Qmail anti spam HOWTO
The original of this article is located here.
1. Rejecting SMTP connections at the network level from hosts with bad DNS
It is becoming common for the default installation of many Unix operating systems, such as
FreeBSD and Linux, to include a mechanism that blocks network traffic based on certain criteria,
commonly referred to as "host-based access control" and commonly implemented with the
tcp_wrappers package. Some of these installations block traffic from hosts whose reverse DNS
name does not resolve back to the connecting IP address (the PARANOID pattern described in
hosts_access(5)). While not an e-mail specific measure, this is one way to cut down on e-mail
from hosts that have misconfigured their DNS, and which are therefore thought by some to be
more likely to be spam-friendly.
If you're using inetd, an example line for a FreeBSD /etc/hosts.allow is:
ALL : PARANOID : RFC931 20 : deny
Here ALL matches every wrapped service, PARANOID matches clients whose reverse name does not
match their address, RFC931 20 performs an ident lookup (20 second timeout) for the log entry,
and deny refuses the connection.
One can also achieve this using the ucspi-tcp package's tcpserver (now the recommended
alternative to inetd) by enabling the "-p" option, for paranoid. For example, in
/service/qmail-smtpd/run you might have:
#!/bin/sh
# Run qmail-smtpd under tcpserver; refuse the session when tcpserver's
# paranoid check (-p) has left $TCPREMOTEHOST unset.
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
exec softlimit -m 3000000 \
    tcpserver -v -p -x /etc/qmail/tcp.smtp.cdb \
        -u $QMAILDUID -g $NOFILESGID 0 smtp \
        sh -c 'test -z "$TCPREMOTEHOST" \
            && printf "451 bad reverse DNS\r\n" \
            || exec /var/qmail/bin/qmail-smtpd' 2>&1
# SMTP replies are CRLF-terminated, hence printf rather than echo; 451 is a
# temporary failure, so the peer will queue the message and retry later.
With -p, tcpserver looks up the PTR record for the connecting address and then the A records
for that name; it sets TCPREMOTEHOST only if one of those addresses matches the connecting IP,
and leaves the variable unset otherwise (including when there is no PTR record at all).
tcpserver itself still runs the program regardless, so the sh wrapper refuses the session with
a 451 reply and exits when TCPREMOTEHOST is not populated, and otherwise execs qmail-smtpd.
Note that this check applies to every connection, including hosts given RELAYCLIENT in
tcp.smtp.cdb, so your own clients need working forward-confirmed reverse DNS too, and that a
451 is a temporary failure: a well-behaved sender keeps retrying until its queue lifetime
expires. (Thanks to Mike Jimenez for noting that only using tcpserver -p isn't enough,
and to Gerrit Pape for suggesting the above code snippet. Thanks to Jerry Amundson for
updating it to include a useful error message for the connecting SMTP server.)
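The check that both the tcp_wrappers PARANOID pattern and tcpserver -p perform, forward-confirmed reverse DNS, written out as an added example (this is not code from the HOWTO, ucspi-tcp or tcp_wrappers). The function names and the sample zone data are invented for illustration; the table-backed resolvers let it run offline, and the socket-based ones are what you would pass on a live host:

```python
"""Forward-confirmed reverse DNS, the decision behind tcpserver -p.

Added example, not part of the original HOWTO or of ucspi-tcp. Function
names and the sample zone data below are invented for illustration.
"""
import socket
from typing import Callable, Optional, Sequence

PtrLookup = Callable[[str], Optional[str]]   # IP -> PTR name, or None
FwdLookup = Callable[[str], Sequence[str]]   # name -> its A records


def paranoid_remote_host(ip: str, ptr: PtrLookup, fwd: FwdLookup) -> Optional[str]:
    """Return the name tcpserver -p would export as $TCPREMOTEHOST, or None.

    Paranoid rule: take the PTR name for the connecting address, look up
    that name's A records, and keep the name only if one of them is the
    connecting address. No PTR, a failed forward lookup, or a PTR that
    points at a name belonging to someone else all leave it unset.
    """
    try:
        name = ptr(ip)
        if not name:
            return None                  # no reverse DNS at all
        addrs = fwd(name)
    except OSError:                      # NXDOMAIN, SERVFAIL, timeout...
        return None
    if ip not in addrs:
        return None                      # PTR not confirmed by an A record
    return name.rstrip(".").lower()      # normalised for comparison/logging


def smtp_decision(ip: str, ptr: PtrLookup, fwd: FwdLookup) -> str:
    """Mirror the sh wrapper in the run script: refuse or exec qmail-smtpd."""
    host = paranoid_remote_host(ip, ptr, fwd)
    if host is None:
        return "451 bad reverse DNS"
    return f"exec qmail-smtpd (TCPREMOTEHOST={host})"


# Constructed sample zone data (TEST-NET addresses, not real hosts).
SAMPLE_PTR = {
    "192.0.2.10": "mx1.example.org.",    # honest: forward lookup confirms it
    "192.0.2.20": "mail.example.net.",   # PTR names a host with other addresses
    "192.0.2.30": "bogus.example.",      # PTR names something with no A record
    # 192.0.2.40 has no PTR record at all
}
SAMPLE_A = {
    "mx1.example.org.": ["192.0.2.10", "198.51.100.10"],
    "mail.example.net.": ["203.0.113.5"],
}


def sample_ptr(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)


def sample_fwd(name: str) -> Sequence[str]:
    if name not in SAMPLE_A:
        raise OSError("NXDOMAIN")        # mimic a failed forward lookup
    return SAMPLE_A[name]


# Resolvers for a live host (need network access; unused in the offline run).
def live_ptr(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def live_fwd(name: str) -> Sequence[str]:
    return socket.gethostbyname_ex(name)[2]


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(ip, "->", smtp_decision(ip, sample_ptr, sample_fwd))
```

Only the first address gets a session; the second shows why a bare reverse lookup (tcpserver without -p) is not enough, since anyone controlling the in-addr.arpa zone for their address can point a PTR at any name they like, and only the forward lookup ties the name back to the address.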