About FEATURE(`require_rdns")

on 31.08.2007 12:20:13 by Vesa-Matti J Kari

Hello,

If anybody of sendmail fame is reading this: I would like to propose
a slight modification to Sendmail 8.14.x FEATURE(`require_rdns').

As it is, we have found the ruleset enabled by this feature to be
a bit too strict. The rules from m4/proto.m4 are:


R$* $: $&{client_addr} $| $&{client_resolve}
R$=R $* $@ RELAY We relay for these
R$* $| OK $@ OK Resolves.
R$* $| FAIL $#error $@ 5.7.1 $: 550 Fix reverse DNS for $1
R$* $| TEMP $#error $@ 4.1.8 $: 451 Client IP address $1 does not resolve
R$* $| FORGED $#error $@ 4.1.8 $: 451 Possibly forged hostname for $1


The last "FORGED" case is giving us problems: unfortunately there are
too many false positives (yes, the cf/README correctly warns about this,
but I had to try it out to see).

My suggestion is that FEATURE(`require_rdns') would be augmented with
an optional argument to omit that last "FORGED"-rule. Of course we
could modify proto.m4, but I'd prefer not to do it. Giving more control
over FEATURE(`require_rdns') would probably allow more Sendmail users to
enable the feature.

Any comments?

Regards,
vmk
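
As an added illustration (not code from the thread or from sendmail), the following Python model reproduces the decision the quoted ruleset makes for each ${client_resolve} value, and adds the optional FORGED handling the post proposes. The DNS answers, host names and the `forged` parameter are constructed assumptions; class R matching is simplified to whole addresses.

```python
# Added example (not from the thread or sendmail): Python model of the quoted
# FEATURE(`require_rdns') ruleset; names and DNS answers below are constructed.
TIMEOUT = object()   # stands in for a DNS lookup that timed out

# Constructed answers: ip -> PTR name (absent = no PTR), name -> addresses.
REVERSE = {
    "192.0.2.10": "mx.example.net",      # PTR and A agree          -> OK
    "192.0.2.11": "gw.example.org",      # PTR name has no A record -> FORGED
    "192.0.2.12": "mail.example.com",    # A points elsewhere       -> FORGED
    "192.0.2.13": TIMEOUT,               # reverse lookup timed out -> TEMP
}                                        # 192.0.2.14: no PTR       -> FAIL
FORWARD = {"mx.example.net": {"192.0.2.10"}, "mail.example.com": {"198.51.100.7"}}

# Replies of the three rejecting rules, as in m4/proto.m4.
REPLIES = {
    "FAIL":   (550, "5.7.1", "Fix reverse DNS for {ip}"),
    "TEMP":   (451, "4.1.8", "Client IP address {ip} does not resolve"),
    "FORGED": (451, "4.1.8", "Possibly forged hostname for {ip}"),
}

def client_resolve(ip, reverse=REVERSE, forward=FORWARD):
    """Model of how ${client_resolve} is filled: OK when the PTR name resolves
    back to the client, FORGED when it does not (no A record or a different
    address; this simplification treats both alike), FAIL without a PTR,
    TEMP on a temporary DNS failure."""
    name = reverse.get(ip)
    if name is None:
        return "FAIL"
    if name is TIMEOUT:
        return "TEMP"
    addrs = forward.get(name, set())
    if addrs is TIMEOUT:
        return "TEMP"
    return "OK" if ip in addrs else "FORGED"

def require_rdns(ip, relay_class=(), forged="temp"):
    """Apply the quoted ruleset. Returns None to accept, else (code, enhanced,
    text). forged selects the FORGED rule: "temp" (stock 451), "ignore" (the
    proposed optional argument: the rule is omitted, so FORGED falls through
    and is accepted) or "perm" (hard 550, reusing the FAIL rule's codes)."""
    if ip in relay_class:                 # R$=R $* -> RELAY (class R, simplified
        return None                       # to whole-address entries)
    resolve = client_resolve(ip)
    if resolve == "OK" or (resolve == "FORGED" and forged == "ignore"):
        return None                       # no rejecting rule matches
    code, enh, text = REPLIES[resolve]
    if resolve == "FORGED" and forged == "perm":
        code, enh = 550, "5.7.1"
    return code, enh, text.format(ip=ip)
```

The 192.0.2.11 case is the false positive the post describes: a PTR record exists, but nothing confirms it, so the stock rule tempfails the client until the rule is omitted.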

Re: About FEATURE(`require_rdns")

on 31.08.2007 12:55:18 by Res

On Fri, 31 Aug 2007, Vesa-Matti J Kari wrote:

>
> Hello,
>
> If anybody of sendmail fame is reading this: I would like to propose
> a slight modification to Sendmail 8.14.x FEATURE(`require_rdns').
>
> As it is, we have found the ruleset enabled by this feature to be
> a bit too strict. The rules from m4/proto.m4 are:
>
>
> R$* $: $&{client_addr} $| $&{client_resolve}
> R$=R $* $@ RELAY We relay for these
> R$* $| OK $@ OK Resolves.
> R$* $| FAIL $#error $@ 5.7.1 $: 550 Fix reverse DNS for $1
> R$* $| TEMP $#error $@ 4.1.8 $: 451 Client IP address $1 does not resolve
> R$* $| FORGED $#error $@ 4.1.8 $: 451 Possibly forged hostname for $1
>
>
> The last "FORGED" case is giving us problems: unfortunately there are
> too many false positives (yes, the cf/README correctly warns about this,
> but I had to try it out to see)
>
> My suggestion is that FEATURE(`require_rdns') would be augmented with
> an optional argument to omit that last "FORGED"-rule. Of course we
> could modify proto.m4, but I'd prefer not to do it. Giving more control
> over FEATURE(`require_rdns') would probably allow more Sendmail users to
> enable the feature.

That means you expect Sendmail to incorporate a workaround for someone
else's incompetence? As it soft-fails, there is a warning to the sender; if
they cannot get their ISP/OSP/content provider to fix it, they need to
move to someone who has a clue and cares about their network.

> Any comments?

Sure, but you won't like it :) I change them all to hard failures...
I've run it like this for a long time, way back when the 'hack'
first came out. It gave us maybe a handful of complaints a year; with
millions of emails a day that's not too bad, but I admit that is in this part
of the world, and what works here might not in other parts of the world.


Why hard fail? Well, most people ignore and don't read the soft-fail
errors; a hard-fail error they tend to read more often than not.
Of course you should only do this with several protection layers for
your DNS, else your problem might cause the rejects, but a well-designed
network won't see this problem.

--

Cheers
Res

Re: About FEATURE(`require_rdns")

on 31.08.2007 13:08:42 by Andrzej Adam Filip

Vesa-Matti J Kari writes:
> If anybody of sendmail fame is reading this: I would like to propose
> a slight modification to Sendmail 8.14.x FEATURE(`require_rdns').
>
> As it is, we have found the ruleset enabled by this feature to be
> a bit too strict. The rules from m4/proto.m4 are:
>
>
> R$* $: $&{client_addr} $| $&{client_resolve}
> R$=R $* $@ RELAY We relay for these
> R$* $| OK $@ OK Resolves.
> R$* $| FAIL $#error $@ 5.7.1 $: 550 Fix reverse DNS for $1
> R$* $| TEMP $#error $@ 4.1.8 $: 451 Client IP address $1 does not resolve
> R$* $| FORGED $#error $@ 4.1.8 $: 451 Possibly forged hostname for $1
>
>
> The last "FORGED" case is giving us problems: unfortunately there are
> too many false positives (yes, the cf/README correctly warns about this,
> but I had to try it out to see)
>
> My suggestion is that FEATURE(`require_rdns') would be augmented with
> an optional argument to omit that last "FORGED"-rule. Of course we
> could modify proto.m4, but I'd prefer not to do it. Giving more control
> over FEATURE(`require_rdns') would probably allow more Sendmail users to
> enable the feature.
>
> Any comments?

You want a more lax reaction to FORGED; the previous request was
for a stricter reaction to FORGED (5?? instead of 4??), but
both modifications are simple to implement:

http://anfi.homeunix.net/sendmail/require_rdns2.m4

1) Copy require_rdns2.m4 to cf/feature/ directory
2) In sendmail.mc use
FEATURE(`require_rdns2',`forgedignore')dnl

P.S.
require_rdns is always enforced *after* DNSBL checks.
require_rdns2 may be enforced before some DNSBL checks.
[ Watch out for require_rdns2 and enhdnsbl order ]

--
[pl>en: Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
History teaches us that men and nations behave wisely once they have
exhausted all other alternatives.
-- Abba Eban

Re: About FEATURE(`require_rdns")

on 31.08.2007 14:52:50 by Vesa-Matti J Kari

Andrzej Adam Filip wrote:
> both modifications are simple to implement:

> http://anfi.homeunix.net/sendmail/require_rdns2.m4

> 1) Copy require_rdns2.m4 to cf/feature/ directory
> 2) In sendmail.mc use
> FEATURE(`require_rdns2',`forgedignore')dnl

Thanks, Andrzej. You have implemented exactly what I meant (and more).
I think your m4-version should be distributed as part of standard open source
Sendmail, because it brings along more flexibility.

Regards,
vmk

Re: About FEATURE(`require_rdns")

on 31.08.2007 22:45:26 by Andrzej Adam Filip

Vesa-Matti J Kari writes:

> Andrzej Adam Filip wrote:
>> both modifications are simple to implement:
>
>> http://anfi.homeunix.net/sendmail/require_rdns2.m4
>
>> 1) Copy require_rdns2.m4 to cf/feature/ directory
>> 2) In sendmail.mc use
>> FEATURE(`require_rdns2',`forgedignore')dnl
>
> Thanks, Andrzej. You have implemented exactly what I meant (and more).
> I think your m4-version should be distributed as part of standard open source
> Sendmail, because it brings along more flexibility.

BTW, would you like to apply different "strengths" of rdns checks based on
"country of origin"? [not based on RDNS data]
e.g.
* lax checks for Finnish IP addresses and almost all EU countries
* very strict checks for CN, KR, BR
* "normal" checks for remaining countries

--
[pl>en: Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
We seldom repent talking too little, but very often talking too much.
-- Jean de la Bruyere

Re: About FEATURE(`require_rdns")

on 01.09.2007 16:22:55 by Vesa-Matti J Kari

Andrzej Adam Filip wrote:
> Vesa-Matti J Kari writes:

> > Andrzej Adam Filip wrote:
> >> both modifications are simple to implement:
> >
> >> http://anfi.homeunix.net/sendmail/require_rdns2.m4
> >
> >> 1) Copy require_rdns2.m4 to cf/feature/ directory
> >> 2) In sendmail.mc use
> >> FEATURE(`require_rdns2',`forgedignore')dnl
> >
> > Thanks, Andrzej. You have implemented exactly what I meant (and more).
> > I think your m4-version should be distributed as part of standard open source
> > Sendmail, because it brings along more flexibility.

> BTW Would you like to apply different "strength" of rdns checks based on
> "country of origin"? [not based on RDNS data]
> e.g.
> * lax checks for Finnish IP addresses and almost all EU countries
> * very strict checks for CN, KR, BR
> * "normal" checks for remaining countries

Well, why not. And if not me, probably someone else is interested.

Regards,
vmk
--
****************************************************************************
"Hacks are stupid things" - someone
****************************************************************************

Re: About FEATURE(`require_rdns")

on 01.09.2007 18:26:04 by Andrzej Adam Filip

Andrzej Adam Filip writes:

> Vesa-Matti J Kari writes:
>> If anybody of sendmail fame is reading this: I would like to propose
>> a slight modification to Sendmail 8.14.x FEATURE(`require_rdns').
>>
>> As it is, we have found the ruleset enabled by this feature to be
>> a bit too strict. The rules from m4/proto.m4 are:
>>
>>
>> R$* $: $&{client_addr} $| $&{client_resolve}
>> R$=R $* $@ RELAY We relay for these
>> R$* $| OK $@ OK Resolves.
>> R$* $| FAIL $#error $@ 5.7.1 $: 550 Fix reverse DNS for $1
>> R$* $| TEMP $#error $@ 4.1.8 $: 451 Client IP address $1 does not resolve
>> R$* $| FORGED $#error $@ 4.1.8 $: 451 Possibly forged hostname for $1
>>
>>
>> The last "FORGED" case is giving us problems: unfortunately there are
>> too many false positives (yes, the cf/README correctly warns about this,
>> but I had to try it out to see)
>>
>> My suggestion is that FEATURE(`require_rdns') would be augmented with
>> an optional argument to omit that last "FORGED"-rule. Of course we
>> could modify proto.m4, but I'd prefer not to do it. Giving more control
>> over FEATURE(`require_rdns') would probably allow more Sendmail users to
>> enable the feature.
>>
>> Any comments?
>
> You want more lax reaction to FORGED, the previous request was
> for more strict reaction to FORGED (5?? instead of 4??) but
> both modifications are simple to implement:
>
> http://anfi.homeunix.net/sendmail/require_rdns2.m4
>
> 1) Copy require_rdns2.m4 to cf/feature/ directory
> 2) In sendmail.mc use
> FEATURE(`require_rdns2',`forgedignore')dnl
>
> P.S.
> require_rdns is always enforced *after* DNSBL checks.
> require_rdns2 may be enforced before some DNSBL checks.
> [ Watch out for require_rdns2 and enhdnsbl order ]

Sorry, the previous version was unfit to be used *before* some DNSBL
checks. The new version is available.
[ it had used "$@" (return from ruleset) on a successful check ]
[ The new version is 1.3 dated 2007/09/01 16:00:00 ]

--
[pl>en: Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
As flies to wanton boys are we to the gods; they kill us for their sport.
-- Shakespeare, "King Lear"

Re: About FEATURE(`require_rdns")

on 02.09.2007 23:28:51 by Andrzej Adam Filip

Vesa-Matti J Kari writes:

> Andrzej Adam Filip wrote:
>> Vesa-Matti J Kari writes:
>
>> > Andrzej Adam Filip wrote:
>> >> both modifications are simple to implement:
>> >
>> >> http://anfi.homeunix.net/sendmail/require_rdns2.m4
>> >
>> >> 1) Copy require_rdns2.m4 to cf/feature/ directory
>> >> 2) In sendmail.mc use
>> >> FEATURE(`require_rdns2',`forgedignore')dnl
>> >
>> > Thanks, Andrzej. You have implemented exactly what I meant (and more).
>> > I think your m4-version should be distributed as part of standard open source
>> > Sendmail, because it brings along more flexibility.
>
>> BTW Would you like to apply different "strength" of rdns checks based on
>> "country of origin"? [not based on RDNS data]
>> e.g.
>> * lax checks for Finnish IP addresses and almost all EU countries
>> * very strict checks for CN, KR, BR
>> * "normal" checks for remaining countries
>
> Well, why not. And if not me, probably someone else is interested.

It is ready; take a look at the thread with FEATURE(`anfi/rsdnsbl') in the subject.

--
[pl>en: Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
Superstition, idolatry, and hypocrisy have ample wages, but truth goes
a-begging.
-- Martin Luther

Re: About FEATURE(`require_rdns") [ FEATURE(`anfi/require_rdns") ]

on 03.09.2007 20:22:33 by Andrzej Filip

Vesa-Matti J Kari writes:

> Andrzej Adam Filip wrote:
>> both modifications are simple to implement:
>
>> http://anfi.homeunix.net/sendmail/require_rdns2.m4
>
>> 1) Copy require_rdns2.m4 to cf/feature/ directory
>> 2) In sendmail.mc use
>> FEATURE(`require_rdns2',`forgedignore')dnl
>
> Thanks, Andrzej. You have implemented exactly what I meant (and more).
> I think your m4-version should be distributed as part of standard open source
> Sendmail, because it brings along more flexibility.
>
> Regards,
> vmk

The modified version of require_rdns is available at
http://open-sendmail.cvs.sourceforge.net/*checkout*/open-sendmail/open-sendmail/cf/feature/anfi/rsdnsbl.m4

1) Create the cf/feature/ directory
2) Copy the file at the URL to the cf/feature/anfi/ directory
3) Add the following line to the *.mc file to use it:
FEATURE(`anfi/require_rdns')

--
[pl>en: Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
Another dream that failed. There's nothing sadder.
-- Kirk, "This side of Paradise", stardate 3417.3

Re: About FEATURE(`require_rdns")

on 06.09.2007 16:08:17 by Bruce Esquibel

Andrzej Adam Filip wrote:

: http://anfi.homeunix.net/sendmail/require_rdns2.m4

: 1) Copy require_rdns2.m4 to cf/feature/ directory
: 2) In sendmail.mc use
: FEATURE(`require_rdns2',`forgedignore')dnl


One comment: in the current m4 file you have, this line appears...

ifdef(FORGED_IGNORE','dnl

Shouldn't that be...

ifdef(FORGED_IGNORE_','dnl

Otherwise, if either forgedignore or forgedperm is selected in the sendmail.mc
file, it just generates the same code in sendmail.cf.

-bruce
bje@ripco.com

Re: About FEATURE(`require_rdns")

on 06.09.2007 19:21:20 by Andrzej Filip

Bruce Esquibel writes:

> Andrzej Adam Filip wrote:
>
> : http://anfi.homeunix.net/sendmail/require_rdns2.m4
>
> : 1) Copy require_rdns2.m4 to cf/feature/ directory
> : 2) In sendmail.mc use
> : FEATURE(`require_rdns2',`forgedignore')dnl
>
>
> One comment, in the current m4 file you have, this line appears...
>
> ifdef(FORGED_IGNORE','dnl
>
> Shouldn't that be...
>
> ifdef(FORGED_IGNORE_','dnl
>
> Else if either forgedignore or forgedperm is selected in the sendmail.mc
> file, it just generates the same code in the sendmail.cf.

Thanks for the notice.
The version at the URL above was "partially operational" [broken ;-)].

The latest version is available at:
http://open-sendmail.cvs.sourceforge.net/*checkout*/open-sendmail/open-sendmail/cf/feature/anfi/require_rdns.m4

I hope it works as "expected".

--
[pl>en: Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
In the Spring, I have counted 136 different kinds of weather inside of
24 hours.
-- Mark Twain, on New England weather

Re: About FEATURE(`require_rdns")

on 23.09.2007 09:55:23 by -

Ruleset (partially quoted):
> R$* $| FAIL $#error $@ 5.7.1 $: 550 Fix reverse DNS for $1
> R$* $| TEMP $#error $@ 4.1.8 $: 451 Client IP address $1 does not resolve
> R$* $| FORGED $#error $@ 4.1.8 $: 451 Possibly forged hostname for $1

I have an issue with the extended codes used here. "4.1.8" is wrong.
It's not the sender's IP address but the RELAY's IP address that is
being tested. Things wrong with DNS answers also seem to fall into
the category where the middle digit is a "4" (network or routing
status), not category "1" (sender or recipient addresses).

Shouldn't these be:
TEMP => 4.4.3 (DNS failure.)
FORGED => [4,5].4.8 (Bad DNS data - mismatch. I use a permanent
failure.)
FAIL => 5.4.8 (Bad DNS data - missing, although 5.7.1 could also be
used.)?