context to use it.

I urge you, and everyone else running an MX to just outright reject mail from hosts without rDNS - there's no excuse for mail server admins not to do this, and people not being strict means spammers can get away with more on botnets. The stricter we all are, the better.

We use this:

  deny  ! condition = ${lookup dnsdb{defer_never,ptr=$sender_host_address}{yes}}
        log_message = [RDNS] no PTR found for $sender_host_address
        message = This host has no reverse DNS, See \
                  http://postmaster.timico.net/faq.html#RDNS for more information.

--
Blog: http://pookey.co.uk/blog
Follow me on twitter: http://twitter.com/ipchristian
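
Before moving from the warn rule to the deny rule, it helps to see which hosts the PTR check is already catching. The following is an added example, not part of the thread or of Exim itself: it tallies main-log lines carrying the two log_message texts quoted above. The sample lines, addresses and function names are constructed, and the surrounding log-line layout is assumed to be Exim's default.

```python
import ipaddress
import re
from collections import Counter

# Message texts copied from the two log_message settings quoted in the thread.
# "Warning: " is the prefix Exim puts in front of a warn verb's log_message.
PATTERNS = {
    "warn": re.compile(r"Warning: No reverse DNS for ([0-9A-Fa-f:.]+), would greylist check"),
    "deny": re.compile(r"\[RDNS\] no PTR found for ([0-9A-Fa-f:.]+)"),
}

# Constructed sample main-log lines (documentation addresses, invented HELO names).
SAMPLE_LOG = """\
2009-07-18 09:12:01 H=(mail) [192.0.2.10] Warning: No reverse DNS for 192.0.2.10, would greylist check
2009-07-18 09:12:40 H=(mx) [2001:db8::25] Warning: No reverse DNS for 2001:db8::25, would greylist check
2009-07-18 09:13:05 1MS0aB-0001Xy-2Z <= alice@example.org H=mail.example.org [203.0.113.5] P=esmtp S=2048
2009-07-18 09:15:22 H=(mail) [192.0.2.10] Warning: No reverse DNS for 192.0.2.10, would greylist check
2009-07-18 09:16:47 H=(localhost) [198.51.100.7] F=<bob@example.net> rejected RCPT <carol@example.com>: [RDNS] no PTR found for 198.51.100.7
"""


def tally_missing_ptr(lines):
    """Count hits per client address, separately for the warn and deny messages."""
    counts = {verb: Counter() for verb in PATTERNS}
    for line in lines:
        for verb, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            try:
                # Normalise and validate; skip tokens that are not real addresses.
                addr = str(ipaddress.ip_address(match.group(1)))
            except ValueError:
                continue
            counts[verb][addr] += 1
    return counts


def repeat_hosts(counter, threshold=2):
    """Addresses seen at least `threshold` times, i.e. senders that retry."""
    return sorted(addr for addr, hits in counter.items() if hits >= threshold)


if __name__ == "__main__":
    result = tally_missing_ptr(SAMPLE_LOG.splitlines())
    for verb, counter in result.items():
        print(verb, dict(counter), "repeat:", repeat_hosts(counter))
```

Hosts that show up repeatedly under the warn message are the ones a greylist would eventually let through and a deny rule would not, so they are the ones to review before tightening the policy.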