[Mimedefang] Re: MIMEDefang digest, Vol 1 #763 - 16 msgs

Rick Robino rrobino at wavedivision.com
Thu Jun 26 14:46:01 EDT 2003


On Thursday, June 26, 2003, at 08:31  AM, 
mimedefang-request at lists.roaringpenguin.com wrote:
>
> Message: 6
> Date: Wed, 25 Jun 2003 20:46:07 -0400 (EDT)
> From: "David F. Skoll" <dfs at roaringpenguin.com>
> [...]
> On Wed, 25 Jun 2003, Richard Laager wrote:
>
>> Has anyone here tried setting up MIMEDefang to enforce reverse DNS 
>> entries
>> for the MAIL FROM: domain, and/or the $RelayAddr?
>
> Sendmail itself normally verifies that the domain has either an MX or 
> an A
> record.
>
> You can enforce reverse DNS like this:
>
> sub filter_relay {
> 	my($hostip, $hostname, $helo) = @_;
> 	if ($hostname eq "[$hostip]") {
> 		# NOTE: If lookup failed temporarily, we reject!
> 		# We should really check for that.
> 		return('REJECT', "Sorry: $hostip has no reverse DNS");
> 	}
> 	return ('CONTINUE', "ok");
> }
>
>> Any thoughts on if this
>> causes a lot of legitimate mail to be blocked?
>
> Probably.  However, AOL has implemented something like this, so I 
> expect
> DNS maintainers to clean up their act, and I'd expect most hosts to
> have good reverse DNS within a few months to a year.
>
> --
> David.
>
>
> Message: 13
> Date: Thu, 26 Jun 2003 10:22:58 -0400
> From: Joseph Brennan <brennan at columbia.edu>
> [...]
>
>> Has anyone here tried setting up MIMEDefang to enforce reverse DNS 
>> entries
>> for the MAIL FROM: domain, and/or the $RelayAddr? Any thoughts on if 
>> this
>> causes a lot of legitimate mail to be blocked?
>
> It would cause a lot of legitimate mail to be blocked.
>
> But we give 2 points for no rDNS in Spamassassin.
>
> Joseph Brennan          Columbia University in the City of New York
> postmaster at columbia.edu                 Academic Technologies Group

The subject of reverse DNS and what to do about it in terms of routing 
mail has had a lot of debate over the years.  While I don't want to 
rehash what has already been said here about missing PTR records, I 
would like to bring up here something that hasn't been treated for a 
while, and is something of a new situation:  real MX records for bogus 
hosts, pointing to reachable servers that do not accept mail.  The 
problem is that since (sendmail) finds valid MX records and can reach 
the servers listed, it keeps retrying to send bounce messages for 
the full length of the queue timeout.

Spammers are actively employing this, and that means that we're talking 
about a lot of queued up bounces that are not going anywhere - keep in 
mind that sendmail's default is (IIRC) four days.  If your mqueue and 
clientmqueue and MIMEDefang area are all on one slice, like mine, this 
can become a problem.  Is anyone else seeing this?

The real solution would be to implement a more intelligent and easily 
configurable queueing algorithm, where state would be kept about hosts 
who reject email and their reasons.  In my experience, most 
legitimately down hosts will at least return a DSN indicating a 
problem.  The problem hosts I am talking about here don't have anything 
listening on port 25, let alone responding with proper SMTP dialogue.  
But there isn't really an easy way to pick and choose rules according 
to host conditions and queue tries, time, etc... so what I have had to 
do is put some of these domains in my own DNS, configure myself to 
accept the mail locally, and then alias the whole domain to /dev/null 
in virtusers - mind you this is on a machine that doesn't have any 
local mailboxes, and routes everything real with mailertable.  Yes, 
Ugly.

I do have a MIMEDefang point here, but I think asking MD to help handle 
this problem as an alternative to the above had to be clarified to 
avoid some flames.  My point is:  can someone hand my lazy self a 
filter rule that does an SMTP check to the MX list of wherever MD would 
normally send a bounce (or quarantine msg) to, that if there is no 
valid SMTP reply at all the message could be marked and then treated 
normally, allowing me to trash it or apply other rules?  The MX list 
very often consists of only one priority 0 host.  I would want to queue 
if the host simply wasn't reachable at all, and for that matter I 
suppose a ping would suffice as a check (a quick syn scan would 
probably be too long).

It may sound loose and dangerous to throw away mail like this; 
obviously legitimately down hosts will suffer flat out data loss 
because of this behavior, but in my case I could and would use it.  Any 
MD solutions?  If someone has some moral advice for me on this topic 
you can proselytize directly to me offline and spare the group ;-)

Thanks in advance,

--Rick
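Added example, not code from this thread or from MIMEDefang itself: a small Python model of the two checks discussed above. The first is David's reverse-DNS test with the temporary-failure case his comment says it ought to distinguish (returning a TEMPFAIL instead of a REJECT). The second is the MX-reachability classification Rick asks for: try the MX hosts in priority order, treat a 220 greeting as deliverable, treat "reachable but nothing speaking SMTP on port 25" as a dead MX to be marked, and fall back to queueing when a host cannot be reached at all. DNS and TCP are passed in as callables so the logic runs offline against the constructed sample data at the bottom; the function names, the outcome labels and the sample addresses are this example's own assumptions, and `tcp_banner_probe` is the only part that touches a real network.

```python
# Added example (not from the list post or MIMEDefang): reverse-DNS and
# MX-reachability checks with DNS/TCP injected so they run offline.
import socket


def check_reverse_dns(hostip, lookup_ptr):
    """Reverse-DNS enforcement in the shape of a filter_relay result.

    lookup_ptr(ip) returns the PTR name, None when no record exists, or
    raises TimeoutError on a temporary resolver failure.  A temporary
    failure gets TEMPFAIL, not REJECT: that is the case the quoted
    filter_relay snippet notes it should really check for.
    """
    try:
        name = lookup_ptr(hostip)
    except TimeoutError:
        return ("TEMPFAIL", f"Temporary DNS failure looking up {hostip}")
    if name is None:
        return ("REJECT", f"Sorry: {hostip} has no reverse DNS")
    return ("CONTINUE", "ok")


def tcp_banner_probe(host, port=25, timeout=5.0):
    """Real network probe (not used by the offline sample data below):
    connect to port 25 and read the greeting.  Returns one of the three
    states classify_bounce_target understands."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            greeting = s.recv(512).decode("ascii", "replace")
    except ConnectionRefusedError:      # host up, nothing listening
        return ("refused", "")
    except OSError:                     # timeout, no route, name error
        return ("unreachable", "")
    return ("banner", greeting)


def classify_bounce_target(domain, resolve_mx, probe):
    """Decide what a bounce addressed to `domain` would run into.

    resolve_mx(domain) -> list of (priority, host); probe(host) ->
    (state, greeting).  Hosts are tried in MX priority order.
      "deliverable": some MX answered with a 220 greeting
      "dead-mx":     every MX was reachable but none spoke SMTP
                     (mark the message and let the usual rules decide)
      "queue":       at least one MX could not be reached at all
      "no-mx":       the domain has no MX records
    """
    mxs = sorted(resolve_mx(domain))
    if not mxs:
        return "no-mx"
    states = []
    for _prio, host in mxs:
        state, greeting = probe(host)
        if state == "banner" and greeting.startswith("220"):
            return "deliverable"
        states.append(state)
    if all(s in ("refused", "banner") for s in states):
        return "dead-mx"
    return "queue"


# Constructed sample data standing in for DNS and the network.
SAMPLE_PTR = {"192.0.2.10": "mail.example.net", "192.0.2.20": None}
SAMPLE_MX = {
    "good.example":  [(10, "mx1.good.example"), (20, "mx2.good.example")],
    "bogus.example": [(0, "mx.bogus.example")],
    "flaky.example": [(0, "mx1.flaky.example"), (10, "mx2.flaky.example")],
    "nomx.example":  [],
}
SAMPLE_PORT25 = {
    "mx1.good.example":  ("unreachable", ""),
    "mx2.good.example":  ("banner", "220 mx2.good.example ESMTP\r\n"),
    "mx.bogus.example":  ("refused", ""),        # Rick's bogus MX host
    "mx1.flaky.example": ("refused", ""),
    "mx2.flaky.example": ("unreachable", ""),
}


def sample_ptr(ip):
    if ip == "192.0.2.30":
        raise TimeoutError("resolver timed out")   # constructed tempfail
    return SAMPLE_PTR.get(ip)


def sample_mx(domain):
    return SAMPLE_MX.get(domain, [])


def sample_probe(host):
    return SAMPLE_PORT25[host]


def demo():
    """Run every constructed case; returns {input: outcome}."""
    out = {ip: check_reverse_dns(ip, sample_ptr)[0]
           for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30")}
    out.update({d: classify_bounce_target(d, sample_mx, sample_probe)
                for d in SAMPLE_MX})
    return out


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(f"{key:20} -> {outcome}")
```

To use it against real hosts, pass `tcp_banner_probe` as `probe` and a resolver that returns `(priority, host)` pairs; the "dead-mx" outcome is the marker Rick wants, while "queue" keeps the normal retry behaviour for hosts that are merely down.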



