access.db problems

on 01.02.2008 15:33:11 by Peter Peters

Hello,

I am a bit confused about spam we accept while I think it is blocked in
the access.db.

For instance, mail sent from 201008165066.user.veloxzone.com.br.

In access.db I have:

~> grep veloxzone.com.br /etc/mail/access*
/etc/mail/access:user.veloxzone.com.br ERROR:5.1.8:"Use your
providers mail server."
Binary file /etc/mail/access.db matches

When I check the logfiles I see some mail get accepted:
Feb 1 15:09:29 netlx098 sendmail-in[31357]: m11E9Rth031357:
from=, size=1306, class=0, nrcpts=1,
msgid=<000901c864dc$0cf67400$42a508c9@user8c6524d79c>, proto=ESMTP,
daemon=SMTP, relay=201008165066.user.veloxzone.com.br [201.8.165.66]
(may be forged)
Feb 1 15:09:29 netlx098 sendmail-in[31357]: m11E9Rth031357:
to=, delay=00:00:01, mailer=esmtp, pri=31306,
stat=queued
Feb 1 15:17:00 netlx098 sendmail[3440]: m11E9Rth031357:
to=, delay=00:07:32, xdelay=00:00:00,
mailer=esmtp, pri=121306, relay=tns17.tnw.utwente.nl. [130.89.26.183],
dsn=2.0.0, stat=Sent (Ok: queued as C488714DD0F)

In the past we had problems because access.db also included
utwente.nl RELAY

That has since been changed to
Connect:utwente.nl RELAY

The .mc file has:
FEATURE(`relay_based_on_MX')
But I checked the MX for anielakuptel.pl, because some spammers set the
MX to localhost or the host they connect to.
~> host -t mx anielakuptel.pl
anielakuptel.pl mail is handled by 10 anielakuptel.pl.
~> host anielakuptel.pl.
anielakuptel.pl has address 85.128.138.62
~> host 85.128.138.62
62.138.128.85.in-addr.arpa domain name pointer akh62.rev.netart.pl.

There is no entry for oopeilla@anielakuptel.pl, anielakuptel.pl or pl in
access.db, nor in virthosts. Virthost is automatically populated with
hosts we should accept mail for AND only if the MX points to our
mailserver as the final destination.
There is no OK or RELAY entry for h.k.hemmes@utwente.nl.
The only RELAY entries are for our local domain, IP and IPv6 ranges.
The only OK entries are exceptions to ERROR entries in access.db.
Also the IP address 201.8.165.66 or any of its nets is not in access.db.

--
Peter Peters

Re: access.db problems ["may be forged", FEATURE(`anfi/rsdnsbl")]

on 01.02.2008 16:21:22 by Andrzej Filip

Peter Peters writes:

> Hello,
>
> I am a bit confused about spam we accept while I think it is blocked in
> the access.db.
>
> For instance mail send from 201008165066.user.veloxzone.com.br.
>
> In access.db I have:
>
> ~> grep veloxzone.com.br /etc/mail/access*
> /etc/mail/access:user.veloxzone.com.br ERROR:5.1.8:"Use your
> providers mail server."
> Binary file /etc/mail/access.db matches
>
> When I check the logfiles I see some mail get accepted:
> Feb 1 15:09:29 netlx098 sendmail-in[31357]: m11E9Rth031357:
> from=, size=1306, class=0, nrcpts=1,
> msgid=<000901c864dc$0cf67400$42a508c9@user8c6524d79c>, proto=ESMTP,
> daemon=SMTP, relay=201008165066.user.veloxzone.com.br [201.8.165.66]
> (may be forged)
> [...]

You have to learn (the more painful way) the meaning of "may be forged" :-)

$ nslookup 201.8.165.66
66.165.8.201.in-addr.arpa name = 201008165066.user.veloxzone.com.br.
$ nslookup 201008165066.user.veloxzone.com.br.
** server can't find 201008165066.user.veloxzone.com.br.: NXDOMAIN

"May be forged" means that there was a PTR record but there was no
matching A record to create a *closed* PTR-A loop.

In the current implementation sendmail *ignores* such "may be forged"
names in access lookups because they *really* may be forged.

I suggested some time ago to *modify* the sendmail.cf generators to use
such "may be forged" names in access lookups, ignoring all results except
error:* and REJECT.

The fast fix I suggest:
Use a combination of FEATURE(`anfi/rsdnsbl'),
FEATURE(`anfi/require_rdns.m4') and the zz.countries.nerd.dk (IP to
country) DNS service to require closed PTR-A loops for all hosts except a
few countries [up to 6 countries per FEATURE(`anfi/rsdnsbl')],
e.g. NL,DE,FR,BE,UK,PL.

#v+
FEATURE(`anfi/countries')dnl list of C2_* country codes
dnl skip remaining DNSBL and RDNS tests for IP addresses with high, medium
dnl and low dnswl reputation (ignore "none" reputation level)
FEATURE(`anfi/rsdnsbl',`list.dnswl.org',
`whitelist',`',`127.0.$-.3.',`127.0.$-.2.',`127.0.$-.1.')dnl
dnl skip remaining DNSBL and RDNS tests for NL IP addresses
FEATURE(`anfi/rsdnsbl',`zz.countries.nerd.dk',`whitelist',`',C2_NL)dnl
dnl require only an existing PTR record
FEATURE(`anfi/require_rdns',`forgedignore')dnl
dnl skip remaining DNSBL and RDNS tests for BE, LU, DE, DK, UK and PL [:-)]
FEATURE(`anfi/rsdnsbl',`zz.countries.nerd.dk',`whitelist',`',
C2_BE,C2_LU,C2_DE,C2_DK,C2_UK,C2_PL)dnl
dnl generate a 5?? reply in response to "may be forged"
FEATURE(`anfi/require_rdns',`forgedperm')dnl
#v-

FEATURE(`require_rdns') provided by sendmail.org puts the RDNS test at a
fixed position *after* all other DNSBL tests and does not support the
forgedignore or forgedperm parameter.


URL(s):
http://open-sendmail.sourceforge.net/

--
[pl>en: Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
One man's "magic" is another man's engineering. "Supernatural" is a null word.
-- Robert Heinlein
----
http://groups.google.com/groups?selm=87fxwc4s99+robin@fsf.hobby-site.com
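The PTR/A check behind "may be forged", as an added example that is not part of the thread or of sendmail itself: it models how sendmail derives ${client_name} and ${client_resolve} (OK, FORGED, FAIL or TEMP) for a connecting IP. The DNS answers are constructed dictionaries standing in for the resolver, built from the addresses in the thread plus a few made-up ones in RFC 5737 test ranges, so the code runs offline.

```python
# Added example (not thread or sendmail code): derive sendmail's
# ${client_name} / ${client_resolve} from the PTR and A answers for a
# connecting IP address. Real resolver calls are replaced by dictionaries.

# Constructed PTR answers: ip -> list of names (empty list = NXDOMAIN)
PTR = {
    "201.8.165.66": ["201008165066.user.veloxzone.com.br"],  # from the thread
    "130.89.26.183": ["tns17.tnw.utwente.nl"],               # from the thread
    "192.0.2.7": [],                                         # assumed: no PTR
    "198.51.100.9": ["mail.example.org"],                    # assumed: PTR elsewhere
    "203.0.113.5": ["tempfail.example.net"],                 # assumed: DNS trouble
}

# Constructed A answers: name -> list of addresses, None = NXDOMAIN,
# the string "SERVFAIL" = temporary failure
A = {
    "201008165066.user.veloxzone.com.br": None,  # NXDOMAIN, as in the post
    "tns17.tnw.utwente.nl": ["130.89.26.183"],   # closed PTR->A loop
    "mail.example.org": ["198.51.100.200"],      # A does not point back
    "tempfail.example.net": "SERVFAIL",
}


def resolve_client(ip):
    """Return (client_name, client_resolve) the way sendmail labels a client.

    OK     : a PTR name exists and one of its A records is the client IP
    FORGED : a PTR name exists but no A record closes the loop ("may be forged")
    FAIL   : no PTR record at all; the name becomes the bracketed literal
    TEMP   : a temporary DNS failure; the name becomes the bracketed literal
    """
    names = PTR.get(ip, [])
    if not names:
        return f"[{ip}]", "FAIL"
    for name in names:
        addrs = A.get(name)
        if addrs == "SERVFAIL":
            return f"[{ip}]", "TEMP"
        if addrs and ip in addrs:
            return name, "OK"
    # PTR present, nothing points back: keep the name but flag it
    return names[0], "FORGED"


def log_relay_field(ip):
    """Render the relay= field of a sendmail log line for this client."""
    name, status = resolve_client(ip)
    tag = " (may be forged)" if status == "FORGED" else ""
    return f"relay={name} [{ip}]{tag}"


if __name__ == "__main__":
    for ip in PTR:
        print(f"{ip:15} {resolve_client(ip)[1]:7} {log_relay_field(ip)}")
```

The point for access.db is the FORGED case: the name is still shown in the log, so grepping the log for it looks like a match for the `user.veloxzone.com.br` entry, but the name was never verified and, as the reply explains, is not used for the lookup.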

Re: access.db problems ["may be forged", FEATURE(`anfi/rsdnsbl")]

on 01.02.2008 17:00:43 by Peter Peters

On Fri, 01 Feb 2008 16:21:22 +0100, Andrzej Adam Filip
wrote:

>Peter Peters writes:
>
>> Hello,
>>
>> I am a bit confused about spam we accept while I think it is blocked in
>> the access.db.
>>
>> For instance mail send from 201008165066.user.veloxzone.com.br.
>>
>> In access.db I have:
>>
>> ~> grep veloxzone.com.br /etc/mail/access*
>> /etc/mail/access:user.veloxzone.com.br ERROR:5.1.8:"Use your
>> providers mail server."
>> Binary file /etc/mail/access.db matches
>>
>> When I check the logfiles I see some mail get accepted:
>> Feb 1 15:09:29 netlx098 sendmail-in[31357]: m11E9Rth031357:
>> from=, size=1306, class=0, nrcpts=1,
>> msgid=<000901c864dc$0cf67400$42a508c9@user8c6524d79c>, proto=ESMTP,
>> daemon=SMTP, relay=201008165066.user.veloxzone.com.br [201.8.165.66]
>> (may be forged)
>> [...]
>
>You have to learn (via more painful way) meaning of "may be forged" :-)
>
>$ nslookup 201.8.165.66
>66.165.8.201.in-addr.arpa name = 201008165066.user.veloxzone.com.br.
>$ nslookup 201008165066.user.veloxzone.com.br.
>** server can't find 201008165066.user.veloxzone.com.br.: NXDOMAIN

I have learned it that way. November last year I configured the
require_DNS patch. Within a week management were stampeding at the door
of my office claiming I wasn't allowed to block e-mail sent to them. I
changed it so I only block IP addresses without a reverse. But still I
have the occasional manager who gets furious. But my boss manages to
calm those down.

>Fast fix I suggest:
>Use combination of FEATURE(`anfi/rsdnsbl'),
>FEATURE(`anfi/require_rdns.m4') and zz.countries.nerd.dk (IP to country)
>DNS service to require closed PTR-A loops for all hosts except a few
>countries [up to 6 countries per one FEATURE(`anfi/rsdnsbl')]
>e.g. NL,DE,FR,BE,UK,PL.

I can't reinstate the closed loop test. :(

The same goes for a number of blacklists I would gladly configure. At
this moment I only use the virbl from BIT.

>#v+
>FEATURE(`anfi/countries')dnl list of C2_* country codes
>dnl skip remaining DNSBL and RDNS tests for IP addresses with high, medium
>dnl and low dnswl reputation (ignore "none" reputation level)
>FEATURE(`anfi/rsdnsbl',`list.dnswl.org',
> `whitelist',`',`127.0.$-.3.',`127.0.$-.2.',`127.0.$-.1.')dnl
>dnl skip remaining DNSBL and RDNS tests for NL IP addresses
>FEATURE(`anfi/rsdnsbl',`zz.countries.nerd.dk',`whitelist',`',C2_NL)dnl
>dnl require only an existing PTR record
>FEATURE(`anfi/require_rdns',`forgedignore')dnl
>dnl skip remaining DNSBL and RDNS tests for BE, LU, DE, DK, UK and PL [:-)]
>FEATURE(`anfi/rsdnsbl',`zz.countries.nerd.dk',`whitelist',`',
> C2_BE,C2_LU,C2_DE,C2_DK,C2_UK,C2_PL)dnl
>dnl generate a 5?? reply in response to "may be forged"
>FEATURE(`anfi/require_rdns',`forgedperm')dnl
>#v-

Because we are a university we have to accept e-mail from all over the
world. We have had blocks (even in the router) for certain netblocks.
Until some professor's intern was working there and needed to get back
to people at the university.

>URL(s):
>http://open-sendmail.sourceforge.net/

I'll have a closer look at this URL after the weekend.

--
Peter Peters

Re: access.db problems [access lookups for "may be forged"]

on 01.02.2008 17:34:48 by Andrzej Filip

Peter Peters writes:

> On Fri, 01 Feb 2008 16:21:22 +0100, Andrzej Adam Filip
> wrote:
>
>>Peter Peters writes:
>>
>>> Hello,
>>>
>>> I am a bit confused about spam we accept while I think it is blocked in
>>> the access.db.
>>>
>>> For instance mail send from 201008165066.user.veloxzone.com.br.
>>>
>>> In access.db I have:
>>>
>>> ~> grep veloxzone.com.br /etc/mail/access*
>>> /etc/mail/access:user.veloxzone.com.br ERROR:5.1.8:"Use your
>>> providers mail server."
>>> Binary file /etc/mail/access.db matches
>>>
>>> When I check the logfiles I see some mail get accepted:
>>> Feb 1 15:09:29 netlx098 sendmail-in[31357]: m11E9Rth031357:
>>> from=, size=1306, class=0, nrcpts=1,
>>> msgid=<000901c864dc$0cf67400$42a508c9@user8c6524d79c>, proto=ESMTP,
>>> daemon=SMTP, relay=201008165066.user.veloxzone.com.br [201.8.165.66]
>>> (may be forged)
>>> [...]
>>
>>You have to learn (via more painful way) meaning of "may be forged" :-)
>>
>>$ nslookup 201.8.165.66
>>66.165.8.201.in-addr.arpa name = 201008165066.user.veloxzone.com.br.
>>$ nslookup 201008165066.user.veloxzone.com.br.
>>** server can't find 201008165066.user.veloxzone.com.br.: NXDOMAIN
>
> I have learned it that way. November last year I configured the
> require_DNS patch. Within a week management were stampeding at the door
> of my office claiming I wasn't allowed to block e-mail send to them. I
> changed it so I only block IP addresses without a reverse. But still I
> have the occasional manager who gets furious. But my boss manages to
> calm those down.
> [...]
> Because we are a university we have to accept e-mail from all over the
> world. We have had blocks (even in the router) for certain netblocks.
> Until some intern of professor was working there and needed to get back
> at people at the university.
> [...]

Do you want to *test* a cf/m4/proto.m4 patch implementing access lookups
based on $&{client_ptr} when $&{client_name} is missing?
[ all lookup results except 'reject' or 'error:*' will be ignored ]
${client_ptr} has been added in sendmail-8.13.0.

It would require
1) a slightly modified copy of the "D" rule set ("DN"?)
[ ignoring all access lookup results except "reject" and "error:*" ]
2) a slight modification of the "Basic_check_relay" rule set
[ adding a conditional "DN" rule set consultation with $&{client_ptr} ]

--
[pl>en: Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
Open-Sendmail: http://open-sendmail.sourceforge.net/
Classical music is the kind we keep thinking will turn into a tune.
-- Kin Hubbard, "Abe Martin's Sayings"
----
http://groups.google.com/groups?selm=87ejbw3aaf+adam@fsf.hobby-site.com
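To make the proposal concrete, an added example (not part of the thread and not sendmail's proto.m4) that models the access-map lookup for a connecting client in both modes discussed: the current behaviour, where a "may be forged" name is not looked up at all, and the proposed ${client_ptr} lookup that keeps only REJECT and error:* results. The access map, the extra client addresses and PTR names are constructed from the thread's data plus RFC 5737 test addresses; ${client_resolve} is passed in rather than resolved, and IPv6 and the less common access-map features are left out.

```python
# Added example (not sendmail code): a model of sendmail's access-map
# lookup for a connecting client. First match wins, name before address,
# tagged "Connect:" entries before untagged ones. Everything is constructed.

ACCESS = {
    "Connect:utwente.nl": "RELAY",                      # from the thread
    "Connect:130.89": "RELAY",                          # assumed: local IPv4 range
    "user.veloxzone.com.br":                            # from the thread (untagged)
        'ERROR:5.1.8:"Use your providers mail server."',
    "Connect:192.0.2": "REJECT",                        # assumed: blocked netblock
}


def lookup(key, tag="Connect"):
    """Tagged lookup first, then the untagged fallback."""
    for k in (f"{tag}:{key}", key):
        if k in ACCESS:
            return ACCESS[k]
    return None


def lookup_domain(name):
    """Walk from the full host name up through its parent domains."""
    labels = name.split(".")
    for i in range(len(labels)):
        hit = lookup(".".join(labels[i:]))
        if hit is not None:
            return hit
    return None


def lookup_address(ip):
    """Walk from the full IPv4 address down to its leading octets."""
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        hit = lookup(".".join(octets[:n]))
        if hit is not None:
            return hit
    return None


def is_negative(result):
    """Only these results are safe to honour for an unverified name."""
    return result is not None and (result == "REJECT" or result.startswith("ERROR:"))


def check_relay(ip, ptr, resolve, ptr_lookup=False):
    """Return the access result for a client, or None when nothing matched.

    ip      : ${client_addr}
    ptr     : the PTR name (${client_ptr}); "[ip]" when there is none
    resolve : ${client_resolve}, one of OK, FORGED, FAIL, TEMP
    ptr_lookup=True enables the proposed lookup on a "may be forged" name.
    Positive results (RELAY, OK) from that lookup are discarded on purpose:
    the PTR is chosen by whoever controls the reverse zone, so it may only
    ever make things worse for the client, never better.
    """
    if resolve == "OK":
        hit = lookup_domain(ptr)
        if hit is not None:
            return hit
    elif resolve == "FORGED" and ptr_lookup:
        hit = lookup_domain(ptr)
        if is_negative(hit):
            return hit
    return lookup_address(ip)


if __name__ == "__main__":
    spammer = ("201.8.165.66", "201008165066.user.veloxzone.com.br", "FORGED")
    print("current :", check_relay(*spammer))                   # None: accepted
    print("proposed:", check_relay(*spammer, ptr_lookup=True))  # ERROR:5.1.8:...
    # a forged PTR inside the RELAY domain must not earn relaying
    print("forged relay:", check_relay("198.51.100.9", "mail.utwente.nl",
                                       "FORGED", ptr_lookup=True))
```

The first call reproduces the thread's log: with the name skipped and no entry for 201.8.165.66 or its prefixes, nothing matches and the mail is accepted. The second shows the "DN" idea: the untagged `user.veloxzone.com.br ERROR:...` entry is found through the unverified name and honoured because it is negative. The third is the check that makes the proposal safe: a spammer whose reverse zone claims `mail.utwente.nl` still gets no RELAY.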