Re: wanted: patch to reject mail if envelope sender isn't valid domain

1999-01-12 Thread Rask Ingemann Lambertsen

On 05-Jan-99 06:04:01, Russell Nelson wrote something about "Re: wanted: patch to 
reject mail if envelope sender isn't valid domain". I just couldn't help replying to 
it, thus:
> Yes (nods to johnl), but I'm trying to convince Dan that it's a good
> idea.  I think the increase in reliability (rejecting mail which you
> *know* cannot accept a bounce message, should one be generated) is
> worth the increase in cost (more code and network traffic to check the DNS).

   And similarly, I'm also looking at a way of implementing recipient
address DNS check. If I *know* I can't deliver the message, there is no
point in accepting it in the first place. This will also help in the case
where

 1. Another server tries to send you a message with invalid sender domain.
 2. You reject it.
 3. The other server tries to relay the resulting bounce through you, now
with an invalid recipient address.
 4. You get the double bounce yourself.

   With a check of the recipient address, the double bounce will end on the
other mail server, which should be closer to where the message was generated.

Regards,

/¯¯T¯\
| Rask Ingemann Lambertsen | [EMAIL PROTECTED] |
| Registered Phase5 developer  | WWW: http://www.gbar.dtu.dk/~c948374/   |
| A4000, 775 kkeys/s (RC5-64)  | "ThrustMe" on XPilot and EFnet IRC  |
|   Which is worse: Ignorance or apathy?   Who knows...  Who cares...|



Re: wanted: patch to reject mail if envelope sender isn't valid domain

1999-01-05 Thread Eric Smith

I asked:
> Has anyone written a patch for Qmail 1.0.3 to reject mail if envelope sender
> domain can't be resolved?

Russell Nelson <[EMAIL PROTECTED]> replied:
> Yes (nods to johnl), but I'm trying to convince Dan that it's a good
> idea.  I think the increase in reliability (rejecting mail which you
> *know* cannot accept a bounce message, should one be generated) is
> worth the increase in cost (more code and network traffic to check the DNS).
[more good reasons deleted]

I'll certainly lend my support for this.  It should be a standard feature,
though it should be possible to disable it.  I'd even settle for the default
being disabled, although I think that is somewhat less desirable.

Eric



Re: wanted: patch to reject mail if envelope sender isn't valid domain

1999-01-05 Thread Mate Wierdl

   This may not be the perfect solution: you must use the qmail-users
   mechanism.  First, put the dnsfq program in /var/qmail/bin (it comes
   with qmail; it is used by config but is not installed).  Then in each
   user's .qmail file put
   
   |dnsfq `echo $SENDER|awk -F@ '{print $NF}'`
   ./Mailbox
   

Well, this would bounce bad messages to the user.  Perhaps a better
one is

| if ! dnsfq `echo $SENDER|awk -F@ '{print $NF}'` >/dev/null 2> /dev/null; then exit 99; fi

Anyways, the solution depends on what one wants to do with the bad message.  
Of course a more high tech solution needs a patch.

Mate



Re: wanted: patch to reject mail if envelope sender isn't valid domain

1999-01-05 Thread Mate Wierdl

This may not be the perfect solution: you must use the qmail-users
mechanism.  First, put the dnsfq program in /var/qmail/bin (it comes
with qmail; it is used by config but is not installed).  Then in each
user's .qmail file put

|dnsfq `echo $SENDER|awk -F@ '{print $NF}'`
./Mailbox

(I am assuming you do not know in advance the sender's bad address).

Mate
---
Mate Wierdl | Dept. of Math. Sciences | University of Memphis  



Re: wanted: patch to reject mail if envelope sender isn't valid domain

1999-01-05 Thread Russell Nelson

[EMAIL PROTECTED] writes:
 > Why not break the smtpd into two parts, the way qmail's pop3d
 > separates auth from mail access.  The first part handles everything
 > before DATA, and this can be as simple as a shell or perl script.
 > This is where you can attempt to resolve addresses or do rbl, or
 > check for valid recipient addresses or check recipient or sender
 > quotas or whatever.  There have been many such requests.
 > 
 > The second part queues the message.  Basically it's qmail-queue.

That's an interesting idea, but the difference between POP and SMTP is
that once you exit the POP authentication phase, there's no going
back.  SMTP, on the other hand, needs to keep going.

Perhaps the better solution is to have a parameter to qmail-smtpd,
which gets Bernstein-chained like qmail-popup fork/execs
checkpassword.  This program would work very much like qmail-queue;
might even be a modified qmail-queue, so I'll call it "qmail-queue"
even though it operates differently.  When qmail-smtpd gets a MAIL
FROM: command, "qmail-queue" gets forked and the parameter is written
to it.  "qmail-queue" writes a byte of output which indicates whether
the parameter was acceptable or not.  The following RCPT TO: commands
get written, and a byte read in a similar manner.  When the DATA
command is issued, the terminating null is written down the
qmail-queue control channel, and "qmail-queue" operates as qmail-queue
currently does.

This would be nearly as efficient as the current system.  Sometimes an
extra "qmail-queue" might get spawned and have to be killed.

It would be just as secure as the current system.  The only thing
"qmail-queue" needs to do besides what it currently does is write a
byte every time it reads a sender or recipient.

And, it would completely obviate all the anti-spam patches, since the
qmail-smtpd parameter program would be able to do any and all
filtering, and since it's not a wrapper, it wouldn't get overwritten
whenever ``make setup'' is performed.

Whadda ya say, Dan?

-- 
-russ nelson <[EMAIL PROTECTED]>  http://crynwr.com/~nelson
Crynwr supports Open Source(tm) Software| PGPok |   There is good evidence
521 Pleasant Valley Rd. | +1 315 268 1925 voice |   that freedom is the
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   |   cause of world peace.



Re: wanted: patch to reject mail if envelope sender isn't valid domain

1999-01-05 Thread

Russell Nelson ([EMAIL PROTECTED]) wrote:
: Eric Smith writes:
:  > Has anyone written a patch for Qmail 1.0.3 to reject mail if envelope sender
:  > domain can't be resolved?

: Yes (nods to johnl), but I'm trying to convince Dan that it's a good
: idea.  I think the increase in reliability (rejecting mail which you
: *know* cannot accept a bounce message, should one be generated) is
: worth the increase in cost (more code and network traffic to check the DNS).
: This will also have the side effect of making ezmlm work better
: (because it relies on the envelope sender being correct) by keeping
: the mail on a server closer to the point of error.

Why not break the smtpd into two parts, the way qmail's pop3d
separates auth from mail access.  The first part handles everything
before DATA, and this can be as simple as a shell or perl script.
This is where you can attempt to resolve addresses or do rbl, or
check for valid recipient addresses or check recipient or sender
quotas or whatever.  There have been many such requests.

The second part queues the message.  Basically it's qmail-queue.

Why not make the whole thing a shell script?  Because we want to
catch network errors and timeouts, and we don't want a shell
anywhere near a remote user.

-harold



Re: wanted: patch to reject mail if envelope sender isn't valid domain

1999-01-05 Thread Russell Nelson

Eric Smith writes:
 > Has anyone written a patch for Qmail 1.0.3 to reject mail if envelope sender
 > domain can't be resolved?

Yes (nods to johnl), but I'm trying to convince Dan that it's a good
idea.  I think the increase in reliability (rejecting mail which you
*know* cannot accept a bounce message, should one be generated) is
worth the increase in cost (more code and network traffic to check the DNS).
This will also have the side effect of making ezmlm work better
(because it relies on the envelope sender being correct) by keeping
the mail on a server closer to the point of error.

-- 
-russ nelson <[EMAIL PROTECTED]>  http://crynwr.com/~nelson
Crynwr supports Open Source(tm) Software| PGPok |   There is good evidence
521 Pleasant Valley Rd. | +1 315 268 1925 voice |   that freedom is the
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   |   cause of world peace.



Re: wanted: patch to reject mail if envelope sender isn't valid domain

1999-01-04 Thread John R. Levine

>Has anyone written a patch for Qmail 1.0.3 to reject mail if envelope sender
>domain can't be resolved?

Funny you should ask, not 15 minutes ago I upgraded to 1.0.3 using
such a patch.  You want the patches from Jonathan Bradshaw mentioned
on www.qmail.org.

The patches do some other stuff as well, most of which is useful,
notably logging when qmail-smtpd rejects a mail attempt due to relay
or other rules.  It also supports a cdb for a large badmailfrom
database if you want to try and get into spam filtering by MAIL FROM
address.  (I don't, I just want the domain validation.)

When you test this, note that the rejection actually comes after the
RCPT TO, because he makes a special case of postmaster@ and abuse@ and
accepts mail to those even from bogus sender domains.


-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl, 
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
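
Russell Nelson's one-verdict-byte-per-command checker and the RCPT-time rejection with the postmaster@/abuse@ exception described above, combined in one added example; it is not code from the thread or from any qmail patch. The F/T record framing is borrowed from qmail-queue's envelope format as an assumption, the 'Y'/'N' bytes and all function names are hypothetical, and a constructed table stands in for the DNS lookup so it runs offline.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-in for the DNS lookup: only these domains "resolve". */
static const char *const resolvable[] = { "good.example", NULL };
static int domain_resolves(const char *addr) {
  const char *at = strrchr(addr, '@');
  for (size_t i = 0; at && resolvable[i]; i++)
    if (strcasecmp(at + 1, resolvable[i]) == 0) return 1;
  return 0;
}

/* postmaster@ and abuse@ stay reachable even from bogus sender domains. */
static int exempt(const char *rcpt) {
  return !strncasecmp(rcpt, "postmaster@", 11) || !strncasecmp(rcpt, "abuse@", 6);
}

/* Checker side of the control channel. Assumed framing: "F<sender>\0",
   then "T<rcpt>\0" per recipient, then a lone "\0" when DATA arrives.
   Returns one verdict byte per record ('Y'/'N'), or NULL if malformed. */
const char *run_checker(const char *ctl, size_t len) {
  static char verdicts[64];
  size_t n = 0, pos = 0;
  int sender_ok = -1;                        /* -1: no MAIL FROM seen yet */
  while (pos < len && n < sizeof verdicts - 1) {
    const char *rec = ctl + pos, *end = memchr(rec, '\0', len - pos);
    if (!end) return NULL;                   /* unterminated record */
    pos += (size_t)(end - rec) + 1;
    verdicts[n] = '\0';                      /* keep the result terminated */
    if (end == rec) return sender_ok < 0 ? NULL : verdicts; /* lone NUL: DATA */
    if (rec[0] == 'F' && sender_ok < 0) {
      /* A null sender (a bounce) has no domain to resolve: accept it. */
      sender_ok = rec[1] == '\0' || domain_resolves(rec + 1);
      verdicts[n++] = 'Y';                   /* decision deferred to RCPT TO */
    } else if (rec[0] == 'T' && sender_ok >= 0) {
      verdicts[n++] = (sender_ok || exempt(rec + 1)) ? 'Y' : 'N';
    } else return NULL;                      /* out of order or unknown type */
  }
  return NULL;                               /* stream ended without terminator */
}
/* Constructed sessions; each literal's own trailing NUL is the terminator. */
static const char BOGUS[] = "Fx@bogus.invalid\0Tuser@here.example\0Tabuse@here.example\0";
static const char BOUNCE[] = "F\0Tuser@here.example\0";
int main(void) {
  printf("%s\n", run_checker(BOGUS, sizeof BOGUS));
  printf("%s\n", run_checker(BOUNCE, sizeof BOUNCE));
  return 0;
}
```

A checker that rejected the null sender would refuse every bounce, so the empty `F` record is accepted before any domain lookup is attempted.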



wanted: patch to reject mail if envelope sender isn't valid domain

1999-01-04 Thread Eric Smith

Has anyone written a patch for Qmail 1.0.3 to reject mail if envelope sender
domain can't be resolved?

I'm providing a backup MX for someone who is running Sendmail 8.9.x, and
my queue is full of spam that keeps getting
"451 ...Sender domain must resolve"
responses.  I'd really like to avoid accepting this stuff in the first
place.

I read the FAQL and www.qmail.org, but didn't seem to find anything that
quite fits the bill, though I think I'll try Russell's RBL patch.

[I'd also like to whack the people that have written MTAs or MUAs that don't
respect the precedence field of MX records with a very large clue stick!]

Thanks!
Eric