Discussion:
Sendmail/Blacklists rejecting authenticated users
Michael Knox
2006-01-10 18:58:54 UTC
Quick question regarding dnsbl's... The other day I was in the
Pittsburgh airport trying to send an email using their free wifi.
Unsurprisingly this network's ip range is listed on a few of the
blacklists. This resulted in my mail server rejecting my connection when
I tried to send some emails. Does anyone know how I can configure
sendmail/procmail to not check the IP addresses against the dnsbls for
authenticated users? I have already done a fair amount of googling but
haven't come up with anything workable, nor can I think of a good way to
test (since I don't have access to a blacklisted network).

Thanks,
Mike
Scott Gifford
2006-01-11 21:47:05 UTC
Post by Michael Knox
Quick question regarding dnsbl's... The other day I was in the
Pittsburgh airport trying to send an email using their free wifi.
Unsurprisingly this network's ip range is listed on a few of the
blacklists. This resulted in my mail server rejecting my connection
when I tried to send some emails. Does anyone know how I can
configure sendmail/procmail to not check the IP addresses against the
dnsbls for authenticated users? I have already done a fair amount of
googling but haven't come up with anything workable,
The easiest way is to run an SMTP server on another port, which does
not use an RBL and only accepts authenticated connections. Good
candidates are 587 (SMTP Submit port) or running SMTPS (SMTP over SSL)
on port 465.
Post by Michael Knox
nor can I think of a good way to test (since I don't have access to
a blacklisted network).
Most blacklists put 127.0.0.2 on their blacklist for testing, so you
can do:

telnet 127.0.0.2 25

from the server to test.

----Scott.
Bill Weiss
2006-01-12 21:42:31 UTC
Post by Scott Gifford
Post by Michael Knox
Quick question regarding dnsbl's... The other day I was in the
Pittsburgh airport trying to send an email using their free wifi.
Unsurprisingly this network's ip range is listed on a few of the
blacklists. This resulted in my mail server rejecting my connection
when I tried to send some emails. Does anyone know how I can
configure sendmail/procmail to not check the IP addresses against the
dnsbls for authenticated users? I have already done a fair amount of
googling but haven't come up with anything workable,
The easiest way is to run an SMTP server on another port, which does
not use an RBL and only accepts authenticated connections. Good
candidates are 587 (SMTP Submit port) or running SMTPS (SMTP over SSL)
on port 465.
I'm a postfix user, but I'm sure that sendmail can do something similar.

In all of the places where I use RBLs, I put a rule before them to allow
authenticated users. Thus, something like this:

smtpd_helo_restrictions = permit_sasl_authenticated,
reject_non_fqdn_hostname,
reject_invalid_hostname,
reject_rbl_client dsn.rfc-ignorant.org,
reject_rbl_client postmaster.rfc-ignorant.org

Because permit_sasl_authenticated is first, authenticated users bypass
all of the restrictions.
Post by Scott Gifford
Post by Michael Knox
nor can I think of a good way to test (since I don't have access to
a blacklisted network).
Most blacklists put 127.0.0.2 on their blacklist for testing, so you
telnet 127.0.0.2 25
from the server to test.
Uh... I don't think that's going to work. Even if a server uses a
blacklist that lists 127.0.0.2, that's not always going to provide
reverse DNS for that IP. Even if it does, telnet to that should just
come back to the same machine (maybe) or nowhere (probably).

As far as testing is concerned, your best bet is to just blacklist the
dynamic IP your modem has (DSL modem, cable box, what have you) and try
from there. This is assuming that the server is somewhere other than
your home connection, but that's not too much of a stretch. If it is,
get a shell somewhere and try it from there.
--
Bill Weiss

about 50 per cent of the [United States] population now believes that Iraq
was responsible for the attack on the World Trade Center.
-- Noam Chomsky
Scott Gifford
2006-01-16 01:18:30 UTC
[...]
Post by Bill Weiss
Post by Scott Gifford
Most blacklists put 127.0.0.2 on their blacklist for testing, so you
telnet 127.0.0.2 25
from the server to test.
Uh... I don't think that's going to work. Even if a server uses a
blacklist that lists 127.0.0.2, that's not always going to provide
reverse DNS for that IP. Even if it does, telnet to that should just
come back to the same machine (maybe) or nowhere (probably).
Did you try it? For the 2 DNSBL's I currently use, it works fine:

$ dig +short 2.0.0.127.bl.spamcop.net.
127.0.0.2
$ dig +short 1.0.0.127.bl.spamcop.net.
$ dig +short 2.0.0.127.relays.ordb.org
127.0.0.2
$ dig +short 1.0.0.127.relays.ordb.org
$

$ telnet 127.0.0.2 25
Trying 127.0.0.2...
Connected to 127.0.0.2.
Escape character is '^]'.
220 rblsmtpd.local
mail from:<blah>
250 rblsmtpd.local
rcpt to:<blah>
451 Listed by ORDB - for testing purposes only
Connection closed by foreign host.

$ telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 accept.example.com ESMTP
mail from:<blah>
250 ok
rcpt to:<blah>
250 ok
quit
221 accept.example.com
Connection closed by foreign host.

As you can see, these RBLs list 127.0.0.2 but not 127.0.0.1, so when
you telnet to your own host using the address "127.0.0.2" it will act
as if you're blacklisted, while if you use "127.0.0.1" it will act as
normal. That's a good way to test whether your blacklist is
configured properly: if it's overzealous, you'll be blacklisted at
127.0.0.1, and if it's underzealous, you'll be allowed to send via
127.0.0.2

Not all DNSBLs support this, but for those that do it's quite
convenient. Some OS's require you to "ifconfig up" an interface alias
with the address 127.0.0.2 to perform this test; Linux will
automatically route 127/8 to the loopback adapter on standard
configurations.

----Scott.

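As an added example (not from any post in this thread), here is a small Python model of two points made above: Bill's observation that the order of a Postfix restriction list decides whether authenticated clients bypass the RBL check, and Scott's 127.0.0.2 / 127.0.0.1 self-test. The zone bl.example.test and the stub resolver are constructed stand-ins for real DNS so the script runs offline.

```python
# Added example, not from the thread: models DNSBL lookup naming and
# Postfix-style restriction ordering against a constructed stub resolver
# (no real DNS), so it runs offline.

# Constructed: the only address our stand-in DNSBL zone lists is the
# conventional test entry 127.0.0.2 (cf. Scott's dig output above).
STUB_LISTED = {"127.0.0.2"}

def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: 127.0.0.2 -> 2.0.0.127.<zone>."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("IPv4 address expected: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone

def stub_resolve(name):
    """Stand-in for `dig +short`: recover the IP from the reversed labels and
    answer 127.0.0.2 for listed addresses, an empty answer otherwise."""
    ip = ".".join(reversed(name.split(".")[:4]))
    return ["127.0.0.2"] if ip in STUB_LISTED else []

def is_listed(ip, zone, resolve=stub_resolve):
    """A non-empty A answer means the DNSBL lists the address."""
    return bool(resolve(dnsbl_query_name(ip, zone)))

def evaluate(restrictions, client_ip, authenticated, resolve=stub_resolve):
    """Walk an smtpd_*_restrictions list top to bottom; the first
    restriction that yields a verdict wins, as in Postfix."""
    for rule in restrictions:
        if rule == "permit_sasl_authenticated":
            if authenticated:
                return "PERMIT"
        elif rule.startswith("reject_rbl_client "):
            zone = rule.split(None, 1)[1]
            if is_listed(client_ip, zone, resolve):
                return "REJECT (listed in %s)" % zone
        # other restrictions (reject_non_fqdn_hostname, ...) are not modelled
    return "DUNNO"  # no verdict at this stage; later restrictions decide

# Bill's ordering (permit first) versus the RBL check placed ahead of it.
PERMIT_FIRST = ["permit_sasl_authenticated", "reject_rbl_client bl.example.test"]
RBL_FIRST = ["reject_rbl_client bl.example.test", "permit_sasl_authenticated"]

if __name__ == "__main__":
    for rules in (PERMIT_FIRST, RBL_FIRST):
        for ip, auth in (("127.0.0.2", True), ("127.0.0.2", False), ("127.0.0.1", False)):
            print("%-26s client=%s auth=%-5s -> %s" % (rules[0], ip, auth, evaluate(rules, ip, auth)))
```

Replacing stub_resolve with a real lookup (e.g. socket.gethostbyname wrapped in a try/except for the empty answer) reproduces Scott's dig test against a live zone.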
Robert BARABAS
2006-01-11 23:59:46 UTC
On Tuesday 10 January 2006 19:58, Michael Knox wrote:
Hello,

Well, it's not really a direct answer to your question but maybe from a free
wifi it'd be more advantageous (secure) to connect to a VPN and do everything
through it (assuming that your local trusted VPN host is not blacklisted).
The direct answer however might be this sendmail hack at
http://ist.uwaterloo.ca/~dkeenan/docs/sendmail-whitelist.html .
Best regards

DC
Post by Michael Knox
Quick question regarding dnsbl's... The other day I was in the
Pittsburgh airport trying to send an email using their free wifi.
Unsurprisingly this network's ip range is listed on a few of the
blacklists. This resulted in my mail server rejecting my connection when
I tried to send some emails. Does anyone know how I can configure
sendmail/procmail to not check the IP addresses against the dnsbls for
authenticated users? I have already done a fair amount of googling but
haven't come up with anything workable, nor can I think of a good way to
test (since I don't have access to a blacklisted network).
Thanks,
Mike
--
Robert BARABAS
Budapest University of Technology and Economics
Glynn Clements
2006-01-12 03:10:49 UTC
Post by Michael Knox
Quick question regarding dnsbl's... The other day I was in the
Pittsburgh airport trying to send an email using their free wifi.
Unsurprisingly this network's ip range is listed on a few of the
blacklists. This resulted in my mail server rejecting my connection when
I tried to send some emails. Does anyone know how I can configure
sendmail/procmail to not check the IP addresses against the dnsbls for
authenticated users?
The dnsbl feature is implemented in the check_relay ruleset, which is
called as soon as an inbound SMTP connection is made, before
authentication has occurred. If it rejects the connection, you won't
get a chance to authenticate.

You would need to re-implement the dnsbl feature in a later ruleset,
e.g. check_rcpt (this is the ruleset normally used to control
relaying).

If you need to access any of your services remotely, you may be better
off implementing a VPN.
--
Glynn Clements <***@gclements.plus.com>
Kurt Seifried
2006-01-11 21:35:41 UTC
Quick question regarding dnsbl's... The other day I was in the Pittsburgh
airport trying to send an email using their free wifi. Unsurprisingly
this network's ip range is listed on a few of the blacklists. This
resulted in my mail server rejecting my connection when I tried to send
some emails. Does anyone know how I can configure sendmail/procmail to
not check the IP addresses against the dnsbls for authenticated users? I
have already done a fair amount of googling but haven't come up with
anything workable, nor can I think of a good way to test (since I don't
have access to a blacklisted network).
Thanks,
Mike
Several options:

1) Use the submission port (587) and configure it to allow authenticated
users only (no other restrictions)

2) Set up postfix/etc correctly so that authenticated use is allowed even if
the IP is on DNSRBL (i.e. the order of smtpd_recipient_restrictions or
whatever you are using matters).

3) Stop using DNSRBL (I find OpenBSD's spamd does a MUCH better job in any
event, it's catching about 90% of my inbound spam and pretty much all the
viruses with no false positives) however by protecting port 25 to all your
mail servers you will need to setup something for sending email (either
submission port or a mail relay with user authentication).

-Kurt
Łukasz Kwiek
2006-01-12 21:48:48 UTC
Post by Michael Knox
Quick question regarding dnsbl's... The other day I was in the
Pittsburgh airport trying to send an email using their free wifi.
Unsurprisingly this network's ip range is listed on a few of the
blacklists. This resulted in my mail server rejecting my connection
when I tried to send some emails. Does anyone know how I can
configure sendmail/procmail to not check the IP addresses against the
dnsbls for authenticated users? I have already done a fair amount of
googling but haven't come up with anything workable, nor can I think
of a good way to test (since I don't have access to a blacklisted
network).
Thanks,
Mike
Just add this line to your sendmail.mc configuration:

FEATURE(`delay_checks')dnl
(more about this sendmail option at:
http://www.sendmail.org/m4/anti_spam.html#delay_check)

Using dnsbl with "delay_checks" and local whitelist should solve all
your problems which you can have with dnsbl.

Regards,
Woo