tcpserver -p and smtpd and DNS

2001-05-14 Thread David Killingsworth

I have been running qmail for about 8 months. It works great.
So far I have not been able to resolve one problem.
When an smtp connection comes in we only want to connect
with servers who have forward and reverse DNS that match.

I managed to install a macro into sendmail (mail server we replaced)
in about 15 minutes that takes the IP of the incoming smtp request,
looks up the name, then looks up the IP for the NAME. The IP
should be the same as the connecting host. If this is not the case
the smtp connection should be dropped.

I use tcpserver to start smtpd.
I use the -p (paranoid) option, (added the option a few days ago)
which by my preliminary understanding was supposed to accomplish
this task of DNS cross-matching.

However I received an email recently whose headers are

Received: from unknown (HELO www.somang.or.kr) ([EMAIL PROTECTED])
I noticed that there isn't a hostname.
nslookup 211.38.3.100  will return no hostname.
So back to the drawing board.
http://cr.yp.to/ucspi-tcp/tcpserver.html   ( -- drawing board)

I notice -p: Paranoid. After looking up the remote host name in DNS, look up
the IP addresses in DNS for that host name, and remove the environment variable
$TCPREMOTEHOST if none of the addresses match the client's IP address.

Upon re-reading this option I notice it did what it says it does.
It removed the $TCPREMOTEHOST, hence the Received: from unknown

I still got the email. So now I figure that $TCPREMOTEHOST is
passed to smtpd in the environment variables.
So somehow I need to tell smtpd to close
if condition is not met.
Oh.. I have read the man pages. I have installed qmail, vpopmail,
on more than a dozen servers for nearly that many clients.
I understand quite a bit.
 David Killingsworth.



Re: tcpserver -p and smtpd and DNS

2001-05-14 Thread Gerrit Pape

On Mon, May 14, 2001 at 06:30:44AM -, David Killingsworth wrote:
> I have been running qmail for about 8 months. It works great.
> So far I have not been able to resolve one problem.
> When an smtp connection comes in we only want to connect
> with servers who have forward and reverse DNS that match.

I already answered your question in alt.comp.mail.qmail some days ago. What
is wrong with my answer?

Gerrit.

-- 
[EMAIL PROTECTED]
innominate AG
 the linux architects
tel: +49.30.308806-0  fax: -77  http://www.innominate.com



Re: tcpserver -p and smtpd and DNS

2001-05-14 Thread David Killingsworth

I have narrowed this to one simple item. Could someone, possibly you Gerrit
I know you have answered one way to get around this I just wanna understand
why I have to get around it, explain to me why qmail has delivered an email
to me that contains the following header:

Received: from unknown (HELO dali.onevision.de) (@212.77.172.50)
 by mail.myweb.net with SMTP; 14 May 2001 08:59:56 -

I have tcpserver -DUvp wrapping smtpd for qmail. 

Shouldn't tcpserver drop the connection when $TCPREMOTEIP is DNS'd to
a hostname and $TCPREMOTEHOST is DNS'd to an IP? If $TCPREMOTEIP can't
be resolved or if $TCPREMOTEHOST can't be resolved, shouldn't this cause
a FATAL in tcpserver? And it will drop the incoming connection?

 David.




Re: tcpserver -p and smtpd and DNS

2001-05-14 Thread Mark Delany

On Mon, May 14, 2001 at 10:10:21AM -, David Killingsworth wrote:
> I have narrowed this to one simple item. Could someone, possibly you Gerrit
> I know you have answered one way to get around this I just wanna understand
> why I have to get around it, explain to me why qmail has delivered an email
> to me that contains the following header:
>
> Received: from unknown (HELO dali.onevision.de) (@212.77.172.50)
>  by mail.myweb.net with SMTP; 14 May 2001 08:59:56 -
>
> I have tcpserver -DUvp wrapping smtpd for qmail.
>
> Shouldn't tcpserver drop the connection when $TCPREMOTEIP is DNS'd to
> a hostname and $TCPREMOTEHOST is DNS'd to an IP? If $TCPREMOTEIP can't
> be resolved or if $TCPREMOTEHOST can't be resolved, shouldn't this cause
> a FATAL in tcpserver? And it will drop the incoming connection?

tcpserver *only* rejects connections if told to do so by the rules
supplied with -x or -X. What rules have you tried?

You should be able to get tcpserver to drop connections that do not
have TCPREMOTEHOST set by putting these entries in your rules:

=.:allow
:deny


Regards.



 



Re: tcpserver -p and smtpd and DNS

2001-05-14 Thread Gerrit Pape

On Mon, May 14, 2001 at 10:10:21AM -, David Killingsworth wrote:
 
> Shouldn't tcpserver drop the connection when $TCPREMOTEIP is DNS'd to
> a hostname and $TCPREMOTEHOST is DNS'd to an IP? If $TCPREMOTEIP can't
> be resolved or if $TCPREMOTEHOST can't be resolved, shouldn't this cause
> a FATAL in tcpserver? And it will drop the incoming connection?

No. The docs say tcpserver will remove $TCPREMOTEHOST in that case. It is
on you (your proc tcpserver is running) to decide to drop the connection.

Gerrit.
-- 
[EMAIL PROTECTED]
innominate AG
 the linux architects
tel: +49.30.308806-0  fax: -77  http://www.innominate.com



Re: tcpserver -p and smtpd and DNS

2001-05-14 Thread Jim Steele

On Mon, May 14, 2001 at 12:35:32PM +, Mark Delany wrote:
 
> =.:allow
> :deny
 

Close.  To achieve this, the tcp.smtp file should actually contain:

=:allow
:deny

I just experimented with both forms.  With the dot, nothing matched,
including hosts with good forward/reverse resolvability.  Without it,
only sites for which tcpserver didn't unset TCPREMOTEHOST matched.

This, of course, is exactly the desired behavior.  As already
mentioned in this thread, tcpserver -p unsets TCPREMOTEHOST when the
name obtained by reverse lookup can't be resolved to the original IP.

Consequently, for such an (arguably) undesirable client IP, no match
occurs at the =:allow line in the above tcp.smtp settings, since the
= token only matches when TCPREMOTEHOST is defined.  The :deny
line then rejects those undesirable clients as they fall through.

Just to be thorough, even if obvious, I'll also mention that these two
lines must appear LAST in your tcp.smtp file.
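
Added example, not part of any message in this thread and not code from ucspi-tcp: a small Python model of what the thread describes, namely tcpserver -p unsetting TCPREMOTEHOST when forward and reverse DNS disagree, and the tcp.smtp rules then deciding whether the connection is dropped. The DNS data, the function names and the rule lookup order are assumptions made for the illustration; real deployments compile tcp.smtp with tcprules and pass the result to tcpserver -x.

```python
# Constructed DNS data using documentation address ranges (not from the thread).
PTR = {"192.0.2.10": "mail.example.org", "198.51.100.7": "spoof.example.net"}
A = {"mail.example.org": ["192.0.2.10"], "spoof.example.net": ["203.0.113.9"]}

def paranoid_remotehost(ip):
    """Model of tcpserver -p: the TCPREMOTEHOST value, or None when it is unset."""
    host = PTR.get(ip)                      # reverse lookup
    if host is None:
        return None                         # no PTR record: never set
    return host if ip in A.get(host, []) else None   # forward lookup must list ip

def parse_rules(text):
    """Parse tcp.smtp-style 'address:instructions' lines into {address: action}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            address, instructions = line.split(":", 1)
            rules[address] = instructions.split(",")[0]
    return rules

def candidate_keys(ip, host):
    """Assumed lookup order, most specific first (TCPREMOTEINFO forms omitted)."""
    octets = ip.split(".")
    keys = [ip]
    if host:
        keys.append("=" + host)
    keys += [".".join(octets[:n]) + "." for n in (3, 2, 1)]
    if host:
        keys += ["=" + host[i:] for i, ch in enumerate(host) if ch == "."]
        keys.append("=")                    # only tried when TCPREMOTEHOST is set
    keys.append("")                         # the bare ':deny' / ':allow' rule
    return keys

def decide(rules_text, ip):
    """Return 'allow' or 'deny' for a connecting IP under the given rules text."""
    rules = parse_rules(rules_text)
    for key in candidate_keys(ip, paranoid_remotehost(ip)):
        if key in rules:
            return rules[key]
    return "allow"                          # assumption: no matching rule means allow

WITHOUT_DOT = "=:allow\n:deny"              # the form that worked in the thread
WITH_DOT = "=.:allow\n:deny"                # the form that matched nothing
if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.50"):
        print(ip, decide(WITHOUT_DOT, ip), decide(WITH_DOT, ip))
```

In this model the "=." rule is never looked up because host name suffixes are only tried from a dot onward (".example.org", ".org"), which is consistent with the experiment reported above.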