[milters] Archive


Article: 334
From: Anthony Howe
Date: 2005-02-14 03:09:18 -0500
Subject: Re: Milter-Sender question

Removal...........: milters-request@milter.info?subject=remove
More information..: http://www.milter.info/#Support
--------------------------------------------------------

Rose, Bobby wrote:
> Is it possible to have milter-sender 550 failed DNS lookups?  I have
> this stupid issue where Univ of Michigan's MX's for their email
> forwarding service doesn't do any kind of sendmail DNS checks.  So they
> accept bogus domains and such and relay the junk on.  The problem is
> that when milter-sender 450s these guys, those Umich servers keep trying
> over and over again until they reach their timeout.  The end result is
> that we get 1000s of connections from them and most of it is these
> resend attempts.  They ignored my complaints until I blocked them and
> some users complained, at which point I finally got a response from their
> postmaster but I doubt they are going to do anything about it.  If I
> could 550 this junk being forwarded thru them then that should stop it.
> I know that DNS failures should be temp but 450ing them just leads to
> DoS.  
I'll consider adding it as an option for the next release. In the meantime you
could try this patch. I've just whipped this one up; it's pretty simple
really, but I have not tested it yet as I'm fighting the flu just now.


-- 
Anthony C Howe                                 +33 6 11 89 73 78
http://www.snert.com/       ICQ: 7116561         AIM: Sir Wumpus

            "Once...we were here."  - Last of The Mohicans



-- Attached file included as plaintext by Ecartis --
-- File: DnsRejectOnError.patch

--- milter-sender.c.orig	2005-01-31 15:52:37.609375000 +0100
+++ milter-sender.c	2005-02-14 09:02:50.859375000 +0100
@@ -275,6 +275,7 @@
 static NumericOption debugLogOnly 		= { 1, "DebugLogOnly",			0,	"debug
mode logs messages, never rejects" };
 static NumericOption deferHeloReject 		= { 1, "DeferHeloReject",		0,	"if
connection/HELO fails, reject unless sender white listed" };
 static NumericOption deferMailReject 		= { 1, "DeferMailReject",		0,	"if
sender fails callback, reject unless recipients white listed" };
+static NumericOption dnsRejectOnError 		= { 1,
"DnsRejectOnError",		0,	"reject on any DNS errors, instead of temporary
failing" };
 static NumericOption failWelcome554 		= { 1, "FailWelcome554",		0,	"reject
MX servers that return a \"554 No SMTP service here\" greeting" };
 static NumericOption greyListBlockTime		= { 0, "GreyListBlockTime",		300 *
2,	"grey list block time in seconds, must be less than CacheGreyListTTL" };
 static NumericOption greyListRejectCount	= { 0,
"GreyListRejectCount",		3,	"reject too many attempts during the grey list
block time, 0 = disable" };
@@ -340,7 +341,8 @@
 	&clientRejectThisNet,
 	&debugLogOnly, 		
 	&deferHeloReject, 		
-	&deferMailReject, 		
+	&deferMailReject, 
+	&dnsRejectOnError,
 	&failWelcome554,
 	&greyListBlockTime,
 	&greyListRejectCount,
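Review bot: the -/+ pair on "&deferMailReject," changes only trailing whitespace (the tabs after the comma), which is noise in a functional patch and makes the hunk read as two changes. Keep the original line untouched and add only "&dnsRejectOnError," after it. Placing it after deferMailReject matches the alphabetical order the table uses.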
@@ -1695,13 +1697,9 @@
 	switch (rcode) {
 	case RCODE_OK:
 		break;
-	case RCODE_ERRNO:
-		syslog(LOG_ERR, TAG_FORMAT "'%s' lookup failed: %s (%d)", TAG_ARGS,
data->work.mail->domain.string, error, rcode);
-		rc = setReply(data, 451, "4.4.3", "'%s' lookup failed",
data->work.mail->domain.string);
-		goto error2;
 	case RCODE_UNDEFINED:
 		/* RFC 2505 section 2.13. Return Codes says that a 5xx
-		 * can be reported for authorative non-existant domain.
+		 * can be reported for an authorative non-existant domain.
 		 * I take some liberty here an relax the authorative
 		 * DNS lookup recommendation. (At least until I improve
 		 * my DNS code to do this.)
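Review bot: deleting the RCODE_ERRNO case folds a local resolver failure (the errno path: resolver unreachable, socket error, no answer at all) into default:, where the following hunk can now answer 550 whenever DnsRejectOnError is set. That is the one class of failure that says nothing about the sender's domain and must stay temporary; keep RCODE_ERRNO on "451 4.4.3" unconditionally, and reserve 5xx for the authoritative non-existent domain that the RCODE_UNDEFINED comment (citing RFC 2505 section 2.13) already singles out. In the touched comment, "authorative" should be "authoritative" and "an relax" should be "and relax".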
@@ -1712,7 +1710,8 @@
 		rc = setReply(data, 553, "5.4.4", "'%s' lookup failed: %s",
data->work.mail->domain.string, error);
 		goto error2;
 	default:
-		rc = setReply(data, 451, "4.4.3", "'%s' lookup failed: %s",
data->work.mail->domain.string, error);
+		syslog(LOG_ERR, TAG_FORMAT "'%s' lookup failed: %s (%d)", TAG_ARGS,
data->work.mail->domain.string, error, rcode);
+		rc = setReply(data, dnsRejectOnError.value ? 550 : 451, dnsRejectOnError.value ?
"5.4.3" : "4.4.3", "'%s' lookup failed: %s",
data->work.mail->domain.string, error);
 		goto error2;
 	}
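Review bot: the two ternaries on dnsRejectOnError.value must never disagree (a 550 carrying 4.4.3, or a 451 carrying 5.4.3, is malformed, since the enhanced status class has to match the reply class), so derive both from one local, e.g. "int permanent = dnsRejectOnError.value;", and pick code and status together. Note also that default: now catches every rcode other than OK and UNDEFINED, SERVFAIL and timeouts included, so the option turns transient resolver trouble into a permanent reject. That does stop the retry storm reported in the thread, but a forwarding relay that has already accepted the message (as the quoted post says those MXs do) will answer a 550 by generating a bounce to the envelope sender, which for forged senders is backscatter; say so in the option's description, or scope the 5xx to a retry count in the style of the existing GreyListRejectCount rather than to all errors. The syslog moved into this branch now fires at LOG_ERR on every such failure, one line per retry under the storm described; LOG_WARNING or LOG_INFO would be more appropriate.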
 


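The thread is about the choice between 451 and 550 for a failed sender-domain lookup: a 4xx invites the forwarding host to retry until its timeout, a 5xx stops the retries but also rejects permanently on transient resolver trouble. The following is an added example, not milter-sender code: it keeps an authoritative "no such domain" permanent (the 553 5.4.4 the patch uses, per RFC 2505 section 2.13), keeps every other resolver failure temporary, and escalates to 550 5.4.3 only after the same client has retried the same domain a configurable number of times inside a window, the way the page's GreyListRejectCount option counts grey-list retries. The enum, function names, table and the 192.0.2.x client addresses are assumptions constructed for this example.

```c
/*
 * Added example, not part of milter-sender. Maps a resolver outcome for the
 * MAIL FROM domain to an SMTP reply; transient failures become permanent only
 * after max_attempts retries by the same client/domain pair within a window.
 * The rcode enum, the retry table and all names here are assumptions.
 */
#include <stdio.h>
#include <string.h>
#include <time.h>

enum dns_rcode { DNS_OK, DNS_NXDOMAIN, DNS_SERVFAIL, DNS_TIMEOUT, DNS_ERRNO };

struct smtp_reply {
	int code;           /* 0 = continue (let the MTA accept), else 451/550/553 */
	const char *status; /* RFC 3463 enhanced status; its class must match code */
};

#define TABLE_SIZE 64
#define KEY_LEN    160

struct retry_entry {
	char   key[KEY_LEN]; /* "client/domain", empty string when the slot is unused */
	time_t first;        /* start of the current counting window */
	int    count;        /* temporary failures handed out in that window */
};

static struct retry_entry table[TABLE_SIZE];

void reset_retry_table(void)
{
	memset(table, 0, sizeof table);
}

/* Record one attempt and return how many this client/domain pair has made
 * inside the current window (including this one). */
int note_attempt(const char *client, const char *domain, time_t now, int window)
{
	char key[KEY_LEN];
	struct retry_entry *reuse = NULL;
	int i;

	snprintf(key, sizeof key, "%s/%s", client, domain);
	for (i = 0; i < TABLE_SIZE; i++) {
		struct retry_entry *e = &table[i];
		int expired = difftime(now, e->first) > window;

		if (e->key[0] != '\0' && strcmp(e->key, key) == 0) {
			if (!expired)
				return ++e->count;
			reuse = e;  /* same pair, but its window has lapsed: start over */
			break;
		}
		if (reuse == NULL && (e->key[0] == '\0' || expired))
			reuse = e;  /* first free or expired slot we may take */
	}
	if (reuse == NULL)
		return 1;  /* table full: fail open, a full table must never produce 550s */
	snprintf(reuse->key, sizeof reuse->key, "%s", key);
	reuse->first = now;
	reuse->count = 1;
	return 1;
}

/* Policy: authoritative "no such domain" is permanent; everything else stays
 * temporary until the client has used up max_attempts (0 = never escalate). */
struct smtp_reply classify(enum dns_rcode rcode, int attempts, int max_attempts)
{
	struct smtp_reply r = { 0, NULL };

	switch (rcode) {
	case DNS_OK:
		break;
	case DNS_NXDOMAIN:
		r.code = 553; r.status = "5.4.4";
		break;
	case DNS_SERVFAIL:
	case DNS_TIMEOUT:
	case DNS_ERRNO:
		if (max_attempts > 0 && attempts >= max_attempts) {
			r.code = 550; r.status = "5.4.3";
		} else {
			r.code = 451; r.status = "4.4.3";
		}
		break;
	}
	return r;
}

/* Entry point a MAIL FROM handler would call once per envelope. */
struct smtp_reply check_sender_domain(const char *client, const char *domain,
	enum dns_rcode rcode, time_t now, int window, int max_attempts)
{
	int attempts = 0;

	if (rcode == DNS_SERVFAIL || rcode == DNS_TIMEOUT || rcode == DNS_ERRNO)
		attempts = note_attempt(client, domain, now, window);
	return classify(rcode, attempts, max_attempts);
}

int main(void)
{
	/* Constructed scenario: one forwarding host retrying a domain whose DNS times out. */
	const char *client = "192.0.2.10", *domain = "bogus.example";
	time_t t0 = 1108368000;  /* arbitrary epoch value, 2005-02-14 */
	int i;

	reset_retry_table();
	for (i = 0; i < 4; i++) {
		struct smtp_reply r = check_sender_domain(client, domain, DNS_TIMEOUT,
			t0 + 60 * i, 600, 3);
		printf("attempt %d: %d %s\n", i + 1, r.code, r.status);
	}
	return 0;
}
```

With a window of 600 seconds and three attempts, the first two retries get 451 4.4.3 and the third onward 550 5.4.3, so the retry loop described in the thread ends after a bounded number of connections while a one-off resolver hiccup still gets the temporary failure the RFCs expect. The 550 still goes back to a relay that has already accepted the message, so it will bounce the mail; the threshold limits how much of that happens, it does not remove it.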
