greylisting?

John Rudd jrudd at ucsc.edu
Mon Apr 17 21:54:36 IST 2006


On Apr 16, 2006, at 8:43 PM, Res wrote:

> On Sat, 15 Apr 2006, Alex Neuman van der Hans wrote:
>
>> Res wrote:
>>> I agree with this; you only need it set to about 5000. It catches so 
>>> much of it, and enforcing RFC1912 catches around 90% more.
>> By that you mean only accepting mail from valid domains with an MX? 
>> RFC1912 seems to cover a lot. How do you do it? Please share ;)
>
> You don't have to have matching A and PTRs, but they both must exist, 
> and we let you in :)
> we use the require_rdns hack, I used to do it in local rulesets but 
> the hack is far better as it allows for exemptions via the 
> delay_checks friends option.
>
> The hack is available at http://support.ausics.net/require_rdns.m4  if 
> you have not seen it before.

So, you make sure they have a PTR record for that relay's IP addr, but 
you don't make sure that the name it gives has an A record that matches 
the relay's IP addr?  That's what I'd like to see.

The one thing I don't like, from reading the comments in 
require_rdns.m4 is:

It treats forgeries as a temp failure, and no-rDNS as a permanent 
failure.  This is _exactly_ backward to me.  I want no-rDNS to be a 
temp failure (in case it was caused by a slow DNS check, in the hope 
that the next time they try, their rDNS result will be in my name 
server's cache), and I want _forgeries_ to be permanently rejected (if 
someone is forging their rDNS, I don't want to see their messages 
_ever_, until they stop forging).


I do something similar in MIMEDefang's filter_relay (at home, not yet 
at work), where I check if the relay's hostname (in MIMEDefang) is 
"[$ip]".  If hostname eq "[$ip]" and $ip is in (my local IP block, the 
email server IP block at work, 127.0.0.1), then I let it through.  
Elsif $hostname eq "[$ip]", then I reject with a temporary failure (in 
case it's a transient DNS error, hopefully by the time they resubmit, 
their rDNS check will be in my name server's cache).

The one case I am not _easily_ able to check is for forgeries.  I would 
have to do the DNS check on $hostname to be sure it returns an IP 
address in its list of results which matches $ip.  Which I _could_ do, 
but I'm not sure how much it'll slow things down.  I wish the milter 
just had a way of telling me sendmail's "may be forged" status (I don't 
know if this is sendmail's fault, or mimedefang's, for not having that 
information available to my filters).


All of my no-rDNS submitters are being caught either by the greet_pause 
or by filter_relay.  (So far today: 3 no-rDNS hosts in greet_pause (out 
of 28 total hosts caught by greet_pause, in 38 connection attempts), and 46 
no-rDNS hosts caught by filter_relay; only 8 of them have tried 
multiple connections today.)  Note: greet_pause happens first, so those 
46 hosts caught by filter_relay are getting through the greet_pause. 
(Not a complaint, just an observation; I'm a HUGE fan of the 
greet_pause.)



More information about the MailScanner mailing list
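The relay check described in the message above, worked out as an added example that is not part of the original post and is not MIMEDefang's own Perl filter_relay: the no-rDNS / trusted-network decision in Python, plus the forward ("may be forged") lookup the author says he would have to add himself, with his preferred mapping of no-rDNS to a temporary failure and forgery to a permanent rejection. The resolver is injected, so the forward-DNS table and the trusted networks are constructed placeholders (RFC 5737 documentation ranges), not the author's real address blocks; the return tuples borrow the CONTINUE/TEMPFAIL/REJECT names that MIMEDefang's filter_relay returns.

```python
import ipaddress

# Placeholder networks standing in for "my local IP block, the email
# server IP block at work, 127.0.0.1" (constructed, RFC 5737 ranges).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("127.0.0.0/8", "192.0.2.0/24", "198.51.100.0/24")]

# Constructed forward-DNS table standing in for a real A lookup:
# hostname -> list of A records.
FORWARD_DNS = {
    "mx1.example.net": ["203.0.113.10", "203.0.113.11"],
    "fake.example.org": ["203.0.113.99"],
    "dead.example.com": [],
}


def lookup_a(hostname):
    """Offline stand-in for gethostbyname(): A records for hostname."""
    return FORWARD_DNS.get(hostname, [])


def failing_lookup(hostname):
    """Stand-in for a resolver that times out (constructed for the demo)."""
    raise TimeoutError("DNS lookup timed out")


# (action, smtp_reply) pairs named after filter_relay's return values.
ACCEPT = ("CONTINUE", None)
TEMPFAIL = ("TEMPFAIL", "451 4.7.1 No usable reverse DNS for your IP; try again later")
REJECT = ("REJECT", "550 5.7.1 Reverse DNS name does not resolve back to your IP")


def classify_relay(relay_ip, hostname, resolve=lookup_a):
    """
    relay_ip: connecting address as a string.
    hostname: the name sendmail handed to the milter, or "[relay_ip]" when
              there was no PTR record (the form filter_relay sees).
    Returns one of ACCEPT, TEMPFAIL, REJECT.
    """
    ip = ipaddress.ip_address(relay_ip)

    if hostname == f"[{relay_ip}]":
        # No rDNS.  Local hosts are let in; everyone else gets a 4xx so a
        # transient resolver failure is retried rather than bounced, and
        # the retry may find the PTR answer in the local cache.
        if any(ip in net for net in TRUSTED_NETS):
            return ACCEPT
        return TEMPFAIL

    # Forgery check: the PTR name must have an A record equal to the
    # connecting address (the condition behind sendmail's "may be forged").
    try:
        forward = {ipaddress.ip_address(a) for a in resolve(hostname)}
    except OSError:
        # A timeout or SERVFAIL on the forward lookup is not evidence of
        # forgery; defer, as with missing rDNS.
        return TEMPFAIL

    if ip not in forward:
        return REJECT
    return ACCEPT


if __name__ == "__main__":
    for ip, name in (("203.0.113.10", "mx1.example.net"),
                     ("203.0.113.10", "fake.example.org"),
                     ("203.0.113.10", "[203.0.113.10]"),
                     ("192.0.2.5", "[192.0.2.5]")):
        print(ip, name, "->", classify_relay(ip, name)[0])
```

In a live filter the lookup_a stand-in would be a real forward query (socket.getaddrinfo here, Net::DNS in the Perl filter) with a short timeout, which is exactly the extra round trip the author is weighing; the except branch matters because a slow or failing resolver must be deferred, not punished as a forgery.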